document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-03-21 02:10:11 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5871 from geekpi/master

Browse Source 
translated
This commit is contained in:
geekpi 2017-08-02 08:53:45 +08:00 committed by GitHub
commit bacdea1cbc
2 changed files with 185 additions and 187 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

187
sources/tech/20170628 Encryption How To Secure an NGINX web server on Ubuntu 16.04.md
View File

@ -1,187 +0,0 @@
translating----geekpi
Encryption: How To Secure an NGINX web server on Ubuntu 16.04
============================================================
By [Giuseppe Molica][1]</header>
[![Let's Encrypt Encryption CA](https://www.unixmen.com/wp-content/uploads/2017/06/le-logo-standard.png "le-logo-standard")][2]
### What is Lets Encrypt
[Lets Encrypt][3] is a free certificate authority brought by the Internet Security Research Group (ISRG). It provides an easy and automated way to obtain free SSL/TLS certificates a required step for enabling encryption and HTTPS traffic on web servers. Most of the steps in obtaining and installing a certificate can be automated by using a tool called [Certbot][4].
In particular, this software can be used in presence of shell access to the server: in other words, when its possible to connect to the server through SSH.
In this tutorial we will see how to use `certbot` to obtain a free SSL certificate and use it with Nginx on an Ubuntu 16.04 server.
### Install Certbot
The first step is to install `certbot`, the software client which will automate almost everything in the process. Certbot developers maintain their own Ubuntu software repository which contain software newer than those present in the Ubuntu repositories.
Add the Certbot repository:
```
# add-apt-repository ppa:certbot/certbot
```
Next, update the APT sources list:
```
# apt-get update
```
At this point, it is possible to install `certbot` with the following `apt` command:
```
# apt-get install certbot
```
Certbot is now installed and ready to use.
### Obtain a Certificate
There are various Certbot plugins for obtaining SSL certificates. These plugins help in obtaining a certificate, while its installation and web server configuration are both left to the admin.
We will use a plugin called **Webroot** to obtain a SSL certificate.
This plugin is recommended in those cases where there is the ability to modify the content being served. There is no need to stop the web server during the certificate issuance process.
#### Configure NGINX
Webroot works by creating a temporary file for each domain in a directory called `.well-known`, placed inside the web root directory. In our case, the web root directory is `/var/www/html`. Ensure that the directory is accessible to Lets Encrypt for validation. To do so, edit the NGINX configuration. With a text editor, open the `/etc/nginx/sites-available/default` file:
```
# $EDITOR /etc/nginx/sites-available/default
```
In this file, in the server block, place the following content:
```
location ~ /.well-known {
allow all;
}
```
Save, exit and check the NGINX configuration:
```
# nginx -t
```
Without errors, it should display:
```
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```
Restart NGINX:
```
# systemctl restart nginx
```
#### Obtain Certificate with Certbot
The next step is to obtain a new certificate using Certbot with the Webroot plugin. In this tutorial, we will secure (as example) the domain www.example.com. It is required to specify every domain that should be secured by the certificate. Execute the following command:
```
# certbot certonly --webroot --webroot-path=/var/www/html -d www.example.com
```
During the process, Cerbot will ask for a valid email address for notification purposes. It will also ask to share it with the EFF, but this is not required. After agreeing the Terms of Services, it will obtain a new certificate.
At the end, the directory `/etc/letsencrypt/archive` will contain the following files:
* chain.pem: Lets Encrypt chain certificate.
* cert.pem: domain certificate.
* fullchain.pem: combination of `cert.pem` and `chain.pem`.
* privkey.pem: certificates private key.
Certbot will also create symbolic links to the most recent certificate files in `/etc/letsencrypt/live/**domain_name**/`. This is the path we will use in server configuration.
### Configure SSL/TLS on NGINX
The next step is server configuration. Create a new snippet in the `/etc/nginx/snippets/`. A **snippet** is a part of a configuration file that can be included in virtual host configuration files. So, create a new file:
```
# $EDITOR /etc/nginx/snippets/secure-example.conf
```
The content of this file will be the directives specifying the locations of the certificate and key. Paste the following content:
```
ssl_certificate /etc/letsencrypt/live/domain_name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain_name/privkey.pem;
```
In our case, `domain_name` would be `example.com`.
#### Edit NGINX Configuration
Edit the default Virtual Host file:
```
# $EDITOR /etc/nginx/sites-available/default
```
As follows:
```
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name www.example.com
return 301 https://$server_name$request_uri;
# SSL configuration
#
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
include snippets/secure-example.conf
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
...
```
This will enable encryption on NGINX.
Save, exit and check the NGINX configuration file:
```
# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```
Restart NGINX:
```
# systemctl restart nginx
```
### Conclusion
Following all the steps above, at this point we have a secured NGINX-based web server, with encryption granted by Certbot and Lets Encrypt. This is just a basic configuration, of course, and its possible to use many NGINX configuration parameters for personalizing everything, but that depends on specific web server requirements.
--------------------------------------------------------------------------------
via: https://www.unixmen.com/encryption-secure-nginx-web-server-ubuntu-16-04/
作者:[Giuseppe Molica ][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://www.unixmen.com/author/tutan/
[1]:https://www.unixmen.com/author/tutan/
[2]:https://www.unixmen.com/wp-content/uploads/2017/06/le-logo-standard.png
[3]:https://letsencrypt.org/
[4]:https://certbot.eff.org/

185
translated/tech/20170628 Encryption How To Secure an NGINX web server on Ubuntu 16.04.md Normal file
View File

@ -0,0 +1,185 @@
加密:如何保护 Ubuntu 16.04 上的 NGINX Web 服务器
============================================================
由 [Giuseppe Molica][1] 提供
[![Let's Encrypt Encryption CA](https://www.unixmen.com/wp-content/uploads/2017/06/le-logo-standard.png "le-logo-standard")][2]
### 什么是 Lets Encrypt
[Lets Encrypt][3]是互联网安全研究组织 ISRG 提供的免费认证机构。它提供了一种轻松自动的方式来获取免费的 SSL/TLS 证书 - 这是在 Web 服务器上启用加密和 HTTPS 流量的必要步骤。获取和安装证书的大多数步骤可以通过使用名为 [Certbot][4] 的工具进行自动化。
特别地,该软件可在可以使用 shell 的服务器上使用:换句话说,当可以通过 SSH 连接使用。
在本教程中,我们将看到如何使用 `certbot` 获取免费的 SSL 证书,并在 Ubuntu 16.04 服务器上使用 Nginx。
### 安装 Certbot
第一步是安装 `certbot`,该软件客户端可以几乎自动化所有的过程。 Certbot 开发人员维护自己的 Ubuntu 仓库,其中包含比 Ubuntu 仓库中存在的软件更新的软件。
添加Certbot 仓库:
```
# add-apt-repository ppa:certbot/certbot
```
接下来,更新 APT 源列表:
```
# apt-get update
```
此时,可以使用以下 `apt` 命令安装 `certbot`
```
# apt-get install certbot
```
Certbot 现已安装并可使用。
### 获得证书
有各种 Certbot 插件可用于获取 SSL 证书。这些插件有助于获取证书,而其安装和 Web 服务器配置都留给管理员。
我们使用一个名为 **Webroot** 的插件来获取 SSL 证书。
在有能力修改正在运行的内容的情况下,建议使用此插件。在证书颁发过程中不需要停止 Web 服务器。
#### 配置 NGINX
Webroot 通过为名为 `.well-known` 的目录中的每个域创建一个临时文件,并放置在 Web 根目录下。在我们的例子中Web 根目录是 `/var/www/html`。确保该目录对 Lets Encrypt 可访问以用于验证 。为此,请编辑 NGINX 配置。使用文本编辑器打开 `/etc/nginx/sites-available/default`
```
# $EDITOR /etc/nginx/sites-available/default
```
在该文件中,在服务器块内,输入以下内容:
```
location ~ /.well-known {
allow all;
}
```
保存,退出并检查 NGINX 配置:
```
# nginx -t
```
没有错误应该会显示:
```
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```
重启 NGINX
```
# systemctl restart nginx
```
#### 使用 Certbot 获取证书
下一步是使用 Certbot 的 Webroot 插件获取新证书。在本教程中,我们将示例保护域 www.example.com。需要指定应由证书保护的每个域。执行以下命令
```
# certbot certonly --webroot --webroot-path=/var/www/html -d www.example.com
```
在此过程中Cerbot 将要求有效的电子邮件地址进行通知。还会要求与 EFF 分享,但这不是必需的。在同意服务条款之后,它将获得一个新的证书。
最后,目录 `/etc/letsencrypt/archive` 将包含以下文件:
* chain.pem加密链证书。
* cert.pem域名证书。
* fullchain.pem`cert.pem`和 `chain.pem` 的组合。
* privkey.pem证书私钥。
Certbot 还将创建符号链接到 `/etc/letsencrypt/live/**domain_name**/` 中的最新证书文件。这是我们将在服务器配置中使用的路径。
### 在 NGINX 上配置 SSL/TLS
下一步是服务器配置。在 `/etc/nginx/snippets/` 中创建一个新的代码段。 **snippet** 是配置文件的一部分,可以包含在虚拟主机配置文件中。所以,创建一个新的文件:
```
# $EDITOR /etc/nginx/snippets/secure-example.conf
```
该文件的内容将指定证书和密钥位置。粘贴以下内容:
```
ssl_certificate /etc/letsencrypt/live/domain_name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain_name/privkey.pem;
```
在我们的例子中,`domain_name` 是 `example.com`
#### 编辑 NGINX 配置
编辑默认虚拟主机文件:
```
# $EDITOR /etc/nginx/sites-available/default
```
如下:
```
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name www.example.com
return 301 https://$server_name$request_uri;
# SSL configuration
#
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
include snippets/secure-example.conf
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
...
```
这将启用 NGINX 加密。
保存、退出并检查 NGINX 配置文件:
```
# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```
重启 NGINX
```
# systemctl restart nginx
```
### 总结
按照上述步骤,此时我们已经拥有了一个安全的基于 NGINX 的 Web 服务器,它由 Certbot 和 Lets Encrypt 加密。这只是一个基本配置,当然你可以使用许多 NGINX 配置参数来个性化所有东西,但这取决于特定的 Web 服务器要求。
--------------------------------------------------------------------------------
via: https://www.unixmen.com/encryption-secure-nginx-web-server-ubuntu-16-04/
作者:[Giuseppe Molica ][a]
译者:[geekpi](https://github.com/geekpi)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://www.unixmen.com/author/tutan/
[1]:https://www.unixmen.com/author/tutan/
[2]:https://www.unixmen.com/wp-content/uploads/2017/06/le-logo-standard.png
[3]:https://letsencrypt.org/
[4]:https://certbot.eff.org/