Letsencrypt: Skirtumas tarp puslapio versijų

Iš Žinynas.
Jump to navigation Jump to search
 
(Jokio skirtumo)

Dabartinė 09:52, 26 kovo 2018 versija


ĮSPĖJIMAS
Šis puslapis pažymėtas kaip nebaigtas. Jo turinyje gali trūkti informacijos apie aprašytus informacijos panaudojimus bei esminiai trūkumai kurie gali trūkdyti juos realizuoti.

Debian Jessie (8.x)[keisti]

echo 'deb http://ftp.debian.org/debian jessie-backports main' | sudo tee /etc/apt/sources.list.d/backports.list
sudo apt-get update
sudo apt-get install certbot -t jessie-backports

sudo certbot certonly -a webroot --webroot-path=/var/www/html -d example.com -d www.example.com


nginx.conf[keisti]

 location ~ /.well-known {
          root /home/useris/public;
               allow all;
       }

/etc/nginx/snippets/ssl-params.conf[keisti]

# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;

Redirectas i ssl[keisti]

server {
   listen 80;
   server_name example.com www.example.com;
   return 301 https://$server_name$request_uri;
}

SSL hostas[keisti]

server {
   listen 443 ssl;
   server_name example.com www.example.com;
   include snippets/ssl-params.conf;
  ssl_certificate ...path to fullchain.pem;
  ssl_certificate_key ..path to privkey.pem;
}

Cron renew[keisti]

30 2 * * * root /usr/bin/certbot renew --noninteractive --renew-hook "/bin/systemctl reload nginx" >> /var/log/le-renew.log