Install Free SSL on Nginx on Debian 9
What is SSL?
SSL (Secure Socket Layer) is the way a website establishes a secure connection with the user's web browser. When a user accesses the website, the data is encrypted by SSL, so the data is more secure. SSL is generally the standard for secure web communication in use today.
In this tutorial we will install and configure free SSL on Nginx on Debian 9.
Prerequisites
Install Certbot on Debian 9
apt update
apt install certbot
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
mkdir -p /var/lib/letsencrypt/.well-known
chgrp www-data /var/lib/letsencrypt
chmod g+s /var/lib/letsencrypt
nano /etc/nginx/snippets/letsencrypt.conf
location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
}
sudo nano /etc/nginx/snippets/ssl.conf

ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
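The ssl.conf snippet above still enables TLS 1.0 and 1.1, which RFC 8996 deprecates, and the tail of its cipher list contains CBC, 3DES and non-forward-secret suites. The shell script below is an added example, not part of the original tutorial; the function names directive_args and audit_tls_conf are hypothetical, and it lists which ssl_protocols and ssl_ciphers entries of a file such as /etc/nginx/snippets/ssl.conf a stricter configuration would drop.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit an nginx TLS snippet.

# Print the arguments of directive $2 found in file $1, one directive per line.
# Comments are stripped and the file is split on ';'. Quoted values that contain
# ';' (such as the HSTS header) get split too, but never match the two
# directives inspected here.
directive_args() {
    sed 's/#.*//' "$1" | tr '\n' ' ' | tr ';' '\n' |
        sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" | tr -d "'\""
}

# Print one finding per line; return 1 if anything was flagged, 0 if clean.
audit_tls_conf() {
    local conf="$1" findings=0 item
    for item in $(directive_args "$conf" ssl_protocols); do
        case $item in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "protocol $item: deprecated"; findings=1 ;;
        esac
    done
    for item in $(directive_args "$conf" ssl_ciphers | tr ':' ' '); do
        case $item in
            '!'*) ;;   # exclusions such as !DSS remove suites, nothing to flag
            *DES*|*RC4*|*MD5*|*NULL*|*EXP*)
                echo "cipher $item: broken or 64-bit block cipher"; findings=1 ;;
            ECDHE-*|DHE-*|EDH-*)
                case $item in
                    *GCM*|*CCM*|*CHACHA20*) ;;   # AEAD with forward secrecy
                    *) echo "cipher $item: CBC mode"; findings=1 ;;
                esac ;;
            *) echo "cipher $item: no forward secrecy"; findings=1 ;;
        esac
    done
    return $findings
}

# Stand-alone use: sh audit.sh /etc/nginx/snippets/ssl.conf
if [ -n "${1:-}" ]; then
    audit_tls_conf "$1"
fi
```

After editing ssl.conf, run nginx -t before reloading so a typo in the cipher string does not take the site down.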
nano /etc/nginx/sites-available/example.com

server {
    listen 80;
    server_name example.com www.example.com;

    include snippets/letsencrypt.conf;
}
ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled
Restart Nginx
systemctl restart nginx
You can now run Certbot with the webroot plugin and obtain the SSL certificate files by issuing:
certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com
If the SSL certificate is obtained successfully, certbot will print the following message:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2019-03-22. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
nano /etc/nginx/sites-available/example.com

server {
    listen 80;
    server_name example.com www.example.com;

    include snippets/letsencrypt.conf;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    # . . . other code
}
systemctl reload nginx
Automatically Renew the Let’s Encrypt SSL Certificate
Let’s Encrypt certificates are valid for 90 days. To renew certificates automatically before they expire, the certbot package creates a cron job that runs twice a day and automatically renews any certificate within 30 days of its expiry.
Because we use the certbot webroot plug-in, we also have to reload the nginx service after a certificate is renewed. Add --renew-hook "systemctl reload nginx" to the /etc/cron.d/certbot file so that it looks like this:
nano /etc/cron.d/certbot
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"