Network Management Fundamentals
Route53 and basic network-management concepts
EC2 HTTPS setup
Binding a domain on AWS
- In Route53, create a Hosted Zone for the domain you registered yourself (my-domain.me)
- In that Route53 Hosted Zone, create a Record (my-domain.me) that points at the EC2 instance
Applying for a Let's Encrypt certificate
1. Install the certbot tool
$ git clone https://github.com/certbot/certbot.git
$ cd certbot
$ ./certbot-auto
2. Apply for the certificate through a certbot plugin
$ ./certbot-auto certonly -a standalone -d my-domain.me --email someone@gmail.com
During this process you will be asked a few questions, and Let's Encrypt will send a request to verify that you control the my-domain.me domain.
3. Use openssl to build an SSL keystore from the Let's Encrypt key
This is letsencrypt's default directory in the OS environment
$ cd /etc/letsencrypt/live/my-domain.me
Build the SSL keystore (PKCS12) from the private key Let's Encrypt gave you
$ openssl pkcs12 -export -in fullchain.pem \
    -inkey privkey.pem \
    -out keystore.p12 \
    -name tomcat \
    -CAfile chain.pem \
    -caname root
Put the generated keystore into the resources directory of the spring-boot project
$ cp keystore.p12 ~/my-web-project/main/resources/
4. Configure application-prod.yml
server:
  port: 8443
  ssl:
    key-store: classpath:keystore.p12   # the PKCS12 copied into resources in step 3
    key-store-password: pwd             # the export password given to openssl
    key-store-type: PKCS12
    key-alias: tomcat
5. Redirect HTTP to HTTPS
HTTP has fallen out of fashion and Google no longer welcomes it, so while we're at it, redirect HTTP to HTTPS.
The purpose of @Profile("prod") is to keep the local development (dev) workflow simple and skip HTTPS;
this Configuration bean is only activated when the machine goes live (prod).
import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;

@Profile("prod")
@Configuration
public class WebConfiguration {

    // The HTTPS port from application-prod.yml (8443); plain-HTTP requests are redirected here.
    @Value("${server.port}")
    private Integer serverPort;

    @Bean
    public EmbeddedServletContainerFactory servletContainer() {
        TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                // CONFIDENTIAL requires every request under /* to arrive over TLS; Tomcat answers
                // a plain-HTTP request with a redirect to the connector's redirectPort.
                SecurityConstraint securityConstraint = new SecurityConstraint();
                securityConstraint.setUserConstraint("CONFIDENTIAL");
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                securityConstraint.addCollection(collection);
                context.addConstraint(securityConstraint);
            }
        };
        tomcat.addAdditionalTomcatConnectors(initiateHttpConnector());
        return tomcat;
    }

    // Extra plain-HTTP connector on 8080 whose only job is to redirect to the HTTPS port.
    private Connector initiateHttpConnector() {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setScheme("http");
        connector.setPort(8080);
        connector.setSecure(false);
        connector.setRedirectPort(serverPort);
        return connector;
    }
}
6. Package and deploy
$ mvn clean package
$ curl https://my-domain.me:8443/
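The curl above only shows that port 8443 answers. The following post-deployment check is an added example (not code from the original post): it verifies that the plain-HTTP connector on 8080 answers with a redirect to the HTTPS URL that Tomcat's CONFIDENTIAL constraint produces, and that the HTTPS endpoint presents a certificate that verifies against the system CA store for the host name, reporting how many days remain before expiry. The host name and ports come from the post; the 30-day renewal window is certbot's default and is an assumption here, as is the exact redirect format (same host and path, port appended unless it is 443).

```python
"""Post-deployment check for the EC2 + Spring Boot HTTPS setup above (added example)."""
import http.client
import socket
import ssl
import sys
import time
from typing import Optional, Tuple

HTTP_PORT = 8080          # plain-HTTP connector from WebConfiguration (from the post)
HTTPS_PORT = 8443         # server.port in application-prod.yml (from the post)
RENEW_WITHIN_DAYS = 30    # assumption: certbot's default renewal window
DAY_SECONDS = 86_400


def expected_https_location(host_header: str, path: str, https_port: int = HTTPS_PORT) -> str:
    """URL Tomcat's CONFIDENTIAL constraint redirects to: same host and path, https scheme,
    port taken from the connector's redirectPort (omitted when it is 443)."""
    host = host_header.split(":", 1)[0]
    port_part = "" if https_port == 443 else ":%d" % https_port
    return "https://%s%s%s" % (host, port_part, path)


def evaluate_redirect(status: int, location: Optional[str],
                      host_header: str, path: str) -> Tuple[bool, str]:
    """Judge one plain-HTTP response: it must be a redirect whose Location is the HTTPS URL
    for the same host and path. Returns (ok, reason)."""
    if status not in (301, 302, 303, 307, 308):
        return False, "expected a redirect status, got %d" % status
    if not location:
        return False, "redirect without a Location header"
    want = expected_https_location(host_header, path)
    if location != want:
        return False, "Location %r does not match expected %r" % (location, want)
    return True, "HTTP %d -> %s" % (status, location)


def days_until_expiry(not_after: str, now_epoch: Optional[float] = None) -> int:
    """Whole days between now and the 'notAfter' value ssl.getpeercert() returns
    (e.g. 'Dec  2 00:00:00 2017 GMT'); negative once the certificate has expired."""
    if now_epoch is None:
        now_epoch = time.time()
    expires_epoch = ssl.cert_time_to_seconds(not_after)
    return int((expires_epoch - now_epoch) // DAY_SECONDS)


def renewal_due(days_left: int, window: int = RENEW_WITHIN_DAYS) -> bool:
    """Mirror certbot's decision: renew once fewer than `window` days remain."""
    return days_left < window


def check_http_redirect(host: str) -> Tuple[bool, str]:
    """GET / over plain HTTP on HTTP_PORT without following redirects, then judge the answer."""
    host_header = "%s:%d" % (host, HTTP_PORT)
    conn = http.client.HTTPConnection(host, HTTP_PORT, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": host_header})
        resp = conn.getresponse()
        return evaluate_redirect(resp.status, resp.getheader("Location"), host_header, "/")
    finally:
        conn.close()


def check_certificate(host: str) -> Tuple[bool, str]:
    """Open a TLS connection that verifies the chain and host name, then report the expiry."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname, system CA store
    with socket.create_connection((host, HTTPS_PORT), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    days = days_until_expiry(cert["notAfter"])
    reason = "certificate verified for %s, expires %s (%d days left)" % (host, cert["notAfter"], days)
    return not renewal_due(days), reason


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "my-domain.me"
    all_ok = True
    for check in (check_http_redirect, check_certificate):
        try:
            ok, reason = check(target)
        except (OSError, http.client.HTTPException) as exc:  # refused, verification failure, ...
            ok, reason = False, "%s: %s" % (check.__name__, exc)
        print("PASS" if ok else "FAIL", reason)
        all_ok = all_ok and ok
    sys.exit(0 if all_ok else 1)
```

Run it as `python check_https.py my-domain.me` from a machine that can reach the instance; a non-zero exit means either the redirect is missing or wrong, the certificate does not verify for the host name, or the certificate is already inside the renewal window and the keystore needs to be rebuilt.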
Let's Encrypt certificate limits
- Names/Certificate: a single certificate is limited to 100 hostnames.
- Certificates/Domain: at most 20 certificates per domain per week, but renewals do not count toward the quota (the hostnames in the certificate must be exactly the same as before).
- Certificates/FQDN set: at most five certificates per week for the same set of hostnames.
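The three limits interact (a renewal is exempt from the per-domain quota but still counts against the duplicate-certificate quota), which is easy to get wrong when scripting issuance. The budget check below is an added example, not from the original post: it applies the three rules as stated above to a constructed issuance log. Two assumptions are labelled in the code: the registered domain is approximated as the last two labels of a hostname (a real implementation would consult the public suffix list), and the issuance log is a list of (epoch seconds, hostnames) tuples constructed for the example.

```python
"""Budget check for the three Let's Encrypt limits listed above (added example)."""
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

DAY = 86_400
WEEK = 7 * DAY
MAX_NAMES_PER_CERT = 100            # Names/Certificate
MAX_CERTS_PER_DOMAIN_PER_WEEK = 20  # Certificates/Domain (renewals exempt)
MAX_DUPLICATE_CERTS_PER_WEEK = 5    # Certificates/FQDN set

History = Sequence[Tuple[int, Sequence[str]]]  # (issued_at epoch seconds, hostnames)


def registered_domain(hostname: str) -> str:
    """Assumption: the registered domain is the last two labels (www.my-domain.me -> my-domain.me)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def fqdn_set(names: Iterable[str]) -> frozenset:
    """Normalised hostname set; two certificates with equal sets are 'the same' for the limits."""
    return frozenset(n.lower().rstrip(".") for n in names)


def weekly_domain_counts(history: History, now: int) -> Dict[str, int]:
    """Count non-renewal certificates per registered domain in the last week.
    A certificate is a renewal when an earlier certificate had exactly the same name set."""
    counts: Dict[str, int] = Counter()
    seen = set()
    for issued_at, names in sorted(history, key=lambda h: h[0]):
        names_key = fqdn_set(names)
        is_renewal = names_key in seen
        seen.add(names_key)
        if is_renewal or not (now - WEEK < issued_at <= now):
            continue
        for domain in {registered_domain(n) for n in names_key}:
            counts[domain] += 1
    return counts


def can_issue(names: Sequence[str], history: History, now: int) -> Tuple[bool, List[str]]:
    """Decide whether a certificate for `names` fits the three limits given `history`.
    Returns (allowed, list of violated limits)."""
    wanted = fqdn_set(names)
    problems: List[str] = []
    if len(wanted) > MAX_NAMES_PER_CERT:
        problems.append("Names/Certificate: %d hostnames > %d" % (len(wanted), MAX_NAMES_PER_CERT))
    # Certificates/FQDN set: identical name set issued within the last week (renewals included)
    duplicates = sum(1 for t, n in history if now - WEEK < t <= now and fqdn_set(n) == wanted)
    if duplicates >= MAX_DUPLICATE_CERTS_PER_WEEK:
        problems.append("Certificates/FQDN set: %d issued this week for the same hostnames" % duplicates)
    # Certificates/Domain: renewals (same hostnames as any earlier certificate) are exempt
    is_renewal = any(fqdn_set(n) == wanted for _, n in history)
    if not is_renewal:
        counts = weekly_domain_counts(history, now)
        for domain in sorted({registered_domain(n) for n in wanted}):
            if counts[domain] >= MAX_CERTS_PER_DOMAIN_PER_WEEK:
                problems.append("Certificates/Domain: %s already has %d new certificates this week"
                                % (domain, counts[domain]))
    return not problems, problems


# Constructed issuance log relative to NOW (2017-11-10 00:00:00 UTC), not real data:
NOW = 1_510_272_000
SAMPLE_HISTORY: History = (
    [(NOW - 80 * DAY, ["my-domain.me"])]                                 # original cert, 80 days ago
    + [(NOW - 2 * DAY, ["app%d.my-domain.me" % i]) for i in range(20)]   # 20 new certs this week
    + [(NOW - DAY - h * 3600, ["dup.my-domain.me"]) for h in range(5)]   # same hostname 5 times
)

if __name__ == "__main__":
    for request in (["my-domain.me"], ["new.my-domain.me"], ["dup.my-domain.me"]):
        allowed, problems = can_issue(request, SAMPLE_HISTORY, NOW)
        print(request, "OK" if allowed else "BLOCKED", problems)
```

With the constructed log, renewing my-domain.me is still allowed even though the domain has exhausted its weekly quota, a brand-new hostname under it is blocked, and dup.my-domain.me is blocked by the five-per-week duplicate limit despite being a renewal.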
Renew Certificate
Since certbot is installed, the renew action comes packaged as well; a one-click run looks like this:
$ cd certbot
$ ./certbot-auto
Here it asks which domain to handle
Requesting to rerun /bin/certbot-auto with root privileges...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: my-domain.me
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Here it asks about the redirect: whether to redirect http (port 80) to https
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for my-domain.me
Waiting for verification...
Cleaning up challenges
Deploying Certificate for my-domain.me to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enhancement redirect was already set.
Ta-da, and the renewal succeeded
-------------------------------------------------------------------------------
Your existing certificate has been successfully renewed, and the new certificate
has been installed.
The new certificate covers the following domains:
https://my-domain.me
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=my-domain.me
-------------------------------------------------------------------------------
A friendly hint: the path of the renewed certificate and its expiry date, 2017-12-02. Note that what was renewed here are the PEM files under /etc/letsencrypt/live/ (installed into Apache by the apache plugin); the keystore.p12 exported in step 3 and packaged into the Spring Boot project is a static copy, so after each renewal re-run the openssl export and redeploy, otherwise the application keeps serving the old certificate until it expires.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/my-domain.me/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/my-domain.me/privkey.pem
Your cert will expire on 2017-12-02. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again with the "certonly" option. To non-interactively renew *all*
of your certificates, run "certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le