Mar*_* B. 5 lets-encrypt certbot
Let's Encrypt certbot has a subcommand `enhance`, described as "Add security enhancements to existing configuration".
The only additional information I can find in certbot's CLI help is:
enhance: Helps to harden the TLS configuration by adding security enhancements to already existing configuration.
It is not clear which enhancements are added to the existing configuration, which files are modified, etc. I am particularly interested in a setup with Ubuntu + Apache HTTP Server (using the --apache option).
I couldn't find it either, so I looked at the source code (and another piece of documentation), which states:
```
security:
  Security parameters & server settings

  --rsa-key-size N      Size of the RSA key. (default: 2048)
  --must-staple         Adds the OCSP Must Staple extension to the certificate.
                        Autoconfigures OCSP Stapling for supported setups
                        (Apache version >= 2.3.3 ). (default: False)
  --redirect            Automatically redirect all HTTP traffic to HTTPS for the
                        newly authenticated vhost. (default: Ask)
  --no-redirect         Do not automatically redirect all HTTP traffic to HTTPS
                        for the newly authenticated vhost. (default: Ask)
  --hsts                Add the Strict-Transport-Security header to every HTTP
                        response. Forcing browser to always use SSL for the
                        domain. Defends against SSL Stripping. (default: None)
  --uir                 Add the "Content-Security-Policy: upgrade-insecure-requests"
                        header to every HTTP response. Forcing the browser to
                        use https:// for every http:// resource. (default: None)
  --staple-ocsp         Enables OCSP Stapling. A valid OCSP response is stapled
                        to the certificate that the server offers during TLS.
                        (default: None)
  --strict-permissions  Require that all configuration files are owned by the
                        current user; only needed if your config is somewhere
                        unsafe like /tmp/ (default: False)
```
and tried it in my test environment:
```
certbot --authenticator webroot --installer apache
[...]
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/example.conf to ssl vhost in /etc/apache2/sites-enabled/example.ssl.conf
-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://example.com and https://www.example.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
certbot enhance --hsts
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator None, Installer apache
Which certificate would you like to use to enhance your configuration?
-------------------------------------------------------------------------------
1: example.com
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel):
Which domain names would you like to enable the selected enhancements for?
-------------------------------------------------------------------------------
1: example.com
2: www.example.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Adding Strict-Transport-Security header to ssl vhost in /etc/apache2/sites-enabled/example.ssl.conf
certbot enhance --uir
Plugins selected: Authenticator None, Installer apache
Which certificate would you like to use to enhance your configuration?
-------------------------------------------------------------------------------
1: example.com
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel):
Which domain names would you like to enable the selected enhancements for?
-------------------------------------------------------------------------------
1: example.com
2: www.example.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Adding Upgrade-Insecure-Requests header to ssl vhost in /etc/apache2/sites-enabled/example.ssl.conf
```
You can guess the rest of the options (I did not try all of them).
It added the following lines to my sites-enabled ssl .conf:
```
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Header always set Strict-Transport-Security "max-age=31536000"
Header always set Content-Security-Policy upgrade-insecure-requests
```
and these to my sites-enabled non-ssl .conf:
```
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.example.com [OR]
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
```
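As an added example (not part of the answer above and not certbot's own code), a small Python audit that parses Apache vhost fragments like the ones `certbot enhance` writes and reports which enhancements are present. The sample vhosts are constructed here, and the preload check applies the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload).

```python
import re

# Constructed sample vhosts mirroring what `certbot enhance` writes (not a real server's files).
SSL_VHOST = """\
<VirtualHost *:443>
    ServerName example.com
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    Header always set Strict-Transport-Security "max-age=31536000"
    Header always set Content-Security-Policy upgrade-insecure-requests
</VirtualHost>
"""
HTTP_VHOST = """\
<VirtualHost *:80>
    ServerName example.com
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.example.com [OR]
    RewriteCond %{SERVER_NAME} =example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
"""

# Matches `Header [always] set <Name> <value>` directives, one per line.
HEADER_RE = re.compile(r"^\s*Header\s+(?:always\s+)?set\s+(\S+)\s+(.+?)\s*$", re.I | re.M)
# Matches a RewriteRule whose substitution starts with https://, i.e. the --redirect enhancement.
REDIRECT_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+https://", re.I | re.M)
ONE_YEAR = 31536000  # seconds; minimum max-age accepted by the HSTS preload list

def audit_enhancements(ssl_conf: str, http_conf: str) -> dict:
    """Report which certbot enhancements are present in the given vhost texts."""
    headers = {name.lower(): value.strip('"') for name, value in HEADER_RE.findall(ssl_conf)}
    hsts = headers.get("strict-transport-security", "")
    directives = [d.strip().lower() for d in hsts.split(";")]
    max_age_match = re.search(r"max-age=(\d+)", hsts, re.I)
    max_age = int(max_age_match.group(1)) if max_age_match else None
    include_sub = "includesubdomains" in directives
    return {
        "hsts": bool(hsts),
        "hsts_max_age": max_age,
        "hsts_include_subdomains": include_sub,
        # All three conditions are required before a domain can be submitted to hstspreload.org.
        "hsts_preload_ready": bool(max_age and max_age >= ONE_YEAR and include_sub and "preload" in directives),
        "uir": "upgrade-insecure-requests" in headers.get("content-security-policy", "").lower(),
        "redirect": bool(REDIRECT_RE.search(http_conf)),
    }

if __name__ == "__main__":
    for key, present in audit_enhancements(SSL_VHOST, HTTP_VHOST).items():
        print(f"{key}: {present}")
```

Run against the real files under /etc/apache2/sites-enabled/ to see that certbot's default HSTS header (max-age only) is not yet preload-ready.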