Changes between Version 5 and Version 6 of WebDienste


Timestamp: Aug 1, 2020, 5:01:03 PM
Author: Johannes Lode
Comment: --

  • WebDienste

== Apache

Added in v6:
//tbd.//

=== Creating a new V-Host with SSL cert and getssl

Removed in v6:
==== Configuring Apache and the data directory

 1. Set up DNS: point the DNS name of the new host at the IP address of the Apache server (`laubfrosch.p21.net`, `172.16.0.2`), or at its hostname as a CNAME
 1. Log in on Laubfrosch and become `root`
 1. In the directory `/var/www`:
   a. for a web service: \\ create a new directory named after the host: `mkdir twiki.mtronig.de`
   a. for a non-web server (e.g. IMAP, murmur, ...): \\ create a symlink to `localhost`: `ln -s localhost murmur.vpn21.net`
 1. Create the SSL directory
    a. with its own SSL cert, or as the central location for a shared cert: \\ create a subdirectory `ssl`: `mkdir -p twiki.mtronig.de/ssl`
    a. to join an existing shared cert: \\ create a symlink to the `ssl` directory of the host that holds the shared cert: `ln -s ../usvn/ssl twiki.mtronig.de/ssl`
    a. for a non-web server (e.g. IMAP, murmur, ...) this is handled in `localhost`.
  In the `ssl` directory (symlink or physical) the following files are required by the configuration below and must be created by getssl.sh:
    * `ca-bundle.pem`
    * `server.crt`
    * `server.key_decrypted`
 1. Put the web data into the host directory; for a forwarder to another web service via `http` or `https` no data goes here. \\ The web data here should be owned by the `apache` user: `chown -R apache:apache twiki.mtronig.de`.
 1. In the configuration directory `/etc/apache2/vhosts.d` create a new host configuration following the naming pattern `nn-hostname.mit.domaine.tld.conf`. Each V-Host gets its own number, which sorts before `99` and also before `78`; normally this is the next free number counting up from `21`. The configuration file depends on the properties of the web service, but must in any case contain the SSL configuration parts:
{{{
### Section 3: Virtual Hosts
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs-2.0/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.

#
# Use name-based virtual hosting.
#
#NameVirtualHost *:80

#
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
<VirtualHost *:80>
    ServerName wrp.vpn21.net
    # Redirect everything to HTTPS except the ACME challenge path, which
    # getssl needs to serve over plain HTTP.
    RedirectMatch permanent "^(/(?!\.well-known/acme-challenge).*)" https://wrp.vpn21.net$1
</VirtualHost>

<VirtualHost *:443>
    ServerName wrp.vpn21.net
#    SSLProxyEngine On
#    RequestHeader set Front-End-Https "On"

    RequestHeader edit Destination https://wrp.vpn21.net/ http://172.18.2.3:8080/
    ProxyRequests Off
    ProxyPass /.well-known !
    ProxyPass / http://172.18.2.3:8080/
    ProxyPassReverse / http://172.18.2.3:8080/

    SSLEngine on

    ## Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate. If the certificate
    # is encrypted, then you will be prompted for a pass phrase. Note that a
    # kill -HUP will prompt again. Keep in mind that if you have both an RSA
    # and a DSA certificate you can configure both in parallel (to also allow
    # the use of DSA ciphers, etc.)
    SSLCertificateFile /var/www/wrp.vpn21.net/ssl/server.crt

    ## Server Private Key:
    # If the key is not combined with the certificate, use this directive to
    # point at the key file. Keep in mind that if you've both a RSA and a DSA
    # private key you can configure both in parallel (to also allow the use of
    # DSA ciphers, etc.)
    SSLCertificateKeyFile /var/www/wrp.vpn21.net/ssl/server.key_decrypted

    ## Server Certificate Chain:
    # Point SSLCertificateChainFile at a file containing the concatenation of
    # PEM encoded CA certificates which form the certificate chain for the
    # server certificate. Alternatively the referenced file can be the same as
    # SSLCertificateFile when the CA certificates are directly appended to the
    # server certificate for convenience.
    SSLCertificateChainFile /var/www/wrp.vpn21.net/ssl/ca-bundle.pem

    Header always add Strict-Transport-Security "max-age=15768000"
</VirtualHost>
}}}
 1. Continue with setting up `getssl`
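
Before the new vhost is enabled, the layout the steps above produce can be checked mechanically. The script below is an added example written for this page; it is not part of the original wiki, of Apache or of getssl. `WWW_ROOT`, the function names and the `VHOST` variable are assumptions. It verifies that `/var/www/<host>/ssl` (directory or symlink) holds the three files the SSL directives point at, that the decrypted key is not world-readable (an added check the page does not state), that a vhost configuration file name follows the `nn-hostname.conf` pattern with a number from `21` up to but not including `78`, and it picks the next free number in `/etc/apache2/vhosts.d`.

```shell
#!/bin/sh
# Added example for the vhost layout described on this page (not the wiki's own
# code). Path defaults are assumptions and can be overridden for testing.

WWW_ROOT="${WWW_ROOT:-/var/www}"

# check_ssl_dir HOST: the ssl directory (physical or symlink) under
# $WWW_ROOT/HOST must hold the three files the Apache SSL directives reference.
# Returns 0 when complete; prints each problem on stderr and returns 1 otherwise.
check_ssl_dir() {
    host=$1
    ssl="$WWW_ROOT/$host/ssl"
    rc=0
    for f in ca-bundle.pem server.crt server.key_decrypted; do
        if [ ! -s "$ssl/$f" ]; then
            echo "$host: missing or empty $ssl/$f" >&2
            rc=1
        fi
    done
    # Added check: the decrypted private key must not be readable by "others".
    # GNU stat first, BSD stat as fallback.
    if [ -f "$ssl/server.key_decrypted" ]; then
        mode=$(stat -c %a "$ssl/server.key_decrypted" 2>/dev/null ||
               stat -f %Lp "$ssl/server.key_decrypted")
        case "$mode" in
            *[1-7]) echo "$host: server.key_decrypted is world-readable (mode $mode)" >&2
                    rc=1 ;;
        esac
    fi
    return $rc
}

# vhost_conf_name_ok NAME: a file in vhosts.d must be called nn-hostname.conf,
# where the two-digit prefix sorts before 78 (and 99); numbering starts at 21.
vhost_conf_name_ok() {
    name=$1
    case "$name" in
        [0-9][0-9]-*.conf) ;;
        *) return 1 ;;
    esac
    nn=${name%%-*}
    nn=${nn#0}            # drop a leading zero so the test is decimal
    [ "$nn" -ge 21 ] && [ "$nn" -lt 78 ]
}

# next_vhost_number [DIR]: the lowest number from 21 upwards that no existing
# nn-*.conf in DIR (default /etc/apache2/vhosts.d) uses yet; fails at 78.
next_vhost_number() {
    dir=${1:-/etc/apache2/vhosts.d}
    n=21
    while [ "$n" -lt 78 ]; do
        set -- "$dir/$n"-*.conf
        [ -e "$1" ] || { echo "$n"; return 0; }
        n=$((n + 1))
    done
    return 1
}

# Usage: VHOST=twiki.mtronig.de sh vhost-check.sh
if [ -n "${VHOST:-}" ]; then
    check_ssl_dir "$VHOST" &&
    vhost_conf_name_ok "$(next_vhost_number)-$VHOST.conf" &&
    echo "$VHOST: layout ok, next free conf number is $(next_vhost_number)"
fi
```

Run it as `root` on the Apache host after step 3 and again after `getssl` has copied the files; a missing file points at a `getssl.cfg` location that does not match the vhost's `ssl` directory.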

==== Setting up getssl

**Attention:** the DNS setup must already work, otherwise `getssl` cannot complete.

 a. for a web host with its own SSL cert:
   1. change into the directory `~root/.getssl`
   1. create the host/domain directory: `mkdir twiki.mtronig.de`
   1. create the configuration file `twiki.mtronig.de/getssl.cfg`:
{{{
# Uncomment and modify any variables you need
# see https://github.com/srvrco/getssl/wiki/Config-variables for details
# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
#
# The staging server is best for testing
#CA="https://acme-staging-v02.api.letsencrypt.org/directory"
# This server issues full certificates, however has rate limits
#CA="https://acme-v02.api.letsencrypt.org"

#PRIVATE_KEY_ALG="rsa"

# Additional domains - this could be multiple domains / subdomains in a comma separated list
# Note: this is Additional domains - so should not include the primary domain.
#SANS="trac.mtronig.de"

# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
# If these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
# An ssh key will be needed to provide you with access to the remote server.
# Optionally, you can specify a different userid for ssh/scp to use on the remote server before the @ sign.
# If left blank, the username on the local server will be used to authenticate against the remote server.
# If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location
# These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge"
# where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.
#ACL=('/var/www/twiki.mtronig.de/web/.well-known/acme-challenge'
#     'ssh:server5:/var/www/usvn.vpn21.net/web/.well-known/acme-challenge'
#     'ssh:sshuserid@server5:/var/www/usvn.vpn21.net/web/.well-known/acme-challenge'
#     'ftp:ftpuserid:ftppassword:usvn.vpn21.net:/web/.well-known/acme-challenge')

#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
#USE_SINGLE_ACL="false"

# Location for all your certs, these can either be on the server (full path name)
# or using ssh /sftp as for the ACL
DOMAIN_CERT_LOCATION="/var/www/twiki.mtronig.de/ssl/server.crt"
DOMAIN_KEY_LOCATION="/var/www/twiki.mtronig.de/ssl/server.key_decrypted"
CA_CERT_LOCATION="/var/www/twiki.mtronig.de/ssl/ca-bundle.pem"
#DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
#DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert

# The command needed to reload apache / nginx or whatever you use
#RELOAD_CMD=""

# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
#SERVER_TYPE="https"
#CHECK_REMOTE="true"
}}}
   1. test the `getssl` configuration: \\ `getssl twiki.mtronig.de`; \\ if necessary, force the test: \\ `getssl -f twiki.mtronig.de`
The result should look like this:
{{{
# getssl -f twiki.mtronig.de

Registering account
Verify each domain
Verifying twiki.mtronig.de
twiki.mtronig.de is already validated
Verification completed, obtaining certificate.
Requesting Finalize Link
Requesting Order Link
Requesting certificate
Full certificate saved in /root/.getssl/twiki.mtronig.de/fullchain.crt
Certificate saved in /root/.getssl/twiki.mtronig.de/twiki.mtronig.de.crt
copying domain certificate to /var/www/twiki.mtronig.de/ssl/server.crt
copying private key to /var/www/twiki.mtronig.de/ssl/server.key_decrypted
copying CA certificate to /var/www/twiki.mtronig.de/ssl/ca-bundle.pem
reloading SSL services
 * Gracefully restarting apache2 ...                               [ ok ]
twiki.mtronig.de - certificate installed OK on server
certificate obtained for twiki.mtronig.de
# _
}}}
   1. switch the "staging" configuration to the full configuration: disable the line `CA="https://acme-staging-v02.api..."` (it may already be inactive, because the global getssl configuration sets this CA) and enable the line `CA="https://acme-v02.api.letsencrypt.org"` instead.
   1. obtain the production certificate: \\ `getssl twiki.mtronig.de` \\ The result should look roughly like this:
{{{
# getssl twiki.mtronig.de
Registering account
Verify each domain
Verifying twiki.mtronig.de
copying challenge token to /var/www/letsencrypt/Yfh65tFtentC8QnrHM3eSH3WFfOmmcVTNlJk3XGYaRk
sending request to ACME server saying we're ready for challenge
checking if challenge is complete
Pending
checking if challenge is complete
Verified twiki.mtronig.de
Verification completed, obtaining certificate.
Requesting Finalize Link
Requesting Order Link
Requesting certificate
Full certificate saved in /root/.getssl/twiki.mtronig.de/fullchain.crt
Certificate saved in /root/.getssl/twiki.mtronig.de/twiki.mtronig.de.crt
copying domain certificate to /var/www/twiki.mtronig.de/ssl/server.crt
copying private key to /var/www/twiki.mtronig.de/ssl/server.key_decrypted
copying CA certificate to /var/www/twiki.mtronig.de/ssl/ca-bundle.pem
reloading SSL services
 * Gracefully restarting apache2 ...                                [ ok ]
twiki.mtronig.de - certificate installed OK on server
certificate obtained for twiki.mtronig.de
# _
}}}
   1. //done - hooray!//
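
Two things the transcripts above do not show: a staging run and a production run print the same lines, so whether the `CA=` line was really switched can only be read from `getssl.cfg`, and a certificate copied into the `ssl` directory is not yet proven to belong to the key beside it or to chain to a trusted root. The script below is an added example written for this page, not the wiki's or getssl's own code; the path defaults, function names and the `VHOST`/`GETSSL_CFG` variables are assumptions. It classifies the active `CA=` line of a `getssl.cfg`, recognises the two closing lines of a successful `getssl` transcript, and verifies the installed files with `openssl`.

```shell
#!/bin/sh
# Added example for the getssl steps on this page (not the wiki's own code).
# Path defaults are assumptions and can be overridden.

# getssl_ca_mode CFG: which ACME CA does the last active (uncommented) CA= line
# select? Prints "staging", "production", "other" or "default" (no active CA=
# line, so the global getssl configuration decides, as the page notes).
getssl_ca_mode() {
    ca=$(grep -E '^[[:space:]]*CA=' "$1" | tail -n 1 | cut -d= -f2- | tr -d "\"'")
    case "$ca" in
        "")                             echo default ;;
        *acme-staging*)                 echo staging ;;
        *acme-v02.api.letsencrypt.org*) echo production ;;
        *)                              echo other ;;
    esac
}

# getssl_run_ok LOGFILE: a finished run ends with the two lines quoted on this
# page; a transcript that stops at "Pending" or earlier is treated as not done.
getssl_run_ok() {
    grep -q -- '- certificate installed OK on server' "$1" &&
    grep -q '^certificate obtained for ' "$1"
}

# verify_installed_cert HOST [DAYS]: after the production run, confirm that the
# files copied into $WWW_ROOT/HOST/ssl belong together: server.crt chains via the
# intermediates in ca-bundle.pem to a root in the system trust store, its public
# key matches server.key_decrypted, and it stays valid for DAYS (default 30).
verify_installed_cert() {
    ssl="${WWW_ROOT:-/var/www}/$1/ssl"
    days=${2:-30}
    # ca-bundle.pem holds the issuing intermediate, not a root, so it is passed
    # as -untrusted and the default trust store supplies the anchor.
    openssl verify -untrusted "$ssl/ca-bundle.pem" "$ssl/server.crt" >/dev/null ||
        { echo "$1: server.crt does not chain to a trusted root" >&2; return 1; }
    crt_pub=$(openssl x509 -noout -pubkey -in "$ssl/server.crt")
    key_pub=$(openssl pkey -pubout -in "$ssl/server.key_decrypted")
    [ "$crt_pub" = "$key_pub" ] ||
        { echo "$1: server.crt and server.key_decrypted do not match" >&2; return 1; }
    openssl x509 -noout -checkend $((days * 86400)) -in "$ssl/server.crt" >/dev/null ||
        { echo "$1: server.crt expires within $days days" >&2; return 1; }
}

# Usage: VHOST=twiki.mtronig.de sh getssl-check.sh
if [ -n "${VHOST:-}" ]; then
    cfg="${GETSSL_CFG:-/root/.getssl/$VHOST/getssl.cfg}"
    echo "$VHOST: getssl.cfg selects the $(getssl_ca_mode "$cfg") CA"
    verify_installed_cert "$VHOST" && echo "$VHOST: installed certificate verified"
fi
```

A browser will reject a staging certificate with an unknown-issuer error, and `verify_installed_cert` fails for the same reason, which is why the `getssl.cfg` check is worth running before the production `getssl` call rather than after it.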
Added in v6:
 * [[ApacheNeuerVhost|Configuring Apache and the data directory]]
 * [[ApacheGetsslNeuesCert|Setting up a new SSL cert from Letsencrypt]]

== Trac