1. Generating a key and certificate
1.1. Using OpenSSL
- Windows does not ship with openssl --> install git-scm, which bundles it: https://git-scm.com/download/win
:: On Windows, open CMD and cd into Git's usr\bin directory so that openssl can be run
cd "C:\Program Files\Git\usr\bin"

:: OpenSSL 1.1.1 supports TLS 1.3
openssl version -a

:: Generate cert.pem and key.pem (self-signed, valid for 3650 days)
openssl req -days 3650 -x509 -newkey rsa:2048 -sha256 -nodes -keyout %UserProfile%\Desktop\key.pem -out %UserProfile%\Desktop\cert.pem -subj "/C=/ST=/L=/O=/OU=web/CN=medihome.vn"

:: -nodes : no DES, i.e. the private key is written without a passphrase
:: -days 3650 : validity period of the certificate in days
:: -x509 : output a self-signed certificate instead of a certificate signing request; typically used for a test certificate or a self-signed root CA
:: -sha256 : sign with SHA-2 instead of SHA-1
:: -subj "/C=/ST=/L=/O=/OU=web/CN=medihome.vn" : Country/State/Locality(city)/Organization/Organizational Unit/CommonName (CN is required; empty fields are skipped with a warning)
:: -keyout key.pem -out cert.pem : PEM-format files, commonly with the extensions .pem, .crt, .cer, .key

:: Create a DH parameters file (not yet working at the time of writing; note that the bit count must be the last argument, after the options)
openssl dhparam -out %UserProfile%\Desktop\dhparam.pem 2048
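The command above produces a key and a certificate but does not check them. The POSIX shell script below is an added example (not part of the original notes): it generates a self-signed pair with the same options and then runs the checks a practitioner wants before handing the files to a server: the CN is what was asked for, the certificate's public key really belongs to the private key, the key is 2048 bits, and the certificate is still valid. It assumes openssl 1.1.1 or newer on the PATH (on Windows, Git Bash provides it); the directory and CN are passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the original notes: generate a self-signed key/cert pair
# and verify it. Assumes openssl 1.1.1+ on the PATH.
set -eu

# gen_selfsigned DIR CN -> writes DIR/key.pem and DIR/cert.pem
gen_selfsigned() {
    dir="$1"; cn="$2"
    # Same options as the notes: RSA 2048, SHA-256, no passphrase, 10-year self-signed cert.
    openssl req -days 3650 -x509 -newkey rsa:2048 -sha256 -nodes \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/OU=web/CN=$cn" 2>/dev/null
}

# cert_cn CERT -> prints the CommonName from the certificate subject
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_matches_key CERT KEY -> exit 0 only if the public key inside CERT is the one
# derived from KEY (a mismatched pair is the classic cause of "nginx fails to start").
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# cert_not_expired CERT DAYS -> exit 0 if the cert is still valid DAYS days from now
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# cert_key_bits CERT -> prints the RSA modulus size in bits (e.g. 2048)
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | grep 'Public-Key' | tr -dc '0-9'
}

# Usage: sh check_cert.sh --demo   (generates into a temp dir and prints the results)
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    gen_selfsigned "$d" medihome.vn
    echo "CN:        $(cert_cn "$d/cert.pem")"
    echo "key bits:  $(cert_key_bits "$d/cert.pem")"
    cert_matches_key "$d/cert.pem" "$d/key.pem" && echo "cert/key:  match"
    cert_not_expired "$d/cert.pem" 30 && echo "validity:  ok for at least 30 days"
    rm -rf "$d"
fi
```

`cert_matches_key` compares the SPKI public key exported from each file rather than the RSA modulus, so it works unchanged for EC keys too; `-checkend` is the cheap way to put an expiry alert into a cron job.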
1.2. Using Let's Encrypt
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt
# --standalone starts its own web server on port 80 for validation, so nothing else may be listening there; each domain needs its own -d
./letsencrypt-auto certonly --standalone --email duyk30b@gmail.com -d medihome.ga -d jenkins.medihome.ga
After the certificate is generated you will have 4 files:
/etc/letsencrypt/live/domain.com/cert.pem       (the server certificate only)
/etc/letsencrypt/live/domain.com/privkey.pem    (the private key; keep it readable only by root and the web server)
/etc/letsencrypt/live/domain.com/chain.pem      (the intermediate CA certificate(s))
/etc/letsencrypt/live/domain.com/fullchain.pem  (cert.pem followed by chain.pem; point nginx's ssl_certificate at this one)
2. Installing the SSL certificate
2.1. Live Server: VSCode settings
-- In VSCode's settings.json
-- Copy the 2 files (cert.pem, key.pem) to the paths referenced below
"liveServer.settings.port": 5501,
"liveServer.settings.root": "/",
"liveServer.settings.CustomBrowser": "chrome",
"liveServer.settings.https": {
    "enable": true,
    "cert": "/Users/duyk3/.vscode/https/cert.pem",
    "key": "/Users/duyk3/.vscode/https/key.pem",
    "passphrase": ""
}
2.2. ReactJS
-- Create React App reads these variables from the project's .env file (or the command line)
HTTPS=true
SSL_CRT_FILE=C:/Users/duyk3/.vscode/https/cert.pem
SSL_KEY_FILE=C:/Users/duyk3/.vscode/https/key.pem
3. Testing Nginx to serve https://localhost
3.1. Create the file ./nginx/docker-compose.yml
version: '3.3'
services:
  nginx:
    container_name: mhc_nginx
    image: nginx:1.23.1-alpine
    restart: always
    volumes:
      - ./mh-nginx/conf.d/:/etc/nginx/conf.d/
      - ./mh-nginx/ssl/:/etc/nginx/ssl/
    ports:
      - "80:80"
      - "443:443"
3.2. Create the file ./nginx/mh-nginx/conf.d/default.conf
server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate     /etc/nginx/ssl/openssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/openssl/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location / {
        proxy_pass http://10.0.13.80:4000/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # the conventional header names are X-Forwarded-For / X-Forwarded-Proto;
        # $scheme is "https" in this block, so the backend learns that TLS was terminated here
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }
}

# redirect plain HTTP to HTTPS
server {
    listen 80;
    server_name localhost;
    return 301 https://$host$request_uri;
}
3.3. Creating the SSL files
- Create the directory: ./nginx/mh-nginx/ssl/openssl/
cd ./nginx/mh-nginx/ssl/openssl/
openssl req -days 3650 -x509 -newkey rsa:2048 -sha256 -nodes -keyout key.pem -out cert.pem -subj "/C=/ST=/L=/O=/OU=web/CN=medihome.vn"
3.4. Run docker
sudo docker compose up -d
sudo docker compose logs -f
4. Other notes
- TLS session cache (session resumption):
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
- DH parameters (ssl_dhparam, pointing at the dhparam.pem generated in 1.1)
- HSTS:
    add_header Strict-Transport-Security "max-age=31536000" always;
- OCSP stapling
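The four items above are usually deployed together as one include file for the `server { listen 443 ssl; ... }` block. The script below is an added example, not part of the original notes: it writes that include file with the directives each feature needs (OCSP stapling also needs the issuer chain and a resolver), and checks that every file the include refers to exists before you `nginx -s reload`. The paths /etc/nginx/ssl/dhparam.pem and /etc/nginx/ssl/chain.pem are assumed placeholders; pass your own.

```shell
#!/bin/sh
# Added example, not part of the original notes: write the TLS tuning directives from
# section 4 as an nginx include file and sanity-check it before reloading nginx.
set -eu

# write_tls_conf OUT DHPARAM CHAIN -> writes an include file for the HTTPS server block.
# DHPARAM and CHAIN are paths on the nginx host (assumed placeholders in the usage below).
write_tls_conf() {
    out="$1"; dhparam="$2"; chain="$3"
    cat > "$out" <<EOF
# Session resumption: the shared cache is visible to all workers; 1 MB holds about 4000 sessions
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;

# DH parameters for the EDH/DHE cipher suites (generated with: openssl dhparam -out dhparam.pem 2048)
ssl_dhparam $dhparam;

# HSTS: browsers remember to use HTTPS for one year. Do not send this from a localhost test
# with a self-signed certificate: once pinned, the browser no longer lets you click through
# the certificate warning.
add_header Strict-Transport-Security "max-age=31536000" always;

# OCSP stapling: nginx fetches the OCSP response and includes it in the handshake. Needs a
# CA-issued certificate (a self-signed cert has no OCSP responder), the issuer chain to
# verify the response, and a resolver so nginx can look up the responder's hostname.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate $chain;
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;
EOF
}

# conf_directive FILE NAME -> prints the arguments of the first directive NAME in FILE
conf_directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# hsts_max_age FILE -> prints the max-age value from the Strict-Transport-Security header
hsts_max_age() {
    conf_directive "$1" add_header | sed -n 's/.*max-age=\([0-9]*\).*/\1/p'
}

# check_tls_conf FILE -> exit 0 if every file the include refers to exists, otherwise
# report what is missing and exit 1 (nginx refuses to start when ssl_dhparam is missing)
check_tls_conf() {
    rc=0
    for name in ssl_dhparam ssl_trusted_certificate; do
        path=$(conf_directive "$1" "$name")
        if [ -z "$path" ]; then
            echo "missing directive: $name"; rc=1
        elif [ ! -f "$path" ]; then
            echo "$name refers to a file that does not exist: $path"; rc=1
        fi
    done
    return $rc
}

# Usage (assumed placeholder paths):
#   sh tls_conf.sh --write /etc/nginx/conf.d/tls.inc /etc/nginx/ssl/dhparam.pem /etc/nginx/ssl/chain.pem
#   then add `include /etc/nginx/conf.d/tls.inc;` inside the listen 443 server block.
if [ "${1:-}" = "--write" ]; then
    write_tls_conf "$2" "$3" "$4"
    check_tls_conf "$2" && echo "wrote $2 (HSTS max-age $(hsts_max_age "$2"))"
fi
```

`check_tls_conf` only verifies paths; run `nginx -t` afterwards for a full syntax check, and test stapling from a client with `openssl s_client -status` (the response is only stapled once nginx has fetched it, so the first handshake after a reload may show none).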