Linux.nginx: Unterschied zwischen den Versionen
| Zeile 186: | Zeile 186: | ||
https://community.letsencrypt.org/t/howto-obtain-ecdsa-cert-in-addition-to-rsa-with-certbot/61687 | https://community.letsencrypt.org/t/howto-obtain-ecdsa-cert-in-addition-to-rsa-with-certbot/61687 | ||
== Script zur Erstellung von Servern == | |||
program massConf; | |||
{$mode objfpc}{$H+} | |||
uses | |||
Classes, SysUtils, Unix; | |||
function split(s:string; Delimiter:string=';'):TStringList; | |||
var | |||
n : Integer; | |||
begin | |||
result := TStringList.create; | |||
repeat | |||
n := pos(Delimiter,s); | |||
if (n>0) then | |||
begin | |||
result.add( copy(s,1,pred(n))); | |||
s := copy(s,succ(n),MaxInt); | |||
end else | |||
begin | |||
result.add(s); | |||
break; | |||
end; | |||
until false; | |||
end; | |||
var | |||
sHeaders : TStringList; | |||
sValues : TStringList; | |||
const | |||
Param = 'ablagen'; | |||
function eval(s:string):string; | |||
var | |||
n,m : Integer; | |||
begin | |||
if (pos('~',s)>0) then | |||
begin | |||
for n := 0 to pred(sHeaders.count) do | |||
begin | |||
m := pos('~'+sHeaders[n]+'~',s); | |||
if (m>0) then | |||
begin | |||
s := | |||
copy(s,1,pred(m)) + | |||
sValues[n] + | |||
copy(s,m+length(sHeaders[n])+2,MaxInt); | |||
if (pos('~',s)=0) then | |||
break; | |||
end; | |||
end; | |||
end; | |||
result := s; | |||
end; | |||
var | |||
sConf : TStringList; | |||
sParameter : TStringList; | |||
sTemplate : TStringList; | |||
sOutPut : TStringList; | |||
sData : TStringList; | |||
sCopy : TStringList; | |||
n,m : Integer; | |||
StartDataFlag : boolean; | |||
// Parameter | |||
pOutput : string; | |||
begin | |||
sConf := TStringList.create; | |||
sConf.loadfromFile(Param+'.conf'); | |||
StartDataFlag := false; | |||
sTemplate := TStringList.create; | |||
sParameter := TStringList.create; | |||
for n := 0 to pred(sConf.count) do | |||
begin | |||
if StartDataFlag then | |||
begin | |||
sTemplate.add(sConf[n]); | |||
end else | |||
begin | |||
if (pos('#',sConf[n])<>1) then | |||
sParameter.add(sConf[n]); | |||
end; | |||
if not(StartDataFlag) then | |||
if (sConf[n]=':') then | |||
StartDataFlag := true; | |||
end; | |||
sConf.free; | |||
// Load the parameter, more to come | |||
pOutPut := sParameter.values['Output']; | |||
sData := TStringList.create; | |||
sData.loadfromFile(Param+'.csv'); | |||
sHeaders := split(sData[0]); | |||
for n := 1 to pred(sData.count) do | |||
begin | |||
// prepare Data | |||
sValues := split(sData[n]); | |||
// assume [0] is speakfull | |||
write( sValues[0] + ' ... ' ); | |||
// Dateien sicherstellen? | |||
for m := 0 to pred(sParameter.count) do | |||
if (pos('cp ',sParameter[m])=1) then | |||
begin | |||
sCopy := split(eval(sParameter[m]),' '); | |||
if not(FileExists(sCopy[2])) then | |||
fpsystem('cp '+sCopy[1]+' '+sCopy[2]); | |||
sCopy.free; | |||
end; | |||
// Template ausbelichten | |||
sOutPut := TStringList.create; | |||
for m := 0 to pred(sTemplate.count) do | |||
sOutPut.add( eval(sTemplate[m])); | |||
sOutPut.saveToFile(eval(pOutPut)); | |||
sOutPut.free; | |||
// unprepare | |||
sValues.free; | |||
writeln('OK'); | |||
end; | |||
sData.free; | |||
sHeaders.free; | |||
sTemplate.free; | |||
sParameter.free; | |||
end. | |||
== Meilensteine == | == Meilensteine == | ||
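Review bot: The added massConf script runs a shell command assembled from CSV-derived text at `fpsystem('cp '+sCopy[1]+' '+sCopy[2])`, so any field containing `;`, `$(...)`, quotes or a blank is interpreted by the shell instead of being used as a path. Copying with TFileStream (Classes is already in the uses clause) removes the shell from that path entirely and only needs two TFileStream locals in the main program; the `split(..., ' ')` call additionally means paths with spaces never work, which the conf-line format should state. Independently, `eval` replaces only the first `~Header~` occurrence in a line and reads `sValues[n]` without checking that the row has that many columns, so a short CSV row aborts the run with a list-index error. I would put `// "cp SRC DST" paths must not contain blanks; CSV values are untrusted input` at the top of the script and use the copy below instead of fpsystem.
```pascal
// … unchanged: conf/csv parsing …
if not(FileExists(sCopy[2])) then
begin
  src := TFileStream.Create(sCopy[1], fmOpenRead or fmShareDenyWrite);
  try
    dst := TFileStream.Create(sCopy[2], fmCreate);
    try
      dst.CopyFrom(src, src.Size);
    finally
      dst.Free;
    end;
  finally
    src.Free;
  end;
end;
// … unchanged: template rendering …
```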
Version vom 3. März 2019, 22:18 Uhr
Überblick
- Ich verwende nginx als HTTP/2-Server auf einem Raspberry Pi
- PHP soll in allen Stufen möglich sein
Auslieferung von Android-Apps
- Hinzufügen zu /etc/nginx/mime.types
application/vnd.android.package-archive apk;
Authentifizierung
- System-Voraussetzung
apt-get install apache2-utils
- in der Host.conf
auth_basic "Administrator’s Area";
auth_basic_user_file /etc/apache2/.htpasswd;
Achtung: der Pfad muss zu der Datei passen, die htpasswd unten anlegt (/srv/ngx/orgamon-2.dyndns.org/.htpasswd), sonst findet nginx keine Benutzer. Die Datei liegt damit im Document-Root des Hosts; entweder außerhalb ablegen (z. B. /etc/nginx/.htpasswd) oder per `location ~ /\.ht { deny all; }` vor der Auslieferung schützen.
- in der Kommandozeile
htpasswd -bc /srv/ngx/orgamon-2.dyndns.org/.htpasswd username ***pwd***
(-b übergibt das Passwort auf der Kommandozeile und damit in Shell-History und Prozessliste; ohne -b fragt htpasswd es interaktiv ab. -c legt die Datei neu an und überschreibt vorhandene Einträge.)
Stufe 1, :80 HTTP-Server
apt-get install nginx
apt-get install php-fpm php-mbstring php-xml php-mysql
- orgamon-2.dyndns.org
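server {
    # Stage 1: plain HTTP on :80, PHP handed to php-fpm over a unix socket.
    listen 80 default_server;
    listen [::]:80 default_server;

    root /srv/ngx/orgamon-2.dyndns.org;
    index index.html index.htm index.nginx-debian.html;
    server_name orgamon-2.dyndns.org;

    # The auth_basic user file is created inside this document root
    # (htpasswd -bc /srv/ngx/orgamon-2.dyndns.org/.htpasswd ...); without this
    # rule "try_files $uri" would hand /.htpasswd to any client asking for it.
    location ~ /\.ht {
        deny all;
    }

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # snippets/fastcgi-php.conf is the distribution-supplied include (not shown here).
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    }
}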
Stufe 2, :443 HTTPS-Server (TLS 1.2)
- Port 80 + 443 auf den Server lenken
apt-get install certbot
certbot certonly --rsa-key-size 4096
- /etc/nginx/sites-enabled/orgamon-2.dyndns.org
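server {
    # Stage 2: TLS 1.2 on :443 with the certificate obtained by certbot.
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_protocols TLSv1.2;

    root /srv/ngx/orgamon-2.dyndns.org;
    index index.html index.htm index.nginx-debian.html;
    server_name orgamon-2.dyndns.org;

    # certbot keeps the live key material under /etc/letsencrypt/live/<name>/.
    ssl_certificate /etc/letsencrypt/live/orgamon-2.dyndns.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/orgamon-2.dyndns.org/privkey.pem;

    # The auth_basic user file for this host lives in its document root
    # (htpasswd -bc /srv/ngx/orgamon-2.dyndns.org/.htpasswd ...), so it must
    # never be served.
    location ~ /\.ht {
        deny all;
    }

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    }
}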
Stufe 3, :443 HTTP/2 Server mit TLS 1.2
server {
listen 443 ssl http2;
...
Stufe 4, :443 HTTP/2 Server mit TLS 1.3 (only!)
- Es muss ein ganz aktueller Build von openssl und nginx gemacht werden: https://github.com/MatthewVance/nginx-build
wget https://github.com/MatthewVance/nginx-build/raw/master/build-nginx.sh
# Ich versuche, den Debug-Mode mit hineinzukompilieren: http://nginx.org/en/docs/debugging_log.html
# Dazu habe ich im Build-Skript --with-debug hinzugefügt.
chmod u+x build-nginx.sh   # 777 ist unnötig und macht das Skript für alle Benutzer schreibbar
./build-nginx.sh
- Probier aus, ob wirklich openssl-1-1-1 verwendet wird
nginx -V
dhparam
openssl dhparam -out /etc/nginx/dhparam-4096.pem 4096
- Das dauerte bei mir von 14:58 h bis 23:03 h, also ca. 8 Stunden
nginx.conf
- LÖSUNG: einfach einen aktuellen Browser verwenden, TLS 1.3 "final" war einfach für die Browser zu aktuell, die hätten einen "Draft xx" erwartet.
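server {
    # Stage 4: HTTP/2 over TLS 1.3 only, on the custom nginx/OpenSSL 1.1.1 build.
    # Content
    #
    server_name orgamon.com;
    root /srv/ngx/orgamon.com;
    index index.php;
    #
    location / {
        index index.php index.html;
        try_files $uri $uri/ =404;
    }
    #
    # NOTE(review): the other hosts on this page include snippets/fastcgi-php.conf;
    # the custom build may use a different prefix -- confirm this include resolves.
    location ~ \.php$ {
        include fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    }
    # Transport
    #
    listen 443 ssl http2;
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve auto;
    # With only TLSv1.3 enabled these DH parameters are not used (TLS 1.3 takes
    # its key-exchange groups from ssl_ecdh_curve); kept for when TLSv1.2 is
    # re-enabled.
    ssl_dhparam /etc/nginx/dhparam-4096.pem;
    ssl_certificate /etc/letsencrypt/live/orgamon.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/orgamon.com/privkey.pem;
    # Session
    #
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 15m;
    ssl_session_tickets off;
    # Logging
    #
    # The debug log used to be written to /srv/ngx/orgamon.com/error.log, i.e.
    # inside the document root, where "try_files $uri" would serve it to any
    # client requesting /error.log (it contains client IPs and internal paths).
    # Keep it outside the web root (directory must exist and be writable by
    # the worker user) and drop "debug" once the TLS 1.3 problem is solved.
    error_log /var/log/nginx/orgamon.com-error.log debug;
}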
todo
CAA 0 issue "letsencrypt.org"   (DNS-Record der Zone; Flags-Wert 0 ist der Normalfall, 128 bedeutet „issuer critical“)
ssl_stapling on;
resolver 192.0.2.1;   # Platzhalter: 192.0.2.0/24 ist ein Dokumentations-Netz. Hier den tatsächlich erreichbaren DNS-Resolver eintragen, sonst kann nginx den OCSP-Responder nicht auflösen und Stapling bleibt wirkungslos.
ssl_trusted_certificate chain_path;
ssl_stapling_verify on;
TLS1.2 ECDHE-RSA-AES256-GCM-SHA384
openssl s_client -connect orgamon.com:https -alpn h2 -debug
https://scotthelme.co.uk/ecdsa-certificates/
- ECDSA
https://community.letsencrypt.org/t/howto-obtain-ecdsa-cert-in-addition-to-rsa-with-certbot/61687
Script zur Erstellung von Servern
program massConf;
{$mode objfpc}{$H+}
uses
Classes, SysUtils, Unix;
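function split(s:string; Delimiter:string=';'):TStringList;
// Splits s at every occurrence of Delimiter and returns the pieces as a new
// TStringList, which the caller owns and must free. An empty s yields one
// empty entry; a trailing delimiter yields a trailing empty entry; an empty
// Delimiter yields s as the single entry (pos('',...) never matches).
// Fix: the remainder used to be cut at succ(n), i.e. one character past the
// match, which left the tail of a multi-character delimiter at the start of
// the next piece; the cut is now n+length(Delimiter).
var
  n : Integer;
begin
  result := TStringList.create;
  if (Delimiter='') then
  begin
    result.add(s);
    exit;
  end;
  n := pos(Delimiter,s);
  while (n>0) do
  begin
    result.add(copy(s,1,pred(n)));
    s := copy(s,n+length(Delimiter),MaxInt);
    n := pos(Delimiter,s);
  end;
  // whatever follows the last delimiter (possibly '') is the final piece
  result.add(s);
end;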
var
sHeaders : TStringList;
sValues : TStringList;
const
Param = 'ablagen';
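function eval(s:string):string;
// Expands every ~Header~ placeholder in s with the value from the same column
// of the current CSV row (globals sHeaders / sValues, filled by the main
// program). Placeholders without a matching header, and headers for which
// this row has no column (short CSV line), are left untouched so the gap is
// visible in the generated file instead of raising a list-index error.
// Fix: all occurrences of a placeholder in the line are replaced, not only
// the first one.
var
  n : Integer;
  marker : string;
begin
  result := s;
  if (pos('~',result)=0) then
    exit;
  for n := 0 to pred(sHeaders.count) do
  begin
    // sValues may have fewer columns than sHeaders
    if (n >= sValues.count) then
      break;
    marker := '~'+sHeaders[n]+'~';
    if (pos(marker,result)>0) then
      result := StringReplace(result,marker,sValues[n],[rfReplaceAll]);
    // nothing left that could be a placeholder
    if (pos('~',result)=0) then
      break;
  end;
end;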
var
sConf : TStringList;
sParameter : TStringList;
sTemplate : TStringList;
sOutPut : TStringList;
sData : TStringList;
sCopy : TStringList;
n,m : Integer;
StartDataFlag : boolean;
// Parameter
pOutput : string;
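// Copies src to dst with plain file streams instead of spawning "cp" through
// the shell: both paths come straight out of the .conf/.csv files, so a value
// containing shell metacharacters (';', '$(...)', quotes, blanks) would
// otherwise be executed by fpsystem instead of being used as a path.
// Mode and ownership of src are not preserved (plain cp did not preserve
// them either). The caller decides whether an existing dst may be replaced.
procedure copyFileSafe(const src, dst : string);
var
  fin, fout : TFileStream;
begin
  fin := TFileStream.create(src, fmOpenRead or fmShareDenyWrite);
  try
    fout := TFileStream.create(dst, fmCreate);
    try
      fout.copyFrom(fin, fin.size);
    finally
      fout.free;
    end;
  finally
    fin.free;
  end;
end;

begin
  // 1. <Param>.conf: up to a line that is exactly ':' every non-'#' line is a
  //    parameter ("Output=<path template>" or "cp SRC DST"); everything after
  //    the ':' line is the template that is rendered once per CSV row.
  sConf := TStringList.create;
  sConf.loadfromFile(Param+'.conf');
  StartDataFlag := false;
  sTemplate := TStringList.create;
  sParameter := TStringList.create;
  for n := 0 to pred(sConf.count) do
  begin
    if StartDataFlag then
      sTemplate.add(sConf[n])
    else
    begin
      if (pos('#',sConf[n])<>1) then
        sParameter.add(sConf[n]);
      if (sConf[n]=':') then
        StartDataFlag := true;
    end;
  end;
  sConf.free;

  // 2. Output path template; an empty one would make saveToFile('') fail later.
  pOutPut := sParameter.values['Output'];
  if (pOutPut='') then
  begin
    writeln('Output= missing in '+Param+'.conf');
    halt(1);
  end;

  // 3. <Param>.csv: row 0 holds the column headers, every further row is one server.
  sData := TStringList.create;
  sData.loadfromFile(Param+'.csv');
  if (sData.count=0) then
  begin
    writeln(Param+'.csv is empty');
    halt(1);
  end;
  sHeaders := split(sData[0]);
  for n := 1 to pred(sData.count) do
  begin
    // a blank line (e.g. trailing newline) is not a server
    if (trim(sData[n])='') then
      continue;
    sValues := split(sData[n]);
    // assume column [0] is a human-readable name
    write( sValues[0] + ' ... ' );
    // "cp SRC DST" parameter lines: copy once, never overwrite. The line is
    // split on blanks, so neither path may contain a space.
    for m := 0 to pred(sParameter.count) do
      if (pos('cp ',sParameter[m])=1) then
      begin
        sCopy := split(eval(sParameter[m]),' ');
        if (sCopy.count<3) then
          writeln('skipping malformed cp line: '+sParameter[m])
        else if not(FileExists(sCopy[2])) then
          copyFileSafe(sCopy[1],sCopy[2]);
        sCopy.free;
      end;
    // render the template for this row
    sOutPut := TStringList.create;
    for m := 0 to pred(sTemplate.count) do
      sOutPut.add( eval(sTemplate[m]));
    sOutPut.saveToFile(eval(pOutPut));
    sOutPut.free;
    sValues.free;
    writeln('OK');
  end;
  sData.free;
  sHeaders.free;
  sTemplate.free;
  sParameter.free;
end.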
Meilensteine
13.09.2018
- kein Erfolg, der Firefox-Client meldet einen Protokoll-Fehler
06.10.2018
- Es gibt neue SSL Debug Strings
- Ich will es nochmal mit TLS 1.3 versuchen
- OpenSSL 1.1.1
- nginx 1.15.5
- geht wieder nicht (TLS 1.2 geht jedoch)!
- FireFox meldet
SSL_ERROR_PROTOCOL_VERSION_ALERT
- Nginx-Debug
2018/10/05 20:18:47 [debug] 3021#3021: epoll add event: fd:9 op:1 ev:00002001
2018/10/05 20:19:05 [debug] 3021#3021: accept on 0.0.0.0:443, ready: 0
2018/10/05 20:19:05 [debug] 3021#3021: posix_memalign: 01F3F810:256 @16
2018/10/05 20:19:05 [debug] 3021#3021: *1 accept: 79.246.106.81:52415 fd:3
2018/10/05 20:19:05 [debug] 3021#3021: *1 event timer add: 3: 60000:78931291
2018/10/05 20:19:05 [debug] 3021#3021: *1 reusable connection: 1
2018/10/05 20:19:05 [debug] 3021#3021: *1 epoll add event: fd:3 op:1 ev:80002001
2018/10/05 20:19:05 [debug] 3021#3021: *1 http check ssl handshake
2018/10/05 20:19:05 [debug] 3021#3021: *1 http recv(): 1
2018/10/05 20:19:05 [debug] 3021#3021: *1 https ssl handshake: 0x16
2018/10/05 20:19:05 [debug] 3021#3021: *1 tcp_nodelay
2018/10/05 20:19:05 [debug] 3021#3021: *1 SSL_do_handshake: -1
2018/10/05 20:19:05 [debug] 3021#3021: *1 SSL_get_error: 1
2018/10/05 20:19:05 [info] 3021#3021: *1 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 79.246.106.81, server: 0.0.0.0:443
2018/10/05 20:19:05 [debug] 3021#3021: *1 close http connection: 3
2018/10/05 20:19:05 [debug] 3021#3021: *1 event timer del: 3: 78931291
2018/10/05 20:19:05 [debug] 3021#3021: *1 reusable connection: 0
2018/10/05 20:19:05 [debug] 3021#3021: *1 free: 01F3F810, unused: 36
root@pi3x02:~/build/openssl-1.1.1/apps# ./openssl s_client -servername orgamon.com -connect orgamon.com:443 -tls1_3 -debug
openssl s_client -connect orgamon.com:https -tls1_3 -servername orgamon.com -tlsextdebug -debug -msg -state