Linux.nginx
Überblick
- Ich verwendet nginx als HTTP/2 Server auf einem Raspberry Pi
- PHP soll in allen Stufen möglich sein
Authentifizierung
- System-Voraussetzung
apt-get install apache2-utils
- in der Host.conf
auth_basic "Administrator’s Area"; auth_basic_user_file /etc/apache2/.htpasswd;
- in der Kommandozeile
htpasswd -bc /srv/ngx/orgamon-2.dyndns.org/.htpasswd username ***pwd***
Stufe 1, :80 HTTP-Server
apt-get install nginx apt-get install php-fpm
- orgamon-2.dyndns.org
server { listen 80 default_server; listen [::]:80 default_server; root /srv/ngx/orgamon-2.dyndns.org; index index.html index.htm index.nginx-debian.html; server_name orgamon-2.dyndns.org; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; } location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; } }
Stufe 2, :443 HTTPS-Server (TLS 1.2)
- Port 80 + 443 auf den Server lenken
apt-get install certbot certbot certonly --rsa-key-size 4096
- /etc/nginx/sites-enabled/orgamon-2.dyndns.org
server { listen 443 ssl default_server; ssl_protocols TLSv1.2; root /srv/ngx/orgamon-2.dyndns.org; index index.html index.htm index.nginx-debian.html; server_name orgamon-2.dyndns.org; ssl_certificate /etc/letsencrypt/live/orgamon-2.dyndns.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/orgamon-2.dyndns.org/privkey.pem; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; } location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; }
Stufe 3, :443 HTTP/2 Server mit TLS 1.2
server { listen 443 ssl http2; ...
Stufe 4, :443 HTTP/2 Server mit TLS 1.3 (only!)
- Es muss ein ganz aktueller Build von openssl und nginx gemacht werden: https://github.com/MatthewVance/nginx-build
wget https://github.com/MatthewVance/nginx-build/raw/master/build-nginx.sh
# ich versuche den Debug-Mode mit hineinzukompilieren: http://nginx.org/en/docs/debugging_log.html # und habe beim Build-Skript --with-debug hinzugemacht
chmod 777 build-nginx.sh ./build-nginx.sh
- Probier aus, ob wirklich openssl-1-1-1 verwendet wird
nginx -V
dhparam
openssl dhparam -out /etc/nginx/dhparam-4096.pem 4096
- Das dauert von 14:58 bis
nginx.conf
- LÖSUNG: einfach einen aktuellen Browser verwenden, TLS 1.3 "final" war einfach für die Browser zu aktuell, die hätten einen "Draft xx" erwartet.
server { # Content # server_name orgamon.com; root /srv/ngx/orgamon.com; index index.php; # location / { index index.php index.html; try_files $uri $uri/ =404; } # location ~ \.php$ { include fastcgi-php.conf; fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; } # Transport # listen 443 ssl http2; ssl_protocols TLSv1.3; ssl_prefer_server_ciphers on; ssl_ecdh_curve auto; ssl_dhparam /etc/nginx/dhparam-4096.pem; ssl_certificate /etc/letsencrypt/live/orgamon.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/orgamon.com/privkey.pem; # Session # ssl_session_cache shared:SSL:20m; ssl_session_timeout 15m; ssl_session_tickets off; # Logging # error_log /srv/ngx/orgamon.com/error.log debug; }
todo
CAA 1 issue “letsencrypt.org”
Meilensteine
13.09.2018
- kein Erfolg, der firefix Client sagt Protokoll-Error
06.10.2018
- Es gibt neue SSL Debug Strings
- Ich will es nochmal mit TLS 1.3 versuchen
- OpenSSL 1.1.1
- nginx 1.15.5
- geht wieder nicht (TLS 1.2 geht jedoch)!
- FireFox meldet
SSL_ERROR_PROTOCOL_VERSION_ALERT
- Nginx-Debug
2018/10/05 20:18:47 [debug] 3021#3021: epoll add event: fd:9 op:1 ev:00002001 2018/10/05 20:19:05 [debug] 3021#3021: accept on 0.0.0.0:443, ready: 0 2018/10/05 20:19:05 [debug] 3021#3021: posix_memalign: 01F3F810:256 @16 2018/10/05 20:19:05 [debug] 3021#3021: *1 accept: 79.246.106.81:52415 fd:3 2018/10/05 20:19:05 [debug] 3021#3021: *1 event timer add: 3: 60000:78931291 2018/10/05 20:19:05 [debug] 3021#3021: *1 reusable connection: 1 2018/10/05 20:19:05 [debug] 3021#3021: *1 epoll add event: fd:3 op:1 ev:80002001 2018/10/05 20:19:05 [debug] 3021#3021: *1 http check ssl handshake 2018/10/05 20:19:05 [debug] 3021#3021: *1 http recv(): 1 2018/10/05 20:19:05 [debug] 3021#3021: *1 https ssl handshake: 0x16 2018/10/05 20:19:05 [debug] 3021#3021: *1 tcp_nodelay 2018/10/05 20:19:05 [debug] 3021#3021: *1 SSL_do_handshake: -1 2018/10/05 20:19:05 [debug] 3021#3021: *1 SSL_get_error: 1 2018/10/05 20:19:05 [info] 3021#3021: *1 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 79.246.106.81, server: .0.0.0:443 2018/10/05 20:19:05 [debug] 3021#3021: *1 close http connection: 3 2018/10/05 20:19:05 [debug] 3021#3021: *1 event timer del: 3: 78931291 2018/10/05 20:19:05 [debug] 3021#3021: *1 reusable connection: 0 2018/10/05 20:19:05 [debug] 3021#3021: *1 free: 01F3F810, unused: 36
root@pi3x02:~/build/openssl-1.1.1/apps# ./openssl s_client -servername orgamon.com -connect orgamon.com:443 -tls1_3 -debug
openssl s_client -connect orgamon.com:https -tls1_3 -servername orgamon.com -tlsextdebug -debug -msg -state
Stufe 5; php
apt-get install php php-fpm php-mbstring php-xml php-mysql
more, more
ssl_stapling on; resolver 192.0.2.1; ssl_trusted_certificate chain_path; ssl_stapling_verify on;
TLS1.2 ECDHE-RSA-AES256-GCM-SHA384
openssl s_client -connect orgamon.com:https -alpn h2 -debug
https://scotthelme.co.uk/ecdsa-certificates/
ECDSA
https://community.letsencrypt.org/t/howto-obtain-ecdsa-cert-in-addition-to-rsa-with-certbot/61687