Linux.nginx
Überblick
- Ich verwendet nginx als HTTP/2 Server auf einem Raspberry Pi
- PHP soll in allen Stufen möglich sein
Auslieferung von Android-Apps
- Hinzufügen zu /etc/nginx/mime.types
application/vnd.android.package-archive apk;
Authentifizierung
- System-Voraussetzung
apt-get install apache2-utils
- in der Host.conf
auth_basic "Administrator’s Area"; auth_basic_user_file /etc/apache2/.htpasswd;
- in der Kommandozeile
htpasswd -bc /srv/ngx/orgamon-2.dyndns.org/.htpasswd username ***pwd***
Stufe 1, :80 HTTP-Server
apt-get install nginx apt-get install php-fpm php-mbstring php-xml php-mysql
- orgamon-2.dyndns.org
server {
listen 80 default_server;
listen [::]:80 default_server;
root /srv/ngx/orgamon-2.dyndns.org;
index index.html index.htm index.nginx-debian.html;
server_name orgamon-2.dyndns.org;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
}
}
Stufe 2, :443 HTTPS-Server (TLS 1.2)
- Port 80 + 443 auf den Server lenken
apt-get install certbot certbot certonly --rsa-key-size 4096
- /etc/nginx/sites-enabled/orgamon-2.dyndns.org
server {
listen 443 ssl default_server;
ssl_protocols TLSv1.2;
root /srv/ngx/orgamon-2.dyndns.org;
index index.html index.htm index.nginx-debian.html;
server_name orgamon-2.dyndns.org;
ssl_certificate /etc/letsencrypt/live/orgamon-2.dyndns.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/orgamon-2.dyndns.org/privkey.pem;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
}
}
Stufe 3, :443 HTTP/2 Server mit TLS 1.2
server {
listen 443 ssl http2;
...
Stufe 4, :443 HTTP/2 Server mit TLS 1.3 (only!)
- Es muss ein ganz aktueller Build von openssl und nginx gemacht werden: https://github.com/MatthewVance/nginx-build
wget https://github.com/MatthewVance/nginx-build/raw/master/build-nginx.sh
# ich versuche den Debug-Mode mit hineinzukompilieren: http://nginx.org/en/docs/debugging_log.html # und habe beim Build-Skript --with-debug hinzugemacht
chmod 777 build-nginx.sh ./build-nginx.sh
- Probier aus, ob wirklich openssl-1-1-1 verwendet wird
nginx -V
dhparam
openssl dhparam -out /etc/nginx/dhparam-4096.pem 4096
- Das dauerte bei mir von 14:58 h bis 23:03 h, also ca. 8 Stunden
nginx.conf
- LÖSUNG: einfach einen aktuellen Browser verwenden, TLS 1.3 "final" war einfach für die Browser zu aktuell, die hätten einen "Draft xx" erwartet.
server {
# Content
#
server_name orgamon.com;
root /srv/ngx/orgamon.com;
index index.php;
#
location / {
index index.php index.html;
try_files $uri $uri/ =404;
}
#
location ~ \.php$ {
include fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
}
# Transport
#
listen 443 ssl http2;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve auto;
ssl_dhparam /etc/nginx/dhparam-4096.pem;
ssl_certificate /etc/letsencrypt/live/orgamon.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/orgamon.com/privkey.pem;
# Session
#
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 15m;
ssl_session_tickets off;
# Logging
#
error_log /srv/ngx/orgamon.com/error.log debug;
}
todo
CAA 1 issue “letsencrypt.org”
Meilensteine
13.09.2018
- kein Erfolg, der firefix Client sagt Protokoll-Error
06.10.2018
- Es gibt neue SSL Debug Strings
- Ich will es nochmal mit TLS 1.3 versuchen
- OpenSSL 1.1.1
- nginx 1.15.5
- geht wieder nicht (TLS 1.2 geht jedoch)!
- FireFox meldet
SSL_ERROR_PROTOCOL_VERSION_ALERT
- Nginx-Debug
2018/10/05 20:18:47 [debug] 3021#3021: epoll add event: fd:9 op:1 ev:00002001 2018/10/05 20:19:05 [debug] 3021#3021: accept on 0.0.0.0:443, ready: 0 2018/10/05 20:19:05 [debug] 3021#3021: posix_memalign: 01F3F810:256 @16 2018/10/05 20:19:05 [debug] 3021#3021: *1 accept: 79.246.106.81:52415 fd:3 2018/10/05 20:19:05 [debug] 3021#3021: *1 event timer add: 3: 60000:78931291 2018/10/05 20:19:05 [debug] 3021#3021: *1 reusable connection: 1 2018/10/05 20:19:05 [debug] 3021#3021: *1 epoll add event: fd:3 op:1 ev:80002001 2018/10/05 20:19:05 [debug] 3021#3021: *1 http check ssl handshake 2018/10/05 20:19:05 [debug] 3021#3021: *1 http recv(): 1 2018/10/05 20:19:05 [debug] 3021#3021: *1 https ssl handshake: 0x16 2018/10/05 20:19:05 [debug] 3021#3021: *1 tcp_nodelay 2018/10/05 20:19:05 [debug] 3021#3021: *1 SSL_do_handshake: -1 2018/10/05 20:19:05 [debug] 3021#3021: *1 SSL_get_error: 1 2018/10/05 20:19:05 [info] 3021#3021: *1 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 79.246.106.81, server: .0.0.0:443 2018/10/05 20:19:05 [debug] 3021#3021: *1 close http connection: 3 2018/10/05 20:19:05 [debug] 3021#3021: *1 event timer del: 3: 78931291 2018/10/05 20:19:05 [debug] 3021#3021: *1 reusable connection: 0 2018/10/05 20:19:05 [debug] 3021#3021: *1 free: 01F3F810, unused: 36
root@pi3x02:~/build/openssl-1.1.1/apps# ./openssl s_client -servername orgamon.com -connect orgamon.com:443 -tls1_3 -debug
openssl s_client -connect orgamon.com:https -tls1_3 -servername orgamon.com -tlsextdebug -debug -msg -state
26.02.2019
more, more
ssl_stapling on;
resolver 192.0.2.1;
ssl_trusted_certificate chain_path;
ssl_stapling_verify on;
TLS1.2 ECDHE-RSA-AES256-GCM-SHA384
openssl s_client -connect orgamon.com:https -alpn h2 -debug
https://scotthelme.co.uk/ecdsa-certificates/
ECDSA
https://community.letsencrypt.org/t/howto-obtain-ecdsa-cert-in-addition-to-rsa-with-certbot/61687