Linux.nginx: Difference between revisions

From OrgaMon Wiki

Revision as of 8 October 2018, 19:21

Overview

  • I use nginx as an HTTP/2 server on a Raspberry Pi
  • PHP should be possible in all stages

Authentication

  • System requirement
apt-get install apache2-utils
  • in the host conf
   auth_basic           "Administrator's Area";
   auth_basic_user_file /etc/apache2/.htpasswd;
  • on the command line
htpasswd -bc /srv/ngx/orgamon-2.dyndns.org/.htpasswd username ***pwd***
  • Caveats: auth_basic_user_file must name the file that htpasswd writes, and the two paths above differ, so the protected area cannot be opened until they agree. The htpasswd target here is also the document root of the site below; nginx, unlike Apache, serves dotfiles by default, so /.htpasswd would be downloadable. Keep the user file outside the web root. The -b option takes the password on the command line, where it lands in the shell history and is visible in ps; omit it and let htpasswd prompt. Basic auth sends the credential base64-encoded, not encrypted, so use it only in the :443 server.
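The following server block is an added example, not the wiki's own configuration. It shows the same auth_basic directives scoped to one prefix (/admin/, an assumed path), with the user file at an assumed location outside the document root (/etc/nginx/htpasswd), served only over TLS with the stage 2 certificate paths, and with a nested PHP location so that the top-level `~ \.php$` regex cannot win over the prefix and hand out /admin/*.php without authentication.

```nginx
# Added example (not the wiki's own config).
# Assumptions: /admin/ is the area to protect, the user file lives at
# /etc/nginx/htpasswd (outside the document root), certificates as in stage 2.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name orgamon-2.dyndns.org;

    root  /srv/ngx/orgamon-2.dyndns.org;
    index index.html index.htm;

    ssl_certificate     /etc/letsencrypt/live/orgamon-2.dyndns.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/orgamon-2.dyndns.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Basic auth only in a TLS server: the credential is base64, not encrypted.
    # ^~ stops the regex search, so the top-level "~ \.php$" location below cannot
    # win over this prefix and serve /admin/*.php without authentication.
    location ^~ /admin/ {
        auth_basic           "Administrator's Area";
        auth_basic_user_file /etc/nginx/htpasswd;   # root:www-data, mode 0640

        # PHP inside /admin/ is handled here; the nested location inherits auth_basic
        location ~ \.php$ {
            include      snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        }

        try_files $uri $uri/ =404;
    }

    # nginx serves dotfiles by default; Apache's built-in .ht* block does not exist here
    location ~ /\. {
        return 404;
    }

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include      snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    }
}
```

Create the user file with `htpasswd -c /etc/nginx/htpasswd username` (no -b, so the password is prompted instead of typed on the command line), then `chown root:www-data /etc/nginx/htpasswd && chmod 640 /etc/nginx/htpasswd`, and check with `nginx -t` before `systemctl reload nginx`. A request for /admin/x.php without credentials must return 401; a request for /.htpasswd must return 404.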

Stage 1: HTTP server on :80

apt-get install nginx
apt-get install php php-fpm
  • orgamon-2.dyndns.org
server {
       listen 80 default_server;
       listen [::]:80 default_server;

       root /srv/ngx/orgamon-2.dyndns.org;

       index index.html index.htm index.nginx-debian.html;

       server_name orgamon-2.dyndns.org;

       location / {
               # First attempt to serve request as file, then
               # as directory, then fall back to displaying a 404.
               try_files $uri $uri/ =404;
       }

       location ~ \.php$ {
               include snippets/fastcgi-php.conf;
               fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
       }

}

Stage 2: HTTPS server on :443 (TLS 1.2)

apt-get install certbot
certbot certonly
  • /etc/nginx/sites-enabled/orgamon-2.dyndns.org
server {

       listen 443 ssl default_server;
       ssl_protocols TLSv1.2;

       root /srv/ngx/orgamon-2.dyndns.org;

       index index.html index.htm index.nginx-debian.html;

       server_name orgamon-2.dyndns.org;

       ssl_certificate /etc/letsencrypt/live/orgamon-2.dyndns.org/fullchain.pem;
       ssl_certificate_key /etc/letsencrypt/live/orgamon-2.dyndns.org/privkey.pem;

       location / {
               # First attempt to serve request as file, then
               # as directory, then fall back to displaying a 404.
               try_files $uri $uri/ =404;
       }

       location ~ \.php$ {
               include snippets/fastcgi-php.conf;
               fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
       }

}

Stage 3: HTTP/2 server on :443 with TLS 1.2

server {

      listen 443 ssl http2;
...

Stage 4: HTTP/2 server on :443 with TLS 1.3 (only!)

wget https://github.com/MatthewVance/nginx-build/raw/master/build-nginx.sh
# I am trying to compile the debug mode in as well: http://nginx.org/en/docs/debugging_log.html
# and have added --with-debug in the build script


chmod +x build-nginx.sh   # +x is all the script needs; 777 would leave a script that runs as root world-writable
./build-nginx.sh          # third-party script fetched from GitHub and run as root: read it before executing it
  • Check whether OpenSSL 1.1.1 is really being used
nginx -V                  # prints "built with OpenSSL ..." and, if it differs, "running with OpenSSL ..."; both must be 1.1.1 for TLS 1.3


13.09.2018

  • no success, the Firefox client reports a protocol error

06.10.2018

  • There are new SSL debug strings
  • I want to try TLS 1.3 again
  • OpenSSL 1.1.1
  • nginx 1.15.5
  • still does not work (TLS 1.2 does work, though)!
  • Firefox reports
 SSL_ERROR_PROTOCOL_VERSION_ALERT
  • nginx debug log
2018/10/05 20:18:47 [debug] 3021#3021: epoll add event: fd:9 op:1 ev:00002001
2018/10/05 20:19:05 [debug] 3021#3021: accept on 0.0.0.0:443, ready: 0
2018/10/05 20:19:05 [debug] 3021#3021: posix_memalign: 01F3F810:256 @16
2018/10/05 20:19:05 [debug] 3021#3021: *1 accept: 79.246.106.81:52415 fd:3
2018/10/05 20:19:05 [debug] 3021#3021: *1 event timer add: 3: 60000:78931291
2018/10/05 20:19:05 [debug] 3021#3021: *1 reusable connection: 1
2018/10/05 20:19:05 [debug] 3021#3021: *1 epoll add event: fd:3 op:1 ev:80002001
2018/10/05 20:19:05 [debug] 3021#3021: *1 http check ssl handshake
2018/10/05 20:19:05 [debug] 3021#3021: *1 http recv(): 1
2018/10/05 20:19:05 [debug] 3021#3021: *1 https ssl handshake: 0x16
2018/10/05 20:19:05 [debug] 3021#3021: *1 tcp_nodelay
2018/10/05 20:19:05 [debug] 3021#3021: *1 SSL_do_handshake: -1
2018/10/05 20:19:05 [debug] 3021#3021: *1 SSL_get_error: 1
2018/10/05 20:19:05 [info] 3021#3021: *1 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 79.246.106.81, server: 0.0.0.0:443
2018/10/05 20:19:05 [debug] 3021#3021: *1 close http connection: 3
2018/10/05 20:19:05 [debug] 3021#3021: *1 event timer del: 3: 78931291
2018/10/05 20:19:05 [debug] 3021#3021: *1 reusable connection: 0
2018/10/05 20:19:05 [debug] 3021#3021: *1 free: 01F3F810, unused: 36
# check with the freshly built OpenSSL 1.1.1 from its apps/ directory (the distro's openssl may not know -tls1_3)
root@pi3x02:~/build/openssl-1.1.1/apps# ./openssl s_client -servername orgamon.com -connect orgamon.com:443 -tls1_3 -debug
# the same check with handshake state transitions, raw messages and extensions shown
openssl s_client -connect orgamon.com:https -tls1_3 -servername orgamon.com -tlsextdebug -debug -msg -state
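Read from the server side, the debug log above already names the cause: OpenSSL raises `tls_early_post_process_client_hello: unsupported protocol` when the ClientHello offers no protocol version the server is configured to accept, and it answers with a protocol_version alert, which is exactly what Firefox shows as SSL_ERROR_PROTOCOL_VERSION_ALERT. With `ssl_protocols TLSv1.3;` alone, every client that does not speak RFC 8446 TLS 1.3 (a TLS 1.2-only client, and in 2018 also browsers that still sent a pre-RFC draft version number) is rejected this way, which matches "TLS 1.2 works, TLS 1.3 only does not". The server block below is an added example, not the wiki's own configuration: it enables TLS 1.3 while keeping TLS 1.2 as the fallback, redirects :80 to :443 except for the ACME challenge path, and folds in the OCSP stapling directives listed under "more, more" at the end of this page. It assumes the certbot paths from stage 2 (chain.pem is the issuer chain certbot writes next to fullchain.pem) and keeps the page's 192.0.2.1 as a placeholder resolver that has to be replaced.

```nginx
# Added example (not the wiki's own config): HTTP/2 on :443 with TLS 1.2 and 1.3.
# Assumed: the certbot "live" layout from stage 2 (fullchain.pem, privkey.pem, chain.pem),
# the document root from stage 1, and the Debian php-fpm socket used on this page.

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name orgamon-2.dyndns.org;

    # certbot's HTTP-01 challenge must stay reachable over plain HTTP
    location ^~ /.well-known/acme-challenge/ {
        root /srv/ngx/orgamon-2.dyndns.org;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name orgamon-2.dyndns.org;

    root  /srv/ngx/orgamon-2.dyndns.org;
    index index.html index.htm;

    ssl_certificate     /etc/letsencrypt/live/orgamon-2.dyndns.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/orgamon-2.dyndns.org/privkey.pem;

    # "TLSv1.3" alone rejects every client without RFC 8446 support with a
    # protocol_version alert (the "unsupported protocol" failure in the log).
    # Keeping TLS 1.2 as fallback still lets capable clients negotiate 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites restricted to AEAD with forward secrecy; the TLS 1.3 suites
    # are not controlled by ssl_ciphers and are on by default in OpenSSL 1.1.1
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;   # tickets need key rotation; nginx does not rotate the key

    # OCSP stapling: the "more, more" fragment from the end of the page, completed
    ssl_stapling        on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/orgamon-2.dyndns.org/chain.pem;
    resolver 192.0.2.1 valid=300s;   # placeholder kept from the page: use the Pi's real DNS resolver

    # HSTS only once every path of the site is known to work over HTTPS
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include      snippets/fastcgi-php.conf;   # Debian snippet: try_files $fastcgi_script_name =404
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    }
}
```

After `nginx -t && systemctl reload nginx`, `openssl s_client -connect orgamon-2.dyndns.org:443 -servername orgamon-2.dyndns.org -tls1_3 -status` should print "Protocol : TLSv1.3" and an "OCSP Response Status: successful" block; repeating it with -tls1_2 should still connect, and `nginx -V` must show nginx both built and running with OpenSSL 1.1.1 or TLSv1.3 in ssl_protocols is silently unavailable.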

todo

CAA 0 issue "letsencrypt.org"
(DNS CAA record restricting certificate issuance for the name to Let's Encrypt; the flags field is 0, or 128 for an issuer-critical record)

Stage 5: PHP

apt-get install php php-fpm php-mbstring php-xml php-mysql

more, more

  • OCSP stapling, inside the :443 server block. chain_path is a placeholder for the issuer chain file (in the certbot layout used above that is /etc/letsencrypt/live/orgamon-2.dyndns.org/chain.pem), and 192.0.2.1 is a documentation address that must be replaced by the Pi's real DNS resolver; stapling does not work with either placeholder left in.
         ssl_stapling on;
         resolver 192.0.2.1;
         ssl_trusted_certificate chain_path;
         ssl_stapling_verify on;
  • Negotiated cipher suite observed: TLS1.2 ECDHE-RSA-AES256-GCM-SHA384