
Free SSL Certificate & Basic Authentication with Certbot & Nginx


1. make a folder for the ACME challenge files
 mkdir -p /var/www/html/.well-known/acme-challenge

2. change the nginx setting so the challenge files are served
 vi /etc/nginx/sites-enabled/default
 location /.well-known {
     root /var/www/html;
     allow all;
 }

nginx -s stop
nginx

3. generate the certificate files with certbot-auto
cd /usr/local/bin
 * https://certbot.eff.org/all-instructions/
wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto

certbot-auto certonly -a webroot --webroot-path=/var/www/html -d nagios.topzone.com
* for several hostnames in one certificate:
certbot-auto certonly -a webroot --webroot-path=/var/www/html -d ldap.topzone.com -d ganglia.topzone.com -d nagios.topzone.com

Do you want to continue? [Y/n] y
Enter email address: doogee323@gmail.com
(A)gree/(C)ancel: A
(Y)es/(N)o: N

IMPORTANT NOTES:
  - Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/nagios.topzone.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/nagios.topzone.com/privkey.pem

openssl dhparam -out dhparam.pem 2048
mv dhparam.pem /etc/letsencrypt/live/nagios.topzone.com/dhparam.pem

4. create the basic auth password file

htpasswd -cb /usr/local/nagios/etc/htpasswd.users nagiosadmin "password123!"

5. change the nginx site setting
 vi /etc/nginx/sites-enabled/nagios

server {
    listen 80;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {

    listen 443 ssl;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/letsencrypt/live/ldap.topzone.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ldap.topzone.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    #ssl_session_tickets off;
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/letsencrypt/live/ldap.topzone.com/dhparam.pem;
    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/ldap.topzone.com/chain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=86400;
    resolver_timeout 10;

    ## [ origin settings ] #####################################################
    server_name nagios.topzone.com;

    access_log /var/log/nginx/nagios-access.log;
    error_log /var/log/nginx/nagios-error.log;

    # basic auth
    auth_basic "Nagios Restricted Access";
    auth_basic_user_file /usr/local/nagios/etc/htpasswd.users;

    root /usr/local/nagios/share;
    index index.php index.html;

    location /.well-known {
        root /var/www/html;
        allow all;
        # "allow all" only covers the access module; the server-level auth_basic
        # would still apply here, and the ACME challenge must be fetched anonymously
        auth_basic off;
    }

    location ~ \.cgi$ {
        root /usr/local/nagios/sbin;
        rewrite ^/nagios/cgi-bin/(.*)$ /$1;
        rewrite ^/cgi-bin/(.*)$ /$1;
        include /etc/nginx/fastcgi_params;

        fastcgi_param AUTH_USER $remote_user;
        fastcgi_param REMOTE_USER $remote_user;
        fastcgi_param SCRIPT_FILENAME /usr/local/nagios/sbin/$fastcgi_script_name;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_param   SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        #fastcgi_param  PATH_INFO $fastcgi_script_name;
        include         fastcgi_params;
    }
}

nginx -s stop
nginx

* nginx https template
 https://mozilla.github.io/server-side-tls/ssl-config-generator/

6. renew the certificate with crontab
 crontab -e

 30 2 1 * 1 /usr/local/bin/certbot-auto renew >> /var/log/le-renew.log
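A post-deployment check for the steps above, as an added example that is not part of the original post. It assumes the hostname, webroot and basic-auth user from the post (override them with the HOST, WEBROOT and AUTH_USER variables) and that curl and openssl are installed on the nginx host.

```shell
#!/bin/sh
# Added verification script for the setup above (not from the original post).
# Assumes: HOST/WEBROOT/AUTH_USER default to the post's values, curl and
# openssl are installed, and the script runs on the nginx host.
set -eu
HOST="${HOST:-nagios.topzone.com}"
WEBROOT="${WEBROOT:-/var/www/html}"
AUTH_USER="${AUTH_USER:-nagiosadmin}"
# Status code from the first line of a curl header dump ("HTTP/1.1 301 ...").
http_status() {
    printf '%s\n' "$1" | head -n 1 | sed -n 's/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p'
}
# max-age from a Strict-Transport-Security header; prints nothing if absent.
hsts_max_age() {
    printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity:.*max-age=\([0-9]*\).*/\1/p' | head -n 1
}
# check <description> <actual> <expected>: prints PASS/FAIL, returns 1 on FAIL.
check() {
    if [ "$2" = "$3" ]; then echo "PASS: $1"; return 0; fi
    echo "FAIL: $1 (got '$2', want '$3')"; return 1
}
run_checks() {
    fails=0
    dir="$WEBROOT/.well-known/acme-challenge"
    probe="probe-$(date +%s)"                   # constructed challenge file name
    echo "$probe" > "$dir/$probe"
    # 1. The ACME path must be readable without credentials (certbot renew needs it).
    body=$(curl -sSL "http://$HOST/.well-known/acme-challenge/$probe")
    check "ACME challenge file served without auth" "$body" "$probe" || fails=$((fails + 1))
    rm -f "$dir/$probe"
    # 2. Plain HTTP answers 301; 3. anonymous HTTPS gets 401 (curl aborts on a bad TLS chain).
    hdr=$(curl -sS -o /dev/null -D - "http://$HOST/")
    check "HTTP redirects to HTTPS (301)" "$(http_status "$hdr")" 301 || fails=$((fails + 1))
    hdr=$(curl -sS -o /dev/null -D - "https://$HOST/")
    check "anonymous HTTPS rejected (401)" "$(http_status "$hdr")" 401 || fails=$((fails + 1))
    # 4. HSTS: add_header without 'always' is only sent on 2xx/3xx, so check an
    #    authenticated response (curl prompts for the htpasswd password).
    hdr=$(curl -sS -u "$AUTH_USER" -o /dev/null -D - "https://$HOST/")
    check "HSTS max-age on authenticated response" "$(hsts_max_age "$hdr")" 15768000 || fails=$((fails + 1))
    # 5. The served certificate must not expire within 30 days; if it does, the
    #    renew cron above has not run (certbot renews once <30 days remain).
    if openssl s_client -connect "$HOST:443" -servername "$HOST" </dev/null 2>/dev/null \
            | openssl x509 -noout -checkend 2592000; then echo "PASS: certificate valid for >30 days"
    else echo "FAIL: certificate expires within 30 days"; fails=$((fails + 1)); fi
    echo "$fails check(s) failed"; [ "$fails" -eq 0 ]
}
if [ "${1:-}" = "run" ]; then run_checks; fi   # invoke as: sh check.sh run
```

The script exits non-zero when any check fails, so it can be run from the same crontab after the renew job.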
