Skip to main content

Free SSL Certificate & Basic Authentication with Certbot & Nginx


1. make a folder
 mkdir -p /var/www/html/.well-known/acem-challenge

2. change nginx setting for getting auth files
 vi /etc/nginx/sites-enabled/default
 location /.well-known {
   root /var/www/html;
   allow all;
 }

nginx -s stop
nginx

3. generate auth files
cd /usr/local/bin
 * https://certbot.eff.org/all-instructions/
wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto

certbot-auto certonly -a webroot --webroot-path=/var/www/html -d nagios.topzone.com
* certbot-auto certonly -a webroot --webroot-path=/var/www/html -d ldap.topzone.com -d ganglia.topzone.com -d nagios.topzone.com

Do you want to continue? [Y/n] y
Enter email address: doogee323@gmail.com
(A)gree/(C)ancel: A
(Y)es/(N)o: N

IMPORTANT NOTES:
  - Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/nagios.topzone.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/nagios.topzone.com/privkey.pem

openssl dhparam -out dhparam.pem 2048
mv dhparam.pem /etc/letsencrypt/live/nagios.topzone.com/dhparam.pem

4. make basic auth

htpasswd -cb /usr/local/nagios/etc/htpasswd.users nagiosadmin "password123!"

5. change nginx setting
 vi /etc/nginx/sites-enabled/nagios

server {
    listen 80;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {

    listen 443 ssl;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/letsencrypt/live/ldap.topzone.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ldap.topzone.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    #ssl_session_tickets off;
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/letsencrypt/live/ldap.topzone.com/dhparam.pem;  
    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/ldap.topzone.com/chain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=86400;
    resolver_timeout 10;

    ## [ origin settings ] #####################################################
    server_name nagios.topzone.com;

    access_log /var/log/nginx/nagios-access.log;
    error_log /var/log/nginx/nagios-error.log;

    # basic auth
    auth_basic "Nagios Restricted Access";
    auth_basic_user_file /usr/local/nagios/etc/htpasswd.users;

    root /usr/local/nagios/share;
    index index.php index.html;

    location /.well-known {
        root /var/www/html;
        allow all;
    }

    location ~ \.cgi$ {
        root /usr/local/nagios/sbin;
        rewrite ^/nagios/cgi-bin/(.*)$ /$1;
        rewrite ^/cgi-bin/(.*)$ /$1;
        include /etc/nginx/fastcgi_params;

        fastcgi_param AUTH_USER $remote_user;
        fastcgi_param REMOTE_USER $remote_user;
        fastcgi_param SCRIPT_FILENAME /usr/local/nagios/sbin/$fastcgi_script_name;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_param   SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        #fastcgi_param  PATH_INFO $fastcgi_script_name;
        include         fastcgi_params;
    }        
}

nginx -s stop
nginx

* nginx https template
 https://mozilla.github.io/server-side-tls/ssl-config-generator/

5. renewing certificate with crontab
 crontab -e

 30 2 1 * 1 /usr/local/bin/certbot-auto renew >> /var/log/le-renew.log

Comments

Post a Comment

Popular posts from this blog

DevOps JD's required skills from LinkedIn

From some of DevOps JD on linkedIn, I realised that DeveOps should be the leader of the organization. https://docs.google.com/spreadsheets/d/1P520nH0pYcAdN0rJcnMQqsgu9cV9GdknztJ92J8l7-s/pubhtml DevOps' Required Skills From LinkedIn on 8/30/16: DevOps should be the leader of the company! Yahoo Netflix Samsung Salesforce Fortinet SUM OS admin UNIX systems Unix platforms Linux administrator Linux VMs Docker VMs VMware, OpenStack, Hyper-V Openstack, KVM, VMWare Version control version control systems Git, SVN Cloud Amazon AWS AWS AWS, Azure DB MySql Oracle, MySQL, NoSQL Mysql administration and strong command of SQL MySQL RabbitMQ MySql, MongoDB, Redis, Oracle, ProgreSQL N/W TCP/IP networking, DNS, HTTP NAS Understanding of network stack, network tuning, subnet/VLANs. HAProxy, DNS, IPTable Script Lang Shell, Perl, Python, Ruby, PHP bash Python, Bash/tcsh a scripting language: Perl, Python and Unix Shell preferred Python, Perl, Ruby Python, Ruby, Shell, PHP Web LAMP stack
Post a Comment
Read more

Ubuntu GUI with VNC on Xenserver

Xenserver 에서 Ubuntu GUI 를 쓰기 위해서는 VNC 가 답인 듯... Installing Ubuntu Gnome GUI on Ubuntu Server 12.10 with VNC Update Repositories # apt-get update Install gnome and vnc: # apt-get install gnome-core vnc4server Start VNC Server: # vncserver (You’ll then be prompted to create and verify a new VNC connect password) Kill the currently running VNC Session: # vncserver -kill :1 Edit VNC startup config file: # vim .vnc/xstartup Uncomment the following line: unset SESSION_MANAGER Add the following line: gnome-session --session=gnome-classic & Comment Out the following two lines: x-terminal-emulator -geometry 1280x1024+10+10 -ls -title "$VNCDESKTOP Desktop" & x-window-manager & End result should look like: #!/bin/sh # Uncomment the following two lines for normal desktop: unset SESSION_MANAGER # exec /etc/X11/xinit/xinitrc gnome-session --session=gnome-classic & [ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup [ -r $HOME/
Post a Comment
Read more

Install CoreOs on linode without VM

Install CoreOs on linode without VM 1. Add a Linode 2. Create a new Disk   CoreOS 3. Rescue > Reboot into Rescue Mode 4. Remote Access   Launch Lish Console 5. make an install script cat <<'EOF1' > install.sh # add needed package sudo apt-get update sudo apt-get install -y curl wget whois sudo apt-get install -y ca-certificates #sudo apt-get install gawk -y # get discovery url discoveryUrl=`curl https://discovery.etcd.io/new` # write cloud-config.yml cat <<EOF2 > cloud-config.yml #cloud-config users:   - name: core     groups:       - sudo       - docker coreos:   etcd:     name: node01     discovery: $discoveryUrl hostname: node01 EOF2 # get the coreos installation script #wget https://raw.github.com/coreos/init/master/bin/coreos-install wget https://raw.githubusercontent.com/coreos/init/master/bin/coreos-install # run installation chmod 755 coreos-install sudo ./coreos-install \       -d /dev/sda \       -
31 comments
Read more