syakesaba.com
Notes from trying out Let's Encrypt. About 2 hours all in.
Getting a domain
Buy the domain at お名前.com and use its DNS service as well. The zone is configured as follows:
$ORIGIN syakesaba.com.
$TTL 86400
syakesaba.com. 86400 IN SOA 01.dnsv.jp. hostmaster.dnsv.jp. 1486869463 3600 900 604800 300
syakesaba.com. 86400 IN NS 01.dnsv.jp.
syakesaba.com. 86400 IN NS 02.dnsv.jp.
syakesaba.com. 86400 IN NS 03.dnsv.jp.
syakesaba.com. 86400 IN NS 04.dnsv.jp.
syakesaba.com. 3600 IN A 153.120.17.24
mail.syakesaba.com. 3600 IN A 153.120.17.24
www.syakesaba.com. 3600 IN A 153.120.17.24
syakesaba.com. 3600 IN MX 10 mail.syakesaba.com.
syakesaba.com. 3600 IN TXT "v=spf1 +ip4:153.120.17.24 ~all"
First year: 1,123 yen. From the second year on the price will probably keep going up every year.
Getting a server
Got a static IP, 153.120.17.24, on Sakura VPS (さくらのVPS).
Spec: Debian 8 jessie, 1 core, 20 GB, 1 GB. The setup was very rough.
Should come to under 2,000 yen a month.
Hostname configuration:
#vi /etc/hostname
syakesaba.com
#vi /etc/hosts
127.0.0.1 localhost syakesaba.com www.syakesaba.com
153.120.17.24 syakesaba.com www.syakesaba.com
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Getting and configuring nginx
wget "http://nginx.org/keys/nginx_signing.key"
sudo apt-key add nginx_signing.key
# "sudo echo ... >> file" does not work: the redirection runs as the unprivileged user, so pipe through tee -a instead
echo "
deb http://nginx.org/packages/debian/ jessie nginx
deb-src http://nginx.org/packages/debian/ jessie nginx
" | sudo tee -a /etc/apt/sources.list
sudo apt-get update
sudo apt-get install nginx
# quoted heredoc: with echo "..." the shell would expand $MAINPID to an empty string before it reaches the unit file
cat > /lib/systemd/system/nginx.service <<'EOF'
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
Fix it up so it can be managed with systemctl
systemctl unmask nginx
systemctl enable nginx
nginx's default master config:
cat /etc/nginx/nginx.conf
########################
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    include /etc/nginx/conf.d/*.conf;
}
######################
Tweaks
File descriptors and the like.
http://www.mk-mode.com/octopress/2014/04/13/nginx-file-discriptor-limit/
echo 'fs.file-max=200000' >> /etc/sysctl.conf
# http://qiita.com/iwai/items/1e29adbdd269380167d2
echo 'net.ipv4.ip_local_port_range=18000 65535' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_tw_reuse=1' >> /etc/sysctl.conf
echo 'net.ipv4.ip_dynaddr=1' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_rfc1337=1' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_fin_timeout=10' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_keepalive_probes=5' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_slow_start_after_idle=0' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_max_syn_backlog=1024' >> /etc/sysctl.conf
echo 'net.core.somaxconn=65535' >> /etc/sysctl.conf
sysctl -p
Tweaks (nginx side)
vi /etc/nginx/nginx.conf
# XXX: merge these into the existing main context and events block; nginx rejects a duplicate
# worker_processes directive or a second events { } block, so replace rather than append
worker_processes auto; #XXX num of cores
worker_rlimit_nofile 640; #XXX calc: con128 * worker5 = 640
worker_priority -5; #XXX MGMT
#worker_cpu_affinity 01 10; #XXX i have no core
events {
    multi_accept on; #XXX better as it is
    worker_connections 128; #XXX num cores *128?
}
Check that it works
systemctl restart nginx
More tweaks
chmod 755 /var/log/nginx
vi /etc/nginx/nginx.conf
# XXX: add inside the existing http { } block (a second http block is rejected)
http {
    server_tokens off;
}
Check that it works
systemctl restart nginx
Installing certbot
echo 'deb http://ftp.debian.org/debian jessie-backports main' | sudo tee /etc/apt/sources.list.d/backports.list
sudo apt-get update
sudo apt-get install certbot -t jessie-backports
Changing the content folder
vi /etc/nginx/conf.d/default.conf
#REPLACE
server {
    server_name localhost syakesaba.com www.syakesaba.com; #XXX
    #XXX
    location / {
        root /var/www/html;
    }
    #APPEND: keep the ACME challenge location in this same server block, the one that answers for the domain;
    # a separate server block with no listen/server_name would never be selected for these hosts
    location ~ /.well-known {
        root /var/www/html;
        allow all;
    }
}
mkdir -p /var/www/html
chown -R nginx:nginx /var/www/html
Check that it works
sudo systemctl restart nginx
Activating certbot
sudo certbot certonly -a webroot --webroot-path=/var/www/html -d syakesaba.com -d www.syakesaba.com
#IMPORTANT NOTES:
# - Congratulations! Your certificate and chain have been saved at
# /etc/letsencrypt/live/syakesaba.com/fullchain.pem. Your cert will
# expire on 2017-05-13. To obtain a new or tweaked version of this
# certificate in the future, simply run certbot again. To
# non-interactively renew *all* of your certificates, run "certbot
# renew"
# - If you like Certbot, please consider supporting our work by:
#
# Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
# Donating to EFF: https://eff.org/donate-le
ls -la /etc/letsencrypt/live/syakesaba.com/
#合計 8
#drwxr-xr-x 2 root root 4096 2月 12 13:17 .
#drwx------ 3 root root 4096 2月 12 13:17 ..
#lrwxrwxrwx 1 root root 37 2月 12 13:17 cert.pem -> ../../archive/syakesaba.com/cert1.pem
#lrwxrwxrwx 1 root root 38 2月 12 13:17 chain.pem -> ../../archive/syakesaba.com/chain1.pem
#lrwxrwxrwx 1 root root 42 2月 12 13:17 fullchain.pem -> ../../archive/syakesaba.com/fullchain1.pem
#lrwxrwxrwx 1 root root 40 2月 12 13:17 privkey.pem -> ../../archive/syakesaba.com/privkey1.pem
Generating the DH parameters for SSL
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Enabling SSL in nginx
vi /etc/nginx/conf.d/ssl-syakesaba.com.conf
###
ssl_certificate /etc/letsencrypt/live/syakesaba.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/syakesaba.com/privkey.pem;
###
vi /etc/nginx/conf.d/ssl.conf
###
# from https://cipherli.st/ and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); a current deployment should allow only TLSv1.2 and TLSv1.3
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
###
vi /etc/nginx/conf.d/default.conf
#APPEND
server {
    listen 443 ssl default_server; #XXX
    listen [::]:443 ssl default_server; #XXX
    server_name syakesaba.com www.syakesaba.com; #XXX
    include conf.d/ssl-syakesaba.com.conf; #XXX
    include conf.d/ssl.conf; #XXX
    # XXX: nginx.conf's "include /etc/nginx/conf.d/*.conf" also loads both files at http level;
    # name them *.inc if they should apply only here
    location / {
        root /var/www/html; #XXX same content as the port-80 server
    }
}
Check that it works
systemctl restart nginx
Actually accessing it
http://www.syakesaba.com/
https://www.syakesaba.com/
# https://www.ssllabs.com/ssltest/analyze.html?d=www.syakesaba.com&latest
Have it renew automatically once a month
cat /etc/cron.d/certbot
###
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew
###
vi /etc/cron.d/certbot
#REPLACE
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew && perl -e 'sleep int(rand(3600))' && /bin/systemctl restart nginx
# NOTE: on a systemd host (jessie is one) the "\! -d /run/systemd/system" test fails, so this cron line never runs;
# renewal is triggered by the package's certbot.timer instead. To make the restart happen whichever scheduler
# fires, hand it to certbot itself via --post-hook (a reload is enough; a restart drops open connections).
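As an added example (not from the original post), here is a post-hook script for "certbot renew" that tests the nginx config and reloads only when the live certificate has actually changed, so the restart no longer depends on the cron line. The live directory follows the post; the state-file path and the script name are assumptions.

```shell
#!/bin/sh
# nginx-cert-reload.sh: post-hook for "certbot renew" (example added here, not from the original post).
# Reloads nginx only when the live fullchain.pem has changed, and only after "nginx -t" passes,
# so a renewal can never take the site down with a broken config.
# LIVE_DIR follows the post; STATE_FILE is an assumed location for the last-seen fingerprint.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/syakesaba.com}"
STATE_FILE="${STATE_FILE:-/var/lib/nginx/last-cert.sha256}"

# sha256 of a file; works with GNU sha256sum or BSD shasum.
fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# True (exit 0) when the certificate differs from the one recorded at the last reload.
cert_changed() {
    new=$(fingerprint "$1" 2>/dev/null)
    [ -n "$new" ] || return 1            # missing/unreadable cert: nothing to do
    old=$(cat "$2" 2>/dev/null || echo none)
    [ "$new" != "$old" ]
}

# Remember the fingerprint so later runs are no-ops until certbot actually renews.
record_cert() {
    mkdir -p "$(dirname "$2")"
    fingerprint "$1" > "$2"
}

# Test the config first; if the test fails the running nginx is left untouched.
reload_nginx() {
    nginx -t >/dev/null 2>&1 && systemctl reload nginx
}

run_hook() {
    cert="$LIVE_DIR/fullchain.pem"
    if cert_changed "$cert" "$STATE_FILE"; then
        reload_nginx && record_cert "$cert" "$STATE_FILE"
    fi
}

# Only act when invoked with "run", e.g.
#   certbot -q renew --post-hook "/usr/local/sbin/nginx-cert-reload.sh run"
if [ "${1:-}" = "run" ]; then
    run_hook
fi
```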
Result
No idea about the operational side.