, HTTPS -. , HTTP HTTPS. , , www non-www ( ).
, Let's Encrypt Ubuntu c HTTP HTTPS nginx.
Let's Encrypt Cloud Linux
, , - "" , DNS- Mail Server .
, google.com uptime.com
, DNS-. , DNS .
Mail Server , , email ""?
DNS-, google.com https " ".
ssllabs.com, "", .
, ssl-, .
, https ssl- Let's Encrypt Linux ( "Digitalocean - Serverpilot").
Linux Virtualbox , .
, Serverpilot, , Wordpress DNS Digitalocean.
Let's Encrypt .
# Fetches the Let's Encrypt client into the current directory. Later steps on this
# page refer to the clone as /home/user/letsencrypt and /home/ubuntu/letsencrypt,
# so clone it where those renewal commands expect it. Running git with sudo leaves
# the checkout root-owned. The client has since been renamed certbot; this
# repository now points there.
$ sudo git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt
nginx-sp , Serverpilot 80, . .
# Stops ServerPilot's nginx so the standalone authenticator below can bind port 80;
# the site is unreachable until the matching start command is run.
$ sudo service nginx-sp stop
80 , , .
# Standalone mode serves the ACME challenge itself on port 80, which is why nginx
# had to be stopped first. Every -d name becomes a SAN on one certificate, and each
# name must already resolve to this host or the challenge fails.
$ sudo ./letsencrypt-auto certonly --standalone -d yourdomain.com -d www.yourdomain.com
-d subdomain.yourdomain.com.
, , /etc/letsencrypt/live/$ domain. $domain - , . nginx-sp, :
# Brings nginx back once the certificate has been written under /etc/letsencrypt/live/.
$ sudo service nginx-sp start
, , HTTPS nginx.
/etc/nginx-sp/vhosts.d, Serverpilot ("Apps"), Serverpilot.
# Opens a root shell; every command after this already runs as root, so the
# later `sudo nano` is redundant. Remember to `exit` the root shell afterwards.
$ sudo su
$ cd /etc/nginx-sp/vhosts.d
Serverpilot Apps , SSL. - .
SSL /etc/nginx-sp/vhosts.d. , :
# Creates the HTTPS vhost next to ServerPilot's generated files; the prefix must
# be the app name as ServerPilot knows it (yourappname) so the paths inside match.
$ sudo nano yourappname.ssl.conf
yourappname , .
SSL- Nginx
, , - HTTP HTTPS nginx?
server {
    # Plain-HTTP listener: every request for either host name gets a permanent
    # redirect to the canonical (non-www) HTTPS origin. $request_uri carries the
    # original path and query string across the redirect.
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://yourdomain.com$request_uri;
}
SSL, , "Mozilla SSL Configuration Generator" : mozilla.imtqy.com/server-side-tls/ssl-config-generator/
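server {
    # Plain-HTTP listener. The HTTPS server in this file also listens on [::]:443,
    # so IPv6 is accepted here as well; without it, IPv6 clients arriving on port 80
    # would never receive the redirect.
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;
    # Permanent redirect to the canonical (non-www) HTTPS origin; $request_uri
    # preserves the path and query string.
    return 301 https://yourdomain.com$request_uri;
}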
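server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    # `ssl on;` was dropped: `ssl` on the listen lines already enables TLS, and the
    # directive is deprecated (removed in newer nginx releases).
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # Session resumption through the shared cache only; tickets are off so a
    # long-lived ticket key cannot undermine forward secrecy.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:20m;
    ssl_session_tickets off;

    # Protocols: the original listed TLSv1 and TLSv1.1 under a "modern configuration"
    # heading; both are deprecated and SSL Labs (used on this page to check the result)
    # caps the grade when they are enabled, so only TLSv1.2 is kept. Add TLSv1.3 here
    # when the nginx/OpenSSL build supports it. Clients that only speak TLS 1.0/1.1
    # will no longer connect.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    # NOTE(review): the list enables DHE suites but no ssl_dhparam is set. Depending
    # on the nginx version those suites then either use a weak built-in group or are
    # silently disabled; either set ssl_dhparam to a >=2048-bit group or drop the
    # DHE-* / kEDH entries from the list.

    # OCSP stapling. nginx needs a `resolver` directive (not shown on this page) to
    # look up the OCSP responder host; without one it logs "no resolver defined" and
    # serves no stapled response.
    ssl_stapling on;
    ssl_stapling_verify on;
    # Fixed path: the original pointed at .../live/yourdomain/chain.pem, which does not
    # match the certificate directory used above (.../live/yourdomain.com/); a missing
    # file here makes nginx refuse the configuration.
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
    ssl_ecdh_curve secp384r1;

    # HSTS for one year; `always` sends the header on error responses too.
    # Do not add includeSubDomains unless every subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Root directory and log files (ServerPilot layout; replace yourappname)
    root /srv/users/serverpilot/apps/yourappname/public;
    access_log /srv/users/serverpilot/log/yourappname/yourappname_nginx.access.log main;
    error_log /srv/users/serverpilot/log/yourappname/yourappname_nginx.error.log;

    # Headers handed to the backend so the app sees the real client and scheme.
    # The proxy_pass itself is expected to live in the included files below.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-SSL on;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Reuse ServerPilot's per-app configuration fragments.
    include /etc/nginx-sp/vhosts.d/yourappname.d/*.nonssl_conf;
    include /etc/nginx-sp/vhosts.d/yourappname.d/*.conf;
}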
"yourdomain" "yourappname" .
, Ctrl + X, . , , , sudo nano.
nginx-sp, :
# Applies the new vhost. A syntax error in yourappname.ssl.conf keeps nginx down
# after this, so check the error log named in the vhost if the site does not return.
$ sudo service nginx-sp restart
, ssllabs.com
"+".
90 :
# Manual renewal with the standalone authenticator: nginx must be stopped again so
# port 80 is free, and restarted afterwards so the renewed certificate is loaded.
# The clone path here (/home/user/letsencrypt) must match where the client was
# cloned earlier on this page.
$ cd /home/user/letsencrypt
$ sudo service nginx-sp stop
$ sudo -H ./letsencrypt-auto certonly --standalone -d yourdomain.com -d www.yourdomain.com
$ sudo service nginx-sp start
, HTTPS, SSL- ?
crontab :
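$ sudo crontab -e
# Monthly renewal with the webroot authenticator: the challenge file is written
# under the app's public directory, so nginx keeps running during renewal.
# nginx only loads the renewed certificate after a restart, which the original
# entry omitted; it is chained with && so it runs only when renewal succeeded.
# Adjust the client path (the page earlier uses /home/user/letsencrypt) and
# replace app_name / domain.tld with the real app name and domain.
@monthly /home/ubuntu/letsencrypt/letsencrypt-auto certonly --renew-by-default --webroot -w /srv/users/serverpilot/apps/app_name/public -d domain.tld -d www.domain.tld && service nginx-sp restart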
http, https .
, , http https, ?
Apache www non-www ( ) HTTP HTTPS
www non-www http https:
RewriteEngine On
# Redirect when the request is plain HTTP, or when the host still carries a www. prefix
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
# Capture the host without its optional www. prefix into %2
RewriteCond %{HTTP_HOST} ^(www\.)?(.+)$ [NC]
# Permanent redirect to the bare-domain HTTPS origin, keeping the request URI unescaped
RewriteRule ^ https://%2%{REQUEST_URI} [R=301,L,NE]
non-www www http https:
RewriteEngine On
# Redirect when the request is plain HTTP, or when the host lacks the www. prefix
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
# Capture the host without its optional www. prefix into %2
RewriteCond %{HTTP_HOST} ^(www\.)?(.+)$ [NC]
# Permanent redirect to the www HTTPS origin, keeping the request URI unescaped
RewriteRule ^ https://www.%2%{REQUEST_URI} [R=301,L,NE]
https Apache?
, Apache, , .htaccess .
Apache?
Debian Ubuntu , "apache", Mandriva/Fedora "httpd". , :
- /etc/apache;
- /etc/apache2;
- /etc/http;
- /etc/httpd2.
:
?
Apache:
RewriteEngine On
:
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
[OR], - true, Apache ().
, HTTPS URL-, - www URL.
, , "www\." ( "www.").
www :
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule - :
RewriteRule ^ https://www.%1%{REQUEST_URI} [L,NE,R=301]
Apache URL-, :
- https: //www;
%1
: non-www ;%{REQUEST_URI}
: URI , .
:
- NE - .
- R=301 - HTTP 301.
- L - .
, , URL-:
RewriteEngine On
# Fixed-host variant: redirect plain-HTTP requests and www. hosts to the
# hard-coded canonical origin, keeping the request URI unescaped
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L,NE]
"Host: https://mydomain.com" robots.txt.
: "<link rel="canonical" href="https://…"/>" "<head>".
www non-www HTTPS .
HTTP HTTPS
http https.
Wordpress, - http://mydomain.com https://mydomain.com.
http https, src="//mydomain.com/image.jpg". , " ", https.
" - "
- http 1994 https, SSL/TLS . SSL- , .
ssl- https, , , , . . , - , : pentest-tools.com/website-vulnerability-scanning/web-server-scanner. , , , .