生活紀錄: https

2020年7月20日星期一

SSL 證書安裝於 Nginx

參考 SSL 憑證服務操作手冊
參考檢查 HTTPS 伺服器加密協定版本
參考 https on nginx and python flask
參考 https Client and Server

取得三個證書
1. eCA 根憑證 "ROOTeCA_64.crt"
2. PublicCA G2 中繼憑證 "PublicCA2_64.crt"
3. 用戶的 SSL 伺服器憑證 "xxx...(32個英數字).crt"

# mkdir /etc/nginx/conf/Certs
放三個證書於此目錄
# cp * /etc/nginx/conf/Certs
產生可信任的CA憑證串列
# cd /etc/nginx/conf/Certs
# cat PublicCA_64.crt ROOTeCA_64.crt > caChain.crt
因 Nginx 只能使用未加密的 server key
# openssl rsa -in server.key -out server_no_pwd.key
# cat server_no_pwd.key > /etc/nginx/conf/Certs/server.key
# cat xxx...(32個英數字).crt PublicCA2_64.crt > server.pem

修改 /etc/nginx/sites-available/ 下的設定檔
ssl_certificate /etc/nginx/conf/Certs/server.pem;
ssl_certificate_key /etc/nginx/conf/Certs/server.key;
ssl_stapling on;
ssl_stapling_verify on;

ssl_trusted_certificate /etc/nginx/conf/Certs/caChain.crt;

修改 /etc/nginx/nginx.conf # 關閉有漏洞的 HTTPS SSLv3, 採用 TLS
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# ngnix -s reload

測試安全性
$ sudo apt install nmap
$ nmap --script ssl-enum-ciphers -p 8443 www.xxxx.com

Starting Nmap 7.60 ( https://nmap.org ) at 2020-07-20 14:21 CST
Nmap scan report for www.xxxx.com.tw (114.35.104.33)
Host is up (0.00057s latency).
rDNS record for 114.35.14.313: 114-35-104-33.HINET-IP.hinet.net

PORT STATE SERVICE
8443/tcp open https-alt
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
| TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
| TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds

測試結果分為等級 A-F

參考中華電信 SSL 憑證服務

下載認證標章，並放置下列HTML語法到網頁

<a href="javascript:location.href='https://publicca.hinet.net/SSLQueryCert/ SSLQueryCert.jsp?Domain_name='+document.location.hostname">
<img height="126" src="SSLSeal.gif" width="90" />
</a>

2020年3月18日星期三

https on nginx and python flask

建立 python flask 的網頁伺服器
$ cat server.py
@app.route('/api/PostTime', methods=['POST'])
def post_time():
print(request.headers)
print(request.json)
result = '\n'.join([request.json['updDate'],
request.json['camera']])
print(result)
return str(result)

if __name__ == "__main__":
app.run(host="0.0.0.0", port="5000", debug=True,
# 下兩行可以啟動 https
#ssl_context=("/home/user1/Data/webapi/openssl/web1/server.crt",
# "/home/user1/Data/webapi/openssl/web1/server.key")
)

$ python3 server.py

$ cat PostTime.py

import requests

import os

data = {

'updDate': '2019-01-02T15:10:11',

'camera': 'A001',

}

os.environ['REQUESTS_CA_BUNDLE'] = '/home/user1/Data/webapi/openssl/ca/cacert.pem'

#url = 'https://127.0.0.1:5000/api/PostTime'

url = 'https://127.0.0.1:8443/api/PostTime'

headers = {'Content-Type': 'application/json'}

response = requests.post(url=url,

headers=headers,

#verify=False,

json=data)

if response.ok:

print("PostTime ok")

print(response.status_code)

print(response.text)

else:

print(response.status_code)

print(response.text)

$ python3 PostTime.py

# cat /etc/nginx/sites-available/config

server {

listen 80 default_server;

listen [::]:80 default_server;

# SSL configuration

listen 8443 ssl default_server;

listen [::]:8443 ssl default_server;

ssl_certificate /home/user1/Data/webapi/openssl/web1/server.crt;

ssl_certificate_key /home/user1/Data/webapi/openssl/web1/server.key;

root /var/www/html;

# Add index.php to the list if you are using PHP

index index.html index.htm index.nginx-debian.html;

server_name _;

location ^~ /api/ {
# 當 https 由 nginx 管控，python flask 就要走一般的 http

proxy_pass http://127.0.0.1:5000;

proxy_set_header Host $host;

}
# 設定上傳限制
client_max_body_size 10M;

}

重新啟動 nginx

# sudo nginx -s reload

網頁

2020年7月20日 星期一

SSL 證書安裝於 Nginx

2020年3月18日 星期三

https on nginx and python flask

2020年7月20日星期一

2020年3月18日星期三