-
Notifications
You must be signed in to change notification settings - Fork 1
/
letsencrypt-carina-nginx.txt
115 lines (89 loc) · 4.53 KB
/
letsencrypt-carina-nginx.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
## Prasyarat:
- Docker host atau cluster Carina https://getcarina.com/
- Docker klien saya mengunakan versi berikut
ary@fuleco:~$ docker --version
Docker version 1.9.0, build 76d6bc9
- DNS "A" record set ke IP host Anda
## Buat volume untuk menyimpan berkas sertifikat
docker volume create --name letsencrypt
docker volume create --name letsencrypt-backups (optional)
## Menjalankan docker container letsencrypt sekaligus mengenerate sertifikat
docker run -it --rm -p 443:443 -p 80:80 \
-v letsencrypt:/etc/letsencrypt \
-v letsencrypt-backups:/var/lib/letsencrypt \
quay.io/letsencrypt/letsencrypt:latest \
auth -d kelas.glibogor.or.id --email glibogor@gmail.com --agree-tos
## Jika sukses, maka akan terlihat output seperti berikut:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/kelas.glibogor.or.id/fullchain.pem. Your cert will
expire on 2016-03-02. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
- If like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
## Buat parameter Diffie Hellman untuk mendapatkan best rating dari SSL Labs
docker run -it --rm \
-v letsencrypt:/etc/letsencrypt \
nginx openssl \
dhparam -out /etc/letsencrypt/live/kelas.glibogor.or.id/dhparams.pem 2048
## Verifikasi sertifikat yang sudah digenerate
docker run -it -v letsencrypt:/etc/letsencrypt \
busybox ls /etc/letsencrypt/live/kelas.glibogor.or.id
## Buat 3 berkas baru default.conf (berkas konfigurasi nginx), index.html dan lets.conf (berkas dockerfile)
## Isi berkas default.conf
server {
listen 80;
server_name kelas.glibogor.or.id;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/letsencrypt/live/kelas.glibogor.or.id/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/kelas.glibogor.or.id/privkey.pem;
ssl_dhparam /etc/letsencrypt/live/kelas.glibogor.or.id/dhparams.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/kelas.glibogor.or.id/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=86400;
location / {
root /data/www;
}
}
## Isi berkas index.html
Udah Encrypted gan!
## Isi berkas Dockerfile default.conf
FROM nginx
COPY default.conf /etc/nginx/conf.d/default.conf
COPY index.html /data/www/index.html
## Buat docker image dari image nginx dengan tambahan 2 parameter default.conf dan index.html
docker build -t imageglib --file lets.conf .
## Verifikasi image docker yangg sudah dibuat
docker images
## Buat docker container, dengan image yang sudah dibuat tadi serta menghubungkan volume letsencrypt
docker run -d -p 80:80 -p 443:443 \
-v letsencrypt:/etc/letsencrypt --name containerglib imageglib
## Verifikasi
curl https://kelas.glibogor.or.id
https://www.ssllabs.com/ssltest/analyze.html?d=kelas.glibogor.or.id&latest
## Refrensi:
- https://letsencrypt.org
- https://community.letsencrypt.org/c/docs/
- http://www.slideshare.net/JoergHenning/lets-encrypt-59295465
- https://getcarina.com/docs/tutorials/nginx-with-lets-encrypt/
- https://getcarina.com/blog/weekly-news-docker-sock-letsencrypt/#note-for-previous-docker-versions
- https://hub.docker.com/_/nginx/
#MalMingGLiB - Sabtu, 14 Mei 2016