# Nginx Hardening and SSL Issuance Example

Example of issuing an SSL certificate for the domain api.sncompany.com on a production server.

Issuance is always verified with --staging first, so the production run must include the --force-renewal option: the staging certificate already occupies the lineage under /etc/letsencrypt/live, and without that option certbot would report the certificate as not yet due for renewal and take no action.
## 1. Check and Reload Nginx

```bash
sudo nginx -t && sudo systemctl reload nginx
```
## 2. ACME Path Check

- Valid only for the webroot method (confirms that the HTTP-01 challenge directory is actually served over port 80)
- Meaningless for the nginx plugin method

```bash
echo ok | sudo tee /var/www/letsencrypt/.well-known/acme-challenge/ping >/dev/null
curl -fsS --max-time 10 http://api.sncompany.com/.well-known/acme-challenge/ping
```
## 3. Staging Issuance

### 3.1 Webroot Method

```bash
sudo certbot certonly --webroot -w /var/www/letsencrypt -d api.sncompany.com --staging --no-eff-email --agree-tos -m sn.dev.manager@sncompany.com -v
```

### 3.2 Nginx Plugin Method

```bash
sudo certbot --nginx -d api.sncompany.com --staging --no-eff-email --agree-tos -m sn.dev.manager@sncompany.com -v
```
## 4. Production Issuance

### 4.1 Webroot Method

```bash
sudo certbot certonly --webroot -w /var/www/letsencrypt -d api.sncompany.com --force-renewal --no-eff-email --agree-tos -m sn.dev.manager@sncompany.com -v
```

The production standard is to then reference the certificate paths below directly in the Nginx 443 server block.

```nginx
ssl_certificate /etc/letsencrypt/live/api.sncompany.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/api.sncompany.com/privkey.pem;
```

certbot install may be used for convenience, but it is not the production standard.

```bash
sudo certbot install --cert-name api.sncompany.com
```

Even when ssl-webroot.sh is used, the default behaviour is manual reflection of the paths; automatic reflection is allowed only when really needed, via the AUTO_INSTALL_Nginx=1 environment variable.

### 4.2 Nginx Plugin Method

```bash
sudo certbot --nginx -d api.sncompany.com --force-renewal --no-eff-email --agree-tos -m sn.dev.manager@sncompany.com -v
```
## 5. Check and Reload Nginx

```bash
sudo nginx -t && sudo systemctl reload nginx
```
## 6. Certificate Verification

### 6.1 Staging Check

```bash
sudo openssl x509 -in /etc/letsencrypt/live/api.sncompany.com/fullchain.pem -noout -issuer
```

### 6.2 Production Check

```bash
# An HTTP code of 000 means curl never completed a connection
HTTP_CODE="$(curl -sSI --connect-timeout 5 --max-time 10 https://api.sncompany.com -o /dev/null -w "%{http_code}")" && \
[ "$HTTP_CODE" != "000" ] && echo "HTTPS reachable (HTTP $HTTP_CODE)"
# Issuer and subject of the certificate actually presented on port 443
echo | openssl s_client -connect api.sncompany.com:443 -servername api.sncompany.com 2>/dev/null | openssl x509 -noout -issuer -subject
```
## 7. Combined Command

- Written for the webroot method, the production standard
- The example below does not include certbot install

```bash
set -e
sudo nginx -t && sudo systemctl reload nginx && \
echo ok | sudo tee /var/www/letsencrypt/.well-known/acme-challenge/ping >/dev/null && \
curl -fsS --max-time 10 http://api.sncompany.com/.well-known/acme-challenge/ping && \
sudo certbot certonly --webroot -w /var/www/letsencrypt -d api.sncompany.com --staging --no-eff-email --agree-tos -m sn.dev.manager@sncompany.com -v && \
sudo openssl x509 -in /etc/letsencrypt/live/api.sncompany.com/fullchain.pem -noout -issuer && \
sudo certbot certonly --webroot -w /var/www/letsencrypt -d api.sncompany.com --force-renewal --no-eff-email --agree-tos -m sn.dev.manager@sncompany.com -v && \
sudo nginx -t && sudo systemctl reload nginx && \
HTTP_CODE="$(curl -sSI --connect-timeout 5 --max-time 10 https://api.sncompany.com -o /dev/null -w "%{http_code}")" && \
[ "$HTTP_CODE" != "000" ] && echo "HTTPS reachable (HTTP $HTTP_CODE)" && \
echo | openssl s_client -connect api.sncompany.com:443 -servername api.sncompany.com 2>/dev/null | openssl x509 -noout -issuer -subject
```
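The combined chain above as a script, added here as an example (it is not the project's ssl-webroot.sh): in addition to the steps above it refuses to continue unless the staging run actually produced a (STAGING) issuer, and fails if the production run left the staging certificate in place. It assumes root privileges (sudo) and certbot, openssl, curl and nginx on PATH; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the project's ssl-webroot.sh: the section 7 chain as a
# script, run as root (sudo). Assumes certbot, openssl, curl and nginx are on PATH.
set -eu

# Build the certonly --webroot argument list; mode is "staging" or "production".
certbot_webroot_args() {
    # $1 domain, $2 e-mail, $3 webroot dir, $4 mode
    case "$4" in
        staging)    mode_flag="--staging" ;;
        production) mode_flag="--force-renewal" ;;   # replaces the staging lineage
        *) echo "unknown mode: $4" >&2; return 1 ;;
    esac
    printf '%s' "certonly --webroot -w $3 -d $1 $mode_flag --no-eff-email --agree-tos -m $2 -v"
}

# Let's Encrypt staging intermediates carry "(STAGING)" in the issuer DN.
is_staging_issuer() {
    case "$1" in *"(STAGING)"*) return 0 ;; *) return 1 ;; esac
}

# Issuer DN of the certificate currently in the live/ directory for a domain.
live_issuer() {
    openssl x509 -in "/etc/letsencrypt/live/$1/fullchain.pem" -noout -issuer
}

main() {
    [ "$#" -ge 2 ] || { echo "usage: $0 <domain> <e-mail> [webroot]" >&2; exit 2; }
    domain="$1"; email="$2"; webroot="${3:-/var/www/letsencrypt}"
    acme_dir="$webroot/.well-known/acme-challenge"
    nginx -t && systemctl reload nginx
    # Webroot self-test: the HTTP-01 path must be reachable over port 80 first.
    mkdir -p "$acme_dir" && echo ok > "$acme_dir/ping"
    curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/ping" >/dev/null
    # Staging first; stop unless the staging CA actually issued into live/.
    certbot $(certbot_webroot_args "$domain" "$email" "$webroot" staging)
    is_staging_issuer "$(live_issuer "$domain")" || { echo "staging issuance failed" >&2; exit 1; }
    # Production; without --force-renewal the staging cert would still be here.
    certbot $(certbot_webroot_args "$domain" "$email" "$webroot" production)
    ! is_staging_issuer "$(live_issuer "$domain")" || { echo "still a staging cert" >&2; exit 1; }
    # Manual reflection of the live/ paths is the standard; install only on AUTO_INSTALL_Nginx=1.
    [ "${AUTO_INSTALL_Nginx:-0}" != "1" ] || certbot install --cert-name "$domain"
    nginx -t && systemctl reload nginx
}

# With no arguments only the functions are defined, so the file can be sourced.
[ "$#" -eq 0 ] || main "$@"
```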
## 8. SSL Webroot Shell Script

See ssl-webroot.sh.

```bash
sudo mv ssl-webroot.sh /usr/local/sbin/ssl-webroot
sudo chown root:root /usr/local/sbin/ssl-webroot
sudo chmod 750 /usr/local/sbin/ssl-webroot
sudo ln -s /usr/local/sbin/ssl-webroot /usr/bin/ssl-webroot
```
### 8.1 Usage

```bash
sudo ssl-webroot <DomainName> <E-Mail> [WebrootDir]
```

When automatic reflection into Nginx is really required:

```bash
sudo AUTO_INSTALL_Nginx=1 ssl-webroot <DomainName> <E-Mail> [WebrootDir]
```
### 8.2 Example

```bash
sudo ssl-webroot api.sncompany.com sn.dev.manager@sncompany.com
```

or

```bash
sudo ssl-webroot api.sncompany.com sn.dev.manager@sncompany.com /var/www/letsencrypt
```

or several domains at once:

```bash
set -e
sudo ssl-webroot api.sncompany.com sn.dev.manager@sncompany.com && \
sudo ssl-webroot community.sncompany.com sn.dev.manager@sncompany.com && \
sudo ssl-webroot image.sncompany.com sn.dev.manager@sncompany.com && \
sudo ssl-webroot platform.sncompany.com sn.dev.manager@sncompany.com && \
sudo ssl-webroot rank.sncompany.com sn.dev.manager@sncompany.com && \
sudo ssl-webroot video.sncompany.com sn.dev.manager@sncompany.com
```