What exactly is the Let's Encrypt certbot "enhance" command?
Let's Encrypt certbot has an "enhance" subcommand whose description is "Add security enhancements to existing configuration". The only additional information I can find in certbot's CLI help is:

enhance: Helps to harden the TLS configuration by adding security enhancements to already existing configuration.

It is still unclear which enhancements are added to the existing configuration, which files are modified, and so on. I am particularly interested in a setup with Ubuntu + Apache HTTP Server (using the --apache option).
I couldn't find it either, so I looked at the source code (and another document), which says:

security:
  Security parameters & server settings

  --rsa-key-size N      Size of the RSA key. (default: 2048)
  --must-staple         Adds the OCSP Must Staple extension to the certificate.
                        Autoconfigures OCSP Stapling for supported setups
                        (Apache version >= 2.3.3 ). (default: False)
  --redirect            Automatically redirect all HTTP traffic to HTTPS for the
                        newly authenticated vhost. (default: Ask)
  --no-redirect         Do not automatically redirect all HTTP traffic to HTTPS
                        for the newly authenticated vhost. (default: Ask)
  --hsts                Add the Strict-Transport-Security header to every HTTP
                        response. Forcing browser to always use SSL for the
                        domain. Defends against SSL Stripping. (default: None)
  --uir                 Add the "Content-Security-Policy: upgrade-insecure-requests"
                        header to every HTTP response. Forcing the browser to use
                        https:// for every http:// resource. (default: None)
  --staple-ocsp         Enables OCSP Stapling. A valid OCSP response is stapled to
                        the certificate that the server offers during TLS.
                        (default: None)
  --strict-permissions  Require that all configuration files are owned by the
                        current user; only needed if your config is somewhere
                        unsafe like /tmp/ (default: False)
and tried it in my test environment:

certbot --authenticator webroot --installer apache [...]
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/example.conf to ssl vhost in /etc/apache2/sites-enabled/example.ssl.conf

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://example.com and
https://www.example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
-------------------------------------------------------------------------------

certbot enhance --hsts
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator None, Installer apache

Which certificate would you like to use to enhance your configuration?
-------------------------------------------------------------------------------
1: example.com
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel):

Which domain names would you like to enable the selected enhancements for?
-------------------------------------------------------------------------------
1: example.com
2: www.example.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Adding Strict-Transport-Security header to ssl vhost in /etc/apache2/sites-enabled/example.ssl.conf

certbot enhance --uir
Plugins selected: Authenticator None, Installer apache

Which certificate would you like to use to enhance your configuration?
-------------------------------------------------------------------------------
1: example.com
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel):

Which domain names would you like to enable the selected enhancements for?
-------------------------------------------------------------------------------
1: example.com
2: www.example.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Adding Upgrade-Insecure-Requests header to ssl vhost in /etc/apache2/sites-enabled/example.ssl.conf
You can guess the rest of the options (I did not try them all).

It added the following lines to the ssl .conf in sites-enabled:

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Header always set Strict-Transport-Security "max-age=31536000"
Header always set Content-Security-Policy upgrade-insecure-requests

and these to the non-ssl .conf in sites-enabled:

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.example.com [OR]
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
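As an added example (not from the answer above or from certbot itself), a small audit that reads an Apache ssl vhost and its plain-HTTP vhost and reports whether the three enhancements shown above (--hsts, --uir, --redirect) are actually in place; the two vhost texts are constructed samples mirroring the lines the answer lists, and the function name audit_enhancements is my own:

```python
import re

# Constructed sample: the ssl vhost after `certbot enhance --hsts` and `--uir`.
SSL_VHOST = """
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    Header always set Strict-Transport-Security "max-age=31536000"
    Header always set Content-Security-Policy upgrade-insecure-requests
</VirtualHost>
"""

# Constructed sample: the :80 vhost after choosing "Redirect" during install.
HTTP_VHOST = """
<VirtualHost *:80>
    ServerName example.com
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.example.com [OR]
    RewriteCond %{SERVER_NAME} =example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
"""


def audit_enhancements(ssl_conf: str, http_conf: str) -> dict:
    """Return {'hsts': max-age seconds or None, 'uir': bool, 'redirect': bool}.

    Matching is per-line and case-insensitive, like Apache's directive parsing.
    'Header always set' is required, so the header is also sent on error pages.
    """
    hsts = re.search(
        r'^\s*Header\s+always\s+set\s+Strict-Transport-Security\s+"?[^"\n]*max-age=(\d+)',
        ssl_conf, re.M | re.I)
    uir = re.search(
        r'^\s*Header\s+always\s+set\s+Content-Security-Policy\s+"?upgrade-insecure-requests',
        ssl_conf, re.M | re.I)
    # --redirect: a RewriteRule on the plain-HTTP vhost sending everything to
    # https:// with a permanent (301) redirect, as certbot writes it.
    redirect = re.search(
        r'^\s*RewriteRule\s+\S+\s+https://\S+\s+\[[^\]]*R=(?:permanent|301)',
        http_conf, re.M | re.I)
    return {
        'hsts': int(hsts.group(1)) if hsts else None,
        'uir': bool(uir),
        'redirect': bool(redirect),
    }
```

Run it against your own /etc/apache2/sites-enabled/*.conf pair to confirm an enhance run took effect before trusting the SSL Labs result.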