Install Let's Encrypt and enable https #624

Closed
mbaev opened this Issue Sep 14, 2017 · 11 comments

mbaev commented Sep 14, 2017

To support the Safe Internet strategy, an SSL certificate needs to be installed on the site.
To do this, obtain and install any free certificate or connect to Let's Encrypt.

This needs to be done for both servers and all environments.

@mbaev mbaev assigned mbaev, bsyomov, dansamara and bober2000 and unassigned mbaev Sep 14, 2017

@mbaev mbaev added the Improvement label Sep 14, 2017

@mbaev mbaev added this to the 6th November 2017 milestone Sep 14, 2017

mbaev commented Sep 14, 2017

Who will take this on?

dansamara commented Sep 14, 2017

I can do it using certbot.

mbaev commented Sep 14, 2017

OK, great! I've left you as an assignee.

awd-studio commented Sep 14, 2017

mbaev commented Sep 14, 2017

Oh, sorry @awd-studio, I didn't see it. I'll close that issue in favor of this one. Do you mind?

awd-studio commented Sep 14, 2017

No, it doesn't matter which one, as long as it works ;)

bober2000 commented Sep 14, 2017

@dansamara I recommend https://github.com/Neilpang/acme.sh, it's dead simple and pure bash

@mbaev mbaev added DevOps and removed Duplicate Improvement labels Oct 2, 2017

itcrowd72 commented Nov 1, 2017

Didn't make it by November 6?

mbaev commented Nov 1, 2017

@dansamara said he would do it, I think.

dansamara commented Nov 2, 2017

https + http2 is enabled on dev.drupal.ru and stage.drupal.ru
Nginx SSL configuration:

    ##
    # SSL Settings
    ##

    ## Use an SSL/TLS cache for SSL session resumption. This needs to be
    ## here (in this context) for session resumption to work. See this
    ## thread on the Nginx mailing list:
    ## http://nginx.org/pipermail/nginx/2010-November/023736.html.
    ssl_session_tickets off;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    ## Use only Perfect Forward Secrecy Ciphers.
    ssl_ciphers EECDH:+AES256:-3DES:RSA+AES:RSA+3DES:!NULL:!RC4:!DES-CBC3-SHA;

    # HSTS (ngx_http_headers_module is required) (1 year)
    add_header Strict-Transport-Security max-age=31536000;

    ## Curve to use for ECDH.
    ssl_ecdh_curve secp384r1;

Test results: https://www.ssllabs.com/ssltest/analyze.html?d=dev.drupal.ru
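
An added example, not part of the thread or the project's configuration: the script below expands the `ssl_ciphers` string from the comment above with the local OpenSSL (through Python's `ssl` module) and lists the TLS 1.2 suites whose key exchange is not ephemeral, which is what the "Perfect Forward Secrecy" comment in the config is about. `NGINX_SNIPPET` is constructed from the quoted directives, `STRICTER` is an assumed alternative string for comparison, and the exact suite list depends on the OpenSSL build.

```python
import re
import ssl

# Constructed sample: the TLS directives quoted in the comment above.
NGINX_SNIPPET = """
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH:+AES256:-3DES:RSA+AES:RSA+3DES:!NULL:!RC4:!DES-CBC3-SHA;
"""

# Assumed alternative for comparison (not the project's setting): ECDHE only.
STRICTER = "EECDH+AESGCM:EECDH+AES"

# OpenSSL key-exchange labels that provide forward secrecy.
EPHEMERAL_KEA = {"kx-ecdhe", "kx-dhe"}


def extract_cipher_string(nginx_conf):
    """Return the value of the last ssl_ciphers directive, or None if absent."""
    found = re.findall(r"^\s*ssl_ciphers\s+([^;]+);", nginx_conf, re.MULTILINE)
    return found[-1].strip().strip("'\"") if found else None


def expand(cipher_string):
    """Expand an OpenSSL cipher string into TLS <= 1.2 suites using the local library."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    # TLS 1.3 suites are configured separately and always appear; skip them.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def non_forward_secret(cipher_string):
    """Names of the enabled suites whose key exchange is not ephemeral (EC)DH."""
    return [c["name"] for c in expand(cipher_string)
            if c["kea"] not in EPHEMERAL_KEA]


if __name__ == "__main__":
    configured = extract_cipher_string(NGINX_SNIPPET)
    for label, value in (("configured", configured), ("stricter", STRICTER)):
        weak = non_forward_secret(value)
        print(f"{label}: {len(expand(value))} suites, {len(weak)} without forward secrecy")
        for name in weak:
            print("   ", name)
```

The same expansion can be read directly on a server with `openssl ciphers -v '<string>'`, where the `Kx=` column shows the key exchange of each suite.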

mbaev commented Nov 2, 2017

That's enough! Thank you!

@mbaev mbaev closed this Nov 2, 2017
