3. Lighttpd SSL configuration (HTTPS with Letsencrypt)


N4T0R4 (TEAM THE C@TZ), registered Sun 28 Jul 2019 09:36


Post by N4T0R4 »

# "letsencrypt" is the old transitional package name; the current package is certbot
apt install certbot

Creating a certificate:

certbot certonly --webroot -w /var/www -d mondomaine.net -d www.mondomaine.net

(webroot mode: lighttpd must already serve /var/www/.well-known/acme-challenge/ over plain HTTP for both names; certbot reuses the same -w path at every renewal, so that path must stay reachable for each name once the HTTPS redirect below is enabled.)

cd /etc/letsencrypt/live/mondomaine.net/

# private key first, then the certificate. fullchain.pem (leaf + intermediate)
# instead of cert.pem lets newer lighttpd send the chain from the pemfile alone;
# older versions simply read the first certificate. The file holds the private
# key, so create it owner-only.
umask 077; cat privkey.pem fullchain.pem > combined.pem

Add a subdomain to an existing certificate (--expand needs every name of the lineage, existing and new, plus the same authenticator as the first run; combined.pem has to be rebuilt afterwards):

certbot certonly --expand --webroot -w /var/www -d mondomaine.net -d www.mondomaine.net -d sous.mondomaine.net
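combined.pem is a one-off copy: `certbot renew` (and `--expand`) swaps the privkey.pem and cert.pem symlinks in live/ to new files in archive/, but nothing rewrites combined.pem, so after the first renewal lighttpd keeps serving the old certificate until it expires. The deploy hook below rebuilds the bundle from the renewed lineage and reloads lighttpd. It is an added example and not part of the original post. Assumptions: it is installed, executable, as /etc/letsencrypt/renewal-hooks/deploy/lighttpd-combined.sh (certbot runs every script in that directory after a successful renewal and exports RENEWED_LINEAGE), the bundle lives in the lineage directory as in the post, and lighttpd is a systemd service named lighttpd.

```shell
#!/bin/sh
# Certbot deploy hook that rebuilds combined.pem after every renewal
# (added example, not from the original post).
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/lighttpd-combined.sh
# certbot runs each executable in that directory after a successful renewal
# and exports RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/mondomaine.net.
set -eu

# Refuse to bundle a private key that does not belong to cert.pem: compare
# the public key derived from the key with the one embedded in the cert.
# Works for RSA and ECDSA keys alike.
key_matches_cert() { # key.pem cert.pem
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Write privkey + fullchain to a temporary file created with owner-only
# permissions, then rename it into place, so the private key is never
# readable by others and lighttpd never opens a half-written file.
# Prints the path of the file written.
write_combined() { # lineage_dir output_file
    tmp="$2.tmp.$$"
    ( umask 077; cat "$1/privkey.pem" "$1/fullchain.pem" > "$tmp" )
    chmod 600 "$tmp"
    mv -f "$tmp" "$2"
    echo "$2"
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if ! key_matches_cert "$RENEWED_LINEAGE/privkey.pem" "$RENEWED_LINEAGE/cert.pem"; then
        echo "$RENEWED_LINEAGE: privkey.pem does not match cert.pem, leaving combined.pem untouched" >&2
        exit 1
    fi
    write_combined "$RENEWED_LINEAGE" "$RENEWED_LINEAGE/combined.pem"
    # Graceful reload where the unit supports it (assumed systemd service
    # name "lighttpd"); fall back to a restart otherwise.
    systemctl reload lighttpd || systemctl restart lighttpd
else
    echo "RENEWED_LINEAGE is not set: run via certbot, or by hand as" >&2
    echo "  RENEWED_LINEAGE=/etc/letsencrypt/live/mondomaine.net sh $0" >&2
fi
```

Run it once by hand with RENEWED_LINEAGE pointing at the lineage to seed combined.pem; from then on certbot's timer keeps the bundle and the running lighttpd in step with the renewed certificate.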

Generate Diffie-Hellman parameters (dhparam):

mkdir /etc/lighttpd/ssl

# 4096-bit parameters take several minutes to generate
openssl dhparam -out /etc/lighttpd/ssl/dhparam.pem 4096

Configure Lighttpd:

mkdir /etc/lighttpd/conf-hosts

nano /etc/lighttpd/conf-hosts/hosts-ssl.conf

# lighttpd 1.4.46 and newer ship TLS as its own module, and
# setenv.set-response-header below needs mod_setenv; both must be loaded
# (mod_redirect, used by https.conf, is already in Debian's default
# lighttpd.conf module list).
server.modules += ( "mod_openssl", "mod_setenv" )

$SERVER["socket"] == ":443" {
#protocol = "https://"

ssl.engine = "enable"
server.name = "mondomaine.net"
server.document-root = "/var/www/"

# Environment flag for HTTPS enabled
#setenv.add-environment = "HTTPS" => "on"

# pemfile is privkey + certificate (combined.pem built above; keep it
# mode 0600, it holds the private key).
# ca-file is the intermediate chain only: Let's Encrypt's chain.pem, not
# fullchain.pem, which repeats the leaf certificate. lighttpd 1.4.56 and
# newer read the chain from the pemfile instead of ca-file, so on those
# versions build combined.pem from privkey.pem + fullchain.pem.
ssl.dh-file = "/etc/lighttpd/ssl/dhparam.pem"
ssl.ca-file = "/etc/letsencrypt/live/mondomaine.net/chain.pem"
ssl.pemfile = "/etc/letsencrypt/live/mondomaine.net/combined.pem"

# The certificate requested above already covers www.mondomaine.net as a
# SAN, so this host block only changes the document root. There is no
# /etc/letsencrypt/live/www.mondomaine.net/ lineage unless a separate
# certificate was issued for it, and pointing ssl.pemfile at a missing
# file stops lighttpd from starting.
$HTTP["host"] == "www.mondomaine.net" {
server.document-root = "/var/www/mondomaine.net/"
}

# ECDH/ECDHE ciphers curve strength (see `openssl ecparam -list_curves`)
ssl.ec-curve = "secp384r1"

# Make the server prefer the order of the server side cipher suite instead of the client suite.
# Historically recommended against the BEAST attack; still useful so that the
# server, not the client, picks the strongest suite both support.
# This option is enabled by default, but only used if ssl.cipher-list is set.
#
ssl.honor-cipher-order = "enable"

# A stricter cipher suite: forward-secret (ECDHE/DHE) suites only. For details see:
# http://blog.ivanristic.com/2011/10/miti ... n-tls.html
#
# "HIGH" on its own also admits static RSA key exchange (no forward secrecy)
# and, unless !aNULL is appended, anonymous suites, so it is kept only as the
# commented-out, less strict fallback.
ssl.cipher-list = "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:AES128+EECDH:AES128+EDH:!aNULL:!eNULL"
#ssl.cipher-list = "HIGH"

# Mitigate CVE-2009-3555 by disabling client triggered renegotiation
# This is enabled by default.
#
ssl.disable-client-renegotiation = "enable"

# HSTS (15768000 seconds = 6 months)
# "preload" asks browsers to hard-code HTTPS for the domain and every
# subdomain once it is submitted to the preload list; leave it out until
# every subdomain really serves HTTPS, since getting off the list takes months.
setenv.set-response-header = (
"Strict-Transport-Security" => "max-age=15768000; includeSubdomains; preload",
"X-Frame-Options" => "DENY",
"X-Content-Type-Options" => "nosniff"
)

# Disable SSLv2 because it is insecure
ssl.use-sslv2 = "disable"

# Disable SSLv3 (can break compatibility with some old browsers)
ssl.use-sslv3 = "disable"

# The two lines above still leave TLS 1.0 and 1.1 enabled; require TLS 1.2
# as the floor (lighttpd 1.4.48+ with mod_openssl on OpenSSL 1.1.0+, where
# newer releases also warn that the ssl.use-sslv* directives are deprecated)
ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
}


cd /etc/lighttpd/conf-enabled

ln -s ../conf-hosts/hosts-ssl.conf .

Force redirection to HTTPS:

cd /etc/lighttpd/conf-hosts

nano https.conf

$HTTP["scheme"] == "http" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}


cd /etc/lighttpd/conf-enabled

ln -s ../conf-hosts/https.conf .

SSL test:

https://www.ssllabs.com/ssltest/
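Before submitting the host to SSL Labs, the same points can be checked locally against the configuration above: which protocol versions the server still accepts, whether the intermediate chain is actually sent, whether the http:// redirect lands on https:// for the same host and path (what `https://%0$0` in https.conf should produce), and whether the HSTS header carries the intended max-age. The script below is an added example, not part of the original post; it assumes openssl and curl are installed and that the hostname given as its argument (www.mondomaine.net in the post) resolves to this lighttpd.

```shell
#!/bin/sh
# Local TLS/HTTPS pre-check for the lighttpd setup above (added example, not
# from the original post). Assumes openssl and curl are installed and the
# name passed as $1 (e.g. www.mondomaine.net) resolves to this lighttpd.
# Save as tlscheck.sh and run: sh tlscheck.sh www.mondomaine.net
set -eu

# Extract the max-age value from a Strict-Transport-Security header line;
# prints nothing if the line is not an HSTS header with max-age.
hsts_max_age() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/.*[Mm]ax-[Aa]ge=\([0-9][0-9]*\).*/\1/p'
}

# Succeed only if a Location value is the https:// form of the same host and
# path; a redirect to another host, or one that stays on http://, fails.
redirect_is_https() { # location_value host path
    case "$1" in
        "https://$2$3"*) return 0 ;;
    esac
    return 1
}

# Try a handshake pinned to one protocol version; prints ok or refused.
# s_client exits non-zero when the server rejects that version.
try_proto() { # host  -tls1|-tls1_1|-tls1_2|-tls1_3
    if echo | openssl s_client -connect "$1:443" -servername "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo refused
    fi
}

main() {
    host=$1
    echo "== protocol versions (expected: only -tls1_2 and -tls1_3 ok)"
    for p in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-9s %s\n' "$p" "$(try_proto "$host" "$p")"
    done

    echo "== chain as sent by the server (expected: Verify return code: 0 (ok))"
    echo | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
        | grep -E '^ *[0-9]+ s:|^ *i:|Verify return code' || true

    echo "== HTTP -> HTTPS redirect"
    loc=$(curl -sI "http://$host/probe?x=1" | tr -d '\r' | sed -n 's/^[Ll]ocation: //p')
    if redirect_is_https "$loc" "$host" "/probe"; then echo "ok: $loc"; else echo "FAIL: Location=$loc"; fi

    echo "== HSTS (expected: max-age >= 15768000 as configured)"
    hdr=$(curl -sI "https://$host/" | tr -d '\r' | grep -i '^strict-transport-security:' || true)
    age=$(hsts_max_age "$hdr")
    if [ -n "$age" ] && [ "$age" -ge 15768000 ]; then echo "ok: $hdr"; else echo "FAIL: $hdr"; fi
}

if [ $# -ge 1 ]; then
    main "$1"
else
    echo "usage: $0 hostname" >&2
fi
```

The protocol loop is the quickest way to see whether the MinProtocol floor is in effect: with the configuration above, -tls1 and -tls1_1 must come back as refused. A "Verify return code" other than 0 with the Let's Encrypt root installed locally usually means the intermediate is missing, i.e. ssl.ca-file/ssl.pemfile does not carry the chain.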

Revoke a certificate:

# revoke the certificate currently in use: live/ points at the newest
# archive/certN.pem, whereas archive/cert1.pem is only the first issuance
# and may already have been replaced by a renewal
certbot revoke --cert-path /etc/letsencrypt/live/mondomaine.net/cert.pem --delete-after-revoke

or, to remove lineages by hand (only renewal/ uses a .conf file; live/ and archive/ hold one directory per lineage, so the .conf suffix must not be applied to them):

rm -rf /etc/letsencrypt/{live,archive}/{mondomaine.net,monautredomaine.net} /etc/letsencrypt/renewal/{mondomaine.net,monautredomaine.net}.conf

Also:

certbot delete

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which certificate would you like to delete?
-------------------------------------------------------------------------------
1: www.domain1.com
2: www.domain2.com
3: www.mydomain.com
4: www.domain3.com
5: www.domain4.com
6: www.domain5.com
-------------------------------------------------------------------------------
Select the appropriate number [1-6] then [enter] (press 'c' to cancel): 3

-------------------------------------------------------------------------------
Deleted all files relating to certificate www.mydomain.com.
-------------------------------------------------------------------------------
