Secure the Taiga Project Management Platform with Let's Encrypt SSL


The previous article described installing the Taiga project management tool on CentOS 8 and Ubuntu 20.04 Linux servers. In this blog post I will show you how to secure the Taiga project management platform with a Let's Encrypt HTTPS certificate. Let's Encrypt is a free, automated, and open certificate authority provided by the non-profit Internet Security Research Group (ISRG).

This guide assumes you are publishing Taiga under a domain name through the Nginx web server. NGINX acts as a static file web server for taiga-front-dist and proxies API requests to taiga-back. You must stop the nginx service before continuing with this guide.

Stop the Nginx service

Check whether the Nginx service is running.

$ systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-10-03 00:03:47 CEST; 1 day 1h ago
 Main PID: 11870 (nginx)
    Tasks: 3 (limit: 24392)
   Memory: 5.8M
   CGroup: /system.slice/nginx.service
           ├─11870 nginx: master process /usr/sbin/nginx
           ├─11871 nginx: worker process
           └─11872 nginx: worker process

Oct 03 00:03:47 projects.hirebestengineers.com systemd[1]: Starting The nginx HTTP and reverse proxy server...
Oct 03 00:03:47 projects.hirebestengineers.com nginx[11866]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Oct 03 00:03:47 projects.hirebestengineers.com nginx[11866]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Oct 03 00:03:47 projects.hirebestengineers.com systemd[1]: nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument
Oct 03 00:03:47 projects.hirebestengineers.com systemd[1]: Started The nginx HTTP and reverse proxy server.

If it is running, stop it.

sudo systemctl stop nginx

Install the certbot tool

Next, install the certbot tool, which lets you deploy Let's Encrypt certificates automatically.

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
sudo mv certbot-auto /usr/local/bin
sudo chmod 0755 /usr/local/bin/certbot-auto

Run the certbot-auto tool to install the operating system dependencies.

certbot-auto --os-packages-only

Agree to the package installation.

Transaction Summary
==================================================================================================================================================================
Install  36 Packages
Upgrade   1 Package

Total download size: 52 M
Is this ok [y/N]: y

Obtain a Let's Encrypt SSL certificate

Save the Taiga platform domain name in a variable.

DOMAIN='projects.hirebestengineers.com'

Do the same for the email address that will receive certificate expiry notifications.

EMAIL="[email protected]"

If the firewall does not allow the http and https ports, add them on a CentOS server.

sudo firewall-cmd --add-service={http,https} --permanent
sudo firewall-cmd --reload

Request the certificate with the certbot-auto command line tool.

certbot-auto certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring

Expect a success message once the command has completed.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/projects.hirebestengineers.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/projects.hirebestengineers.com/privkey.pem
   Your cert will expire on 2021-01-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Then generate strong DH parameters.

sudo openssl dhparam -out /etc/ssl/dhparam.pem 2048

Verify that the file was created.

$ ll /etc/ssl/dhparam.pem
-rw-r--r--. 1 root root 424 Oct  4 02:14 /etc/ssl/dhparam.pem

Update the Nginx configuration file

Update the Nginx configuration file to set the SSL options.

But first, back up the current configuration.

$ sudo cp /etc/nginx/conf.d/taiga.conf{,.bak-$(date +%F:%T)}
$ ls /etc/nginx/conf.d/
taiga.conf  taiga.conf.bak-2020-10-04:02:01:47

Edit the taiga.conf file with your preferred editor, replacing the domain name and the SSL certificate paths with your own values.

sudo vim /etc/nginx/conf.d/taiga.conf

Update the configuration as follows:

# Redirect http to https
server {
    listen 80;
    server_name projects.hirebestengineers.com www.projects.hirebestengineers.com; # Set correct values
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name projects.hirebestengineers.com www.projects.hirebestengineers.com; # Set correct values

    large_client_header_buffers 4 32k;
    client_max_body_size 50M;
    charset utf-8;

    index index.html;

    # Frontend
    location / {
        root /home/taiga/taiga-front-dist/dist/;
        try_files $uri $uri/ /index.html;
    }

    # Backend
    location /api {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8001/api;
        proxy_redirect off;
    }

    # Admin access (/admin/)
    location /admin {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8001$request_uri;
        proxy_redirect off;
    }

    # Static files
    location /static {
        alias /home/taiga/taiga-back/static;
    }

    # Media files
    location /media {
        alias /home/taiga/taiga-back/media;
    }

    # Events
    location /events {
        proxy_pass http://127.0.0.1:8888/events;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_connect_timeout 7d;
        proxy_send_timeout 7d;
        proxy_read_timeout 7d;
    }

    # SSL
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Public-Key-Pins 'pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains';

    ssl on;
    ssl_certificate /etc/letsencrypt/live/projects.hirebestengineers.com/fullchain.pem;   # Set SSL cert path
    ssl_certificate_key /etc/letsencrypt/live/projects.hirebestengineers.com/privkey.pem; # Set SSL key  path
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/ssl/dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
}

Verify the nginx configuration.

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
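`nginx -t` only checks syntax; it says nothing about whether the TLS directives are still current. The following lint is an added example (not part of the original guide) that flags three things in a server block like the one above: `ssl on;` (deprecated since nginx 1.15.0 in favour of `listen 443 ssl`), protocol versions that RFC 7568 and RFC 8996 have deprecated, and the obsolete Public-Key-Pins header. The sample server block is constructed and the pin value is a placeholder.

```python
"""Lint the TLS directives of an nginx server block for deprecated settings.
Added example, not part of the guide; SAMPLE_CONF is a constructed snippet
that mirrors the relevant lines of taiga.conf."""

SAMPLE_CONF = """
server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Public-Key-Pins 'pin-sha256="PLACEHOLDER="; max-age=2592000';
    ssl on;   # redundant with "listen 443 ssl"
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;
}
"""

# Versions deprecated by RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0 and 1.1).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def directives(conf_text):
    """Yield (name, value) for every simple directive, ignoring '#' comments."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith(";"):
            name, _, value = line[:-1].partition(" ")
            yield name, value.strip()


def lint_tls(conf_text):
    """Return a list of (code, detail) findings for one server block."""
    found = list(directives(conf_text))
    findings = []
    listen_ssl = any(n == "listen" and "ssl" in v.split() for n, v in found)
    ssl_on = any(n == "ssl" and v == "on" for n, v in found)
    if ssl_on and listen_ssl:
        findings.append(("ssl_on_redundant", "drop 'ssl on'; 'listen 443 ssl' already enables TLS"))
    for name, value in found:
        if name == "ssl_protocols":
            weak = sorted(set(value.split()) & DEPRECATED_PROTOCOLS)
            if weak:
                findings.append(("deprecated_protocols", " ".join(weak)))
        elif name == "add_header" and value.startswith("Public-Key-Pins"):
            findings.append(("hpkp_obsolete", "browsers no longer enforce HPKP; remove the header"))
    return findings


if __name__ == "__main__":
    for code, detail in lint_tls(SAMPLE_CONF):
        print(f"{code}: {detail}")
```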

Update the Taiga frontend and backend configuration

Before activating the HTTPS site, the frontend and backend configuration must be updated. Change the scheme from http to https throughout both configurations.

$ sudo su - taiga

Backend configuration update:

$ vim ~/taiga-back/settings/local.py

Here is my updated configuration.

from .common import *

MEDIA_URL = "https://projects.hirebestengineers.com/media/"
STATIC_URL = "https://projects.hirebestengineers.com/static/"
SITES["front"]["scheme"] = "https"
SITES["front"]["domain"] = "projects.hirebestengineers.com"

SECRET_KEY = "OQOEJNSJIQHDBQNSUQEJSNNANsqQPAASQLSMSOQND"

DEBUG = False
PUBLIC_REGISTER_ENABLED = True

DEFAULT_FROM_EMAIL = "[email protected]"
SERVER_EMAIL = DEFAULT_FROM_EMAIL

#CELERY_ENABLED = True

EVENTS_PUSH_BACKEND = "taiga.events.backends.rabbitmq.EventsPushBackend"
EVENTS_PUSH_BACKEND_OPTIONS = {"url": "amqp://taiga:[email protected]:5672/taiga"}

# Uncomment and populate with proper connection parameters
# to enable email sending. EMAIL_HOST_USER should end with @domain.tld
#EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend"
#EMAIL_USE_TLS = False
#EMAIL_HOST = "localhost"
#EMAIL_HOST_USER = ""
#EMAIL_HOST_PASSWORD = ""
#EMAIL_PORT = 25

# Uncomment and populate with proper connection parameters
# to enable GitHub login/signin.
#GITHUB_API_CLIENT_ID = "yourgithubclientid"
#GITHUB_API_CLIENT_SECRET = "yourgithubclientsecret"

Do the same for the frontend configuration file.

$ vim ~/taiga-front-dist/dist/conf.json

See below.

{
    "api": "https://projects.hirebestengineers.com/api/v1/",
    "eventsUrl": "ws://projects.hirebestengineers.com/events",
    "eventsMaxMissedHeartbeats": 5,
    "eventsHeartbeatIntervalTime": 60000,
    "eventsReconnectTryInterval": 10000,
    "debug": true,
    "debugInfo": false,
    "defaultLanguage": "en",
    "themes": ["taiga"],
    "defaultTheme": "taiga",
    "publicRegisterEnabled": true,
    "feedbackEnabled": true,
    "supportUrl": "https://tree.taiga.io/support",
    "privacyPolicyUrl": null,
    "termsOfServiceUrl": null,
    "GDPRUrl": null,
    "maxUploadFileSize": null,
    "contribPlugins": [],
    "tribeHost": null,
    "importers": [],
    "gravatar": true,
    "rtlLanguages": ["fa"]
}
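A page loaded over https:// cannot fetch plain http:// resources or open a plain ws:// WebSocket; browsers block both as mixed content, so a leftover `ws://` in `eventsUrl` breaks the events feed once the site moves to HTTPS. The script below is an added example (not part of the guide) that audits a conf.json and a local.py for such URLs and proposes the https/wss form; both inputs are constructed samples with an example domain.

```python
"""Find http:// and ws:// URLs in Taiga's conf.json and local.py that would
become mixed content behind HTTPS. Added example; inputs are constructed."""
import json
import re
from urllib.parse import urlsplit

# Constructed sample of taiga-front-dist/dist/conf.json (trimmed to a few keys).
FRONT_CONF = """{
    "api": "https://projects.example.com/api/v1/",
    "eventsUrl": "ws://projects.example.com/events",
    "supportUrl": "https://tree.taiga.io/support",
    "privacyPolicyUrl": null
}"""

# Constructed sample of taiga-back/settings/local.py.
BACK_CONF = '''
MEDIA_URL = "http://projects.example.com/media/"
STATIC_URL = "https://projects.example.com/static/"
SITES["front"]["scheme"] = "https"
EVENTS_PUSH_BACKEND_OPTIONS = {"url": "amqp://taiga:secret@127.0.0.1:5672/taiga"}
'''

SECURE_FOR = {"http": "https", "ws": "wss"}   # insecure scheme -> TLS scheme
LOOPBACK = {"127.0.0.1", "localhost", "::1"}  # never reaches a browser
URL_RE = re.compile(r'"([a-z][a-z0-9+.-]*://[^"]+)"')


def secure_form(url):
    """Return the https/wss equivalent of an insecure URL, or None if it is fine."""
    scheme = urlsplit(url).scheme
    if scheme not in SECURE_FOR:
        return None
    return SECURE_FOR[scheme] + url[len(scheme):]


def audit_front(conf_text):
    """(key, url, fixed) for every conf.json string value with an http/ws scheme."""
    findings = []
    for key, value in json.loads(conf_text).items():
        fixed = secure_form(value) if isinstance(value, str) else None
        if fixed:
            findings.append((key, value, fixed))
    return findings


def audit_back(settings_text):
    """(url, fixed) for each quoted http/ws URL in local.py that a browser would
    load; loopback targets such as the local amqp:// broker are skipped."""
    findings = []
    for url in URL_RE.findall(settings_text):
        fixed = secure_form(url)
        if fixed and urlsplit(url).hostname not in LOOPBACK:
            findings.append((url, fixed))
    return findings
```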

After updating the configuration, restart all Taiga services.

sudo systemctl restart 'taiga*'

Restart the nginx service.

sudo systemctl restart nginx

Load the Taiga web console and confirm that you are redirected from http to https.

Check the certificate details in the browser.

Add a scheduled task for automatic certificate renewal.

# crontab -e
# root's user crontab has no user-name field: the command follows the schedule directly
0 0,12 * * * /usr/local/bin/certbot-auto renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
