首页 > 其他分享 >ssl 证书部署

ssl 证书部署

时间:2023-06-29 15:33:16浏览次数:67  
标签:designacademy 证书 部署 academy will ssl design SSL your

单位的考核系统,采用ssl证书,专门做了总结

又看到一篇文章 https://www.designmycodes.com/python/setup-ssl-certificate-on-nginx-for-django-application.html

可以参考借鉴吧,有时间再读

 

Serving a HTTPS only Django Application is very important to secure your users data. If your application have user authentication it is already a good reason to start using HTTPS only. Otherwise usernames and passwords will be exposed traveling over HTTP in plain text. Meaning if a user is using a public internet connection, and he logs in your application, he is vulnerable to a sniffer attack.

It is important to not only secure login, password change and payment pages with HTTPS, but the whole application. Otherwise you will be only protecting your user base only temporarily.

In this tutorial I will guide you through all the necessary steps to correctly secure your Django Application, using an inexpensive SSL certificate from Namecheap.


Getting a SSL Certificate

The first step is to get a SSL for your Django Application. There are a few options: you can generate your own certificate, you can get a free one from Let’s Encrypt or you can purchase one from the many companies on the internet.

In this tutorial I will use a simple commercial SSL certificate by Positive SSL registered from Namecheap. You can get it for $9.00/yr clicking here.

PS: I get commission for purchases using the link above.


Generate a CSR code

CSR stand for Certificate Signing Request and it is a base64 encoded data usually generated in the server-side.

Since we will be using Nginx for the web server, we will use openssl.

Usually CSR openssl configuration contains by default the details as follows below:

  • Common Name (the domain name certificate should be issued for)
  • Country
  • State (or province)
  • Locality (or city)
  • Organization
  • Organizational Unit (Department)
  • E-mail address

To generate the CSR code run the following code in your server terminal:

openssl req -new -newkey rsa:2048 -nodes -keyout designacademy.key -out designacademy.csr
Tip: Replace designacademy with the name of your domain.

After hitting enter you should see something like that:

.............+++
....................................+++
writing new private key to 'designacademy.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:

You will be prompted a few questions:

Country Name (2 letter code) [AU]:FI
State or Province Name (full name) [Some-State]:Oulu
Locality Name (eg, city) []:Oulu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Design Codes
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:design.academy
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:samplepassword
An optional company name []:Design Codes

After answering all the questions, check if the files was created correctly:

ubuntu@designacademy:~$ ls -l
total 8
-rw-rw-r-- 1 ubuntu ubuntu 1196 May 11 14:26 designacademy.csr
-rw-rw-r-- 1 ubuntu ubuntu 1704 May 11 14:26 designacademy.key
ubuntu@designacademy:~$

Activate the SSL Certificate

Grab the contents of the file designacademy.csr and paste it into the activation page:

After submitting the data, you will be asked to confirm it. Now it is time to validate that you actually own the domain. Usually there are three different ways to validate you own a domain: Email, HTTP-based or DNS-based. Pick the most suitable option for you. In my case, DNS-based it is.

Visit the details page to get the instructions to create the CNAME (in case you have selected the DNS-based validation).

Domain Control Validation

Add a CNAME record with the given values:

Installing the SSL Certificate

After the activation process of your certificate, you should receive the necessary certificate files in your email address. It comes usually in a .zip archive containing the files:

  • design_academy.crt
  • design_academy.ca-bundle

Concatenate the two files:

cat design_academy.crt design_academy.ca-bundle >> design_academy_cert_chain.crt

Upload those files to your server using scp:

scp design_academy_cert_chain.crt [email protected]:/home/ubuntu

Now you will need two files:

  • design_academy_cert_chain.crt
  • designacademy.key (the key you genered while creating the CSR)

Copy both files to /etc/ssl/:

sudo cp designacademy_cert_chain.crt /etc/ssl/
sudo cp designacademy.key /etc/ssl/

Edit your virtual hosts file:

upstream design_academy_server {
  server unix:/opt/design_academy/run/gunicorn.sock fail_timeout=0;
}

# Redirect all non-encrypted to encrypted
server {
    server_name design.academy;
    listen 80;
    return 301 https://design.academy$request_uri;
}

server {
    server_name design.academy;

    listen 443;  # <-

    ssl on;  # <-
    ssl_certificate /etc/ssl/designacademy_cert_chain.crt;  # <-
    ssl_certificate_key /etc/ssl/designacademy.key;  # <-

    client_max_body_size 4G;

    access_log /opt/design_academy/logs/nginx-access.log;
    error_log /opt/design_academy/logs/nginx-error.log;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;  # <-
        proxy_set_header Host $http_host;
        proxy_redirect off;

        if (!-f $request_filename) {
            proxy_pass http://design_academy_server;
            break;
        }
    }
}

Restart the nginx:

sudo service nginx restart

And it is already working, serving all requests with HTTPS only:

Finally, add a few extra configurations to your settings.py:

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SECURE_SSL_REDIRECT = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True

Restart your Django application and it is all set up.


Conclusions

I strongly recommend reading the official Django Documentation on SSL/HTTPS before adding the extra configurations to your settings.py, as if not done correctly can seriously expose your application.

Even though I’m using the Namecheap SSL certificate as an example, the steps described in this tutorial is applicable for any commercial SSL certificate.

标签:designacademy,证书,部署,academy,will,ssl,design,SSL,your
From: https://www.cnblogs.com/lxgbky/p/17514335.html

相关文章

  • windows环境下使用Jenkins部署.net core
    前言之前学习了windows环境下使用Jenkins配置dotnetcore极简入门-chenxizhaolu-博客园(cnblogs.com)又学习了Windows下使用docker部署.NetCore-chenxizhaolu-博客园(cnblogs.com)现在将两者结合起来,通过Jenkins自动发布.netcore到Docker1、安装Jenkins参照windo......
  • PMP®证书增持 CSPM-2证书,有用吗?值得弄一个吗?
    2023年6月起,持有PMP®证书的朋友可以直接增持一个同等级证书CSPM-2,不用重新考试,不用重新学习,原PMP®证书不影响正常使用,相当于多了一个国标项目管理领域的证书。  第一步·准备资料 1、填写能力评价表2、提供2张2寸蓝底彩照(电子版另外收10元打印费)3、提供PMP®证书电子版1份4、......
  • Kubernetes(k8s) Web-UI界面(一):部署和访问仪表板(Dashboard)
    目录一.系统环境二.前言三.仪表板(Dashboard)简介四.部署Kubernetes仪表板(Dashboard)五.访问Kubernetes仪表板(Dashboard)5.1使用token登录Dashboard5.2对sa账号kubernetes-dashboard授权5.3访问Dashboard六.总结七.附加信息一.系统环境本文主要基于Kubernetes1.21.9和Linux操作......
  • docker-compose 部署java微服务项目
    1、准备条件:安装docker,安装docker-compose,docker安装可自行百度,docker-compose安装由于太慢,我这里提供两个版本:win和linux版本的百度网盘版,大家可根据需要自行下载:链接:https://pan.baidu.com/s/10W81TX6cWQqyi92xyeuZQQ提取码:2evg这里一linux系统为例:下载docker-compose-linux-......
  • 部署zabbix5.0以及使用
    前言检查防火墙是否关闭vim/etc/selinux/configSELINUX=disabled内存4G为好配置好阿里yum源实验步骤-服务端获取zabbix的下载源rpm-Uvhhttps://mirrors.aliyun.com/zabbix/zabbix/5.0/rhel/7/x86_64/zabbix-release-5.0-1.el7.noarch.rpm更换zabbix.re......
  • F5Cloud第一期如何在AWS上部署F5 VE​
    F5Cloud第一期如何在AWS上部署F5VEF5VE初始化:配置VLAN,Selfip,LOCALDNS,NTP,创建设备组,创建信任关系peer,组建双机,同步配置......
  • 在Centos7上部署Yapi
    组件版本:CentOS7Nodev12.22.9mongoDBv4.4.22Yapiv1.12.0一、安装nodenode下载地址:https://registry.npmmirror.com/binary.html?path=node/v12.22.9/下载node压缩包到本地,解压缩文件,移动并重命名node#下载压缩包到本地wgethttps://registry.npmmirror.com/-/bina......
  • 使用宝塔webhook快速部署github仓库上的项目
    1、宝塔安装webhook点击添加Hook,输入如下命令。cd/www/wwwroot/project_namegitpull点击查看密钥,可以得到hooks的地址和密钥。2、Github上设置Webhooks填入上面得到的地址和密钥 3、为了git拉取免登录,需要在服务器安装ssh证书ssh-keygen-trsacat~/.ssh/id_r......
  • 前端打包部署后接口BASE_URL不对问题解决办法
    在前端打包部署时,为了免去不同环境打包的麻烦,项目用的流水线触发方式。在这里不细说,重点说说下面情况。当项目提交打包部署后,访问压测环境或者生产环境的地址来使用项目时,发现接口报错404。 在NETWORK里发现接口的BASEURL和当前环境需要调用的后端baseurl不同。主要问题在于......
  • 免费体验Stable Diffusion deforum文转视频插件,还有deforum API 接口部署介绍!
    如何使用ServerlessDevs和函数计算快速体验部署StableDiffusion,这个是小白也能简单体验安装部署的教程.有电脑就能操作,依托阿里云原生服务.不用考虑硬件问题本篇主要讲解怎么安装跟部署自定义安装插件跟模型.以deforum文转视频插件举例.deforumapi接口自定义开发镜像定......