Code-server with Nginx, SSL 인증서 적용
- Code-server에 Nginx 구성 후 SSL(Let’s Encrypt 무료)인증서를 적용해봅니다. (Update: Mar 13, 2021)
환경 구성
- OS: CentOS 8.3.2011 (on Oracle cloud VM)
!참고 - 이전 글의 Coder-server & Nginx 구성 이 진행되어 SSL 인증서를 적용 합니다 - Code-server: 3.9.0-amd64.rpm
- Nginx: v1.14.1 (with yum)
1. Install certbot-nginx
; dns-01 방식으로 진행합니다. (도메인은 변경없이, server ip와 sub-domain은 변경 가능)
; 공인ip를 요구하는 http-01 방식도 가능하지만 언제든 다른 곳, ip로 변경할 수 있도록 보류
USER1@ ~]$ sudo yum install -y certbot python3-certbot-nginx
USER1@ ~]$ sudo certbot -d vm2.mydomain.com --manual --preferred-challenges dns certonly
(...생략...)
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): {myEmail}@hotmail.com
(...생략...)
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
;news, campains…? No.
(...생략...)
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.
Requesting a certificate for vm2.mydomain.com
Performing the following challenges:
dns-01 challenge for vm2.mydomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.vm2.mydomain.com with the following value:
-FzP4bCvVVXm1p9TTB7v8FCc80TejN83FhKTuIOnQwQ
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
; 여기에서는 위의 도메인 TXT 레코드 등록과 nslookup 확인 후 진행합니다.
; 개인 도메인을 등록해 사용중인 cloudflare
DNS 서비스에 등록했습니다.
;TXT 레코드 등록 확인
USER1@ ~]$ dig -t txt _acme-challenge.vm2.mydomain.com
; <<>> DiG 9.10.6 <<>> -t txt _acme-challenge.vm2.mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35168
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
(...생략...)
;; ANSWER SECTION:
_acme-challenge.vm2.mydomain.com. 286 IN TXT "-FzP4bCvVVXm1p9TTB7v8FCc80TejN83FhKTuIOnQwQ"
(...생략...)
;nslookup 확인 후, {Enter키 입력} 다시 진행합니다.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.vm2.mydomain.com with the following value:
-FzP4bCvVVXm1p9TTB7v8FCc80TejN83FhKTuIOnQwQ
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/vm2.mydomain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/vm2.mydomain.com/privkey.pem
Your certificate will expire on 2021-06-11. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
2. Nginx 인증서 적용
; 정상 완료되면 /etc/nginx/sites-enabled/code-server.conf 파일에 인증서 설정이 수정되어 있습니다.
; 다른 글의 Ubuntu 인증서 적용 과정에서의 http to https 리디렉션 설정이 생략되어 추가로 넣었습니다.
; Liten {http port} 를 삭제하거나 주석처리합니다.
[변경 후]
upstream vm2-code-server {
server 127.0.0.1:8080;
}
server {
#listen 7788;
#listen [::]:7788;
server_name vm2.mydomain.com;
location / {
proxy_pass http://vm2-code-server;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
proxy_set_header Accept-Encoding gzip;
auth_basic "Authentication Page";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_buffering off;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/vm2.mydomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/vm2.mydomain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
; (Ubuntu 설정 과정에는 자동 추가되는) http → https redirection 설정을 원한다면 추가해줍니다.
server {
if ($host = vm2.mydomain.com) {
return 301 https://$host$request_uri;
}
listen 80 ;
listen [::]:80 ;
server_name vm2.mydomain.com;
return 404;
}
;설정 완료된 파일
upstream vm2-code-server {
server 127.0.0.1:8080;
}
server {
#listen 7788;
#listen [::]:7788;
server_name vm2.mydomain.com;
location / {
proxy_pass http://vm2-code-server;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
proxy_set_header Accept-Encoding gzip;
auth_basic "Authentication Page";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_buffering off;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/vm2.mydomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/vm2.mydomain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Redirection http to https
server {
if ($host = vm2.mydomain.com) {
return 301 https://$host$request_uri;
}
listen 80 ;
listen [::]:80 ;
server_name vm2.mydomain.com;
return 404;
}
USER1@ ~]$ sudo systemctl restart nginx.service
3. 인증서 자동 갱신
;root권한 cronjob으로 만료 2주전에 갱신되도록 설정합니다.
USER1@ ~]$ touch RenewCert.sh; chmod 700 RenewCert.sh
USER1@ ~]$ vi RenewCert.sh
#!/bin/bash
VALID=($(certbot certificates | grep VALID))
VALID_DATE=$(expr ${VALID[5]})
#인증서 갱신시 dns 레코드를 수정해야되어 webroot 인증으로 자동 갱신 변경
#if [ $VALID_DATE -lt 15 ]; then
# echo "\r" | certbot --text --agree-tos -d vm2.mydomain.com --manual --preferred-challenges dns --expand --renew-by-default --manual-public-ip-logging-ok certonly --post-hook "systemctl restart nginx.service"
#fi
if [ $VALID_DATE -lt 15 ]; then
echo "\r" | /bin/letsencrypt certonly --webroot --webroot-path /usr/share/nginx/html/ --agree-tos -d vm2.mydomain.com --renew-by-default --post-hook "/usr/bin/systemctl restart nginx.service"
fi
[USER1@vm2 cronjobs]$ sudo vi /etc/crontab
55 13 * * * root /bin/sh /home/USER1/RenewCert.sh > /dev/null 2>&1
참고 글
;Centos에서 code-server, nignx proxy, certbot 을 구성하며 몰랐던 부분도 많이 배웠네요. 먼저 진행하며 공유해주신 분들께 감사드립니다.