🥑 Applying a Let's Encrypt certificate to nginx (SSL)

may_soouu · October 30, 2020

Previous blog post
After finishing the previous setup (Django + gunicorn + nginx), I was given a domain address.
I applied letsencrypt to this domain to secure it (simply put, the work of changing http to https).

First, let's look at what SSL is.

1. SSL (Secure Socket Layer) - security certificate

  • SSL operates between the transport layer and the application layer
    - Transport layer: the layer responsible for reliable data transfer between processes
    - Application layer: the layer closest to the user. Server and client applications run at this layer,
    and the browsers we know also run at this layer
  • Flow
    Receive the packet at Transport > decrypt the packet at SSL > pass it to Application
    (More in-depth content will be added later 💦)

2. letsencrypt

Let's Encrypt is an organization that issues SSL certificates and is one of the top-level issuing authorities.
Its market share is very low, but the issuance procedure is simple and it is free.

2-1. Installing certbot

# Before installing anything, update & upgrade the packages with the commands below
$ sudo apt-get update
$ sudo apt-get upgrade
# Add certbot to the server
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx
# Request a certificate for both host names through the nginx plugin
$ sudo certbot --nginx -d soohyun.co.kr -d www.soohyun.co.kr

Once this is done, certbot is ready to use. However, the server block only has settings for port 80, so port 443, the SSL port, must be configured as well.
Configure port 443 in the same place where the settings file was set up after installing nginx in the previous blog post.

# In the terminal, move to the sites-enabled / sites-available locations with the commands below
# Enter the same content below in both paths

$ cd /etc/nginx/sites-enabled
$ cd /etc/nginx/sites-available

# Enter the content below
# If the domain address is soohyun.co.kr

server {
        listen 80;
        server_name soohyun.co.kr www.soohyun.co.kr;
        charset utf-8;

        # Redirect every plain-HTTP request to HTTPS
        location / {
                return 307 https://soohyun.co.kr$request_uri;
        }

     #   location / {
     #           include proxy_params;
     #           proxy_pass http://4.75.234.513:8000;
     #   }


#        location /static/ {
#                alias /home/ubuntu/webform-parser/parser_server;
#        }

}


server {
        # "ssl" on the listen line replaces the deprecated "ssl on;" directive
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name soohyun.co.kr www.soohyun.co.kr;

        # Certificate chain and private key issued through certbot
        ssl_certificate /etc/letsencrypt/live/soohyun.co.kr/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/soohyun.co.kr/privkey.pem;

        # Pass the decrypted requests on to the application server
        location / {
                include proxy_params;
                proxy_pass http://4.75.234.513:8000;
        }

}
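A syntax test alone does not show whether the 443 block actually serves the same names that the port-80 block redirects, or whether its `listen` lines enable TLS. The Python check below is an added example, not part of the original post. `SAMPLE_CONF` is a constructed config with both mistakes, and matching the `/live/<name>/` directory against `server_name` is a heuristic assumption.

```python
import re

# Constructed sample: the 443 block has a server_name typo and no "ssl" on listen.
SAMPLE_CONF = """
server {
    listen 80;
    server_name soohyun.co.kr www.soohyun.co.kr;
    location / { return 307 https://soohyun.co.kr$request_uri; }
}
server {
    listen 443;
    listen [::]:443;
    server_name soohyun.co.kr.co.kr www.soohyun.co.kr;
    ssl_certificate /etc/letsencrypt/live/soohyun.co.kr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/soohyun.co.kr/privkey.pem;
}
"""

def server_blocks(conf):
    """Yield the body of each server { ... } block, found by brace counting."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directives(block, name):
    """Argument lists of every `name args;` directive in the block."""
    pat = rf"(?:^|[;{{}}])\s*{name}\s+([^;{{}}]+);"
    return [m.group(1).split() for m in re.finditer(pat, block, re.M)]

def audit(conf):
    conf = re.sub(r"#.*", "", conf)  # strip comments
    http, https, findings = set(), set(), []
    for block in server_blocks(conf):
        names = {n for args in directives(block, "server_name") for n in args}
        tls = [l for l in directives(block, "listen") if l[0].rsplit(":", 1)[-1] == "443"]
        (https if tls else http).update(names)
        if any("ssl" not in l for l in tls):
            findings.append("listen 443 lacks the ssl parameter")
        for cert in directives(block, "ssl_certificate"):
            lineage = re.search(r"/live/([^/]+)/", cert[0])
            if lineage and lineage.group(1) not in names:  # heuristic (assumption)
                findings.append(f"cert directory {lineage.group(1)} not in server_name")
    findings += [f"{n} is on port 80 but in no 443 block" for n in sorted(http - https)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```
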

2-2. Restart

# Test the configuration, then restart nginx
$ sudo nginx -t
$ sudo systemctl restart nginx

Now even a connection over http is redirected to https,
and when you visit over https a padlock icon appears in the address bar, showing that the connection is secured ☀️

Done!

🌎 Other commands

# Check the letsencrypt version
$ letsencrypt --version

# Check the Ubuntu version
$ cat /etc/issue

# Command to check which certificates exist
$ sudo certbot certificates


3 comments

March 30, 2021

Secure Socket Lasyer
I found a typo, so I'm letting you know!
