Showing posts with label security. Show all posts

How I did SSL with Let's Encrypt for free

I use Ubuntu 14 on a VPS. I have a couple of Node.js scripts running with pm2. I use an HTTPS server inside the JS files:

    const app = require('express')();
    const fs = require('fs');

    // certbot writes these under /etc/letsencrypt/live/<domain>/
    const privateKey  = fs.readFileSync('/etc/letsencrypt/live/domain.com/privkey.pem');   // private key
    const certificate = fs.readFileSync('/etc/letsencrypt/live/domain.com/fullchain.pem'); // leaf cert + intermediates

    // `cert` must carry the full chain: cert.pem alone leaves clients unable to
    // build a path to the root. `ca` is only used to verify client certificates,
    // so it is not needed for a plain HTTPS server.
    const https = require('https').Server({
      key: privateKey,
      cert: certificate
    }, app);

    https.listen(443);


In nginx I use this:

    server {
      listen 443 ssl;

      server_name domain.com www.domain.com;

      ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

      keepalive_timeout 10;

      location /.well-known/acme-challenge/ {
        alias /var/www/challenges/;
        try_files $uri =404;
      }

      location / {
        proxy_redirect off;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   Host              $http_host;
        proxy_set_header   X-NginX-Proxy     true;
        proxy_set_header   Connection        "";
        proxy_pass         http://pm2upstream;
      }
    }


I tried different guides and failed.

This worked:

  1. wget https://dl.eff.org/certbot-auto
  2. chmod a+x ./certbot-auto
  3. service nginx stop
  4. ./certbot-auto certonly, then follow the instructions and use the auto server option
  5. reboot 0     // I hear you screaming about this; best wishes, sysadmins

How to check that an image has no code injected?

If you let images with injected code be saved on your server, they can become a highway to your PHP files and your whole database, so it is important to make sure that when a user uploads an avatar it really is an avatar, not something with code injected into the image.
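As an added example (not code from either post), a Python checker that applies the rule in the title to an uploaded avatar: identify the format from its magic bytes rather than the claimed extension, walk the PNG chunk structure to detect data appended after IEND, and flag script markers such as `<?php`. The 1x1 PNG at the end is constructed in memory as a test sample, not a real upload.

```python
import struct
import zlib

# Signatures of the formats an avatar upload is normally allowed to be.
MAGIC = {"png": (b"\x89PNG\r\n\x1a\n",), "jpeg": (b"\xff\xd8\xff",), "gif": (b"GIF87a", b"GIF89a")}
# Script markers that have no business anywhere in an image file.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")

def detect_format(data):
    """Identify the image type from its magic bytes, ignoring the claimed extension."""
    return next((fmt for fmt, magics in MAGIC.items() if data.startswith(magics)), None)

def png_trailing_bytes(data):
    """Walk the PNG chunk list; return bytes left after IEND (0 = clean, -1 = no IEND)."""
    pos = 8  # skip the 8-byte signature
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # length + type + payload + CRC
        if ctype == b"IEND":
            return len(data) - pos
    return -1

def check_upload(data, declared_ext):
    """Return a list of findings; an empty list means the bytes look like a plain image."""
    fmt = detect_format(data)
    if fmt is None:
        return ["not a recognised image format"]
    findings = []
    if declared_ext.lower().lstrip(".").replace("jpg", "jpeg") != fmt:
        findings.append(f"extension .{declared_ext} does not match content ({fmt})")
    if fmt == "png":
        trailing = png_trailing_bytes(data)
        if trailing != 0:
            findings.append(f"PNG has {trailing} bytes after IEND" if trailing > 0
                            else "PNG has no IEND chunk (truncated or malformed)")
    for marker in SCRIPT_MARKERS:
        if marker in data.lower():
            findings.append(f"script marker {marker!r} found in image bytes")
    return findings

def _chunk(ctype, payload):
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))

def make_png_1x1():
    """Constructed sample: a valid 1x1 greyscale PNG built in memory (not a real upload)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, bit depth, colour type, ...
    idat = zlib.compress(b"\x00\x80")  # filter byte + one grey pixel
    return MAGIC["png"][0] + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
```

Stripping metadata and re-encoding the image with an image library before saving it is the stronger mitigation; this script only flags the common cases. Keeping uploads out of any directory where the web server executes scripts removes the "highway" in the first place.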