I want to write up the process I went through while building a simple web demo. The overall structure is as follows; the Load Balancer (A) and the Web Server (B) are set up as separate servers.
On top of that, I want to add an SSL certificate. Once a certificate has been issued and applied to Nginx, the service can be served over HTTPS.
The environment is as follows.
- Ubuntu 20.04
- Python 3.8
- FastAPI 0.100.1
1. Connecting a domain
To set up SSL you must have a domain. Refer to this blog post to set one up.
2. Installing a Let's Encrypt certificate
Install certbot on Ubuntu.
sudo apt install certbot
sudo apt install python3-certbot-nginx
Next, issue the Let's Encrypt certificate that will be configured in Nginx as follows. Enter your email address, a, y, and the domain name from step 1 when prompted.
sudo certbot certonly --nginx
>>>>
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): (email address) ## enter
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a ## enter
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y ## enter
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): example.com ## enter your domain name
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
Using default address 80 for authentication.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/happyquokka.me/privkey.pem
Your cert will expire on 2023-11-08. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
- We were unable to subscribe you the EFF mailing list because your
e-mail address appears to be invalid. You can try again later by
visiting https://act.eff.org.
The certificate and its private key are then stored at the following locations.
# Replace example.com with the domain you purchased
/etc/letsencrypt/live/example.com/fullchain.pem
/etc/letsencrypt/live/example.com/privkey.pem
3. Applying the SSL certificate to Nginx
In the previous post I set up a Load Balancer on server A with Nginx. Now I want to apply the SSL certificate on top of that setup.
Open /etc/nginx/sites-enabled/default and configure it as follows. Requests arriving on port 80 are redirected to HTTPS, and HTTPS is served on port 443.
server {
    listen 80;
    listen [::]:80;
    server_name example.com; ## domain name
    # Permanently (301) redirect every plain-HTTP request to HTTPS
    rewrite ^ https://$server_name$request_uri? permanent;
}
upstream (B address) {
    server (B address):9050;
    server (B address):9051;
}
server {
    # SSL configuration
    listen 443 ssl;
    listen [::]:443 ssl;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name example.com; ## domain name
    # Replace example.com with your domain name.
    # "ssl on;" is deprecated and not needed: "listen 443 ssl" above already enables TLS.
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    location / {
        proxy_pass http://(B address);
        # Forward the original host, client address and scheme to server B
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket upgrade pass-through
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # CORS headers are part of the response to the browser, so they must be
        # set with add_header. proxy_set_header only changes the request that is
        # sent on to server B and has no effect on what the browser sees.
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Max-Age 1728000;
        # Browsers reject Allow-Credentials together with a wildcard origin; if
        # credentials are really needed, replace * above with the exact front-end origin.
        add_header Access-Control-Allow-Credentials true;
        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
        add_header Access-Control-Allow-Headers 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    }
}
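To catch the two mistakes that are easy to make in the config above (the deprecated "ssl on;" directive and CORS headers set with proxy_set_header instead of add_header), here is a small static check that can be run over a site file before restarting Nginx. This is an added example and not code from the original post; the two embedded configs are constructed for the example (the weak one mirrors the post's original layout, the hardened one adds an HSTS header and a pinned CORS origin), and the backend name "backend" and origin "https://app.example.com" are assumptions.

```python
"""Static checks for a TLS-terminating Nginx site config (added example)."""
import re
from typing import List

# Constructed "before" config: deprecated "ssl on;" and CORS headers that are
# sent to the backend (proxy_set_header) instead of to the browser (add_header).
WEAK_CONFIG = """
server {
    listen 80;
    server_name example.com;
    rewrite ^ https://$server_name$request_uri? permanent;
}
server {
    listen 443 ssl;
    server_name example.com;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    location / {
        proxy_pass http://backend;
        add_header Access-Control-Allow-Origin *;
        proxy_set_header 'Access-Control-Allow-Credentials' 'true';
    }
}
"""

# Constructed "after" config: TLS enabled only via "listen ... ssl", HSTS set,
# CORS origin pinned to the front-end instead of a wildcard.
HARDENED_CONFIG = """
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    add_header Strict-Transport-Security "max-age=63072000" always;
    location / {
        proxy_pass http://backend;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Access-Control-Allow-Origin https://app.example.com;
        add_header Access-Control-Allow-Credentials true;
    }
}
"""


def _directives(config: str) -> List[str]:
    """Split a config into bare directive statements, dropping comments and quotes."""
    no_comments = "\n".join(line.split("#", 1)[0] for line in config.splitlines())
    return [s.strip().replace("'", "").replace('"', "")
            for s in re.split(r";|\{|\}", no_comments) if s.strip()]


def lint_nginx_tls(config: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    ds = _directives(config)
    findings = []
    if any(d == "ssl on" for d in ds):
        findings.append("deprecated 'ssl on;' present; 'listen 443 ssl' already enables TLS")
    if any(d.startswith("proxy_set_header Access-Control-") for d in ds):
        findings.append("CORS headers set with proxy_set_header go to the backend, not the browser; use add_header")
    wildcard = any(re.fullmatch(r"(add_header|proxy_set_header) Access-Control-Allow-Origin \*", d) for d in ds)
    creds = any(re.fullmatch(r"(add_header|proxy_set_header) Access-Control-Allow-Credentials true", d) for d in ds)
    if wildcard and creds:
        findings.append("Allow-Origin * combined with Allow-Credentials true is rejected by browsers; pin the origin")
    if not any(d.startswith("add_header Strict-Transport-Security") for d in ds):
        findings.append("no Strict-Transport-Security header; clients can still be sent to plain HTTP")
    if not any(d.startswith("ssl_certificate ") for d in ds) or not any(d.startswith("ssl_certificate_key ") for d in ds):
        findings.append("ssl_certificate / ssl_certificate_key missing")
    if not any(d.startswith("rewrite ^ https://") or d.startswith("return 301 https://") for d in ds):
        findings.append("port 80 server block does not redirect to HTTPS")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint_nginx_tls(cfg) or "OK")
```

The check is deliberately line-oriented rather than a full Nginx parser, so it is meant as a pre-restart sanity check on a site file, not a replacement for nginx -t.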
Then restart Nginx with sudo systemctl restart nginx.
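The config above forwards X-Forwarded-For and X-Forwarded-Proto to server B, and since TLS now terminates on server A, the FastAPI backend only sees plain HTTP and must read those headers to know the real client address and scheme. It should do so only when the connection actually comes from the load balancer, because any client can send its own X-Forwarded-* headers. The following is an added example (not code from the original post) showing that rule as a standalone function; the load balancer address 10.0.0.1 and all header values are constructed for the example.

```python
"""Trust X-Forwarded-* headers only from the load balancer (added example)."""
import ipaddress
from typing import Dict, Tuple

# Constructed: the address of server A (the Nginx load balancer) as seen by server B.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.1/32")]


def _is_trusted(ip: str) -> bool:
    """True if ip belongs to one of our own proxies."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def resolve_client(peer_ip: str, headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (client_ip, scheme) for a request received by server B.

    Nginx's $proxy_add_x_forwarded_for appends the address it saw to whatever
    X-Forwarded-For it received, so the right-most entry is the one our load
    balancer added and the only one we can rely on. Everything to its left
    came from the client or an unknown upstream hop and may be spoofed.
    """
    if not _is_trusted(peer_ip):
        # Direct connection or unknown proxy: ignore every forwarded header.
        return peer_ip, "http"

    lower = {k.lower(): v for k, v in headers.items()}

    scheme = lower.get("x-forwarded-proto", "http").split(",")[-1].strip().lower()
    if scheme not in ("http", "https"):
        scheme = "http"

    hops = [h.strip() for h in lower.get("x-forwarded-for", "").split(",") if h.strip()]
    client = peer_ip
    # Walk from the right, skipping our own proxies, and stop at the first
    # address that is not one of ours: that is the real client.
    for hop in reversed(hops):
        if not _is_ip(hop):
            break
        client = hop
        if not _is_trusted(hop):
            break
    return client, scheme


if __name__ == "__main__":
    # Request relayed by the LB; the client tried to prepend a fake address.
    print(resolve_client("10.0.0.1", {"X-Forwarded-For": "1.2.3.4, 203.0.113.5",
                                      "X-Forwarded-Proto": "https"}))
    # Request that bypassed the LB and claims to be HTTPS: headers are ignored.
    print(resolve_client("198.51.100.9", {"X-Forwarded-For": "1.2.3.4",
                                          "X-Forwarded-Proto": "https"}))
```

If the backend is run with uvicorn, the same effect is obtained with its --proxy-headers and --forwarded-allow-ips options, with the latter restricted to the address of server A; the function above makes explicit what those options do.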
[References]
- https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-20-04
- https://wikidocs.net/177320
- https://stackoverflow.com/questions/41594531/how-to-deal-with-mixed-content-in-a-website-which-should-be-secured-as-https
- https://medium.com/free-code-camp/going-https-on-amazon-ec2-ubuntu-14-04-with-lets-encrypt-certbot-on-nginx-696770649e76
- https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-load-balancing-with-ssl-termination