Thursday, July 9, 2020

Domain + SSL - With a server already set up

============ ENABLE BASIC DOMAIN (NO SSL)
--- Web server config

> cd /etc/nginx/sites-available/
> sudo cp default ecommerce.snew-app.com
> sudo nano ecommerce.snew-app.com
        < change root: to the project directory
            add the server_name:  dominio.com  >

> Ctrl+O + Enter + Ctrl+X --- save
> cd /var/www/
NOTE: THE WEB FOLDER MUST BE CREATED WITH THE SAME NAME AS THE DOMAIN TO AVOID PROBLEMS WHEN RENEWING THE CERTIFICATE
> sudo mkdir ecommerce.snew-app.com
> sudo nano ecommerce.snew-app.com/index.html
                < Hello world !!! >
> Ctrl+O + Enter + Ctrl+X --- save

> sudo nginx -t
> sudo ln -s /etc/nginx/sites-available/ecommerce.snew-app.com /etc/nginx/sites-enabled/
> sudo nginx -t
> sudo  systemctl reload nginx.service 

============== Add domains and subdomains to the VPS
section (s1-s3) min: 35
6. Add domains to the VPS
a. Go to Networking >> Add domain
b. Create new record of type A
HOSTNAME = @
WILL DIRECT TO = select your droplet
TTL (SECONDS) = 3600
and Create record

6.1 Create subdomains on the VPS
(api, blog, assets)
a. Create new record of type CNAME
HOSTNAME = api (subdomain name)
IS AN ALIAS OF = @
TTL (SECONDS) = 3600
and Create record

6.2 Configure the DNS for the domains
In Namecheap go to Custom DNS
ns1.digitalocean.com
ns2.digitalocean.com
ns3.digitalocean.com
ns4.digitalocean.com


========================== Let's Encrypt SSL
"ONLY REPLACE THE DOMAIN, in this case: ecommerce.snew-app.com"
the path: /var/www/ecommerce.snew-app.com/www/ <- must be where the index.html is (Ionic case)

sudo acme.sh --issue -d ecommerce.snew-app.com -w /var/www/ecommerce.snew-app.com/ --force

sudo mkdir -p /etc/nginx/certs/ecommerce.snew-app.com

sudo acme.sh --install-cert -d ecommerce.snew-app.com --key-file /etc/nginx/certs/ecommerce.snew-app.com/key.pem --fullchain-file /etc/nginx/certs/ecommerce.snew-app.com/fullchain.pem --ca-file /etc/nginx/certs/ecommerce.snew-app.com/ca.pem --reloadcmd "systemctl force-reload nginx.service" --force
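
A check to run after the --install-cert step (added example, not part of the original notes): it confirms that key.pem belongs to fullchain.pem, that the certificate covers the domain, that it is not close to expiry, and that the key is not readable by other users. The function name check_cert_dir, the domain shop.example.test and the throwaway self-signed certificate are constructed for the demo; on the server, point it at /etc/nginx/certs/<domain>.

```shell
#!/bin/sh
# check_cert_dir DIR DOMAIN  (hypothetical helper name)
# Prints "OK", or the problems found in DIR/key.pem and DIR/fullchain.pem.
check_cert_dir() {
    dir=$1 domain=$2 problems=""
    cert=$dir/fullchain.pem key=$dir/key.pem
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "missing-files"; return 1
    fi
    # 1. The leaf certificate and the private key must share one public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        problems="$problems key-mismatch"
    fi
    # 2. The certificate must be valid for the domain nginx serves.
    openssl x509 -in "$cert" -noout -checkhost "$domain" 2>/dev/null |
        grep -q "does match" || problems="$problems hostname-mismatch"
    # 3. Flag certificates with less than 30 days (2592000 s) left.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 ||
        problems="$problems expires-within-30d"
    # 4. key.pem must not be accessible to group or others (mode chars 5-10).
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        problems="$problems key-readable-by-others"
    if [ -n "$problems" ]; then echo "${problems# }"; return 1; fi
    echo "OK"
}

# Constructed sample: a throwaway self-signed certificate in a temp directory.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=shop.example.test" \
    -keyout "$demo_dir/key.pem" -out "$demo_dir/fullchain.pem" 2>/dev/null
chmod 600 "$demo_dir/key.pem"
check_cert_dir "$demo_dir" shop.example.test || true
```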



======================== NGINX SITES-AVAILABLE CONFIGURATION
"ONLY REPLACE THE DOMAIN, in this case: ecommerce.snew-app.com"
Ctrl + K: deletes a line in the terminal

server {
        listen 80;
        listen [::]:80;

        server_name ecommerce.snew-app.com;
        return 301 https://ecommerce.snew-app.com$request_uri;
       # return 404;
}

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        ssl_certificate /etc/nginx/certs/ecommerce.snew-app.com/fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/ecommerce.snew-app.com/key.pem;
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
        ssl_session_tickets off;

        # modern configuration
        ssl_protocols TLSv1.3;
        ssl_prefer_server_ciphers off;

        ##
        # Security setting
        ##

        # Avoiding iFrames from other origins
        add_header X-Frame-Options SAMEORIGIN;

        # Avoiding MIME type sniffing
        add_header X-Content-Type-Options nosniff;

        # Avoiding XSS attacks
        add_header X-XSS-Protection "1;mode=block";

        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
        add_header Strict-Transport-Security "max-age=63072000" always;

        # OCSP stapling
        ssl_stapling on;
        ssl_stapling_verify on;

        # verify chain of trust of OCSP response using Root CA and Intermediate certs
        ssl_trusted_certificate /etc/nginx/certs/ecommerce.snew-app.com/ca.pem;
        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/ecommerce.snew-app.com;

        # Add index.php to the list if you are using PHP
        index index.php index.html;

        server_name ecommerce.snew-app.com;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ /index.html;
                # try_files $uri $uri/ /index.php?$query_string; (for PHP)
        }

        # pass PHP scripts to FastCGI server
        #
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;

                # With php-fpm (or other unix sockets):
                fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        location ~ /\.ht {
                deny all;
        }

        # deny access to .git files
        #
        location ~ /\.git {
                deny all;
        }
}
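
Since the template is reused by replacing only the domain, a leftover domain in one path is the usual mistake. This added example (not part of the original notes) lints a site file for that: server_name, the 301 target, root under /var/www/<domain> and the three certificate paths under /etc/nginx/certs/<domain>/ must all name the same domain. The function name check_site and the sample file for blog.example.test are constructed.

```shell
#!/bin/sh
# check_site FILE DOMAIN  (hypothetical helper name)
# Prints every directive in FILE that does not point at DOMAIN, or "OK".
check_site() {
    awk -v d="$2" '
        function bad(why) { printf "line %d: %s %s\n", NR, $1, why; n++ }
        { sub(/#.*/, "") }                    # ignore comments
        { v = $NF; sub(/;$/, "", v) }         # last argument without ";"
        $1 == "server_name" && v != d { bad("is not " d) }
        $1 == "return" && $2 == 301 && v != ("https://" d "$request_uri") {
            bad("redirects to another host")
        }
        $1 == "root" && v != ("/var/www/" d) && index(v, "/var/www/" d "/") != 1 {
            bad("is outside /var/www/" d)
        }
        $1 ~ /^ssl_(certificate|certificate_key|trusted_certificate)$/ &&
        index(v, "/etc/nginx/certs/" d "/") != 1 {
            bad("is outside /etc/nginx/certs/" d "/")
        }
        END { if (n) exit 1; print "OK" }
    ' "$1"
}

# Constructed sample: the template copied for blog.example.test, with the
# key path still pointing at the previous domain.
site=$(mktemp)
cat > "$site" <<'EOF'
server {
    listen 80;
    server_name blog.example.test;
    return 301 https://blog.example.test$request_uri;
}
server {
    listen 443 ssl http2;
    server_name blog.example.test;
    ssl_certificate /etc/nginx/certs/blog.example.test/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/shop.example.test/key.pem;
    ssl_trusted_certificate /etc/nginx/certs/blog.example.test/ca.pem;
    root /var/www/blog.example.test/www;
}
EOF
check_site "$site" blog.example.test || echo "fix the lines above, then run nginx -t"
```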



========== OK - RESTART WEB SERVER

> sudo nginx -t
> sudo  systemctl reload nginx.service 

NOTE: THE WEB FOLDER MUST BE CREATED WITH THE SAME NAME AS THE DOMAIN TO AVOID PROBLEMS WHEN RENEWING THE CERTIFICATE
sudo ln -s ~/code/fullpizzas_com/* /var/www/fullpizzas.sandwichescriollos.com





