11个不稳定版本
| 0.6.2 | 2023年1月3日 |
|---|---|
| 0.5.3 | 2021年9月22日 |
| 0.5.1 | 2021年5月8日 |
| 0.4.0 | 2020年5月24日 |
在 HTTP服务器 中排名 346
每月下载量 31
69KB
1.5K SLoC
acme-redirect(1)
一个小巧的http守护进程,用于响应acme挑战,并将其他所有内容重定向到https。
一个最小配置看起来像这样
# cat /etc/acme-redirect.d/example.com.conf
[cert]
name = "example.com"
dns_names = [
"example.com",
"www.example.com",
]
exec = [
"systemctl reload nginx",
]
您不需要编辑其他任何内容。启动acme-redirect守护进程
systemctl enable --now acme-redirect
确保服务正在正确运行并且重定向按预期工作。确保您的A和AAAA记录指向正确的服务器,并通过从我们的本地守护进程获取一个随机证明来检查一切是否正常工作。
acme-redirect check
如果为每个名称都显示“OK”,则可以请求真实证书
acme-redirect renew
如果成功,则应设置自动续订
systemctl enable --now acme-redirect-renew.timer
证书位于此处
/var/lib/acme-redirect/live/example.com/fullchain
/var/lib/acme-redirect/live/example.com/privkey
示例配置如下所示
nginx
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /var/lib/acme-redirect/live/example.com/fullchain;
ssl_certificate_key /var/lib/acme-redirect/live/example.com/privkey;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /var/lib/acme-redirect/live/example.com/chain;
resolver 127.0.0.1;
# ...
}
apache
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /var/lib/acme-redirect/live/example.com/fullchain
SSLCertificateKeyFile /var/lib/acme-redirect/live/example.com/privkey
Protocols h2 http/1.1
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
lighttpd
server.modules += ("mod_openssl")
$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
ssl.privkey= "/var/lib/acme-redirect/live/example.com/privkey"
ssl.pemfile= "/var/lib/acme-redirect/live/example.com/fullchain"
ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
#ssl.ca-file= "/var/lib/acme-redirect/live/example.com/chain" # (needed in $SERVER["socket"] before lighttpd 1.4.56 if ssl.pemfile in $HTTP["host"])
}
安装
Arch Linux
pacman -S acme-redirect
基于Debian
目前支持:buster
apt install debian-keyring
gpg -a --export --keyring /usr/share/keyrings/debian-maintainers.gpg [email protected] | apt-key add -
apt-key adv --keyserver keyserver.ubuntu.com --refresh-keys [email protected]
echo deb https://apt.vulns.sexy stable main >> /etc/apt/sources.list.d/apt-vulns-sexy.list
apt update && apt install acme-redirect
从源代码构建
git clone https://github.com/kpcyrd/acme-redirect.git
cd acme-redirect/
cargo build --release
install -Dm 755 -t /usr/bin \
target/release/acme-redirect
install -Dm 644 contrib/confs/acme-redirect.conf -t /etc
install -Dm 644 contrib/confs/certs.d/example.com.conf /etc/acme-redirect.d/example.com.conf.sample
install -Dm 644 -t /etc/systemd/system \
contrib/systemd/acme-redirect-renew.service \
contrib/systemd/acme-redirect-renew.timer \
contrib/systemd/acme-redirect.service
install -Dm 644 contrib/systemd/acme-redirect.sysusers /etc/sysusers.d/acme-redirect.conf
install -Dm 644 contrib/systemd/acme-redirect.tmpfiles /etc/tmpfiles.d/acme-redirect.conf
sudo systemd-sysusers
sudo systemd-tmpfiles --create
状态
我从2020年夏季开始在生产中使用此软件(北半球,大约5月)。
开发
mkdir -vp tmp/challs
export ACME_CONFIG="$PWD/contrib/confs/acme-redirect.conf"
export ACME_CONFIG_DIR="$PWD/contrib/confs/certs.d/"
export ACME_CHALL_DIR="$PWD/tmp/"
export ACME_DATA_DIR="$PWD/tmp/"
cargo run -- status
cargo run -- daemon -B '[::]:8080' -v
boxxy
acme-redirect使用setuid和chroot在接收请求之前降低权限。这可以通过boxxy进行检查。
mkdir -vp tmp/web
sudo chown root. tmp/web
cargo build --examples
(cd tmp/web && sudo ../../target/debug/examples/boxxy)
许可证
GPLv3+
依赖项
~23–38MB
~654K SLoC