Let's Encrypt certbot 的“enhance”命令到底有什么作用?

tag-icon tag-icon lets-encrypt certbot
Let's Encrypt certbot 的“enhance”命令到底有什么作用?

Let's Encrypt certbot 有enhance一个带描述的子命令“为您现有的配置添加安全增强功能”。

我唯一能找到的补充信息是 certbot 的 CLI 帮助文件是:

增强:通过在现有配置中添加安全增强功能来帮助强化 TLS 配置。

但仍不清楚现有配置中添加了哪些附魔。修改了哪些文件等等...我对使用 Ubuntu + Apache HTTP Server(使用--apache选项)的配置特别感兴趣。

答案1

我也找不到,所以我看了来源(和另一份文件) 指出:

security:
  Security parameters & server settings

  --rsa-key-size N      Size of the RSA key. (default: 2048)
  --must-staple         Adds the OCSP Must Staple extension to the
                        certificate. Autoconfigures OCSP Stapling for
                        supported setups (Apache version >= 2.3.3 ). (default:
                        False)
  --redirect            Automatically redirect all HTTP traffic to HTTPS for
                        the newly authenticated vhost. (default: Ask)
  --no-redirect         Do not automatically redirect all HTTP traffic to
                        HTTPS for the newly authenticated vhost. (default:
                        Ask)
  --hsts                Add the Strict-Transport-Security header to every HTTP
                        response. Forcing browser to always use SSL for the
                        domain. Defends against SSL Stripping. (default: None)
  --uir                 Add the "Content-Security-Policy: upgrade-insecure-
                        requests" header to every HTTP response. Forcing the
                        browser to use https:// for every http:// resource.
                        (default: None)
  --staple-ocsp         Enables OCSP Stapling. A valid OCSP response is
                        stapled to the certificate that the server offers
                        during TLS. (default: None)
  --strict-permissions  Require that all configuration files are owned by the
                        current user; only needed if your config is somewhere
                        unsafe like /tmp/ (default: False)

并在我的测试环境中尝试了它:

certbot --authenticator webroot --installer apache

[...]
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):2

Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/example.conf to ssl vhost in /etc/apache2/sites-enabled/example.ssl.conf

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://example.com and https://www.example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com



certbot enhance --hsts

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator None, Installer apache

Which certificate would you like to use to enhance your configuration?
-------------------------------------------------------------------------------
1: example.com
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel):

Which domain names would you like to enable the selected enhancements for?
-------------------------------------------------------------------------------
1: example.com
2: www.example.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

Adding Strict-Transport-Security header to ssl vhost in /etc/apache2/sites-enabled/example.ssl.conf



certbot enhance --uir

Plugins selected: Authenticator None, Installer apache

Which certificate would you like to use to enhance your configuration?
-------------------------------------------------------------------------------
1: example.com
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel):

Which domain names would you like to enable the selected enhancements for?
-------------------------------------------------------------------------------
1: example.com
2: www.example.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

Adding Upgrade-Insecure-Requests header to ssl vhost in /etc/apache2/sites-enabled/example.ssl.conf

您可以猜测其余的选项(并未全部尝试)。

它将以下行添加到我已启用站点的 ssl.conf 中:

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Header always set Strict-Transport-Security "max-age=31536000"
Header always set Content-Security-Policy upgrade-insecure-requests

这些在我的站点启用的 non-ssl.conf 中:

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.example.com [OR]
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

相关内容