はじめに
RailsアプリをさくらVPSにデプロイし、ドメインを当てるところまでできたので、今度はLet’s Encryptを使用しSSL化していきます。
環境
Let's Encrypt から 発行料 無料の SSL/TLS サーバー証明書を取得する
$ sudo apt-get -y install certbot
$ sudo nginx -t
$ sudo nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
$ ls /var/www/html index.nginx-debian.html
- 接続できるかテストしたいので一度.well-known/を作成しその中に適当なファイルを作成する。
$ vim /var/www/html/test.html
/etc/nginx/nginx.conf
の中にもう一つlocation /.well-known
のrootを作成する(ドメイン/.well-known/test.htmlで接続する設定)。
$ vim /etc/nginx/nginx.conf server { listen 0.0.0.0:80; server_name 〇〇.studio; proxy_set_header X-Forwarded-Host $host; location / { proxy_pass http://127.0.0.1:3000; } #以下追加 location /.well-known { root /var/www/html; } }
- 設定できたかどうかブラウザで確認(
ドメイン/.well-known/test
でtestの内容が表示されるはず)
成功!
参考:nginx連載5回目: nginxの設定、その3 - locationディレクティブ - インフラエンジニアway - Powered by HEARTBEATS
以下のサイトを参考に1から実行していく(debianのページを表示しています)
Certbot Instructions | Certbotcertbotの設定内容について
$ sudo certbot --nginx Saving debug log to /var/log/letsencrypt/letsencrypt.log Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):〇〇@gmail.com(自分のメールアドレスを入力) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must agree in order to register with the ACME server. Do you agree? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: y(上記を読んでくださいという内容なのでyes) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: n(メール送られたくないのでnoにする) Account registered. Which names would you like to activate HTTPS for? We recommend selecting either all domains, or all domains in a VirtualHost/server block. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: 〇〇.studio(自分のメールアドレスが設定されている) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1(選択肢が一つしかないので1を選択) Requesting a certificate for 〇〇.studio Successfully received certificate. Certificate is saved at: /etc/letsencrypt/live/〇〇.studio/fullchain.pem Key is saved at: /etc/letsencrypt/live/〇〇.studio/privkey.pem This certificate expires on 2023-12-12. These files will be updated when the certificate renews. Certbot has set up a scheduled task to automatically renew this certificate in the background. Deploying certificate Successfully deployed certificate for 〇〇.studio to /etc/nginx/nginx.conf Congratulations! You have successfully enabled HTTPS on https://〇〇.studio - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - If you like Certbot, please consider supporting our work by: * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate * Donating to EFF: https://eff.org/donate-le - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
server { server_name〇〇.studio; proxy_set_header X-Forwarded-Host $host; location / { proxy_pass http://127.0.0.1:3000; } location /.well-known/ { root /var/www/html; } # ここより下が追加されている listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/〇〇.studio/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/〇〇.studio/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } server { if ($host = 〇〇.studio) { return 301 https://$host$request_uri; } # managed by Certbot listen 0.0.0.0:80; server_name 〇〇.studio; return 404; # managed by Certbot }
- 動作確認するとログインや新規登録ができない!!!!
$ tail -f log/production.log
コマンドでlog確認
---------省略--------------- W, [2023-09-15T14:00:33.173199 #46179] WARN -- : [867f933e-1d32-4d2e-844b-a3d79f797096] HTTP Origin header (https://〇〇.studio) didn't match request.base_url (http://〇〇.studio) I, [2023-09-15T14:00:33.173449 #46179] INFO -- : [867f933e-1d32-4d2e-844b-a3d79f797096] Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms | Allocations: 371) F, [2023-09-15T14:00:33.174100 #46179] FATAL -- : [867f933e-1d32-4d2e-844b-a3d79f797096] [867f933e-1d32-4d2e-844b-a3d79f797096] ActionController::InvalidAuthenticityToken (HTTP Origin header (https://〇〇.studio) didn't match request.base_url (http://〇〇.studio)): ---------省略---------------
この中の、ここ!
ActionController::InvalidAuthenticityToken (HTTP Origin header (https://〇〇.studio) didn't match request.base_url (http://〇〇.studio)):
※HOSTとoriginはHTTPSとHTTPで違う!!!!というような内容。
/etc/nginx/nginx.conf
にHTTPSからHTTPにリダイレクトする記述を追加(proxy_set_header X-Forwarded-Proto $scheme
を追加する)
server { server_name memo.uezono.studio; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Proto $scheme; location / { proxy_pass http://127.0.0.1:3000; } location /.well-known/ { root /var/www/html; }
参考:Nginx のリバースプロキシ設定のメモ - Qiita
$ sudo systemctl reload nginx
コマンドでnginxをリロードし、ブラウザで確認
以上です! お疲れさまでした。