[Bitrix] Guide to configuring SSL for Bitrix24 - 21102019

Saturday, September 8, 2018

[Bitrix] Guide to configuring SSL for Bitrix24

Configuring SSL on a website to enable HTTPS makes access to the site safer and keeps information from being stolen.

Without SSL, when users log in or enter personal information on the website, an attacker can easily use attacks such as man-in-the-middle to steal that information.

Configuring this for Bitrix requires work in the following two parts:

1. Configure the Bitrix Virtual Application to enable HTTPS:

Use SSH to access the server. In the Virtual application menu, choose the following:

- Choose 6. Manage sites in the pool

- Next, choose 5. Change a site's https settings

- Here, choose Y to turn on HTTPS.

- Then press 0 to exit. That completes the Virtual Bitrix part.

2. Configure Nginx.

Adding SSL-certificates in BitrixVA/BitrixEnv

Suppose you have a site http://site1.bx and need to switch it to the protected https protocol.
Take the following steps:
  1. First, you need to obtain an SSL certificate from a certification authority of your choice. You should have the following files:
    • site1.bx.key - domain private key (created by you when sending the certificate request, or sent by the certification authority)
    • site1.bx.crt - domain public certificate (sent by the certification authority)
    Attention! If a password-protected SSL certificate replaces the default one in BitrixVA/BitrixEnv, this will cause problems in the operation of wizards and the restarting of services: the password will be requested continuously. To avoid such problems, remove the password from the private key:
    /path/to/openssl rsa -in /path/to/originalkeywithpass.key -out /path/to/newkeywithnopass.key
  2. After that, upload the files received from the authority to the server, for example to the /etc/nginx/ssl/ directory, using any file manager that supports the sftp protocol (for example, WinSCP).
  3. Further commands are executed in the BitrixVA/BitrixEnv Virtual Appliance console (0. Exit in the main menu) or via the equivalent actions in the file manager, whichever is more convenient.
  4. Updating the BitrixVA/BitrixEnv Virtual Appliance can automatically overwrite the standard nginx files, so copy the config file ssl.conf to a new file site1.bx_ssl.conf (the file can have any filename). For convenience, do this for each site if you have several:
    cp /etc/nginx/bx/conf/ssl.conf /etc/nginx/bx/conf/site1.bx_ssl.conf
  5. Then edit the file /etc/nginx/bx/conf/site1.bx_ssl.conf and set the location of site1.bx.key (domain private key) in the nginx ssl_certificate_key directive and the location of site1.bx.crt (domain public certificate) in the ssl_certificate directive:
    ssl_certificate /etc/nginx/ssl/site1.bx.crt;  # domain public certificate
    ssl_certificate_key /etc/nginx/ssl/site1.bx.key; # domain private key
  6. Open the file /etc/nginx/bx/site_avaliable/bx_ext_ssl_site1.bx.conf and find this line in it:
    include bx/conf/ssl.conf;
    and change it to:
    include bx/conf/site1.bx_ssl.conf;

    Note: For the default site s1 (which is located in the /home/bitrix/www directory) the file name will be /etc/nginx/bx/site_avaliable/s1.ssl.conf, and for additional sites (which are created in the /home/bitrix/ext_www/host_name directory) - /etc/nginx/bx/site_avaliable/bx_ext_ssl_host_name.conf.
  7. Verify that the nginx configuration files contain no errors:
    nginx -t
  8. If everything is ok, restart nginx:
    CentOS 6:
    service nginx restart
    CentOS 7:
    systemctl restart nginx.service
  9. Then the site can be switched to work over the https protocol only, using the menu option 6. Manage sites in the pool > 5. Change https settings on site. A description of how to do it can be found here.
Now, even if the standard nginx configuration files are modified after an update of the BitrixVA/BitrixEnv Virtual Appliance, the site will continue to work over the https protocol.
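
A set of checks to run between steps 6 and 7, as an added example that is not part of the original post or of the Bitrix tooling. Because step 1 leaves the private key without a password, file permissions are its only protection, so the script checks them, confirms the key loads without a password and matches the certificate, and confirms the site config includes the per-site copy rather than ssl.conf. The function names are hypothetical, and a POSIX shell with openssl on the PATH is assumed.

```sh
#!/bin/sh
# Added example (hypothetical helper names; not part of BitrixVA/BitrixEnv).

# Print the path given to an nginx directive in a config file.
directive_path() {  # $1 = config file, $2 = directive name
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^;[:space:]]*\)[[:space:]]*;.*/\1/p" "$1" |
        head -n 1
}

# Succeed only if group and others have no permissions on the key file.
key_is_private() {  # $1 = key file
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Succeed only if the key loads with an empty password and its public
# half equals the public key in the certificate.
key_matches_cert() {  # $1 = key file, $2 = certificate file
    k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed only if the site config includes the per-site copy and no longer
# includes the stock ssl.conf that an appliance update may overwrite.
site_includes() {  # $1 = site config, $2 = per-site file name
    grep -Eq "^[[:space:]]*include[[:space:]]+bx/conf/$2;" "$1" &&
        ! grep -Eq '^[[:space:]]*include[[:space:]]+bx/conf/ssl\.conf;' "$1"
}

# Run every check for one site; print each failure, return non-zero on any.
preflight() {  # $1 = site config, $2 = per-site ssl config
    rc=0
    site_includes "$1" "$(basename "$2")" ||
        { echo "FAIL: $1 does not include only $(basename "$2")"; rc=1; }
    key=$(directive_path "$2" ssl_certificate_key)
    crt=$(directive_path "$2" ssl_certificate)
    if [ ! -r "$key" ] || [ ! -r "$crt" ]; then
        echo "FAIL: key or certificate path missing or unreadable"; return 1
    fi
    key_is_private "$key" || { echo "FAIL: $key open to group/others"; rc=1; }
    key_matches_cert "$key" "$crt" ||
        { echo "FAIL: key has a password or does not match $crt"; rc=1; }
    return $rc
}

# Usage on the appliance (paths from the steps above):
#   preflight /etc/nginx/bx/site_avaliable/bx_ext_ssl_site1.bx.conf \
#             /etc/nginx/bx/conf/site1.bx_ssl.conf && nginx -t
```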

Done.

