MarkSthFun needs SSL/TLS to secure HTTP connections between the user's browser and the site.
In particular, MarkSthFun dispatches requests via Nginx and manages certificates via Let's Encrypt and Certbot.
MarkSthFun runs certbot on the lb host. Every time the command ansible-playbook lb-provision.yml is run, it ensures that Let's Encrypt certificates are present in the directory /etc/letsencrypt/live/marksth.fun/ on the lb host.
[root@frodo ~]# ls /etc/letsencrypt/live/marksth.fun/
cert.pem chain.pem fullchain.pem privkey.pem README
For those interested in how Let's Encrypt works, please refer to its "How It Works?" page.
Because Let's Encrypt certificates have a short lifetime (3 months), MarkSthFun needs to renew them regularly. Fortunately, certbot run from crontab can renew them without any human intervention.
[root@frodo ~]# crontab -l
#Ansible: Certbot automatic renewal.
30 3 * * * certbot renew --quiet --no-self-upgrade
Whenever an HTTPS request reaches the lb host, Nginx terminates the TLS connection, using the configured SSL private key to decrypt the HTTP request from the encrypted TCP traffic.
Below are all the SSL settings needed for Nginx.
[root@frodo ~]# grep ssl /etc/nginx/conf.d/shire-443.conf
listen 443 ssl;
Note that we use fullchain.pem as the certificate instead of cert.pem, since fullchain.pem includes the leaf certificate together with the whole intermediate chain that clients need to validate it.
MarkSthFun does not support TLS 1.0 or 1.1, since they are insecure.
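The following server block is an added example, not the project's own shire-443.conf, written to show the directives the description above implies: fullchain.pem and privkey.pem from the live directory, TLS 1.2 and 1.3 only, with the weaker protocol line kept as a comment for contrast. The server names, the backend address 127.0.0.1:8080 and the ACME webroot path are assumptions.

```nginx
# Added example; not MarkSthFun's actual config. Hostnames, the backend
# address and the webroot path below are assumed values.

# Plain HTTP: serve only the ACME HTTP-01 challenge path (needed if certbot
# renews with the webroot authenticator) and redirect everything else to HTTPS.
server {
    listen 80;
    server_name marksth.fun;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed webroot handed to certbot
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name marksth.fun;

    # fullchain.pem carries the leaf certificate plus the intermediate chain;
    # with cert.pem alone, clients lacking the intermediate fail validation.
    ssl_certificate     /etc/letsencrypt/live/marksth.fun/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/marksth.fun/privkey.pem;

    # Weak setting, shown only for contrast (TLS 1.0/1.1 are deprecated):
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Hardened setting: TLS 1.2 and 1.3 only. TLSv1.3 requires nginx built
    # against OpenSSL 1.1.1 or newer; drop it if the build is older.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Reuse sessions so returning clients skip the full handshake.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Ask browsers to use HTTPS only for the next 180 days (assumed value).
    add_header Strict-Transport-Security "max-age=15552000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;        # assumed application backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Validate with nginx -t before reloading. One caveat worth checking on the lb host: nginx reads the certificate files only at startup and on reload, so the cron job above renews the files on disk but does not by itself switch the running nginx to the new certificate. Certbot's --deploy-hook option runs a command only after a successful renewal, so `certbot renew --quiet --deploy-hook "systemctl reload nginx"` closes that gap.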
As of now, the site's SSL Labs grade is B. I'll improve it to A, which will make the site more secure.