Tutorial: Free Let's Encrypt SSL on Ubuntu 16.04 + Nginx (DigitalOcean)

Before following the steps below, make sure your site is already reachable over HTTP. If it is not, set it up by following the guide LEMP Configuration (Linux Ubuntu 16.04 + Nginx + MySQL 5.7 + PHP 7).

1. Install Let’s Encrypt

This step only needs to be done once per server/droplet. If you have already installed an SSL certificate and want to add a certificate for another domain, you can skip this step.

Update package list

apt-get update

Install Let's Encrypt

apt-get install letsencrypt

2. Generate SSL Certificate

letsencrypt certonly -a webroot --webroot-path=/var/www/www.kenc0ur.com -d kenc0ur.com -d www.kenc0ur.com

* Replace /var/www/www.kenc0ur.com with the root path of your domain
* Replace kenc0ur.com and www.kenc0ur.com with your own domains
* On success, a notice like the one below appears; note the SSL certificate folder it reports.

Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/kenc0ur.com/fullchain.pem. Your cert will
expire on 2017-05-09. To obtain a new version of the certificate in
the future, simply run Let’s Encrypt again.

Note down that SSL certificate folder.

3. Generate Diffie-Hellman parameter for DHE ciphersuites

This step only needs to be done once per server/droplet. If you have already generated Diffie-Hellman parameters, you can skip this step.

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

* This process takes a few minutes; just wait

4. Edit Virtual Host

nano /etc/nginx/sites-available/www.kenc0ur.com

* Replace www.kenc0ur.com with the name of the v-host file you created earlier

Change port 80 to 443 ssl http2.
Before:

listen 80;
listen [::]:80;

Change to:

listen 443 ssl http2;
listen [::]:443 ssl http2;

Add this block outside the main server block:

server {
       listen         80;
       listen    [::]:80;
       server_name    www.kenc0ur.com;
       return         301 https://$server_name$request_uri;
}

Add this code inside the main server block:

ssl_certificate /etc/letsencrypt/live/kenc0ur.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/kenc0ur.com/privkey.pem;
ssl_dhparam  /etc/ssl/certs/dhparam.pem;

* Replace /etc/letsencrypt/live/kenc0ur.com/ with the SSL certificate folder reported in step 2

For the overall picture, compare the two v-hosts below, before and after editing.

Before editing:

server {
	server_name  kenc0ur.com;
	rewrite ^(.*) http://www.kenc0ur.com$1 permanent;
}

server {
	server_name www.kenc0ur.com;
	listen 80;
	listen [::]:80;
	root /var/www/www.kenc0ur.com;
	index index.html index.htm index.nginx-debian.html index.php;
	location / {
		try_files $uri $uri/ /index.php?q=$uri&$args;
	}

	location ~ \.php$ {
		include /etc/nginx/fastcgi_params;
		include snippets/fastcgi-php.conf;
		fastcgi_buffers 8 256k;
		fastcgi_buffer_size 128k;
		fastcgi_intercept_errors on;
		include fastcgi_params;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_pass unix:/run/php/php7.0-fpm.sock;
	}

	location ~* \.(css|js|png|jpg|jpeg|gif|ico)$ {
		expires 1w;
	}

	location ~ /\.ht {
	  deny all;
	 }
}

After editing (the edited parts are the added port 80 redirect block, the listen lines, and the three ssl_ lines):

server {
	server_name  kenc0ur.com;
	rewrite ^(.*) http://www.kenc0ur.com$1 permanent;
}

server {
       listen         80;
       listen    [::]:80;
       server_name    www.kenc0ur.com;
       return         301 https://$server_name$request_uri;
}

server {
	server_name www.kenc0ur.com;
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	ssl_certificate /etc/letsencrypt/live/kenc0ur.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/kenc0ur.com/privkey.pem;
	ssl_dhparam  /etc/ssl/certs/dhparam.pem;
	root /var/www/www.kenc0ur.com;
	index index.html index.htm index.nginx-debian.html index.php;
	location / {
		try_files $uri $uri/ /index.php?q=$uri&$args;
	}

	location ~ \.php$ {
		include /etc/nginx/fastcgi_params;
		include snippets/fastcgi-php.conf;
		fastcgi_buffers 8 256k;
		fastcgi_buffer_size 128k;
		fastcgi_intercept_errors on;
		include fastcgi_params;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_pass unix:/run/php/php7.0-fpm.sock;
	}

	location ~* \.(css|js|png|jpg|jpeg|gif|ico)$ {
		expires 1w;
	}

	location ~ /\.ht {
	  deny all;
	 }
}

5. Edit File nginx.conf

nano /etc/nginx/nginx.conf

Find the line ssl_prefer_server_ciphers on; and add this code below it:

ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_session_cache shared:SSL:5m;
ssl_session_timeout 1h;

6. Restart Nginx

service nginx restart
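
The cipher list added in step 5 still offers 3DES suites (64-bit block cipher) and static RSA key exchange, which has no forward secrecy. The check below is an added example, not part of the original tutorial: audit_ssl_ciphers is a hypothetical helper that lists every such token an nginx ssl_ciphers directive still offers, run here on a constructed sample holding the step 5 line.

```shell
#!/bin/sh
# Added example (not from the original tutorial).
# audit_ssl_ciphers is a hypothetical helper: it reads an nginx config file and
# prints one finding per line, "<class> <token>", for every cipher token that
# the ssl_ciphers directive still offers. It prints nothing for a clean list.
audit_ssl_ciphers() {
    # Extract the value of each ssl_ciphers directive, one token per line.
    sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$1" |
    tr -d "\"'" | tr ':' '\n' |
    while IFS= read -r token; do
        case $token in
            ''|'!'*|'-'*) continue ;;   # "!X" and "-X" remove suites; not offered
        esac
        case $token in
            *3DES*|*DES*|*RC4*|*MD5*|*NULL*|*EXP*)
                echo "weak $token" ;;
        esac
        case $token in
            RSA|RSA+*|kRSA|kRSA+*)      # static RSA key exchange
                echo "no-forward-secrecy $token" ;;
        esac
    done
}

# Constructed sample input: the ssl_ciphers line from step 5 of this tutorial.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_session_cache shared:SSL:5m;
EOF
audit_ssl_ciphers "$sample"
rm -f "$sample"
```

Removing the four RSA+ and 3DES tokens from the list clears every finding, at the cost of dropping very old clients that support neither ECDHE nor AES.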

How to Set Up GeoIP with Nginx on Ubuntu 16.04 (DigitalOcean VPS)

Check whether Nginx already supports GeoIP

nginx -V

The output looks roughly like this:

root@server1:~# nginx -V
nginx version: nginx/1.10.0 (Ubuntu)
built with OpenSSL 1.0.2g-fips 1 Mar 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads

If the output contains --with-http_geoip_module, GeoIP is already supported; continue.

Download GeoIP database

mkdir /etc/nginx/geoip
cd /etc/nginx/geoip
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
gunzip GeoIP.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
gunzip GeoLiteCity.dat.gz

Configure Nginx

nano /etc/nginx/nginx.conf

Add the geoip_country and geoip_city lines shown below inside the http {…} block:

[...]
http {

 ##
 # Basic Settings
 ##

 geoip_country /etc/nginx/geoip/GeoIP.dat; # the country IP database
 geoip_city /etc/nginx/geoip/GeoLiteCity.dat; # the city IP database
[...]

Edit fastcgi_params:

nano /etc/nginx/fastcgi_params

Add this code:

### SET GEOIP Variables ###
fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
fastcgi_param GEOIP_COUNTRY_CODE3 $geoip_country_code3;
fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;

fastcgi_param GEOIP_CITY_COUNTRY_CODE $geoip_city_country_code;
fastcgi_param GEOIP_CITY_COUNTRY_CODE3 $geoip_city_country_code3;
fastcgi_param GEOIP_CITY_COUNTRY_NAME $geoip_city_country_name;
fastcgi_param GEOIP_REGION $geoip_region;
fastcgi_param GEOIP_CITY $geoip_city;
fastcgi_param GEOIP_POSTAL_CODE $geoip_postal_code;
fastcgi_param GEOIP_CITY_CONTINENT_CODE $geoip_city_continent_code;
fastcgi_param GEOIP_LATITUDE $geoip_latitude;
fastcgi_param GEOIP_LONGITUDE $geoip_longitude;

Edit the vhost for your domain (namadomainkamu is a placeholder):

nano /etc/nginx/sites-available/namadomainkamu

Edit the location ~ \.php$ { … } block so that it includes fastcgi_params, like this:

[...]
location ~ \.php$ {
include /etc/nginx/fastcgi_params;

[...]

Reload Nginx and restart php-fpm

service nginx reload
service php7.0-fpm restart

GeoIP is now ready to use.

Usage and a sample test script

<html>
<body>
<?php

// The variable names must be quoted strings; bare constants fail on PHP 8.
$geoip_country_code = getenv('GEOIP_COUNTRY_CODE');
/*
$geoip_country_code = $_SERVER['GEOIP_COUNTRY_CODE']; // works as well
*/
$geoip_country_code3 = getenv('GEOIP_COUNTRY_CODE3');
$geoip_country_name = getenv('GEOIP_COUNTRY_NAME');

$geoip_city_country_code = getenv('GEOIP_CITY_COUNTRY_CODE');
$geoip_city_country_code3 = getenv('GEOIP_CITY_COUNTRY_CODE3');
$geoip_city_country_name = getenv('GEOIP_CITY_COUNTRY_NAME');
$geoip_region = getenv('GEOIP_REGION');
$geoip_city = getenv('GEOIP_CITY');
$geoip_postal_code = getenv('GEOIP_POSTAL_CODE');
$geoip_city_continent_code = getenv('GEOIP_CITY_CONTINENT_CODE');
$geoip_latitude = getenv('GEOIP_LATITUDE');
$geoip_longitude = getenv('GEOIP_LONGITUDE');

echo 'country_code: '.$geoip_country_code.'<br>';
echo 'country_code3: '.$geoip_country_code3.'<br>';
echo 'country_name: '.$geoip_country_name.'<br>';

echo 'city_country_code: '.$geoip_city_country_code.'<br>';
echo 'city_country_code3: '.$geoip_city_country_code3.'<br>';
echo 'city_country_name: '.$geoip_city_country_name.'<br>';
echo 'region: '.$geoip_region.'<br>';
echo 'city: '.$geoip_city.'<br>';
echo 'postal_code: '.$geoip_postal_code.'<br>';
echo 'city_continent_code: '.$geoip_city_continent_code.'<br>';
echo 'latitude: '.$geoip_latitude.'<br>';
echo 'longitude: '.$geoip_longitude.'<br>';

?>
</body>
</html>

LEMP Configuration (Linux Ubuntu 16.04 + Nginx + MySQL 5.7 + PHP 7)

LEMP stands for Linux, Nginx (pronounced Engine X), MySQL, PHP.

Install MySQL 5.7

apt-get -y install mysql-server mysql-client

To secure the database server and remove the anonymous user and test database, run the mysql_secure_installation command.

mysql_secure_installation

Enter password for user root: <-- enter the password
Would you like to setup VALIDATE PASSWORD plugin? <-- y to enable this feature, or Enter to skip it
Change the password for root ? <-- ENTER
Remove anonymous users? <-- y
Disallow root login remotely? <-- y
Remove test database and access to it? <-- y
Reload privilege tables now? <-- y

Install Nginx

apt-get -y install nginx

Start nginx

service nginx start

Install PHP 7.0

apt-get -y install php7.0-fpm

Configure Nginx

nano /etc/nginx/sites-available/namadomain.com

Default vhost for a site that uses www:

server {
    server_name  namadomain.com;
    rewrite ^(.*) http://www.namadomain.com$1 permanent;
}

server {
 server_name www.namadomain.com;
 listen 80;
 listen [::]:80;
 root /var/www/namadomain.com;
 index index.html index.htm index.nginx-debian.html index.php;
 location / {
 try_files $uri $uri/ /index.php?q=$uri&$args;
 }
 location ~ \.php$ {
 include snippets/fastcgi-php.conf;
 fastcgi_buffers 8 256k;
 fastcgi_buffer_size 128k;
 fastcgi_intercept_errors on;
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_pass unix:/run/php/php7.0-fpm.sock;
 }
 location ~ /\.ht {
  deny all;
 }
}

Create the symlink:

ln -s /etc/nginx/sites-available/namadomain.com /etc/nginx/sites-enabled/

Reload nginx

service nginx reload

Edit /etc/php/7.0/fpm/php.ini

nano /etc/php/7.0/fpm/php.ini

Set cgi.fix_pathinfo to 0 and uncomment the line:

[...]
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is.  For more information on PATH_INFO, see the cgi specs.  Setting
; this to 1 will cause PHP CGI to fix its paths to conform to the spec.  A setting
; of zero causes PHP to behave as before.  Default is 1.  You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
; http://php.net/cgi.fix-pathinfo
cgi.fix_pathinfo=0
[...]

Reload php-fpm

service php7.0-fpm reload
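
The php.ini step above only takes effect if the line is also uncommented; with the default of 1, PHP falls back to a parent path when the requested script does not exist. The check below is an added example, not part of the original tutorial: effective_fix_pathinfo and fix_pathinfo_is_off are hypothetical helpers that report the value PHP will actually use, run here on a constructed php.ini fragment.

```shell
#!/bin/sh
# Added example (not from the original tutorial).
# effective_fix_pathinfo is a hypothetical helper: it prints the value of
# cgi.fix_pathinfo that PHP will use from the given php.ini.
effective_fix_pathinfo() {
    awk '
        /^[ \t]*;/ { next }                     # still commented out: no effect
        /^[ \t]*cgi\.fix_pathinfo[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)         # drop "name ="
            sub(/[ \t]*;.*$/, "", v)            # drop a trailing comment
            sub(/[ \t]+$/, "", v)               # drop trailing blanks
            gsub(/"/, "", v)
            val = v                             # the last assignment wins
        }
        END { print (val == "" ? "1" : val) }   # PHP default is 1
    ' "$1"
}

# Returns 0 only when the setting from this tutorial is really in effect.
fix_pathinfo_is_off() {
    [ "$(effective_fix_pathinfo "$1")" = "0" ]
}

# Constructed sample: the value was changed to 0 but the line is still commented.
sample=$(mktemp)
printf '%s\n' '[PHP]' '; http://php.net/cgi.fix-pathinfo' ';cgi.fix_pathinfo=0' > "$sample"
if fix_pathinfo_is_off "$sample"; then
    echo "cgi.fix_pathinfo=0 is active"
else
    echo "cgi.fix_pathinfo is still $(effective_fix_pathinfo "$sample")"
fi
rm -f "$sample"
```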

Getting MySQL Support in PHP 7

Get MySQL support in PHP 7, plus several other modules:

apt-get -y install php7.0-fpm php7.0-common php7.0-mysql php-apcu php7.0-gd php7.0-curl php7.0-zip php7.0-json php7.0-xml php7.0-xmlrpc

Other modules can be listed with the command:

apt-cache search php7.0

Install PHPMyAdmin

Command to install phpMyAdmin on Ubuntu:

apt-get update
apt-get install phpmyadmin

Change to the web directory, for example:

cd /var/www/namadomain.com/

then create a shortcut:

ln -s /usr/share/phpmyadmin

phpMyAdmin can then be accessed at namadomain.com/phpmyadmin/

How to Install and Configure Nginx, MySQL, and PHP 5 on Ubuntu

Set up the firewall first:

ufw allow ssh
ufw allow http
ufw logging off
ufw enable

Install MySQL:

apt-get update
apt-get install mysql-server

Install PHP 5:

apt-get install php5-fpm php-pear php5-common php5-mysql php-apc php5-gd php5-curl

Edit /etc/php5/fpm/php.ini and add this at the bottom:

[apc]
apc.write_lock = 1
apc.slam_defense = 0

Edit /etc/php5/fpm/pool.d/www.conf
and find this line:

listen = /var/run/php5-fpm.sock

Below it, add:

listen.owner = nginx
listen.group = nginx
listen.mode = 0660

Then find these lines:

user = www-data
group = www-data

and replace them with:

user = nginx
group = nginx

Install Nginx:
Download signing key:

cd /tmp/
wget http://nginx.org/keys/nginx_signing.key
apt-key add /tmp/nginx_signing.key

Then run these commands:

echo "deb http://nginx.org/packages/ubuntu/ lucid nginx" >> /etc/apt/sources.list
echo "deb-src http://nginx.org/packages/ubuntu/ lucid nginx" >> /etc/apt/sources.list
apt-get update

Download and install nginx:

apt-get install nginx

Edit /etc/nginx/nginx.conf and add this code in the http section:

port_in_redirect off;
gzip  on;
gzip_types text/css text/xml text/javascript application/x-javascript;
gzip_vary on;

Change to the /etc/nginx/conf.d folder and create a new file, /etc/nginx/conf.d/drop, by running these commands:

cd /etc/nginx/conf.d
nano /etc/nginx/conf.d/drop

Fill the drop file with:

# Most sites won't have configured favicon or robots.txt
# and since it's always grabbed, turn it off in access log
# and turn off its not-found error in the error log
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
location = /apple-touch-icon.png { access_log off; log_not_found off; }
location = /apple-touch-icon-precomposed.png { access_log off; log_not_found off; }

# Rather than just denying .ht* in the config, why not deny
# access to all .invisible files
location ~ /\. { deny  all; access_log off; log_not_found off; }

Replace the file /etc/nginx/conf.d/default.conf with:
*the configuration below is for a site that uses www (redirects non-www to www)
**replace namadomain with your domain name

server {
    server_name  namadomain.com;
    rewrite ^(.*) http://www.namadomain.com$1 permanent;
}

server {
    ## Your website name goes here.
    server_name www.namadomain.com;
    ## Your only path reference.
    root /var/www/namadomain.com/;
    listen 80;
    ## This should be in your http block and if it is, it's not needed here.
    index index.html index.htm index.php;

    include conf.d/drop;

        location / {
                # This is cool because no php is touched for static content
			try_files $uri $uri/ /index.php?q=$uri&$args;
        }

        location ~ \.php$ {
            fastcgi_buffers 8 256k;
            fastcgi_buffer_size 128k;
            fastcgi_intercept_errors on;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
        }

        location ~* \.(css|js|png|jpg|jpeg|gif|ico)$ {
                expires 1w;
        }

}

Install PHPMyAdmin:

apt-get install phpmyadmin

Change to the web directory, for example:

cd /var/www/namadomain.com/

then create a shortcut:

ln -s /usr/share/phpmyadmin

CSS Code to Keep Long URL Text from Overflowing Its Area

Before: the long URL text overflows its area.

CSS code:

.nama-class {
  word-wrap: break-word;
}

Result:

After: the long URL no longer overflows.

CSS code that supports all browsers:

-ms-word-break: break-all;

/* Be VERY careful with this, breaks normal words wh_erever */
word-break: break-all;

/* Non standard for webkit */
word-break: break-word;

-webkit-hyphens: auto;
-moz-hyphens: auto;
hyphens: auto;

The CSS above supports: Internet Explorer 8+, Firefox 6+, iOS 4.2, Safari 5.1+ and Chrome 13+

How to Install ElasticSearch on Ubuntu

Install the headless Java JRE. If you forget the package name, search for it with:

apt-cache search jre

Then install:

apt-get install openjdk-7-jre-headless

Download ElasticSearch from http://www.elasticsearch.org/overview/elkdownloads/

wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.2.1.deb

Install the file you just downloaded:

dpkg -i elasticsearch-1.2.1.deb

Test whether ElasticSearch is installed correctly:

curl -XGET localhost:9200

*Additional note:
How to start elasticsearch:

sudo /etc/init.d/elasticsearch start