2018年10月3日 星期三

LINE BOT 匯率提醒機器人(2/3) - 使用GCP架設HTTPS server

前情提要


前一篇文章 LINE BOT 匯率提醒機器人(1/3) - 使用GCP架設Linux server 說明如何使用GCP架設一台Linux server, 但是LINE BOT是需要透過HTTPS協定進行資料傳輸的, 本篇將說明怎麼架設HTTPS server

開發重點

  1. 使用GCP服務中的GCE(Google Compute Engine)建立一台Linux server
  2. 使用GCE服務架設網站server, 網站server使用Apache架設
  3. 加入HTTPS支援 - 使用Let’s Encrypt免費SSL憑證
  4. 註冊LINE developers, 並申請LINE messaging API
  5. 使用PHP + SQLite實作LINE Bot傳送匯率到LINE群組的頻道上

使用GCP架設HTTPS server - GCP & GCE固定IP設定


由於LINE BOT需要透過IP與Linux server連線, 但GCP建立出來的GCE預設是採用浮動IP設計會造成些麻煩, 因此我們先將浮動IP改為固定IP
  1. 開啟「VPC網路」中的「外部IP位置」
  2. 將instance-1使用到的IP由臨時改為靜態

  3. 設定完成, 收工~

使用GCP架設HTTPS server - 準備domain name


此處筆者使用過去在GoDaddy購買的DNS服務設定對應的domain name, 請讀者自行根據自己的DNS廠商提供的方式設定DNS type A對應到固定IP
  1. 將DNS type A對應到固定IP

  2. Ping domain name看看, 看是否能正常ping到
  3. 收工~ 之後不需要再用IP進行連線, 只要用domain name連線即可
注意: DNS設定完後不一定馬上生效, 適情況可能會需要等待30min以上

使用GCP架設HTTPS server - HTTP服務架設


固定IP與domain name準備好後即可開始架設HTTP伺服器, 此處以apache為範例進行架設
  1. 連線到Linux server
    #使用ssh連線到Linux server shiun@Shiun:~$ ssh shiun@linebottest.alenshiun.tw The authenticity of host 'linebottest.alenshiun.tw (35.237.204.103)' can't be established. ECDSA key fingerprint is SHA256:gUSzeVS5z+RYQeJKtFQDX45EF5sGmIek7jMP6SXTNaM. # 回答yes Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'linebottest.alenshiun.tw' (ECDSA) to the list of known hosts. Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-1021-gcp x86_64) ... ... Last login: Wed Oct 3 14:23:39 2018 from 118.167.72.55 shiun@instance-1:~$
  2. 更新apt-get的套件資訊, 確保等等下載的套件為最新套件
    #更新apt-get資訊 shiun@instance-1:~$ sudo apt-get update
  3. 使用apt-get進行Ubuntu套件更新
    #進行upgrade shiun@instance-1:~$ sudo apt-get upgrade #upgrade結束後執行dist-upgrade shiun@instance-1:~$ sudo apt-get dist-upgrade
  4. 重開機, 確保重開機後機器不會掛掉............... (筆者過去中招太多次.........
    shiun@instance-1:~$ sudo reboot
  5. 下載apache套件
    shiun@instance-1:~$ sudo apt-get install apache2 Reading package lists... Done Building dependency tree ... ... ... #請輸入y Do you want to continue? [Y/n] y ... ... ...
  6. 使用瀏覽器檢查 http://linebottest.alenshiun.tw (請換成讀者的網址)是否能連線成功

使用GCP架設HTTPS server - 設定HTTP server


HTTP服務架設完後我們會看到上圖的Apache2 Ubuntu Default Page代表架設成功, 但是實務上我們會讓domain name連結到專案的網頁, 因此我們需要改變一下apache的設定
當使用者在網址上輸入 http://linebottest.alenshiun.tw 時會被導向一個顯示以下訊息的頁面

LINE BOT TEST Work!
  1. 建立專案的網頁目錄/var/www/linebottest/web
    shiun@instance-1:~$ sudo mkdir -p /var/www/linebottest/web
  2. 移動到專案的網頁目錄/var/www/linebottest/web
    shiun@instance-1:~$ cd /var/www/linebottest/web
  3. 建立預設頁面index.html
    shiun@instance-1:/var/www/linebottest/web$ sudo vi index.html #輸入LINE BOT TEST Work!並存檔離開 LINE BOT TEST Work!
  4. 移動到apache設定目錄/etc/apache2/sites-available
    shiun@instance-1:~$ cd /etc/apache2/sites-available/
  5. 新增linebottest.conf, 檔案內容如下
    shiun@instance-1:/etc/apache2/sites-available$ sudo vi linebottest.conf <VirtualHost *:80> ServerName linebottest.alenshiun.tw ServerAdmin webmaster@localhost DocumentRoot /var/www/linebottest/web <Directory /var/www/linebottest/web> Options FollowSymLinks Order allow,deny Allow from all AllowOverride all </Directory> </VirtualHost>
  6. 建立/etc/apache2/sites-available/linebottest.conf到/etc/apache2/sites-enabled的連結(捷徑)
    shiun@instance-1:$ sudo ln -s /etc/apache2/sites-available/linebottest.conf \ /etc/apache2/sites-enabled/linebottest.conf
  7. 檢查連結(捷徑)是否建立成功
    shiun@instance-1:/etc/apache2/sites-available$ ls -l /etc/apache2/sites-enabled/ total 0 lrwxrwxrwx 1 root root 35 Oct 3 04:44 000-default.conf -&gt ../sites-available/000-default.conf lrwxrwxrwx 1 root root 45 Oct 3 14:58 linebottest.conf -&gt /etc/apache2/sites-available/linebottest.conf # 建立連結成功的話就會顯示此行: linebottest.conf -&gt /etc/apache2/sites-available/linebottest.conf
  8. 重新啟動apache
    shiun@instance-1:$ sudo service apache2 restart
  9. 使用瀏覽器檢查 http://linebottest.alenshiun.tw , 顯示結果應如下圖所示

使用GCP架設HTTPS server - 設定HTTPS


為什麼會需要開啟HTTPS?

  • 傳輸有加密保證
  • 確認傳輸的目的地是合法而不是被偽造的
  • 由於LINE BOT使用到的LINE message API限制連線一定要是HTTPS

因此我們需要開啟HTTPS功能, Apache上提供SSL憑證設定功能, 我們只需要取得SSL憑證並設定上去即可

但是, 過去SSL憑證是必需要花錢買, 且價格不斐, 但近年來有個組職名為Let’s Encrypt提供免費的SSL憑證, 我們透過安裝Let’s Encrypt的憑證啟動HTTPS服務

注意: Let’s Encrypt會檢查domain name對應到的HTTP必須在80 port, HTTPS必須在443 port, 如果讀者是自訂port的請先改回80和443完成驗證後再進行port自訂

  1. 安裝Let’s Encrypt Apache SSL憑證安裝程式相依套件
    shiun@instance-1:$ sudo apt-get install software-properties-common shiun@instance-1:$ sudo add-apt-repository ppa:certbot/certbot This is the PPA for packages prepared by Debian Let's Encrypt Team and backported for Ubuntu(s). More info: https://launchpad.net/~certbot/+archive/ubuntu/certbot #直接點擊鍵盤上的enter Press [ENTER] to continue or ctrl-c to cancel adding it gpg: keyring `/tmp/tmpqf0n3wow/secring.gpg' created gpg: keyring `/tmp/tmpqf0n3wow/pubring.gpg' created gpg: requesting key 75BCA694 from hkp server keyserver.ubuntu.com gpg: /tmp/tmpqf0n3wow/trustdb.gpg: trustdb created gpg: key 75BCA694: public key "Launchpad PPA for certbot" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) OK shiun@instance-1:$ sudo apt-get update
  2. 安裝Let’s Encrypt Apache SSL憑證安裝程式
    shiun@instance-1:$ sudo apt-get install python-certbot-apache
  3. 執行Let’s Encrypt Apache SSL憑證安裝程式
    shiun@instance-1:$ sudo certbot --apache Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator apache, Installer apache # 請輸入你的email Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): your_email@your_email.com Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # 輸入A (A)gree/(C)ancel: A - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # 輸入N (Y)es/(N)o: Which names would you like to activate HTTPS for? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: linebottest.alenshiun.tw - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate numbers separated by commas and/or spaces, or leave input # 選擇你的domain name, 正常情況下certbot會自動抓到正確的domain name blank to select all options shown (Enter 'c' to cancel): 1 Obtaining a new certificate Performing the following challenges: http-01 challenge for linebottest.alenshiun.tw Enabled Apache rewrite module Waiting for verification... Cleaning up challenges Created an SSL vhost at /etc/apache2/sites-available/linebottest-le-ssl.conf Enabled Apache socache_shmcb module Enabled Apache ssl module Deploying Certificate to VirtualHost /etc/apache2/sites-available/linebottest-le-ssl.conf Enabling available site: /etc/apache2/sites-available/linebottest-le-ssl.conf Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # 輸入2, 我們要強制把HTTP自動導向到HTTPS Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 Enabled Apache rewrite module Redirecting vhost in /etc/apache2/sites-enabled/linebottest.conf to ssl vhost in /etc/apache2/sites-available/linebottest-le-ssl.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations! You have successfully enabled https://linebottest.alenshiun.tw You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=linebottest.alenshiun.tw - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/linebottest.alenshiun.tw/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/linebottest.alenshiun.tw/privkey.pem Your cert will expire on 2019-01-01. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
  4. 使用瀏覽器檢查 http://linebottest.alenshiun.tw , 設定成功的話瀏覽器會自動導向https://linebottest.alenshiun.tw
以上步驟都結束後HTTPS server架設完成

參考資料

  1. LINE BOT 匯率提醒機器人(1/3) - 使用GCP架設Linux server
張貼者:
標籤: , ,

沒有留言:

張貼留言

訂閱: 張貼留言 (Atom)