前情提要
開發重點
- 使用GCP服務中的GCE(Google Compute Engine)建立一台Linux server
- 使用GCE服務架設網站server, 網站server使用Apache架設
- 加入HTTPS支援 - 使用Let’s Encrypt免費SSL憑證
- 註冊LINE developers, 並申請LINE messaging API
- 使用PHP + SQLite實作LINE Bot傳送匯率到LINE群組的頻道上
使用GCP架設HTTPS server - GCP & GCE固定IP設定
由於LINE BOT需要透過IP與Linux server連線, 但GCP建立出來的GCE預設是採用浮動IP設計會造成些麻煩, 因此我們先將浮動IP改為固定IP
- 開啟「VPC網路」中的「外部IP位置」
- 將instance-1使用到的IP由臨時改為靜態
- 設定完成, 收工~
使用GCP架設HTTPS server - 準備domain name
此處筆者使用過去在GoDaddy購買的DNS服務設定對應的domain name, 請讀者自行根據自己的DNS廠商提供的方式設定DNS type A對應到固定IP
- 將DNS type A對應到固定IP
- Ping domain name看看, 看是否能正常ping到
- 收工~ 之後不需要再用IP進行連線, 只要用domain name連線即可
注意: DNS設定完後不一定馬上生效, 適情況可能會需要等待30min以上
使用GCP架設HTTPS server - HTTP服務架設
固定IP與domain name準備好後即可開始架設HTTP伺服器, 此處以apache為範例進行架設
- 連線到Linux server
#使用ssh連線到Linux server
shiun@Shiun:~$ ssh shiun@linebottest.alenshiun.tw
The authenticity of host 'linebottest.alenshiun.tw (35.237.204.103)' can't be established.
ECDSA key fingerprint is SHA256:gUSzeVS5z+RYQeJKtFQDX45EF5sGmIek7jMP6SXTNaM.
# 回答yes
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'linebottest.alenshiun.tw' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-1021-gcp x86_64)
...
...
Last login: Wed Oct 3 14:23:39 2018 from 118.167.72.55
shiun@instance-1:~$
- 更新apt-get的套件資訊, 確保等等下載的套件為最新套件
#更新apt-get資訊
shiun@instance-1:~$ sudo apt-get update
- 使用apt-get進行Ubuntu套件更新
#進行upgrade
shiun@instance-1:~$ sudo apt-get upgrade
#upgrade結束後執行dist-upgrade
shiun@instance-1:~$ sudo apt-get dist-upgrade
- 重開機, 確保重開機後機器不會掛掉............... (筆者過去中招太多次.........
shiun@instance-1:~$ sudo reboot
- 下載apache套件
shiun@instance-1:~$ sudo apt-get install apache2
Reading package lists... Done
Building dependency tree
...
...
...
#請輸入y
Do you want to continue? [Y/n] y
...
...
...
- 使用瀏覽器檢查 http://linebottest.alenshiun.tw (請換成讀者的網址)是否能連線成功
使用GCP架設HTTPS server - 設定HTTP server
HTTP服務架設完後我們會看到上圖的Apache2 Ubuntu Default Page代表架設成功, 但是實務上我們會讓domain name連結到專案的網頁, 因此我們需要改變一下apache的設定
當使用者在網址上輸入 http://linebottest.alenshiun.tw 時會被導向一個顯示以下訊息的頁面
LINE BOT TEST Work!
- 建立專案的網頁目錄/var/www/linebottest/web
shiun@instance-1:~$ sudo mkdir -p /var/www/linebottest/web
- 移動到專案的網頁目錄/var/www/linebottest/web
shiun@instance-1:~$ cd /var/www/linebottest/web
- 建立預設頁面index.html
shiun@instance-1:/var/www/linebottest/web$ sudo vi index.html
#輸入LINE BOT TEST Work!並存檔離開
LINE BOT TEST Work!
- 移動到apache設定目錄/etc/apache2/sites-available
shiun@instance-1:~$ cd /etc/apache2/sites-available/
- 新增linebottest.conf, 檔案內容如下
shiun@instance-1:/etc/apache2/sites-available$ sudo vi linebottest.conf
<VirtualHost *:80>
ServerName linebottest.alenshiun.tw
ServerAdmin webmaster@localhost
DocumentRoot /var/www/linebottest/web
<Directory /var/www/linebottest/web>
Options FollowSymLinks
Order allow,deny
Allow from all
AllowOverride all
</Directory>
</VirtualHost>
- 建立/etc/apache2/sites-available/linebottest.conf到/etc/apache2/sites-enabled的連結(捷徑)
shiun@instance-1:$ sudo ln -s /etc/apache2/sites-available/linebottest.conf \
/etc/apache2/sites-enabled/linebottest.conf
- 檢查連結(捷徑)是否建立成功
shiun@instance-1:/etc/apache2/sites-available$ ls -l /etc/apache2/sites-enabled/
total 0
lrwxrwxrwx 1 root root 35 Oct 3 04:44 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root 45 Oct 3 14:58 linebottest.conf -> /etc/apache2/sites-available/linebottest.conf
# 建立連結成功的話就會顯示此行: linebottest.conf -> /etc/apache2/sites-available/linebottest.conf
- 重新啟動apache
shiun@instance-1:$ sudo service apache2 restart
- 使用瀏覽器檢查 http://linebottest.alenshiun.tw , 顯示結果應如下圖所示
使用GCP架設HTTPS server - 設定HTTPS
為什麼會需要開啟HTTPS?
- 傳輸有加密保證
- 確認傳輸的目的地是合法而不是被偽造的
- 由於LINE BOT使用到的LINE message API限制連線一定要是HTTPS
因此我們需要開啟HTTPS功能, Apache上提供SSL憑證設定功能, 我們只需要取得SSL憑證並設定上去即可
但是, 過去SSL憑證是必需要花錢買, 且價格不斐, 但近年來有個組職名為Let’s Encrypt提供免費的SSL憑證, 我們透過安裝Let’s Encrypt的憑證啟動HTTPS服務
注意: Let’s Encrypt會檢查domain name對應到的HTTP必須在80 port, HTTPS必須在443 port, 如果讀者是自訂port的請先改回80和443完成驗證後再進行port自訂
- 安裝Let’s Encrypt Apache SSL憑證安裝程式相依套件
shiun@instance-1:$ sudo apt-get install software-properties-common
shiun@instance-1:$ sudo add-apt-repository ppa:certbot/certbot
This is the PPA for packages prepared by Debian Let's Encrypt Team and backported for Ubuntu(s).
More info: https://launchpad.net/~certbot/+archive/ubuntu/certbot
#直接點擊鍵盤上的enter
Press [ENTER] to continue or ctrl-c to cancel adding it
gpg: keyring `/tmp/tmpqf0n3wow/secring.gpg' created
gpg: keyring `/tmp/tmpqf0n3wow/pubring.gpg' created
gpg: requesting key 75BCA694 from hkp server keyserver.ubuntu.com
gpg: /tmp/tmpqf0n3wow/trustdb.gpg: trustdb created
gpg: key 75BCA694: public key "Launchpad PPA for certbot" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
OK
shiun@instance-1:$ sudo apt-get update
- 安裝Let’s Encrypt Apache SSL憑證安裝程式
shiun@instance-1:$ sudo apt-get install python-certbot-apache
- 執行Let’s Encrypt Apache SSL憑證安裝程式
shiun@instance-1:$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
# 請輸入你的email
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): your_email@your_email.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# 輸入A
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# 輸入N
(Y)es/(N)o:
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: linebottest.alenshiun.tw
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
# 選擇你的domain name, 正常情況下certbot會自動抓到正確的domain name
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for linebottest.alenshiun.tw
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/linebottest-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/linebottest-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/linebottest-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# 輸入2, 我們要強制把HTTP自動導向到HTTPS
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/linebottest.conf to ssl vhost in /etc/apache2/sites-available/linebottest-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://linebottest.alenshiun.tw
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=linebottest.alenshiun.tw
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/linebottest.alenshiun.tw/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/linebottest.alenshiun.tw/privkey.pem
Your cert will expire on 2019-01-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
- 使用瀏覽器檢查 http://linebottest.alenshiun.tw , 設定成功的話瀏覽器會自動導向https://linebottest.alenshiun.tw