How to Enable TLS 1.3 in Apache and Nginx


TLS 1.3 is the latest version of the Transport Layer Security (TLS) protocol. It builds on the existing TLS 1.2 specification and is a proper IETF standard, RFC 8446. It offers stronger security and better performance than its predecessors.

In this article we walk you step by step through obtaining a valid TLS certificate and enabling the latest protocol version, TLS 1.3, for a domain hosted on the Apache or Nginx web server.

Requirements

  • Apache version 2.4.37 or later.
  • Nginx version 1.13.0 or later.
  • OpenSSL version 1.1.1 or later.
  • A valid domain name with correctly configured DNS records.
  • A valid TLS certificate.

Install a TLS Certificate from Let's Encrypt

To obtain a free SSL certificate from Let's Encrypt, install the acme.sh client together with a few packages it needs on your Linux system, as shown.

# apt install -y socat git  [On Debian/Ubuntu]
# dnf install -y socat git  [On RHEL/CentOS/Fedora]
# mkdir /etc/letsencrypt
# git clone https://github.com/Neilpang/acme.sh.git
# cd acme.sh
# ./acme.sh --install --home /etc/letsencrypt --accountemail you@example.com  [replace with your own e-mail address]
# cd ~
# /etc/letsencrypt/acme.sh --issue --standalone --home /etc/letsencrypt -d example.com --ocsp-must-staple --keylength 2048  [RSA certificate, stored under /etc/letsencrypt/example.com/; --standalone answers the challenge on port 80, so that port must be free]
# /etc/letsencrypt/acme.sh --issue --standalone --home /etc/letsencrypt -d example.com --ocsp-must-staple --keylength ec-256  [ECDSA certificate, stored under /etc/letsencrypt/example.com_ecc/]

NOTE: Replace example.com in the commands above with your real domain name.

Once the SSL certificate is installed, you can go on to enable TLS 1.3 for your domain as explained below.

Enable TLS 1.3 on Nginx

As mentioned in the requirements above, TLS 1.3 is supported from Nginx version 1.13 onwards. If you are running an older Nginx version, you first need to upgrade to the latest release.

# apt install nginx  [On Debian/Ubuntu]
# yum install nginx  [On RHEL/CentOS/Fedora]

Check the Nginx version and the OpenSSL version Nginx was built with (make sure the nginx version is at least 1.14 and the OpenSSL version at least 1.1.1).

# nginx -V
nginx version: nginx/1.14.1
built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC) 
built with OpenSSL 1.1.1 FIPS  11 Sep 2018
TLS SNI support enabled
....
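The version check above is easy to get wrong by eye (an OpenSSL 1.0.2 build, for instance, will never negotiate TLS 1.3 no matter what the configuration says). The following script is an added example, not part of the original article: it parses `nginx -V` output and checks it against the requirements listed earlier. The function names and the two sample outputs are constructed for this example; the first sample mirrors the listing above.

```shell
#!/bin/sh
# Added example, not part of the original article: parse the output of
# `nginx -V` and check it against the requirements listed above
# (nginx >= 1.13.0 built with OpenSSL >= 1.1.1). Real usage on a server:
#   nginx -V 2>&1 | tls13_build_ok && echo "build can speak TLS 1.3"

# version_ge A B : succeeds when dotted version A is >= B (compares up to
# three numeric components; a suffix such as the "k" in 1.1.1k is ignored)
version_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { a1 = $1 + 0; a2 = $2 + 0; a3 = $3 + 0 }
        NR == 2 { b1 = $1 + 0; b2 = $2 + 0; b3 = $3 + 0 }
        END {
            if (a1 != b1) exit ((a1 > b1) ? 0 : 1)
            if (a2 != b2) exit ((a2 > b2) ? 0 : 1)
            exit ((a3 >= b3) ? 0 : 1)
        }'
}

# tls13_build_ok : reads `nginx -V` output from stdin; reports problems on
# stderr; returns 0 when both versions are new enough, 1 when one is too
# old, 2 when the versions could not be parsed at all
tls13_build_ok() {
    out=$(cat)
    nginx_ver=$(printf '%s\n' "$out" | sed -n 's#^nginx version: nginx/\([0-9.]*\).*#\1#p')
    ssl_ver=$(printf '%s\n' "$out" | sed -n 's#^built with OpenSSL \([0-9][0-9.a-z]*\).*#\1#p')
    if [ -z "$nginx_ver" ] || [ -z "$ssl_ver" ]; then
        echo "could not find nginx/OpenSSL versions in input" >&2
        return 2
    fi
    rc=0
    version_ge "$nginx_ver" 1.13.0 || { echo "nginx $nginx_ver is too old, need >= 1.13.0" >&2; rc=1; }
    version_ge "$ssl_ver" 1.1.1   || { echo "OpenSSL $ssl_ver has no TLS 1.3, need >= 1.1.1" >&2; rc=1; }
    return $rc
}

# Constructed sample outputs: the first mirrors the article's listing, the
# second is an older build that cannot do TLS 1.3
SAMPLE_OK='nginx version: nginx/1.14.1
built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC)
built with OpenSSL 1.1.1 FIPS  11 Sep 2018
TLS SNI support enabled'
SAMPLE_OLD='nginx version: nginx/1.12.2
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled'

for sample in "$SAMPLE_OK" "$SAMPLE_OLD"; do
    if printf '%s\n' "$sample" | tls13_build_ok; then
        echo "OK: TLS 1.3 capable build"
    else
        echo "NOT OK: upgrade before enabling TLS 1.3"
    fi
done
```

The check looks only at the "built with OpenSSL" line; on distributions that ship a newer OpenSSL than the one nginx was compiled against, `nginx -V` also prints a "running with OpenSSL" note, and it is the running library that decides whether TLS 1.3 is available.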

Now start, enable and verify the Nginx installation.

# systemctl start nginx.service
# systemctl enable nginx.service
# systemctl status nginx.service

Now open the Nginx vhost configuration file /etc/nginx/conf.d/example.com.conf with your favourite editor.

# vi /etc/nginx/conf.d/example.com.conf

then find the ssl_protocols directive and append TLSv1.3 at the end of the line, as shown below.

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name example.com;

  # RSA
  ssl_certificate /etc/letsencrypt/example.com/fullchain.cer;
  ssl_certificate_key /etc/letsencrypt/example.com/example.com.key;
  # ECDSA
  ssl_certificate /etc/letsencrypt/example.com_ecc/fullchain.cer;
  ssl_certificate_key /etc/letsencrypt/example.com_ecc/example.com.key;

  ssl_protocols TLSv1.2 TLSv1.3;
  # This list governs TLS 1.2 only; TLS 1.3 uses its own suites (TLS_AES_*, TLS_CHACHA20_*) chosen by OpenSSL
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  ssl_prefer_server_ciphers on;

  # The certificates above were issued with --ocsp-must-staple, so stapling
  # must be on, otherwise browsers that honour the extension refuse to connect
  ssl_stapling on;
  ssl_stapling_verify on;
}

Finally, check the configuration and reload Nginx.

# nginx -t
# systemctl reload nginx.service

Enable TLS 1.3 in Apache

Starting with Apache 2.4.37 you can take advantage of TLS 1.3. If you are running an older Apache version, you first need to upgrade to the latest release.

# apt install apache2  [On Debian/Ubuntu]
# yum install httpd    [On RHEL/CentOS/Fedora]

Once it is installed, you can check the Apache version and the OpenSSL version Apache was built with.

# httpd -V
# openssl version

Now start, enable and verify the Apache installation.

-------------- On Debian/Ubuntu -------------- 
# systemctl start apache2.service
# systemctl enable apache2.service
# systemctl status apache2.service

-------------- On RHEL/CentOS/Fedora --------------
# systemctl start httpd.service
# systemctl enable httpd.service
# systemctl status httpd.service

Now open the Apache virtual host configuration file with your favourite editor.

-------------- On RHEL/CentOS/Fedora --------------
# vi /etc/httpd/conf.d/vhost.conf

-------------- On Debian/Ubuntu --------------
# vi /etc/apache2/apache2.conf

then find the SSLProtocol directive and append +TLSv1.3 at the end of the line, as shown below.

<VirtualHost *:443>
    SSLEngine On

    # RSA certificate and key (paths as written by the acme.sh commands above)
    SSLCertificateFile /etc/letsencrypt/example.com/fullchain.cer
    SSLCertificateKeyFile /etc/letsencrypt/example.com/example.com.key
    # ECDSA certificate and key (Apache 2.4.8 and later accept several pairs)
    SSLCertificateFile /etc/letsencrypt/example.com_ecc/fullchain.cer
    SSLCertificateKeyFile /etc/letsencrypt/example.com_ecc/example.com.key
    # Alternative layout with separate leaf, key and chain files
    # (use one set of paths only, not both):
    #SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    #SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    #SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # This list governs TLS 1.2 only; TLS 1.3 uses its own suites (TLS_AES_*, TLS_CHACHA20_*) chosen by OpenSSL
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on

    # The certificates were issued with --ocsp-must-staple, so stapling has to
    # be on; SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" must also be set
    # once in the global server context (outside any VirtualHost)
    SSLUseStapling on

    # replace with your own e-mail address
    ServerAdmin you@example.com
    ServerName www.example.com
    ServerAlias example.com
    #DocumentRoot /data/httpd/htdocs/example.com/
    DocumentRoot /data/httpd/htdocs/example_hueman/

    # Log file locations
    LogLevel warn
    ErrorLog  /var/log/httpd/example.com/httpserror.log
    CustomLog "|/usr/sbin/rotatelogs /var/log/httpd/example.com/httpsaccess.log.%Y-%m-%d 86400" combined
</VirtualHost>
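Both server blocks above hinge on a single directive, `ssl_protocols` for Nginx and `SSLProtocol` for Apache, and a slip there (forgetting TLSv1.3, or leaving `all` in place so that TLSv1 and TLSv1.1 stay enabled) is easy to miss. The script below is an added example, not part of the original article or of either project: it audits that directive in a vhost file for both syntaxes. The function names and the three sample vhost fragments are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the protocol
# directive of an Nginx server block or an Apache <VirtualHost> block and
# report whether TLSv1.3 is on and the legacy protocols (SSLv3, TLSv1,
# TLSv1.1) are off. Handles nginx's plain list ("ssl_protocols TLSv1.2
# TLSv1.3;") and Apache's +/-/all syntax ("SSLProtocol -all +TLSv1.2 +TLSv1.3").

# audit_tls_config FILE : returns 0 when the policy holds, 1 when it does
# not, 2 when no protocol directive was found. Only the first directive in
# the file is examined, so point it at one vhost file at a time.
audit_tls_config() {
    file=$1
    line=$(grep -iE '^[[:space:]]*(ssl_protocols|SSLProtocol)[[:space:]]' "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo "$file: no ssl_protocols/SSLProtocol directive found" >&2
        return 2
    fi
    # drop the directive name, a trailing ';' and any comment, leaving the tokens
    protos=$(printf '%s\n' "$line" | sed -e 's/#.*//' -e 's/;.*//' -e 's/^[[:space:]]*[A-Za-z_]*//')

    sslv3=off; tls10=off; tls11=off; tls12=off; tls13=off
    for tok in $protos; do
        case $tok in
            -*) val=off; name=${tok#-} ;;
            +*) val=on;  name=${tok#+} ;;
            *)  val=on;  name=$tok ;;
        esac
        # Apache applies the tokens left to right, so "all -SSLv3" enables
        # everything the OpenSSL build offers and then removes SSLv3 again
        case $name in
            all|ALL)  sslv3=$val; tls10=$val; tls11=$val; tls12=$val; tls13=$val ;;
            SSLv3)    sslv3=$val ;;
            TLSv1)    tls10=$val ;;
            TLSv1.1)  tls11=$val ;;
            TLSv1.2)  tls12=$val ;;
            TLSv1.3)  tls13=$val ;;
            *) echo "$file: unknown protocol token '$tok'" >&2 ;;
        esac
    done

    rc=0
    if [ "$tls13" != on ]; then
        echo "$file: TLSv1.3 is not enabled (directive:$line)" >&2
        rc=1
    fi
    if [ "$sslv3" = on ] || [ "$tls10" = on ] || [ "$tls11" = on ]; then
        echo "$file: legacy protocols still enabled (SSLv3=$sslv3 TLSv1=$tls10 TLSv1.1=$tls11)" >&2
        rc=1
    fi
    return $rc
}

# write_samples DIR : writes three constructed vhost fragments into DIR
write_samples() {
    cat > "$1/nginx-good.conf" <<'EOF'
server {
  listen 443 ssl http2;
  ssl_protocols TLSv1.2 TLSv1.3;
}
EOF
    cat > "$1/apache-good.conf" <<'EOF'
<VirtualHost *:443>
  SSLEngine On
  SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
EOF
    cat > "$1/apache-legacy.conf" <<'EOF'
<VirtualHost *:443>
  SSLEngine On
  # "all" also switches on TLSv1 and TLSv1.1, which the audit should flag
  SSLProtocol all -SSLv3
</VirtualHost>
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/*.conf; do
    if audit_tls_config "$f"; then echo "PASS $f"; else echo "FAIL $f"; fi
done
rm -rf "$tmp"
```

Run it against the real files after editing them (`audit_tls_config /etc/nginx/conf.d/example.com.conf` or the Apache vhost file); it is a static check of the directive only, so it complements rather than replaces `nginx -t` / `httpd -t` and a live handshake test.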

Finally, check the configuration and reload Apache.

-------------- On Debian/Ubuntu --------------
# apache2ctl -t
# systemctl reload apache2.service

-------------- On RHEL/CentOS/Fedora --------------
# httpd -t
# systemctl reload httpd.service

Verify That the Site Is Using TLS 1.3

Once your web server is configured, you can check that your site negotiates TLS 1.3 with the Chrome browser developer tools, on Chrome version 70 or later.
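The browser check above is a one-off by hand; on a server you will usually want the same answer from the command line, for example in a post-deploy script or a monitoring job. The following is an added example, not part of the original article: it wraps `openssl s_client`, which prints a session summary after the handshake, and parses that summary. The function names and the two sample transcripts are constructed for this example (the real command to feed them is shown in the comments).

```shell
#!/bin/sh
# Added example, not part of the original article: a command-line
# counterpart to the Chrome check, built on `openssl s_client`. Real usage:
#   openssl s_client -connect example.com:443 -servername example.com \
#       </dev/null 2>/dev/null | negotiated_protocol
# Forcing the version is an even blunter check: `openssl s_client -tls1_3 ...`
# fails to connect at all when the server does not offer TLS 1.3.

# negotiated_protocol : reads s_client output on stdin, prints the version
# the server chose ("TLSv1.3", "TLSv1.2", ...); returns 1 if no session
# summary line ("Protocol  : TLSv1.3") is present, e.g. the handshake failed
negotiated_protocol() {
    p=$(sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*\([A-Za-z0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$p" ] || return 1
    printf '%s\n' "$p"
}

# negotiated_cipher : same idea for the "Cipher    : ..." summary line; TLS 1.3
# suites are named TLS_AES_* / TLS_CHACHA20_*, unlike the ECDHE-* names of 1.2
negotiated_cipher() {
    c=$(sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1)
    [ -n "$c" ] || return 1
    printf '%s\n' "$c"
}

# is_tls13 : succeeds only when stdin shows a completed TLS 1.3 handshake
is_tls13() {
    [ "$(negotiated_protocol)" = "TLSv1.3" ]
}

# Constructed sample transcripts in the shape OpenSSL 1.1.1's s_client prints
SAMPLE_TLS13='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'
SAMPLE_TLS12='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

for sample in "$SAMPLE_TLS13" "$SAMPLE_TLS12"; do
    proto=$(printf '%s\n' "$sample" | negotiated_protocol) || proto=none
    cipher=$(printf '%s\n' "$sample" | negotiated_cipher) || cipher=none
    if printf '%s\n' "$sample" | is_tls13; then
        echo "TLS 1.3 in use ($cipher)"
    else
        echo "TLS 1.3 NOT in use: server negotiated $proto ($cipher)"
    fi
done
```

Pass `-servername` so that the right certificate is selected on a host that serves several names; without it the server may answer with a default vhost whose protocol settings differ from the one you just edited.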

That's all. You have successfully enabled the TLS 1.3 protocol for your domain hosted on the Apache or Nginx web server. If you have any questions about this article, feel free to ask in the comments section below.