Bii o ṣe le Mu TLS 1.3 ṣiṣẹ ni Apache ati Nginx
TLS 1.3 jẹ ẹya tuntun ti ilana Ilana Transport Layer Security (TLS) ati pe o da lori awọn alaye ni pato 1.2 ti o wa pẹlu boṣewa IETF to dara: RFC 8446. O pese aabo ti o lagbara ati awọn ilọsiwaju iṣẹ giga julọ lori awọn ti o ṣaju rẹ.
Ninu àpilẹkọ yii, a yoo fi itọsọna itọsọna-igbesẹ kan han ọ lati gba ijẹrisi TLS ti o wulo ati mu ilana ilana TLS 1.3 tuntun ṣẹ lori agbegbe rẹ ti o gbalejo lori Apache tabi awọn olupin ayelujara Nginx.
- Ẹya Apache 2.4.37 tabi tobi julọ.
- Ẹya Nginx 1.13.0 tabi tobi julọ.
- Ẹya OpenSSL 1.1.1 tabi tobi julọ.
- Orukọ ašẹ ti o wulo pẹlu awọn igbasilẹ DNS ti a tunto ni titọ.
- Iwe-ẹri TLS ti o wulo.
Fi Ijẹrisi TLS sii lati Jẹ ki Encrypt
Lati gba Iwe-ẹri SSL ọfẹ lati Jẹ ki Encrypt, o nilo lati fi sori ẹrọ alabara Acme.sh ati tun awọn idii diẹ ti o nilo lori eto Linux bi o ti han.
# apt install -y socat git [On Debian/Ubuntu] # dnf install -y socat git [On RHEL/CentOS/Fedora] # mkdir /etc/letsencrypt # git clone https://github.com/Neilpang/acme.sh.git # cd acme.sh # ./acme.sh --install --home /etc/letsencrypt --accountemail [email # cd ~ # /etc/letsencrypt/acme.sh --issue --standalone --home /etc/letsencrypt -d example.com --ocsp-must-staple --keylength 2048 # /etc/letsencrypt/acme.sh --issue --standalone --home /etc/letsencrypt -d example.com --ocsp-must-staple --keylength ec-256
AKIYESI: Rọpo apẹẹrẹ.com
ninu aṣẹ ti o wa loke pẹlu orukọ agbegbe rẹ gidi.
Lọgan ti o ba ti fi sii ijẹrisi SSL, o le tẹsiwaju siwaju lati jẹki TLS 1.3 lori aaye rẹ bi a ti salaye ni isalẹ.
Jeki TLS 1.3 ṣiṣẹ lori Nginx
Gẹgẹbi Mo ti mẹnuba ninu awọn ibeere loke, pe TLS 1.3 ni atilẹyin bẹrẹ lati ẹya Nginx 1.13. Ti o ba n ṣiṣẹ ẹya Nginx agbalagba, o nilo lati ṣe igbesoke akọkọ si ẹya tuntun.
# apt install nginx # yum install nginx
Ṣayẹwo ẹya Nginx ati ẹya OpenSSL eyiti a kojọ Nginx (rii daju pe ẹya nginx jẹ o kere ju 1.14 ati ẹya openssl 1.1.1).
# nginx -V
nginx version: nginx/1.14.1 built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC) built with OpenSSL 1.1.1 FIPS 11 Sep 2018 TLS SNI support enabled ....
Bayi bẹrẹ, muu ṣiṣẹ ki o jẹrisi fifi sori ẹrọ nginx.
# systemctl start nginx.service # systemctl enable nginx.service # systemctl status nginx.service
Bayi ṣii iṣeto ni nginx vhost /etc/nginx/conf.d/example.com.conf
faili nipa lilo olootu ayanfẹ rẹ.
# vi /etc/nginx/conf.d/example.com.conf
ki o wa ssl_protocols
itọsọna ki o fi TLSv1.3 sii ni opin ila bi a ti han ni isalẹ
server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name example.com; # RSA ssl_certificate /etc/letsencrypt/example.com/fullchain.cer; ssl_certificate_key /etc/letsencrypt/example.com/example.com.key; # ECDSA ssl_certificate /etc/letsencrypt/example.com_ecc/fullchain.cer; ssl_certificate_key /etc/letsencrypt/example.com_ecc/example.com.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; }
Lakotan, ṣayẹwo iṣeto naa ki o tun gbe Nginx pada.
# nginx -t # systemctl reload nginx.service
Jeki TLS 1.3 ni Apache
Bibẹrẹ lati Apache 2.4.37, o le lo anfani ti TLS 1.3. Ti o ba n ṣiṣẹ ẹya ti agbalagba ti Apache, o nilo lati ṣe igbesoke akọkọ si ẹya tuntun.
# apt install apache2 # yum install httpd
Lọgan ti o fi sii, o le rii daju Apache ati ẹya OpenSSL eyiti a kojọ Afun.
# httpd -V # openssl version
Bayi bẹrẹ, muu ṣiṣẹ ki o jẹrisi fifi sori ẹrọ nginx.
-------------- On Debian/Ubuntu -------------- # systemctl start apache2.service # systemctl enable apache2.service # systemctl status apache2.service -------------- On RHEL/CentOS/Fedora -------------- # systemctl start httpd.service # systemctl enable httpd.service # systemctl status httpd.service
Bayi ṣii faili iṣeto iṣeto olupin foju Apache nipa lilo olootu ayanfẹ rẹ.
# vi /etc/httpd/conf.d/vhost.conf OR # vi /etc/apache2/apache2.conf
ki o wa ssl_protocols
itọsọna ki o fi TLSv1.3 sii ni opin ila bi a ti han ni isalẹ.
<VirtualHost *:443> SSLEngine On # RSA ssl_certificate /etc/letsencrypt/example.com/fullchain.cer; ssl_certificate_key /etc/letsencrypt/example.com/example.com.key; # ECDSA ssl_certificate /etc/letsencrypt/example.com_ecc/fullchain.cer; ssl_certificate_key /etc/letsencrypt/example.com_ecc/example.com.key; ssl_protocols TLSv1.2 TLSv1.3 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem ServerAdmin [email ServerName www.example.com ServerAlias example.com #DocumentRoot /data/httpd/htdocs/example.com/ DocumentRoot /data/httpd/htdocs/example_hueman/ # Log file locations LogLevel warn ErrorLog /var/log/httpd/example.com/httpserror.log CustomLog "|/usr/sbin/rotatelogs /var/log/httpd/example.com/httpsaccess.log.%Y-%m-%d 86400" combined </VirtualHost>
Lakotan, ṣayẹwo iṣeto naa ki o tun gbe Apache.
-------------- On Debian/Ubuntu -------------- # apache2 -t # systemctl reload apache2.service -------------- On RHEL/CentOS/Fedora -------------- # httpd -t # systemctl reload httpd.service
Daju Aye jẹ Lilo TLS 1.3
Lọgan ti o ba tunto nipasẹ olupin ayelujara kan, o le ṣayẹwo pe aaye rẹ n ṣe ọwọ lori ilana TLS 1.3 nipa lilo awọn irinṣẹ idagbasoke aṣawakiri Chrome lori ẹya Chrome 70 +.
Gbogbo ẹ niyẹn. O ti ṣaṣeyọri mu ilana TLS 1.3 ṣiṣẹ lori agbegbe rẹ ti o gbalejo lori Apache tabi awọn olupin ayelujara Nginx. Ti o ba ni awọn ibeere eyikeyi nipa nkan yii, ni ọfẹ lati beere ninu abala ọrọ ni isalẹ.