How to Enable TLS 1.3 in Apache and Nginx


TLS 1.3 is the latest version of the Transport Layer Security (TLS) protocol. It builds on the existing 1.2 specification and is a proper IETF standard: RFC 8446. It provides stronger security and better performance than its predecessors.

In this article, we will show you a step-by-step guide to obtaining a valid TLS certificate and enabling the new TLS 1.3 protocol on your domain hosted on Apache or Nginx web servers.

  • Apache version 2.4.37 or greater.
  • Nginx version 1.13.0 or greater.
  • OpenSSL version 1.1.1 or greater.
  • A valid domain name with correctly configured DNS records.
  • A valid TLS certificate.

Install a TLS Certificate from Let's Encrypt

To obtain a free SSL certificate from Let's Encrypt, you need to install the Acme.sh client and a few required packages on your Linux system as shown.

# apt install -y socat git  [On Debian/Ubuntu]
# dnf install -y socat git  [On RHEL/CentOS/Fedora]
# mkdir /etc/letsencrypt
# git clone https://github.com/Neilpang/acme.sh.git
# cd acme.sh 
# ./acme.sh --install --home /etc/letsencrypt --accountemail [email 
# cd ~
# /etc/letsencrypt/acme.sh --issue --standalone --home /etc/letsencrypt -d example.com --ocsp-must-staple --keylength 2048
# /etc/letsencrypt/acme.sh --issue --standalone --home /etc/letsencrypt -d example.com --ocsp-must-staple --keylength ec-256

NOTE: Replace example.com in the commands above with your real domain name.

Once you have installed the SSL certificate, you can proceed to enable TLS 1.3 on your domain as explained below.

Enable TLS 1.3 on Nginx

As mentioned in the requirements above, TLS 1.3 is supported starting from Nginx version 1.13. If you are running an older Nginx version, you need to upgrade to the latest version first.

# apt install nginx
# yum install nginx

Check the Nginx version and the OpenSSL version Nginx was compiled against (make sure the nginx version is at least 1.14 and the openssl version is 1.1.1).

# nginx -V
nginx version: nginx/1.14.1
built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC) 
built with OpenSSL 1.1.1 FIPS  11 Sep 2018
TLS SNI support enabled
....

Bayi bẹrẹ, muu ṣiṣẹ ki o jẹrisi fifi sori ẹrọ nginx.

# systemctl start nginx.service
# systemctl enable nginx.service
# systemctl status nginx.service

Now open the nginx vhost configuration file /etc/nginx/conf.d/example.com.conf using your favorite editor.

# vi /etc/nginx/conf.d/example.com.conf

and look for the ssl_protocols directive and add TLSv1.3 at the end of the line as shown below.

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name example.com;

  # RSA
  ssl_certificate /etc/letsencrypt/example.com/fullchain.cer;
  ssl_certificate_key /etc/letsencrypt/example.com/example.com.key;
  # ECDSA
  ssl_certificate /etc/letsencrypt/example.com_ecc/fullchain.cer;
  ssl_certificate_key /etc/letsencrypt/example.com_ecc/example.com.key;

  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  ssl_prefer_server_ciphers on;
}

Finally, check the configuration and reload Nginx.

# nginx -t
# systemctl reload nginx.service

Enable TLS 1.3 in Apache

Starting from Apache 2.4.37, you can take advantage of TLS 1.3. If you are running an older version of Apache, you need to upgrade to the latest version first.

# apt install apache2
# yum install httpd

Once installed, you can verify the Apache version and the OpenSSL version Apache was compiled against.

# httpd -V
# openssl version

Bayi bẹrẹ, muu ṣiṣẹ ki o jẹrisi fifi sori ẹrọ nginx.

-------------- On Debian/Ubuntu -------------- 
# systemctl start apache2.service
# systemctl enable apache2.service
# systemctl status apache2.service

-------------- On RHEL/CentOS/Fedora --------------
# systemctl start httpd.service
# systemctl enable httpd.service
# systemctl status httpd.service

Now open the Apache virtual host configuration file using your favorite editor.

# vi /etc/httpd/conf.d/vhost.conf
OR
# vi /etc/apache2/apache2.conf

and look for the SSLProtocol directive and add +TLSv1.3 at the end of the line as shown below. Apache uses its own directive names (SSLProtocol, SSLCipherSuite, SSLCertificateFile) rather than the nginx ones; mod_ssl rejects an nginx-style ssl_protocols line as an invalid command.

<VirtualHost *:443>
    ServerAdmin [email 
    ServerName www.example.com
    ServerAlias example.com
    #DocumentRoot /data/httpd/htdocs/example.com/
    DocumentRoot /data/httpd/htdocs/example_hueman/

    SSLEngine On

    # RSA certificate and key issued by acme.sh above
    SSLCertificateFile /etc/letsencrypt/example.com/fullchain.cer
    SSLCertificateKeyFile /etc/letsencrypt/example.com/example.com.key
    # ECDSA certificate and key (Apache 2.4.8+ accepts a second pair)
    SSLCertificateFile /etc/letsencrypt/example.com_ecc/fullchain.cer
    SSLCertificateKeyFile /etc/letsencrypt/example.com_ecc/example.com.key
    # If the certificate came from certbot instead, use its live/ layout:
    #SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    #SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    #SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

    # Allow only TLS 1.2 and TLS 1.3
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on

    # Log file locations
    LogLevel warn
    ErrorLog  /var/log/httpd/example.com/httpserror.log
    CustomLog "|/usr/sbin/rotatelogs /var/log/httpd/example.com/httpsaccess.log.%Y-%m-%d 86400" combined
</VirtualHost>

Finally, check the configuration and reload Apache.

-------------- On Debian/Ubuntu -------------- 
# apache2 -t
# systemctl reload apache2.service

-------------- On RHEL/CentOS/Fedora --------------
# httpd -t
# systemctl reload httpd.service
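Before reloading either server, it is worth checking that the protocol line really allows only TLS 1.2 and 1.3. The following is an added example, not code from the article: a small POSIX shell check that reads the nginx ssl_protocols or Apache SSLProtocol directive from a config file and flags anything older, run here over two constructed sample snippets.

```shell
#!/bin/sh
# Added example (not from the article): check that a web-server config enables
# TLS 1.3 and nothing older than TLS 1.2. Understands the nginx "ssl_protocols"
# directive and the Apache "SSLProtocol" directive used above. Only explicit
# allow-lists are accepted; Apache's "all" keyword is reported because it also
# turns on TLS 1.0 and 1.1. Prints "ok" on success, the problem otherwise.

check_tls_protocols() {
    conf="$1"
    # Take the first matching directive; drop the directive name and the
    # trailing ';' of nginx syntax, keep Apache's '+'/'-' prefixes for inspection.
    protos=$(grep -Ei '^[[:space:]]*(ssl_protocols|SSLProtocol)[[:space:]]' "$conf" \
             | head -n 1 | sed -E 's/^[[:space:]]*[A-Za-z_]+[[:space:]]+//; s/;//g')
    [ -n "$protos" ] || { echo "no protocol directive in $conf"; return 2; }
    status=0
    for p in $protos; do
        case "$p" in
            -all|-ALL) ;;                          # Apache: start from an empty set
            +TLSv1.2|TLSv1.2|+TLSv1.3|TLSv1.3) ;;  # the two versions we want
            *) echo "weak or unspecific protocol '$p' in $conf"; status=1 ;;
        esac
    done
    # TLS 1.3 itself must be switched on.
    case " $protos " in
        *" TLSv1.3 "*|*" +TLSv1.3 "*) ;;
        *) echo "TLSv1.3 not enabled in $conf"; status=1 ;;
    esac
    [ "$status" -eq 0 ] && echo "ok: $conf allows only: $protos"
    return "$status"
}

# Constructed sample configs: one nginx snippet that still offers TLS 1.0/1.1,
# one Apache snippet matching the hardened vhost above.
tmp=$(mktemp -d)
printf 'server {\n  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;\n}\n' > "$tmp/weak.conf"
printf '<VirtualHost *:443>\n  SSLProtocol -all +TLSv1.2 +TLSv1.3\n</VirtualHost>\n' > "$tmp/good.conf"

for f in "$tmp/weak.conf" "$tmp/good.conf"; do
    if ! check_tls_protocols "$f"; then
        echo "FAIL: $f"
    fi
done
rm -rf "$tmp"
```

Run it against /etc/nginx/conf.d/example.com.conf or the Apache vhost file before `nginx -t` / `httpd -t`; a non-zero exit means the directive still admits a legacy version.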

Verify That the Site Is Using TLS 1.3

Once configured on either web server, you can check that your site is handshaking over the TLS 1.3 protocol using the Chrome browser developer tools on Chrome version 70 or later.
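From a server or CI host without a browser, the same check can be done with openssl s_client. This added example (not from the article) parses the "Protocol :" and "Cipher :" lines of an s_client session and reports whether TLS 1.3 was negotiated; verify_tls13 runs the live handshake, while the transcript embedded below is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the article): confirm which protocol a server really
# negotiates. negotiated_protocol reads "openssl s_client" output on stdin,
# prints "<protocol> <cipher>" and returns 0 only for a TLS 1.3 session.
negotiated_protocol() {
    out=$(cat)
    # The SSL-Session block of s_client output carries these two fields.
    proto=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1)
    printf '%s %s\n' "${proto:-unknown}" "${cipher:-unknown}"
    [ "$proto" = "TLSv1.3" ]
}

# Live check (needs network): force TLS 1.3 with -tls1_3, send SNI for the
# vhost, and close stdin so s_client exits after the handshake. A server that
# lacks TLS 1.3 refuses the connection, so no Protocol line is printed and the
# function returns 1. Arguments: hostname and optional port (default 443).
verify_tls13() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -tls1_3 </dev/null 2>/dev/null \
        | negotiated_protocol
}

# Constructed transcript of the relevant part of a successful s_client session.
sample_tls13='---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
---'

if printf '%s\n' "$sample_tls13" | negotiated_protocol; then
    echo "sample session used TLS 1.3"
fi
# Against a real host: verify_tls13 example.com
```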

That's all. You have successfully enabled the TLS 1.3 protocol on your domain hosted on Apache or Nginx web servers. If you have any questions about this article, feel free to ask in the comment section below.