How to Enable TLS 1.3 in Apache and Nginx


TLS 1.3 is the latest version of the Transport Layer Security (TLS) protocol. It builds on the existing 1.2 specification and is standardised by the IETF as RFC 8446. It offers stronger security and better performance than its predecessors: RSA key exchange, static Diffie-Hellman, renegotiation and the legacy cipher suites are gone, every remaining suite provides forward secrecy, and a full handshake completes in one round trip instead of two.

In this article we will show you, step by step, how to obtain a valid TLS certificate and enable the latest TLS 1.3 protocol version on your domain hosted on an Apache or Nginx web server.

  • Apache version 2.4.37 or later.
  • Nginx version 1.13.0 or later.
  • OpenSSL version 1.1.1 or later (the web server must be built against it).
  • A valid domain name with correctly configured DNS records.
  • A valid TLS certificate.

Install a TLS Certificate from Let's Encrypt

To obtain a free TLS certificate from Let's Encrypt, install the acme.sh client and the few packages it needs on your Linux system as shown. The --standalone mode used below starts its own listener (via socat) on port 80 to answer the HTTP-01 challenge, so port 80 must be reachable from the internet and must not already be in use by a web server while the commands run; otherwise use acme.sh's --webroot, --nginx or --apache modes instead.

# apt install -y socat git  [On Debian/Ubuntu]
# dnf install -y socat git  [On RHEL/CentOS/Fedora]
# mkdir /etc/letsencrypt
# git clone https://github.com/Neilpang/acme.sh.git
# cd acme.sh 
# ./acme.sh --install --home /etc/letsencrypt --accountemail [email 
# cd ~
# /etc/letsencrypt/acme.sh --issue --standalone --home /etc/letsencrypt -d example.com --ocsp-must-staple --keylength 2048
# /etc/letsencrypt/acme.sh --issue --standalone --home /etc/letsencrypt -d example.com --ocsp-must-staple --keylength ec-256

NOTE: Replace example.com in the commands above with your domain name. The first --issue command produces an RSA 2048-bit certificate under /etc/letsencrypt/example.com/, the second an ECDSA P-256 certificate under /etc/letsencrypt/example.com_ecc/; the server configurations below load both, so modern clients negotiate the smaller and faster ECDSA certificate while older ones fall back to RSA. The --ocsp-must-staple option adds the TLS Feature (status_request) extension to the certificate, which instructs clients to refuse the connection if the server does not staple a fresh OCSP response. Only request it if you also enable OCSP stapling in the web server (ssl_stapling in Nginx, SSLUseStapling together with a global SSLStaplingCache in Apache), and note that Let's Encrypt has announced that it is retiring OCSP, so check its current policy before relying on this option.
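Before wiring a freshly issued certificate into the web server it is worth checking that it is what you asked for: the expected key type and size, the right Subject Alternative Names, the must-staple extension, and enough validity left. The script below is an added example, not part of the original article or of acme.sh; it assumes the /etc/letsencrypt/<domain>/fullchain.cer layout produced by the --home option above, and the policy it enforces (RSA of at least 2048 bits or a 256-bit EC key, must-staple present) is this script's own choice. The sample certificate text embedded in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article or the acme.sh project): inspect a
# certificate acme.sh just issued before pointing Nginx or Apache at it.
# Assumptions: the /etc/letsencrypt/<domain>/fullchain.cer path (acme.sh --home layout
# used in the article) and the policy thresholds in check_policy().

# Reduce `openssl x509 -noout -text` output (read from stdin) to key=value lines.
cert_summary() {
  awk '
    /Not After :/               { sub(/^.*Not After : */, ""); printf "not_after=%s\n", $0 }
    /Public Key Algorithm:/     { sub(/^.*Algorithm: */, ""); printf "key_algo=%s\n", $0 }
    /Public-Key: \(/            { n = $0; gsub(/[^0-9]/, "", n); printf "key_bits=%s\n", n }
    /Subject Alternative Name:/ { san = 1; next }
    san  { sub(/^[ \t]+/, ""); gsub(/DNS:/, ""); gsub(/, /, " "); printf "sans=%s\n", $0; san = 0 }
    /TLS Feature:/              { feat = 1; next }
    feat { if ($0 ~ /status_request/) ms = 1; feat = 0 }
    END  { printf "must_staple=%s\n", (ms ? "yes" : "no") }
  '
}

# Return 0 when a summary (stdin) meets the policy this article targets:
# an RSA key of at least 2048 bits or a 256-bit EC key, and must-staple present.
check_policy() {
  algo=''; bits=0; ms=no
  while IFS='=' read -r k v; do
    case "$k" in
      key_algo)    algo=$v ;;
      key_bits)    bits=$v ;;
      must_staple) ms=$v ;;
    esac
  done
  case "$algo" in
    rsaEncryption)  [ "$bits" -ge 2048 ] || return 1 ;;
    id-ecPublicKey) [ "$bits" -ge 256 ]  || return 1 ;;
    *)              return 1 ;;
  esac
  [ "$ms" = yes ]
}

# Summarise a PEM file on disk and flag certificates that expire within 30 days.
inspect_cert_file() {   # $1: path to fullchain.cer (first cert in the file is the leaf)
  openssl x509 -in "$1" -noout -text | cert_summary
  if openssl x509 -in "$1" -noout -checkend $((30 * 86400)) >/dev/null; then
    echo "expiry=ok"
  else
    echo "expiry=renew-soon"
  fi
}

# Constructed sample of `openssl x509 -noout -text` output for the ECDSA certificate
# issued above (abbreviated; not real data).
SAMPLE_CERT_TEXT=$(cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Mar 31 23:59:59 2024 GMT
        Subject: CN = example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com
            TLS Feature:
                status_request
EOF
)

# Usage: sh check-cert.sh /etc/letsencrypt/example.com_ecc/fullchain.cer
if [ "$#" -gt 0 ]; then
  summary=$(inspect_cert_file "$1")
  printf '%s\n' "$summary"
  if printf '%s\n' "$summary" | check_policy; then echo "policy: PASS"; else echo "policy: FAIL"; exit 1; fi
fi
```

Run it against both the RSA and the ECC fullchain files; a certificate that reports must_staple=yes but is served by a vhost without OCSP stapling is the one combination this check cannot catch on its own, which is why the handshake probe at the end of the article also looks for a stapled response.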

Once the certificate is installed, you can proceed to enable TLS 1.3 on your domain as described below.

Enable TLS 1.3 in Nginx

As mentioned in the requirements above, TLS 1.3 is supported starting from Nginx version 1.13.0, provided the binary is linked against OpenSSL 1.1.1 or later. If you are running an older Nginx version, upgrade to a newer one first.

# apt install nginx
# yum install nginx

Check the Nginx version and the OpenSSL version that Nginx was compiled against (you need at least nginx 1.13.0 and OpenSSL 1.1.1; the output below is from a 1.14.1 build).

# nginx -V
nginx version: nginx/1.14.1
built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC) 
built with OpenSSL 1.1.1 FIPS  11 Sep 2018
TLS SNI support enabled
....

Now start, enable and check the Nginx installation.

# systemctl start nginx.service
# systemctl enable nginx.service
# systemctl status nginx.service

Now open the Nginx vhost configuration file /etc/nginx/conf.d/example.com.conf using your favourite text editor.

# vi /etc/nginx/conf.d/example.com.conf

then find the ssl_protocols directive and add TLSv1.3 at the end of the line as shown below. Two things to be aware of: with OpenSSL, ssl_ciphers only governs TLS 1.2 and earlier, because TLS 1.3 has its own small set of suites (TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256) that OpenSSL enables by default and that Nginx 1.19.4 and later can adjust with ssl_conf_command Ciphersuites; and the last four suites in the list below are CBC-mode TLS 1.2 suites, kept only for very old clients, so drop them if you do not need to serve such clients.

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name example.com;

  # RSA
  ssl_certificate /etc/letsencrypt/example.com/fullchain.cer;
  ssl_certificate_key /etc/letsencrypt/example.com/example.com.key;
  # ECDSA
  ssl_certificate /etc/letsencrypt/example.com_ecc/fullchain.cer;
  ssl_certificate_key /etc/letsencrypt/example.com_ecc/example.com.key;

  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  ssl_prefer_server_ciphers on;
}

Finally, test the configuration and reload Nginx.

# nginx -t
# systemctl reload nginx.service

Enable TLS 1.3 in Apache

Starting from Apache 2.4.37, built against OpenSSL 1.1.1, you can use TLS 1.3. If you are running an older Apache version, upgrade to a newer one first.

# apt install apache2
# yum install httpd

Once installed, you can check the Apache version and the OpenSSL version that Apache is built against (mod_ssl also logs the OpenSSL version it was compiled against in the error log when the server starts).

-------------- On Debian/Ubuntu -------------- 
# apache2ctl -V
# openssl version

-------------- On RHEL/CentOS/Fedora --------------
# httpd -V
# openssl version

Now start, enable and check the Apache installation.

-------------- On Debian/Ubuntu -------------- 
# systemctl start apache2.service
# systemctl enable apache2.service
# systemctl status apache2.service

-------------- On RHEL/CentOS/Fedora --------------
# systemctl start httpd.service
# systemctl enable httpd.service
# systemctl status httpd.service

Now open the Apache virtual host configuration file using your favourite text editor. On RHEL-based systems vhosts live under /etc/httpd/conf.d/; on Debian/Ubuntu they live under /etc/apache2/sites-available/ (the file name below is an example), must be enabled with a2ensite, and mod_ssl must be enabled with a2enmod ssl.

# vi /etc/httpd/conf.d/vhost.conf
OR
# vi /etc/apache2/sites-available/example.com.conf

then find the SSLProtocol directive and add +TLSv1.3 to it as shown below (Apache uses SSLProtocol and SSLCipherSuite; the Nginx ssl_* directives are not valid here). As with Nginx, a plain SSLCipherSuite list only affects TLS 1.2 and earlier; from Apache 2.4.36 the TLS 1.3 suites can be set separately with SSLCipherSuite TLSv1.3 followed by the TLS_AES_*/TLS_CHACHA20_* names.

<VirtualHost *:443>
    ServerAdmin [email 
    ServerName www.example.com
    ServerAlias example.com
    #DocumentRoot /data/httpd/htdocs/example.com/
    DocumentRoot /data/httpd/htdocs/example_hueman/

    SSLEngine on

    # Apache 2.4.8+ accepts more than one SSLCertificateFile (here the RSA and the
    # ECDSA certificate issued above) and reads the intermediate chain from the
    # fullchain file, so SSLCertificateChainFile is no longer needed.
    # RSA
    SSLCertificateFile /etc/letsencrypt/example.com/fullchain.cer
    SSLCertificateKeyFile /etc/letsencrypt/example.com/example.com.key
    # ECDSA
    SSLCertificateFile /etc/letsencrypt/example.com_ecc/fullchain.cer
    SSLCertificateKeyFile /etc/letsencrypt/example.com_ecc/example.com.key

    # Disable every version, then re-enable only TLS 1.2 and TLS 1.3
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # TLS 1.2 suites only; TLS 1.3 suites are fixed by the protocol (AES-GCM, ChaCha20)
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on

    # Log file locations
    LogLevel warn
    ErrorLog  /var/log/httpd/example.com/httpserror.log
    CustomLog "|/usr/sbin/rotatelogs /var/log/httpd/example.com/httpsaccess.log.%Y-%m-%d 86400" combined
</VirtualHost>

Finally, test the configuration and reload Apache.

-------------- On Debian/Ubuntu -------------- 
# apache2ctl -t
# systemctl reload apache2.service

-------------- On RHEL/CentOS/Fedora --------------
# httpd -t
# systemctl reload httpd.service

Verify That the Site Is Using TLS 1.3

Once you have configured your web server, check that your site actually negotiates TLS 1.3: in Chrome 70 or later, open the developer tools and look at the Security panel, which shows the protocol version and cipher suite of the connection, or use openssl s_client from the command line. Check the versions you disabled as well: a server that still accepts TLS 1.0 or 1.1 has not gained much from adding 1.3.
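The following script is an added example, not part of the original article: it drives openssl s_client against a live host to confirm the outcome of the configuration above, namely that TLS 1.3 and 1.2 negotiate, that TLS 1.1 and 1.0 are refused, and that an OCSP response is stapled (mandatory here, because the certificates were issued with --ocsp-must-staple). The hostname and port are command-line arguments; the expectations encoded in assess() are this script's own assumptions, and the two s_client transcripts embedded in it are constructed and abbreviated for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): probe a server with openssl s_client
# and check each TLS version against what the article's configuration should yield.
# Assumptions: host/port given as arguments; expectations are those in assess().

# One handshake attempt; prints the s_client transcript. $3 is the version flag
# (-tls1_3, -tls1_2, -tls1_1 or -tls1). The exit status is deliberately ignored:
# a refused version makes s_client fail, and that failure is what we want to read.
tls_probe() {   # $1 host, $2 port, $3 version flag
  openssl s_client -connect "$1:$2" -servername "$1" -status "$3" </dev/null 2>/dev/null || true
}

# Reduce an s_client transcript (stdin) to key=value lines, or "handshake=failed"
# when no cipher was negotiated (also when the connection never got that far).
parse_probe() {
  awk '
    /^New, /                           { ok = ($0 !~ /Cipher is \(NONE\)/) }
    /^ *Protocol *:/                   { sub(/^ *Protocol *: */, ""); proto = $0 }
    /^ *Cipher *:/                     { sub(/^ *Cipher *: */, ""); cipher = $0 }
    /OCSP Response Status: successful/ { stapled = 1 }
    END {
      if (!ok) { print "handshake=failed"; exit }
      printf "protocol=%s\ncipher=%s\nstapled=%s\n", proto, cipher, (stapled ? "yes" : "no")
    }
  '
}

# Return 0 when a parsed probe matches the expectation for that version:
# tls1_3 and tls1_2 must succeed with a stapled OCSP response, tls1_1 and tls1 must fail.
assess() {   # $1 version name, $2 parse_probe output
  case "$1" in
    tls1_3|tls1_2)
      case "$2" in handshake=failed) return 1 ;; esac
      printf '%s\n' "$2" | grep -qx 'stapled=yes' ;;
    tls1_1|tls1)
      [ "$2" = 'handshake=failed' ] ;;
    *) return 2 ;;
  esac
}

# Probe every version, print PASS/FAIL per version, exit non-zero if any check fails.
check_host() {   # $1 host, $2 port (default 443)
  host=$1; port=${2:-443}; rc=0
  for v in tls1_3 tls1_2 tls1_1 tls1; do
    parsed=$(tls_probe "$host" "$port" "-$v" | parse_probe)
    if assess "$v" "$parsed"; then status=PASS; else status=FAIL; rc=1; fi
    printf '%s %-6s %s\n' "$status" "$v" "$(printf '%s' "$parsed" | tr '\n' ' ')"
  done
  return "$rc"
}

# Constructed, abbreviated transcript of a successful TLS 1.3 probe with -status.
SAMPLE_TLS13_OK=$(cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
======================================
---
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = R3
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
EOF
)

# Constructed, abbreviated transcript of a TLS 1.1 attempt the server refused.
SAMPLE_TLS11_REFUSED=$(cat <<'EOF'
CONNECTED(00000003)
139:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
EOF
)

# Usage: sh check-tls.sh example.com [443]
if [ "$#" -gt 0 ]; then
  check_host "$@"
fi
```

Run it from a host outside your own network so that the probe goes through the same path as your users. With OpenSSL 3 the client itself may refuse to offer TLS 1.0 and 1.1 at the default security level; the script still reports those as PASS, which is correct from the client's point of view but means you should also run it once from an OpenSSL 1.1.1 host to prove the server side refuses them.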

That's all. You have successfully enabled TLS 1.3 on your domain hosted on an Apache or Nginx web server. If you have any questions about this article, feel free to ask in the comment section below.