How to Enable TLS 1.3 in Apache and Nginx


TLS 1.3 is the latest version of the Transport Layer Security (TLS) protocol and an IETF standard, RFC 8446, built on the existing 1.2 specification. It provides stronger security and better performance than its predecessors.

In this article, we will show step by step how to obtain a valid TLS certificate and enable the latest TLS 1.3 protocol version on your domain hosted on an Apache or Nginx web server.

Requirements

  • Apache 2.4.37 or a newer version.
  • Nginx 1.13.0 or a newer version.
  • OpenSSL version 1.1.1 or newer.
  • A valid domain name with correctly configured DNS records.
  • A valid TLS certificate.

Install a TLS Certificate from Let's Encrypt

To get a free SSL certificate from Let's Encrypt, you need to install the Acme.sh client and the required packages on your Linux system as shown.

# apt install -y socat git  [On Debian/Ubuntu]
# dnf install -y socat git  [On RHEL/CentOS/Fedora]
# mkdir /etc/letsencrypt
# git clone https://github.com/Neilpang/acme.sh.git
# cd acme.sh
# ./acme.sh --install --home /etc/letsencrypt --accountemail admin@example.com  [use your own e-mail address]
# cd ~
# /etc/letsencrypt/acme.sh --issue --standalone --home /etc/letsencrypt -d example.com --ocsp-must-staple --keylength 2048  [RSA certificate; standalone mode needs port 80 free]
# /etc/letsencrypt/acme.sh --issue --standalone --home /etc/letsencrypt -d example.com --ocsp-must-staple --keylength ec-256  [ECDSA certificate]

NOTE: Replace example.com in the commands above with your real domain name.

Once the SSL certificate is installed, you can proceed to enable TLS 1.3 on your domain as explained below.

Enable TLS 1.3 in Nginx

As I noted in the requirements above, TLS 1.3 has been supported since Nginx version 1.13. If you are running an older Nginx version, you need to upgrade to the latest version first.

# apt install nginx
# yum install nginx

Check the Nginx version and the OpenSSL version Nginx was built with (the Nginx version should be at least 1.14 and the OpenSSL version 1.1.1).

# nginx -V
nginx version: nginx/1.14.1
built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC) 
built with OpenSSL 1.1.1 FIPS  11 Sep 2018
TLS SNI support enabled
....

Now start, enable and check the Nginx installation.

# systemctl start nginx.service
# systemctl enable nginx.service
# systemctl status nginx.service

Now open the Nginx vhost configuration file /etc/nginx/conf.d/example.com.conf using your favorite editor.

# vi /etc/nginx/conf.d/example.com.conf

then find the ssl_protocols directive and add TLSv1.3 at the end of the line as shown below.

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name example.com;

  # RSA certificate and key issued by acme.sh above
  ssl_certificate /etc/letsencrypt/example.com/fullchain.cer;
  ssl_certificate_key /etc/letsencrypt/example.com/example.com.key;
  # ECDSA certificate and key (Nginx serves whichever type the client supports)
  ssl_certificate /etc/letsencrypt/example.com_ecc/fullchain.cer;
  ssl_certificate_key /etc/letsencrypt/example.com_ecc/example.com.key;

  # Allow only TLS 1.2 and TLS 1.3
  ssl_protocols TLSv1.2 TLSv1.3;
  # Cipher list for TLS 1.2 clients; TLS 1.3 suites are not selected by ssl_ciphers
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  ssl_prefer_server_ciphers on;

  # The certificates were issued with --ocsp-must-staple, so the server must
  # staple OCSP responses or must-staple-aware clients will refuse to connect.
  # Nginx also needs a resolver directive to look up the OCSP responder.
  ssl_stapling on;
}

Finally, test the configuration and reload Nginx.

# nginx -t
# systemctl reload nginx.service

Enable TLS 1.3 in Apache

Starting with Apache 2.4.37, you can take advantage of TLS 1.3. If you are running an older version of Apache, you need to upgrade to the latest version first.

# apt install apache2
# yum install httpd

Once installed, you can check the Apache version and the OpenSSL version Apache was built with.

# httpd -V
# openssl version

Now start, enable and check the Apache installation.

-------------- On Debian/Ubuntu -------------- 
# systemctl start apache2.service
# systemctl enable apache2.service
# systemctl status apache2.service

-------------- On RHEL/CentOS/Fedora --------------
# systemctl start httpd.service
# systemctl enable httpd.service
# systemctl status httpd.service

Now open the Apache virtual host configuration file using your favorite editor.

# vi /etc/httpd/conf.d/vhost.conf
OR
# vi /etc/apache2/apache2.conf

then find the SSLProtocol directive and add +TLSv1.3 at the end of the line as shown below.

<VirtualHost *:443>
    ServerAdmin admin@example.com
    ServerName www.example.com
    ServerAlias example.com
    #DocumentRoot /data/httpd/htdocs/example.com/
    DocumentRoot /data/httpd/htdocs/example_hueman/

    SSLEngine On
    # Allow only TLS 1.2 and TLS 1.3
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # Cipher list for TLS 1.2 clients; TLS 1.3 suites are not selected by SSLCipherSuite
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on

    # RSA certificate and key issued by acme.sh above
    SSLCertificateFile /etc/letsencrypt/example.com/fullchain.cer
    SSLCertificateKeyFile /etc/letsencrypt/example.com/example.com.key
    # ECDSA certificate and key (Apache 2.4.8+ accepts several certificate pairs)
    SSLCertificateFile /etc/letsencrypt/example.com_ecc/fullchain.cer
    SSLCertificateKeyFile /etc/letsencrypt/example.com_ecc/example.com.key
    # If the certificate was issued with certbot instead, use its paths:
    #SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    #SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    #SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

    # The certificates were issued with --ocsp-must-staple; stapling also needs
    # SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" outside any VirtualHost
    SSLUseStapling on

    # Log file locations
    LogLevel warn
    ErrorLog  /var/log/httpd/example.com/httpserror.log
    CustomLog "|/usr/sbin/rotatelogs /var/log/httpd/example.com/httpsaccess.log.%Y-%m-%d 86400" combined
</VirtualHost>

Finally, test the configuration and reload Apache.

-------------- On Debian/Ubuntu --------------
# apache2ctl -t
# systemctl reload apache2.service

-------------- On RHEL/CentOS/Fedora --------------
# httpd -t
# systemctl reload httpd.service

Verify That the Site Is Using TLS 1.3

Once the web server is configured, you can check that your site is negotiating TLS 1.3 using the developer tools of the Chrome browser (version 70 or later).
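As an added command-line check that is not part of the original article, the following POSIX shell script forces a TLS 1.3 handshake with openssl s_client (OpenSSL 1.1.1 or later is assumed) and also confirms that the server staples an OCSP response, which matters here because the certificates were issued with --ocsp-must-staple. The constructed transcripts at the bottom let it run offline; pass a hostname to test a live server.

```shell
#!/bin/sh
# Added example, not from the original article: check that a host
# negotiates TLS 1.3 and staples an OCSP response (the certificates
# above were issued with --ocsp-must-staple). Assumes OpenSSL 1.1.1+.

# Classify an `openssl s_client -status` transcript passed as $1.
# Returns 0 = TLS 1.3 with stapled OCSP, 1 = TLS 1.3 not negotiated,
# 2 = TLS 1.3 but no staple (must-staple-aware clients will refuse).
check_transcript() {
    # A failed handshake still prints an SSL-Session block, so key off
    # the "New, <protocol>, Cipher is <suite>" summary line instead.
    summary=$(printf '%s\n' "$1" | grep '^New, ' | head -n 1)
    case "$summary" in
        "New, TLSv1.3, Cipher is TLS_"*) ;;
        *) echo "FAIL: TLS 1.3 not negotiated (${summary:-no handshake})"
           return 1 ;;
    esac
    if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
        echo "OK: $summary, OCSP response stapled"
        return 0
    fi
    echo "WARN: $summary, but no OCSP response stapled"
    return 2
}

# Live check: force TLS 1.3 (-tls1_3) and request a staple (-status).
check_host() {
    transcript=$(printf '' | openssl s_client -connect "$1:443" \
        -servername "$1" -tls1_3 -status 2>/dev/null)
    check_transcript "$transcript"
}

# Constructed, abridged s_client transcripts so the script runs offline.
SAMPLE_STAPLED='OCSP Response Data:
    OCSP Response Status: successful (0x0)
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384'
SAMPLE_NOSTAPLE='OCSP response: no response sent
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384'
SAMPLE_OLD='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_FAILED='New, (NONE), Cipher is (NONE)'

if [ $# -eq 1 ]; then
    check_host "$1"   # usage: sh check_tls13.sh example.com
else
    for s in "$SAMPLE_STAPLED" "$SAMPLE_NOSTAPLE" "$SAMPLE_OLD" "$SAMPLE_FAILED"; do
        check_transcript "$s" || echo "  (exit status $?)"
    done
fi
```

A WARN result on a live host means the certificate's must-staple extension is not being honoured, so Firefox and other must-staple-aware clients will refuse the connection even though TLS 1.3 itself works.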

That's all. You have successfully enabled the TLS 1.3 protocol on your domain hosted on an Apache or Nginx web server. If you have any questions about this article, you can ask them in the comment section below.