How to Enable TLS 1.3 in Apache and Nginx


TLS 1.3 is the latest version of the Transport Layer Security (TLS) protocol. It builds on the existing 1.2 specification and has its own IETF standard: RFC 8446. It provides stronger security and better performance than its predecessors.

In this article, we will walk you through a step-by-step guide to obtaining a valid TLS certificate and enabling the latest protocol version, TLS 1.3, on your domain hosted on the Apache or Nginx web server.

  • Apache version 2.4.37 or later.
  • Nginx version 1.13.0 or later.
  • OpenSSL version 1.1.1 or later.
  • A valid domain name with correctly configured DNS records.
  • A valid TLS certificate.

Install a TLS Certificate from Let's Encrypt

To obtain a free SSL certificate from Let's Encrypt, you need to install the Acme.sh client together with a few required packages on your Linux system, as shown.

# apt install -y socat git  [On Debian/Ubuntu]
# dnf install -y socat git  [On RHEL/CentOS/Fedora]
# mkdir /etc/letsencrypt
# git clone https://github.com/Neilpang/acme.sh.git
# cd acme.sh
# ./acme.sh --install --home /etc/letsencrypt --accountemail admin@example.com
# cd ~
# /etc/letsencrypt/acme.sh --issue --standalone --home /etc/letsencrypt -d example.com --ocsp-must-staple --keylength 2048
# /etc/letsencrypt/acme.sh --issue --standalone --home /etc/letsencrypt -d example.com --ocsp-must-staple --keylength ec-256

NOTE: Replace example.com in the commands above with your actual domain name.

Once the SSL certificate is installed, you can go on to enable TLS 1.3 on your domain as explained below.

Enable TLS 1.3 in Nginx

As mentioned in the requirements above, TLS 1.3 is supported from Nginx version 1.13 onwards. If you are running an older version of Nginx, you first need to upgrade to the latest version.

# apt install nginx  [On Debian/Ubuntu]
# yum install nginx  [On RHEL/CentOS/Fedora]

Check the Nginx version and the OpenSSL version that Nginx was built against (make sure the nginx version is at least 1.14 and the openssl version is 1.1.1).

# nginx -V
nginx version: nginx/1.14.1
built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC) 
built with OpenSSL 1.1.1 FIPS  11 Sep 2018
TLS SNI support enabled
....

Now start, enable and verify the nginx installation.

# systemctl start nginx.service
# systemctl enable nginx.service
# systemctl status nginx.service

Now open the nginx vhost configuration file /etc/nginx/conf.d/example.com.conf using your favourite editor.

# vi /etc/nginx/conf.d/example.com.conf

and look for the ssl_protocols directive, then append TLSv1.3 at the end of that line as shown below.

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name example.com;

  # RSA
  ssl_certificate /etc/letsencrypt/example.com/fullchain.cer;
  ssl_certificate_key /etc/letsencrypt/example.com/example.com.key;
  # ECDSA
  ssl_certificate /etc/letsencrypt/example.com_ecc/fullchain.cer;
  ssl_certificate_key /etc/letsencrypt/example.com_ecc/example.com.key;

  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  ssl_prefer_server_ciphers on;
}

Finally, verify the configuration and reload Nginx.

# nginx -t
# systemctl reload nginx.service

Enable TLS 1.3 in Apache

Starting with Apache 2.4.37, you can take advantage of TLS 1.3. If you are running an older version of Apache, you first need to upgrade to the latest version.

# apt install apache2  [On Debian/Ubuntu]
# yum install httpd    [On RHEL/CentOS/Fedora]

Once it is installed, you can verify the Apache version and the OpenSSL version that Apache was built against.

# httpd -V       [On RHEL/CentOS/Fedora]
# apache2ctl -V  [On Debian/Ubuntu]
# openssl version

Now start, enable and verify the Apache installation.

-------------- On Debian/Ubuntu -------------- 
# systemctl start apache2.service
# systemctl enable apache2.service
# systemctl status apache2.service

-------------- On RHEL/CentOS/Fedora --------------
# systemctl start httpd.service
# systemctl enable httpd.service
# systemctl status httpd.service

Now open the Apache virtual host configuration file using your favourite editor.

# vi /etc/httpd/conf.d/vhost.conf  [On RHEL/CentOS/Fedora]
OR
# vi /etc/apache2/apache2.conf     [On Debian/Ubuntu]

and look for the SSLProtocol directive (the Apache counterpart of Nginx's ssl_protocols), then add TLSv1.3 at the end of that line as shown below.

<VirtualHost *:443>
    SSLEngine On

    # RSA certificate issued by acme.sh (fullchain.cer already includes the intermediate chain)
    SSLCertificateFile /etc/letsencrypt/example.com/fullchain.cer
    SSLCertificateKeyFile /etc/letsencrypt/example.com/example.com.key
    # ECDSA certificate; Apache 2.4.8+ accepts a second pair and serves whichever the client supports
    SSLCertificateFile /etc/letsencrypt/example.com_ecc/fullchain.cer
    SSLCertificateKeyFile /etc/letsencrypt/example.com_ecc/example.com.key
    # If the certificate was obtained with certbot instead of acme.sh, use its paths:
    #SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    #SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    #SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

    # Only TLS 1.2 and TLS 1.3; "-all" first switches every other version off
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on

    ServerAdmin admin@example.com
    ServerName www.example.com
    ServerAlias example.com
    #DocumentRoot /data/httpd/htdocs/example.com/
    DocumentRoot /data/httpd/htdocs/example_hueman/

    # Log file locations
    LogLevel warn
    ErrorLog  /var/log/httpd/example.com/httpserror.log
    CustomLog "|/usr/sbin/rotatelogs /var/log/httpd/example.com/httpsaccess.log.%Y-%m-%d 86400" combined
</VirtualHost>

Finally, verify the configuration and reload Apache.

-------------- On Debian/Ubuntu --------------
# apache2ctl -t
# systemctl reload apache2.service

-------------- On RHEL/CentOS/Fedora --------------
# httpd -t
# systemctl reload httpd.service
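Before reloading either server, it is worth checking that the protocol directive in the saved file really says what the Nginx and Apache sections above intend (TLS 1.2 and 1.3 on, TLS 1.0 and 1.1 off). The following shell script is an added example, not part of the article or of either project. It reads nginx's `ssl_protocols` list as well as Apache's `SSLProtocol` with its `+`/`-` prefixes and the `all` keyword, and reports one verdict per file; the sample config snippets it checks in demo mode are constructed inline.

```shell
#!/bin/sh
# Offline check of the TLS protocol policy in nginx / Apache config files.
# Added example, not part of the article or of either project. The sample
# config snippets at the bottom are constructed for the demo.

# Expand the argument list of an ssl_protocols (nginx) or SSLProtocol (Apache)
# directive into the set of enabled TLS versions. Apache tokens may carry a
# "+" or "-" prefix and the keyword "all"; nginx tokens are plain names.
# SSLv2/SSLv3 tokens are ignored (modern OpenSSL builds cannot enable them).
enabled_versions() {
    v1=0; v11=0; v12=0; v13=0
    for tok in "$@"; do
        val=1
        case "$tok" in
            -*) val=0; tok=${tok#-} ;;
            +*) tok=${tok#+} ;;
        esac
        case "$tok" in
            [Aa][Ll][Ll]) v1=$val; v11=$val; v12=$val; v13=$val ;;
            TLSv1)   v1=$val ;;
            TLSv1.1) v11=$val ;;
            TLSv1.2) v12=$val ;;
            TLSv1.3) v13=$val ;;
        esac
    done
    out=""
    [ "$v1" -eq 1 ]  && out="$out TLSv1"
    [ "$v11" -eq 1 ] && out="$out TLSv1.1"
    [ "$v12" -eq 1 ] && out="$out TLSv1.2"
    [ "$v13" -eq 1 ] && out="$out TLSv1.3"
    echo "${out# }"
}

# Verdict for one file: ok | missing-tls13 | legacy-enabled | no-directive.
# Every protocol directive in the file is evaluated; the worst finding wins.
check_tls_policy() {
    # strip comments and nginx's trailing ';', keep only protocol directives
    lines=$(sed 's/#.*//; s/;[[:space:]]*$//' "$1" \
            | grep -iE '^[[:space:]]*(ssl_protocols|SSLProtocol)[[:space:]]' || true)
    [ -n "$lines" ] || { echo "no-directive"; return 0; }
    verdict="ok"
    old_ifs=$IFS
    IFS='
'
    for line in $lines; do
        IFS=$old_ifs
        set -- $line
        shift                      # drop the directive name, keep its tokens
        versions=$(enabled_versions "$@")
        case " $versions " in
            *" TLSv1 "*|*" TLSv1.1 "*) verdict="legacy-enabled" ;;
            *" TLSv1.3 "*) ;;
            *) [ "$verdict" = ok ] && verdict="missing-tls13" ;;
        esac
    done
    IFS=$old_ifs
    echo "$verdict"
}

# Check the files given as arguments, or run the demo on constructed snippets
if [ $# -ge 1 ]; then
    for f in "$@"; do printf '%s: %s\n' "$f" "$(check_tls_policy "$f")"; done
else
    d=$(mktemp -d)
    printf 'server {\n  ssl_protocols TLSv1.2 TLSv1.3;\n}\n' > "$d/nginx-ok.conf"
    printf 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # legacy still on\n' > "$d/nginx-legacy.conf"
    printf '<VirtualHost *:443>\n  SSLProtocol all -SSLv3\n</VirtualHost>\n' > "$d/apache-all.conf"
    printf 'SSLProtocol -all +TLSv1.2 +TLSv1.3\n' > "$d/apache-ok.conf"
    for f in "$d"/*.conf; do printf '%s: %s\n' "${f##*/}" "$(check_tls_policy "$f")"; done
    rm -rf "$d"
fi
```

Run it as `sh tls-policy-check.sh /etc/nginx/conf.d/example.com.conf` (or the Apache vhost file); with no arguments it prints the verdicts for its built-in snippets, which shows why `SSLProtocol all -SSLv3` is flagged: `all` still enables TLS 1.0 and 1.1. Note also that the cipher list in the configurations above only governs TLS 1.2 and earlier; the TLS 1.3 suites (TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256) come from OpenSSL's own default and are not changed by `ssl_ciphers` or `SSLCipherSuite` as written here.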

Verify That the Site Is Using TLS 1.3

Once the web server is configured, you can check whether your site negotiates the TLS 1.3 protocol using the Chrome browser's developer tools in Chrome version 70 or later.
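As a complement to the browser check, the following shell script asks the server directly with `openssl s_client`, one handshake pinned to each protocol version, so you can confirm that TLS 1.3 and 1.2 are accepted and that TLS 1.0 and 1.1 are refused. It is an added example, not part of the article. It assumes OpenSSL 1.1.1 or later on the client (needed for the `-tls1_3` flag) and takes the host name as its first argument; the two `s_client` excerpts embedded for the offline parser check are constructed.

```shell
#!/bin/sh
# Probe which TLS versions a host accepts, one handshake per version.
# Added example, not part of the article. Assumes OpenSSL 1.1.1+ on the client
# (for -tls1_3) and takes the host name as the first argument.

# Reduce s_client output (read from stdin) to "<version> <cipher>", or
# "refused" when no session was established. s_client summarises every run
# with "New, <version>, Cipher is <suite>"; a failed handshake prints
# "New, (NONE), Cipher is (NONE)".
negotiated() {
    result=$(sed -n 's/^New, \([^,]*\), Cipher is \(.*\)$/\1 \2/p' | head -n 1)
    case "$result" in
        ""|"(NONE) (NONE)") echo "refused" ;;
        *) echo "$result" ;;
    esac
}

# One handshake pinned to a single version via s_client's -tls1_x flag.
probe() {
    host=$1
    flag=$2
    # stdin from /dev/null makes s_client exit as soon as the handshake ends
    openssl s_client -connect "$host:443" -servername "$host" "$flag" </dev/null 2>/dev/null \
        | negotiated
}

# After the change described in the article, the -tls1_2 and -tls1_3 rows
# should show a cipher and the -tls1 / -tls1_1 rows should read "refused".
tls_report() {
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe "$1" "$flag")"
    done
}

# Constructed s_client excerpts, used to exercise the parser without a network
SAMPLE_OK='---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
'
SAMPLE_REFUSED='---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
'

if [ $# -ge 1 ]; then
    tls_report "$1"
else
    printf 'parser self-check: %s / %s\n' \
        "$(printf '%s' "$SAMPLE_OK" | negotiated)" \
        "$(printf '%s' "$SAMPLE_REFUSED" | negotiated)"
fi
```

Run it as `sh tls-probe.sh example.com`. A "refused" result in the `-tls1` or `-tls1_1` row can also mean that the local OpenSSL build no longer supports that version itself, so treat those rows as informative; the `-tls1_3` row showing a TLS_AES or TLS_CHACHA20 suite is the actual acceptance criterion for this article.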

That's all. You have successfully enabled the TLS 1.3 protocol on your domain hosted on the Apache or Nginx web server. If you have any questions about this article, feel free to ask in the comment section below.