How to Enable TLS 1.3 in Apache and Nginx


TLS 1.3 is the latest version of the Transport Layer Security (TLS) protocol. It builds on the 1.2 specification and is standardised by the IETF as RFC 8446. It offers stronger security and better performance than its predecessor: legacy mechanisms such as RSA key transport, static Diffie-Hellman and CBC-mode ciphers are gone, only forward-secret key exchange with AEAD ciphers remains, and a full handshake completes in one round trip instead of two.

In this article we show, step by step, how to obtain a valid TLS certificate and enable the TLS 1.3 protocol on a domain hosted on an Apache or Nginx web server. You will need:

  • Apache version 2.4.37 or higher.
  • Nginx version 1.13.0 or higher.
  • OpenSSL version 1.1.1 or higher (the web server must be built against it; the version check in each section below confirms this).
  • A working domain name with valid DNS records.
  • A valid TLS certificate (the next section obtains one).

Install a TLS Certificate from Let's Encrypt

To obtain a free TLS certificate from Let's Encrypt, install the acme.sh client together with the few packages it depends on (git to fetch the client, socat for the standalone HTTP-01 challenge listener) on your Linux system as shown. Run the commands as root. The --standalone mode binds port 80 to answer the challenge, so nothing else may be listening on that port while the certificate is issued.

# apt install -y socat git  [On Debian/Ubuntu]
# dnf install -y socat git  [On RHEL/CentOS/Fedora]
# mkdir /etc/letsencrypt
# git clone https://github.com/Neilpang/acme.sh.git
# cd acme.sh
# ./acme.sh --install --home /etc/letsencrypt --accountemail [email 
# cd ~
# /etc/letsencrypt/acme.sh --issue --standalone --home /etc/letsencrypt -d example.com --ocsp-must-staple --keylength 2048    [RSA 2048-bit certificate, stored under /etc/letsencrypt/example.com/]
# /etc/letsencrypt/acme.sh --issue --standalone --home /etc/letsencrypt -d example.com --ocsp-must-staple --keylength ec-256   [ECDSA P-256 certificate, stored under /etc/letsencrypt/example.com_ecc/]

NOTE: Replace example.com in the commands above with your real domain name. If the site also answers for www.example.com, add it with a second -d www.example.com on each --issue command; a certificate that does not list a name is rejected by browsers for that name. Be careful with --ocsp-must-staple: it marks the certificate as requiring a stapled OCSP response, so the web server must have OCSP stapling enabled or browsers will refuse the connection outright. Let's Encrypt has since ended its OCSP service and no longer issues Must-Staple certificates, so drop this flag unless your CA still supports it and your server configuration staples.

Once the certificates are in place, you can enable TLS 1.3 on your domain as described below.

Enable TLS 1.3 on Nginx

As mentioned in the requirements above, TLS 1.3 is supported from Nginx 1.13.0 onwards, and only when Nginx is built against OpenSSL 1.1.1 or newer. If you are running an older Nginx, upgrade it first.

# apt install nginx  [On Debian/Ubuntu]
# yum install nginx  [On RHEL/CentOS/Fedora]

Check the Nginx version and the OpenSSL version it was built with (confirm that Nginx is at least 1.13.0 and OpenSSL at least 1.1.1; the sample output below is from a 1.14.1 build).

# nginx -V
nginx version: nginx/1.14.1
built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC) 
built with OpenSSL 1.1.1 FIPS  11 Sep 2018
TLS SNI support enabled
....
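The version check above is easy to get wrong by eye (a build line reading "OpenSSL 1.0.2k" fails the requirement even though it looks close). The script below is an added example, not part of the original article: it parses `nginx -V` output for the nginx and OpenSSL versions, compares them numerically against the minimums stated above, and reports whether the build can speak TLS 1.3. The sample outputs embedded in it are constructed (one modelled on the output shown above, one for an older build); on a real host it reads `nginx -V` directly.

```shell
#!/bin/sh
# Added example (not part of the original article): decide from `nginx -V` output whether
# the build meets the TLS 1.3 minimums stated above (nginx >= 1.13.0, OpenSSL >= 1.1.1).

# Constructed sample of `nginx -V 2>&1`, modelled on the output shown above.
SAMPLE_NGINX_V='nginx version: nginx/1.14.1
built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC)
built with OpenSSL 1.1.1 FIPS  11 Sep 2018
TLS SNI support enabled'

# Constructed sample of an older build that cannot speak TLS 1.3.
SAMPLE_OLD_NGINX_V='nginx version: nginx/1.12.2
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled'

# version_ge A B: true when dotted version A is at least B. Compares the first three
# numeric components; a trailing letter such as the "k" in 1.0.2k is ignored.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            ai = (i <= n) ? x[i] + 0 : 0
            bi = (i <= m) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# nginx_version OUTPUT / openssl_version OUTPUT: pull the two version strings out of
# `nginx -V` text. Print nothing when the line is missing (for example a LibreSSL build).
nginx_version() {
    printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/\([0-9.]*\).*|\1|p' | head -n 1
}
openssl_version() {
    printf '%s\n' "$1" | sed -n 's|^built with OpenSSL \([0-9][0-9a-z.]*\).*|\1|p' | head -n 1
}

# nginx_tls13_capable OUTPUT: exit 0 if both minimums are met, 1 if not, 2 if unparseable.
nginx_tls13_capable() {
    nv=$(nginx_version "$1")
    ov=$(openssl_version "$1")
    if [ -z "$nv" ] || [ -z "$ov" ]; then
        echo "could not read nginx/OpenSSL versions from nginx -V output" >&2
        return 2
    fi
    if version_ge "$nv" 1.13.0 && version_ge "$ov" 1.1.1; then
        echo "nginx $nv with OpenSSL $ov: TLS 1.3 capable"
        return 0
    fi
    echo "nginx $nv with OpenSSL $ov: upgrade needed (want nginx >= 1.13.0, OpenSSL >= 1.1.1)"
    return 1
}

# Stand-alone use: inspect the local nginx if present, otherwise fall back to the sample.
if command -v nginx >/dev/null 2>&1; then
    nginx_tls13_capable "$(nginx -V 2>&1)"
else
    nginx_tls13_capable "$SAMPLE_NGINX_V"
fi
```

Note that `nginx -V` reports the OpenSSL the binary was compiled against; if it was later relinked against a different shared library the line also shows "running with OpenSSL ...", and it is the running version that decides what the server can negotiate.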

Now start, enable and check the status of the nginx service.

# systemctl start nginx.service
# systemctl enable nginx.service
# systemctl status nginx.service

Now open the Nginx virtual host configuration file /etc/nginx/conf.d/example.com.conf with your preferred editor.

# vi /etc/nginx/conf.d/example.com.conf

Locate the ssl_protocols directive and append TLSv1.3 to the end of the line, as shown below. If TLSv1 or TLSv1.1 are still listed there, remove them: both are deprecated (RFC 8996) and should not be offered on a server that can speak TLS 1.2 and 1.3.

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name example.com;

  # RSA certificate and key issued above with --keylength 2048
  ssl_certificate /etc/letsencrypt/example.com/fullchain.cer;
  ssl_certificate_key /etc/letsencrypt/example.com/example.com.key;
  # ECDSA certificate and key issued above with --keylength ec-256;
  # Nginx (1.11.0+) serves whichever type the client supports
  ssl_certificate /etc/letsencrypt/example.com_ecc/fullchain.cer;
  ssl_certificate_key /etc/letsencrypt/example.com_ecc/example.com.key;

  # TLS 1.0 and 1.1 are deliberately absent
  ssl_protocols TLSv1.2 TLSv1.3;
  # This list governs TLS 1.2 only; TLS 1.3 suites are fixed by OpenSSL.
  # The last four entries are CBC-mode suites kept for older clients and can be dropped.
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  ssl_prefer_server_ciphers on;
}

Finally, test the configuration and reload Nginx. Note that ssl_ciphers applies to TLS 1.2 and earlier only: the TLS 1.3 suites (TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 and TLS_AES_128_GCM_SHA256 by default) are selected by OpenSSL and cannot be restricted from ssl_ciphers. Since Nginx 1.19.4 they can be changed with ssl_conf_command Ciphersuites, but the defaults are all sound and there is normally no reason to do so.

# nginx -t
# systemctl reload nginx.service

Enable TLS 1.3 in Apache

Starting with Apache 2.4.37 you can use TLS 1.3, provided mod_ssl is built against OpenSSL 1.1.1 or newer. If you are running an older Apache, upgrade it first.

# apt install apache2  [On Debian/Ubuntu]
# yum install httpd    [On RHEL/CentOS/Fedora]

Once installed, check the Apache version and the OpenSSL version mod_ssl is linked against. Distribution packages link mod_ssl dynamically against the system OpenSSL, which is what openssl version reports.

# apache2ctl -V  [On Debian/Ubuntu]
# httpd -V       [On RHEL/CentOS/Fedora]
# openssl version

Now start, enable and check the status of the Apache service.

-------------- On Debian/Ubuntu -------------- 
# systemctl start apache2.service
# systemctl enable apache2.service
# systemctl status apache2.service

-------------- On RHEL/CentOS/Fedora --------------
# systemctl start httpd.service
# systemctl enable httpd.service
# systemctl status httpd.service

Now open the Apache virtual host configuration file with your preferred editor. On Debian/Ubuntu, virtual hosts normally live in their own file under /etc/apache2/sites-available/ and are enabled with a2ensite; the directives are the same wherever you place them.

# vi /etc/httpd/conf.d/vhost.conf  [On RHEL/CentOS/Fedora]
OR
# vi /etc/apache2/apache2.conf     [On Debian/Ubuntu]

Locate the SSLProtocol directive and add +TLSv1.3 to it as shown below. The directive names differ from Nginx: Apache uses SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder, and the TLSv1.3 keyword is only recognised by Apache 2.4.37+ built against OpenSSL 1.1.1. As with Nginx, SSLCipherSuite in the form below governs TLS 1.2 only; the TLS 1.3 suites come from OpenSSL (Apache 2.4.36+ accepts a separate "SSLCipherSuite TLSv1.3 ..." line if you need to change them).

<VirtualHost *:443>
    ServerAdmin [email 
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /data/httpd/htdocs/example.com/

    SSLEngine On

    # Allow only TLS 1.2 and 1.3; TLS 1.0 and 1.1 are deprecated (RFC 8996)
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # TLS 1.2 suites; the last four are CBC-mode suites kept for older clients and can be dropped
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on

    # RSA certificate and key issued above with --keylength 2048.
    # fullchain.cer already contains the intermediate, so SSLCertificateChainFile
    # (deprecated since 2.4.8) is not needed.
    SSLCertificateFile /etc/letsencrypt/example.com/fullchain.cer
    SSLCertificateKeyFile /etc/letsencrypt/example.com/example.com.key
    # ECDSA certificate and key issued above with --keylength ec-256;
    # Apache 2.4.8+ accepts several certificate/key pairs and serves the one the client supports
    SSLCertificateFile /etc/letsencrypt/example.com_ecc/fullchain.cer
    SSLCertificateKeyFile /etc/letsencrypt/example.com_ecc/example.com.key

    # Log file locations
    LogLevel warn
    ErrorLog  /var/log/httpd/example.com/httpserror.log
    CustomLog "|/usr/sbin/rotatelogs /var/log/httpd/example.com/httpsaccess.log.%Y-%m-%d 86400" combined
</VirtualHost>

Finally, test the configuration and reload Apache. One caveat for name-based virtual hosting: the protocol version is negotiated before the server has read the SNI name, so the SSLProtocol of the default (first) virtual host on an address:port pair is what effectively applies to every name on it. Setting SSLProtocol once at server level, in the mod_ssl configuration file, avoids surprises.

-------------- On Debian/Ubuntu -------------- 
# apache2ctl -t
# systemctl reload apache2.service

-------------- On RHEL/CentOS/Fedora --------------
# httpd -t
# systemctl reload httpd.service

Verify that the Site Uses TLS 1.3

Once the web server is configured, confirm that the site actually negotiates TLS 1.3. In Chrome 70 or later, open the developer tools, switch to the Security tab and look at the connection details, which name the protocol version and the cipher suite in use.
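A browser check only shows what that browser negotiated; from the server or a jump host you want the same answer from the command line. The script below is an added example, not part of the original article: it probes a host with openssl s_client (SNI included, as a virtual host setup requires), then parses the SSL-Session summary for the negotiated protocol and cipher. The three sample outputs it carries are constructed (a TLS 1.3 handshake, a TLS 1.2 handshake, and a failed handshake with no session block) so the parsing runs offline; the live probe needs network access and an OpenSSL 1.1.1+ client.

```shell
#!/bin/sh
# Added example (not part of the original article): find out which TLS version a site
# negotiates, using openssl s_client, by parsing its SSL-Session summary.

# Constructed sample of the summary `openssl s_client` prints after a TLS 1.3 handshake.
SAMPLE_TLS13='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
---
Verify return code: 0 (ok)'

# Constructed sample from a server that only offers TLS 1.2.
SAMPLE_TLS12='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
---
Verify return code: 0 (ok)'

# Constructed sample of a failed handshake (a TLS 1.2-only server contacted with -tls1_3):
# the server sends a protocol_version alert and no SSL-Session block is printed.
SAMPLE_FAILED='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70
---
no peer certificate available'

# negotiated_protocol OUTPUT: print the version from the "Protocol  :" line, or nothing.
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\([A-Za-z0-9.]*\).*/\1/p' | head -n 1
}

# negotiated_cipher OUTPUT: print the suite from the "Cipher    :" line, or nothing.
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# is_tls13 OUTPUT: true only when the summary reports TLSv1.3.
is_tls13() {
    [ "$(negotiated_protocol "$1")" = "TLSv1.3" ]
}

# tls_probe HOST [PORT]: connect with SNI and return the raw s_client output. With no
# protocol flag the client offers everything it supports, so the summary shows the best
# version the server is willing to negotiate. "Q" on stdin closes the session cleanly.
tls_probe() {
    printf 'Q\n' | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>&1
}

# Stand-alone use: `sh tls13check.sh example.com [port]` probes a live host; with no
# argument the constructed samples are parsed so the script runs offline.
if [ -n "$1" ]; then
    out=$(tls_probe "$1" "$2")
    if is_tls13 "$out"; then
        echo "$1: TLS 1.3 negotiated, cipher $(negotiated_cipher "$out")"
    else
        echo "$1: TLS 1.3 NOT negotiated (got '$(negotiated_protocol "$out")')"
    fi
else
    for s in "$SAMPLE_TLS13" "$SAMPLE_TLS12" "$SAMPLE_FAILED"; do
        echo "protocol=$(negotiated_protocol "$s") cipher=$(negotiated_cipher "$s")"
    done
fi
```

To insist on TLS 1.3 rather than report the best version, add -tls1_3 to the s_client command: against a server that does not offer it the handshake aborts with a protocol_version alert, which is the third sample above. curl gives the same check in one line with `curl -sSI --tlsv1.3 https://example.com` (curl 7.52 or later), which fails if the server cannot negotiate 1.3.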

That's it. You have successfully enabled TLS 1.3 on your domain hosted on an Apache or Nginx web server. If you have any questions about this article, feel free to ask in the comments section below.