RHCE Series: Implementing HTTPS through TLS using Network Security Service (NSS) for Apache - Part 8


If you are a system administrator in charge of maintaining and securing a web server, you cannot afford not to devote your very best efforts to ensure that the data served by, or passing through, your server is protected at all times.

In order to provide more secure communication between web clients and servers, the HTTPS protocol was born as a combination of HTTP and SSL (Secure Sockets Layer) or, more recently, TLS (Transport Layer Security).

Due to some serious security breaches, SSL has been deprecated in favor of the more robust TLS. For that reason, in this article we will explain how to secure connections between your web server and its clients using TLS.

This tutorial assumes that you have already installed and configured your Apache web server. If not, please refer to the following article on this site before proceeding.

  1. Install LAMP (Linux, MySQL/MariaDB, Apache and PHP) on RHEL/CentOS 7

Installing OpenSSL and Utilities

First, make sure that Apache is running and that both http and https are allowed through the firewall (the service unit is httpd, and permanent firewall rules only take effect after a reload):

# systemctl start httpd
# systemctl enable httpd
# firewall-cmd --permanent --add-service=http
# firewall-cmd --permanent --add-service=https
# firewall-cmd --reload

Then install the necessary packages:

# yum update && yum install openssl mod_nss crypto-utils

Important: Please note that you can replace mod_nss with mod_ssl in the command above if you want to use the OpenSSL libraries instead of NSS (Network Security Service) to implement TLS (which one to use is entirely up to you, but we will use NSS in this article as it is more robust; for example, it supports recent cryptography standards such as PKCS #11).

Finally, uninstall mod_ssl if you chose to use mod_nss, or vice versa.

# yum remove mod_ssl

Configuring NSS (Network Security Service)

After mod_nss is installed, its default configuration file is created as /etc/httpd/conf.d/nss.conf. You should then make sure that all of the Listen and VirtualHost directives point to port 443 (the default port for HTTPS):

Listen 443
<VirtualHost _default_:443>

Then restart Apache and check whether the mod_nss module has been loaded:

# apachectl restart
# httpd -M | grep nss

Next, the following edits should be made in the /etc/httpd/conf.d/nss.conf configuration file:

1. Indicate the NSS database directory. You can use the default directory or create a new one. In this tutorial we will use the default:

NSSCertificateDatabase /etc/httpd/alias

2. Avoid having to enter the passphrase manually on each system start by storing it in a file that mod_nss reads, /etc/httpd/nss-db-password.conf:

NSSPassPhraseDialog file:/etc/httpd/nss-db-password.conf

where /etc/httpd/nss-db-password.conf contains ONLY the following line, and mypassword is the passphrase that you will set later for the NSS database:

internal:mypassword

In addition, its permissions and ownership should be set to 0640 and root:apache, respectively, so that httpd can read the passphrase but other local users cannot:

# chmod 640 /etc/httpd/nss-db-password.conf
# chgrp apache /etc/httpd/nss-db-password.conf

3. Red Hat recommends disabling SSL and all versions of TLS prior to TLSv1.0 because of the POODLE SSLv3 vulnerability (more information here).

Make sure that every instance of the NSSProtocol directive reads as follows (you will likely find only one if you are not hosting other virtual hosts):

NSSProtocol TLSv1.0,TLSv1.1

4. Apache will refuse to restart because the certificate is self-signed, so it will not recognize the issuer as valid. For that reason, in this particular case you will have to add:

NSSEnforceValidCerts off

5. Although not strictly required, it is important to set a passphrase for the NSS database:

# certutil -W -d /etc/httpd/alias
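The checks from steps 1 to 5 gathered into a small audit script, added here as an example and not taken from the article. It assumes POSIX grep and find, and takes the expected owner and group as optional arguments (defaulting to root:apache) so it can also be tried on a test box:

```bash
#!/bin/bash
# Added audit helper (not from the article): checks that nss.conf and the
# NSSPassPhraseDialog file follow the settings from steps 1-5 above.
# Usage: ./nss-audit.sh /etc/httpd/conf.d/nss.conf /etc/httpd/nss-db-password.conf

_finding() { echo "FAIL: $1"; NSS_FINDINGS=$((NSS_FINDINGS + 1)); }

# Print only the active (uncommented) lines of a config file, so a stale
# commented-out default is never mistaken for an active setting.
_active() { grep -Ev '^[[:space:]]*#' "$1"; }

# audit_nss_conf FILE: one FAIL line per problem; return value = number of findings.
audit_nss_conf() {
    conf="$1"; NSS_FINDINGS=0
    _active "$conf" | grep -Eq '^[[:space:]]*Listen[[:space:]]+443([[:space:]]|$)' \
        || _finding "no 'Listen 443' directive"
    _active "$conf" | grep -Eq '^[[:space:]]*<VirtualHost[[:space:]]+_default_:443>' \
        || _finding "no '<VirtualHost _default_:443>' block"
    _active "$conf" | grep -Eq '^[[:space:]]*NSSCertificateDatabase[[:space:]]+/' \
        || _finding "NSSCertificateDatabase is not set to an absolute path"
    _active "$conf" | grep -Eq '^[[:space:]]*NSSPassPhraseDialog[[:space:]]+file:/' \
        || _finding "NSSPassPhraseDialog does not read the passphrase from a file"
    _active "$conf" | grep -Eq '^[[:space:]]*NSSProtocol[[:space:]]' \
        || _finding "no explicit NSSProtocol directive"
    # POODLE: no NSSProtocol line may still list SSLv2 or SSLv3.
    if _active "$conf" | grep -E '^[[:space:]]*NSSProtocol' | grep -Eiq 'SSLv[23]'; then
        _finding "an NSSProtocol directive still enables SSLv2/SSLv3"
    fi
    # Informational only: expected while the self-signed certificate is in use.
    if _active "$conf" | grep -Eiq '^[[:space:]]*NSSEnforceValidCerts[[:space:]]+off'; then
        echo "NOTE: NSSEnforceValidCerts off; re-enable once a CA-signed cert is installed"
    fi
    return "$NSS_FINDINGS"
}

# audit_pw_file FILE [OWNER] [GROUP]: same contract; owner:group defaults to root:apache.
audit_pw_file() {
    pwfile="$1"; owner="${2:-root}"; group="${3:-apache}"; NSS_FINDINGS=0
    [ -f "$pwfile" ] || { _finding "$pwfile does not exist"; return "$NSS_FINDINGS"; }
    # Exactly one line of the form internal:<passphrase> and nothing else.
    [ "$(wc -l < "$pwfile")" -eq 1 ] || _finding "passphrase file must contain exactly one line"
    grep -Eq '^internal:.+$' "$pwfile" || _finding "line is not of the form internal:<passphrase>"
    # 0640 and root:apache keep it readable by httpd but not by other local users.
    [ -n "$(find "$pwfile" -prune -perm 640)" ] || _finding "mode is not 0640"
    [ -n "$(find "$pwfile" -prune -user "$owner" -group "$group")" ] \
        || _finding "owner:group is not $owner:$group"
    return "$NSS_FINDINGS"
}
```

Both functions exit non-zero when something is wrong, so they can be chained in a deployment check before `apachectl restart`.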