Secure Apache with a Let's Encrypt certificate on CentOS 8

Date: 2020-01-09 10:37:11  Source: igfitidea

Let's Encrypt is a free, automated and open certificate authority for web servers and other uses.
How do you secure Apache with a Let's Encrypt certificate on CentOS 8?

Let's Encrypt is a free, automated and open certificate authority that can issue certificates for websites served by the Apache web server.
This page shows how to install a free SSL certificate from Let's Encrypt for the Apache web server.
You will also learn how to deploy Diffie-Hellman parameters correctly on the server so that it earns an SSL Labs A+ score on CentOS Linux 8.

How to secure Apache with a Let's Encrypt certificate on CentOS 8

The procedure for obtaining an SSL certificate is as follows:

  • Install the SSL/TLS module for the Apache HTTP server on CentOS 8: sudo yum install mod_ssl
  • Obtain the acme.sh software by running git clone https://github.com/Neilpang/acme.sh.git
  • Create a new /.well-known/acme-challenge/ directory with: mkdir -p /var/www/html/.well-known/acme-challenge/
  • Obtain an SSL certificate for your domain: acme.sh --issue -w /DocumentRootPath/ -d your-domain
  • Configure TLS/SSL for Apache on CentOS Linux 8: vi /etc/httpd/conf.d/ssl.conf
  • Set up a cron job to renew the SSL/TLS certificate automatically
  • Open port 443 (HTTPS) in the firewall: sudo firewall-cmd --add-service=https

Our sample setup is as follows

My example: securing Apache on CentOS 8 with a Let's Encrypt SSL certificate.
Let's see how to install the acme.sh client and use it on CentOS 8 to obtain an SSL certificate from Let's Encrypt.
Before you begin, apply all pending patches on CentOS 8:

sudo yum update

Step 1: Install mod_ssl for Apache

Type the following yum command:

$ sudo yum install mod_ssl

Step 2: Install the acme.sh Let's Encrypt client

acme.sh needs wget, curl, bc, socat and the git client installed on CentOS 8. Run:

$ sudo yum install wget curl bc git socat
Last metadata expiration check: 0:06:51 ago on Wednesday 02 October 2019 05:49:51 PM UTC.
Package wget-1.19.5-7.el8_0.1.x86_64 is already installed.
Package curl-7.61.1-8.el8.x86_64 is already installed.
Dependencies resolved.
=========================================================================================
Package                  Arch           Version                 Repository         Size
=========================================================================================
Installing:
git                      x86_64         2.18.1-3.el8            AppStream         186 k
socat                    x86_64         1.7.3.2-6.el8           AppStream         298 k
bc                       x86_64         1.07.1-5.el8            BaseOS            129 k
Installing dependencies:
git-core                 x86_64         2.18.1-3.el8            AppStream         4.1 M
git-core-doc             noarch         2.18.1-3.el8            AppStream         2.3 M
perl-Error               noarch         1:0.17025-2.el8         AppStream          46 k
perl-Git                 noarch         2.18.1-3.el8            AppStream          77 k
perl-TermReadKey         x86_64         2.37-7.el8              AppStream          40 k
emacs-filesystem         noarch         1:26.1-5.el8            BaseOS             69 k
 
Transaction Summary
=========================================================================================
Install  9 Packages
 
Total download size: 7.1 M
Installed size: 38 M
Is this ok [y/N]: y

Clone the repository

Run the following commands:

$ cd /tmp/
$ git clone https://github.com/Neilpang/acme.sh.git

Next, install the acme.sh client on the system. Run:

$ sudo -i
# cd /tmp/acme.sh/
# ./acme.sh --install

The software is now installed on the CentOS 8 server.
You must close the current terminal or ssh session and open it again for the acme.sh alias to take effect.
Alternatively, type the following source command (as root, since acme.sh was installed into root's home directory):

# source ~/.bashrc

To verify that acme.sh works, run:

# acme.sh --version

Sample output:

https://github.com/Neilpang/acme.sh
v2.8.3

Step 3: Create the acme-challenge directory

Type the following mkdir commands.
Make sure $D is set to your actual DocumentRoot path:

# D=/var/www/html/
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R apache:apache ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/

Also create a directory to store the SSL certificate and key:

# mkdir -p /etc/httpd/ssl/theitroad.local/

Step 4: Create the dhparams.pem file

Run the openssl command:

# cd /etc/httpd/ssl/theitroad.local/
# openssl dhparam -out dhparams.pem -dsaparam 4096


Turn on the Apache service if it is not enabled

Is Apache running?
If the Apache service is not started, use the systemctl command as follows:

$ sudo systemctl status httpd.service
$ sudo systemctl enable httpd.service
$ sudo systemctl start httpd.service
$ sudo systemctl status httpd.service

Make sure TCP port 80 is open as well

Run the following firewall-cmd commands to open TCP port 80 on CentOS 8:

$ sudo firewall-cmd --permanent --add-service=http --zone=public
$ sudo firewall-cmd --reload
$ sudo firewall-cmd --list-services --zone=public

Step 5: Obtain an SSL/TLS certificate for your domain

Issue a certificate for your domain.
The syntax is:

# acme.sh --issue -w /path/to/www/htmlRoot/ -d your-domain-example-com -k 2048
# acme.sh --issue -w /path/to/www/htmlRoot/ -d www.theitroad.local -k 4096
# acme.sh --issue -w /var/www/html/ -d centos8.theitroad.local -k 4096

Step 6: Configure Apache to use SSL/TLS

Edit the file /etc/httpd/conf.d/ssl.conf with a text editor such as vi:

$ sudo vi /etc/httpd/conf.d/ssl.conf

Append or update it as follows:

### Start config for port 443 #
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLCryptoDevice builtin
 
### Turn on HTTP2 support #
Protocols h2 http/1.1
 
### Redirect all http urls to https #
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L,QSA]
#################################################
# SSL/TLS config for domain centos8.theitroad.local #
#################################################
<VirtualHost centos8.theitroad.local:443>
 
        ### Log files  #
        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        LogLevel warn
        SSLEngine on
 
        ### No more SSL3/2 #
        SSLProtocol             all -SSLv3
        SSLHonorCipherOrder on
        SSLCompression          off
        SSLSessionTickets       off
        SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 
        ### Path to certs #
        SSLCertificateFile      /etc/httpd/ssl/theitroad.local/centos8.theitroad.local.cer
        SSLCertificateKeyFile   /etc/httpd/ssl/theitroad.local/centos8.theitroad.local.key
 
        #Forward Secrecy & Diffie Hellman ephemeral parameters
        SSLOpenSSLConfCmd DHParameters "/etc/httpd/ssl/theitroad.local/dhparams.pem"
 
        # HSTS (mod_headers is required) (15768000 seconds = 6 months)
        Header always set Strict-Transport-Security "max-age=15768000"
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "/var/www/cgi-bin">
                SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-5]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request_log \
                "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
 
### OCSP stapling config
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)

Save and close the file, then exit the vim text editor.

A note about more secure SSL options

Update the configuration above as follows to disable SSLv3 and TLS versions 1.0 and 1.1 entirely.
This is the general-purpose Apache server configuration recommended for almost all systems that serve a variety of clients:

SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder     off
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

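As an added example (not code from the original article), the following POSIX shell script audits an ssl.conf for the two weaknesses this note addresses: protocol versions older than TLS 1.2 left enabled by an SSLProtocol line, and SSLCipherSuite entries without forward secrecy or using 3DES, as in the article's first cipher list. The file name audit_ssl.sh is an assumption, and the script expects explicit OpenSSL suite names as the article uses rather than aliases such as HIGH.

```shell
#!/bin/sh
# Added example (not from the original article): audit the SSLProtocol and
# SSLCipherSuite lines of a mod_ssl config against the hardened settings above.
# Usage: sh audit_ssl.sh /etc/httpd/conf.d/ssl.conf   (exit status 0 = clean)
# Versions left enabled by one SSLProtocol line: "all" expands to every version,
# "+X" or bare "X" adds one, "-X" removes one (mod_ssl semantics).
ssl_enabled_protocols() {
    printf '%s\n' "$1" | awk '{
        all = "SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
        for (i = 2; i <= NF; i++) {
            tok = $i; act = substr(tok, 1, 1)
            if (act == "+" || act == "-") { tok = substr(tok, 2) } else { act = "+" }
            if (tolower(tok) == "all") { n = split(all, v, " ") } else { n = 1; v[1] = tok }
            for (j = 1; j <= n; j++) { if (act == "+") { on[v[j]] = 1 } else { delete on[v[j]] } }
        }
        m = split(all, order, " "); out = ""
        for (j = 1; j <= m; j++) { if (order[j] in on) { out = out (out == "" ? "" : " ") order[j] } }
        print out
    }'
}

# Suites in one SSLCipherSuite line that lack forward secrecy (not ECDHE/DHE) or
# use 3DES/RC4/MD5. Expects explicit names joined by ":"; "!" exclusions are skipped.
ssl_weak_ciphers() {
    printf '%s\n' "$1" | awk '{
        n = split($2, c, ":"); for (i = 1; i <= n; i++) {
            if (c[i] !~ /^!/ && (c[i] !~ /^(ECDHE|DHE)-/ || c[i] ~ /DES-CBC3|RC4|MD5/)) {
                printf "%s%s", (w++ ? ":" : ""), c[i] }
        }
        print ""
    }'
}

# Read a config on stdin, print one WEAK: line per finding, return 1 if any.
audit_ssl_conf() {
    rc=0
    while read -r key rest; do
        case "$key" in
        SSLProtocol)
            on=$(ssl_enabled_protocols "$key $rest")
            for p in SSLv3 TLSv1 TLSv1.1; do
                case " $on " in *" $p "*) echo "WEAK: $p enabled by: SSLProtocol $rest"; rc=1 ;; esac
            done ;;
        SSLCipherSuite)
            weak=$(ssl_weak_ciphers "$key $rest")
            if [ -n "$weak" ]; then echo "WEAK: no-PFS or legacy ciphers: $weak"; rc=1; fi ;;
        esac
    done
    return $rc
}
if [ $# -gt 0 ]; then audit_ssl_conf < "$1"; fi
```

Run against the article's first ssl.conf it reports TLSv1, TLSv1.1 and the CBC/3DES suites; against the hardened lines above it exits 0.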

Step 7: Install the certificate

Type the following command:

# acme.sh --installcert -d centos8.theitroad.local \
--keypath /etc/httpd/ssl/theitroad.local/centos8.theitroad.local.key \
--fullchainpath /etc/httpd/ssl/theitroad.local/centos8.theitroad.local.cer \
--reloadcmd 'systemctl reload httpd'

Step 8: Configure the firewall on CentOS Linux 8 to open HTTPS TCP port 443

Our Apache is now up and running with mod_ssl.
It is time to open TCP port 443 (HTTPS) on the CentOS 8 server so that clients can connect to it.
Update the rules as follows:

$ sudo firewall-cmd --permanent --add-service=https --zone=public
$ sudo firewall-cmd --reload
$ sudo firewall-cmd --list-services --zone=public

Verify that ports 443 and 80 are open and listening with the ss command together with grep/egrep:

$ sudo ss -tulpn
$ sudo ss -tulpn | egrep ':(80|443)'

Sample output:

tcp    LISTEN   0        128                     *:443                 *:*       users:(("httpd",pid=12079,fd=9),("httpd",pid=12078,fd=9),("httpd",pid=12077,fd=9),("httpd",pid=10782,fd=9))
tcp    LISTEN   0        128                     *:80                  *:*       users:(("httpd",pid=12079,fd=4),("httpd",pid=12078,fd=4),("httpd",pid=12077,fd=4),("httpd",pid=10782,fd=4))

Step 9: Test it

Create a test page named index.html:

sudo vi /var/www/html/index.html

Append the following HTML:

<html>
    <head>
        <title>CentOS8 Apache test server - theitroad</title>
    </head>
    <body>
        <h2>Hello, world!</h2>
        <p>
            I run on CentOS Linux 8. I act as a testbed for theitroad test lab.
            I exist to help sysadmins and developers to help learn CentOS 8.
        </p>
        <hr>
        <small>Apache 2 server running on CentOS 8 with Let's Encrypt</small>
    </body>
</html>

Save and close the file.
Fire up a web browser and enter your domain, for example:

https://centos8.theitroad.local

Test the site with the SSL Labs test service:

https://www.ssllabs.com/ssltest/analyze.html?d=centos8.theitroad.local

Step 10: acme.sh commands

To list all SSL/TLS certificates, run:

# acme.sh --list

Renew the certificate for the domain named server2.theitroad.local:

# acme.sh --renew -d centos8.theitroad.local

Note that a cron job will also try to renew the certificate for you.
It is installed by default as follows (you do not need to do anything).
To view the job, run:

# crontab -l

Sample output:

38 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Upgrade the acme.sh client:

# acme.sh --upgrade

Get help:

# acme.sh --help | more