在CentOS 8上如何使用Lets Encrypt证书保护Apache安全
获取SSL证书的过程如下:
- 在CentOS 8中为Apache HTTP服务器安装SSL / TLS模块:
sudo yum install mod_ssl - 获取acme.sh软件,运行
git clone https:// github.com / Neilpang / acme.sh.git - 使用以下命令创建一个新的/.well-known/acme-challenge/目录:
mkdir -p / var / www / html / .well-known / acme-challenge / - 在您的域中获取SSL证书:
acme.sh --issue -w / DocumentRootPath / -d your-domain - 在CentOS Linux 8上为Apache配置TLS / SSL:
vi / etc / httpd / conf.d / ssl.conf - 设置cron作业以自动续订SSL / TLS证书
- 使用防火墙打开端口443(HTTPS):
sudo firewall-cmd --add-service = https
我们的示例设置如下
让我们看看如何安装acme.sh客户端并在CentOS 8上使用它来从Lets Encrypt获得SSL证书。在您开始在CentOS 8上应用所有补丁之前:
sudo yum update
步骤9进行测试
创建一个名为index.html的测试页:
sudo vi /var/www/html/index.html
内容以下:
<html>
<head>
<title>CentOS8 Apache test server</title>
</head>
<body>
<h2>Hello, world!</h2>
</body>
</html>
保存并关闭文件。
使用浏览器打开我们的网站:
https://centos8.onitroad.local
使用SSLlabs测试站点进行测试:
https://www.ssllabs.com/ssltest/analyze.html?d=centos8.onitroad.local
步骤2安装acme.sh,加密客户端
您需要在CentOS 8上安装wget,curl,bc,socat和git client,以便运行acme.sh。
$ sudo yum install wget curl bc git socat
克隆仓库
执行以下命令:
$ cd /tmp/ $ git clone https://github.com/Neilpang/acme.sh.git
接下来,将acme.sh客户端安装到系统上,运行:
$ cd acme.sh/ $ sudo -i # cd acme.sh/ # ./acme.sh --install
现在我们需要在CentOS 8服务器上安装软件。您必须关闭当前终端或ssh会话,然后再次重新打开以使别名生效。或键入以下source命令:
$ sudo source ~/.bashrc
验证acme.sh是否正常运行,运行:
# acme.sh --version
输出示例:
https://github.com/Neilpang/acme.sh v2.8.3
步骤1为Apache安装mod_ssl
键入以下yum命令:
$ sudo yum install mod_ssl
如何在CentOS 8上使用Lets Encrypt证书来保护Apache? Lets Encrypt是由Apache Web服务器支持的网站的免费,自动和开放证书颁发机构。本教程说明如何使用Lets Encrypt为Apache Web服务器安装免费的SSL证书。
Lets Encrypt是针对Web服务器和其他用途的免费,自动化和开放的证书。
步骤5申请域名的SSL / TLS凭证
为您的域颁发证书。语法为:
# acme.sh --issue -w /path/to/www/htmlRoot/ -d your-domain-example-com -k 2048 # acme.sh --issue -w /path/to/www/htmlRoot/ -d www.onitroad.local -k 4096 # acme.sh --issue -w /var/www/html/ -d centos8.onitroad.local -k 4096
步骤7安装证书
键入以下命令:
# acme.sh --installcert -d centos8.onitroad.local \ --keypath /etc/httpd/ssl/onitroad.local/centos8.onitroad.local.key \ --fullchainpath /etc/httpd/ssl/onitroad.local/centos8.onitroad.local.cer \ --reloadcmd 'systemctl reload httpd'
步骤4建立dhparams.pem档案
运行openssl命令:
# cd /etc/httpd/ssl/onitroad.local/ # openssl dhparam -out dhparams.pem -dsaparam 4096
如果Apache服务未启动,则启动
Apache正在运行吗?如果没有启动Apache服务,请使用systemctl命令如下:
$ sudo systemctl status httpd.service $ sudo systemctl enable httpd.service $ sudo systemctl start httpd.service $ sudo systemctl status httpd.service
确保防火墙的TCP端口80也打开
运行以下firewall-cmd命令以打开CentOS 8上的TCP端口80:
$ sudo firewall-cmd --permanent --add-service=http --zone=public $ sudo firewall-cmd --reload $ sudo firewall-cmd --list-services --zone=public
步骤3建立acme-challenge目录
键入以下mkdir命令。确保根据需要将${D}设置为实际的Apache站点DocumentRoot路径:
# D=/var/www/html/
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R apache:apache ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/
另外,创建一个目录来存储SSL证书:
# mkdir -p /etc/httpd/ssl/onitroad.local/
步骤6将Apache配置为使用SSL / TLS
使用文本编辑器(例如vi命令)编辑名为/etc/httpd/conf.d/ssl.conf的文件:
$ sudo vi /etc/httpd/conf.d/ssl.conf
修改内容如下:
### Start config for port 443 #
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLCryptoDevice builtin
### Turn on HTTP2 support #
Protocols h2 http/1.1
### Redirect all http urls to https #
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L,QSA]
#################################################
# SSL/TLS config for domain centos8.onitroad.local #
#################################################
<VirtualHost centos8.onitroad.local:443>
### Log files #
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
### No more SSL3/2 #
SSLProtocol all -SSLv3
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
### Path to certs #
SSLCertificateFile /etc/httpd/ssl/onitroad.local/centos8.onitroad.local.cer
SSLCertificateKeyFile /etc/httpd/ssl/onitroad.local/centos8.onitroad.local.key
#Forward Secrecy & Diffie Hellman ephemeral parameters
SSLOpenSSLConfCmd DHParameters "/etc/httpd/ssl/onitroad.local/dhparams.pem"
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
### OCSP stapling config
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
保存并关闭文件,然后退出编辑器。
有关更安全的SSL选项的说明
如下更新上面的配置以禁用SSL和TLS版本1 / 1.1。以下是推荐的通用Apache服务器配置:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLHonorCipherOrder off SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
步骤8在CentOS Linux 8上进行防火墙配置以打开HTTPS tcp端口443
现在,我们的Apache使用mod_ssl启动并运行。在CentOS 8服务器上打开TCP端口443(HTTPS),以便客户端可以连接到它了。
$ sudo firewall-cmd --permanent --add-service=https --zone=public $ sudo firewall-cmd --reload $ sudo firewall-cmd --list-services --zone=public
借助ss命令以及grep命令/ egrep命令,验证端口443和80处于打开状态:
$ sudo ss -tulpn $ sudo ss -tulpn | egrep ':(80|443)'
输出示例:
tcp LISTEN 0 128 *:443 *:* users:(("httpd",pid=12079,fd=9),("httpd",pid=12078,fd=9),("httpd",pid=12077,fd=9),("httpd",pid=10782,fd=9))
tcp LISTEN 0 128 *:80 *:* users:(("httpd",pid=12079,fd=4),("httpd",pid=12078,fd=4),("httpd",pid=12077,fd=4),("httpd",pid=10782,fd=4))
步骤10 acme.sh相关命令
列出所有SSL / TLS证书,运行:
# acme.sh --list
续订域名server2.onitroad.local的证书
# acme.sh --renew -d centos8.onitroad.local
请注意,Cron作业也会尝试为您续订证书。默认情况下按如下方式安装(您无需采取任何措施)。要查看作业运行:
# crontab -l
输出示例:
38 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
升级acme.sh客户端:
# acme.sh --upgrade
获得帮助:
# acme.sh --help | more
日期:2019-11-20 08:54:17 来源:oir作者:oir