先看测试结果:https://www.ssllabs.com/ssltest/analyze.html?d=cnlic.com&latest
1、全站https:重定向http请求至https
a2enmod ssl a2enmod rewrite
/etc/apache2/sites-available/cnlic80.conf内容如下:
<VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} </IfModule> </VirtualHost>
/etc/apache2/sites-available/cnlic443.conf内容如下:
<IfModule mod_ssl.c> <VirtualHost *:443> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine On SSLCertificateFile /etc/apache2/ssl/cnlic_com.crt SSLCertificateKeyFile /etc/apache2/ssl/cnlic_com.key </VirtualHost> </IfModule>
a2dissite 000-default a2dissite default-ssl a2ensite cnlic80 a2ensite cnlic443
2、禁用SSLv2、SSLv3协议
/etc/apache2/sites-available/cnlic443.conf内容如下:
<IfModule mod_ssl.c> <VirtualHost *:443> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine On SSLProtocol all -SSLv2 -SSLv3 SSLCertificateFile /etc/apache2/ssl/cnlic_com.crt SSLCertificateKeyFile /etc/apache2/ssl/cnlic_com.key </VirtualHost> </IfModule>
3、只启用安全的SSL加密套件
/etc/apache2/sites-available/cnlic443.conf内容如下:
<IfModule mod_ssl.c> <VirtualHost *:443> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine On SSLProtocol all -SSLv2 -SSLv3 SSLCertificateFile /etc/apache2/ssl/cnlic_com.crt SSLCertificateKeyFile /etc/apache2/ssl/cnlic_com.key SSLHonorCipherOrder On SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DES-CBC3-SHA" </VirtualHost> </IfModule>
注:IE 6 / XP也是支持的,但需要在IE设置高级选项中打开“使用 TLS 1.0”
4、开启Strict Transport Security (HSTS)
a2enmod headers
/etc/apache2/sites-available/cnlic443.conf内容如下:
<IfModule mod_ssl.c> <VirtualHost *:443> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" SSLEngine On SSLProtocol all -SSLv2 -SSLv3 SSLCertificateFile /etc/apache2/ssl/cnlic_com.crt SSLCertificateKeyFile /etc/apache2/ssl/cnlic_com.key SSLHonorCipherOrder On SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DES-CBC3-SHA" </VirtualHost> </IfModule>
5、开启Public Key Pinning (HPKP)
pin-sha256可通过csr、crt、key、https等生成,可参考https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
openssl x509 -in /etc/apache2/ssl/cnlic_com.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
要两个,第二个可随便生成一个,不存在的也行。
/etc/apache2/sites-available/cnlic443.conf内容如下:
<IfModule mod_ssl.c> <VirtualHost *:443> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" Header always set Public-Key-Pins "pin-sha256=\"MijrRMqLamJ5JIdQY2z07/U4iRdUqTxu5ei8+FfSKnE=\"; pin-sha256=\"b5EjL7NMkpmKiO8Q5gXMahNdgjbPIxA1u7fYkhMAWLk=\"; max-age=86400; includeSubDomains" SSLEngine On SSLProtocol all -SSLv2 -SSLv3 SSLCertificateFile /etc/apache2/ssl/cnlic_com.crt SSLCertificateKeyFile /etc/apache2/ssl/cnlic_com.key SSLHonorCipherOrder On SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DES-CBC3-SHA" </VirtualHost> </IfModule>
6、开启OCSP stapling
/etc/apache2/sites-available/cnlic443.conf内容如下:
<IfModule mod_ssl.c> SSLStaplingCache shmcb:/var/run/ocsp(128000) <VirtualHost *:443> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" Header always set Public-Key-Pins "pin-sha256=\"MijrRMqLamJ5JIdQY2z07/U4iRdUqTxu5ei8+FfSKnE=\"; pin-sha256=\"b5EjL7NMkpmKiO8Q5gXMahNdgjbPIxA1u7fYkhMAWLk=\"; max-age=86400; includeSubDomains" SSLEngine On SSLProtocol all -SSLv2 -SSLv3 SSLCertificateFile /etc/apache2/ssl/cnlic_com.crt SSLCertificateKeyFile /etc/apache2/ssl/cnlic_com.key SSLHonorCipherOrder On SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DES-CBC3-SHA" SSLUseStapling On SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors Off </VirtualHost> </IfModule>
7、重启apache2
service apache2 restart
原文:https://cnlic.com/?p=372