
First, the test result: https://www.ssllabs.com/ssltest/analyze.html?d=cnlic.com&latest
1. Site-wide HTTPS: redirect HTTP requests to HTTPS
a2enmod ssl
a2enmod rewrite
Contents of /etc/apache2/sites-available/cnlic80.conf:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</IfModule>
</VirtualHost>
Contents of /etc/apache2/sites-available/cnlic443.conf:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/cnlic_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/cnlic_com.key
</VirtualHost>
</IfModule>
a2dissite 000-default
a2dissite default-ssl
a2ensite cnlic80
a2ensite cnlic443
2. Disable the SSLv2 and SSLv3 protocols
Contents of /etc/apache2/sites-available/cnlic443.conf:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/cnlic_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/cnlic_com.key
</VirtualHost>
</IfModule>
3. Enable only secure SSL cipher suites
Contents of /etc/apache2/sites-available/cnlic443.conf:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/cnlic_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/cnlic_com.key
SSLHonorCipherOrder On
SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DES-CBC3-SHA"
</VirtualHost>
</IfModule>
Note: IE 6 on XP is also supported, but "Use TLS 1.0" must be turned on under IE's Advanced settings.
4. Enable Strict Transport Security (HSTS)
a2enmod headers
Contents of /etc/apache2/sites-available/cnlic443.conf:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/cnlic_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/cnlic_com.key
SSLHonorCipherOrder On
SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DES-CBC3-SHA"
</VirtualHost>
</IfModule>
5. Enable Public Key Pinning (HPKP)
The pin-sha256 value can be generated from the CSR, the CRT, the key, or the live HTTPS site; see https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
openssl x509 -in /etc/apache2/ssl/cnlic_com.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

Two pins are required; the second can be any pin you generate, even one for a key that does not exist.
Contents of /etc/apache2/sites-available/cnlic443.conf:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Public-Key-Pins "pin-sha256=\"MijrRMqLamJ5JIdQY2z07/U4iRdUqTxu5ei8+FfSKnE=\"; pin-sha256=\"b5EjL7NMkpmKiO8Q5gXMahNdgjbPIxA1u7fYkhMAWLk=\"; max-age=86400; includeSubDomains"
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/cnlic_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/cnlic_com.key
SSLHonorCipherOrder On
SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DES-CBC3-SHA"
</VirtualHost>
</IfModule>
6. Enable OCSP stapling
Contents of /etc/apache2/sites-available/cnlic443.conf:
<IfModule mod_ssl.c>
SSLStaplingCache shmcb:/var/run/ocsp(128000)
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Public-Key-Pins "pin-sha256=\"MijrRMqLamJ5JIdQY2z07/U4iRdUqTxu5ei8+FfSKnE=\"; pin-sha256=\"b5EjL7NMkpmKiO8Q5gXMahNdgjbPIxA1u7fYkhMAWLk=\"; max-age=86400; includeSubDomains"
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/cnlic_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/cnlic_com.key
SSLHonorCipherOrder On
SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DES-CBC3-SHA"
SSLUseStapling On
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors Off
</VirtualHost>
</IfModule>
7. Restart apache2
service apache2 restart
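Before restarting, it is worth checking that every step above actually landed in the site files, since a typo in one directive silently leaves the old behaviour in place. The script below is an added example, not part of the original post or the site's own configuration: it reads an Apache site file and reports which of steps 1 to 6 are present. It is purely static (no network), so the sample site files it audits are constructed in temp files with illustrative paths rather than the post's real paths. Two deliberate departures from the post's final config: the hardened sample drops DES-CBC3-SHA, because the checker flags 3DES, RC4, NULL, export and MD5 suites as legacy ciphers that the SSL Labs test marks down, and the Public-Key-Pins header is reported as informational only, since current browsers no longer enforce HPKP and a wrong pin set (which is what an arbitrary second pin gives you instead of a real backup key) locks clients out for max-age seconds.

```shell
#!/bin/sh
# Added example (not from the original post): static audit of the :80 and :443
# Apache site files built in the post. Paths inside the sample configs are
# assumed/illustrative; the samples themselves are constructed in temp files.

# has_directive FILE PATTERN -> exit 0 if an uncommented line matches PATTERN (case-insensitive ERE)
has_directive() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -Eiq "$2"
}

# check_one FILE LABEL PATTERN -> prints "ok: LABEL" or "MISSING: LABEL"
check_one() {
    if has_directive "$1" "$3"; then echo "ok: $2"; else echo "MISSING: $2"; fi
}

# audit_ssl_vhost FILE -> one line per check for the :443 site (post steps 2-6)
audit_ssl_vhost() {
    check_one "$1" "SSLEngine on"                 'SSLEngine[[:space:]]+On'
    # the post uses "SSLProtocol all -SSLv2 -SSLv3"; the "-all +TLSv1.2" style is accepted too
    check_one "$1" "SSLv2 disabled"               'SSLProtocol.*(-SSLv2|-all)'
    check_one "$1" "SSLv3 disabled"               'SSLProtocol.*(-SSLv3|-all)'
    check_one "$1" "server cipher order enforced" 'SSLHonorCipherOrder[[:space:]]+On'
    check_one "$1" "HSTS header with max-age"     'Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security.*max-age='
    check_one "$1" "OCSP stapling enabled"        'SSLUseStapling[[:space:]]+On'
    check_one "$1" "OCSP stapling cache"          'SSLStaplingCache[[:space:]]+shmcb:'
    # legacy suites the SSL Labs test marks down: RC4, 3DES (the DES-CBC3-SHA kept for IE6/XP), NULL, export, MD5
    if has_directive "$1" 'SSLCipherSuite.*(RC4|DES-CBC3|3DES|NULL|EXP|MD5)'; then
        echo "WEAK: SSLCipherSuite lists a legacy cipher (RC4/3DES/NULL/EXPORT/MD5)"
    else
        echo "ok: no legacy ciphers in SSLCipherSuite"
    fi
    # HPKP is informational only: current browsers do not enforce it, and a wrong
    # pin set locks clients out of the site for max-age seconds.
    if has_directive "$1" 'Header.*Public-Key-Pins'; then
        echo "info: Public-Key-Pins header present (unenforced by current browsers; keep max-age short)"
    fi
}

# audit_redirect_vhost FILE -> checks for the :80 site that must bounce every request to https (post step 1)
audit_redirect_vhost() {
    check_one "$1" "rewrite engine on"            'RewriteEngine[[:space:]]+On'
    check_one "$1" "condition on HTTPS off"       'RewriteCond[[:space:]]+%.HTTPS.[[:space:]]+off'
    check_one "$1" "rewrite target is https://"   'RewriteRule.*https://'
}

# count_failures AUDIT_FUNCTION FILE -> number of MISSING/WEAK lines (0 means every step is in place)
count_failures() {
    "$1" "$2" | grep -Ec '^(MISSING|WEAK)' || true
}

# Constructed sample of the finished :443 site (post step 6), 3DES suite dropped; paths are illustrative
write_sample_ssl_conf() {
    cat > "$1" <<'EOF'
<IfModule mod_ssl.c>
SSLStaplingCache shmcb:/var/run/ocsp(128000)
<VirtualHost *:443>
    DocumentRoot /var/www/html
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile /etc/apache2/ssl/example.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example.key
    SSLHonorCipherOrder On
    SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA"
    SSLUseStapling On
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors Off
</VirtualHost>
</IfModule>
EOF
}

# Constructed "before" sample: a stock-style :443 site with none of the steps applied
write_sample_weak_conf() {
    cat > "$1" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot /var/www/html
    SSLEngine on
    # SSLProtocol all -SSLv3   (commented out, so SSLv3 is still offered)
    SSLCipherSuite "ECDHE-RSA-AES128-SHA RC4-SHA DES-CBC3-SHA"
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
</VirtualHost>
</IfModule>
EOF
}

# Constructed sample of the :80 site; [R=301,L] makes the redirect permanent and explicit
write_sample_redirect_conf() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/html
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
EOF
}

# Demo run over the constructed samples (temp files, not the live site)
ssl_conf=$(mktemp); weak_conf=$(mktemp); http_conf=$(mktemp)
write_sample_ssl_conf "$ssl_conf"; write_sample_weak_conf "$weak_conf"; write_sample_redirect_conf "$http_conf"
echo "== hardened :443 site"; audit_ssl_vhost "$ssl_conf"
echo "== stock :443 site";    audit_ssl_vhost "$weak_conf"
echo "== :80 redirect site";  audit_redirect_vhost "$http_conf"
echo "failures: hardened=$(count_failures audit_ssl_vhost "$ssl_conf") stock=$(count_failures audit_ssl_vhost "$weak_conf")"
rm -f "$ssl_conf" "$weak_conf" "$http_conf"
```

To audit the real files, call `audit_ssl_vhost /etc/apache2/sites-available/cnlic443.conf` and `audit_redirect_vhost /etc/apache2/sites-available/cnlic80.conf` directly; a non-zero `count_failures` means a step from the list above is still missing. The checker only looks for the directive forms used in the post, so an equivalent setting written differently (for example an `SSLProtocol` line that lists only TLS versions by name) is reported as missing and needs a manual look.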
Original post: https://cnlic.com/?p=372
