<p class="wp-block-paragraph">Jotting this down as a note along the way; if there are any mistakes, please point them out.</p>



<p class="wp-block-paragraph">This article was done on CentOS 7 with Apache 2.4.6.</p>



<p class="wp-block-paragraph">This article uses the TWNIC modern internet security check tool for testing: <a href="https://check.twnic.tw/" title="https://check.twnic.tw/">https://check.twnic.tw/</a></p>






<p class="wp-block-paragraph">Below, the setup is explained item by item, following the test items of the TWNIC check tool:</p>



<h2 class="wp-block-heading">HTTPS status:</h2>



<p class="wp-block-paragraph">Install mod_ssl and openssl</p>



<pre class="wp-block-preformatted">yum install mod_ssl openssl</pre>



<p class="wp-block-paragraph">Restart the Apache service:</p>



<pre class="wp-block-preformatted">sudo service httpd restart</pre>



<p class="wp-block-paragraph">Upload the certificate, the intermediate certificate and the private key to the server</p>



<p class="wp-block-paragraph">Edit /etc/httpd/conf.d/ssl.conf and add (or modify) the following lines inside the &lt;VirtualHost _default_:443&gt; block</p>



<pre class="wp-block-preformatted">SSLEngine on
SSLCertificateFile /yourpath/cert.pem
SSLCertificateKeyFile /yourpath/privkey.pem
SSLCertificateChainFile /yourpath/chain.pem</pre>



<p class="wp-block-paragraph">Restart the Apache service:</p>



<pre class="wp-block-preformatted">sudo service httpd restart</pre>



<h2 class="wp-block-heading">HTTPS redirect:</h2>



<p class="wp-block-paragraph">Edit /etc/httpd/conf/httpd.conf and add the following three lines inside the &lt;VirtualHost *:80&gt; block:</p>



<pre class="wp-block-preformatted">RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://kerker.website%{REQUEST_URI} [R=301,L]</pre>



<p class="wp-block-paragraph">Restart the Apache service:</p>



<pre class="wp-block-preformatted">sudo service httpd restart</pre>



<h2 class="wp-block-heading">HSTS:</h2>



<p class="wp-block-paragraph">Edit /etc/httpd/conf.modules.d/00-base.conf; if the following line is not there, add it:</p>



<pre class="wp-block-preformatted">LoadModule headers_module modules/mod_headers.so</pre>



<p class="wp-block-paragraph">Restart the Apache service:</p>



<pre class="wp-block-preformatted">sudo service httpd restart</pre>



<p class="wp-block-paragraph">Edit /etc/httpd/conf/httpd.conf and add the following line inside the &lt;VirtualHost&gt; block:</p>



<pre class="wp-block-preformatted"># HSTS response header; the one-year max-age is an example value
Header always set Strict-Transport-Security "max-age=31536000"</pre>



<p class="wp-block-paragraph">Edit /etc/httpd/conf.d/ssl.conf and likewise add the following line inside the &lt;VirtualHost&gt; block:</p>



<pre class="wp-block-preformatted"># HSTS response header; the one-year max-age is an example value
Header always set Strict-Transport-Security "max-age=31536000"</pre>



<p class="wp-block-paragraph">Restart the Apache service:</p>



<pre class="wp-block-preformatted">sudo service httpd restart</pre>



<h2 class="wp-block-heading">TLS version:</h2>



<p class="wp-block-paragraph">Edit /etc/httpd/conf.d/ssl.conf and add (or modify) this line:</p>



<pre class="wp-block-preformatted">SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1</pre>



<p class="wp-block-paragraph">Restart the Apache service:</p>



<pre class="wp-block-preformatted">sudo service httpd restart</pre>



<h2 class="wp-block-heading">Encryption algorithms (cipher suites):</h2>



<p class="wp-block-paragraph">Edit /etc/httpd/conf.d/ssl.conf and add (or modify) this line:</p>



<pre class="wp-block-preformatted">SSLCipherSuite AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH</pre>



<p class="wp-block-paragraph">Restart the Apache service:</p>



<pre class="wp-block-preformatted">sudo service httpd restart</pre>
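<p class="wp-block-paragraph">The following is an added example and is not part of the original post: a small POSIX shell lint that checks an httpd config file for the settings from the HTTPS redirect, HSTS, TLS version and cipher suite sections above, and catches three slips that are easy to make with them (a stray space in the RewriteRule substitution, a LoadModule line pasted inside a &lt;VirtualHost&gt;, and -TLSv1 written twice where -TLSv1.1 was meant). The check_* function names, the two constructed sample config files, the SSLHonorCipherOrder line and the one-year max-age are assumptions of this example; kerker.website is the domain used on this page.</p>

```shell
#!/bin/sh
# Added example (not from the original post): a small lint for the httpd
# settings this article configures. Each check_* function takes the path of
# an Apache config file and returns 0 when the setting looks right, 1 otherwise.

# SSLProtocol must be present and must switch off SSLv3, TLSv1 and TLSv1.1.
check_ssl_protocol() {
    line=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    for old in 'SSLv3' 'TLSv1' 'TLSv1\.1'; do
        echo "$line" | grep -Eq -e "-${old}([[:space:]]|\$)" || return 1
    done
}

# SSLCipherSuite must be present and must not pull in known-weak families.
check_cipher_suite() {
    line=$(grep -E '^[[:space:]]*SSLCipherSuite[[:space:]]' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    ! echo "$line" | grep -Eq 'RC4|3DES|MD5|EXPORT'
}

# HSTS: a Strict-Transport-Security response header with a positive max-age.
check_hsts() {
    grep -Eq '^[[:space:]]*Header[[:space:]]+(always[[:space:]]+)?set[[:space:]]+Strict-Transport-Security[[:space:]]+"max-age=[1-9][0-9]*' "$1"
}

# LoadModule is only valid at server level; pasted inside <VirtualHost> it
# stops httpd from starting ("LoadModule not allowed here").
check_no_loadmodule_in_vhost() {
    awk 'BEGIN { in_vh = 0; bad = 0 }
         /^[[:space:]]*<VirtualHost/  { in_vh = 1 }
         /^[[:space:]]*<\/VirtualHost/ { in_vh = 0 }
         in_vh && /^[[:space:]]*LoadModule/ { bad = 1 }
         END { exit bad }' "$1"
}

# RewriteRule takes a pattern, a substitution and optional [flags]; a stray
# space in the substitution (e.g. before %{REQUEST_URI}) is a syntax error.
check_rewrite_rules() {
    awk 'BEGIN { bad = 0 }
         /^[[:space:]]*RewriteRule[[:space:]]/ {
             if (NF == 3) next
             if (NF == 4 && $4 ~ /^\[/) next
             bad = 1
         }
         END { exit bad }' "$1"
}

# Constructed sample 1: the directives with three easy-to-make slips
# (extra space in the RewriteRule, LoadModule inside the vhost, -TLSv1 twice).
write_weak_conf() {
    f=$(mktemp) && cat > "$f" <<'EOF'
<VirtualHost *:80>
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://kerker.website %{REQUEST_URI} [R=301,L]
    LoadModule headers_module modules/mod_headers.so
</VirtualHost>
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1
    SSLCipherSuite AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH
</VirtualHost>
EOF
    echo "$f"
}

# Constructed sample 2: the corrected form of the same directives.
write_hardened_conf() {
    f=$(mktemp) && cat > "$f" <<'EOF'
<VirtualHost *:80>
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://kerker.website%{REQUEST_URI} [R=301,L]
</VirtualHost>
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH
    SSLHonorCipherOrder on
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
EOF
    echo "$f"
}

# Run every check against one file and print one verdict line per check.
report() {
    for c in check_ssl_protocol check_cipher_suite check_hsts \
             check_no_loadmodule_in_vhost check_rewrite_rules; do
        if "$c" "$1"; then echo "ok    $c"; else echo "FAIL  $c"; fi
    done
}

weak=$(write_weak_conf); hardened=$(write_hardened_conf)
echo "== with the slips =="; report "$weak"
echo "== corrected =="; report "$hardened"
rm -f "$weak" "$hardened"
```

<p class="wp-block-paragraph">Run it against /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/ssl.conf before the restart; a FAIL on check_no_loadmodule_in_vhost or check_rewrite_rules means httpd would refuse to start, the other three are the settings the TWNIC tool looks at.</p>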



<h2 class="wp-block-heading">SECURE RENEGOTIATION:</h2>



<p class="wp-block-paragraph">Update OpenSSL to version 0.9.8m or later.</p>



<h2 class="wp-block-heading">Certificate</h2>



<p class="wp-block-paragraph">This item checks whether the certificate used by the site meets the requirements; if it does not, replace it with a compliant certificate.</p>



<ol class="wp-block-list" type="1">
<li>trust chain of certificate: the site uses a trusted CA; a free SSL certificate may be used, such as the Let's Encrypt certificates launched by the non-profit Internet Security Research Group (ISRG).</li>
<li>public key of certificate: a key length of 2048 bits.</li>
<li>signature of certificate: a hash algorithm of SHA256 or stronger.</li>
<li>domain name on certificate: the domain name on the certificate matches the site's domain name, or a Wildcard SSL certificate is used.</li>
</ol>
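<p class="wp-block-paragraph">As an added example that is not part of the original post, the script below checks certificate items 2 to 4 above (key length, signature hash, domain name coverage) against a PEM certificate with the openssl command line. It assumes openssl 1.1.1 or newer (for req -addext) and generates its own self-signed test certificates for the constructed names www.example.test and *.example.test; the cert_* function names are this example's. Item 1 (a trusted chain) depends on a CA store and is left to the TWNIC tool.</p>

```shell
#!/bin/sh
# Added example (not from the original post): checks certificate criteria 2-4
# above (key length, signature hash, domain name coverage) on a PEM certificate
# with the openssl command line. Assumes openssl 1.1.1 or newer (req -addext).
# The certificates made below are constructed self-signed test material.

# Public key size in bits, e.g. 2048.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Signature algorithm name, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^[[:space:]]*Signature Algorithm: //p' | head -n 1
}

# DNS names from the subjectAltName extension, one per line (empty if none).
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Returns 0 if the certificate covers host $2: an exact SAN match, or a
# wildcard *.parent that matches exactly one label (RFC 6125 style); else 1.
cert_covers_name() {
    host=$2
    parent=${host#*.}
    names=$(cert_dns_names "$1")
    set -f                       # keep a literal *.example.test from globbing
    set -- $names
    set +f
    for n in "$@"; do
        [ "$n" = "$host" ] && return 0
        case $n in
            \*.*) [ "$parent" != "$host" ] && [ "${n#\*.}" = "$parent" ] && return 0 ;;
        esac
    done
    return 1
}

# Constructed test material: a self-signed certificate whose SAN is $2.
make_test_cert() {   # $1 = output certificate path, $2 = DNS name
    key=$(mktemp)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$1" \
        -days 1 -subj "/CN=$2" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
    rm -f "$key"
}

plain=$(mktemp); wild=$(mktemp)
make_test_cert "$plain" www.example.test
make_test_cert "$wild"  '*.example.test'
echo "key bits: $(cert_key_bits "$plain")  signature: $(cert_sig_alg "$plain")"
for h in www.example.test shop.example.test deep.shop.example.test; do
    if cert_covers_name "$wild" "$h"; then echo "*.example.test covers $h"
    else echo "*.example.test does NOT cover $h"; fi
done
rm -f "$plain" "$wild"
```

<p class="wp-block-paragraph">Point the three cert_* functions at the cert.pem uploaded in the HTTPS status section to confirm it before running the TWNIC check; note that a wildcard name covers only one label, so *.example.test does not cover deep.shop.example.test.</p>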

Enabling HTTPS on Apache and security settings (CentOS)

