1. Go to https://www.sslforfree.com/ and follow the instructions to download the certificate.
2. Unzip the certificate bundle and place the files at, respectively:
/etc/ssl/certificate.crt
/etc/ssl/private/private.key
/etc/ssl/ca_bundle.crt
3. Set permissions
# chmod 644 certificate.crt
# chmod 644 ca_bundle.crt
# chmod 640 private.key //only root (and the ssl-cert group set below) can read it
# chown root:ssl-cert private.key //owned by root, group ssl-cert
4. Edit the "default SSL site" configuration
# vi /etc/apache2/sites-available/default-ssl
5. Change the following settings
SSLCertificateFile /etc/ssl/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/private.key
SSLCACertificateFile /etc/ssl/ca_bundle.crt
6. Harden SSL: add the following settings
(removes the SSLv3, RC4 and common DH primes weaknesses)
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA
7. Enable the "default SSL site"
# a2enmod ssl //should already be enabled by default
# a2ensite default-ssl
# /etc/init.d/apache2 restart
# service apache2 reload //this command also works
8. Enable SSL in OpenCart
See http://www.fastcomet.com/tutorials/opencart2/enable-ssl
9. Go to https://www.ssllabs.com/ssltest/
and check the SSL security rating; it should be an A
Other references
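An added check for steps 6 and 9 above (example code, not from the original post): a POSIX shell function that audits a vhost file for the hardening directives before you restart Apache and run the SSL Labs test. The two sample vhost files it writes are constructed for the demonstration; the certificate paths match the ones used in this post.

```shell
#!/bin/sh
# Added example, not from the original post: audit an Apache SSL vhost file for the
# hardening directives listed in step 6. POSIX sh + grep only, so it runs offline.
# Prints one FAIL line per missing safeguard; returns 0 only when every check passes.
check_ssl_conf() {
    conf="$1"; rc=0
    # Take the last active (uncommented) SSLProtocol line; it must drop SSLv3
    # (either "-SSLv3" or an allow-list starting from "-all" is accepted).
    proto=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$conf" | tail -n 1)
    case "$proto" in
        *-SSLv3*|*-all*) ;;
        *) echo "FAIL: SSLProtocol does not disable SSLv3 (got: '$proto')"; rc=1 ;;
    esac
    # The server, not the client, must pick the cipher.
    grep -Eiq '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on' "$conf" \
        || { echo "FAIL: SSLHonorCipherOrder is not 'on'"; rc=1; }
    # The cipher string must explicitly reject RC4, MD5, anonymous and export suites.
    ciphers=$(grep -E '^[[:space:]]*SSLCipherSuite[[:space:]]' "$conf" | tail -n 1)
    for bad in RC4 MD5 aNULL eNULL EXPORT; do
        case "$ciphers" in
            *"!$bad"*) ;;
            *) echo "FAIL: SSLCipherSuite does not exclude $bad"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample vhost fragments (weak vs. hardened) to exercise the check.
mk_sample() {  # $1 = output path, $2 = weak | hardened
    if [ "$2" = hardened ]; then cat > "$1" <<'EOF'
<VirtualHost _default_:443>
    SSLCertificateFile /etc/ssl/certificate.crt
    SSLCertificateKeyFile /etc/ssl/private/private.key
    SSLCACertificateFile /etc/ssl/ca_bundle.crt
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!MD5
</VirtualHost>
EOF
    else cat > "$1" <<'EOF'
<VirtualHost _default_:443>
    SSLProtocol all
    SSLCipherSuite HIGH:MEDIUM:!aNULL
</VirtualHost>
EOF
    fi
}
# Stand-alone run: audit both constructed samples (point it at your own vhost file instead).
d=$(mktemp -d); mk_sample "$d/good.conf" hardened; mk_sample "$d/weak.conf" weak
for f in "$d/good.conf" "$d/weak.conf"; do echo "== $f"; check_ssl_conf "$f" && echo "OK"; done
```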
https://becoder.org/nextvod-apaceh2-mysql-php5/
http://askubuntu.com/questions/68940/how-do-i-setup-ssl-crt-on-my-apache2-server
https://o-o-s.de/debian-wheezy-apache-logjam/10492
Setting the correct ServerName for Apache
(to avoid 127.0.0.1 showing up.....)
1. In the following files
/etc/apache2/sites-available/default
/etc/apache2/sites-available/default-ssl
change the following values
ServerName localhost
ServerAdmin EMAIL //set the administrator e-mail while you're at it
Options FollowSymLinks //remove Indexes so the site's directory listings cannot be browsed
AllowOverride All //set this as well
2. Change the hostname
# vi /etc/hostname
SERVERNAME
3. Change hosts
# vi /etc/hosts
127.0.0.1 SERVERNAME.DOMAIN.NAME SERVERNAME localhost
::1 SERVERNAME.DOMAIN.NAME SERVERNAME localhost
4. Restart
# reboot