2016/03/22

Enabling SSL for Apache (2.2.22) and OpenCart (Debian Wheezy on the 網樂通)

1. Go to https://www.sslforfree.com/ and follow the instructions to obtain and download the certificate

2. Unpack the certificate bundle and place the files at
/etc/ssl/certificate.crt
/etc/ssl/private/private.key
/etc/ssl/ca_bundle.crt

3. Set ownership and permissions (the files live in two directories, so use full paths)
# chmod 644 /etc/ssl/certificate.crt
# chmod 644 /etc/ssl/ca_bundle.crt
# chown root:ssl-cert /etc/ssl/private/private.key   //owned by root, group ssl-cert
# chmod 640 /etc/ssl/private/private.key   //root read/write, ssl-cert group read-only, no access for anyone else; Apache reads the key as root at startup, so it must never be world-readable

4. Edit the default SSL site configuration
# vi /etc/apache2/sites-available/default-ssl

5. Change the following settings
SSLCertificateFile /etc/ssl/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/private.key
SSLCertificateChainFile /etc/ssl/ca_bundle.crt   //the intermediate CA bundle must go here so it is sent to browsers; in Apache 2.2 SSLCACertificateFile only configures client-certificate verification and leaves the served chain incomplete

6. Harden SSL by adding the settings below
(disables SSLv2 and SSLv3, excludes RC4, and drops the DHE-RSA suites so that the weak 1024-bit "common" DH primes of this Apache build are never negotiated, the Logjam issue; forward secrecy comes from the ECDHE suites, which are listed first and preferred because of SSLHonorCipherOrder)
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA

7. Enable the default SSL site
# a2enmod ssl   //should already be enabled by default
# a2ensite default-ssl
# /etc/init.d/apache2 restart
# service apache2 reload   //also works for configuration changes; a newly enabled module needs the full restart above

8. Enable SSL in OpenCart
See http://www.fastcomet.com/tutorials/opencart2/enable-ssl

9. Go to https://www.ssllabs.com/ssltest/
and check the SSL rating; it should be A

See also
https://becoder.org/nextvod-apaceh2-mysql-php5/
http://askubuntu.com/questions/68940/how-do-i-setup-ssl-crt-on-my-apache2-server
https://o-o-s.de/debian-wheezy-apache-logjam/10492


Setting a correct ServerName for Apache
(avoids the "Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName" warning)

1. In the following files
/etc/apache2/sites-available/default
/etc/apache2/sites-available/default-ssl

change these values
ServerName localhost   //or better the host's FQDN; for the SSL site it should match the hostname on the certificate
ServerAdmin EMAIL   //set the administrator e-mail while you are at it
Options FollowSymLinks   //remove Indexes so the directory listing is not exposed

AllowOverride All      //set this as well so .htaccess rules (OpenCart's SEO URL rewrites) take effect; note that it lets any .htaccess under the DocumentRoot change settings

2. Change the hostname
# vi /etc/hostname
SERVERNAME

3. Edit the hosts file
# vi /etc/hosts
127.0.0.1       SERVERNAME.DOMAIN.NAME SERVERNAME localhost
::1             SERVERNAME.DOMAIN.NAME SERVERNAME localhost

4. Reboot
# reboot
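The following is an added example, not part of the original post, that checks a sites-available file offline for the settings applied in the SSL hardening steps above (steps 5 to 7) and in this ServerName section: SSLv2/SSLv3 disabled, server cipher order honoured, the required ! exclusions present, no explicit DHE-RSA suites (the Logjam workaround), the CA bundle in SSLCertificateChainFile rather than SSLCACertificateFile, Indexes removed and ServerName set. The two vhost texts inside it are constructed samples: WEAK_VHOST is modelled on the stock Wheezy default-ssl with a permissive cipher line added, HARDENED_VHOST applies the post's settings with an abbreviated cipher list and the hostname www.example.com; neither is a real file from the 網樂通.

```python
"""Offline lint for an Apache 2.2 SSL vhost (added example, not from the post).
Checks: SSLv2/SSLv3 off, server cipher order, required !exclusions, no explicit
DHE-RSA suites (Logjam), chain via SSLCertificateChainFile, no Indexes, ServerName."""
import sys

# What "all" expands to on a 2.2.22/OpenSSL 1.0.1 build; the exact TLS members
# vary by build, which does not matter here because only SSLv2/SSLv3 are judged.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# Aliases that must appear negated (!NAME). "DES" is single DES only; triple DES
# (DES-CBC3-SHA, kept by the post for old clients) is the separate "3DES" alias.
MUST_EXCLUDE = {"aNULL", "eNULL", "EXPORT", "DES", "RC4", "MD5"}

# Constructed samples (not real files): stock-style weak vhost vs. the post's settings.
WEAK_VHOST = """\
<VirtualHost _default_:443>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
    </Directory>
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    SSLCipherSuite DHE-RSA-AES256-SHA:HIGH:MEDIUM:!aNULL:!MD5
</VirtualHost>
"""

HARDENED_VHOST = """\
<VirtualHost _default_:443>
    ServerName www.example.com
    <Directory /var/www/>
        Options FollowSymLinks
        AllowOverride All
    </Directory>
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certificate.crt
    SSLCertificateKeyFile   /etc/ssl/private/private.key
    SSLCertificateChainFile /etc/ssl/ca_bundle.crt
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES256-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA
</VirtualHost>
"""


def parse_directives(text):
    """(name, value) pairs in file order; comments, blanks and <Section> tags
    are skipped. Nesting is ignored, which is adequate for a one-vhost file."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#<":
            parts = line.split(None, 1)
            pairs.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return pairs


def enabled_protocols(value):
    """Apply SSLProtocol tokens (all, +X, -X, X) left to right, as mod_ssl does."""
    enabled = set()
    for tok in value.split():
        if tok.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif tok[0] == "-":
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def audit_ssl_vhost(text):
    """Sorted list of finding strings; an empty list means every check passed."""
    pairs = parse_directives(text)
    last = dict(pairs)                      # last occurrence wins
    findings = []
    # An absent SSLProtocol means the default "all", so SSLv2/SSLv3 are on.
    weak = enabled_protocols(last.get("SSLProtocol", "all")) & WEAK_PROTOCOLS
    if weak:
        findings.append("SSLProtocol enables " + ", ".join(sorted(weak)))
    if last.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on: the client picks the cipher")
    tokens = last.get("SSLCipherSuite", "").split(":")
    missing = MUST_EXCLUDE - {t[1:] for t in tokens if t.startswith("!")}
    if missing:
        findings.append("SSLCipherSuite does not exclude " + ", ".join(sorted(missing)))
    # Literal suite names only; aliases such as HIGH or kEDH are not expanded
    # here (use `openssl ciphers -v '<string>'` for the authoritative list).
    dhe = [t for t in tokens if t.startswith(("DHE-RSA-", "EDH-RSA-"))]
    if dhe:
        findings.append("DHE-RSA suites enabled (Logjam, 1024-bit DH): " + ", ".join(dhe))
    # Browsers get intermediates from SSLCertificateChainFile; in Apache 2.2
    # SSLCACertificateFile only configures client-certificate verification.
    if "SSLCertificateChainFile" not in last:
        findings.append("chain in SSLCACertificateFile; use SSLCertificateChainFile"
                        if "SSLCACertificateFile" in last else
                        "no SSLCertificateChainFile: intermediate CAs not sent")
    for name, value in pairs:
        if name == "Options" and any(t.lstrip("+") == "Indexes" for t in value.split()):
            findings.append("Options enables Indexes (directory listing): " + value)
    if "ServerName" not in last:
        findings.append("ServerName not set (Apache falls back to 127.0.0.1)")
    return sorted(findings)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else HARDENED_VHOST
    print("\n".join(audit_ssl_vhost(text) or ["OK: no findings"]))
```

Run it as `python lint_ssl_vhost.py /etc/apache2/sites-available/default-ssl` before `apache2ctl configtest` and the reload; the weak sample produces seven findings and the hardened one none. The checker reads only the literal tokens of SSLCipherSuite, so an alias like HIGH that still pulls in DHE-RSA suites is not caught; the SSL Labs test in step 9 remains the final word.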
