환경 : CentOS 7.x / 64bit
먼저 TLS 1.3을 지원하려면 Apache 버전이 최소 2.4.37 이상이고 OpenSSL은 1.1.1 이상이어야 한다. (아래 예시의 버전은 작성 시점 기준이므로, 실제 설치 시에는 각 라인의 최신 패치 릴리스를 사용하고 배포 파일의 서명/해시를 검증할 것)
1. 기본 라이브러리 설치 (실제로 전부 필요하지는 않지만 추후 PHP 설치 시에 필요하므로 설치 진행)
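# Step 1: build/runtime prerequisites (run as root). Most of this is only
# needed for the later PHP build, not for httpd itself.
#
# Fixes against the original one-liner:
#   * the wildcard names (zlib*, libxml*, ...) were unquoted, so a matching
#     file in the current directory would have been substituted by the shell
#     before yum ever saw the pattern; they are quoted here.
#   * literal duplicates (openssl-devel, libmcrypt*, mhash*) were collapsed.
# NOTE(review): libmcrypt/mhash are not in the CentOS 7 base repositories
# (enable EPEL first or drop them), and "iconv" / "qpixman" do not look like
# CentOS 7 package names (glibc-common provides iconv; the X library is
# "pixman") -- confirm before relying on this list.
pkgs=(
  net-tools setuptool vim-enhanced lrzsz xinetd gcc gcc-c++
  ncurses ncurses-devel cmake openssl openssl-devel
  libtermcap libtermcap-devel gdbm-devel 'zlib*'
  'libxml*' 'freetype*' 'libpng*' 'libjpeg*' gd gd-devel
  libmcrypt libmcrypt-devel mhash mhash-devel
  apr 'apr-*' libxml2 iconv unixODBC readline-devel
  qpixman qpixman-devel 'netpbm*' 'libxslt*' gmp gmp-devel
  bzip2-devel pcre-devel curl curl-devel
  enchant-devel enchant libicu libicu-devel
  jansson-devel libev-devel c-ares-devel zlib-devel perl-core
)
yum -y install "${pkgs[@]}"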
2. 기본 YUM 패키지를 설치하면 mariadb와 httpd24가 함께 설치되는데, 아래에서 소스로 빌드할 것이므로 해당 패키지는 remove 한다.
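# Step 2: the base package set pulls in mariadb and the packaged httpd24;
# remove them so they do not shadow the source builds that follow.
# The patterns are quoted so the shell cannot expand them against files in
# the current directory before yum sees them (the original left them bare).
# No -y: yum lists what the wildcard actually matched and asks first.
yum remove 'mariadb10*' 'httpd24*'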
3. openssl 설치
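# Step 3: build OpenSSL 1.1.1 into its own prefix; the distro 1.0.2 stays in
# place for rpm-managed packages. Abort on the first failed step instead of
# running "make install" on a broken build.
set -e
OPENSSL_VER=1.1.1b
cd /root

# The original fetched the tarball with no integrity check. Fetch the
# published SHA-256 alongside it and verify before unpacking; verifying the
# .asc signature against the OpenSSL release key (gpg --verify) is stronger.
# NOTE(review): openssl.org moves old releases under /source/old/<branch>/;
# use the newest 1.1.1 patch release that is still published.
wget "https://www.openssl.org/source/openssl-${OPENSSL_VER}.tar.gz"
wget "https://www.openssl.org/source/openssl-${OPENSSL_VER}.tar.gz.sha256"
echo "$(cat "openssl-${OPENSSL_VER}.tar.gz.sha256")  openssl-${OPENSSL_VER}.tar.gz" \
  | sha256sum -c -

tar xzf "openssl-${OPENSSL_VER}.tar.gz"
cd "openssl-${OPENSSL_VER}"
./config --prefix=/usr/local/openssl shared zlib
make
make install

# Register the new libdir with the loader. ">" rather than ">>" so a re-run
# does not append duplicate entries.
echo "/usr/local/openssl/lib" > /etc/ld.so.conf.d/openssl.conf
ldconfig

# Make the new binary the default "openssl" for the check in step 4.
# NOTE(review): /usr/bin/openssl is owned by the openssl rpm; the next
# "yum update openssl" will silently replace this symlink with the 1.0.2
# binary again. Putting /usr/local/openssl/bin first on PATH avoids that.
mv /usr/bin/openssl /usr/bin/openssl.old
ln -s /usr/local/openssl/bin/openssl /usr/bin/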
4. openssl TLSv1.3 지원체크
# Step 4: confirm that the "openssl" now on PATH offers TLS 1.3 suites.
openssl ciphers -v | grep TLSv1.3
# Expected output for OpenSSL 1.1.1 (three AEAD suites, all TLSv1.3):
#   TLS_AES_256_GCM_SHA384       TLSv1.3 Kx=any Au=any Enc=AESGCM(256)            Mac=AEAD
#   TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
#   TLS_AES_128_GCM_SHA256       TLSv1.3 Kx=any Au=any Enc=AESGCM(128)            Mac=AEAD
# No output means the 1.0.2 system binary is still being picked up.
5. Nghttp2 install
# Step 5: nghttp2 (HTTP/2 library) from the distro repositories.
# jansson-devel and libev-devel were already installed in step 1; repeating
# them here is harmless.
yum -y install jansson-devel libev-devel
yum -y install nghttp2 libnghttp2-devel
6. Brotli 설치
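# Step 6: Brotli 1.0.7 from source into /usr/local (mod_brotli links to it).
# Abort on the first failure; the original kept going and would have
# registered /usr/local/lib with ldconfig even if the build had failed.
set -e
BROTLI_VER=1.0.7
cd /root

# NOTE(review): GitHub's auto-generated archive carries no signature or
# published checksum, so nothing is verified here. Record the sha256sum of
# the archive you reviewed and compare on later rebuilds, or clone the repo
# and check out the signed v${BROTLI_VER} tag instead.
wget "https://github.com/google/brotli/archive/v${BROTLI_VER}.tar.gz"
tar xzf "v${BROTLI_VER}.tar.gz"
cd "brotli-${BROTLI_VER}/"
mkdir -p out && cd out
../configure-cmake
make
make install

# Tell the loader about /usr/local/lib (where "make install" put libbrotli*).
echo /usr/local/lib > /etc/ld.so.conf.d/usr-local-lib.conf
ldconfig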
7. apr apr-util 설치
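# Step 7: APR and APR-util into /usr/local/apr; httpd is built against these.
# Fixes against the original listing:
#   * the "cd apr-1.6.5" was missing (the prompt changed directory but no
#     command did), so "cp -a libtool libtoolT" ran in the wrong place.
#   * tarballs were unpacked without an integrity check; the archive
#     publishes a .sha256 next to each file, verify it (the .asc signature
#     against the project KEYS file is the stronger check).
#   * steps keep running after a failure; stop at the first one.
set -e
APR_VER=1.6.5
APU_VER=1.6.1
cd /root

wget "https://archive.apache.org/dist/apr/apr-${APR_VER}.tar.bz2"
wget "https://archive.apache.org/dist/apr/apr-${APR_VER}.tar.bz2.sha256"
sha256sum -c "apr-${APR_VER}.tar.bz2.sha256"
tar xjf "apr-${APR_VER}.tar.bz2"
cd "apr-${APR_VER}"
# Presumably works around the apr-1.6.x "libtoolT" build failure -- confirm
# it is still needed for the version you build.
cp -a libtool libtoolT
./configure --prefix=/usr/local/apr
make
make install

cd /root
wget "https://archive.apache.org/dist/apr/apr-util-${APU_VER}.tar.bz2"
wget "https://archive.apache.org/dist/apr/apr-util-${APU_VER}.tar.bz2.sha256"
sha256sum -c "apr-util-${APU_VER}.tar.bz2.sha256"
tar xjf "apr-util-${APU_VER}.tar.bz2"
cd "apr-util-${APU_VER}"
./configure --prefix=/usr/local/apr/ --with-apr=/usr/local/apr/
make
make install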
8. Apache install
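# Step 8: httpd 2.4.38 with HTTP/2, Brotli, and the locally built OpenSSL and
# APR. Stop at the first failed step.
set -e
HTTPD_VER=2.4.38
cd /root

# The original pulled the tarball from a third-party mirror over plain HTTP
# with no integrity check -- anything on the path could have substituted the
# archive. Fetch from the canonical archive over HTTPS and verify the
# published SHA-256; verifying the .asc against the httpd KEYS file is
# stronger still. Use the newest 2.4.x release available.
wget "https://archive.apache.org/dist/httpd/httpd-${HTTPD_VER}.tar.gz"
wget "https://archive.apache.org/dist/httpd/httpd-${HTTPD_VER}.tar.gz.sha256"
sha256sum -c "httpd-${HTTPD_VER}.tar.gz.sha256"
tar xzf "httpd-${HTTPD_VER}.tar.gz"
cd "httpd-${HTTPD_VER}"

# --with-ssl points at the 1.1.1 build from step 3 (TLS 1.3 support);
# --with-apr/--with-apr-util at step 7. All modules and MPMs are built as
# shared objects and selected via LoadModule in httpd.conf.
./configure --prefix=/usr/local/apache \
  --enable-http2 \
  --enable-brotli \
  --with-brotli=/usr/local/lib \
  --enable-ssl \
  --with-ssl=/usr/local/openssl \
  --with-apr=/usr/local/apr \
  --with-apr-util=/usr/local/apr \
  --enable-so \
  --enable-mods-shared=all \
  --enable-mpms-shared=all
make
make install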
9. mod_url install
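# Step 9: mod_url -- a third-party module loaded into httpd as "redurl_module".
# Stop at the first failure so apxs is not run on a half-extracted tree.
set -e
cd /root

# NOTE(review): this archive is fetched over plain HTTP with no checksum or
# signature, then compiled and loaded into the server process. Keep a
# known-good copy, record its sha256sum, and read the source before
# building; treat any change in the hash on a later rebuild as a red flag.
wget http://jini.kldp.net/modurl/release/2186-mod_url-apache2-1.6.2.6.tar.bz2
tar xjf 2186-mod_url-apache2-1.6.2.6.tar.bz2
cd mod_url-apache2/

# apxs: -c compile, -i install into modules/, -a add the LoadModule line to
# httpd.conf (the listing in step 10 already carries it).
/usr/local/apache/bin/apxs -iac mod_url.c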
10. httpd.conf 백업 및 수정
# Step 10: keep a pristine copy of the stock httpd.conf, then edit in place.
# (-a preserves mode/ownership/timestamps of the original.)
cp -a /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.ori
vi /usr/local/apache/conf/httpd.conf
httpd.conf
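# /usr/local/apache/conf/httpd.conf
#
# Changes against the original listing (everything else is kept as-is):
#   * "Indexes" removed from the DocumentRoot <Directory>: it served a
#     directory listing for any path without an index.html.
#   * duplicated "LogLevel warn" collapsed to one.
#   * ServerTokens/ServerSignature/TraceEnable set explicitly after the
#     httpd-default.conf include (see note there).
ServerRoot "/usr/local/apache"
Listen 80

LoadModule mpm_event_module modules/mod_mpm_event.so
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authn_dbd_module modules/mod_authn_dbd.so
#LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
#LoadModule authz_dbd_module modules/mod_authz_dbd.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_form_module modules/mod_auth_form.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule allowmethods_module modules/mod_allowmethods.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule cache_module modules/mod_cache.so
#LoadModule cache_disk_module modules/mod_cache_disk.so
#LoadModule cache_socache_module modules/mod_cache_socache.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
#LoadModule socache_dbm_module modules/mod_socache_dbm.so
#LoadModule socache_memcache_module modules/mod_socache_memcache.so
LoadModule watchdog_module modules/mod_watchdog.so
#LoadModule macro_module modules/mod_macro.so
#LoadModule dbd_module modules/mod_dbd.so
#LoadModule dumpio_module modules/mod_dumpio.so
#LoadModule echo_module modules/mod_echo.so
#LoadModule buffer_module modules/mod_buffer.so
#LoadModule data_module modules/mod_data.so
#LoadModule ratelimit_module modules/mod_ratelimit.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
#LoadModule ext_filter_module modules/mod_ext_filter.so
#LoadModule request_module modules/mod_request.so
#LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
#LoadModule reflector_module modules/mod_reflector.so
#LoadModule substitute_module modules/mod_substitute.so
#LoadModule sed_module modules/mod_sed.so
#LoadModule charset_lite_module modules/mod_charset_lite.so
# NOTE(review): mod_deflate stays disabled here, yet httpd-ssl.conf sets
# "SetOutputFilter BROTLI_COMPRESS;DEFLATE"; enable it if DEFLATE is wanted.
#LoadModule deflate_module modules/mod_deflate.so
#LoadModule xml2enc_module modules/mod_xml2enc.so
#LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule brotli_module modules/mod_brotli.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule log_debug_module modules/mod_log_debug.so
#LoadModule log_forensic_module modules/mod_log_forensic.so
#LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
#LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
#LoadModule remoteip_module modules/mod_remoteip.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
#LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_express_module modules/mod_proxy_express.so
#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
#LoadModule session_module modules/mod_session.so
#LoadModule session_cookie_module modules/mod_session_cookie.so
#LoadModule session_dbd_module modules/mod_session_dbd.so
#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
LoadModule ssl_module modules/mod_ssl.so
#LoadModule dialup_module modules/mod_dialup.so
LoadModule http2_module modules/mod_http2.so
#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
LoadModule unixd_module modules/mod_unixd.so
#LoadModule heartbeat_module modules/mod_heartbeat.so
#LoadModule heartmonitor_module modules/mod_heartmonitor.so
#LoadModule dav_module modules/mod_dav.so
# mod_status is loaded but /server-status is only exposed if a handler is
# configured (httpd-info.conf stays commented out below). If you enable it,
# restrict it with "Require ip ...".
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule asis_module modules/mod_asis.so
#LoadModule info_module modules/mod_info.so
#LoadModule cgid_module modules/mod_cgid.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule dav_lock_module modules/mod_dav_lock.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
#LoadModule actions_module modules/mod_actions.so
#LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
# Third-party module built in step 9.
LoadModule redurl_module modules/mod_url.so

<IfModule unixd_module>
    # NOTE(review): "nobody" is shared with other services on CentOS 7;
    # a dedicated unprivileged account (e.g. created with useradd -r) keeps
    # httpd's files and processes distinguishable from theirs.
    User nobody
    Group nobody
</IfModule>

ServerAdmin you@example.com
ServerName localhost:80

# Deny everything by default; access is opened per directory below.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

DocumentRoot "/usr/local/apache/htdocs"
<Directory "/usr/local/apache/htdocs">
    # "Indexes" intentionally omitted: with it, any directory lacking an
    # index.html returns a listing of its contents.
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

# Never serve .htaccess/.htpasswd files.
<Files ".ht*">
    Require all denied
</Files>

ErrorLog "logs/error_log"
LogLevel warn

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" combined
</IfModule>

# CGI is kept disabled (no ScriptAlias, no cgid module, no cgi-script handler).
<IfModule alias_module>
    #ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
</IfModule>
<IfModule cgid_module>
</IfModule>
#<Directory "/usr/local/apache/cgi-bin">
#    AllowOverride None
#    Options None
#    Require all granted
#</Directory>

# Drop a client-supplied "Proxy" header before it can reach CGI/FastCGI
# environments as HTTP_PROXY.
<IfModule headers_module>
    RequestHeader unset Proxy early
</IfModule>

<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-gzip .tgz
    AddEncoding x-compress .Z
    AddEncoding x-gzip .gz .tgz
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    #AddHandler cgi-script .cgi
    AddHandler type-map var
    # Inert while mod_include is not loaded (see LoadModule list above).
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>

#MIMEMagicFile conf/magic

# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#MaxRanges unlimited
#EnableMMAP off
#EnableSendfile on

Include conf/extra/httpd-mpm.conf
# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
# Language settings
Include conf/extra/httpd-languages.conf
# User home directories
# NOTE(review): this publishes ~user/public_html for every local account;
# leave it out unless that is intended.
Include conf/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf
# Virtual hosts
Include conf/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf
# Various default settings
Include conf/extra/httpd-default.conf
# The stock httpd-default.conf shipped with 2.4 sets "ServerTokens Full" and
# "ServerSignature On", which advertise the exact httpd/OpenSSL build in every
# response and error page. Override after the include; also refuse TRACE.
ServerTokens Prod
ServerSignature Off
TraceEnable Off

# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
    #Include conf/extra/proxy-html.conf
</IfModule>

# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
#
<IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
</IfModule>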
11. SSL 인증서 파일이 있다는 가정하에 httpd-ssl.conf 파일 수정 ( TLS 1.3 / TLS 1.2 ENABLE )
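# vi /usr/local/apache/conf/extra/httpd-ssl.conf
#
# Changes against the original listing:
#   * TLS 1.3 suites moved to "SSLCipherSuite TLSv1.3 ...": OpenSSL 1.1.1
#     configures TLS 1.3 suites separately and ignores their names inside the
#     generic cipher string, so the original was silently running on OpenSSL's
#     default TLS 1.3 set. The protocol-qualified form exists since httpd
#     2.4.37, the minimum this guide already requires.
#   * EDH-RSA-DES-CBC3-SHA (3DES, 64-bit block) dropped from the TLS 1.2 list.
Listen 443

SSLPassPhraseDialog builtin

# NOTE(review): /run/httpd is created by the distro httpd package (tmpfiles),
# not by this source build; make sure it exists after a reboot or point both
# caches at a directory under ServerRoot (e.g. logs/).
SSLSessionCache "shmcb:/run/httpd/sslcache(1024000)"
SSLSessionCacheTimeout 3600
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
SSLStrictSNIVHostCheck off

# TLS 1.2 and 1.3 only.
SSLProtocol -all +TLSv1.2 +TLSv1.3

# TLS 1.3 suites (all AEAD; OpenSSL picks in this order when
# SSLHonorCipherOrder is on).
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

# TLS 1.2 suites: ECDHE/DHE only (forward secrecy), AEAD before CBC. The
# ECDSA entries are inert with the RSA certificate below. The CBC/SHA1
# suites are kept for older clients and can be pruned once client telemetry
# allows; re-add 3DES only for a specific known legacy client.
SSLCipherSuite "ECDHE-ECDSA-AES128-GCM-SHA256 \
ECDHE-ECDSA-AES256-GCM-SHA384 \
ECDHE-ECDSA-AES128-SHA \
ECDHE-ECDSA-AES256-SHA \
ECDHE-ECDSA-AES128-SHA256 \
ECDHE-ECDSA-AES256-SHA384 \
ECDHE-RSA-AES128-GCM-SHA256 \
ECDHE-RSA-AES256-GCM-SHA384 \
ECDHE-RSA-AES128-SHA \
ECDHE-RSA-AES256-SHA \
ECDHE-RSA-AES128-SHA256 \
ECDHE-RSA-AES256-SHA384 \
DHE-RSA-AES128-GCM-SHA256 \
DHE-RSA-AES256-GCM-SHA384 \
DHE-RSA-AES128-SHA \
DHE-RSA-AES256-SHA \
DHE-RSA-AES128-SHA256 \
DHE-RSA-AES256-SHA256"
SSLHonorCipherOrder on
# TLS-level compression (CRIME) stays off.
SSLCompression off
# OCSP stapling; the cache directive must sit outside any VirtualHost.
SSLUseStapling On
SSLStaplingCache shmcb:/run/httpd/stapling_cache(128000)

<VirtualHost *:443>
    DocumentRoot /free/home/tlstest/html
    ServerName xinet.kr
    ServerAlias www.xinet.kr
    SSLEngine on
    Protocols h2 http/1.1

    # Response compression. DEFLATE only takes effect if mod_deflate is
    # loaded in httpd.conf (it is commented out in the listing above).
    # NOTE(review): if this vhost ever serves dynamic pages that echo
    # attacker-controlled input next to secrets (tokens, CSRF nonces),
    # compressing those responses is a BREACH-style leak; scope the filter
    # to static content in that case.
    SetOutputFilter BROTLI_COMPRESS;DEFLATE
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip no-brotli dont-vary

    # HSTS for one year. Add "; includeSubDomains" (and "; preload") only
    # once every subdomain of xinet.kr is served over HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000"

    SSLCertificateFile /usr/local/apache/conf/ssl/tlstest.xinet.kr.crt
    # The key is read by the root parent before privileges are dropped;
    # keep it mode 0600, owned by root.
    SSLCertificateKeyFile /usr/local/apache/conf/ssl/tlstest.xinet.kr.key
    # SSLCertificateChainFile is deprecated since 2.4.8; the intermediate can
    # instead be appended to the file named by SSLCertificateFile.
    SSLCertificateChainFile /usr/local/apache/conf/ssl/EncryptionEverywhereDVCA.crt
    # SSLCACertificateFile is only consulted for client-certificate
    # verification (SSLVerifyClient); it does not build the server chain and
    # is inert as configured here.
    SSLCACertificateFile /usr/local/apache/conf/ssl/DigiCertRoot2.crt.cer
</VirtualHost>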