
Security fix - Adjusting SSL security settings, with a scan for Rank A+

SSL security testing and fixes
A free SSL certificate can be requested through SSL For Free.
Ten tools for checking SSL certificate security
If you use VirtualHost, remember to put these settings inside the VirtualHost block:
$ vim /etc/httpd/conf/httpd.conf
<VirtualHost *:80>
        # Refuse TRACE/TRACK with 403 (cross-site tracing); TraceEnable off does the same on Apache 1.3.34/2.0.55 and later
        RewriteEngine on
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]

        Alias /cp /var/www/cp/public
        <Directory /var/www/cp>
                AllowOverride All
        </Directory>
        <Directory /var/www/html>
                AllowOverride All
        </Directory>
        DocumentRoot /var/www/html
        ServerName www.sakura-home.com.tw
        # Note: this host still serves content over plain HTTP. The HSTS header set on :443 below only
        # protects browsers that have already completed an HTTPS visit, so a redirect to https:// here
        # is the usual companion setting.
</VirtualHost>
<VirtualHost *:443>
        # HSTS for two years, applied to subdomains as well (needs mod_headers); SSL Labs requires at least 180 days for A+
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
        RewriteEngine on
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]

        SSLEngine on
        # Only TLS 1.2 (and TLS 1.3, where the OpenSSL build supports it) stay enabled
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        # ECDHE-only list (forward secrecy); the last four are CBC suites kept for IE, see below
        SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
        # Let the server's preference order win over the client's
        SSLHonorCipherOrder on
        SSLCertificateFile /var/www/SSL/server.crt
        SSLCertificateKeyFile /var/www/SSL/server.key
        # Intermediate CA certificate. SSLCACertificateFile is really the trust store for client-certificate
        # verification; the directive meant for the chain sent to browsers is SSLCertificateChainFile
        # (Apache 2.2) or appending the intermediates to SSLCertificateFile (Apache 2.4.8+). If you keep it
        # this way, check the "Chain issues" line of the SSL Labs report.
        SSLCACertificateFile /var/www/SSL/PublicCA2_64.crt
        Alias /cp /var/www/cp/public
        <Directory /var/www/cp>
                AllowOverride All
        </Directory>
        <Directory /var/www/html>
                AllowOverride All
        </Directory>
        DocumentRoot /var/www/html
        ServerName www.sakura-home.com.tw

        ProxyRequests off
        # Apache 2.2 access-control syntax; on 2.4 this is "Require all granted"
        <Proxy *>
                Order allow,deny
                Allow from all
        </Proxy>

        # /cp is served locally; everything else is reverse-proxied to the application on port 3000
        ProxyPass /cp !
        ProxyPass / http://127.0.0.1:3000/
        ProxyPassReverse / http://127.0.0.1:3000/
        ProxyPreserveHost on
</VirtualHost>

Without a VirtualHost, paste the following directives into your SSL configuration (ssl.conf) instead:
        # HSTS for two years including subdomains (needs mod_headers); SSL Labs requires at least 180 days for A+
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
        # Refuse TRACE/TRACK with 403
        RewriteEngine on
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
        SSLEngine on
        # Only TLS 1.2 (and TLS 1.3 where available) stay enabled
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        # ECDHE-only list; the last four are CBC suites kept for IE, see below
        SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
        SSLHonorCipherOrder on
        SSLCertificateFile /var/www/SSL/server.crt
        SSLCertificateKeyFile /var/www/SSL/server.key
        # Intermediate CA; SSLCertificateChainFile (2.2) or the chain appended to SSLCertificateFile (2.4.8+)
        # is the directive intended for the chain sent to browsers, so check "Chain issues" in the scan
        SSLCACertificateFile /var/www/SSL/PublicCA2_64.crt
Save, leave the editor, and restart the service:
$ service httpd restart
With the settings above you should get at least a basic Rank A; A+ additionally depends on the Strict-Transport-Security header (SSL Labs requires a max-age of at least 180 days). Before scanning, you can verify locally that a forced TLS 1.1 handshake with openssl s_client is refused and that a TRACE request sent with curl now gets a 403.
Use the SSL Server Test to score the host and fix what it reports:
https://www.ssllabs.com/ssltest/index.html
These two SSLCipherSuite entries show up as WEAK in the scan, but they appear to be what IE needs, so they are kept rather than removed:
ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
SSL Labs marks every CBC-mode suite WEAK, so the two ECDHE-ECDSA CBC entries in the list would be reported the same way on a server with an ECDSA certificate; with an RSA certificate only the RSA suites are offered.
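To check a configuration before sending it to SSL Labs, the following script (an added example, not code from the original post) parses a mod_ssl block and reports the things the scan grades on. It separates what would cost the grade (legacy protocol versions, non-ECDHE or unexpanded cipher tokens, missing cipher ordering, missing or short HSTS, TRACE left enabled) from what SSL Labs only marks WEAK, such as the CBC suites kept above for IE. Both input blocks are constructed inline: the hardened one mirrors the settings above, the stock one is an assumed pre-hardening ssl.conf for contrast. The 180-day HSTS minimum is SSL Labs' published A+ threshold.

```python
"""Offline audit of an Apache mod_ssl block against the points SSL Labs grades on.

Added example, not from the original post. Inputs are constructed inline.
"""
import re

# What 'all' expands to in SSLProtocol; TLSv1.3 only exists with OpenSSL 1.1.1+.
SSL_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
HSTS_MIN_AGE = 180 * 24 * 3600  # 15552000 seconds, SSL Labs' A+ minimum

# Constructed input 1: the post's hardened :443 block, reduced to the TLS-relevant directives.
HARDENED = """
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
"""

# Constructed input 2: an assumed stock ssl.conf before hardening, for contrast.
STOCK = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
"""


def parse(conf):
    """Map lower-cased directive name -> list of values (directives such as Header may repeat)."""
    found = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        found.setdefault(name.lower(), []).append(value.strip())
    return found


def enabled_protocols(value):
    """Expand an SSLProtocol argument the way mod_ssl does: 'all', then +/- modifiers."""
    enabled = set()
    for tok in value.split():
        if tok.lower() == "all":
            enabled |= SSL_ALL
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def audit(conf):
    """Return {'fail': [...], 'weak': [...]}; an empty 'fail' list is what an A/A+ needs."""
    d = parse(conf)
    fail, weak = [], []

    # 1. Protocols: anything below TLS 1.2 still enabled caps the grade.
    for proto in sorted(enabled_protocols(" ".join(d.get("sslprotocol", ["all"]))) & LEGACY):
        fail.append(f"SSLProtocol allows {proto}")

    # 2. Ciphers: explicit ECDHE suites only; CBC suites are reported WEAK rather than failing.
    for suite in filter(None, ":".join(d.get("sslciphersuite", [""])).split(":")):
        if suite.startswith("!") or "-" not in suite:
            fail.append(f"cipher token {suite!r} is an OpenSSL keyword, not an explicit suite; expand with openssl ciphers -v")
        elif not suite.startswith("ECDHE-"):
            fail.append(f"cipher {suite} has no forward secrecy")
        elif "GCM" not in suite and "POLY1305" not in suite:
            weak.append(suite)  # CBC-mode suite, the ones the post keeps for IE

    # 3. Server-side preference order.
    if "on" not in [v.lower() for v in d.get("sslhonorcipherorder", [])]:
        fail.append("SSLHonorCipherOrder is not on")

    # 4. HSTS: needed for A+, with a max-age of at least 180 days.
    hsts = [v for v in d.get("header", []) if "strict-transport-security" in v.lower()]
    if not hsts:
        fail.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts[-1], re.I)
        age = int(m.group(1)) if m else 0
        if age < HSTS_MIN_AGE:
            fail.append(f"HSTS max-age {age} is below the 180-day A+ threshold")
        if "includesubdomains" not in hsts[-1].lower():
            weak.append("HSTS without includeSubDomains")

    # 5. TRACE/TRACK: either TraceEnable off or the RewriteCond/RewriteRule pair returning 403.
    blocked = any(v.lower() == "off" for v in d.get("traceenable", [])) or (
        any("TRACE" in v for v in d.get("rewritecond", []))
        and any("[F]" in v for v in d.get("rewriterule", []))
    )
    if not blocked:
        fail.append("HTTP TRACE is not disabled")

    return {"fail": fail, "weak": weak}


if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED), ("stock", STOCK)):
        result = audit(conf)
        print(f"{label}: {len(result['fail'])} failing, {len(result['weak'])} weak")
        for line in result["fail"] + result["weak"]:
            print("  -", line)
```

Running it prints nothing failing for the hardened block and only the four CBC suites as weak, while the stock block fails on SSLv3/TLS 1.0/1.1, the keyword-only cipher list, missing cipher order, missing HSTS and TRACE. The audit only sees the directives you feed it; the certificate chain and key size still need the live scan.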
If the scan reports a cipher as weak, or there is one you want to add, this is how to convert the IANA name SSL Labs shows into the OpenSSL name SSLCipherSuite expects (openssl ciphers -convert needs OpenSSL 1.1.1 or later):
$ openssl ciphers -convert TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
OpenSSL cipher name: ECDHE-RSA-AES256-SHA384
$ openssl ciphers -convert TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
OpenSSL cipher name: ECDHE-RSA-AES128-SHA256
Cipher suite name (IANA) to OpenSSL name mapping table: https://testssl.sh/openssl-iana.mapping.html
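The renaming that openssl ciphers -convert performs follows a small set of rules, and applying them to a whole list is handy when rebuilding an SSLCipherSuite line from an SSL Labs report. The script below is an added example, not part of the original post: it implements those rules for the common TLS 1.2 families (ECDHE/DHE/RSA key exchange with AES-CBC, AES-GCM, CHACHA20-POLY1305 and 3DES), passes TLS 1.3 names through unchanged as OpenSSL does, and rebuilds the post's ten-suite line from constructed IANA names. Anonymous, export and other legacy suites are outside its scope; for anything unusual the openssl command above remains the authority.

```python
"""Convert IANA cipher-suite names (as SSL Labs prints them) to OpenSSL names for SSLCipherSuite.

Added example, not from the original post; the input list is constructed here.
"""

# Constructed input: the post's ten suites written as SSL Labs / IANA names, in the post's order.
IANA_LIST = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]

# Cipher families whose key size is glued onto the name in OpenSSL: AES_128 -> AES128.
BLOCK_CIPHERS = {"AES", "CAMELLIA"}


def iana_to_openssl(name):
    """TLS_<kx>_WITH_<enc>_<mac> -> OpenSSL form; raises ValueError for input that is not a TLS_ name."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA cipher-suite name: {name}")
    body = name[4:]
    if "_WITH_" not in body:
        return name  # TLS 1.3 suites (TLS_AES_128_GCM_SHA256, ...) keep their IANA names in OpenSSL
    kx, _, rest = body.partition("_WITH_")
    # Plain RSA key exchange is implicit in OpenSSL names (TLS_RSA_WITH_... -> no prefix).
    parts = [] if kx == "RSA" else [kx.replace("_", "-")]

    toks = rest.split("_")
    # The trailing token is the MAC/PRF hash; AEAD-only suites such as AES-CCM have none.
    mac = toks.pop() if toks[-1].startswith("SHA") or toks[-1] == "MD5" else None

    if toks[:3] == ["3DES", "EDE", "CBC"]:
        enc = "DES-CBC3"  # OpenSSL's historical name for triple DES
    elif toks[0] == "CHACHA20":
        enc, mac = "CHACHA20-POLY1305", None  # OpenSSL drops the SHA256 PRF suffix here
    else:
        out, i = [], 0
        while i < len(toks):
            if toks[i] in BLOCK_CIPHERS and i + 1 < len(toks) and toks[i + 1].isdigit():
                out.append(toks[i] + toks[i + 1])  # AES 256 -> AES256
                i += 2
            elif toks[i] == "CBC":
                i += 1  # CBC is the unnamed default mode in OpenSSL names
            else:
                out.append(toks[i])  # GCM and NULL stay as they are
                i += 1
        enc = "-".join(out)

    parts.append(enc)
    if mac:
        parts.append(mac)
    return "-".join(parts)


def ssl_cipher_suite(iana_names):
    """Build the colon-separated SSLCipherSuite value from IANA names, preserving the given order."""
    return ":".join(iana_to_openssl(n) for n in iana_names)


if __name__ == "__main__":
    print("SSLCipherSuite", ssl_cipher_suite(IANA_LIST))
```

Because SSLHonorCipherOrder on makes the list order the server's preference, ssl_cipher_suite keeps the input order: put the GCM and CHACHA20 suites first and the CBC suites you tolerate for IE last, exactly as in the post's line.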
