
More than 1 year has passed since last update.

【Rocky Linux 9】13. SSL configuration (Apache)


Enabling SSL for Apache

Enable SSL (HTTPS) on Apache using the SSL certificate obtained from Let's Encrypt.

Installing mod_ssl

dnf install mod_ssl
mv /etc/httpd/conf.modules.d/ssl.conf /etc/httpd/conf.modules.d/ssl.conf.org

Basic SSL settings

/etc/httpd/conf.modules.d/ssl.conf
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 3600
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
SSLStrictSNIVHostCheck off

SSLProtocol -all +TLSv1.2 +TLSv1.3

SSLCipherSuite "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA"
SSLProxyCipherSuite "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA"

SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

SSLUseStapling On
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/run/httpd/stapling_cache(128000)

/etc/httpd/conf.modules.d/00-base.conf
# Required for SSL
LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

/etc/httpd/conf.modules.d/10-h2.conf
LoadModule http2_module modules/mod_http2.so

/etc/httpd/conf.modules.d/10-proxy_h2.conf
LoadModule proxy_http2_module modules/mod_proxy_http2.so

Virtual host SSL settings

/etc/httpd/conf.d/virtualhost.example.com.conf
<VirtualHost *:80>
    ServerName      example.com
    DocumentRoot    /var/www/example.com
    ErrorLog        logs/example.com/error_log
    CustomLog       logs/example.com/access_log combined env=!nolog
</VirtualHost>

<VirtualHost *:443>
    ServerName      example.com
    DocumentRoot    /var/www/example.com
    ErrorLog        logs/example.com/ssl_error_log
    CustomLog       logs/example.com/ssl_access_log combined env=!nolog
    Protocols       h2 http/1.1

    SSLEngine       on
    SSLCertificateFile      /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>

Restart Apache

systemctl restart httpd
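As an added example (not part of the original article and not httpd's own code), the following Python script audits the ssl.conf and :443 virtual-host settings above offline, so the check can be run before the restart. The constants SSL_CONF and VHOST_CONF are constructed sample input copied from the article. The script expands the SSLProtocol +/- tokens to see which versions remain negotiable, flags cipher suites that use a legacy algorithm or lack forward secrecy, verifies the hardening switches (SSLCompression, SSLSessionTickets, SSLHonorCipherOrder, SSLUseStapling) and the HSTS max-age, and can emit the cipher string with the flagged suites removed. The directive parser and the "all" expansion are simplified models of httpd's behaviour. Run against the article's settings it reports two things: the EDH-RSA-DES-CBC3-SHA (3DES) suite at the end of SSLCipherSuite, and SSLCertificateChainFile, which httpd has deprecated since 2.4.8 in favour of loading fullchain.pem through SSLCertificateFile.

```python
# Added example, not the article's code: an offline audit of the ssl.conf and :443
# virtual-host settings shown above. SSL_CONF and VHOST_CONF are constructed sample
# input copied from the article; the parser and the SSLProtocol model are simplified.
import re

SSL_CONF = '''\
Listen 443 https
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA"
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling On
'''

VHOST_CONF = '''\
<VirtualHost *:443>
    ServerName      example.com
    SSLEngine       on
    SSLCertificateFile      /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
'''

ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # must not stay negotiable
# Name fragments marking a suite as legacy: 3DES, RC4, no encryption, export, MD5, anonymous DH
WEAK_MARKERS = ("DES-CBC3", "RC4", "NULL", "EXP", "MD5", "ADH", "AECDH")


def parse_directives(text):
    """Map lower-cased directive name -> first value; comments, blanks, <tags> skipped."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # SSLCipherSuite "..." is quoted as one argument
        found.setdefault(parts[0].lower(), value)
    return found


def enabled_protocols(value):
    """Apply SSLProtocol's [+|-]name tokens left to right; 'all' means every version."""
    enabled = set()
    for token in value.split():
        sign = token[0] if token[0] in "+-" else "+"
        name = token.lstrip("+-")
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def cipher_issues(name):
    """Why one OpenSSL suite name should not be offered (empty list = acceptable)."""
    issues = []
    if any(marker in name for marker in WEAK_MARKERS):
        issues.append("legacy algorithm")
    if not name.startswith(("ECDHE-", "DHE-", "EDH-")):
        issues.append("no forward secrecy")
    return issues


def hardened_cipher_string(cipher_string):
    """The same SSLCipherSuite value with problematic suites dropped, order preserved."""
    return " ".join(c for c in cipher_string.split() if not cipher_issues(c))


def hsts_max_age(vhost_conf):
    """max-age from a Strict-Transport-Security Header line, or None if absent."""
    match = re.search(r'Strict-Transport-Security\s+"?max-age=(\d+)', vhost_conf)
    return int(match.group(1)) if match else None


def audit(ssl_conf, vhost_conf):
    """Human-readable findings for both files; an empty list means nothing to fix."""
    ssl, vhost = parse_directives(ssl_conf), parse_directives(vhost_conf)
    findings = []
    legacy = enabled_protocols(ssl.get("sslprotocol", "all")) & LEGACY_PROTOCOLS
    if legacy:
        findings.append("SSLProtocol still allows " + ", ".join(sorted(legacy)))
    for cipher in ssl.get("sslciphersuite", "").split():
        if cipher_issues(cipher):
            findings.append(f"SSLCipherSuite includes {cipher}: {', '.join(cipher_issues(cipher))}")
    for name, wanted in (("SSLCompression", "off"), ("SSLSessionTickets", "off"),
                         ("SSLHonorCipherOrder", "on"), ("SSLUseStapling", "on")):
        if ssl.get(name.lower(), "").lower() != wanted:
            findings.append(f"{name} should be {wanted}")
    if vhost.get("sslengine", "").lower() != "on":
        findings.append("SSLEngine is not on in the :443 virtual host")
    if "sslcertificatechainfile" in vhost:
        findings.append("SSLCertificateChainFile is deprecated since httpd 2.4.8; "
                        "load fullchain.pem through SSLCertificateFile instead")
    max_age = hsts_max_age(vhost_conf)
    if max_age is None or max_age < 31536000:
        findings.append("Strict-Transport-Security max-age is missing or under one year")
    return findings
```

Call audit(SSL_CONF, VHOST_CONF) to get the finding list (two entries for the article's settings), or replace the two constants with the contents of the real files; hardened_cipher_string() gives the SSLCipherSuite value to paste back once the 3DES suite is dropped. An empty finding list is what you want before running systemctl restart httpd.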