Security/Certificate/TLS: Difference between revisions
No edit summary |
* [https://stackoverflow.com/questions/52309830/ Security » Certificate » TLSv1. | * [https://stackoverflow.com/questions/52309830/ Security » Certificate » TLSv1.3 & TLSv1.2 » Apache] | ||
* [https://www.cyberciti.biz/faq/configure-nginx-to-use-only-tls-1-2-and-1-3/ Security » Certificate » TLSv1.2 | * [https://www.cyberciti.biz/faq/configure-nginx-to-use-only-tls-1-2-and-1-3/ Security » Certificate » TLSv1.3 & TLSv1.2 » Nginx] | ||
* [https://community.letsencrypt.org/t/how-to-enable-tls-1-3-in-nginx-configuration-solved/136337/9 Security » Certificate » TLSv1.3 » Nginx] | |||
* [[SSH/Public Key Authentication|Security » SSH » Public Key Authentication]] | * [[SSH/Public Key Authentication|Security » SSH » Public Key Authentication]] | ||
Revision as of 14:57, 29 May 2025
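# TLSv1.3 can only be negotiated when BOTH the server build and the OpenSSL it
# links against support it (OpenSSL >= 1.1.1 in every case below):
#   haproxy >= 1.8.1
#   apache2 >= 2.4.36
#   nginx   >= 1.13.0 accepts "TLSv1.3" in ssl_protocols; it is part of the
#           default protocol set from 1.23.4 (verify against the nginx changelog)
#
# Print the installed versions so the numbers above can be checked.
# On RHEL-family systems the Apache binary is "httpd", not "apache2".
haproxy -v
openssl version   # "version" is the documented OpenSSL sub-command for this
apache2 -v
nginx -v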
Disable » TLSv1 » TLSv1.1
Enable » TLSv1.2 » TLSv1.3
Enable » TLSv1.2 » TLSv1.3 » Nginx
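# Install Mozilla's published ffdhe2048 group as the DH parameter file used by the
# EDH (finite-field DHE) ciphers enabled below. If the download fails, tee still
# creates an empty dhparam.pem; the "nginx -t" at the end catches that case.
curl -fsSL https://ssl-config.mozilla.org/ffdhe2048.txt \
    | sudo tee /etc/nginx/dhparam.pem >/dev/null

# Delimiter is quoted on purpose: nothing inside the vhost is meant to be
# expanded by the shell, so a stray "$" in a future edit cannot alter the config.
cat <<'CFG' | sudo tee /etc/nginx/sites-available/academia.chorke.org >/dev/null
server {
    # "ssl on;" removed: the ssl parameter on listen replaced it, the bare directive
    # is deprecated since nginx 1.15.0 and rejected outright by newer releases.
    listen                      443 ssl;
    server_name                 academia.chorke.org;
    ssl_certificate             /etc/letsencrypt/live/academia.chorke.org/fullchain.pem;
    ssl_certificate_key         /etc/letsencrypt/live/academia.chorke.org/privkey.pem;
    ssl_prefer_server_ciphers   on;
    # TLSv1 and TLSv1.1 are excluded simply by not being listed here.
    ssl_protocols               TLSv1.3 TLSv1.2;
    # Applies to TLSv1.2 only; TLSv1.3 suites are fixed by the library
    # (ssl_conf_command Ciphersuites if they ever need narrowing).
    ssl_ciphers                 "EECDH+AESGCM,EDH+AESGCM";
    ssl_dhparam                 /etc/nginx/dhparam.pem;
    # -- skipped --
    error_page                  500 502 503 504 /500.html;
    client_max_body_size        25M;
    keepalive_timeout           10;
}
CFG

# Validate syntax and every referenced file (certificate, key, dhparam) before reloading.
sudo nginx -t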
Enable » TLSv1.2 » TLSv1.3 » Apache
Enable » TLSv1.2 » TLSv1.3 » HAProxy
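# Build one HAProxy-style PEM (full chain followed by private key) per Let's Encrypt
# lineage. Runs in a subshell so the caller's working directory is left alone, and
# under umask 077 so the file holding the private key is not created with the
# world-readable mode a default tee/redirect would give it; chmod covers re-runs
# on files that already exist. Needs root (the live/ tree is normally root-only).
# Re-run after every renewal (e.g. from a certbot deploy hook) or the combined
# files go stale while the originals are refreshed.
(
    cd /etc/letsencrypt/live/ && umask 077 && for lineage in *; do
        if [ -d "${lineage}" ]; then
            cat "${lineage}/fullchain.pem" "${lineage}/privkey.pem" > "${lineage}.pem"
            chmod 600 "${lineage}.pem"
        fi
    done
)

# One "crt <path> " token per lineage. printf gets the values as arguments rather
# than inside the format string; the trailing space in the format is what
# separates the last path from "alpn" on the bind line below.
SSL_CRT_LIST="$(
    cd /etc/letsencrypt/live/ && for lineage in *; do
        if [ -d "${lineage}" ]; then printf 'crt %s/%s.pem ' "${PWD}" "${lineage}"; fi
    done
)"

# Delimiter is intentionally unquoted so ${SSL_CRT_LIST} expands; the rest of the
# config contains no "$", so nothing else is touched by the shell.
cat << CFG | sudo tee /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg >/dev/null
# ##############################################################################
# https frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
# this config added by chorke academia, inc
frontend fnt_shahed_biz_ssl
    bind *:443 ssl ${SSL_CRT_LIST}alpn h2,http/1.1 ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
    mode http
CFG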
References