Security/Certificate/TLS: Difference between revisions

From Chorke Wiki
Jump to navigation Jump to search
← Older editNewer edit →
VisualWikitext
Line 14: Line 14:
==Disable » TLSv1 » TLSv1.1==
==Disable » TLSv1 » TLSv1.1==
==Enable » TLSv1.2 » TLSv1.3==
==Enable » TLSv1.2 » TLSv1.3==
'''Security » Certificate » TLS » cid.chorke.org'''
www.cdn77.com/tls-test/result?domain=cid.chorke.org
'''Security » Certificate » TLS » auto.loanplus.io'''
www.cdn77.com/tls-test/result?domain=auto.loanplus.io
'''Security » Certificate » TLS » apix.loanplus.io'''
www.cdn77.com/tls-test/result?domain=apix.loanplus.io
===Enable » TLSv1.2 » TLSv1.3 » Nginx===
===Enable » TLSv1.2 » TLSv1.3 » Nginx===
* [https://ssl-config.mozilla.org/#server=nginx&version=1.27.3&config=intermediate&openssl=3.4.0&ocsp=false&guideline=5.7 Security » Certificate » TLS » Configuration Generator » Nginx]
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
curl -fsSL https://ssl-config.mozilla.org/ffdhe2048.txt\
curl -fsSL https://ssl-config.mozilla.org/ffdhe2048.txt\
Line 44: Line 54:


===Enable » TLSv1.2 » TLSv1.3 » Apache===
===Enable » TLSv1.2 » TLSv1.3 » Apache===
* [https://ssl-config.mozilla.org/#server=apache&version=2.4.60&config=intermediate&openssl=3.4.0&ocsp=false&guideline=5.7 Security » Certificate » TLS » Configuration Generator » Apache]
===Enable » TLSv1.2 » TLSv1.3 » HAProxy===
===Enable » TLSv1.2 » TLSv1.3 » HAProxy===
* [https://ssl-config.mozilla.org/#server=haproxy&version=3.0&config=intermediate&openssl=3.4.0&guideline=5.7 Security » Certificate » TLS » Configuration Generator » HAProxy]
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then cat ${d}/{fullchain,privkey}.pem|tee ${d}.pem >/dev/null;fi;done
cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then cat ${d}/{fullchain,privkey}.pem|tee ${d}.pem >/dev/null;fi;done
Line 60: Line 74:
CFG
CFG
</syntaxhighlight>
</syntaxhighlight>
===Enable » TLSv1.2 » TLSv1.3 » PostgreSQL===
* [https://ssl-config.mozilla.org/#server=postgresql&version=17.2&config=intermediate&openssl=3.4.0&guideline=5.7 Security » Certificate » TLS » Configuration Generator » PostgreSQL]


==References==
==References==

Revision as of 02:18, 3 June 2025

# TLSv1.3 supported:
# if haproxy -v >= 1.8.1  && openssl -v >= 1.1.1
# if apache2 -v >= 2.4.36 && openssl -v >= 1.1.1
# if nginx   -v >= 1.23.4 && openssl -v >= 1.1.1

openssl  version
openssl -v
haproxy -v
apache2 -v
nginx   -v

Disable » TLSv1 » TLSv1.1

Enable » TLSv1.2 » TLSv1.3

Security » Certificate » TLS » cid.chorke.org
www.cdn77.com/tls-test/result?domain=cid.chorke.org

Security » Certificate » TLS » auto.loanplus.io
www.cdn77.com/tls-test/result?domain=auto.loanplus.io

Security » Certificate » TLS » apix.loanplus.io
www.cdn77.com/tls-test/result?domain=apix.loanplus.io

Enable » TLSv1.2 » TLSv1.3 » Nginx

curl -fsSL https://ssl-config.mozilla.org/ffdhe2048.txt\
 | sudo tee /etc/nginx/dhparam.pem >/dev/null

cat << CFG | sudo tee /etc/nginx/sites-available/academia.chorke.org >/dev/null
server {
  listen 443 ssl;

  ssl on;
  server_name academia.chorke.org;
  ssl_certificate /etc/letsencrypt/live/academia.chorke.org/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/academia.chorke.org/privkey.pem;

  ssl_prefer_server_ciphers on;
  ssl_protocols TLSv1.3 TLSv1.2;
# ssl_dhparam /etc/nginx/dhparam.pem;
# ssl_ciphers "EECDH+AESGCM,EDH+AESGCM";
  ssl_ciphers "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";

# -- skipped --

  error_page 500 502 503 504 /500.html;
  client_max_body_size 25M;
  keepalive_timeout 10;
}
CFG

Enable » TLSv1.2 » TLSv1.3 » Apache

Enable » TLSv1.2 » TLSv1.3 » HAProxy

cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then cat ${d}/{fullchain,privkey}.pem|tee ${d}.pem >/dev/null;fi;done
SSL_CRT_LIST="$(cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then printf "crt ${PWD}/${d}.pem ";fi;done)"
cat << CFG | sudo tee /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg >/dev/null

# ##############################################################################
# https frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
# this config added by chorke academia, inc

frontend           fnt_shahed_biz_ssl
   bind            *:443 ssl ${SSL_CRT_LIST}alpn h2,http/1.1 ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
   mode            http

CFG

Enable » TLSv1.2 » TLSv1.3 » PostgreSQL

References

Retrieved from "https://wiki.chorke.org/index.php?title=Security/Certificate/TLS&oldid=14697"