How to enable TLSv1.3 on NGINX. VestaCP on CentOS with OpenSSL

In this tutorial we will see how to enable TLSv1.3 on NGINX, understand a little what TLS 1.3 is, what it is good for, and what the web server needs before TLS 1.3 can be enabled at all. We will also see why enabling TLS 1.3 on a server with VestaCP (CentOS or Ubuntu) is somewhat harder than on a server with cPanel, or on a server with no hosting management software at all.

Why is TLS 1.3 better than TLS 1.2?

TLS (Transport Layer Security) is a cryptographic protocol that secures the connection between two endpoints communicating over a network. TLS is used by applications such as email, messaging, voice and video calls (VoIP), and above all HTTPS, where it protects the traffic between the user's computer or smartphone and the web server of the site being visited.

TLSv1.3 offers a faster client-server connection (the handshake takes one round trip instead of two) and better security by removing legacy algorithms: RSA key transport, static Diffie-Hellman, RC4, 3DES, CBC-mode suites, MD5 and SHA-1 based MACs, compression and renegotiation are all gone, so every TLS 1.3 cipher suite is an AEAD suite with forward secrecy. A separate article covers the differences between TLSv1.2 and TLSv1.3 in detail.

HTTPS and SSL (Secure Sockets Layer) have also come up in other articles on this site.

How to enable TLSv1.3 on NGINX. Server with VestaCP installed on CentOS

Before we look at how to enable TLSv1.3 on NGINX, a minimum set of software and libraries has to be in place.

  1. NGINX 1.13.x or newer (TLS 1.3 support was added in nginx 1.13.0)
  2. NGINX built against OpenSSL 1.1.1 or newer; this is the requirement an older VestaCP install usually fails, and the rest of this tutorial is about fixing it
  3. An active domain name with DNS configured correctly, reachable from the internet
  4. A valid TLS / SSL certificate. It can also be a Let's Encrypt one.

On a VestaCP installed a long time ago, only TLS 1.2 is available. Many tutorials claim that it is enough to add the following line to nginx.conf for TLS 1.3 to be enabled:

server {

  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name example.com;
  root /var/www/example.com/public;

  ssl_certificate /path/to/your/certificate.crt;
  ssl_certificate_key /path/to/your/private.key;

  ssl_protocols TLSv1.2 TLSv1.3;
}

False. On a CentOS server with VestaCP where NGINX was not compiled against at least OpenSSL 1.1.1, the line ssl_protocols TLSv1.2 TLSv1.3; in nginx.conf does absolutely nothing: OpenSSL 1.0.2 does not implement TLS 1.3, and nginx cannot offer a protocol version that its TLS library lacks. Check what nginx was built with:

[root@north ~]# nginx -V
nginx version: nginx/1.22.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled

So in the example above Nginx 1.22.0 itself is TLSv1.3-capable, but the OpenSSL 1.0.2k-fips library it was built with is not. The decisive line is "built with OpenSSL ...". Note that nginx -V prints to stderr, so when you want to grep it use nginx -V 2>&1.
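The check above as a small script, added here as an example (not part of the original tutorial): it parses the "nginx version" and "built with OpenSSL" lines of nginx -V, compares them numerically against the minimums (nginx 1.13.0, OpenSSL 1.1.1) and says whether this binary can negotiate TLS 1.3 at all. The two sample outputs are constructed from the page's own nginx -V excerpts; the function names are my own.

```shell
#!/bin/sh
# Added example: can this nginx binary negotiate TLS 1.3?
# Only the "built with OpenSSL" line matters: nginx can offer exactly the
# protocol versions implemented by the library it was compiled against.
# nginx -V writes to stderr, hence the 2>&1 when capturing it below.

# Constructed samples, copied from the tutorial's before/after nginx -V output.
SAMPLE_OLD=$(cat <<'EOF'
nginx version: nginx/1.22.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
EOF
)
SAMPLE_NEW=$(cat <<'EOF'
nginx version: nginx/1.22.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.1.1p  21 Jun 2022
TLS SNI support enabled
EOF
)

# version_ge A B -> prints 1 when dotted version A >= B, else 0.
# Fields are compared numerically, so 1.22.0 > 1.13.0 and 1.0.2 < 1.1.1.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) { print 1; exit }
            if (x < y) { print 0; exit }
        }
        print 1
    }'
}

# Extract "1.22.0" from "nginx version: nginx/1.22.0".
nginx_version() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'
}

# Extract "1.0.2" from "built with OpenSSL 1.0.2k-fips  26 Jan 2017".
# The patch letter (k, p, ...) is dropped on purpose: any 1.1.1x is enough.
openssl_build_version() {
    printf '%s\n' "$1" | sed -n 's#^built with OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*#\1#p'
}

# tls13_capable TEXT -> prints the verdict; exit status 0 = yes, 1 = no, 2 = unparsable.
tls13_capable() {
    ngx=$(nginx_version "$1")
    ssl=$(openssl_build_version "$1")
    if [ -z "$ngx" ] || [ -z "$ssl" ]; then
        echo "cannot parse nginx -V output"
        return 2
    fi
    if [ "$(version_ge "$ngx" 1.13.0)" = 1 ] && [ "$(version_ge "$ssl" 1.1.1)" = 1 ]; then
        echo "yes (nginx $ngx, OpenSSL $ssl)"
        return 0
    fi
    echo "no (nginx $ngx, OpenSSL $ssl)"
    return 1
}

# Run against the constructed samples, then against the real binary if there is one.
for sample in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    tls13_capable "$sample" || echo "  -> rebuild nginx against OpenSSL >= 1.1.1"
done
if command -v nginx >/dev/null 2>&1; then
    tls13_capable "$(nginx -V 2>&1)" || true
fi
```

On the server from the tutorial the first sample gives "no (nginx 1.22.0, OpenSSL 1.0.2)" and the second "yes (nginx 1.22.0, OpenSSL 1.1.1)"; the exit status makes the function usable from a deployment check.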

To enable TLSv1.3 on Nginx we first need the compilation libraries and development packages (Development Tools). On CentOS 7 run:

yum install gcc gcc-c++ pcre-devel zlib-devel make unzip gd-devel perl-ExtUtils-Embed libxslt-devel openssl-devel perl-Test-Simple
yum groupinstall 'Development Tools'

1. Install the latest OpenSSL version

At the time of writing (June 2022) the latest release of the 1.1.1 branch is OpenSSL 1.1.1p, although OpenSSL 3 is already available. The sources are on OpenSSL.org. Keep in mind that the 1.1.1 branch reached end of life in September 2023 and no longer receives security fixes, so on a server built today use a currently supported 3.x tarball instead; the steps below are the same apart from the version number.

cd /usr/src
wget https://www.openssl.org/source/openssl-1.1.1p.tar.gz
tar xvf openssl-1.1.1p.tar.gz 
mv openssl-1.1.1p openssl
cd openssl
./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl --libdir=/lib64 shared zlib-dynamic
make -j4
make test 
make install 

It is very important to run make test before installing the library. If the tests report errors, do not run make install until they are fixed.

Next, back up the current openssl binary and point a symlink at the new one. Be aware that /usr/bin/openssl belongs to the openssl RPM, so a later yum update openssl will silently put the distribution binary back; if you rely on the new CLI, exclude the package in /etc/yum.conf or call /usr/local/openssl/bin/openssl by its full path.

mv /usr/bin/openssl /usr/bin/openssl-backup
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl

In /usr/local/openssl/bin run ldd to check which shared libraries the new openssl binary resolves to: they must be the freshly built libssl.so.1.1 and libcrypto.so.1.1, not the distribution's 1.0.2 libraries. Because we configured --libdir=/lib64, the new libraries sit next to the system's libssl.so.10 / libcrypto.so.10; the sonames differ, so nothing belonging to the openssl-libs package is overwritten. Also check the version with openssl version. One more consequence of --openssldir=/usr/local/openssl: this binary looks for CA certificates under /usr/local/openssl (certs/ and cert.pem), not in /etc/pki/tls, so pass -CAfile /etc/pki/tls/certs/ca-bundle.crt to openssl s_client (or symlink the system bundle there), otherwise chain verification fails with "unable to get local issuer certificate".

[root@north bin]# ldd openssl
	linux-vdso.so.1 =>  (0x00007ffd20bd7000)
	libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fab09b62000)
	libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007fab09675000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007fab09471000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fab09255000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fab08e87000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fab09df5000)
[root@north bin]# openssl version
OpenSSL 1.1.1p  21 Jun 2022

We now have the latest OpenSSL version that supports TLSv1.3 installed. The protocol versions the library knows about can be listed with the following command, which prints the second column of openssl ciphers -v (the protocol version each cipher suite belongs to). TLSv1.3 rows appearing here confirm that the TLS 1.3 suites are compiled in. This is a list of cipher suites the library was built with, not of protocols that are enabled: an SSLv3 row does not mean SSLv3 can be negotiated, since OpenSSL 1.1.1 is built with no-ssl3 by default.

[root@north bin]# openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv3
TLSv1
TLSv1.2
TLSv1.3
[root@north bin]# 

That does not mean the websites hosted on VestaCP will have TLS 1.3 straight away. Nginx itself has not been compiled against the new OpenSSL yet.

Although OpenSSL 1.1.1p is installed, Nginx is still built with the old OpenSSL 1.0.2k-fips:

[root@north bin]# nginx -V
nginx version: nginx/1.22.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
[root@north bin]# openssl version
OpenSSL 1.1.1p  21 Jun 2022
[root@north bin]# 

2. Recompiling Nginx on VestaCP

In this step we recompile, against the new OpenSSL, the Nginx version already installed on CentOS / VestaCP. As mentioned above, in my case that is nginx/1.22.0. Since this web server is managed by VestaCP, it is a good idea to back up the nginx configuration files before starting the rebuild.

Backing up the current Nginx on VestaCP

Archive the directories "/etc/nginx" and "/usr/local/vesta/nginx" and keep the archive somewhere on the server.

Run nginx -V and save the existing configure arguments (the list of modules, paths and compiler flags) to a file. They are reused verbatim below, so the rebuilt binary keeps exactly the same modules, paths and hardening flags (-D_FORTIFY_SOURCE=2, -fstack-protector-strong, -Wl,-z,relro -Wl,-z,now -pie) as the RPM build:

configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

Downloading and recompiling Nginx

Again: if you have VestaCP, download the exact Nginx version you already have installed. All Nginx release archives are on nginx.org.

cd /usr/src
wget https://nginx.org/download/nginx-1.22.0.tar.gz 
tar xvf nginx-1.22.0.tar.gz
cd nginx-1.22.0

Configure nginx with the same modules as before, plus --with-openssl pointing at the OpenSSL source tree unpacked in step 1. Every line except the last must end in a backslash immediately followed by the newline (a space after the backslash turns it into an escaped space and the command breaks), and the single-quoted --with-cc-opt value must stay on one line, because a backslash inside single quotes is literal:

./configure --prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--modules-path=/usr/lib64/nginx/modules \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--http-client-body-temp-path=/var/cache/nginx/client_temp \
--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
--user=nginx \
--group=nginx \
--with-compat \
--with-file-aio \
--with-threads \
--with-http_addition_module \
--with-http_auth_request_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_mp4_module \
--with-http_random_index_module \
--with-http_realip_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_sub_module \
--with-http_v2_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_realip_module \
--with-stream_ssl_module \
--with-stream_ssl_preread_module \
--with-openssl=/usr/src/openssl \
--with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' \
--with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
make -j4
make install
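An added example (my own, not from the tutorial) that removes the need to retype the configure line by hand, which is where the backslash mistakes creep in: it takes the "configure arguments:" line straight from nginx -V, strips any existing --with-openssl flag, appends ours, and re-parses the result with eval so that the single-quoted --with-cc-opt / --with-ld-opt values survive as one argument each. The nginx -V text embedded is a constructed, shortened version of the page's own; rebuild_nginx, the source path /usr/src/nginx-1.22.0 and the OpenSSL tree /usr/src/openssl are assumptions taken from the steps above.

```shell
#!/bin/sh
# Added example: rebuild nginx with exactly the flags of the installed binary
# plus --with-openssl=DIR, without retyping the configure line.

# Constructed, shortened nginx -V output for the offline run below; on the
# server capture the real one with `nginx -V 2>&1` (it goes to stderr).
SAMPLE_V=$(cat <<'EOF'
nginx version: nginx/1.22.0
built with OpenSSL 1.1.1p  21 Jun 2022
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-cc-opt='-O2 -g -pipe' --with-ld-opt='-Wl,-z,relro'
EOF
)

# configure_args TEXT -> the flags after "configure arguments: " (one line).
configure_args() {
    printf '%s\n' "$1" | sed -n 's/^configure arguments: //p'
}

# with_openssl ARGS DIR -> ARGS with any old --with-openssl=... removed and
# --with-openssl=DIR appended, so running this twice does not duplicate the flag.
with_openssl() {
    printf '%s --with-openssl=%s\n' "$(printf '%s' "$1" | sed 's/ --with-openssl=[^ ]*//g')" "$2"
}

# Why eval is needed: the flags contain quoted values such as
# --with-cc-opt='-O2 -g -pipe'. Plain word splitting tears them apart;
# eval re-parses the quotes the way the shell did when the RPM was built.
arg_count_naive() { set -- $1; echo $#; }         # wrong: splits inside the quotes
arg_count_eval()  { eval "set -- $1"; echo $#; }  # right: honours the quotes

# rebuild_nginx SRCDIR OPENSSLDIR: configure, build and install nginx from SRCDIR.
# Assumed paths: SRCDIR=/usr/src/nginx-1.22.0, OPENSSLDIR=/usr/src/openssl.
# nginx's own makefile then re-runs OpenSSL's ./config in OPENSSLDIR and links it statically.
rebuild_nginx() {
    args=$(with_openssl "$(configure_args "$(nginx -V 2>&1)")" "$2")
    cd "$1" || return 1
    eval "./configure $args" && make -j"$(nproc)" && make install
}

# Offline demonstration on the constructed sample.
ARGS=$(with_openssl "$(configure_args "$SAMPLE_V")" /usr/src/openssl)
printf '%s\n' "$ARGS"
echo "naive split: $(arg_count_naive "$ARGS") args, eval: $(arg_count_eval "$ARGS") args"
# On the server, after backing up /etc/nginx:
# rebuild_nginx /usr/src/nginx-1.22.0 /usr/src/openssl && nginx -t && systemctl restart nginx
```

On the sample the naive split yields 7 arguments and the eval form the correct 5; with the full flag list from the page the difference is larger still, which is why a hand-typed configure line with a stray space after a backslash fails in confusing ways.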

Nginx is now installed and compiled with the latest OpenSSL version that supports TLSv1.3. Because --with-openssl points at a source tree, nginx's build runs OpenSSL's own ./config in that tree (with no-shared) and links libssl and libcrypto statically, so the new binary does not depend on /lib64/libssl.so.1.1 at runtime; nginx -V now reports the OpenSSL it was built with, and its configure arguments line gains --with-openssl=/usr/src/openssl. Two caveats: /usr/sbin/nginx belongs to the nginx RPM, so a later yum update nginx would replace the rebuilt binary with the distribution one (add exclude=nginx to the [main] section of /etc/yum.conf, or use yum versionlock, and repeat this build when you upgrade); and the running worker processes keep using the old binary until nginx is restarted.

[root@north bin]# nginx -V
nginx version: nginx/1.22.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.1.1p  21 Jun 2022
TLS SNI support enabled

How to enable TLSv1.3 for domains on VestaCP

In /etc/nginx/nginx.conf, inside the http { } block, add the following lines:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

Two things to know about these directives. ssl_ciphers only governs the TLS 1.2 (and older) cipher suites: the TLS 1.3 suites (TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256) come from a separate OpenSSL list, which nginx 1.19.4 and later exposes through the ssl_conf_command Ciphersuites directive; the OpenSSL default is already AEAD-only with forward secrecy, so it can be left alone. In the list above, the last four suites (the ECDHE-...-SHA384 and ECDHE-...-SHA256 entries without GCM) are CBC-mode suites kept only for old clients; remove them if you do not need that compatibility. ssl_prefer_server_ciphers on makes the server's order, rather than the client's, decide the suite for TLS 1.2 clients.

At domain level I also changed something in the VestaCP templates to enable HTTP/2, so when a new domain (example.com) is added with Let's Encrypt enabled I get the following SSL configuration file:

cat /home/vestacpuser/conf/web/example.com.nginx.ssl.conf 

server {
    listen      IP.IP.IP.IP:443 ssl http2;
    server_name example.com www.example.com;
    root        /home/vestacpuser/web/example.com/public_html;
    index       index.php index.html index.htm;
    access_log  /var/log/nginx/domains/example.com.log combined;
    access_log  /var/log/nginx/domains/example.com.bytes bytes;
    error_log   /var/log/nginx/domains/example.com.error.log error;

    ssl_certificate      /home/vestacpuser/conf/web/ssl.example.com.pem;
    ssl_certificate_key  /home/vestacpuser/conf/web/ssl.example.com.key;

....

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

Before restarting nginx, test its configuration:

[root@north web]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@north web]# systemctl restart nginx
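To verify the result from the outside, here is an added example (mine, not from the tutorial): it runs openssl s_client against the domain once per protocol version, parses the "New, <protocol>, Cipher is <suite>" summary line and the "Verify return code" line, and checks the policy the configuration above expresses: TLS 1.3 and TLS 1.2 negotiate, TLS 1.1 and TLS 1.0 are refused. The -CAfile path is CentOS 7's system bundle, needed because the OpenSSL built above looks for CAs under /usr/local/openssl. The two s_client transcripts embedded are constructed and trimmed so the parsers can be exercised offline, and example.com stands in for your domain.

```shell
#!/bin/sh
# Added example: probe a live server per TLS version and check the policy
# "1.3 and 1.2 accepted, 1.1 and 1.0 refused". Usage: ./tlsprobe.sh example.com

# CentOS 7 system CA bundle; the self-built openssl would otherwise look in
# /usr/local/openssl and report "unable to get local issuer certificate".
CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt

# Constructed, trimmed s_client transcripts: a successful TLS 1.3 handshake,
# and a server refusing the requested protocol version.
SAMPLE_OK=$(cat <<'EOF'
CONNECTED(00000003)
---
SSL handshake has read 2968 bytes and written 394 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
EOF
)
SAMPLE_REFUSED=$(cat <<'EOF'
CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
EOF
)

# handshake_result TEXT -> "TLSv1.3 TLS_AES_256_GCM_SHA384", or "refused" when
# no cipher was negotiated. Handles both the "New," and "Reused," summary lines.
handshake_result() {
    line=$(printf '%s\n' "$1" | sed -n -e 's/^New, //p' -e 's/^Reused, //p' \
           | sed 's/, Cipher is / /' | head -n 1)
    case $line in
        ""|"(NONE) (NONE)") echo refused ;;
        *)                  echo "$line" ;;
    esac
}

# verify_result TEXT -> the text after "Verify return code: ", e.g. "0 (ok)".
# Anything else means the chain did not validate against the CA bundle used.
verify_result() {
    printf '%s\n' "$1" | sed -n 's/^Verify return code: //p' | head -n 1
}

# tls_probe HOST FLAG: FLAG is -tls1_3, -tls1_2, -tls1_1 or -tls1.
# -servername sends SNI so the right virtual host (and certificate) answers.
tls_probe() {
    out=$(openssl s_client -connect "$1:443" -servername "$1" "$2" \
              -CAfile "$CA_BUNDLE" </dev/null 2>&1)
    handshake_result "$out"
}

# policy_ok R13 R12 R11 R10 -> exit 0 when the four results match the policy.
policy_ok() {
    case $1 in "TLSv1.3 "*) ;; *) return 1 ;; esac
    case $2 in "TLSv1.2 "*) ;; *) return 1 ;; esac
    [ "$3" = refused ] && [ "$4" = refused ]
}

# Offline run on the constructed transcripts.
echo "sample ok:      $(handshake_result "$SAMPLE_OK") / verify: $(verify_result "$SAMPLE_OK")"
echo "sample refused: $(handshake_result "$SAMPLE_REFUSED")"

# Live run when a hostname is given and openssl is available.
if [ -n "${1:-}" ] && command -v openssl >/dev/null 2>&1; then
    r13=$(tls_probe "$1" -tls1_3); r12=$(tls_probe "$1" -tls1_2)
    r11=$(tls_probe "$1" -tls1_1); r10=$(tls_probe "$1" -tls1)
    printf 'TLS1.3: %s\nTLS1.2: %s\nTLS1.1: %s\nTLS1.0: %s\n' "$r13" "$r12" "$r11" "$r10"
    if policy_ok "$r13" "$r12" "$r11" "$r10"; then echo "policy: OK"; else echo "policy: FAIL"; fi
fi
```

If TLS 1.3 still shows as refused after the rebuild, check that the restarted master process is the new binary (nginx -V again, and ps for its start time) and that the ssl_protocols line actually reaches the domain's server block; a TLS 1.2 result with a CBC suite means a client that prefers the tail of the ssl_ciphers list, which is what the note above about dropping those suites is for.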

I hope this tutorial is useful; if something does not work, leave the details of the problem in the comments.

Stealth

Passionate about technology, I like to test and write tutorials about the macOS, Linux and Windows operating systems, about WordPress, WooCommerce and configuring LEMP web servers (Linux, NGINX, MySQL and PHP). I have been writing on StealthSettings.com since 2006, and a few years later I started writing tutorials and news on iHowTo.Tips about devices in the Apple ecosystem: iPhone, iPad, Apple Watch, HomePod, iMac, MacBook, AirPods and accessories.
