最後更新: 2022-01-17
Software 要求
- Apache >= 2.2.23
- OpenSSL >= 1.0.1
Check Version
- httpd -v
- openssl version
測試
# List the first four cipher suites the local OpenSSL tags as TLSv1.2-only;
# "no cipher match" here means this OpenSSL build cannot speak TLS 1.2.
openssl ciphers -v 'TLSv1.2' | head -n 4
CentOS 7
# Client-side check from CentOS 7: force a TLS 1.2 handshake against the
# site. The handshake fails if the server still only offers older protocols.
curl --tlsv1.2 'https://datahunter.org'
Debian 10
/etc/ssl/openssl.cnf
[system_default_sect]
# Debian 10 (buster) ships these system-wide OpenSSL defaults: no protocol
# below TLS 1.2 is negotiated, and security level 2 (roughly 112-bit
# security: e.g. RSA keys under 2048 bits and RC4 are refused) trims the
# suite list. A server limited to TLS 1.0/1.1 is therefore rejected with
# the curl "unsupported protocol" error shown below.
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Installation
CentOS 6.10 有 OpenSSL 1.0.1e, 所以 upgrade Apache 就可以用到 TLS 1.2 了
(CentOS 6's Apache version: 2.2.15)
1. Install required tools for compilation
# Build toolchain plus the -devel headers httpd's configure looks for
# (libmagic for mod_mime_magic, PCRE, OpenSSL, zlib, expat).
# libnghttp2-devel is only consumed by mod_http2 (httpd 2.4+), so it is
# unused by this 2.2 build.
yum groupinstall "Development Tools"
yum -y install file-devel pcre-devel openssl-devel zlib-devel expat-devel libnghttp2-devel
# NOTE(review): httpd is built below against the apr/apr-util unpacked
# into srclib/ (step 3) — confirm the distro apr packages are still needed.
yum install apr apr-util
Remark
- apr: Apache Portable Runtime library
- apr-util: Apache Portable Runtime Utility library
2. Download & Unpack source code
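# Fetch the three source archives into /usr/src/httpd and unpack them.
mkdir -p /usr/src/httpd && cd /usr/src/httpd || exit 1
URL=https://github.com/apache
# GitHub archive paths are <org>/<repo>/archive/<tag>; the original line
# doubled "apache" (…/apache/apache/httpd/…), which is not a valid repo path.
# -f makes curl fail on an HTTP error instead of saving the error page.
curl -fL "$URL/httpd/archive/2.2.34.tar.gz" -o httpd-2.2.34.tar.gz || exit 1
# httpd-2.2.34 needs apr >= 1.4.x (the apr on CentOS 6 is older), so the
# build uses these bundled copies, moved into srclib/ in step 3.
curl -fL "$URL/apr/archive/1.7.0.tar.gz" -o apr-1.7.0.tar.gz || exit 1
curl -fL "$URL/apr-util/archive/1.6.1.tar.gz" -o apr-util-1.6.1.tar.gz || exit 1
# NOTE(review): GitHub tag archives are generated on the fly and carry no
# ASF release signature; compare them against the official release
# checksums/signatures before building from them.
tar -zxf httpd-2.2.34.tar.gz
tar -zxf apr-1.7.0.tar.gz
tar -zxf apr-util-1.6.1.tar.gz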
3. Apache requires APR library for compilation
# Place the bundled APR copies where httpd's build looks for them.
# NOTE(review): confirm in configure's output that srclib/apr is the one
# picked up rather than the distro apr.
mv -- apr-1.7.0 httpd-2.2.34/srclib/apr
mv -- apr-util-1.6.1 httpd-2.2.34/srclib/apr-util
4. configure & compile
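# Enter the source tree and generate ./configure. Both steps are fatal
# if they fail, so stop here rather than running configure in the wrong dir.
cd httpd-2.2.34 || exit 1
./buildconf || exit 1  # generates ./configure (needs the autotools from step 1)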
5. 優化 (compiler flags)
# Optimisation flags for the build; -march=x86-64 is the generic 64-bit
# baseline so the binary runs on any x86-64 CPU. These are speed flags
# only — PIE comes from --enable-pie in the configure step.
export CFLAGS="-march=x86-64 -O3 -pipe"
export CPPFLAGS="$CFLAGS"
6. ./configure
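# Install layout mirrors the CentOS httpd package so the existing config in
# /etc/httpd and modules in /usr/lib/httpd/modules keep working after
# "make install" (step 8). prefork is the non-threaded MPM the distro
# libphp5.so reused in step 8 expects. mod_ssl links against the system
# OpenSSL (1.0.1e on CentOS 6.10, which has TLS 1.2). mod_reqtimeout gives
# a slow-request defence; userdir/imagemap/cgi are left out of the build.
# NOTE(review): on x86_64 CentOS the distro library dir is /usr/lib64 —
# confirm --libdir before installing.
./configure \
  --prefix=/etc/httpd \
  --exec-prefix=/etc/httpd \
  --bindir=/usr/bin \
  --sbindir=/usr/sbin \
  --mandir=/usr/share/man \
  --libdir=/usr/lib \
  --sysconfdir=/etc/httpd/conf \
  --includedir=/usr/include/httpd \
  --libexecdir=/usr/lib/httpd/modules \
  --datadir=/var/www \
  --with-mpm=prefork --enable-vhost-alias \
  --enable-so --with-pcre --enable-pie \
  --enable-ssl --with-ssl \
  --enable-authn-anon --enable-authn-alias \
  --enable-reqtimeout \
  --enable-rewrite \
  --enable-mime-magic \
  --enable-deflate \
  --enable-speling \
  --enable-headers --enable-expires \
  --with-installbuilddir=/usr/lib/httpd/build \
  --disable-userdir --disable-imagemap --disable-cgi || exit 1
# Bound parallelism to the CPU count; a bare "make -j" forks unlimited jobs
# and can exhaust memory on a small box.
make -j"$(nproc)" || exit 1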
7. Install & Test
# Sanity-check the freshly built binary in the source tree before installing:
# -V prints the build settings, -t parses the existing config. The -t run
# may fail on LoadModule lines for modules this build did not produce.
./httpd -V
./httpd -t
8. Migrate
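# Restrict who can reach the web ports while the migration runs: in
# /etc/sysconfig/iptables disable the open 80/443 rules and enable the ones
# limited to the admin source address (S.S.S.S is the page's placeholder).
# The file only takes effect when the iptables service (re)loads it.
vim /etc/sysconfig/iptables
# The relevant lines in that file (the two "#-A" rules are the restricted
# variants, swapped in for the open ones during the migration):
#   # Web
#   -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#   -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#   #-A INPUT -s S.S.S.S -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#   #-A INPUT -s S.S.S.S -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT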
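# Switch over: stop the old server, keep the old config/modules/headers
# aside, install the new build, then test before starting it again.
service httpd stop
# /etc/httpd.bak also holds the vhost private keys (the ssl/… paths under
# ServerRoot); cp -a keeps their modes — delete the copy once the
# migration is verified so the keys do not linger in two places.
cp -a /etc/httpd /etc/httpd.bak
mv /usr/lib/httpd/modules /usr/lib/httpd/modules.bak
mv /usr/include/httpd /usr/include/httpd.bak
# A partial install would leave the site down with a broken tree; stop here.
make install || exit 1
# fcgid.conf is parked, presumably because mod_fcgid is not part of this
# build and its LoadModule would make httpd -t fail.
mv /etc/httpd/conf.d/fcgid.conf /etc/httpd/conf.d/fcgid.conf.bak
# Reuse the distro-built PHP module. NOTE(review): it was built against
# httpd 2.2.15; 2.2.x shares a module ABI, but confirm with httpd -t / -M.
cp -a /usr/lib/httpd/modules.bak/libphp5.so /usr/lib/httpd/modules
httpd -t || exit 1
# Run once in the foreground to watch startup errors on the terminal, then
# stop it with Ctrl+C before handing over to the init script.
httpd -DFOREGROUND
service httpd start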
vhost's SSL config
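# Per-vhost TLS settings (certificate paths are relative to ServerRoot,
# /etc/httpd with the --prefix used above).
SSLEngine on
# Protocol selection lives here: only TLS 1.2 is negotiated.
SSLProtocol -all +TLSv1.2
# The SSLv2/SSLv3 keywords inside a cipher string select suites by the
# protocol that introduced them (OpenSSL tags AES-SHA1 suites as SSLv3), not
# by the negotiated protocol — so with !SSLv3 only the TLSv1.2-tagged
# SHA-2/GCM suites remain. !aNULL and !3DES are added because OpenSSL
# 1.0.1's HIGH group still contains anonymous-DH suites and DES-CBC3-SHA.
# Inspect the resulting list with: openssl ciphers -v '<this string>'
SSLCipherSuite HIGH:!MEDIUM:!LOW:!SSLv2:!SSLv3:!NULL:!aNULL:!3DES
# Use the server's preference order rather than the client's.
SSLHonorCipherOrder on
SSLCertificateFile ssl/www.datahunter.org/server.crt
SSLCertificateChainFile ssl/www.datahunter.org/server.ca-bundle
SSLCertificateKeyFile ssl/www.datahunter.org/www.datahunter.org.key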