Debian系
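# apt install apache2
# apachectl -M | grep ssl            # check whether mod_ssl is already loaded before enabling it
# a2enmod ssl
# apt install software-properties-common
# add-apt-repository ppa:ondrej/php  # third-party (Ubuntu-style) PPA: its signing key becomes trusted system-wide — review the source before adding it
# apt update
# apt install php7.2 php7.2-mbstring php7.2-mysql php7.2-xml php7.2-gd php7.2-zip   # "php7.2-zipphp" was a typo; the package is php7.2-zip
# apt install mariadb-server         # from the MariaDB official repo
# systemctl start apache2 mysql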
Debian系は ufw だけでなく、iptablesルールも確認する必要がある。
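# vi /etc/iptables/iptables.rules
#   (rules go inside a *filter ... COMMIT block; iptables-restore rejects rules outside a table section)
#   -A INPUT -p tcp --dport 80 -j ACCEPT
#   -A INPUT -p tcp --dport 443 -j ACCEPT
# /sbin/iptables-restore < /etc/iptables/iptables.rules   # flushes and replaces the loaded tables, so the file must hold every rule you want to keep
# iptables -L INPUT -n -v                                  # confirm that only the intended ports are accepted
# service apache2 restart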
RH系
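# yum install httpd mod_ssl
# yum install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm   # third-party repo fetched over plain http and not covered by the repo gpgcheck — prefer https and verify the package signature (rpm -K) first
# yum install --enablerepo=remi,remi-php72 php php-mysql php-mbstring php-gd php-xml
# yum install mariadb-server          # from the MariaDB official repo
# systemctl start httpd mariadb
# firewall-cmd --add-service=http --add-service=https              # one --add-service per service (a comma-separated list is not accepted); runtime only
# firewall-cmd --permanent --add-service=http --add-service=https  # persist across firewalld reload / reboot
# yum install certbot
# certbot certonly
# vim /etc/httpd/conf.d/ssl.conf
#   Apache 2.4.7 and earlier:
#     SSLCertificateFile      /etc/letsencrypt/live/example.com/cert.pem
#     SSLCertificateKeyFile   /etc/letsencrypt/live/example.com/privkey.pem
#     SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
#   Apache 2.4.8 and later (SSLCertificateChainFile is obsolete; fullchain.pem carries the intermediates):
#     SSLCertificateFile      /etc/letsencrypt/live/example.com/fullchain.pem
#     SSLCertificateKeyFile   /etc/letsencrypt/live/example.com/privkey.pem
# firewall-cmd --remove-service=http   # NOTE: if certbot uses the HTTP-01 challenge, renewals need port 80 reachable — keep it open (redirecting to https) in that case
# openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -noout -dates   # notAfter = expiry date
# crontab -e                           # schedule `certbot renew`; Let's Encrypt certificates expire after 90 days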
SSL接続の評価をA+にする設定
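# vim /etc/httpd/conf.d/ssl.conf
#   Header always set Strict-Transport-Security "max-age=315360000"   # force https (HSTS); "always" also applies to error responses; requires mod_headers to be loaded
#   SSLProtocol all -TLSv1 -TLSv1.1 -SSLv2 -SSLv3
#   SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES:!IDEA   # each exclusion needs its own ':' — "!MD5!RC4!3DES!IDEA" parsed as one unknown token, so RC4/3DES/IDEA were never excluded; MEDIUM dropped because it admits weaker 128-bit suites
#   SSLHonorCipherOrder on                             # server picks from its own ordered list rather than the client's preference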