Here are the Apache / nginx SSL configurations that received an A+ rating on ssllabs.com.
Apache:
<IfModule mod_ssl.c>
<VirtualHost *:443>
....
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "-ALL EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM EECDH+ECDSA+AES EECDH+aRSA+AES EDH+aRSA+AES RSA+3DES"
SSLCertificateKeyFile /etc/ssl/private/your_website.key
SSLCertificateFile /etc/ssl/certs/your_website.crt
</VirtualHost>
</IfModule>
<IfModule mod_headers.c>
Header add Strict-Transport-Security "max-age=15768000"
</IfModule>
ServerTokens ProductOnly
ServerSignature Off
TraceEnable Off
After saving, enable the headers module and restart the Apache server.
sudo a2enmod headers && sudo service apache2 restart
NginX:
server {
listen 443 default_server;
server_name yourwebsite.com;
ssl on;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 180m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/ssl/certs/yourwebsite.pem;
ssl_certificate_key /etc/ssl/private/yourwebsite.key;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_dhparam /etc/nginx/cert/dhparam.pem;
add_header Strict-Transport-Security "max-age=31536000";
......
}
After saving, run the following command to generate a DH parameter file containing a 2048-bit safe prime, then restart nginx.
sudo mkdir -p /etc/nginx/cert && sudo openssl dhparam -out /etc/nginx/cert/dhparam.pem 2048
sudo service nginx restart
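As an added example (my own code, not part of the original post), here is a small Python checker for both snippets above. It reads an Apache or nginx server block and reports the settings that SSL Labs penalises: SSLv2/SSLv3 still enabled, server cipher order off, RC4/NULL/anonymous/MD5 suites included, DHE suites offered without an explicit ssl_dhparam, and a missing or short HSTS max-age. The two configurations from this post are embedded as sample input next to a constructed weak nginx block; the HSTS threshold (the six-month value the Apache snippet uses), the expansion of Apache's "all", and the list of weak cipher markers are this checker's own assumptions, not SSL Labs' exact grading rules.

```python
import re
from typing import List, Optional, Set

# Thresholds used by this checker (assumptions): HSTS must be at least the
# six-month value the Apache snippet uses; SSLv2/SSLv3 are never acceptable.
MIN_HSTS_MAX_AGE = 15768000
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# Substrings that mark an *included* cipher token as weak ('!'/'-' tokens are exclusions).
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "EXPORT", "ADH", "AECDH", "MD5")
# What Apache's 'all' expands to here; SSLv2 is kept to model old mod_ssl/OpenSSL builds.
APACHE_ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def directive(conf: str, name: str, terminator: str = r"$") -> Optional[str]:
    """Return the argument text of the first `name` directive (one line), or None."""
    m = re.search(rf"^\s*{name}\s+(.+?)\s*{terminator}", conf, re.M)
    return m.group(1) if m else None


def cipher_tokens(spec: str) -> List[str]:
    """Split an OpenSSL cipher string; ':', ',' and whitespace are all valid separators."""
    return [t for t in re.split(r"[\s:,]+", spec.strip().strip('"')) if t]


def cipher_findings(spec: str) -> List[str]:
    tokens = cipher_tokens(spec)
    excludes_anon = any(t[0] in "!-" and t.lstrip("!-").upper() in ("ANULL", "ADH") for t in tokens)
    findings = []
    for t in tokens:
        if t[0] in "!-":
            continue  # '!' removes a suite permanently, '-' removes it from the current list
        if t.upper() == "ALL" and not excludes_anon:
            findings.append("cipher list uses ALL without excluding anonymous (aNULL) suites")
        for marker in WEAK_CIPHER_MARKERS:
            if marker in t.upper():
                findings.append(f"cipher list includes weak suites: {marker} via '{t}'")
    return findings


def uses_dhe(spec: str) -> bool:
    """True if the list can select finite-field DHE suites (DH+, EDH+, DHE-, or ALL)."""
    return any(t[0] not in "!-" and (t.upper() == "ALL" or re.match(r"^E?DHE?([+:-]|$)", t.upper()))
               for t in cipher_tokens(spec))


def hsts_max_age(conf: str) -> Optional[int]:
    """max-age from a Strict-Transport-Security header directive (Apache or nginx), or None."""
    m = re.search(r'Strict-Transport-Security\s+"?max-age=(\d+)', conf)
    return int(m.group(1)) if m else None


def hsts_findings(conf: str) -> List[str]:
    age = hsts_max_age(conf)
    if age is None:
        return ["no Strict-Transport-Security header (needed for A+)"]
    if age < MIN_HSTS_MAX_AGE:
        return [f"HSTS max-age={age} is below the six-month minimum {MIN_HSTS_MAX_AGE}"]
    return []


def apache_protocols(spec: str) -> Set[str]:
    """Expand an SSLProtocol list such as 'all -SSLv2 -SSLv3' into the enabled set."""
    enabled: Set[str] = set()
    for tok in spec.split():
        name = tok.lstrip("+-")
        names = APACHE_ALL if name.lower() == "all" else {name}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled


def check_apache(conf: str) -> List[str]:
    findings: List[str] = []
    spec = directive(conf, "SSLProtocol")
    protocols = apache_protocols(spec) if spec else set(APACHE_ALL)  # mod_ssl default is 'all'
    findings += [f"{p} is enabled" for p in sorted(protocols & WEAK_PROTOCOLS)]
    if (directive(conf, "SSLHonorCipherOrder") or "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on (client would choose the cipher)")
    ciphers = directive(conf, "SSLCipherSuite")
    findings += cipher_findings(ciphers) if ciphers else ["SSLCipherSuite not set"]
    return findings + hsts_findings(conf)


def check_nginx(conf: str) -> List[str]:
    findings: List[str] = []
    spec = directive(conf, "ssl_protocols", ";")
    protocols = set(spec.split()) if spec else {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}  # old default
    findings += [f"{p} is enabled" for p in sorted(protocols & WEAK_PROTOCOLS)]
    if (directive(conf, "ssl_prefer_server_ciphers", ";") or "").lower() != "on":
        findings.append("ssl_prefer_server_ciphers is not on (client would choose the cipher)")
    ciphers = directive(conf, "ssl_ciphers", ";")
    findings += cipher_findings(ciphers) if ciphers else ["ssl_ciphers not set"]
    if ciphers and uses_dhe(ciphers) and not directive(conf, "ssl_dhparam", ";"):
        findings.append("DHE suites enabled without ssl_dhparam (nginx before 1.11.0 used a built-in 1024-bit group)")
    return findings + hsts_findings(conf)


# Sample input: the two blocks from this post, plus a constructed weak nginx block.
APACHE_CONF = """<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "-ALL EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM EECDH+ECDSA+AES EECDH+aRSA+AES EDH+aRSA+AES RSA+3DES"
</VirtualHost>
Header add Strict-Transport-Security "max-age=15768000"
"""
NGINX_CONF = """server {
listen 443 default_server;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_dhparam /etc/nginx/cert/dhparam.pem;
add_header Strict-Transport-Security "max-age=31536000";
}
"""
WEAK_NGINX_CONF = """server {
listen 443;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:RC4-SHA;
}
"""

if __name__ == "__main__":
    for label, result in (("apache", check_apache(APACHE_CONF)), ("nginx", check_nginx(NGINX_CONF)),
                          ("weak nginx", check_nginx(WEAK_NGINX_CONF))):
        print(f"{label}: {'OK' if not result else ''}")
        for f in result:
            print("  -", f)
```

To run it against a live file, pass the file contents in, e.g. `check_nginx(open("/etc/nginx/sites-enabled/default").read())`; the check is purely textual, so it complements rather than replaces an SSL Labs scan, which also tests the certificate chain and the actual handshake.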