Security improvements for this site


0. Warning (updated 2019.08.24)

Because of the Wall, this site was previously unreachable from some regions of China.
That problem has now been resolved: as of today the site is served through a CDN.
At the same time, the encryption settings will default to those of the CDN provider.
What follows is the site's original security configuration; it may differ from what is deployed now.


1. HTTP upgraded to HTTPS

Provides:

  • CAA

  • HSTS preloading of this site, already supported by the major browsers

  • An RSA 4096-bit certificate

2. Stronger cryptography

Among the high-strength cipher suites, this site picks the options with the broadest compatibility.

  • TLS 1.2:
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and others

    • Elliptic curve strengthened to secp384r1
    • RSA 7680-bit key exchange supported

TLS 1.3 will be supported soon, and TLS 1.1 and 1.0 will be disabled.

3. Safer headers

Content-Security-Policy, Feature-Policy and Referrer-Policy headers are sent for a safer browsing experience.

SSL Labs assessment

The only item that did not get full marks is there to stay compatible with ancient protocols.

Brief configuration walkthrough

Requesting an HTTPS certificate

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto certonly -d polarnova.site --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

Along the way you will need to add a TXT record at your DNS provider; add the CAA record while you are there, then come back and press ENTER.

Upgrading the certificate to 4096 bits

./certbot-auto --apache --rsa-key-size 4096

Main configuration file

/etc/apache2/sites-enabled/001-polarnova.site.conf

#-------------------------------------------HTTP----------------------------------------------
<VirtualHost *:80>

    ServerName polarnova.site
    DocumentRoot /var/www/html/polarnova

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Header always set Content-Security-Policy "upgrade-insecure-requests"
    Header always set Feature-Policy "vibrate 'self'; sync-xhr 'self' https://polarnova.site"
    Header always set Referrer-Policy "no-referrer-when-downgrade"
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =polarnova.site
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>

#-------------------------------------------HTTPS----------------------------------------------

<IfModule mod_ssl.c>
    <VirtualHost *:443>

        Protocols h2 http/1.1
        ServerName polarnova.site
        DocumentRoot /var/www/html/polarnova
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/polarnova.site/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/polarnova.site/privkey.pem

        Header always set Content-Security-Policy "upgrade-insecure-requests"
        Header always set Feature-Policy "vibrate 'self'; sync-xhr 'self' https://polarnova.site"
        Header always set Referrer-Policy "no-referrer-when-downgrade"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-XSS-Protection "1; mode=block"
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
        Header always set X-Content-Type-Options nosniff

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>

        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

    </VirtualHost>

    SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
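As an added example (my own code, not part of the original post or of the site's configuration), the script below audits the response headers that the two virtual hosts above are supposed to produce: it checks that the Strict-Transport-Security value meets the three conditions the HSTS preload list requires (max-age of at least one year, includeSubDomains, preload), that the other hardening headers are present with sane values, and that the plain-HTTP vhost answers only with a permanent redirect to https://. The three responses are constructed by hand to match the config, not captured from polarnova.site. Because the page's CSP is only `upgrade-insecure-requests`, the audit checks for the presence of Content-Security-Policy rather than its directives.

```python
"""Audit hardening headers and the HTTP->HTTPS redirect of a captured response.
Added example; the sample responses are constructed, not captured from the site."""
from typing import Dict, List, Tuple

# Constructed sample: what the :443 vhost above sends on a normal page load.
HTTPS_OK = """HTTP/1.1 200 OK
Content-Security-Policy: upgrade-insecure-requests
Feature-Policy: vibrate 'self'; sync-xhr 'self' https://polarnova.site
Referrer-Policy: no-referrer-when-downgrade
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
"""

# Constructed sample: what the :80 vhost sends (RewriteRule ... R=permanent).
HTTP_REDIRECT = """HTTP/1.1 301 Moved Permanently
Location: https://polarnova.site/
"""

# Constructed sample of a weak deployment, to show what the audit reports.
HTTPS_WEAK = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOWALL
Content-Type: text/html
"""

PRELOAD_MIN_MAX_AGE = 31536000  # hstspreload.org requires at least one year


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response head into (status code, lowercase header map)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value: str) -> Dict[str, str]:
    """Turn 'max-age=63072000; includeSubDomains; preload' into a directive map."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def hsts_preload_eligible(value: str) -> bool:
    """The three conditions the HSTS preload list requires of the header."""
    d = parse_hsts(value)
    try:
        max_age = int(d.get("max-age", "-1"))
    except ValueError:
        max_age = -1
    return max_age >= PRELOAD_MIN_MAX_AGE and "includesubdomains" in d and "preload" in d


def audit_https(raw: str) -> List[str]:
    """Return findings for an HTTPS response; an empty list means it passes."""
    _, h = parse_response(raw)
    findings: List[str] = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif not hsts_preload_eligible(hsts):
        findings.append("HSTS is not preload-eligible: " + hsts)
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    return findings


def audit_http_redirect(raw: str) -> List[str]:
    """The plain-HTTP vhost should answer only with a permanent redirect to https://."""
    status, h = parse_response(raw)
    findings: List[str] = []
    if status not in (301, 308):
        findings.append(f"expected a permanent redirect, got {status}")
    if not h.get("location", "").startswith("https://"):
        findings.append("redirect does not point at https://")
    return findings


if __name__ == "__main__":
    print("https ok:", audit_https(HTTPS_OK) or "pass")
    print("https weak:", audit_https(HTTPS_WEAK) or "pass")
    print("http redirect:", audit_http_redirect(HTTP_REDIRECT) or "pass")
```

To use it against a live server, paste the output of `curl -sI https://your.host/` into `HTTPS_OK` and the output of `curl -sI http://your.host/` into `HTTP_REDIRECT`; the weak sample is there only to show what a failing deployment reports.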

SSL configuration file

/etc/letsencrypt/options-ssl-apache.conf

You need a strong elliptic curve to back your 4096-bit certificate!

Of course, secp521r1 is unnecessary.

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA

SSLOpenSSLConfCmd Curves secp384r1:prime256v1
SSLHonorCipherOrder on

SSLCompression off
SSLSessionTickets Off
SSLOptions +StrictRequire

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
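As an added example (my own code, not from the original post), the script below takes the SSLCipherSuite string from the file above and asks the local OpenSSL, through Python's ssl module, which suites it actually enables, then flags any suite that lacks forward-secret key exchange (ECDHE or DHE) or falls below 256-bit symmetric strength, which is the property section 2 claims for this configuration. It assumes a Python build linked against an OpenSSL that knows these suites; TLS 1.3 suites are excluded because set_ciphers() does not govern them.

```python
"""Expand an OpenSSL cipher string and check it against a simple policy:
forward-secret key exchange and at least 256-bit symmetric strength.
Added example, not part of the original post."""
import ssl
from typing import Dict, List

# The SSLCipherSuite value from options-ssl-apache.conf above.
SITE_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:"
    "ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA"
)

# Key-exchange names as reported by ssl.SSLContext.get_ciphers()["kea"].
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe"}


def expand_ciphers(cipher_string: str) -> List[Dict]:
    """Ask the local OpenSSL what a cipher string enables.

    TLS 1.3 suites are fixed by OpenSSL and not controlled by set_ciphers(),
    so they are filtered out; only TLS 1.2 and older suites remain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def policy_violations(cipher_string: str, min_bits: int = 256) -> List[str]:
    """Name every enabled suite that breaks the policy; empty list means pass."""
    problems: List[str] = []
    for c in expand_ciphers(cipher_string):
        if c["kea"] not in FORWARD_SECRET_KX:
            problems.append(f"{c['name']}: key exchange {c['kea']} is not forward secret")
        if c["strength_bits"] < min_bits:
            problems.append(f"{c['name']}: only {c['strength_bits']}-bit")
    return problems


if __name__ == "__main__":
    for c in expand_ciphers(SITE_CIPHERS):
        print(f"{c['name']:32} {c['protocol']:8} {c['kea']:9} {c['strength_bits']} bits")
    print("violations:", policy_violations(SITE_CIPHERS) or "none")
```

Run it on the host that will serve the site, since the expansion depends on the OpenSSL that Apache is linked against; a suite that is absent from the output is one that OpenSSL build will never negotiate.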

Restart Apache

apachectl restart

And that is it.

When I rebuild the server n years from now, I may write up a complete configuration walkthrough again.
