Rocky Linux 9 에는 기본 openssl 3 이상이 설치되어 있음
openssl 3 이상으로 컴파일하면 기본 보안 수준(SECLEVEL=1)에서 TLS1.0/1.1이 비활성화되어 사실상 TLS1.2 이상만 사용 가능하므로,
(필요 시) TLS1.0~1.3까지 지원하려면 openssl 1.1.1w 설치 후 이를 이용하도록 httpd (2.4.63 등) 컴파일 필요
※ 주의: openssl 1.1.1 계열은 2023년 9월 지원 종료(EOL)되어 보안 패치가 더 이상 제공되지 않으며, TLS1.0/1.1은 RFC 8996으로 폐기된 프로토콜임. 업그레이드가 불가능한 레거시 클라이언트 연동이 불가피한 경우에만 한시적으로 사용하고, 그 외에는 2) TLS1.2 이상 구성을 사용할 것
※ /app/httpd 에 설치하는 것으로 가정
1) TLS1.0~1.3 (호환성) 을 위해 openssl 1.1.1w 이용 시
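# 1) Build OpenSSL 1.1.1w (needed only for TLS 1.0/1.1 clients) and httpd against it.
#    OpenSSL 1.1.1 is end-of-life (Sept 2023) and receives no security fixes:
#    use this path only when a legacy client forces it, otherwise use step 2.
OPENSSL_PREFIX=/usr/local/openssl-1.1.1w

wget https://www.openssl.org/source/openssl-1.1.1w.tar.gz
# Verify the tarball against the SHA-256 / PGP signature published by the
# OpenSSL project before unpacking; a tampered TLS library ends up in every handshake.
# sha256sum openssl-1.1.1w.tar.gz   # compare with the published value
tar xvfz openssl-1.1.1w.tar.gz
cd openssl-1.1.1w
dnf install -y perl perl-core perl-FindBin
./config --prefix="$OPENSSL_PREFIX"
make -j"$(nproc)"
make install

# httpd is configured from its own source tree, not from inside openssl-1.1.1w
# (the original sequence ran ./configure in the OpenSSL directory, where it does not exist).
cd ../httpd-2.4.63      # adjust to the unpacked httpd source directory
# rpath lets mod_ssl find libssl.so.1.1 under the non-default prefix at runtime
# (alternative: add $OPENSSL_PREFIX/lib to /etc/ld.so.conf.d/ and run ldconfig).
./configure --prefix=/app/httpd --enable-mods-shared=all --enable-so --with-mpm=event \
  --enable-ssl --with-ssl="$OPENSSL_PREFIX" LDFLAGS="-Wl,-rpath,$OPENSSL_PREFIX/lib"
make -j"$(nproc)"
make install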
2) TLS1.2 이상 적용 시 (보안 개선)
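# 2) TLS 1.2+ only (recommended): build httpd against the distro OpenSSL 3.
#    Headers and link libraries come from openssl-devel; the system package
#    keeps receiving security updates, unlike a self-built 1.1.1w.
dnf install -y openssl-devel
cd httpd-2.4.63         # run from the unpacked httpd source directory
./configure --prefix=/app/httpd --enable-mods-shared=all --enable-so --with-mpm=event --enable-ssl
make -j"$(nproc)"
make install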
1. conf/httpd.conf
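# conf/httpd.conf -- minimal, hardened front end / reverse proxy (ServerRoot /app/httpd)
Listen 80
ServerName "서버IP:80"
ServerRoot "/app/httpd"
DocumentRoot "/app/httpd/htdocs"

LoadModule unixd_module modules/mod_unixd.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Least privilege: the parent binds 80/443 as root, the workers must run as an
# unprivileged account. Without User/Group mod_unixd keeps its compiled-in
# default (uid -1) and httpd typically refuses to start (AH00190 getpwuid error).
# "daemon" is the stock httpd default; a dedicated account is better still.
User daemon
Group daemon

# Never act as a forward proxy; only the explicit ProxyPass mappings below are
# served. Off is the default, stated here so a later edit cannot enable it by accident.
ProxyRequests Off

# Do not disclose version/OS details in headers, error pages or TRACE echoes.
ServerTokens Prod
ServerSignature Off
TraceEnable Off

# %a = client IP. "combined" keeps Referer/User-Agent, which incident response
# relies on; "common" drops them.
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %b" common
CustomLog "logs/access_log" combined
ErrorLog "logs/error_log"
LogLevel warn

# Default-deny the whole filesystem; only explicitly opened paths are reachable.
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

<Directory "/app/httpd/htdocs">
    # No directory listings. FollowSymLinks is kept as in the original; prefer
    # SymLinksIfOwnerMatch if untrusted users can create files under htdocs.
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

Include conf/extra/httpd-mpm.conf

LoadModule headers_module modules/mod_headers.so
<IfModule headers_module>
    Header always unset X-Powered-By
    Header always unset X-CF-Powered-By
    # Stop browsers from MIME-sniffing responses into scripts/styles.
    Header always set X-Content-Type-Options "nosniff"
</IfModule>

LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include conf/extra/httpd-ssl.conf
<IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
</IfModule>

# The backend hop is plaintext HTTP: acceptable only on a trusted network
# segment. If the API server is reached across an untrusted network, proxy to
# https:// with "SSLProxyEngine on" and certificate verification instead.
ProxyPass "/api1" "http://API서버/api1"
ProxyPassReverse "/api1" "http://api서버/api1"
# Wildcard CORS lets any web origin read these responses; narrow it to the
# calling origin(s) unless the API is intentionally public ("*" is also
# rejected by browsers for credentialed requests).
Header always set Access-Control-Allow-Origin "*"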
2. conf/extra/httpd-ssl.conf
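# conf/extra/httpd-ssl.conf -- TLS listener. Apache comments are "#"; the
# HTML-style <!-- --> markers used originally are not valid here and make
# httpd fail to parse the file.
Listen 443

# ---- S: TLS 1.0 needed (e.g. JDK 6 clients) ----
# Uncomment these five lines and comment out the "TLS 1.2+" section below ONLY
# when a legacy client cannot be upgraded. TLS 1.0/1.1 are deprecated
# (RFC 8996) and this needs httpd built against OpenSSL 1.1.1 (build step 1):
# OpenSSL 3 rejects TLS < 1.2 at its default security level. "MEDIUM" admits
# 128-bit non-AEAD suites, so treat this block as temporary.
#SSLCipherSuite HIGH:MEDIUM:+TLSv1:!MD5:!RC4:!3DES
#SSLProxyCipherSuite HIGH:MEDIUM:+TLSv1:!MD5:!RC4:!3DES
#SSLHonorCipherOrder on
#SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 +TLSv1.3
#SSLProxyProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 +TLSv1.3
# ---- E: TLS 1.0 needed ----

# ---- S: TLS 1.2+ (comment out when the TLS 1.0 section is enabled) ----
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLOpenSSLConfCmd Curves X25519:prime256v1:secp384r1
# TLS 1.2 list: forward-secret (ECDHE/DHE) AEAD suites only. TLS 1.3 suites
# are negotiated by OpenSSL and are not affected by this directive.
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
# Every offered suite is strong, so the client may choose (e.g. CHACHA20 on
# devices without AES hardware).
SSLHonorCipherOrder off
# mod_ssl does not rotate its ticket key by itself; a long-lived key would undo
# forward secrecy for resumed sessions, so tickets stay off.
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
# A slow or failing OCSP responder must not stall or break handshakes.
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
# ---- E: TLS 1.2+ ----

SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

<VirtualHost _default_:443>
    ServerName "서버IP:443"
    DocumentRoot "/app/httpd/htdocs"
    ErrorLog "logs/error_log"
    # "combined" (defined in httpd.conf) keeps Referer/User-Agent for investigations.
    CustomLog logs/access_log combined
    SSLEngine on
    # The .crt should hold the leaf certificate followed by its intermediates:
    # since 2.4.8 SSLCertificateFile loads the whole chain and
    # SSLCertificateChainFile is deprecated. The original pointed the chain
    # directive at this same file, which adds nothing, so it is dropped here.
    SSLCertificateFile "conf/ssl/도메인.crt"
    # Private key: owned by root, mode 0600 -- httpd reads it before dropping privileges.
    SSLCertificateKeyFile "conf/ssl/도메인.key"
    # HSTS (2 years): enable only once everything on this host is served over HTTPS.
    #Header always set Strict-Transport-Security "max-age=63072000"
    # Plaintext backend hop: acceptable only on a trusted network segment;
    # otherwise proxy to https:// with "SSLProxyEngine on".
    ProxyPass "/api1" "http://API서버/api1"
    ProxyPassReverse "/api1" "http://api서버/api1"
    # Wildcard CORS: narrow to the calling origin(s) unless the API is intentionally public.
    Header always set Access-Control-Allow-Origin "*"
    # Legacy IE 2-5 workaround; harmless today and safe to remove.
    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # Per-connection protocol/cipher log: the quickest way to find clients still
    # on TLS 1.0/1.1 before the legacy section is retired.
    CustomLog "/app/httpd/logs/ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>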