Prerequisites
This guide is for Ubuntu 14.04 (), 14.04 (Trusty), 16.04 (Xenial), 18.04 (Bionic) and 18.10 (Cosmic). You will upgrade to Apache 2.4.37 and OpenSSL 1.1.1. If you are seeing this post weeks or months later, these version numbers may no longer be the same.
Add Ondřej's Apache repository
At the time of writing, even the Ubuntu 18.10 repository has Apache 2.4.35. We want to be the coolest kids on the block, so we use a separate PPA maintained by Ondřej Surý. He puts an enormous effort into maintaining these packages, and once you have TLS 1.3 running, I suggest you take a look at his well-deserved donations page.
To add the repo, enter these commands in terminal:
add-apt-repository ppa:ondrej/apache2
apt-get update
This will import signing keys and update the package meta information.
Now, you can simply run the following to install / update your Apache installation:
apt install apache2
You will notice that you are also upgrading your OpenSSL version. You can check that you are using the correct OpenSSL version with the openssl version command. Make sure it is 1.1.1 or later.
Enable TLS 1.3
The default configuration should already have TLS 1.3 enabled. However, let's double check.
In Apache, the TLS protocols are controlled by the SSLProtocol directive. The main value of this directive is set in the /etc/apache2/mods-available/ssl.conf file. Locate it, and make sure you have something like all -SSLv2 -SSLv3. This enables all supported TLS versions but removes the ancient SSLv2 and SSLv3. While you are at it, I also suggest that you disable TLSv1 and TLSv1.1, because they are quite old protocols and the more we push to phase them out, the better. I'm not here to push my own security advice, so it's totally up to you.
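One way to check the directive described above without reading the file by eye: the following shell script is an added example, not part of the original guide or of Apache. The function names effective_protocols and audit_ssl_conf are hypothetical, and the script assumes OpenSSL 1.1.1 or later, so that "all" includes TLSv1.3.

```shell
#!/bin/sh
# Added example: lint the SSLProtocol value in an Apache ssl.conf.
# Assumptions: OpenSSL 1.1.1+, so "all" includes TLSv1.3; "all" is modelled
# as including SSLv3 (build-dependent); tokens use the spelling in ALL_PROTOS.
ALL_PROTOS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# Print the protocols a directive value leaves enabled.
# "+X" adds, "-X" removes, a bare token replaces everything set so far.
effective_protocols() {
    enabled=""
    for tok in $1; do
        case "$tok" in
            +*) op=add; name=${tok#+} ;;
            -*) op=del; name=${tok#-} ;;
            *)  op=set; name=$tok ;;
        esac
        if [ "$name" = "all" ]; then name=$ALL_PROTOS; fi
        case "$op" in
            set) enabled=$name ;;
            add) enabled="$enabled $name" ;;
            del) kept=""
                 for p in $enabled; do
                     case " $name " in *" $p "*) ;; *) kept="$kept $p" ;; esac
                 done
                 enabled=$kept ;;
        esac
    done
    out=""   # canonical order, de-duplicated
    for p in $ALL_PROTOS; do
        case " $enabled " in *" $p "*) out="$out $p" ;; esac
    done
    echo "${out# }"
}

# Exit 0 only if the last active SSLProtocol line enables TLSv1.3 without SSLv3.
audit_ssl_conf() {
    value=$(sed -n 's/^[[:space:]]*SSLProtocol[[:space:]]\{1,\}//p' "$1" | tail -n 1)
    [ -n "$value" ] || { echo "no SSLProtocol directive in $1"; return 2; }
    protos=$(effective_protocols "$value")
    echo "SSLProtocol $value => $protos"
    case " $protos " in *" SSLv3 "*) echo "FAIL: SSLv3 enabled"; return 1 ;; esac
    case " $protos " in *" TLSv1.3 "*) ;; *) echo "FAIL: TLSv1.3 missing"; return 1 ;; esac
    case " $protos " in *" TLSv1 "*|*" TLSv1.1 "*) echo "WARN: TLSv1/TLSv1.1 enabled" ;; esac
    return 0
}

# Constructed sample: the setting the guide suggests, after a commented-out line.
sample=$(mktemp)
printf '#SSLProtocol all\n\tSSLProtocol all -SSLv2 -SSLv3\n' > "$sample"
audit_ssl_conf "$sample" || true
rm -f "$sample"
```

To audit a real server, call audit_ssl_conf /etc/apache2/mods-available/ssl.conf; a virtual host that sets its own SSLProtocol is not covered by this check.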
Restart Apache
Enabling TLS 1.3 in Apache is so simple that restarting Apache can be put under its own heading:
service apache2 restart