{"id":1492,"date":"2025-11-07T17:00:05","date_gmt":"2025-11-07T14:00:05","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/tls-1-3-ve-modern-sifrelerin-sicacik-mutfagi-nginx-apachede-ocsp-stapling-hsts-preload-ve-pfs-nasil-kurulur\/"},"modified":"2025-11-07T17:00:05","modified_gmt":"2025-11-07T14:00:05","slug":"tls-1-3-ve-modern-sifrelerin-sicacik-mutfagi-nginx-apachede-ocsp-stapling-hsts-preload-ve-pfs-nasil-kurulur","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/tls-1-3-ve-modern-sifrelerin-sicacik-mutfagi-nginx-apachede-ocsp-stapling-hsts-preload-ve-pfs-nasil-kurulur\/","title":{"rendered":"The Cozy Kitchen of TLS 1.3 and Modern Ciphers: How to Set Up OCSP Stapling, HSTS Preload and PFS on Nginx\/Apache"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#Bugun_Sunucuda_Kucuk_Bir_Kivilcim_TLS_13le_Tanistigim_O_An\"><span class=\"toc_number toc_depth_1\">1<\/span> A Small Spark on the Server Today: The Moment I Met TLS 1.3<\/a><\/li><li><a href=\"#TLS_13un_Mutfagi_Modern_Sifre_Takimlari_ve_PFSnin_Gunluk_Hayat_Dili\"><span class=\"toc_number toc_depth_1\">2<\/span> The TLS 1.3 Kitchen: Modern Cipher Suites and PFS in Everyday Language<\/a><ul><li><a href=\"#Modern_sifre_takimlari_nedir_neden_umursayalim\"><span class=\"toc_number toc_depth_2\">2.1<\/span> What are modern cipher suites, and why should we care?<\/a><\/li><li><a href=\"#PFSyi_Perfect_Forward_Secrecy_basitce_nasil_anlatiriz\"><span class=\"toc_number toc_depth_2\">2.2<\/span> How do we explain PFS (Perfect Forward Secrecy) simply?<\/a><\/li><li><a href=\"#TLS_13un_huzuru\"><span class=\"toc_number toc_depth_2\">2.3<\/span> The peace of mind of TLS 1.3<\/a><\/li><\/ul><\/li><li><a href=\"#Nginxte_TLS_13_PFS_ve_HSTS_Ocaklari_Yakiyoruz\"><span class=\"toc_number toc_depth_1\">3<\/span> TLS 1.3, PFS and HSTS on Nginx: Lighting the Stove<\/a><ul><li><a href=\"#Baslangic_Sertifika_ve_zincir_dosyalari\"><span class=\"toc_number toc_depth_2\">3.1<\/span> Getting started: certificate and chain files<\/a><\/li><li><a href=\"#Nginx_yapilandirmasi_TLS_13_ve_modern_sifreler\"><span class=\"toc_number toc_depth_2\">3.2<\/span> Nginx configuration: TLS 1.3 and modern ciphers<\/a><\/li><li><a href=\"#Test_etmek_Kucuk_adimlar_net_sonuclar\"><span class=\"toc_number toc_depth_2\">3.3<\/span> Testing: small steps, clear results<\/a><\/li><\/ul><\/li><li><a href=\"#Apachede_Ayni_Gulumseme_TLS_13_OCSP_Stapling_ve_HSTS\"><span class=\"toc_number toc_depth_1\">4<\/span> The Same Smile on Apache: TLS 1.3, OCSP Stapling and HSTS<\/a><ul><li><a href=\"#Moduller_ve_temel_taslar\"><span class=\"toc_number toc_depth_2\">4.1<\/span> Modules and building blocks<\/a><\/li><li><a href=\"#Apache_yapilandirmasi_Sefin_not_defteri\"><span class=\"toc_number toc_depth_2\">4.2<\/span> Apache configuration: the chef\u2019s notebook<\/a><\/li><li><a href=\"#Apache_testleri_ve_kucuk_tuyo\"><span class=\"toc_number toc_depth_2\">4.3<\/span> Apache tests and a small tip<\/a><\/li><\/ul><\/li><li><a href=\"#OCSP_Staplingin_Kulis_Hali_Zincir_DNS_ve_Ates_Hatti\"><span class=\"toc_number toc_depth_1\">5<\/span> OCSP Stapling Backstage: Chain, DNS and the Firing Line<\/a><ul><li><a href=\"#Neden_trusted_zincire_ihtiyac_var\"><span class=\"toc_number toc_depth_2\">5.1<\/span> Why is a \u2018trusted\u2019 chain needed?<\/a><\/li><li><a href=\"#DNS_ve_firewall_ayrintilari\"><span class=\"toc_number toc_depth_2\">5.2<\/span> DNS and firewall details<\/a><\/li><li><a href=\"#Yenileme_ve_gunlukler\"><span class=\"toc_number toc_depth_2\">5.3<\/span> Renewal and logs<\/a><\/li><\/ul><\/li><li><a href=\"#HSTS_Preloada_Ne_Zaman_Cesaret_Etmeli_Kontrollu_Bir_Yolculuk\"><span class=\"toc_number toc_depth_1\">6<\/span> When to Dare HSTS Preload? A Controlled Journey<\/a><ul><li><a href=\"#HSTSin_ozeti\"><span class=\"toc_number toc_depth_2\">6.1<\/span> HSTS in brief<\/a><\/li><li><a href=\"#Preload_oncesi_checklist\"><span class=\"toc_number toc_depth_2\">6.2<\/span> Pre-preload checklist<\/a><\/li><li><a href=\"#Basvuru_ve_dogrulama\"><span class=\"toc_number toc_depth_2\">6.3<\/span> Submission and verification<\/a><\/li><\/ul><\/li><li><a href=\"#Performans_ve_Hata_Ayiklama_kucuk_komutlar_buyuk_rahatlik\"><span class=\"toc_number toc_depth_1\">7<\/span> Performance and Debugging: small commands, big relief<\/a><ul><li><a href=\"#Hiz_ve_sadelik\"><span class=\"toc_number toc_depth_2\">7.1<\/span> Speed and simplicity<\/a><\/li><li><a href=\"#Pratik_test_komutlari\"><span class=\"toc_number toc_depth_2\">7.2<\/span> Practical test commands<\/a><\/li><\/ul><\/li><li><a href=\"#Kenar_Vakalar_Eski_Istemciler_dertli_kutuphaneler\"><span class=\"toc_number toc_depth_1\">8<\/span> Edge Cases: Old Clients, troublesome libraries<\/a><ul><li><a href=\"#Eski_tarayicilar_ve_TLS_1011\"><span class=\"toc_number toc_depth_2\">8.1<\/span> Old browsers and TLS 1.0\/1.1<\/a><\/li><li><a href=\"#Kurumsal_denetim_cihazlari_ve_ara_katmanlar\"><span class=\"toc_number toc_depth_2\">8.2<\/span> Enterprise inspection devices and middleboxes<\/a><\/li><\/ul><\/li><li><a href=\"#Gercek_Hayattan_Kucuk_Bir_Senaryo_Adim_adim_tedirginlik_olmadan\"><span class=\"toc_number toc_depth_1\">9<\/span> A Small Real-Life Scenario: Step by step, without the anxiety<\/a><ul><li><a href=\"#Adim_1_Mevcut_durumu_gorun\"><span class=\"toc_number toc_depth_2\">9.1<\/span> Step 1: See the current state<\/a><\/li><li><a href=\"#Adim_2_TLS_13u_acin_TLS_12yi_sadelestirin\"><span class=\"toc_number toc_depth_2\">9.2<\/span> Step 2: Enable TLS 1.3, simplify TLS 1.2<\/a><\/li><li><a href=\"#Adim_3_Staplingi_dogrulayin\"><span class=\"toc_number toc_depth_2\">9.3<\/span> Step 3: Verify stapling<\/a><\/li><li><a href=\"#Adim_4_HSTSi_once_risksiz_acin\"><span class=\"toc_number toc_depth_2\">9.4<\/span> Step 4: Enable HSTS risk-free first<\/a><\/li><li><a href=\"#Adim_5_Son_tur_test_ve_canli_izleme\"><span class=\"toc_number toc_depth_2\">9.5<\/span> Step 5: Final round of tests and live monitoring<\/a><\/li><\/ul><\/li><li><a href=\"#Kapanis_Guvenin_Sessiz_Sesi\"><span class=\"toc_number toc_depth_1\">10<\/span> Closing: The Quiet Voice of Trust<\/a><\/li><\/ul><\/div>\n<h2 id='section-1'><span id=\"Bugun_Sunucuda_Kucuk_Bir_Kivilcim_TLS_13le_Tanistigim_O_An\">A Small Spark on the Server Today: The Moment I Met TLS 1.3<\/span><\/h2>\n<p>Has this ever happened to you? Late at night a friend messages you: \u201cThe site is fast, but there is a warning on the browser\u2019s lock icon, can you take a look?\u201d That is the moment you refill your coffee and your eyes drift automatically to the server\u2019s Nginx or Apache configuration. On one such evening I was reminded of what a pleasant force multiplier TLS 1.3 is, of OCSP stapling\u2019s role in \u2018keeping things flowing smoothly in the background\u2019, and of the sturdy gate of HSTS preload that keeps the whole neighborhood on HTTPS street.
PFS, in turn, is a property that secures the past and winks at the future, much like carrying a \u2018single-use key\u2019 for the safe.<\/p>\n<p>In this post I want to leave you a hand-signed guide in the tone of a chat between friends. Enabling TLS 1.3 safely, choosing modern cipher suites, getting OCSP stapling up with the correct chain, entering HSTS preload step by step and deliberately, making PFS the standard\u2026 Let\u2019s walk through all of it together on Nginx and Apache. Think of it like this: there is a recipe in the kitchen, the ingredients are known, the cooking time is clear. If we just set the heat right, the result will be great. Let\u2019s begin.<\/p>\n<h2 id='section-2'><span id=\"TLS_13un_Mutfagi_Modern_Sifre_Takimlari_ve_PFSnin_Gunluk_Hayat_Dili\">The TLS 1.3 Kitchen: Modern Cipher Suites and PFS in Everyday Language<\/span><\/h2>\n<h3><span id=\"Modern_sifre_takimlari_nedir_neden_umursayalim\">What are modern cipher suites, and why should we care?<\/span><\/h3>\n<p>When we say a secure connection, we are really talking about a set of small rules by which the browser and the server shake hands. TLS 1.3 shortens this handshake, sheds unnecessary weight and sets out with sturdier ingredients. In modern cipher suites, methods that use an \u2018ephemeral key\u2019, such as ECDHE, come to the fore. As a result, a separate secret key is created for each session.
It is a bit like meeting at a different venue each time; even if someone finds a past venue, the other meetings stay safe.<\/p>\n<h3><span id=\"PFSyi_Perfect_Forward_Secrecy_basitce_nasil_anlatiriz\">How do we explain PFS (Perfect Forward Secrecy) simply?<\/span><\/h3>\n<p>Think of it like this: one day you lose the key to your safe. Bad news. But if the safes of the past were locked with single-use keys, nobody can go back and open them one by one. That is exactly what PFS provides. With ECDHE-based cipher suites, session keys are short-lived and single-use. So even if a key leaks today, yesterday and the day before sleep soundly.<\/p>\n<h3><span id=\"TLS_13un_huzuru\">The peace of mind of TLS 1.3<\/span><\/h3>\n<p>TLS 1.3 retires unnecessary legacy methods and establishes connections quickly. That speed brings a noticeable smoothness to page loads. The extra nice part is that with modern browsers it is almost a \u2018set and forget\u2019 experience. Given the right configuration and a few small tests, of course.<\/p>\n<h2 id='section-3'><span id=\"Nginxte_TLS_13_PFS_ve_HSTS_Ocaklari_Yakiyoruz\">TLS 1.3, PFS and HSTS on Nginx: Lighting the Stove<\/span><\/h2>\n<h3><span id=\"Baslangic_Sertifika_ve_zincir_dosyalari\">Getting started: certificate and chain files<\/span><\/h3>\n<p>First the basic ingredients: a valid certificate, a private key and the chain. If you use Let\u2019s Encrypt you will usually meet \u2018fullchain.pem\u2019 and \u2018privkey.pem\u2019.
On the Nginx side it is important to point to these files correctly and, for OCSP stapling, to also specify a \u2018trusted\u2019 chain. Adding a reliable DNS resolver as well is a real turning point for getting value out of stapling.<\/p>\n<h3><span id=\"Nginx_yapilandirmasi_TLS_13_ve_modern_sifreler\">Nginx configuration: TLS 1.3 and modern ciphers<\/span><\/h3>\n<p>Adapt the example below to your site-specific server block. Here we keep TLS 1.2 with modern cipher suites, enable TLS 1.3 and set the preferred curves for PFS. We enable HSTS carefully and deliberately. For OCSP stapling we define the resolver and the trusted chain.<\/p>\n<pre class=\"language-nginx line-numbers\"><code class=\"language-nginx\">server {\n    listen 443 ssl http2;\n    server_name ornek.com www.ornek.com;\n\n    ssl_certificate \/etc\/letsencrypt\/live\/ornek.com\/fullchain.pem;\n    ssl_certificate_key \/etc\/letsencrypt\/live\/ornek.com\/privkey.pem;\n\n    # TLS versions\n    ssl_protocols TLSv1.2 TLSv1.3;\n\n    # Modern ciphers for TLS 1.2 (TLS 1.3 manages its own set); keep the list on one line\n    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';\n    ssl_prefer_server_ciphers off;\n\n    # Curves for PFS\n    ssl_ecdh_curve X25519:secp256r1;\n\n    # Session settings\n    ssl_session_cache shared:SSL:50m;\n    ssl_session_timeout 1d;\n    ssl_session_tickets off;\n\n    # OCSP Stapling\n    ssl_stapling on;\n    ssl_stapling_verify on;\n    resolver 1.1.1.1 8.8.8.8 valid=300s;\n    resolver_timeout 5s;\n    ssl_trusted_certificate \/etc\/letsencrypt\/live\/ornek.com\/chain.pem;\n\n    # HSTS (be sure to test before moving on to the preload step)\n    add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload' always;\n\n    # Security headers (basic)\n    add_header X-Content-Type-Options 'nosniff' always;\n    add_header X-Frame-Options 'SAMEORIGIN' always;\n\n    root \/var\/www\/ornek.com\/public;\n    index index.html;\n}\n<\/code><\/pre>\n<p>The cipher list here offers a core that is compatible with common, modern browsers. Because in TLS 1.3 cipher suite selection is governed more clearly by the protocol than by the server, the focus is mostly on keeping TLS 1.2 clean. With ssl_ecdh_curve, X25519 and secp256r1 are generally a clean path. ssl_session_tickets off is a good choice from a security standpoint; it keeps transport keys from \u2018sticking around\u2019.<\/p>\n<h3><span id=\"Test_etmek_Kucuk_adimlar_net_sonuclar\">Testing: small steps, clear results<\/span><\/h3>\n<p>You do the first check in the browser, but console tests speak plainly. To see the OCSP stapling status:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">openssl s_client -connect ornek.com:443 -status -servername ornek.com &lt; \/dev\/null | sed -n '\/OCSP response:\/,\/---\/p'\n<\/code><\/pre>\n<p>If you see an OCSP response embedded in the reply, stapling is working.
And for a quick header check:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">curl -sI https:\/\/ornek.com | grep -i strict-transport-security\n<\/code><\/pre>\n<p>For a more advanced, outside view, a <a href=\"https:\/\/www.ssllabs.com\/ssltest\/\" rel=\"nofollow noopener\" target=\"_blank\">detailed SSL test<\/a> makes your job easier. Sometimes the clearest feedback comes from external tools like this. Going over the results with a coffee can be enjoyable.<\/p>\n<h2 id='section-4'><span id=\"Apachede_Ayni_Gulumseme_TLS_13_OCSP_Stapling_ve_HSTS\">The Same Smile on Apache: TLS 1.3, OCSP Stapling and HSTS<\/span><\/h2>\n<h3><span id=\"Moduller_ve_temel_taslar\">Modules and building blocks<\/span><\/h3>\n<p>On the Apache side, modules such as mod_ssl, headers and http2 take the stage. The core structure is simple: enable TLS 1.3, give TLS 1.2 modern ciphers, turn on stapling, add the HSTS header carefully. The chain files are on stage again.
For Let\u2019s Encrypt users, fullchain and privkey are usually referenced with SSLCertificateFile and SSLCertificateKeyFile.<\/p>\n<h3><span id=\"Apache_yapilandirmasi_Sefin_not_defteri\">Apache configuration: the chef\u2019s notebook<\/span><\/h3>\n<pre class=\"language-apache line-numbers\"><code class=\"language-apache\"># OCSP stapling cache: must be set in the global server config, outside &lt;VirtualHost&gt;\nSSLStaplingCache shmcb:\/var\/run\/ocsp(128000)\n\n&lt;VirtualHost *:443&gt;\n    ServerName ornek.com\n    ServerAlias www.ornek.com\n\n    Protocols h2 http\/1.1\n\n    SSLEngine on\n    SSLCertificateFile \/etc\/letsencrypt\/live\/ornek.com\/fullchain.pem\n    SSLCertificateKeyFile \/etc\/letsencrypt\/live\/ornek.com\/privkey.pem\n\n    # TLS versions\n    SSLProtocol TLSv1.2 TLSv1.3\n\n    # Modern ciphers for TLS 1.2 (keep the list on one line)\n    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256\n    SSLHonorCipherOrder off\n\n    # Curves for PFS (OpenSSL 1.1.1+)\n    SSLOpenSSLConfCmd Curves X25519:secp256r1\n\n    # Session tickets\n    SSLSessionTickets off\n\n    # OCSP Stapling\n    SSLUseStapling on\n    SSLStaplingResponderTimeout 5\n    SSLStaplingReturnResponderErrors off\n\n    # HSTS\n    Header always set Strict-Transport-Security &quot;max-age=63072000; includeSubDomains; preload&quot;\n\n    DocumentRoot \/var\/www\/ornek.com\/public\n&lt;\/VirtualHost&gt;\n<\/code><\/pre>\n<p>If you forget the Cache directive for stapling in Apache, it is like skipping the salt in the kitchen; the result never feels \u2018done\u2019. The Curves setting also improves how PFS plays out in practice.
With TLS 1.3 your job is easy again; the real cleanup is in the TLS 1.2 ciphers.<\/p>\n<h3><span id=\"Apache_testleri_ve_kucuk_tuyo\">Apache tests and a small tip<\/span><\/h3>\n<p>For the headers:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">curl -sI https:\/\/ornek.com | grep -Ei 'strict-transport-security|server|date'\n<\/code><\/pre>\n<p>The stapling check is again done with openssl s_client. If you get a chain-related error, you will usually find that the root and intermediate certificate files are not referenced correctly. In such cases only the \u2018cert\u2019 file has been supplied by mistake instead of \u2018fullchain\u2019. A small correction solves the problem.<\/p>\n<h2 id='section-5'><span id=\"OCSP_Staplingin_Kulis_Hali_Zincir_DNS_ve_Ates_Hatti\">OCSP Stapling Backstage: Chain, DNS and the Firing Line<\/span><\/h2>\n<h3><span id=\"Neden_trusted_zincire_ihtiyac_var\">Why is a \u2018trusted\u2019 chain needed?<\/span><\/h3>\n<p>Stapling fetches the current \u2018certificate status\u2019 from the certificate authority (CA) and attaches it to the handshake. The browser then says \u201cI would have fetched this from the CA, but the server has already given it to me\u201d, and the connection goes through faster. For this the server has to talk to the CA. That is why we point to the correct intermediate certificates with a setting such as ssl_trusted_certificate. Wrong file, wrong result.<\/p>\n<h3><span id=\"DNS_ve_firewall_ayrintilari\">DNS and firewall details<\/span><\/h3>\n<p>The resolver setting is critical for stapling queries to go out properly. Give it a reliable DNS server.
If outbound 80\/443 is closed on the firewall, the stapling information cannot be refreshed. Leaving a small window open to \u2018take the pulse of the outside world\u2019 is a must. On Nginx, small settings such as resolver_timeout also smooth the network flow.<\/p>\n<h3><span id=\"Yenileme_ve_gunlukler\">Renewal and logs<\/span><\/h3>\n<p>With Let\u2019s Encrypt automatic renewal the chain sometimes changes; stapling is sensitive to this. Reloading Nginx\/Apache after a renewal is a good habit. Log lines that mention \u2018OCSP\u2019 are most often the quickest clue. The wording of the error message can be harsh, but the fix is usually on the file path or DNS side.<\/p>\n<h2 id='section-6'><span id=\"HSTS_Preloada_Ne_Zaman_Cesaret_Etmeli_Kontrollu_Bir_Yolculuk\">When to Dare HSTS Preload? A Controlled Journey<\/span><\/h2>\n<h3><span id=\"HSTSin_ozeti\">HSTS in brief<\/span><\/h3>\n<p>HSTS means \u201cFrom now on we will speak only HTTPS with this domain\u201d. It draws a clear frame for the browser. Preload goes one step further: the rule is written into browsers in advance. So even a user visiting the site for the first time is sent straight to HTTPS.<\/p>\n<h3><span id=\"Preload_oncesi_checklist\">Pre-preload checklist<\/span><\/h3>\n<p>This part is important. Make sure all of your subdomains are on HTTPS too. The redirect from http to https must be permanent and complete. Let every piece fall into place before you add the includeSubDomains and preload parameters to the header.
Because rolling back can be a laborious process. Before joining the preload list, running a short trial on test domains, and even on each of the subdomains, is reassuring.<\/p>\n<h3><span id=\"Basvuru_ve_dogrulama\">Submission and verification<\/span><\/h3>\n<p>If you are ready, you can fill in a few fields and submit via the <a href=\"https:\/\/hstspreload.org\/\" rel=\"nofollow noopener\" target=\"_blank\">HSTS preload list submission<\/a>. Browsers regularly pull this list in. Observing for a few more days after submission minimizes the worry of \u201cDid one of the subdomains get left out?\u201d The first time you do it you get butterflies, but with a correct setup the result is sparkling clean.<\/p>\n<h2 id='section-7'><span id=\"Performans_ve_Hata_Ayiklama_kucuk_komutlar_buyuk_rahatlik\">Performance and Debugging: small commands, big relief<\/span><\/h2>\n<h3><span id=\"Hiz_ve_sadelik\">Speed and simplicity<\/span><\/h3>\n<p>TLS 1.3\u2019s short handshake is especially noticeable with distant data centers. Combined with HTTP\/2 and HTTP\/3 it gets even sweeter. If you like, you can also study <a href=\"https:\/\/www.dchost.com\/blog\/nginxte-tls-1-3-ocsp-stapling-ve-brotli-nasil-kurulur-hizli-ve-guvenli-httpsnin-sicacik-rehberi\/\">the points to watch when setting up TLS 1.3 and stapling on Nginx<\/a> through a detailed example.
The flow there complements what we cover here.<\/p>\n<h3><span id=\"Pratik_test_komutlari\">Practical test commands<\/span><\/h3>\n<p>To see a quick summary of the TLS version and the handshake:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">openssl s_client -connect ornek.com:443 -tls1_3 -servername ornek.com &lt; \/dev\/null | head -n 25\n<\/code><\/pre>\n<p>To see that HTTP\/2 is enabled:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">curl -I --http2 https:\/\/ornek.com\n<\/code><\/pre>\n<p>If you want to read how the headers, redirects and certificate chain look from the outside in a single report, the <a href=\"https:\/\/www.ssllabs.com\/ssltest\/\" rel=\"nofollow noopener\" target=\"_blank\">detailed SSL test<\/a> is an indispensable stop. And for sample configurations and up-to-date recommendations, keep <a href=\"https:\/\/ssl-config.mozilla.org\/\" rel=\"nofollow noopener\" target=\"_blank\">Mozilla&#8217;s SSL configuration recommendations<\/a> within reach in the kitchen; it is a great reference for small differences.<\/p>\n<h2 id='section-8'><span id=\"Kenar_Vakalar_Eski_Istemciler_dertli_kutuphaneler\">Edge Cases: Old Clients, troublesome libraries<\/span><\/h2>\n<h3><span id=\"Eski_tarayicilar_ve_TLS_1011\">Old browsers and TLS 1.0\/1.1<\/span><\/h3>\n<p>Every now and then users with very old systems may turn up. When you disable TLS 1.0 and 1.1, this tiny group is affected.
If a particular B2B customer of yours uses an old client, it is a good idea to talk to them and make a migration plan. In the short term, keeping TLS 1.2 enabled with modern ciphers is enough in most cases. But treating TLS 1.3 as the baseline and TLS 1.2 as a \u2018life jacket\u2019 is a good way to look at it.<\/p>\n<h3><span id=\"Kurumsal_denetim_cihazlari_ve_ara_katmanlar\">Enterprise inspection devices and middleboxes<\/span><\/h3>\n<p>In corporate networks, devices that break open and inspect SSL\/TLS sometimes act up with modern settings. In such an environment, testing in a staging environment minimizes the \u201cWhy couldn\u2019t it connect to us?\u201d question during the move to production. If necessary, offering an alternative endpoint for that network only shortens the road to a solution.<\/p>\n<h2 id='section-9'><span id=\"Gercek_Hayattan_Kucuk_Bir_Senaryo_Adim_adim_tedirginlik_olmadan\">A Small Real-Life Scenario: Step by step, without the anxiety<\/span><\/h2>\n<h3><span id=\"Adim_1_Mevcut_durumu_gorun\">Step 1: See the current state<\/span><\/h3>\n<p>First, get a report. Are the certificates current, is the chain correct, what do the protocols look like? Write it down in a small notebook. If there is no HSTS yet, scan all of your subdomains before touching the header. Before enabling OCSP stapling, settle your resolver setting and your outbound firewall rules.<\/p>\n<h3><span id=\"Adim_2_TLS_13u_acin_TLS_12yi_sadelestirin\">Step 2: Enable TLS 1.3, simplify TLS 1.2<\/span><\/h3>\n<p>Apply the Nginx\/Apache example.
Rather than copying the code blocks verbatim, adapt them to your domain names and file paths. Let ECDHE and GCM ciphers be your backbone for both speed and security. If X25519 is preferred for the curves, it works smoothly with current browsers.<\/p>\n<h3><span id=\"Adim_3_Staplingi_dogrulayin\">Step 3: Verify stapling<\/span><\/h3>\n<p>Seeing OCSP response blocks in the openssl s_client output is a relief. If it is empty, go back to the chain file and the resolver settings. Sometimes an SELinux context or a permission error can also be the cause. Read the logs calmly.<\/p>\n<h3><span id=\"Adim_4_HSTSi_once_risksiz_acin\">Step 4: Enable HSTS risk-free first<\/span><\/h3>\n<p>At first, set only max-age, without preload. Make sure your redirects are complete. Watch for a few days. If there are no problems, shift up a gear with includeSubDomains and preload. Then finish the job with the <a href=\"https:\/\/hstspreload.org\/\" rel=\"nofollow noopener\" target=\"_blank\">HSTS preload list submission<\/a>.<\/p>\n<h3><span id=\"Adim_5_Son_tur_test_ve_canli_izleme\">Step 5: Final round of tests and live monitoring<\/span><\/h3>\n<p>Get the SSLLabs report once more. Verify the summaries with the curl and openssl commands. If you use a CDN or a reverse proxy, check that the headers coming from the edges have not changed.
After that, look at the graphs; may the error counts go down and satisfaction go up.<\/p>\n<h2 id='section-10'><span id=\"Kapanis_Guvenin_Sessiz_Sesi\">Closing: The Quiet Voice of Trust<\/span><\/h2>\n<p>A well-configured TLS 1.3, together with modern cipher suites, runs peacefully in the background. OCSP stapling shoulders the browser\u2019s \u201cstatus query\u201d load and helps the page open smoothly. HSTS preload puts a solid lock on the front door and moves the whole household onto HTTPS street. And PFS stands guard like a hidden hero so that today\u2019s key is of no use for any other day. To a user looking from the outside most of this is invisible, but it can be felt.<\/p>\n<p>My practical advice is this: start small, test every step, then shift up a gear. If necessary, start with a trial domain or a subdomain. Do not rush HSTS preload; let your subdomains be fully ready. As you see how effective one small line on the Nginx or Apache side can be, you will notice yourself warming to it. I hope this guide adds some enjoyment to a few of your evenings and that the sites coming out of your kitchen feel more secure and smoother.
See you in the next post; if you have questions, I love digging into them together.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Contents 1 A Small Spark on the Server Today: The Moment I Met TLS 1.3 2 The TLS 1.3 Kitchen: Modern Cipher Suites and PFS in Everyday Language 2.1 What are modern cipher suites, and why should we care? 2.2 How do we explain PFS (Perfect Forward Secrecy) simply? 2.3 The peace of mind of TLS 1.3 3 TLS 1.3, PFS and HSTS on Nginx: Lighting the Stove 3.1 Getting started: certificate and chain files 3.2 Nginx configuration: TLS 1.3 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1493,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-1492","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1492","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=1492"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1492\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/1493"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=1492"}],"wp:term
":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=1492"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=1492"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}