How to Enable HTTPS for Varnish Cache using Hitch on CentOS/RHEL 8


Varnish Cache has no native support for SSL/TLS and the other protocols associated with port 443. If you are using Varnish Cache to improve the performance of your web application, you need to install and configure another piece of software, called an SSL/TLS termination proxy, to work alongside Varnish Cache and enable HTTPS.

Hitch is a free, open source, libev-based, and scalable SSL/TLS proxy designed for Varnish Cache, which currently works on Linux, OpenBSD, FreeBSD, and MacOSX. It terminates TLS/SSL connections by listening on port 443 (the default port for HTTPS connections) and forwards the unencrypted traffic to Varnish Cache; however, it should work with other backends as well.

It supports TLS 1.2 and TLS 1.3 as well as legacy TLS 1.0/1.1, ALPN (Application-Layer Protocol Negotiation) and NPN (Next Protocol Negotiation) for HTTP/2, the PROXY protocol for signaling the client IP/port to the backend, UNIX domain socket connections to the origin, and SNI (Server Name Indication), with and without wildcard certificates. Additionally, it works well for large installations that require up to 15,000 listening sockets and 500,000 certificates.

As a continuation of our previous two articles about installing Varnish Cache for the Nginx and Apache HTTP servers, this guide shows how to enable HTTPS for Varnish Cache using the Hitch TLS proxy on CentOS/RHEL 8.

This guide assumes that you have installed Varnish for the Nginx or Apache web server; otherwise, see:

  • How to Install Varnish Cache 6 for Nginx Web Server on CentOS/RHEL 8
  • How to Install Varnish Cache 6 for Apache Web Server on CentOS/RHEL 8

Step 1: Install Hitch on CentOS/RHEL 8

1. The Hitch package is provided in the EPEL (Extra Packages for Enterprise Linux) repository. To install it, first enable EPEL on your system and then install the package. If you do not have the OpenSSL package installed, install it as well.

# dnf install epel-release
# dnf install hitch openssl

2. When the package installation is complete, you have to configure Varnish Cache to work with Hitch. You also need to configure Hitch to use the SSL/TLS certificate and Varnish as its backend. Hitch's main configuration file is located at /etc/hitch/hitch.conf, which is explained below.

Step 2: Configuring Varnish Cache for Hitch

3. Next, make Varnish listen on an additional port (8443 in our case) with PROXY protocol support, to communicate with Hitch.

So open the Varnish systemd service file for editing.

# systemctl edit --full varnish

Look for the ExecStart line and add an additional -a flag with the value 127.0.0.1:8443,proxy. Using the value 127.0.0.1:8443 means that Varnish will only accept internal connections (from processes running on the same server, i.e. Hitch in this case) but not external connections.

ExecStart=/usr/sbin/varnishd -a :80 -a 127.0.0.1:8443,proxy -f /etc/varnish/default.vcl -s malloc,256m

Save the file and then restart the Varnish service to apply the new changes.

# systemctl restart varnish

Step 3: Obtaining SSL/TLS Certificates

4. In this section, we will explain how to create the SSL/TLS certificate bundle for use under Hitch. For this guide, we will look at the different options: a self-signed certificate, a commercial certificate, or one from Let's Encrypt.

To create a self-signed certificate (which you should only use in a local testing environment), you can use the OpenSSL tool.

# mkdir /etc/ssl/tecmint.lan
# cd /etc/ssl/tecmint.lan/
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tecmint.lan.key -out tecmint.lan.crt

Then create a bundle of the certificate and key generated above as follows.

# cat tecmint.lan.crt tecmint.lan.key > tecmint.pem

Note: For production use, you can buy a certificate from a commercial Certificate Authority (CA) or get a free, automated, and fully recognized certificate from Let's Encrypt. Then create the PEM bundle.

If you have bought a certificate from a commercial CA, you need to concatenate the private key, the certificate, and the CA bundle as shown.

# cat example.com.key example.com.crt example.com-ca-bundle.crt > /etc/ssl/example.com.pem

For Let's Encrypt, the certificate, private key, and full chain will be stored under /etc/letsencrypt/live/example.com/, so create the bundle as shown.
# cat /etc/letsencrypt/live/example.com/fullchain.pem /etc/letsencrypt/live/example.com/privkey.pem >/etc/letsencrypt/live/example.com/example.com_bundle.pem

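Whichever source the certificate comes from, the bundle only works if the key in it belongs to the certificate, and it holds a private key. The following shell script is an added example (not part of the original article or of Hitch itself) that builds the bundle in the key, certificate, chain order used above, checks the key against the certificate with openssl first, and creates the file readable by its owner only; the file paths are hypothetical arguments.

```shell
#!/bin/sh
# Added example, not part of the original article: build the PEM bundle Hitch
# reads (private key + certificate + optional CA chain) while checking that the
# key really belongs to the certificate, and creating the file readable only by
# its owner because it contains the private key. Paths are caller-supplied
# arguments; nothing here is Hitch's own tooling.

# pubkey_of_key KEYFILE -> PEM public key derived from the private key
pubkey_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# pubkey_of_cert CERTFILE -> PEM public key embedded in the certificate
pubkey_of_cert() { openssl x509 -in "$1" -pubkey -noout 2>/dev/null; }

# key_matches_cert KEYFILE CERTFILE -> 0 when both carry the same public key
# (works for RSA and EC keys alike, unlike comparing RSA moduli)
key_matches_cert() {
    k=$(pubkey_of_key "$1") || return 1
    c=$(pubkey_of_cert "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# build_bundle KEYFILE CERTFILE OUTFILE [CHAINFILE]
# Refuses to write anything if key and certificate do not match, so the
# mismatch is caught here rather than when Hitch fails to start.
build_bundle() {
    key=$1; crt=$2; out=$3; chain=${4:-}
    if ! key_matches_cert "$key" "$crt"; then
        echo "refusing to bundle: $key does not match $crt" >&2
        return 1
    fi
    # umask inside a subshell: the file is created with mode 0600 from the start
    (
        umask 077
        if [ -n "$chain" ]; then cat "$key" "$crt" "$chain"; else cat "$key" "$crt"; fi > "$out"
    ) || return 1
}

# Usage mirroring the self-signed case above (hypothetical paths):
#   build_bundle /etc/ssl/tecmint.lan/tecmint.lan.key /etc/ssl/tecmint.lan/tecmint.lan.crt /etc/ssl/tecmint.lan/tecmint.pem
```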
Step 4: Configuring and Starting Hitch

5. Next, set Varnish as the backend for Hitch and specify the SSL/TLS certificate files to use for HTTPS in Hitch's main configuration file. Open it for editing.

# vi /etc/hitch/hitch.conf

The frontend section defines the IP addresses and the port Hitch will listen on. The default configuration is to listen on all IPv4 and IPv6 interfaces attached to the server, run on port 443, and handle incoming HTTPS requests, handing them over to Varnish.

Change the default backend proxy port from 6086 to 8443 (the port used to forward requests to Varnish) in the Hitch configuration file, using the backend parameter. Also, specify the certificate bundle using the pem-file parameter as shown.

backend = "[127.0.0.1]:8443"
#pem-dir = "/etc/pki/tls/private"
pem-file = "/etc/ssl/tecmint.lan/tecmint.pem"

Save the file and close it.

6. Now start the hitch service and enable it to start automatically at system boot. Note that the --now switch, when used with enable, also starts the systemd service. Then check its status to confirm it is up and running as follows.

# systemctl enable --now hitch
# systemctl status hitch

7. Before you proceed to test whether your website/application is now running on HTTPS, you need to allow the HTTPS service port 443 in the firewall, so that requests destined for that port on the server can pass through.

# firewall-cmd --zone=public --permanent --add-service=https
# firewall-cmd --reload

Step 5: Testing SSL/TLS Termination with the Varnish Cache-Hitch Setup

8. Now it is time to test the Varnish Cache-Hitch setup. Open a web browser and use your domain or the server's IP to navigate over HTTPS.

https://www.example.com
OR
https://SERVER_IP/

Once the index page of your web application has loaded, check the HTTP headers to confirm that the content is being served via Varnish Cache.

To do that, right-click on the loaded web page and select Inspect from the list of options to open the developer tools. Then click on the Network tab, reload the page, and select a request to view its HTTP headers, as shown in the following screenshot.

Step 6: Redirecting HTTP to HTTPS in Varnish Cache

9. To run your website on HTTPS only, you need to redirect all HTTP traffic to HTTPS. You can do this by adding extra configuration to the Varnish VCL file.

# vi /etc/varnish/default.vcl

First, add the line import std; below vcl 4.0;, then look for the vcl_recv subroutine, which is the first VCL subroutine executed immediately after Varnish Cache has parsed the client request into its basic data structure. It is here that we can modify the request headers and execute a synth to redirect client requests.

Modify it to look like this.

sub vcl_recv {
    if (std.port(server.ip) != 443) {
        set req.http.location = "https://" + req.http.host + req.url;
        return(synth(301));
    }
}

Note that the PROXY protocol allows Varnish to see Hitch's listening port 443 from the server.ip variable. Therefore the expression std.port(server.ip) returns the port number on which the client connection was received.

If the port is not 443 for HTTPS (as checked by (std.port(server.ip) != 443)), the subroutine sets the request's HTTP Location header (set req.http.location) to a secure URL ("https://" + req.http.host + req.url), simply asking the web browser to load the HTTPS version of the web page (i.e. URL redirection).

The Location header will be passed on to the vcl_synth subroutine (which is called using return(synth(301))) with an HTTP status code of 301 (Moved Permanently).

10. Next, add the following vcl_synth subroutine (one of its many uses is redirecting users) to process the synth above.

sub vcl_synth {
    if (resp.status == 301) {
        set resp.http.location = req.http.location;
        set resp.status = 301;
        return (deliver);
    }
}

It checks whether the response status is 301, sets the HTTP Location header in the response to the HTTP Location header from the request (which is the redirect to HTTPS), and executes a deliver action.

The deliver action builds a response with the response from the backend, stores the response in the cache, and sends it to the client.

Save the file and close it.

11. Once again, apply the new changes in the Varnish configuration by restarting the service. Then use the curl command-line tool to confirm the redirect from HTTP to HTTPS.

# systemctl restart varnish
# curl -I http://example.com/

From the browser, the response is also the same, as shown in the following screenshot.

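The following shell script is an added example, not from the original article, that checks curl -I output for the redirect described above and for the Via header that shows a response passed through Varnish; the host example.com and the sample responses are constructed, and probe_redirect runs the same check against a live server.

```shell
#!/bin/sh
# Added example, not part of the original article: offline checks on "curl -I"
# style response headers for the two behaviours this guide sets up:
#   check_redirect    - an HTTP request gets a 301 whose Location is the same
#                       host and path over https:// (the vcl_recv/vcl_synth logic)
#   served_by_varnish - the Via header shows the response came through Varnish
# curl prints CRLF line endings and Varnish emits the header name exactly as
# written in VCL ("location"), so CRs are stripped and names matched
# case-insensitively. The hosts and responses below are constructed samples.

# header NAME RESPONSE -> value of the first header called NAME (case-insensitive)
header() {
    printf '%s\n' "$2" | tr -d '\r' | awk -v want="$1" '
        NR > 1 && index(tolower($0), tolower(want) ":") == 1 {
            sub(/^[^:]*:[ \t]*/, ""); print; exit
        }'
}

# status_code RESPONSE -> the numeric status from the status line
status_code() {
    printf '%s\n' "$1" | tr -d '\r' | awk 'NR == 1 { print $2; exit }'
}

# check_redirect RESPONSE HOST PATH -> 0 if RESPONSE is a 301 to https://HOST PATH
check_redirect() {
    code=$(status_code "$1")
    loc=$(header Location "$1")
    [ "$code" = "301" ] || { echo "expected 301, got '$code'" >&2; return 1; }
    [ "$loc" = "https://$2$3" ] ||
        { echo "expected Location https://$2$3, got '$loc'" >&2; return 1; }
}

# served_by_varnish RESPONSE -> 0 if the Via header names varnish
served_by_varnish() {
    case "$(header Via "$1" | tr 'A-Z' 'a-z')" in
        *varnish*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of what "curl -I http://example.com/index.html" should print
SAMPLE_HTTP=$(printf 'HTTP/1.1 301 Moved Permanently\r\nServer: Varnish\r\nX-Varnish: 32770\r\nlocation: https://example.com/index.html\r\nContent-Length: 0\r\n\r\n')
# Constructed sample of the HTTPS response after Hitch hands the request to Varnish
SAMPLE_HTTPS=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Varnish: 32771 3\r\nVia: 1.1 varnish (Varnish/6.0)\r\n\r\n')

# Live check against a running setup, e.g. probe_redirect example.com /
probe_redirect() {
    check_redirect "$(curl -sI "http://$1$2")" "$1" "$2"
}
```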
We hope that everything has worked fine up to this point. If not, drop a comment or question via the feedback form below. For any advanced configuration options, go to the Hitch documentation.