How to Install a CA-Issued SSL Certificate in HAProxy


HAProxy is a widely used, reliable, high-performance reverse proxy that provides high availability and load balancing for TCP and HTTP applications. By default it is built against OpenSSL, so it supports SSL/TLS termination: it can encrypt and decrypt the traffic between your web entry point or application gateway and the client applications that talk to it.

This guide shows how to set up a CA-issued SSL certificate in HAProxy. It assumes you have already received your certificate from the CA and are ready to install and configure it on the HAProxy server.

The files you should have are:

  • The certificate itself.
  • The intermediate certificates, also called the bundle or chain, and
  • The root CA certificate, if provided, and
  • The private key.

Create a PEM-Formatted SSL Certificate File

Before configuring your CA certificate in HAProxy, note that HAProxy expects a single .pem file that contains the contents of all the files above, concatenated in the following order:

  • The private key, usually ending in .key (it may be placed at the beginning or the end of the file).
  • Followed by the SSL certificate (usually ending in .crt).
  • Then the CA bundle (usually ending in .ca-bundle), and
  • The root CA certificate, if provided.

To create the .pem file, change into the directory that holds the certificate files, for example ~/Downloads, and run the cat command as follows (substitute your own file names):

$ cat example.com.key STAR_example_com/STAR_example_com.crt STAR_example_com/STAR_example_com.ca-bundle > example.com.pem
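A plain cat cannot tell you whether the key actually belongs to the certificate or whether the bundle really chains to it; HAProxy will refuse to start, or worse, serve a broken chain, if it does not. The script below is an added example, not part of the original article: it builds the PEM in the documented order, creates it readable only by its owner (it contains the private key), and checks that the key matches the first certificate and that the certificate verifies against the CA certificates that follow. Because it has to run offline, it generates a throwaway CA and leaf certificate with openssl instead of using a real CA's files; the file names mirror the article and are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): assemble the single PEM file
# HAProxy expects and check that its parts belong together before installing it.
# The CA and leaf certificate are generated locally so the script runs offline.
set -eu

# Constructed test material: a self-signed CA plus a leaf certificate it signed, in directory $1.
make_sample_material() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Example Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=example.com" \
    -keyout "$dir/example.com.key" -out "$dir/example.com.csr" 2>/dev/null
  openssl x509 -req -in "$dir/example.com.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -sha256 -out "$dir/example.com.crt" 2>/dev/null
  # A real CA hands you the intermediates as a bundle; here the bundle is just the test CA.
  cp "$dir/ca.crt" "$dir/example.com.ca-bundle"
}

# Concatenate key ($1), leaf certificate ($2) and CA bundle ($3), the order HAProxy
# documents, into $4. The subshell's umask makes the output 0600: it holds the private key.
build_pem() {
  ( umask 077; cat "$1" "$2" "$3" > "$4" )
}

# Sanity-check a bundle: the private key must match the first certificate's public key,
# and that certificate must chain to the CA certificates that follow it.
# Returns 0 when consistent, 1 otherwise. openssl picks the first PEM block of the
# requested type, so the key may sit before or after the certificates.
check_pem() {
  pem=$1
  key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null || true)
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null || true)
  if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
    echo "$pem: private key does not match the leaf certificate" >&2
    return 1
  fi
  tmp=$(mktemp -d)
  # Split every CERTIFICATE block into its own file: cert1 is the leaf, the rest is the chain.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; incert = 1 }
    incert                        { print > (dir "/cert" n ".pem") }
    /-----END CERTIFICATE-----/   { incert = 0 }
  ' "$pem"
  if [ ! -f "$tmp/cert2.pem" ]; then
    echo "$pem: no CA certificates after the leaf" >&2
    rm -rf "$tmp"; return 1
  fi
  for f in "$tmp"/cert*.pem; do [ "$f" = "$tmp/cert1.pem" ] || cat "$f"; done > "$tmp/chain.pem"
  # -partial_chain accepts a bundle that ends at an intermediate rather than a root.
  if ! openssl verify -partial_chain -CAfile "$tmp/chain.pem" "$tmp/cert1.pem" >/dev/null 2>&1; then
    echo "$pem: leaf certificate does not chain to the bundled CA certificates" >&2
    rm -rf "$tmp"; return 1
  fi
  rm -rf "$tmp"
  return 0
}

# Demonstration run on the constructed material.
demo=$(mktemp -d)
make_sample_material "$demo"
build_pem "$demo/example.com.key" "$demo/example.com.crt" "$demo/example.com.ca-bundle" "$demo/example.com.pem"
check_pem "$demo/example.com.pem" && echo "$demo/example.com.pem is consistent; copy it to /etc/ssl/example.com/"
rm -rf "$demo"
```

With real CA files, call build_pem with your .key, .crt and .ca-bundle and run check_pem on the result before copying it to the HAProxy server; a bundle that fails the key check is the most common cause of HAProxy refusing the crt file at startup.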

Install the PEM SSL Certificate in HAProxy

Next, upload the .pem certificate file to the HAProxy server using the scp command as shown (replace sysadmin and 192.168.10.24 with the remote server's username and IP address respectively):

$ scp example.com.pem sysadmin@192.168.10.24:/home/sysadmin/

Then create a directory in which to store the .pem file using the mkdir command and copy the file into it. Since the file contains the private key, make sure it ends up owned by root and readable by root only:

$ sudo mkdir -p /etc/ssl/example.com/
$ sudo cp example.com.pem /etc/ssl/example.com/

Next, open your HAProxy configuration file and configure the certificate under the frontend listener section using the ssl and crt parameters on the bind line: the former enables SSL termination and the latter gives the path to the certificate file.

frontend http_frontend
      mode http
      bind *:80
      bind *:443 ssl crt /etc/ssl/example.com/example.com.pem alpn h2,http/1.1
      redirect scheme https code 301 if !{ ssl_fc }
      default_backend http_servers

Some SSL/TLS versions are no longer recommended because of known weaknesses in them (SSLv3, TLS 1.0 and TLS 1.1 are all deprecated). To limit the protocol versions HAProxy accepts, add the ssl-min-ver parameter to the bind line, for example:

bind *:443 ssl crt /etc/ssl/example.com/example.com.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2

Configure HAProxy to Redirect HTTP to HTTPS

To ensure your website is reachable only over HTTPS, configure HAProxy to redirect all HTTP traffic to HTTPS whenever a user tries to access the site over plain HTTP (port 80).

Add either of the following lines to the configuration above (the http-request form is the one current HAProxy releases document):

redirect scheme https code 301 if !{ ssl_fc }
OR
http-request redirect scheme https unless { ssl_fc }

Your frontend section should now look like the one in this sample configuration. Note that TLS is terminated at HAProxy: the connection from HAProxy to the backend server on port 80 is plain HTTP, so only the client-facing leg is encrypted.

frontend http_frontend
      mode http
      bind *:80
      bind *:443 ssl crt /etc/ssl/example.com/example.com.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2
      redirect scheme https code 301 if !{ ssl_fc }
      default_backend http_servers

backend http_servers
      mode http
      balance roundrobin
      option httpchk HEAD /
      http-response set-header X-Frame-Options SAMEORIGIN
      http-response set-header X-XSS-Protection 1;mode=block
      http-response set-header X-Content-Type-Options nosniff
      default-server check maxconn 5000
      server http_server1 10.2.1.55:80
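The sample above sets the TLS floor on one bind line and leaves the backend unaware that the client arrived over HTTPS. The fragment below is an added example, not configuration from the original article: it moves the protocol minimum and cipher selection into the global section so every ssl bind inherits them, uses the http-request form of the redirect, passes X-Forwarded-Proto to the backend so the application can build correct HTTPS links, and sends an HSTS header. The cipher lists are one reasonable modern choice and the HSTS max-age is an assumption; adjust both to your client base, and only enable HSTS once every host it covers works over TLS.

```haproxy
global
    # Applied to every "bind ... ssl" line, so a later bind cannot silently
    # fall back to TLS 1.0/1.1. Session tickets are disabled to keep forward secrecy.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    # TLS 1.2 ciphers (ssl-default-bind-ciphers) and TLS 1.3 suites (ssl-default-bind-ciphersuites).
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

frontend http_frontend
    mode http
    bind *:80
    bind *:443 ssl crt /etc/ssl/example.com/example.com.pem alpn h2,http/1.1
    # Send every plaintext request to HTTPS before any other processing.
    http-request redirect scheme https code 301 unless { ssl_fc }
    # The backend only ever sees plain HTTP from HAProxy; tell it the original scheme.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # Ask browsers to stay on HTTPS for a year (assumed value).
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    default_backend http_servers

backend http_servers
    mode http
    balance roundrobin
    option httpchk HEAD /
    http-response set-header X-Frame-Options SAMEORIGIN
    http-response set-header X-Content-Type-Options nosniff
    default-server check maxconn 5000
    server http_server1 10.2.1.55:80
```

Validate it with `haproxy -c` as shown below before reloading; an unsupported option name (for example ssl-default-bind-ciphersuites on a build without TLS 1.3 support) is reported at that step rather than at runtime.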

Save and close the configuration file.

Then check that the configuration is valid with the following command:

$ sudo haproxy -f /etc/haproxy/haproxy.cfg -c

If the configuration file is valid, reload the haproxy service so that it picks up the recent changes, using the systemctl command:

$ sudo systemctl reload haproxy

Last but not least, test the whole setup by visiting your website from a web browser and confirm that the certificate loads and the browser reports the connection as secure. A quick command-line check is openssl s_client, which shows the certificate chain that HAProxy actually sends and the negotiated protocol version.

That's it! We hope this guide helped you set up an SSL certificate in the HAProxy load balancer. If you run into any errors, let us know via the comment form below. We will be happy to help.