How to Set Up an SSL CA Certificate in HAProxy


HAProxy is a widely used, reliable, high-performance proxy that provides high availability and load balancing for TCP and HTTP applications. By default it is compiled with OpenSSL and therefore supports SSL termination, which lets it encrypt and decrypt traffic between the web entry server or gateway server and client applications.

This guide shows how to set up an SSL CA certificate in HAProxy. It assumes you have already obtained your certificate from a CA and are ready to install and configure it on the HAProxy server.

The expected files are:

  • The certificate itself.
  • The intermediate certificate, also called the bundle or chain, and
  • The root CA, if present, and
  • The private key.

Create a PEM-Formatted SSL Certificate File

Before configuring your CA certificate in HAProxy, you need to know that HAProxy expects a single .pem file that contains the contents of all the files above, concatenated in this order:

  • The private key, which ends in .key (it can come at the beginning or the end of the file).
  • Followed by the SSL certificate (usually ending in .crt).
  • Then the CA bundle (usually ending in .ca-bundle), and
  • The root CA, if present.

To create the .pem file, change into the directory that holds your certificate files, such as ~/Downloads, and run a cat command like the following (replace the file names with your own):

$ cat example.com.key STAR_example_com/STAR_example_com.crt STAR_example_com/STAR_example_com.ca-bundle > example.com.pem
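The script below automates the concatenation just shown and sanity-checks the result before it is copied to the HAProxy server. It is an added example, not part of the original guide: it refuses passphrase-protected keys (HAProxy cannot load one unattended), confirms the file holds exactly one private key plus a leaf certificate and its chain, makes the file readable only by its owner, and, when openssl is installed, checks that the key and the leaf certificate belong together. The file names match the ones used on this page; the function names are my own.

```sh
#!/bin/sh
# build_pem.sh: assemble key + certificate + CA bundle into the single .pem file
# HAProxy expects, then sanity-check it. Added example; function names are assumptions.
# usage: . ./build_pem.sh
#        build_pem example.com.key STAR_example_com/STAR_example_com.crt \
#                  STAR_example_com/STAR_example_com.ca-bundle example.com.pem \
#        && check_pem example.com.pem && key_matches_cert example.com.pem

# Concatenate in the order described above: private key, leaf certificate, chain.
build_pem() {
    key=$1; crt=$2; bundle=$3; out=$4
    for f in "$key" "$crt" "$bundle"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    cat "$key" "$crt" "$bundle" > "$out" || return 1
    chmod 600 "$out"    # the file now contains the private key
}

# Structural check: exactly one unencrypted private key, at least two CERTIFICATE
# blocks (leaf plus intermediate) and every BEGIN line matched by an END line.
check_pem() {
    pem=$1
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$pem" || true)
    enc=$(grep -c -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$pem" || true)
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" || true)
    begins=$(grep -c -e '-----BEGIN ' "$pem" || true)
    ends=$(grep -c -e '-----END ' "$pem" || true)
    [ "$enc" -eq 0 ]   || { echo "passphrase-protected key: HAProxy cannot load it unattended" >&2; return 1; }
    [ "$keys" -eq 1 ]  || { echo "expected exactly 1 private key, found $keys" >&2; return 1; }
    [ "$certs" -ge 2 ] || { echo "expected leaf + chain, found $certs certificate(s)" >&2; return 1; }
    [ "$begins" -eq "$ends" ] || { echo "unbalanced PEM blocks (truncated file?)" >&2; return 1; }
    echo "ok: $keys private key, $certs certificates"
}

# With openssl available, confirm the key and the first certificate share a public key.
# openssl x509 and openssl pkey each pick the first block of their own type, so the
# combined file can be passed directly. Returns 2 when openssl is not installed.
key_matches_cert() {
    pem=$1
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, cannot check key/cert match" >&2; return 2; }
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null || true)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Run the three functions in sequence from the directory holding the downloaded files; a non-zero exit from any of them means the .pem is not ready to be copied to the server.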

Configure the PEM SSL Certificate in HAProxy

Next, upload the newly created .pem file to the HAProxy server with the scp command as shown (replace sysadmin and 192.168.10.24 with the remote server's username and IP address respectively):

$ scp example.com.pem sysadmin@192.168.10.24:/home/sysadmin/

Create a directory in which the .pem file will be stored using the mkdir command, then copy the file into it:

$ sudo mkdir -p /etc/ssl/example.com/
$ sudo cp example.com.pem /etc/ssl/example.com/

Next, open your HAProxy configuration file and configure the certificate under the frontend listener section using the ssl and crt parameters: the first enables SSL termination and the second specifies the location of the certificate file.

frontend http_frontend
    mode http
    bind *:80
    bind *:443 ssl crt /etc/ssl/example.com/example.com.pem alpn h2,http/1.1
    redirect scheme https code 301 if !{ ssl_fc }
    default_backend http_servers

Some SSL/TLS versions are no longer recommended for use because of weaknesses discovered in them. To restrict the supported SSL versions, you can add the ssl-min-ver parameter like this:

bind *:443 ssl crt /etc/ssl/example.com/example.com.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2

Configure HAProxy to Redirect HTTP to HTTPS

To ensure that your website is reachable only over HTTPS, you need to make HAProxy redirect all HTTP traffic to HTTPS whenever a user tries to access it over HTTP (port 80).

Add one of the following lines to the configuration above:

redirect scheme https code 301 if !{ ssl_fc }
or
http-request redirect scheme https unless { ssl_fc }

Your frontend section should now look like the one in this sample configuration:

frontend http_frontend
    mode http
    bind *:80
    bind *:443 ssl crt /etc/ssl/example.com/example.com.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2
    redirect scheme https code 301 if !{ ssl_fc }
    default_backend http_servers

backend http_servers
    mode http
    balance roundrobin
    option httpchk HEAD /
    http-response set-header X-Frame-Options SAMEORIGIN
    http-response set-header X-XSS-Protection "1; mode=block"
    http-response set-header X-Content-Type-Options nosniff
    default-server check maxconn 5000
    server http_server1 10.2.1.55:80

Save the configuration file and close it.

Then check that its syntax is correct with the following command:

$ sudo haproxy -f /etc/haproxy/haproxy.cfg -c

If the configuration file is valid, reload the haproxy service so that it picks up the recent configuration changes, using systemctl:

$ sudo systemctl reload haproxy
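A syntax check alone does not catch two mistakes that matter for this setup: a crt file on a bind line that is missing or world-readable (it contains the private key), and a TLS-terminating bind that does not pin ssl-min-ver to TLSv1.2 or newer, either on the line itself or through ssl-default-bind-options in the global section. The script below, an added example that is not from this guide or from the HAProxy project, performs those checks against the config and only then runs the same haproxy -c and systemctl reload steps shown above. The function names are my own; the default config path is the one used on this page.

```sh
#!/bin/sh
# preflight_reload.sh: check certificate files and TLS minimums referenced by an
# HAProxy config, then validate and reload only if every check passes.
# Added example; function names are assumptions.
# usage (as root): . ./preflight_reload.sh; safe_reload /etc/haproxy/haproxy.cfg

# Print every path that follows a "crt" keyword on a bind line.
crt_paths() {
    awk '$1 == "bind" { for (i = 2; i < NF; i++) if ($i == "crt") print $(i + 1) }' "$1"
}

# Print TLS-terminating bind lines ("ssl") that neither pin ssl-min-ver TLSv1.2/1.3
# themselves nor inherit it from ssl-default-bind-options. Exit 1 if any are found.
weak_tls_binds() {
    awk '
        function pinned(line,    i, n, f) {
            n = split(line, f)
            for (i = 1; i < n; i++)
                if (f[i] == "ssl-min-ver" && (f[i + 1] == "TLSv1.2" || f[i + 1] == "TLSv1.3"))
                    return 1
            return 0
        }
        function has_ssl(line,    i, n, f) {
            n = split(line, f)
            for (i = 1; i <= n; i++) if (f[i] == "ssl") return 1
            return 0
        }
        $1 == "ssl-default-bind-options" && pinned($0) { gdef = 1 }
        $1 == "bind" && has_ssl($0) && !pinned($0)     { weak[cnt++] = $0 }
        END {
            if (gdef) exit 0
            for (i = 0; i < cnt; i++) print weak[i]
            exit cnt ? 1 : 0
        }
    ' "$1"
}

# Fail unless each crt file exists and is not readable by "other".
check_crt_files() {
    rc=0
    for p in $(crt_paths "$1"); do       # paths containing spaces are not handled
        if [ ! -f "$p" ]; then
            echo "missing certificate file: $p" >&2; rc=1
        elif [ -n "$(find "$p" -perm -004)" ]; then
            echo "world-readable key material: $p" >&2; rc=1
        fi
    done
    return $rc
}

# Run the checks, then haproxy -c, then reload; stop at the first failure.
safe_reload() {
    cfg=${1:-/etc/haproxy/haproxy.cfg}
    check_crt_files "$cfg" || return 1
    weak_tls_binds "$cfg" || { echo "bind lines above lack ssl-min-ver TLSv1.2 or newer" >&2; return 1; }
    haproxy -c -f "$cfg" || return 1
    systemctl reload haproxy
}
```

Because weak_tls_binds prints the offending bind lines, a failed run tells you exactly which listener to fix before the reload is attempted.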

Last but not least, test the whole setup by opening your website in a web browser and confirm that the certificate loads correctly and that the browser reports the connection as secure.

That's it! We hope this guide has helped you configure an SSL certificate on the HAProxy load balancer. If you run into any errors, let us know through the feedback form below. We will be happy to help you.