How to Enable HTTPS for Varnish Cache Using Hitch on CentOS/RHEL 8


Varnish Cache has no native support for SSL/TLS or any other protocol associated with port 443. If you are using Varnish Cache to boost your web application's performance, you need to install and configure another piece of software, called an SSL/TLS termination proxy, to work alongside Varnish Cache and provide HTTPS.

Hitch is a free, open source, libev-based and scalable SSL/TLS proxy designed for Varnish Cache, which currently runs on Linux, OpenBSD, FreeBSD and MacOSX. It terminates TLS/SSL connections by listening on port 443 (the default port for HTTPS connections) and forwards the unencrypted traffic to Varnish Cache; it should, however, also work with other backends.

It supports TLS 1.2 and TLS 1.3 as well as legacy TLS 1.0/1.1, ALPN (Application-Layer Protocol Negotiation) and NPN (Next Protocol Negotiation) for HTTP/2, the PROXY protocol for signalling the client IP/port to the backend, UNIX domain socket connections to the origin, and SNI (Server Name Indication) with and without wildcard certificates. In addition, it scales well to large installations that require up to 15,000 listening sockets and 500,000 certificates.

As a follow-up to our previous two articles about installing Varnish Cache for the Nginx and Apache HTTP servers, this guide shows how to enable HTTPS for Varnish Cache using the Hitch TLS proxy on CentOS/RHEL 8.

This guide assumes that you have installed Varnish for the Nginx or Apache web server; if not, see:

  • How to Install Varnish Cache 6 for the Nginx Web Server on CentOS/RHEL 8
  • How to Install Varnish Cache 6 for the Apache Web Server on CentOS/RHEL 8

Step 1: Install Hitch on CentOS/RHEL 8

1. The Hitch package is provided by the EPEL (Extra Packages for Enterprise Linux) repository. To install it, first enable EPEL on your system and then install the package. If you do not have the OpenSSL package installed, install it as well.

# dnf install epel-release
# dnf install hitch openssl

2. Once the package installation is complete, you need to configure Varnish Cache to work with Hitch. You also need to configure Hitch to use your SSL/TLS certificate and Varnish as its backend. Hitch's main configuration file is /etc/hitch/hitch.conf, which is explained below.

Step 2: Configuring Varnish Cache for Hitch

3. Next, make Varnish listen on an additional port (8443 in our case) with PROXY protocol support, for communication with Hitch.

So, open the Varnish systemd service file for editing.

# systemctl edit --full varnish

Look for the ExecStart line and add an additional -a flag with the value 127.0.0.1:8443,proxy. Using the value 127.0.0.1:8443 means Varnish will accept only local connections on that port (from processes running on the same server, i.e. Hitch in this case) and not external connections.

ExecStart=/usr/sbin/varnishd -a :80 -a 127.0.0.1:8443,proxy -f /etc/varnish/default.vcl -s malloc,256m

Save the file and restart the Varnish service to apply the new changes.

# systemctl restart varnish

Step 3: Obtaining SSL/TLS Certificates

4. In this section, we explain how to generate the SSL/TLS certificate bundle that Hitch will use. For this guide, we cover the different options: a self-signed certificate, a commercial certificate, or one from Let's Encrypt.

To generate a self-signed certificate (which you should only use in a local testing environment), you can use the OpenSSL tool.

# mkdir /etc/ssl/tecmint.lan
# cd /etc/ssl/tecmint.lan/
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tecmint.lan.key -out tecmint.lan.crt

Then create a bundle of the certificate and the key (using the file names generated above) as follows.

# cat tecmint.lan.crt tecmint.lan.key > tecmint.pem

Note: For production use, you can buy a certificate from a commercial Certificate Authority (CA) or obtain a free, automated and widely trusted certificate from Let's Encrypt. Then create the PEM bundle.

If you bought a certificate from a commercial CA, you need to concatenate the private key, the certificate and the CA bundle as shown.

# cat example.com.key example.com.crt example.com-ca-bundle.crt > /etc/ssl/example.com.pem

For Let's Encrypt, the certificate, private key and full chain are stored under /etc/letsencrypt/live/example.com/, so create the bundle as shown.

# cat /etc/letsencrypt/live/example.com/fullchain.pem /etc/letsencrypt/live/example.com/privkey.pem > /etc/letsencrypt/live/example.com/example.com_bundle.pem

Step 4: Configuring and Starting Hitch

5. Next, configure Varnish as the backend for Hitch and define the SSL/TLS certificate file for HTTPS in Hitch's main configuration file. Open it for editing.

# vi /etc/hitch/hitch.conf

The frontend section defines the IP addresses and port that Hitch listens on. The default configuration is to listen on all IPv4 and IPv6 addresses of the server on port 443, handle incoming HTTPS requests and hand them to Varnish.

Change the default backend port from 6086 to 8443 (the port on which requests are forwarded to Varnish) in the Hitch configuration file, using the backend parameter. Also, specify the certificate bundle using the pem-file parameter as shown.

backend = "[127.0.0.1]:8443"
#pem-dir = "/etc/pki/tls/private"
pem-file = "/etc/ssl/tecmint.lan/tecmint.pem"

Save the file and close it.

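The two settings above are the minimum. As an added example that is not the article's own file, here is a fuller /etc/hitch/hitch.conf using the same paths, with the settings a practitioner would normally pin down at the same time; tls-protos requires Hitch 1.5 or later, and the cipher list is an assumption to adapt to the clients you must support.

```ini
# /etc/hitch/hitch.conf (added example, not the article's file)

# Listen on every IPv4/IPv6 address of the server, port 443.
frontend = "[*]:443"

# The Varnish listener added with "-a 127.0.0.1:8443,proxy" in Step 2.
backend = "[127.0.0.1]:8443"
pem-file = "/etc/ssl/tecmint.lan/tecmint.pem"

# Varnish was told to expect the PROXY protocol on 8443, so Hitch must send it;
# without this, std.port(server.ip) in the VCL will not see port 443.
write-proxy-v2 = on

# Weak default: legacy TLS 1.0/1.1 stay enabled. Restrict to modern versions
# (Hitch 1.5+) and let the server choose the cipher. Cipher list is an assumption.
tls-protos = TLSv1.2 TLSv1.3
prefer-server-ciphers = on
ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"

# Drop privileges after binding port 443.
user = "hitch"
group = "hitch"
workers = 4

# Advertise only HTTP/1.1 unless HTTP/2 has also been enabled in varnishd.
alpn-protos = "http/1.1"
```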
6. Now start the hitch service and enable it to start automatically at boot. Note that the --now switch, when used with enable, also starts the systemd service. Then check its status to confirm it is up and running, as follows.

# systemctl enable --now hitch
# systemctl status hitch

7. Before you proceed to test whether your website/application is now served over HTTPS, you need to allow the HTTPS service port 443 in the firewall so that requests destined for that port on the server can pass through.

# firewall-cmd --zone=public --permanent --add-service=https
# firewall-cmd --reload

Step 5: Testing SSL/TLS Termination in the Varnish Cache-Hitch Setup

8. It is now time to test the Varnish Cache-Hitch setup. Open a web browser and use your domain or the server's IP address to navigate to it over HTTPS.

https://www.example.com
OR
https://SERVER_IP/

Once the index page of your web application has loaded, check the HTTP headers to confirm that the content is being served via Varnish Cache.

To do that, right-click on the loaded web page and select Inspect from the menu to open the developer tools. Then click the Network tab, reload the page, and select a request to view the HTTP headers, as shown in the following screenshot.

Step 6: Redirecting HTTP to HTTPS in Varnish Cache

9. To run your website on HTTPS only, you need to redirect all HTTP traffic to HTTPS. You can do this by adding the following configuration to your Varnish VCL file (the file named by -f in the ExecStart line above).

# vi /etc/varnish/default.vcl

First, add the line import std; below vcl 4.0;, then look for the vcl_recv subroutine, which is the first VCL subroutine executed immediately after Varnish Cache has parsed the client request into its basic data structure. It is where we can modify the request headers and execute a synth to redirect client requests.

Change it to look like this.

sub vcl_recv {
    if (std.port(server.ip) != 443) {
        set req.http.location = "https://" + req.http.host + req.url;
        return(synth(301));
    }
}

Note that the PROXY protocol lets Varnish see Hitch's port 443 through the server.ip variable. Therefore, std.port(server.ip) returns the port number on which the client connection was received.

If the port is not 443, i.e. the request did not arrive over HTTPS (as checked by (std.port(server.ip) != 443)), the subroutine sets the HTTP Location header of the request (set req.http.location) to the secure URL ("https://" + req.http.host + req.url), which simply asks the web browser to load the HTTPS version of the page (i.e. a URL redirect).

The Location header is then passed on to the vcl_synth subroutine (invoked by return(synth(301))) together with the HTTP status code 301 (Moved Permanently).

10. Next, add the following vcl_synth subroutine (one of its many use cases is redirecting users) to process the synth above.

sub vcl_synth {
    if (resp.status == 301) {
        set resp.http.location = req.http.location;
        set resp.status = 301;
        return (deliver);
    }
}

It checks whether the response status is 301; if so, the HTTP Location header of the response is set to the Location header of the request, which is the HTTPS redirect target, and the deliver action is executed.

The deliver action builds a response from the backend response, stores it in the cache, and sends it to the client.

Save the file and close it.

11. Next, apply the new Varnish configuration by restarting the service. Then use the curl command-line tool to verify the redirect from HTTP to HTTPS.

# systemctl restart varnish
# curl -I http://example.com/

From the browser, the response is the same, as shown in the following screenshot.

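The checks that Step 5 and Step 6 ask you to make by eye can be scripted. This is an added example, not code from the original article: the two functions read the raw headers from curl -sI on stdin and succeed only if the response is a 301 to the HTTPS form of the same URL, respectively if it passed through Varnish (a Via header naming varnish or an X-Varnish header). The host example.com and the sample header blocks are constructed here so that the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original article). Both functions read raw
# response headers (as printed by "curl -sI URL") on stdin.
# Live use:   curl -sI http://example.com/  | check_redirect example.com /
#             curl -sI https://example.com/ | check_varnish

# check_redirect HOST PATH: succeed only for a 301 whose Location is the
# HTTPS form of the same URL (what the vcl_recv/vcl_synth pair should produce).
check_redirect() {
    host=$1
    path=$2
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p')
    location=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    [ "$status" = "301" ] || return 1
    [ "$location" = "https://${host}${path}" ] || return 1
}

# check_varnish: succeed only if the response shows it went through Varnish,
# i.e. a Via header naming varnish or an X-Varnish header is present.
check_varnish() {
    hdrs=$(tr -d '\r')
    printf '%s\n' "$hdrs" | grep -qi '^via:.*varnish' && return 0
    printf '%s\n' "$hdrs" | grep -qi '^x-varnish:' && return 0
    return 1
}

# Constructed sample responses (not captured from a real server).
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://example.com/
Via: 1.1 varnish (Varnish/6.0)
X-Varnish: 32770'

SAMPLE_HTTPS_OK='HTTP/1.1 200 OK
Content-Type: text/html
Age: 12
Via: 1.1 varnish (Varnish/6.0)
X-Varnish: 32773 32771'

SAMPLE_NO_VARNISH='HTTP/1.1 200 OK
Server: nginx/1.14.1
Content-Type: text/html'

printf '%s\n' "$SAMPLE_REDIRECT" | check_redirect example.com / && echo "redirect OK"
printf '%s\n' "$SAMPLE_HTTPS_OK" | check_varnish && echo "served via Varnish"
```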
We hope that everything is working fine up to this point. If not, leave a comment or question via the feedback form below. For any advanced configuration options, see the Hitch documentation.