OCSP stapling is increasingly used instead of CRLs (Certificate Revocation Lists): the server fetches the signed OCSP response for its own certificate from the CA's responder and hands it to the client inside the TLS handshake, so the client does not have to contact the responder itself. See also: https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

To activate OCSP stapling in HAProxy, use the following procedure. It is based on https://icicimov.github.io/blog/server/HAProxy-OCSP-stapling/ , which gives a very good manual and explanation.

Check haproxy.cfg

Check that the stats socket is activated. The script below pushes the fresh OCSP response into the running HAProxy through this socket (the socat command two lines before exit 0); if a different socket path is configured, the script must be adjusted there. HAProxy also loads a stapled response automatically at startup from a file named like the certificate with the suffix .ocsp (here /etc/haproxy/haproxy.pem.ocsp), which is the file the script writes.
global
    stats socket /var/lib/haproxy/stats
    stats timeout 30s
Install socat

socat is used by the script to send the set ssl ocsp-response command to the stats socket.

yum -y install socat
Create the script for OCSP stapling and make it executable

cat <<'EOFF' > /usr/local/bin/haproxy_ocsp_update.sh
#!/bin/bash
# Certificate path and name (PEM with key, certificate and chain)
DIR="/etc/haproxy"
CERT="haproxy.pem"
# Get the issuer URI from the certificate's Authority Information Access
# ("CA Issuers"), download the issuer certificate and convert it from DER to PEM
ISSUER_URI=$(openssl x509 -in ${DIR}/${CERT} -text -noout | grep 'CA Issuers' | cut -d: -f2,3)
ISSUER_NAME=$(echo ${ISSUER_URI##*/} | while read -r fname; do echo ${fname%.*}; done)
wget -q -O- $ISSUER_URI | openssl x509 -inform DER -outform PEM -out ${DIR}/${ISSUER_NAME}.pem
# Get the OCSP responder URL from the certificate
ocsp_url=$(openssl x509 -noout -ocsp_uri -in ${DIR}/${CERT})
# Extract the hostname from the OCSP URL (sent as the HTTP Host header)
ocsp_host=$(echo $ocsp_url | cut -d/ -f3)
# Create/update the OCSP response file (<cert>.ocsp, loaded by HAProxy at startup).
# -noverify: the responder signature is not checked on this host, see the notes below
openssl ocsp -noverify -no_nonce -issuer ${DIR}/${ISSUER_NAME}.pem -cert ${DIR}/${CERT} -url $ocsp_url -header Host $ocsp_host -respout ${DIR}/${CERT}.ocsp
# If the query succeeded and HAProxy is running, push the response into the running
# process through the stats socket configured in haproxy.cfg
[[ $? -eq 0 ]] && [[ $(pidof haproxy) ]] && [[ -s ${DIR}/${CERT}.ocsp ]] && echo "set ssl ocsp-response $(/usr/bin/base64 -w 10000 ${DIR}/${CERT}.ocsp)" | socat stdio unix-connect:/var/lib/haproxy/stats
exit 0
EOFF
chmod +x /usr/local/bin/haproxy_ocsp_update.sh

Notes on the script:

- The socket path in the socat command must match the stats socket line in haproxy.cfg (the original version of this script connected to /var/run/haproxy.sock, which does not exist with the configuration shown above). If HAProxy refuses the command with a permission error, check the mode and level settings of that socket.
- -noverify means the OCSP response is not validated against a trust anchor on this host. Clients verify the stapled response themselves, so a bad response only breaks stapling for them rather than bypassing revocation, but verifying with -CAfile instead lets the script fail early on a broken or spoofed responder.
- -header Host <host> is the OpenSSL 1.0.x syntax (CentOS 7). OpenSSL 1.1.0 and later expect -header Host=<host>.
- base64 -w 10000 keeps the response on a single line; the stats socket reads one command per line.
Test the script

Run the script with: /usr/local/bin/haproxy_ocsp_update.sh

Example output (printed by openssl ocsp):

/etc/haproxy/haproxy.pem: good
This Update: Mar 25 15:33:54 2019 GMT
Next Update: Mar 28 15:33:54 2019 GMT

good is the revocation status the responder vouches for. Next Update is when this response expires, so the refresh interval in the next step must be shorter than the gap between the two timestamps (three days in this example). The script also writes /etc/haproxy/haproxy.pem.ocsp, which should now exist and be non-empty.
Activate CRON job for script

This executes the script every day at midnight, which is well within the three-day validity shown above. If a single run fails (responder unreachable, for example), the previous response stays in place; only repeated failures eventually leave an expired staple.

cat <<EOFF >> /etc/crontab
0 0 * * * root /usr/local/bin/haproxy_ocsp_update.sh
EOFF
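The following is an added example, not the script from the page or from the icicimov blog post: the same refresh procedure restructured into small functions so the parsing steps can be tested offline, with the responder signature verified against a CA bundle instead of -noverify, a freshness check on Next Update, an atomic replacement of the .ocsp file, and the stats socket path from the haproxy.cfg above. Hypothetical assumptions: the CA bundle lives at /etc/pki/tls/certs/ca-bundle.crt (the CentOS path), curl is installed, date and base64 are the GNU versions, and the script is called with the argument run from cron.

```shell
#!/bin/bash
# Added example (not the page's script): OCSP staple refresh for HAProxy split into
# testable functions. Assumed (hypothetical) paths: CA bundle for verifying the
# responder signature, stats socket from haproxy.cfg above.
DIR="${DIR:-/etc/haproxy}"
CERT="${CERT:-haproxy.pem}"
SOCKET="${SOCKET:-/var/lib/haproxy/stats}"
CA_BUNDLE="${CA_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"
MIN_LEFT="${MIN_LEFT:-172800}"   # do not staple a response that expires in < 2 days

# First "CA Issuers" URI in `openssl x509 -text -noout` output read from stdin.
issuer_uri_from_text() {
    sed -n 's/^[[:space:]]*CA Issuers - URI://p' | head -n 1
}

# Host part of a URL: http://ocsp.example.net/path -> ocsp.example.net
host_from_url() {
    local rest="${1#*://}"
    printf '%s\n' "${rest%%/*}"
}

# Seconds from epoch $1 until the "Next Update" line of `openssl ocsp` output on
# stdin. Negative if already expired; exit status 1 if the line is missing.
staple_seconds_left() {
    local now="$1" next
    next=$(sed -n 's/^[[:space:]]*Next Update: //p' | head -n 1)
    [ -n "$next" ] || return 1
    echo $(( $(date -u -d "$next" +%s) - now ))
}

# True if `openssl ocsp` reported the certificate as "good" (first line of its output).
staple_status_good() {
    grep -q "^${DIR}/${CERT}: good"
}

# True if `openssl ocsp` could verify the responder signature (it prints this line
# on stdout; with -noverify it is printed without a real chain check).
staple_verified() {
    grep -q '^Response verify OK'
}

update_staple() {
    local cert="${DIR}/${CERT}" issuer_uri issuer_pem ocsp_url ocsp_host hdr out left
    issuer_uri=$(openssl x509 -in "$cert" -text -noout | issuer_uri_from_text)
    [ -n "$issuer_uri" ] || { echo "no CA Issuers URI in $cert" >&2; return 1; }
    issuer_pem="${DIR}/$(basename "$issuer_uri")"
    issuer_pem="${issuer_pem%.*}.pem"
    # Issuer certificates are published as DER; -f makes curl fail on HTTP errors.
    curl -fsS "$issuer_uri" | openssl x509 -inform DER -out "$issuer_pem" || return 1
    ocsp_url=$(openssl x509 -noout -ocsp_uri -in "$cert")
    ocsp_host=$(host_from_url "$ocsp_url")
    # OpenSSL 1.0.x takes "-header name value", 1.1.0 and later "-header name=value".
    case "$(openssl version)" in
        "OpenSSL 1.0"*) hdr="-header Host $ocsp_host" ;;
        *)              hdr="-header Host=$ocsp_host" ;;
    esac
    # -CAfile verifies the responder signature; -no_nonce stays because most CA
    # responders serve pre-signed, cached responses and ignore nonces anyway.
    out=$(openssl ocsp -no_nonce -CAfile "$CA_BUNDLE" -issuer "$issuer_pem" -cert "$cert" \
              -url "$ocsp_url" $hdr -respout "${cert}.ocsp.new") || return 1
    printf '%s\n' "$out" | staple_verified || { echo "responder signature not verified" >&2; return 1; }
    printf '%s\n' "$out" | staple_status_good || { echo "OCSP status is not good: $out" >&2; return 1; }
    left=$(printf '%s\n' "$out" | staple_seconds_left "$(date +%s)") || return 1
    if [ "$left" -lt "$MIN_LEFT" ]; then
        echo "response expires in ${left}s, keeping the old staple" >&2; return 1
    fi
    mv -f "${cert}.ocsp.new" "${cert}.ocsp"    # picked up by HAProxy on its next start
    # Hot-load into the running process; base64 -w 0 keeps the payload on one line.
    if pidof haproxy >/dev/null; then
        printf 'set ssl ocsp-response %s\n' "$(base64 -w 0 "${cert}.ocsp")" \
            | socat stdio "unix-connect:${SOCKET}"
    fi
}

# Only touch the network and HAProxy when invoked as "haproxy_ocsp_update.sh run".
case "${1:-}" in run) update_staple ;; esac
```

From cron, call the script as /usr/local/bin/haproxy_ocsp_update.sh run. After a successful run, confirm from a client that the staple is actually delivered in the handshake: openssl s_client -connect <host>:443 -status </dev/null 2>&1 | grep -A1 'OCSP Response Status' should print OCSP Response Status: successful followed by the response type; "no response sent" means HAProxy has no valid response loaded for that certificate.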
Certificate file used by the frontend

The certificate the script refreshes is the one referenced by the frontend's bind line (private key, server certificate and chain in one PEM file):

frontend acdportal_https
    mode http
    bind :443 ssl crt /etc/haproxy/haproxy.pem #verify optional

If an intermediate certificate has to be added (example: Salesforce, if the certificate chain is not known to Salesforce), this can be done as follows:

- Right-click the certificate in the browser (screenshot not included)
- Show the certificate details (screenshots not included)
- Show the intermediate certificate (screenshots not included)
- Save it to the local machine (screenshot not included)

Then open the saved file in a text editor and copy the content of the intermediate certificate to the very bottom of haproxy.pem, after the server certificate, so that HAProxy sends the complete chain. The OCSP script above is not affected by this step: it downloads the issuer certificate from the CA Issuers URL in the server certificate rather than reading it from haproxy.pem.

Then:
...