This guide generates a self-signed certificate for the haproxy service.

OpenSSL Configuration

Edit the file /etc/pki/tls/openssl.cnf and make the following modifications (read the comments carefully!).

Two things are worth knowing before editing. In the stock file, [ v3_ca ] is the extension section that openssl req -x509 applies to a self-signed certificate (x509_extensions = v3_ca in [ req ]), which is why the SAN and keyUsage entries go there; the same section also carries basicConstraints = critical,CA:true, which a server certificate does not need, and because the file is system-wide, every self-signed certificate created on this host afterwards will receive the same SAN list. The copy_extensions = copy entry in [ CA_default ] is read by openssl ca, not by the openssl req command used in this guide: once it is enabled, every extension a requester puts into a CSR is copied into the signed certificate, so never sign an unreviewed CSR with that setting active.

Code Block
title/etc/pki/tls/openssl.cnf
#
# Insert at the end:
#
 
[ alternate_names ]
DNS.1        = acd-lb.domain.de
DNS.2        = acd-lb.domain.local
DNS.3        = acd-lb
 
#
# Insert or modify in this section (both lines belong in the one existing [ v3_ca ] section):
#
 
[ v3_ca ]
subjectAltName      = @alternate_names
keyUsage            = digitalSignature, keyEncipherment
 
#
# Change or uncomment in this section:
#
 
[ CA_default ]
copy_extensions = copy



Generate Keys

First create a directory for the keys, then generate the private key and the self-signed certificate.

ATTENTION: The following block also contains output from the system (the interactive prompts), not only commands.

Code Block
titleGenerate Keys
mkdir /etc/ssl/newkey
# cert.key is the private key: it must stay on this host, readable by root only
openssl genrsa -out /etc/ssl/newkey/cert.key 3072
# self-signed, SHA-256, valid 730 days; the SAN list comes from the modified openssl.cnf
openssl req -new -x509 -key /etc/ssl/newkey/cert.key -sha256 -out /etc/ssl/newkey/cert.pem -days 730
 
#
# Answer the questions as follows (for example); the Common Name should be the
# primary DNS name of the load balancer (DNS.1 in alternate_names):
#

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:Bavaria
Locality Name (eg, city) [Default City]:Munich
Organization Name (eg, company) [Default Company Ltd]:jtel GmbH
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:acd-lb.domain.de
Email Address []:lewis.graham@jtel.de

Check the generated certificate

Check whether the alternative names have been entered:

Code Block
titleCheck
openssl x509 -in /etc/ssl/newkey/cert.pem -text -noout

# Check that all DNS names are listed under this entry:
# X509v3 Subject Alternative Name:
#     DNS:acd-lb.domain.de, DNS:acd-lb.domain.local, DNS:acd-lb

If the entry is missing, the certificate was created without the modified openssl.cnf (for example because a different configuration file was picked up). Browsers ignore the Common Name and match the host name against the SAN only, so regenerate the certificate before continuing.


Create and copy the combined .pem

haproxy expects the private key and the certificate in one PEM file. Because that file contains the private key it stays root-owned with mode 400: haproxy loads it as root at start-up, before it drops to the haproxy user. The cert.key and comb.pem left behind in /etc/ssl/newkey carry the same secret and deserve the same permissions.

Code Block
titleCombined PEM
cat /etc/ssl/newkey/cert.key > /etc/ssl/newkey/comb.pem
cat /etc/ssl/newkey/cert.pem >> /etc/ssl/newkey/comb.pem
cp /etc/ssl/newkey/comb.pem /etc/haproxy/haproxy.pem
chmod 400 /etc/haproxy/haproxy.pem
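The key, certificate, SAN check and combined-PEM steps above, as one added example script that is not part of the original guide. Instead of editing the system-wide openssl.cnf it writes a private request configuration (named req.cnf here, an assumption, filled with the DN values from the example session), generates the 3072-bit key and 730-day SHA-256 certificate without prompts, verifies that every SAN is really present, verifies that the key belongs to the certificate, and builds the haproxy PEM with mode 400. It sets basicConstraints = CA:FALSE, which the stock [ v3_ca ] section does not, needs OpenSSL 1.1.1 or newer, and takes the output directory as an argument rather than assuming /etc/ssl/newkey.

```shell
#!/bin/sh
# Added example (not part of the original guide): non-interactive version of
# the key, certificate, SAN check and combined-PEM steps of this page.
# Assumes OpenSSL 1.1.1 or newer; directory, CN and SAN list are arguments.
set -eu
umask 077   # every file created here, above all the private key, starts as 0600

# Write a private OpenSSL config next to the key instead of editing the
# system-wide /etc/pki/tls/openssl.cnf, so the SAN list does not end up in
# every other certificate made on this host.
# $1 = config path, $2 = Common Name, $3 = space-separated DNS names
write_req_config() {
    local cfg=$1 cn=$2 sans=$3 i=1 name
    {
        printf '[ req ]\nprompt = no\ndistinguished_name = req_dn\nx509_extensions = v3_server\n\n'
        printf '[ req_dn ]\nC = DE\nST = Bavaria\nL = Munich\nO = jtel GmbH\nOU = IT\nCN = %s\n\n' "$cn"
        # server-certificate extensions; no CA:true, unlike the stock [ v3_ca ] section
        printf '[ v3_server ]\nbasicConstraints = critical, CA:FALSE\n'
        printf 'keyUsage = critical, digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\nsubjectKeyIdentifier = hash\n'
        printf 'subjectAltName = @alternate_names\n\n[ alternate_names ]\n'
        for name in $sans; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"
}

# 3072-bit RSA key and self-signed certificate (SHA-256, 730 days), as on this page.
# $1 = output directory, $2 = Common Name, $3 = DNS names; writes $1/cert.key and $1/cert.pem
make_selfsigned() {
    local dir=$1 cn=$2 sans=$3
    mkdir -p "$dir"
    write_req_config "$dir/req.cnf" "$cn" "$sans"
    openssl genrsa -out "$dir/cert.key" 3072 2>/dev/null
    openssl req -new -x509 -sha256 -days 730 -key "$dir/cert.key" \
        -config "$dir/req.cnf" -out "$dir/cert.pem"
    chmod 400 "$dir/cert.key"
}

# Succeeds only if every name in $2 is a DNS entry of the certificate's SAN extension.
cert_has_sans() {
    local cert=$1 wanted=$2 san_line name
    # in -text output the list sits on the line after the extension header
    san_line=$(openssl x509 -in "$cert" -noout -text |
               awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' | tr -d ' ')
    for name in $wanted; do
        case ",$san_line," in
            *",DNS:$name,"*) ;;
            *) echo "SAN missing: $name" >&2; return 1 ;;
        esac
    done
}

# Succeeds only if the private key's public half is the one inside the certificate
# (compares the DER SubjectPublicKeyInfo taken from each side).
key_matches_cert() {
    local key=$1 cert=$2 k c
    k=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Combined PEM for haproxy: key first, then certificate, mode 400 (haproxy reads it
# as root at start-up, before dropping to the haproxy user).
# $1 = directory holding cert.key and cert.pem, $2 = output path
build_haproxy_pem() {
    local dir=$1 out=$2
    cat "$dir/cert.key" "$dir/cert.pem" > "$out"
    chmod 400 "$out"
}

main() {
    local dir=$1 cn=${2:-acd-lb.domain.de}
    local sans=${3:-"acd-lb.domain.de acd-lb.domain.local acd-lb"}
    make_selfsigned "$dir" "$cn" "$sans"
    cert_has_sans "$dir/cert.pem" "$sans"
    key_matches_cert "$dir/cert.key" "$dir/cert.pem"
    build_haproxy_pem "$dir" "$dir/haproxy.pem"
    echo "ready: $dir/haproxy.pem (copy to /etc/haproxy/haproxy.pem, run 'haproxy -c -f /etc/haproxy/haproxy.cfg', then 'service haproxy reload')"
}

# usage: sh mkcert.sh /etc/ssl/newkey [CN] ["name1 name2 ..."]
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as root with sh mkcert.sh /etc/ssl/newkey (the script name is arbitrary); the functions can also be sourced and run one at a time. The key-versus-certificate comparison is the check to run whenever a key or certificate is swapped by hand and haproxy refuses to load the PEM.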



Enter the certificate in haproxy.cfg and adjust the frontend configuration so that HTTP is redirected to HTTPS

Code Block
titlehaproxy.cfg
#
# Frontend http redirects to https
#
frontend acdportal_http
        mode            http
        bind            :80
        redirect        scheme https if !{ ssl_fc }

#
# Frontend for https with certificate
#
frontend acdportal_https
        mode            http
        bind            :443 ssl crt /etc/haproxy/haproxy.pem  #verify optional
...

The trailing #verify optional is a comment (haproxy ignores everything after #), not an active setting; verify optional is the bind option for optional client-certificate authentication. Validate the file with haproxy -c -f /etc/haproxy/haproxy.cfg, then reload haproxy with service haproxy reload.




Example haproxy.cfg for SSL (here: Waterlogic)

Code Block
titlehaproxy.cfg
#---------------------------------------------------------------------
# Configuration file for the jtel acd dispatcher proxy
# See the full configuration options online.
#
#   http://cbonte.github.io/haproxy-dconv/configuration-1.5.html
#
# NOTE: written for HAProxy 1.5. The reqadd and appsession keywords used
# below were removed in later releases (see the comments at those lines).
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
        log             127.0.0.1   local2

        chroot          /var/lib/haproxy
        pidfile         /var/run/haproxy.pid
        maxconn         4000
        user            haproxy
        group           haproxy
        daemon

        # turn on stats unix socket
        stats           socket /var/lib/haproxy/stats
        stats           timeout 30s

        # Default SSL material locations
        ca-base        /etc/ssl/certs
        crt-base       /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL).
        # NOTE: this 1.5-era list still allows RC4-SHA and static RSA key
        # exchange (kRSA, no forward secrecy), and only SSLv3 is disabled,
        # so TLS 1.0 and 1.1 stay enabled. On a current HAProxy restrict the
        # list to ECDHE AEAD suites and add ssl-min-ver TLSv1.2 to the options.
        ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
        ssl-default-bind-options no-sslv3


#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
        mode            http
        log             global
        option          httplog
        option          dontlognull
        option          http-server-close
        option          forwardfor      except 127.0.0.0/8
        option          redispatch
        retries         3
        timeout         http-request    10s
        timeout         queue           1m
        timeout         connect         10s
        timeout         client          10m
        timeout         server          10m
        timeout         http-keep-alive 10s
        timeout         check           10s
        maxconn         3000

        # default error pages
        errorfile 400   /usr/share/haproxy/400.http
        errorfile 408   /usr/share/haproxy/408.http
        errorfile 504   /usr/share/haproxy/504.http
        errorfile 503   /usr/share/haproxy/503.http
        errorfile 502   /usr/share/haproxy/502.http
        errorfile 403   /usr/share/haproxy/403.http
        errorfile 500   /usr/share/haproxy/500.http


#---------------------------------------------------------------------
# statistics admin level depends on the authenticated user
# you can create your passwords with the following oneliner:
#
# python -c 'import crypt; print crypt.crypt("secretpassword", "$5$a_random_salt")'
#
# (Python 2 syntax. With Python 3 up to 3.12:
#  python3 -c 'import crypt; print(crypt.crypt("secretpassword", "$5$a_random_salt"))'
#  The crypt module was removed in Python 3.13; mkpasswd -m sha-256 from the
#  whois/mkpasswd package produces the same kind of hash.)
#
# 5 is the type of the hash: 5 = SHA-256
#
# 1 -> MD5
# 2a -> Blowfish (not in mainline glibc; added in some Linux distributions)
# 5 -> SHA-256 (since glibc 2.7)
# 6 -> SHA-512 (since glibc 2.7)
#
# Sample:
# python -c 'import crypt; print crypt.crypt("fireball", "$5$jhaProxy")'
#
# NOTE: the three hashes below share the salt $5$jhaProxy and are published
# with this page; replace them with your own passwords (and fresh random
# salts) before using this file.
#---------------------------------------------------------------------
userlist stats-auth
        user  admin     password $5$jhaProxy$.K9OlQpRuXawri9YF5V1MaRsgxFM9EPjA9xukbd5UE.
        user  jtel      password $5$jhaProxy$rd33gRtd4Wt5UyIclODlyjinSeH4N2DjLtKk33PNZH.
        user  user      password $5$jhaProxy$.saE3wsZ9AzbDMk2jW9WWQqm.4.vgyZCjFdCf5dAKD6
        group admin     users admin,jtel
        group readonly  users user

#---------------------------------------------------------------------
# this is a dedicated internal HTTP frontend for administration
# NOTE: plain HTTP on all interfaces, so the basic-auth credentials of the
# userlist travel in clear text here. Bind it to a management address (or
# 127.0.0.1) and use /haproxy on the HTTPS frontend, which routes to the
# same stat_admin backend, for remote access.
#---------------------------------------------------------------------
frontend haproxy
        mode            http
        bind            *:7777
        acl root_req    path /
        redirect        location /haproxy if root_req
        default_backend stat_admin

#---------------------------------------------------------------------
# this is the internal HTTP dispatcher frontend for the acd portal
# with forced redirection to HTTPS
#---------------------------------------------------------------------
frontend acdportal_http
        mode            http
        bind            :80
        redirect        scheme https if !{ ssl_fc }

#---------------------------------------------------------------------
# this is the internal HTTPS dispatcher frontend for the acd portal
#---------------------------------------------------------------------
frontend acdportal_https
        mode            http
        # comb.pem as built in the guide above (which then copies it to
        # /etc/haproxy/haproxy.pem); either path works if the file is root-only, mode 400
        bind            :443 ssl crt /etc/ssl/newkey/comb.pem  #verify optional
        acl soap_req    url_reg ^\/CarrierPortal/AcdAgentClientService.*
        acl stat_req    url_reg ^\/haproxy
        acl root_req    path /
        acl admn_req    path /admin
        acl mini_req    path /miniclient
        acl icss_req    path /PBX0/MY/mypbx.css
#        acl inno_req    url_beg /PBX0/
        timeout         client 1d
        option          forwardfor header X-JTEL
        # reqadd was removed in HAProxy 2.1; on 2.x use:
        #   http-request set-header X-Forwarded-Proto https
        reqadd          X-Forwarded-Proto:\ https
        redirect        location /CarrierPortal/sysadmin/login if admn_req
        redirect        location /CarrierPortal/login/waterlogic/waterlogic if root_req
        redirect        location /CarrierPortal/mclogin/waterlogic/waterlogic if mini_req
#        redirect        location /CarrierPortal/ResourceDispatcher/system/skin/inno11/mypbx.css if icss_req
        use_backend     stat_admin  if stat_req
        use_backend     jtel_soap   if soap_req
#        use_backend     inno11      if inno_req
        default_backend jtel_portal

#---------------------------------------------------------------------
# this backend provides the haproxy administration interface
#---------------------------------------------------------------------
backend stat_admin
        mode            http
        acl             HAUTH           http_auth(stats-auth)
        acl             HAUTH_ADMIN     http_auth_group(stats-auth) admin
        stats           enable
        stats           uri /haproxy
        stats           http-request auth unless HAUTH
        stats           admin if HAUTH_ADMIN
        stats           hide-version
        stats           refresh 60

#---------------------------------------------------------------------
# this backend provides the standard acd portal access
#---------------------------------------------------------------------
backend jtel_portal
        mode            http
        compression     algo gzip
        compression     type text/xml text/html text/plain text/css text/javascript
        cookie          SERVERID insert indirect nocache
        # appsession was removed in HAProxy 1.6; the SERVERID cookie above
        # already pins a client to its server on later versions
        appsession      JSESSIONID len 32 timeout 3600000
        balance         leastconn # roundrobin
        server          jboss1 acd-jb1:8080 weight 1 cookie jboss1 check inter 1m

#---------------------------------------------------------------------
# this backend provides the SOAP interface access
#---------------------------------------------------------------------
backend jtel_soap
        mode            http
        compression     algo gzip
        compression     type text/xml text/html text/plain text/css text/javascript
        balance         leastconn # roundrobin
        stick-table     type ip size 20k
        stick           on src
        server          jboss1 acd-jb1:8080 weight 1 cookie jboss1 check inter 1m

#---------------------------------------------------------------------
# this backend provides access to the innovaphone PBX web frontend
#---------------------------------------------------------------------
#backend inno11
#        mode            http
#        appsession      session         len 10 timeout 1h
#        balance         leastconn
#        server          inno11 10.10.20.72:80 weight 1 check inter 1m

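The example file above is an HAProxy 1.5 configuration. The fragment below is an added example, not from the page or from jtel, of how the TLS-relevant parts look on HAProxy 2.x with OpenSSL 1.1.1 or newer: forward-secret AEAD ciphers only (the ECDHE part of Mozilla's "intermediate" list), TLS 1.2 as minimum, the management frontend bound to the loopback, and the 2.x replacement for reqadd. Frontend and backend names are the ones from the file above; the certificate path is the one used in the guide.

```haproxy
global
        # replaces the 1.5-era ssl-default-bind-* lines: TLS 1.2 minimum,
        # forward-secret AEAD suites only (no RC4, no static RSA key exchange);
        # TLS 1.3 suites are configured separately
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options prefer-client-ciphers ssl-min-ver TLSv1.2 no-tls-tickets

# management UI on the loopback only; it stays reachable over TLS through
# /haproxy on acdportal_https, which routes to the same stat_admin backend
frontend haproxy
        mode            http
        bind            127.0.0.1:7777
        acl root_req    path /
        redirect        location /haproxy if root_req
        default_backend stat_admin

frontend acdportal_http
        mode            http
        bind            :80
        redirect        scheme https if !{ ssl_fc }

frontend acdportal_https
        mode            http
        bind            :443 ssl crt /etc/haproxy/haproxy.pem
        # 2.x replacement for "reqadd X-Forwarded-Proto:\ https" (reqadd was removed in 2.1)
        http-request    set-header X-Forwarded-Proto https
        default_backend jtel_portal
```

Do not add a Strict-Transport-Security header while the certificate is self-signed and not installed on the clients: HSTS makes browsers refuse to click through the certificate warning. After haproxy -c -f /etc/haproxy/haproxy.cfg and the reload, openssl s_client -connect acd-lb.domain.de:443 -servername acd-lb.domain.de -tls1_1 must fail, and the same command with -tls1_2 must succeed and, piped into openssl x509 -noout -text, show the SAN names from the certificate.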