This guide generates a self-signed certificate for the haproxy service.

OpenSSL Configuration

Edit the file /etc/pki/tls/openssl.cnf and make the following modifications (read the comments carefully!):

```ini
# /etc/pki/tls/openssl.cnf
#
# Insert at the end:
#
[ alternate_names ]
DNS.1 = acd-lb.domain.de
DNS.2 = acd-lb.domain.local
DNS.3 = acd-lb

#
# Insert in this section:
#
[ v3_ca ]
subjectAltName = @alternate_names

#
# Insert or modify in this section:
#
[ v3_ca ]
keyUsage = digitalSignature, keyEncipherment

#
# Change or uncomment in this section:
#
[ CA_default ]
copy_extensions = copy
```

Generate Keys

First, create a directory for the keys, and then generate the keys. ATTENTION: The following section also includes output from the system.

```shell
mkdir /etc/ssl/newkey
openssl genrsa -out /etc/ssl/newkey/cert.key 3072
openssl req -new -x509 -key /etc/ssl/newkey/cert.key -sha256 -out /etc/ssl/newkey/cert.pem -days 730
#
# Answer the questions as follows (for example):
#
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:Bavaria
Locality Name (eg, city) [Default City]:Munich
Organization Name (eg, company) [Default Company Ltd]:jtel GmbH
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:acd-lb.domain.de
Email Address []:lewis.graham@jtel.de
```

Check the generated certificate

Check whether the alternative names have been entered:

```shell
openssl x509 -in /etc/ssl/newkey/cert.pem -text -noout
# Check that all DNS names are listed under this entry:
# X509v3 Subject Alternative Name:
```

Create and copy the combined .pem

```shell
cat /etc/ssl/newkey/cert.key > /etc/ssl/newkey/comb.pem
cat /etc/ssl/newkey/cert.pem >> /etc/ssl/newkey/comb.pem
cp /etc/ssl/newkey/comb.pem /etc/haproxy/haproxy.pem
chmod 400 /etc/haproxy/haproxy.pem
```

Enter the certificate in haproxy.cfg and adjust the frontend configuration to redirect to https

```
#
# Frontend http redirects to https
#
frontend acdportal_http
    mode http
    bind :80
    redirect scheme https if !{ ssl_fc }
#
# Frontend for https with certificate
#
frontend acdportal_https
    mode http
    bind :443 ssl crt /etc/haproxy/haproxy.pem #verify optional
...
```

Then reload haproxy with service haproxy reload.
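As an added example (not part of the original guide), the same procedure scripted so it can be run non-interactively and checked afterwards: the SAN and keyUsage extensions are passed with -addext instead of editing openssl.cnf (OpenSSL 1.1.1 or newer), the combined pem is built as above, and two checks confirm that every expected DNS name is in the SAN and that key and certificate in the combined file belong together. The output directory, organization fields and DNS names are placeholders, not values from the page.

```shell
#!/bin/sh
# Added example, not from the original guide: scripted version of the steps
# above. Instead of editing openssl.cnf, the SAN and keyUsage extensions are
# passed with -addext (needs OpenSSL 1.1.1 or newer). Paths, organization
# fields and DNS names are placeholders for the values used on the page.
set -eu

# Create key, self-signed cert and the combined pem for haproxy in directory $1.
# $2 is a comma-separated list of DNS names; the first one becomes the CN.
make_selfsigned() {
    dir=$1; names=$2
    cn=${names%%,*}
    san=$(printf '%s' "$names" | sed 's/[^,][^,]*/DNS:&/g')   # a,b -> DNS:a,DNS:b
    mkdir -p "$dir"
    openssl genrsa -out "$dir/cert.key" 3072 2>/dev/null
    openssl req -new -x509 -key "$dir/cert.key" -sha256 -days 730 \
        -subj "/C=DE/ST=Bavaria/L=Munich/O=Example GmbH/OU=IT/CN=$cn" \
        -addext "subjectAltName=$san" \
        -addext "keyUsage=digitalSignature,keyEncipherment" \
        -out "$dir/cert.pem"
    # haproxy wants key and certificate in one file; keep it owner-readable only
    cat "$dir/cert.key" "$dir/cert.pem" > "$dir/comb.pem"
    chmod 400 "$dir/comb.pem"
}

# Succeed only if every name in $2 is present as a DNS entry in the SAN of $1.
check_san() {
    san=$(openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' | tr -d ' ')
    for n in $(printf '%s' "$2" | tr ',' ' '); do
        case "$san," in *"DNS:$n,"*) ;; *) return 1 ;; esac
    done
}

# Succeed only if the private key and the certificate in a combined pem match.
check_comb() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$1" -noout -pubkey)" ]
}

# Stand-alone use: sh mkcert.sh /etc/ssl/newkey acd-lb.domain.de,acd-lb.domain.local,acd-lb
if [ $# -eq 2 ]; then
    make_selfsigned "$1" "$2"
    check_san "$1/cert.pem" "$2" || { echo "SAN incomplete in $1/cert.pem" >&2; exit 1; }
    check_comb "$1/comb.pem" || { echo "key and certificate do not match" >&2; exit 1; }
    echo "OK: $1/comb.pem is ready for haproxy"
fi
```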
Example haproxy.cfg for SSL (here: Waterlogic)

```
#---------------------------------------------------------------------
# Configuration file for the jtel acd dispatcher proxy
# See the full configuration options online.
#
# http://cbonte.github.io/haproxy-dconv/configuration-1.5.html
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats
    stats timeout 30s

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL).
    ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
    ssl-default-bind-options no-sslv3

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 10m
    timeout server 10m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

    # default error pages
    errorfile 400 /usr/share/haproxy/400.http
    errorfile 408 /usr/share/haproxy/408.http
    errorfile 504 /usr/share/haproxy/504.http
    errorfile 503 /usr/share/haproxy/503.http
    errorfile 502 /usr/share/haproxy/502.http
    errorfile 403 /usr/share/haproxy/403.http
    errorfile 500 /usr/share/haproxy/500.http

#---------------------------------------------------------------------
# statistics admin level depends on the authenticated user
# you can create your passwords with the following oneliner:
#
# python -c 'import crypt; print crypt.crypt("secretpassword", "$5$a_random_salt")'
#
# 5 is the type of the hash: 5 = SHA-256
#
# 1 -> MD5
# 2a -> Blowfish (not in mainline glibc; added in some Linux distributions)
# 5 -> SHA-256 (since glibc 2.7)
# 6 -> SHA-512 (since glibc 2.7)
#
# Sample:
# python -c 'import crypt; print crypt.crypt("fireball", "$5$jhaProxy")'
#---------------------------------------------------------------------
userlist stats-auth
    user admin password $5$jhaProxy$.K9OlQpRuXawri9YF5V1MaRsgxFM9EPjA9xukbd5UE.
    user jtel password $5$jhaProxy$rd33gRtd4Wt5UyIclODlyjinSeH4N2DjLtKk33PNZH.
    user user password $5$jhaProxy$.saE3wsZ9AzbDMk2jW9WWQqm.4.vgyZCjFdCf5dAKD6
    group admin users admin,jtel
    group readonly users user

#---------------------------------------------------------------------
# this is a dedicated internal HTTP frontend for administration
#---------------------------------------------------------------------
frontend haproxy
    mode http
    bind *:7777
    acl root_req path /
    redirect location /haproxy if root_req
    default_backend stat_admin

#---------------------------------------------------------------------
# this is the internal HTTP dispatcher frontend for the acd portal
# with forced redirection to HTTPS
#---------------------------------------------------------------------
frontend acdportal_http
    mode http
    bind :80
    redirect scheme https if !{ ssl_fc }

#---------------------------------------------------------------------
# this is the internal HTTPS dispatcher frontend for the acd portal
#---------------------------------------------------------------------
frontend acdportal_https
    mode http
    bind :443 ssl crt /etc/ssl/newkey/comb.pem #verify optional
    acl soap_req url_reg ^\/CarrierPortal/AcdAgentClientService.*
    acl stat_req url_reg ^\/haproxy
    acl root_req path /
    acl admn_req path /admin
    acl mini_req path /miniclient
    acl icss_req path /PBX0/MY/mypbx.css
    # acl inno_req url_beg /PBX0/
    timeout client 1d
    option forwardfor header X-JTEL
    reqadd X-Forwarded-Proto:\ https
    redirect location /CarrierPortal/sysadmin/login if admn_req
    redirect location /CarrierPortal/login/waterlogic/waterlogic if root_req
    redirect location /CarrierPortal/mclogin/waterlogic/waterlogic if mini_req
    # redirect location /CarrierPortal/ResourceDispatcher/system/skin/inno11/mypbx.css if icss_req
    use_backend stat_admin if stat_req
    use_backend jtel_soap if soap_req
    # use_backend inno11 if inno_req
    default_backend jtel_portal

#---------------------------------------------------------------------
# this backend provides the haproxy administration interface
#---------------------------------------------------------------------
backend stat_admin
    mode http
    acl HAUTH http_auth(stats-auth)
    acl HAUTH_ADMIN http_auth_group(stats-auth) admin
    stats enable
    stats uri /haproxy
    stats http-request auth unless HAUTH
    stats admin if HAUTH_ADMIN
    stats hide-version
    stats refresh 60

#---------------------------------------------------------------------
# this backend provides the standard acd portal access
#---------------------------------------------------------------------
backend jtel_portal
    mode http
    compression algo gzip
    compression type text/xml text/html text/plain text/css text/javascript
    cookie SERVERID insert indirect nocache
    appsession JSESSIONID len 32 timeout 3600000
    balance leastconn # roundrobin
    server jboss1 acd-jb1:8080 weight 1 cookie jboss1 check inter 1m

#---------------------------------------------------------------------
# this backend provides the SOAP interface access
#---------------------------------------------------------------------
backend jtel_soap
    mode http
    compression algo gzip
    compression type text/xml text/html text/plain text/css text/javascript
    balance leastconn # roundrobin
    stick-table type ip size 20k
    stick on src
    server jboss1 acd-jb1:8080 weight 1 cookie jboss1 check inter 1m

#---------------------------------------------------------------------
# this backend provides access to the innovaphone PBX web frontend
#---------------------------------------------------------------------
#backend inno11
#    mode http
#    appsession session len 10 timeout 1h
#    balance leastconn
#    server inno11 10.10.20.72:80 weight 1 check inter 1m
```