Edit the file /etc/pki/tls/openssl.cnf

/etc/pki/tls/openssl.cnf

Append at the end:

    [ alternate_names ]
    DNS.1 = acd-lb.domain.de
    DNS.2 = acd-lb.domain.local
    DNS.3 = acd-lb

Insert into this section (openssl req -x509 takes the extensions for a self-signed certificate from the section named by x509_extensions in [ req ], which is v3_ca in the stock file; that is why the SAN reference goes here):

    [ v3_ca ]
    subjectAltName = @alternate_names

Insert into, or change in, the same section:

    [ v3_ca ]
    keyUsage = digitalSignature, keyEncipherment

Change or uncomment in this section:

    [ CA_default ]
    copy_extensions = copy

Note that copy_extensions is only consulted by openssl ca when it signs a CSR; the self-signed openssl req -x509 call below does not use it, so the SAN entries must come from the v3_ca section above.
Create the directory for the keys and generate the private key and the certificate:

    mkdir /etc/ssl/newkey
    openssl genrsa -out /etc/ssl/newkey/cert.key 3072
    openssl req -new -x509 -key /etc/ssl/newkey/cert.key -sha256 -out /etc/ssl/newkey/cert.pem -days 730

Answer the prompts as follows (for example); the Common Name must be one of the host names that the clients connect to:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:DE
    State or Province Name (full name) []:Bavaria
    Locality Name (eg, city) [Default City]:Munich
    Organization Name (eg, company) [Default Company Ltd]:jtel GmbH
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, your name or your server's hostname) []:acd-lb.domain.de
    Email Address []:lewis.graham@jtel.de
Check the generated certificate (verify that the alternative names were included):

Check (run in /etc/ssl/newkey):

    openssl x509 -in cert.pem -text -noout

Check that all DNS names are listed under this entry:

    X509v3 Subject Alternative Name:

If the line is missing, the openssl.cnf edits above were not picked up (wrong file or wrong section); browsers ignore the Common Name and match the host name against the SAN list only, so do not continue without it.
Create the combined .pem that haproxy loads (run in /etc/ssl/newkey):

    cat cert.key > comb.pem
    cat cert.pem >> comb.pem

comb.pem contains the private key, so restrict it to the user haproxy runs as before loading it (for example chmod 600 comb.pem); the same applies to cert.key.
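The steps above (SAN section, key and certificate generation, SAN check, combined file) can be scripted so that the SAN list stays tied to the one certificate instead of living in the global openssl.cnf. The following is an added example, not code from the original page or from jtel; it assumes only that openssl is on PATH, uses the DN values from the prompts above, and the directory and host names passed to it are placeholders. It also adds two checks the page does not spell out: that a given host name is really covered by the SAN list, and that the key and the certificate inside comb.pem belong together.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive generation of a
# self-signed SAN certificate for HAProxy, plus checks before it is loaded.
# Assumption: openssl is on PATH. DIR, CN and the host names are placeholders.

# gen_cert DIR CN NAME... : writes DIR/cert.key, DIR/cert.pem and DIR/comb.pem
gen_cert() {
    dir=$1; cn=$2; shift 2
    mkdir -p "$dir"
    # A private request config instead of editing the global openssl.cnf:
    # x509_extensions names the section openssl req -x509 reads, as v3_ca does
    # in the stock file, but here the certificate is marked as a non-CA.
    cat > "$dir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = server_ext
prompt             = no

[ dn ]
C  = DE
O  = jtel GmbH
CN = ${cn}

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alternate_names

[ alternate_names ]
EOF
    i=1
    for name in "$@"; do
        printf 'DNS.%d = %s\n' "$i" "$name" >> "$dir/req.cnf"
        i=$((i + 1))
    done
    openssl genrsa -out "$dir/cert.key" 3072 2>/dev/null || return 1
    openssl req -new -x509 -sha256 -days 730 -key "$dir/cert.key" \
        -config "$dir/req.cnf" -out "$dir/cert.pem" || return 1
    # comb.pem carries the private key: create it unreadable to other users
    (umask 077; cat "$dir/cert.key" "$dir/cert.pem" > "$dir/comb.pem")
}

# san_of CERT : prints the SAN line, e.g. "DNS:acd-lb.domain.de, DNS:acd-lb"
san_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# san_covers CERT NAME : succeeds only if NAME is listed as a DNS SAN
san_covers() {
    san_of "$1" | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# key_matches_cert KEY CERT : succeeds if both carry the same public key
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# comb_is_consistent COMB : the key and the certificate inside comb.pem belong
# together (catches a file assembled from the wrong key)
comb_is_consistent() {
    tmp=$(mktemp)
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" > "$tmp"
    key_matches_cert "$1" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Usage, for instance: gen_cert /etc/ssl/newkey acd-lb.domain.de acd-lb.domain.de acd-lb.domain.local acd-lb, followed by san_of /etc/ssl/newkey/cert.pem and comb_is_consistent /etc/ssl/newkey/comb.pem before the haproxy reload.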
Add the certificate to haproxy.cfg (the crt option on the bind line of the HTTPS frontend points at the combined file):

haproxy.cfg

    frontend acdportal_http
        mode http
        bind :80
        redirect scheme https if !{ ssl_fc }

    #---------------------------------------------------------------------
    # this is the internal HTTPS dispatcher frontend for the acd portal
    #---------------------------------------------------------------------
    frontend acdportal_https
        mode http
        bind :443 ssl crt /etc/ssl/newkey/comb.pem #verify optional
        acl soap_req url_reg ^\/CarrierPortal/AcdAgentClientService.*
        acl stat_req url_reg ^\/haproxy
        acl root_req path /
        acl admn_req path /admin
        acl mini_req path /miniclient
        acl icss_req path /PBX0/MY/mypbx.css
        # acl inno_req url_beg /PBX0/
        timeout client 1d
        option forwardfor header X-JTEL
        reqadd X-Forwarded-Proto:\ https
        redirect location /CarrierPortal/sysadmin/login if admn_req
        redirect location /CarrierPortal/login/jtel/jtel if root_req
        redirect location /CarrierPortal/mclogin/jtel/jtel if mini_req
        # redirect location /CarrierPortal/ResourceDispatcher/system/skin/inno11/mypbx.css if icss_req
        use_backend stat_admin if stat_req
        use_backend jtel_soap if soap_req
        # use_backend inno11 if inno_req
        default_backend jtel_portal
Reload haproxy with: service haproxy reload

Note: the reqadd directive is HAProxy 1.5 syntax (the version the example below is written for) and was removed in HAProxy 2.1; on newer versions use http-request set-header X-Forwarded-Proto https instead.
Example haproxy.cfg for SSL (here: Waterlogic)
haproxy.cfg

    #---------------------------------------------------------------------
    # Configuration file for the jtel acd dispatcher proxy
    # See the full configuration options online.
    #
    #   http://cbonte.github.io/haproxy-dconv/configuration-1.5.html
    #
    #---------------------------------------------------------------------

    #---------------------------------------------------------------------
    # Global settings
    #---------------------------------------------------------------------
    global
        log         127.0.0.1 local2

        chroot      /var/lib/haproxy
        pidfile     /var/run/haproxy.pid
        maxconn     4000
        user        haproxy
        group       haproxy
        daemon

        # turn on stats unix socket
        stats socket /var/lib/haproxy/stats
        stats timeout 30s

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL).
        ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
        ssl-default-bind-options no-sslv3

    #---------------------------------------------------------------------
    # common defaults that all the 'listen' and 'backend' sections will
    # use if not designated in their block
    #---------------------------------------------------------------------
    defaults
        mode                    http
        log                     global
        option                  httplog
        option                  dontlognull
        option http-server-close
        option forwardfor       except 127.0.0.0/8
        option                  redispatch
        retries                 3
        timeout http-request    10s
        timeout queue           1m
        timeout connect         10s
        timeout client          10m
        timeout server          10m
        timeout http-keep-alive 10s
        timeout check           10s
        maxconn                 3000

        # default error pages
        errorfile 400 /usr/share/haproxy/400.http
        errorfile 408 /usr/share/haproxy/408.http
        errorfile 504 /usr/share/haproxy/504.http
        errorfile 503 /usr/share/haproxy/503.http
        errorfile 502 /usr/share/haproxy/502.http
        errorfile 403 /usr/share/haproxy/403.http
        errorfile 500 /usr/share/haproxy/500.http

    #---------------------------------------------------------------------
    # statistics admin level depends on the authenticated user
    # you can create your passwords with the following oneliner:
    #
    #   python -c 'import crypt; print crypt.crypt("secretpassword", "$5$a_random_salt")'
    #
    # 5 is the type of the hash: 5 = SHA-256
    #
    #   1  -> MD5
    #   2a -> Blowfish (not in mainline glibc; added in some Linux distributions)
    #   5  -> SHA-256 (since glibc 2.7)
    #   6  -> SHA-512 (since glibc 2.7)
    #
    # Sample:
    #   python -c 'import crypt; print crypt.crypt("fireball", "$5$jhaProxy")'
    #---------------------------------------------------------------------
    userlist stats-auth
        user admin password $5$jhaProxy$.K9OlQpRuXawri9YF5V1MaRsgxFM9EPjA9xukbd5UE.
        user jtel  password $5$jhaProxy$rd33gRtd4Wt5UyIclODlyjinSeH4N2DjLtKk33PNZH.
        user user  password $5$jhaProxy$.saE3wsZ9AzbDMk2jW9WWQqm.4.vgyZCjFdCf5dAKD6
        group admin    users admin,jtel
        group readonly users user

    #---------------------------------------------------------------------
    # this is a dedicated internal HTTP frontend for administration
    #---------------------------------------------------------------------
    frontend haproxy
        mode http
        bind *:7777
        acl root_req path /
        redirect location /haproxy if root_req
        default_backend stat_admin

    #---------------------------------------------------------------------
    # this is the internal HTTP dispatcher frontend for the acd portal
    # with forced redirection to HTTPS
    #---------------------------------------------------------------------
    frontend acdportal_http
        mode http
        bind :80
        redirect scheme https if !{ ssl_fc }

    #---------------------------------------------------------------------
    # this is the internal HTTPS dispatcher frontend for the acd portal
    #---------------------------------------------------------------------
    frontend acdportal_https
        mode http
        bind :443 ssl crt /etc/ssl/newkey/comb.pem #verify optional
        acl soap_req url_reg ^\/CarrierPortal/AcdAgentClientService.*
        acl stat_req url_reg ^\/haproxy
        acl root_req path /
        acl admn_req path /admin
        acl mini_req path /miniclient
        acl icss_req path /PBX0/MY/mypbx.css
        # acl inno_req url_beg /PBX0/
        timeout client 1d
        option forwardfor header X-JTEL
        reqadd X-Forwarded-Proto:\ https
        redirect location /CarrierPortal/sysadmin/login if admn_req
        redirect location /CarrierPortal/login/waterlogic/waterlogic if root_req
        redirect location /CarrierPortal/mclogin/waterlogic/waterlogic if mini_req
        # redirect location /CarrierPortal/ResourceDispatcher/system/skin/inno11/mypbx.css if icss_req
        use_backend stat_admin if stat_req
        use_backend jtel_soap if soap_req
        # use_backend inno11 if inno_req
        default_backend jtel_portal

    #---------------------------------------------------------------------
    # this backend provides the haproxy administration interface
    #---------------------------------------------------------------------
    backend stat_admin
        mode http
        acl HAUTH http_auth(stats-auth)
        acl HAUTH_ADMIN http_auth_group(stats-auth) admin
        stats enable
        stats uri /haproxy
        stats http-request auth unless HAUTH
        stats admin if HAUTH_ADMIN
        stats hide-version
        stats refresh 60

    #---------------------------------------------------------------------
    # this backend provides the standard acd portal access
    #---------------------------------------------------------------------
    backend jtel_portal
        mode http
        compression algo gzip
        compression type text/xml text/html text/plain text/css text/javascript
        cookie SERVERID insert indirect nocache
        appsession JSESSIONID len 32 timeout 3600000
        balance leastconn # roundrobin
        server jboss1 acd-jb1:8080 weight 1 cookie jboss1 check inter 1m

    #---------------------------------------------------------------------
    # this backend provides the SOAP interface access
    #---------------------------------------------------------------------
    backend jtel_soap
        mode http
        compression algo gzip
        compression type text/xml text/html text/plain text/css text/javascript
        balance leastconn # roundrobin
        stick-table type ip size 20k
        stick on src
        server jboss1 acd-jb1:8080 weight 1 cookie jboss1 check inter 1m

    #---------------------------------------------------------------------
    # this backend provides access to the innovaphone PBX web frontend
    #---------------------------------------------------------------------
    #backend inno11
    #    mode http
    #    appsession session len 10 timeout 1h
    #    balance leastconn
    #    server inno11 10.10.20.72:80 weight 1 check inter 1m
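The ssl-default-bind-ciphers string in the example above still admits RC4-SHA and static-RSA key exchange (kRSA+AES), so sessions on those suites have no forward secrecy, and no-sslv3 alone leaves TLS 1.0 and 1.1 enabled. Before changing the line it is worth seeing exactly which suites a cipher string expands to on the OpenSSL build haproxy links against. The following is an added example, not from the original page or from jtel: it expands a cipher string with openssl ciphers -v and flags the suites a TLS review would reject. It assumes only that openssl is on PATH; the hardened string and the no-tlsv10/no-tlsv11 options are my suggestion, not something the page prescribes.

```shell
#!/bin/sh
# Added example (not from the original page): audit an HAProxy
# ssl-default-bind-ciphers string by expanding it with openssl ciphers(1).
# Assumption: openssl is on PATH.

# the cipher string from the example haproxy.cfg above
PAGE_CIPHERS='kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL'

# ECDHE-only, AEAD-only replacement (assumption: a sensible list today)
HARDENED_CIPHERS='ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5'

# expand_ciphers STRING : one "NAME PROTO Kx=.. Au=.. Enc=.. Mac=.." line per suite,
# in the order HAProxy would offer them
expand_ciphers() {
    openssl ciphers -v "$1"
}

# weak_ciphers STRING : suites with static RSA key exchange (no forward
# secrecy) or RC4 encryption; the page's string produces both kinds where the
# OpenSSL build still supports them
weak_ciphers() {
    expand_ciphers "$1" | awk '/Kx=RSA / || /Enc=RC4/'
}

# count_weak STRING : number of flagged suites, 0 for a clean list
count_weak() {
    weak_ciphers "$1" | awk 'END { print NR }'
}

# has_pfs_only STRING : succeeds when every suite uses ephemeral key exchange
has_pfs_only() {
    [ "$(count_weak "$1")" -eq 0 ]
}

# hardened_global : the two global-section lines to use in place of the page's
hardened_global() {
    printf '%s\n' \
        "    ssl-default-bind-ciphers ${HARDENED_CIPHERS}" \
        '    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11'
}
```

Run weak_ciphers "$PAGE_CIPHERS" to see the static-RSA suites the current line enables, and has_pfs_only on a candidate string before pasting it into the global section; hardened_global prints the replacement lines. Check the result with haproxy -c -f /etc/haproxy/haproxy.cfg before reloading, since an empty intersection between the cipher list and the certificate's key type would leave the listener unable to complete any handshake.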