LにCAを設置した。
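# ---- as root: dedicated account for the CA --------------------------------
# The CA key and issuance database live under an unprivileged user so that
# nothing running as root has to touch them. The existence checks make the
# step repeatable.
getent group ca >/dev/null || groupadd -g 92 ca
id ca >/dev/null 2>&1 || useradd -u 92 -g ca -d /var/lib/ca ca
mkdir -p /var/lib/ca
chown -R ca:ca /var/lib/ca
# Everything below is typed in the shell that `su - ca` opens: this page is a
# transcript, not a script that can be run as a whole.
su - ca

# ---- as ca: layout and OpenSSL configuration ------------------------------
CA_DIR=/var/lib/ca
CA_URL=http://ca.tir.jp/
CA_CRT_URL=http://ca.tir.jp/ca.tir.jp.crt
CA_CRL_URL=http://ca.tir.jp/ca.tir.jp.crl
mkdir -p "${CA_DIR}"
cd "${CA_DIR}" || exit 1

# Configuration used by `openssl ca` (signing, CRL generation).
# Changes against the original: SHA-256 instead of SHA-1, and the *default*
# extension set (cert_plain) is CA:FALSE. The default is what `openssl ca`
# applies when -extensions is omitted, so with the original CA:true a single
# forgotten flag minted another CA certificate.
cat > openssl.ca.conf <<EOF
RANDFILE = \$ENV::HOME/.rnd
oid_file = \$ENV::HOME/.oid
oid_section = new_oids
[ new_oids ]
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ${CA_DIR}
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.cert.pem
serial = \$dir/serial
crl = \$dir/ca.crl.pem
private_key = \$dir/private/ca.key.pem
RANDFILE = \$dir/private/.rand
x509_extensions = cert_plain
crl_extensions = crl_ext
name_opt = ca_default
cert_opt = ca_default
default_days = 365
# The CRL is only valid for a week: re-run `openssl ca -gencrl` at least
# that often, or clients that check CRLs will start failing.
default_crl_days = 7
default_md = sha256
preserve = no
policy = policy_anything
[ policy_match ]
countryName = match
stateOrProvinceName = optional
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# Safe default: an end-entity certificate. CA certificates are only issued
# when -extensions cert_ca is given explicitly.
[ cert_plain ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# Subordinate CA. Note there is no pathlen constraint and policy_anything
# applies, so a sub-CA issued with this profile can itself issue for any name.
[ cert_ca ]
basicConstraints = CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = cRLSign, keyCertSign
issuerAltName = URI:${CA_CRT_URL}
crlDistributionPoints = URI:${CA_CRL_URL}
[ cert_server ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
issuerAltName = URI:${CA_CRT_URL}
crlDistributionPoints = URI:${CA_CRL_URL}
[ cert_client ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
nsCertType = client, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
issuerAltName = URI:${CA_CRT_URL}
crlDistributionPoints = URI:${CA_CRL_URL}
[ crl_ext ]
#issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always
EOF

# Configuration used by `openssl req` (CSR generation and the self-signed CA
# certificate). 2048-bit RSA / SHA-256 replace the original 1024-bit / SHA-1,
# which current clients reject. v3_plain is the default when -extensions is
# omitted and is therefore CA:FALSE as well.
cat > openssl.req.conf <<EOF
RANDFILE = \$ENV::HOME/.rnd
oid_file = \$ENV::HOME/.oid
oid_section = new_oids
[ new_oids ]
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
attributes = req_attributes
default_md = sha256
x509_extensions = v3_plain
string_mask = nombstr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = JP
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Hyogo
localityName = Locality Name (eg, city)
localityName_default = Kawanishi
0.organizationName = Organization Name (eg, company)
0.organizationName_default = tir.jp
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = ca
commonName = Common Name (***IMPORTANT***)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = yamada@tir.jp
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ v3_plain ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# Used only to create the CA's own self-signed certificate.
[ v3_self_ca ]
basicConstraints = CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = cRLSign, keyCertSign
nsCertType = sslCA, emailCA
issuerAltName = URI:${CA_CRT_URL}
crlDistributionPoints = URI:${CA_CRL_URL}
nsBaseUrl = ${CA_URL}
nsCaRevocationUrl = ${CA_CRL_URL}
nsRevocationUrl = ${CA_URL}
nsRenewalUrl = ${CA_URL}
nsCaPolicyUrl = ${CA_URL}
EOF

# Issuance database. The original chmod named a non-existent `ca.conf`;
# the files actually written above are openssl.ca.conf and openssl.req.conf.
touch index.txt
echo '01' > serial
chmod 644 openssl.ca.conf openssl.req.conf index.txt serial
mkdir -p certs crl newcerts private work
chmod 755 . certs crl newcerts
chmod 700 private work

# ---- as ca: root key, self-signed certificate, first CRL -------------------
# The CA key is passphrase-protected (-des3); every later `openssl ca` run
# prompts for that passphrase.
openssl genrsa -des3 -out private/ca.key.pem 2048 \
  && chmod 400 private/ca.key.pem
openssl req \
  -config ~/openssl.req.conf \
  -new \
  -key private/ca.key.pem \
  -out work/ca.request.pem
openssl req \
  -config ~/openssl.req.conf \
  -extensions v3_self_ca \
  -x509 \
  -key private/ca.key.pem \
  -in work/ca.request.pem \
  -out ./ca.cert.pem \
  -days 3650
openssl ca \
  -config ~/openssl.ca.conf \
  -gencrl \
  -out ./ca.crl.pem
# Hash-named links so this directory works as a -CApath.
ln -sf ca.cert.pem "$(openssl x509 -noout -hash < ca.cert.pem).0"
ln -sf ca.crl.pem "$(openssl crl -noout -hash < ca.crl.pem).r0"
rm work/ca.request.pem

# ---- as ca: issuance helpers ------------------------------------------------
# server_keycertgen.sh, client_keycertgen.sh and ca_keycertgen.sh differ only
# in the extension profile they sign with, so they are generated from one
# template. Each produces private/<name>.keycert.pem holding the (unencrypted)
# key followed by the certificate, mode 0400.
for kind in server client ca; do
  cat > "${kind}_keycertgen.sh" <<EOF
#!/bin/sh
# Generate a key and a CA-signed ${kind} certificate for the name given as \$1.
# Output: private/<name>.keycert.pem (private key + certificate).
EXTENSIONS=cert_${kind}
if [ -n "\$1" ]; then
  cd ${CA_DIR} || exit 1
  if [ -e "private/\$1.keycert.pem" ]; then
    echo "'private/\$1.keycert.pem' already exists!" 1>&2
    exit 1
  else
    openssl genrsa -out "work/\$1.key.pem" 2048 \\
    && chmod 400 "work/\$1.key.pem" \\
    && openssl req \\
      -config ~/openssl.req.conf \\
      -new \\
      -key "work/\$1.key.pem" \\
      -out "work/\$1.request.pem" \\
    && openssl ca \\
      -config ~/openssl.ca.conf \\
      -policy policy_anything \\
      -extensions \${EXTENSIONS} \\
      -out "work/\$1.cert.pem" \\
      -days 365 \\
      -infiles "work/\$1.request.pem" \\
    && cat "work/\$1.key.pem" "work/\$1.cert.pem" \\
      > "private/\$1.keycert.pem" \\
    && chmod 400 "private/\$1.keycert.pem" \\
    && echo "'private/\$1.keycert.pem' created."
    # Scratch files are removed even when a step above failed.
    rm -f "work/\$1.key.pem" "work/\$1.request.pem" "work/\$1.cert.pem"
  fi
else
  echo "usage : \$0 target-name" 1>&2
  exit 1
fi
EOF
  chmod a+x "${kind}_keycertgen.sh"
done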
./server_keycertgen.sh l.so.tir.jp
あとはCommon Name（サーバのFQDN。ここでは l.so.tir.jp）などを対話的に入力し、CA鍵のパスフレーズを入れて署名内容を確認・承認すれば、private配下に l.so.tir.jp.keycert.pem（秘密鍵と証明書を連結したもの）が作られる。
su -c 'openssl s_server -accept 443 -www -cert private/l.so.tir.jp.keycert.pem -CApath .'
これで https://l.so.tir.jp/ にアクセスしたところ、動作した（動作確認用の一時サーバであり、root権限で443番を待ち受けている点に注意）。
以下の作業を行った。内容については後述。
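# Switch squid to being started from rc.local through rc.squid.
# Files that root will read are *copied* into place rather than symlinked
# into nekoie's home directory (the original did `ln -sf` for squid.conf and
# goshredir.scm): squid parses squid.conf and launches the redirector as root
# before dropping to cache_effective_user, so a config writable by an
# ordinary account is a root-equivalent foothold.
mkdir -p /var/lib/squid-ssl /certkeys   # squid-ssl is not used anywhere else on this page
chmod -R 700 /certkeys
cp /home/nekoie/nekoie/misc/squid/rc.squid /etc/rc.d
chown root:root /etc/rc.d/rc.squid

# Replace the plain `squid` line in rc.local with a guarded `. rc.squid`.
# NOTE(review): `%g/squid/` with no command after it prints the matches, and
# the following `c` then replaces only the current (last matched) line —
# this looks intended for a single squid line; confirm rc.local has only one.
if grep -q squid /etc/rc.d/rc.local; then
  ed /etc/rc.d/rc.local <<'EOP'
%g/squid/
c
if [ -x /etc/rc.d/rc.squid ]; then
  . /etc/rc.d/rc.squid
fi
.
w
q
EOP
fi

# rm first: if squid.conf is still a symlink from an earlier setup, cp would
# otherwise write through it into the home directory.
rm -f /var/lib/squid/squid.conf /var/lib/squid/goshredir.scm
cp /home/nekoie/nekoie/misc/squid/squid.conf /var/lib/squid/squid.conf
cp /home/nekoie/nekoie/misc/squid/goshredir.scm /var/lib/squid/goshredir.scm
chown root:root /var/lib/squid/squid.conf /var/lib/squid/goshredir.scm
chmod 644 /var/lib/squid/squid.conf /var/lib/squid/goshredir.scm

/etc/rc.d/rc.squid -k shutdown
/etc/rc.d/rc.squid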
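# Fresh squid instance acting as a reverse proxy (httpd_accel) in front of the
# local tcpcgi services, with URL rewriting done by goshredir.scm.
SQUID_VERSION=2.5.7
SERVER_ADDR=$(hostname -i)
SERVER_NAME=$(hostname -f)
export SQUID_VERSION SERVER_ADDR SERVER_NAME
# NOTE(review): `hostname -i` can yield 127.0.0.1 or several addresses
# depending on /etc/hosts; http_port below needs exactly one public address.

# Destructive: this removes the previous instance's logs and cache. The :?
# guard keeps a blank SQUID_VERSION from turning the mkdir/chown below into
# operations on /var/lib/squid- itself.
: "${SQUID_VERSION:?}"
rm -rf /var/lib/squid
mkdir -p "/var/lib/squid-${SQUID_VERSION}"/{logs,cache}
# chown happens *before* squid.conf is written below, so the config stays
# root-owned and the squid user cannot edit what root parses at startup.
chown -R squid:squid "/var/lib/squid-${SQUID_VERSION}"
ln -s "squid-${SQUID_VERSION}" /var/lib/squid
ln -s /home/nekoie/nekoie/misc/squid/errors /var/lib/squid/errors
touch /var/lib/squid/goshredir.conf

# NOTE(review): redirect_program points into a user's home directory; squid
# runs the redirector as the squid user, so whoever can write there controls
# URL rewriting for every request. A root-owned copy would be tighter.
cat > /var/lib/squid/squid.conf <<EOF
http_port ${SERVER_ADDR}:80
# https_port ${SERVER_ADDR}:443 cert=certificate.pem [key=key.pem]
cache_effective_user squid
visible_hostname ${SERVER_NAME}
unique_hostname ${SERVER_NAME}
cache_dir ufs /var/lib/squid/cache 64 16 256
cache_access_log /var/lib/squid/logs/access.log
cache_log /var/lib/squid/logs/cache.log
cache_store_log /var/lib/squid/logs/store.log
referer_log /var/lib/squid/logs/referer.log
pid_filename /var/lib/squid/logs/squid.pid
emulate_httpd_log on
logfile_rotate 16
coredump_dir /var/lib/squid
error_directory /var/lib/squid/errors
acl so_tir_jp src 210.224.176.48/28
acl to_so_tir_jp dst 210.224.176.48/28
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
#acl Safe_ports port 1025-65535 # unregistered ports
acl tcpcgi_ports port 40000-40999
acl CONNECT method CONNECT
redirector_access allow all
http_access deny manager !localhost
http_access deny !Safe_ports !tcpcgi_ports
http_access deny CONNECT
http_access allow to_so_tir_jp
http_access deny all
http_reply_access allow to_localhost
http_reply_access deny all
icp_access deny all
cache_mem 2 MB
maximum_object_size 16 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 256 KB
memory_pools_limit 4 MB
request_header_max_size 8 KB
request_body_max_size 1024 KB
reply_header_max_size 8 KB
reply_body_max_size 0 allow all
pipeline_prefetch off
refresh_pattern . 0 20% 4320
negative_ttl 1 minutes
forwarded_for on
client_persistent_connections on
server_persistent_connections on
redirect_program /usr/local/gauche/bin/gosh /home/nekoie/nekoie/scripts/goshredir.scm /var/lib/squid/goshredir.conf
redirect_children 5
redirect_rewrites_host_header off
httpd_accel_host 127.0.0.1
httpd_accel_single_host off
httpd_accel_with_proxy off
httpd_accel_uses_host_header on
EOF
# -z only creates the cache swap directories; the instance is started later.
/usr/local/squid/sbin/squid -f /var/lib/squid/squid.conf -z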
# Hand-edit the redirector's rule file. It was created empty with `touch`
# during instance setup and is passed to goshredir.scm on the
# redirect_program line of squid.conf.
# NOTE(review): confirm whether running redirect children re-read it, or
# whether a `squid -k reconfigure` is needed after editing.
vim /var/lib/squid/goshredir.conf
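# Drop every existing squid line from rc.local (if there is any), then
# append the direct start command for this instance.
# The global command and its action are written on one ed line
# (`%g/squid/d`) so that *every* matching line is deleted; a `d` on a
# separate line would only act on the last match.
if grep -q squid /etc/rc.d/rc.local; then
  ed /etc/rc.d/rc.local <<'EOP'
%g/squid/d
w
q
EOP
fi
echo '/usr/local/squid/sbin/squid -f /var/lib/squid/squid.conf' \
  >> /etc/rc.d/rc.local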
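# Restart the main squid instance.
# `-k shutdown` with the instance's own config stops only this instance
# (`killall squid` also took down every other squid on the box), and the
# pid is polled instead of sleeping a fixed 5 s: starting before the old
# process has released port 80 made the new one fail to bind.
SQUID=/usr/local/squid/sbin/squid
CONF=/var/lib/squid/squid.conf
PIDFILE=/var/lib/squid/logs/squid.pid
old_pid=$(cat "$PIDFILE" 2>/dev/null)
"$SQUID" -f "$CONF" -k shutdown
# shutdown_lifetime defaults to 30 s; allow twice that before giving up.
waited=0
while [ -n "$old_pid" ] && kill -0 "$old_pid" 2>/dev/null \
      && [ "$waited" -lt 60 ]; do
  sleep 1
  waited=$((waited + 1))
done
"$SQUID" -f "$CONF"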
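# Second squid instance (e.tir.jp on 210.224.176.52:80) that forwards every
# request to the single tcpcgi service on 127.0.0.1:40000.
mkdir -p /var/lib/squid/e_tir_jp/{logs,cache}
cat > /var/lib/squid/e_tir_jp/squid.conf <<'EOF'
http_port 210.224.176.52:80
# https_port 210.224.176.52:443 cert=certificate.pem [key=key.pem]
cache_effective_user squid
visible_hostname n.so.tir.jp
unique_hostname n.so.tir.jp
hostname_aliases 210.224.176.52 e.tir.jp
cache_dir ufs /var/lib/squid/e_tir_jp/cache 64 16 256
cache_access_log /var/lib/squid/e_tir_jp/logs/access.log
cache_log /var/lib/squid/e_tir_jp/logs/cache.log
cache_store_log /var/lib/squid/e_tir_jp/logs/store.log
referer_log /var/lib/squid/e_tir_jp/logs/referer.log
pid_filename /var/lib/squid/e_tir_jp/logs/squid.pid
emulate_httpd_log on
logfile_rotate 16
coredump_dir /var/lib/squid/e_tir_jp
error_directory /usr/local/squid-2.5.7/share/errors/English
acl so_tir_jp src 210.224.176.48/28
acl to_so_tir_jp dst 210.224.176.48/28
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
# redirector_access allow all
http_access deny manager !localhost
http_access deny !Safe_ports
http_access deny CONNECT
http_access allow to_localhost
http_access deny all
http_reply_access allow all
icp_access deny all
cache_mem 2 MB
maximum_object_size 16 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 256 KB
memory_pools_limit 4 MB
request_header_max_size 8 KB
request_body_max_size 1024 KB
reply_header_max_size 8 KB
reply_body_max_size 0 allow all
pipeline_prefetch off
refresh_pattern . 0 20% 4320
negative_ttl 1 minutes
forwarded_for on
client_persistent_connections on
server_persistent_connections on
#redirect_program /usr/local/gauche/bin/gosh /path/to/scmredir.scm configfile
#redirect_children 5
#redirect_rewrites_host_header on
httpd_accel_host 127.0.0.1
httpd_accel_port 40000
httpd_accel_single_host on
httpd_accel_with_proxy off
httpd_accel_uses_host_header off
EOF
# Hand only this instance's tree to the squid user (the original chown -R
# covered all of /var/lib/squid, i.e. every other instance as well), and keep
# squid.conf root-owned: squid parses it as root at startup, so it must not be
# writable by the account it later drops to.
chown -R squid:squid /var/lib/squid/e_tir_jp
chown root:root /var/lib/squid/e_tir_jp/squid.conf
chmod 644 /var/lib/squid/e_tir_jp/squid.conf
/usr/local/squid/sbin/squid -f /var/lib/squid/e_tir_jp/squid.conf -z
/usr/local/squid/sbin/squid -f /var/lib/squid/e_tir_jp/squid.conf
# Register in rc.local once; re-running this step must not add a second line.
grep -q 'squid -f /var/lib/squid/e_tir_jp/squid.conf' /etc/rc.d/rc.local \
  || echo '/usr/local/squid/sbin/squid -f /var/lib/squid/e_tir_jp/squid.conf' \
       >> /etc/rc.d/rc.local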
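# Shared group for all tcpcgi service accounts (gid 93 is what the run
# scripts pass to tcpserver as -g93). Skipped when it already exists so
# the same step can be repeated for every new service.
getent group tcpcgi >/dev/null || groupadd -g 93 tcpcgi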
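# Per-service account and daemontools service directory for e_tir_jp.
TARGET=e_tir_jp
PORT=40000
id "$TARGET" >/dev/null 2>&1 \
  || useradd -u "$PORT" -g tcpcgi -d "/daemon/tcpcgi-$TARGET" \
       -s /bin/false -c 'service_for_tcpcgi' "$TARGET"
mkdir -p "/daemon/tcpcgi-$TARGET"
# The service directory stays root-owned. supervise executes ./run as root
# and tcpserver only then drops to the service uid; with the directory owned
# by that uid (as the original chown did) a compromised service could delete
# and rewrite run — sticky bit or not, the directory owner may unlink any
# entry — and come back as root on the next restart. setgid keeps new entries
# in the tcpcgi group.
chown root:tcpcgi "/daemon/tcpcgi-$TARGET"
chmod 2755 "/daemon/tcpcgi-$TARGET"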
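# Log directory belongs to the unprivileged logger account that multilog
# runs under (see log/run below).
mkdir -p "/var/log/tcpcgi-$TARGET"
chown logger:logger "/var/log/tcpcgi-$TARGET"
mkdir -p "/daemon/tcpcgi-$TARGET"/{log,src}

# daemontools run script. tcpserver listens on 127.0.0.1 only (traffic
# arrives through squid's accelerator), drops to the service uid/gid, and
# skips reverse DNS (-H) and ident (-R) lookups. `cd src || exit 1` replaces
# the bare `cd`: with src/ missing, the original went on to start tcpserver
# in the service directory against a script that is not there.
cat > "/daemon/tcpcgi-$TARGET/run" <<EOF
#!/bin/sh
cd src || exit 1
exec 2>&1
exec /usr/bin/env - PATH="\$PATH" \\
  /usr/local/bin/tcpserver \\
  -v -c32 -u$PORT -g93 -H -R \\
  -l127.0.0.1 127.0.0.1 $PORT \\
  /usr/local/gauche/bin/gosh $TARGET.scm
EOF
cat > "/daemon/tcpcgi-$TARGET/log/run" <<EOF
#!/bin/sh
exec setuidgid logger multilog t s16777215 n32 /var/log/tcpcgi-$TARGET
EOF
chmod a+x "/daemon/tcpcgi-$TARGET/run" \
  "/daemon/tcpcgi-$TARGET/log/run"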
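# Service entry point, run by gosh as the service uid. The quoted heredoc
# delimiter keeps the Scheme text literal. The only route maps "/" to
# /proc/cpuinfo, i.e. it publishes the host's CPU details to anyone who can
# reach e.tir.jp — acceptable for a smoke test, not for a real service.
cat > "/daemon/tcpcgi-$TARGET/src/$TARGET.scm" <<'EOF'
#!/usr/bin/env gosh
(use tcpcgi)
(define *tcpcgi*
  (make <tcpcgi>
    :path-dispatch `(("/" "/proc/cpuinfo")
                     )
    :request-timeout 5
    :response-timeout 60
    :keepalive-timeout 300
    :use-server-header #t
    ))
(define (main args)
  (tcpcgi-main *tcpcgi*
               "210.224.176.52"             ; SERVER_ADDR
               "80"                         ; SERVER_PORT
               "e.tir.jp"                   ; SERVER_NAME
               (sys-getenv "TCPREMOTEIP")   ; REMOTE_ADDR
               (sys-getenv "TCPREMOTEPORT") ; REMOTE_PORT
               (sys-getenv "TCPREMOTEHOST") ; REMOTE_HOST
               #f                           ; HTTPS flag
               ))
EOF
chmod a+x "/daemon/tcpcgi-$TARGET/src/$TARGET.scm"
# NOTE(review): the service uid owning its own source lets a compromised
# process persist by rewriting the .scm. If gosh needs no write access here,
# root:tcpcgi with 750/640 would be tighter — confirm before changing.
chown -R "$TARGET:tcpcgi" "/daemon/tcpcgi-$TARGET/src"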
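# Register the service with daemontools; svscan picks the new entry up on its
# next scan of /service. The link name is spelled out and -n added so that a
# re-run against an existing /service/tcpcgi-<name> replaces that link
# instead of creating a nested one inside the directory it points to.
ln -sfn "/daemon/tcpcgi-$TARGET" "/service/tcpcgi-$TARGET"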
s.tir.jpでも分かりにくい気がしたので、sakura.tir.jpに更に移転。
このWiLiKiを設置していたn.tir.jpはNサーバと紛らわしいので、s.tir.jpに移転させた。
元のn.tir.jpにはリダイレクタを設置。
前に設置したtcpcgiのサービスをsquidから呼び出してみる設定の練習を行ってみた。
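# Third squid instance (gs-alpha). The lines after `su -` run in the root
# shell it opens; this page is a transcript.
su -
mkdir -p /var/lib/squid/gs-alpha/logs
cp ~nekoie/squid.conf /var/lib/squid/gs-alpha
chown -R squid:squid /var/lib/squid/gs-alpha
# Take squid.conf back from the squid user: squid parses it as root before
# dropping to cache_effective_user, so the original chown -R let the
# unprivileged account rewrite what root runs at the next start.
chown root:root /var/lib/squid/gs-alpha/squid.conf
chmod 644 /var/lib/squid/gs-alpha/squid.conf
/usr/local/squid/sbin/squid -f /var/lib/squid/gs-alpha/squid.conf -z
/usr/local/squid/sbin/squid -f /var/lib/squid/gs-alpha/squid.conf
# Register in rc.local once; re-running this step must not add a second line.
grep -q 'squid -f /var/lib/squid/gs-alpha/squid.conf' /etc/rc.d/rc.local \
  || echo '/usr/local/squid/sbin/squid -f /var/lib/squid/gs-alpha/squid.conf' \
       >> /etc/rc.d/rc.local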
やっぱりdaemontools経由での起動はしない事にした(主な理由は、アップデート時にややっこしくなる為)。
練習として、Cにてtcpcgiを使ったサービスの設置を行う。
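# Shared group for all tcpcgi service accounts (gid 93 is what the run
# scripts pass to tcpserver as -g93). Skipped when it already exists, so
# this step is safe to repeat for every new service.
getent group tcpcgi >/dev/null || groupadd -g 93 tcpcgi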
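# Per-service account and daemontools service directory for gs_alpha.
# Author's convention: uid and gid are basically set equal to the port
# number. (Only the uid actually follows it here; the group is the shared
# tcpcgi group, gid 93.)
TARGET=gs_alpha
PORT=40000
id "$TARGET" >/dev/null 2>&1 \
  || useradd -u "$PORT" -g tcpcgi -d "/daemon/tcpcgi-$TARGET" \
       -s /bin/false -c 'service_for_tcpcgi' "$TARGET"
mkdir -p "/daemon/tcpcgi-$TARGET"
# The service directory stays root-owned. supervise executes ./run as root
# and tcpserver only then drops to the service uid; with the directory owned
# by that uid (as the original chown did) a compromised service could delete
# and rewrite run — the directory owner may unlink any entry, sticky bit or
# not — and come back as root on the next restart. setgid keeps new entries
# in the tcpcgi group.
chown root:tcpcgi "/daemon/tcpcgi-$TARGET"
chmod 2755 "/daemon/tcpcgi-$TARGET"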
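# Log directory belongs to the unprivileged logger account that multilog
# runs under; log/main is a link to it so multilog can be pointed at ./main.
mkdir -p "/var/log/tcpcgi-$TARGET"
chown logger:logger "/var/log/tcpcgi-$TARGET"
mkdir -p "/daemon/tcpcgi-$TARGET/log"
ln -sfn "/var/log/tcpcgi-$TARGET" "/daemon/tcpcgi-$TARGET/log/main"

# daemontools run script. tcpserver listens on 127.0.0.1 only, drops to the
# service uid/gid and skips reverse DNS (-H) and ident (-R) lookups.
# The uid is taken from $PORT like the listen port (the original hard-coded
# -u40000, which silently diverges from the uid==port convention as soon as
# PORT changes), and `cd src || exit 1` fails fast instead of starting
# tcpserver in the wrong directory when src/ is missing.
cat > "/daemon/tcpcgi-$TARGET/run" <<EOF
#!/bin/sh
cd src || exit 1
exec 2>&1
exec /usr/bin/env - PATH="\$PATH" \\
  /usr/local/bin/tcpserver \\
  -v -c32 -u$PORT -g93 -H -R \\
  -l127.0.0.1 127.0.0.1 $PORT \\
  /usr/local/bin/gosh $TARGET.scm
EOF
cat > "/daemon/tcpcgi-$TARGET/log/run" <<EOF
#!/bin/sh
exec setuidgid logger multilog t s16777215 n32 ./main
EOF
chmod a+x "/daemon/tcpcgi-$TARGET/run" \
  "/daemon/tcpcgi-$TARGET/log/run"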
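# Service entry point, run by gosh as the service uid. The quoted heredoc
# delimiter keeps the Scheme text literal. The only route, /cpuinfo, serves
# /proc/cpuinfo — fine for a smoke test, not something to leave exposed.
mkdir -p "/daemon/tcpcgi-$TARGET/src"
cat > "/daemon/tcpcgi-$TARGET/src/$TARGET.scm" <<'EOF'
#!/usr/bin/env gosh
(use tcpcgi)
(define *tcpcgi*
  (make <tcpcgi>
    :path-dispatch `(("/cpuinfo" "/proc/cpuinfo")
                     )
    :request-timeout 5
    :response-timeout 60
    :keepalive-timeout 300
    :use-server-header #t
    ))
(define (main args)
  (tcpcgi-main *tcpcgi*
               "210.224.176.50"             ; SERVER_ADDR
               "80"                         ; SERVER_PORT
               "gs-alpha.tir.jp"            ; SERVER_NAME
               (sys-getenv "TCPREMOTEIP")   ; REMOTE_ADDR
               (sys-getenv "TCPREMOTEPORT") ; REMOTE_PORT
               (sys-getenv "TCPREMOTEHOST") ; REMOTE_HOST
               #f                           ; HTTPS flag
               ))
EOF
chmod a+x "/daemon/tcpcgi-$TARGET/src/$TARGET.scm"
# NOTE(review): the service uid owning its own source lets a compromised
# process persist by rewriting the .scm. If gosh needs no write access here,
# root:tcpcgi with 750/640 would be tighter — confirm before changing.
chown -R "$TARGET:tcpcgi" "/daemon/tcpcgi-$TARGET/src"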
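# Register the service with daemontools; svscan picks the new entry up on its
# next scan of /service. The link name is spelled out and -n added so that a
# re-run against an existing /service/tcpcgi-<name> replaces that link
# instead of creating a nested one inside the directory it points to.
ln -sfn "/daemon/tcpcgi-$TARGET" "/service/tcpcgi-$TARGET"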
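# Smoke test straight against the service's local port, bypassing squid.
# printf replaces `echo -ne`: echo's handling of -e/-n and of \r\n escapes is
# not portable between shells, and a mangled request line makes the test
# fail for the wrong reason.
printf 'GET /cpuinfo HTTP/1.0\r\n\r\n' | nc localhost 40000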