日誌:200501


2005/01/30 11:06:10 JST

2005/01/30 03:05:46 JST

LにCAを設置した。

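# Dedicated unprivileged account for the CA (fixed uid/gid 92); its home
# directory is the CA directory itself, so "~" and CA_DIR coincide for it.
groupadd -g 92 ca
useradd -u 92 -g ca -d /var/lib/ca ca
mkdir -p /var/lib/ca
# user:group with ":" — the "." separator is the legacy spelling; the later
# entries on this page already use "logger:logger".
chown -R ca:ca /var/lib/ca
# Everything from here to the end of this entry runs inside the ca user's
# login shell.
su - ca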
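# Locations that get baked into every issued certificate (issuerAltName,
# crlDistributionPoints and the Netscape URLs in the config files below).
# Clients that check revocation fetch CA_CRL_URL, so it has to stay served.
CA_DIR=/var/lib/ca
CA_URL=http://ca.tir.jp/
CA_CRT_URL=http://ca.tir.jp/ca.tir.jp.crt
CA_CRL_URL=http://ca.tir.jp/ca.tir.jp.crl
mkdir -p "${CA_DIR}"
# Every following command writes relative to CA_DIR; do not continue in the
# wrong directory if the cd fails (same guard the keycertgen scripts use).
cd "${CA_DIR}" || exit 1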
# openssl.ca.conf: used by "openssl ca" when signing requests and generating
# the CRL. Sections, in the order written below:
#   CA_default  - file layout under CA_DIR (index.txt, serial, newcerts/ and
#                 private/ca.key.pem are created further down in this entry).
#                 default_crl_days = 7: a CRL produced by "openssl ca -gencrl"
#                 is only valid for a week and must be regenerated on that
#                 schedule. default_md = sha1 was the 2005 default; SHA-1
#                 signatures are no longer accepted by mainstream clients, so
#                 a new deployment should use sha256 here and in
#                 openssl.req.conf.
#   policy_*    - DN policy. policy_anything is the one selected, so nothing
#                 in an issued subject is tied to the CA's own DN; only a CN
#                 is required.
#   cert_plain  - the DEFAULT x509_extensions, and it sets
#                 basicConstraints = CA:true: a bare "openssl ca" call without
#                 -extensions issues a certificate that can itself sign
#                 certificates. The keycertgen scripts below always pass
#                 -extensions; when running openssl ca by hand do the same,
#                 or point x509_extensions at an end-entity profile.
#   cert_ca / cert_server / cert_client - profiles selected with -extensions.
#                 The two end-entity ones carry CA:FALSE plus a keyUsage and
#                 embed the CRL / issuer-certificate URLs set above.
#   crl_ext     - extensions placed in the CRL.
# The heredoc is unquoted: ${CA_DIR} and the URL variables expand now,
# OpenSSL's own $dir / $ENV references are escaped so they reach the file.
cat > openssl.ca.conf <<EOF
RANDFILE    = \$ENV::HOME/.rnd
oid_file    = \$ENV::HOME/.oid
oid_section = new_oids

[ new_oids ]

[ ca ]
  default_ca              = CA_default

[ CA_default ]
  dir                     = ${CA_DIR}
  certs                   = \$dir/certs
  crl_dir                 = \$dir/crl
  database                = \$dir/index.txt
  new_certs_dir           = \$dir/newcerts
  certificate             = \$dir/ca.cert.pem
  serial                  = \$dir/serial
  crl                     = \$dir/ca.crl.pem
  private_key             = \$dir/private/ca.key.pem
  RANDFILE                = \$dir/private/.rand
  x509_extensions         = cert_plain
  crl_extensions          = crl_ext
  name_opt                = ca_default
  cert_opt                = ca_default

  default_days            = 365
  default_crl_days        = 7
  default_md              = sha1
  preserve                = no
  policy                  = policy_anything

[ policy_match ] 
  countryName             = match 
  stateOrProvinceName     = optional 
  localityName            = match 
  organizationName        = match 
  organizationalUnitName  = optional 
  commonName              = supplied 
  emailAddress            = optional

[ policy_anything ]
  countryName             = optional
  stateOrProvinceName     = optional
  localityName            = optional
  organizationName        = optional
  organizationalUnitName  = optional
  commonName              = supplied
  emailAddress            = optional

[ cert_plain ]
  basicConstraints        = CA:true
  subjectKeyIdentifier    = hash
  authorityKeyIdentifier  = keyid,issuer:always

[ cert_ca ]
  basicConstraints        = CA:true
  subjectKeyIdentifier    = hash
  authorityKeyIdentifier  = keyid:always,issuer:always
  keyUsage                = cRLSign, keyCertSign
  issuerAltName           = URI:${CA_CRT_URL}
  crlDistributionPoints   = URI:${CA_CRL_URL}

[ cert_server ]
  basicConstraints        = CA:FALSE
  subjectKeyIdentifier    = hash
  authorityKeyIdentifier  = keyid:always,issuer:always
  nsCertType              = server
  keyUsage                = digitalSignature, keyEncipherment
  issuerAltName           = URI:${CA_CRT_URL}
  crlDistributionPoints   = URI:${CA_CRL_URL}

[ cert_client ]
  basicConstraints        = CA:FALSE
  subjectKeyIdentifier    = hash
  authorityKeyIdentifier  = keyid:always,issuer:always
  nsCertType              = client, email
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  issuerAltName           = URI:${CA_CRT_URL}
  crlDistributionPoints   = URI:${CA_CRL_URL}

[ crl_ext ]
  #issuerAltName           = issuer:copy
  authorityKeyIdentifier  = keyid:always,issuer:always

EOF
# openssl.req.conf: used by "openssl req" for key/CSR creation and for the
# self-signed CA certificate. Sections, in the order written below:
#   req         - default_bits = 1024 and default_md = sha1 apply to every
#                 key and CSR made from this file; both are below today's
#                 minimums (2048-bit RSA, sha256). x509_extensions = v3_plain
#                 is the default for "req -x509" and marks the result
#                 CA:true; the CA certificate itself is created further down
#                 with an explicit -extensions v3_self_ca.
#   req_distinguished_name - prompt texts and defaults. commonName is the
#                 only field without a default and must be typed in.
#   req_attributes - challengePassword / unstructuredName prompts; these are
#                 CSR attributes, nothing on this page reads them.
#   v3_plain    - default CSR/x509 extensions (see note on CA:true above).
#   v3_self_ca  - extensions of the self-signed CA certificate: keyUsage
#                 limited to cRLSign/keyCertSign, CRL and Netscape URLs
#                 taken from the CA_*_URL variables.
# The heredoc is unquoted: the URL variables expand now, OpenSSL's $ENV
# references are escaped so they reach the file.
cat > openssl.req.conf <<EOF
RANDFILE    = \$ENV::HOME/.rnd
oid_file    = \$ENV::HOME/.oid
oid_section = new_oids

[ new_oids ]

[ req ]
  default_bits            = 1024
  distinguished_name      = req_distinguished_name
  attributes              = req_attributes
  default_md              = sha1
  x509_extensions         = v3_plain
  string_mask             = nombstr

[ req_distinguished_name ]
  countryName                     = Country Name (2 letter code)
  countryName_default             = JP
  countryName_min                 = 2
  countryName_max                 = 2
  stateOrProvinceName             = State or Province Name (full name)
  stateOrProvinceName_default     = Hyogo
  localityName                    = Locality Name (eg, city)
  localityName_default            = Kawanishi
  0.organizationName              = Organization Name (eg, company)
  0.organizationName_default      = tir.jp
  organizationalUnitName          = Organizational Unit Name (eg, section)
  organizationalUnitName_default  = ca
  commonName                      = Common Name (***IMPORTANT***)
  commonName_max                  = 64
  emailAddress                    = Email Address
  emailAddress_default            = yamada@tir.jp
  emailAddress_max                = 64

[ req_attributes ]
  challengePassword               = A challenge password
  challengePassword_min           = 4
  challengePassword_max           = 20
  unstructuredName                = An optional company name

[ v3_plain ]
  basicConstraints                = CA:true
  subjectKeyIdentifier            = hash
  authorityKeyIdentifier          = keyid:always,issuer:always

# use only create to self-signed certificate of CA
[ v3_self_ca ]
  basicConstraints                = CA:true
  subjectKeyIdentifier            = hash
  authorityKeyIdentifier          = keyid:always,issuer:always
  keyUsage                        = cRLSign, keyCertSign
  nsCertType                      = sslCA, emailCA
  issuerAltName                   = URI:${CA_CRT_URL}
  crlDistributionPoints           = URI:${CA_CRL_URL}
  nsBaseUrl                       = ${CA_URL}
  nsCaRevocationUrl               = ${CA_CRL_URL}
  nsRevocationUrl                 = ${CA_URL}
  nsRenewalUrl                    = ${CA_URL}
  nsCaPolicyUrl                   = ${CA_URL}

EOF
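# CA database expected by CA_default: empty index and a starting serial.
touch index.txt
echo '01' > serial
# Both config files were written above as openssl.*.conf; there is no plain
# "ca.conf" in this directory, so name the real files here.
chmod 644 openssl.ca.conf openssl.req.conf index.txt serial
mkdir -p certs crl newcerts private work
chmod 755 . certs crl newcerts
# private/ holds the CA key and the issued key+cert bundles, work/ the
# in-flight CSRs; neither is readable by other accounts.
chmod 700 private work
# CA key: passphrase-protected (-des3) and readable only by ca. 1024 bits is
# what the page used in 2005; current practice is 2048 or more.
openssl genrsa -des3 -out private/ca.key.pem 1024 \
  && chmod 400 private/ca.key.pem
# CSR for the CA itself, then self-sign it with the v3_self_ca profile for
# ten years. Config paths are given under CA_DIR instead of "~" so they do
# not depend on whose HOME is in effect.
openssl req \
  -config "${CA_DIR}/openssl.req.conf" \
  -new \
  -key private/ca.key.pem \
  -out work/ca.request.pem
openssl req \
  -config "${CA_DIR}/openssl.req.conf" \
  -extensions v3_self_ca \
  -x509 \
  -key private/ca.key.pem \
  -in work/ca.request.pem \
  -out ./ca.cert.pem \
  -days 3650
# Initial (empty) CRL. With default_crl_days = 7 this command has to be
# repeated weekly or the published CRL expires.
openssl ca \
  -config "${CA_DIR}/openssl.ca.conf" \
  -gencrl \
  -out ./ca.crl.pem
# Hash-named links so the directory can be used as a CApath.
ln -sf ca.cert.pem "$(openssl x509 -noout -hash < ca.cert.pem).0"
ln -sf ca.crl.pem "$(openssl crl -noout -hash < ca.crl.pem).r0"
rm work/ca.request.pem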
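# Generate the three wrapper scripts from one template; they differ only in
# the extension profile handed to "openssl ca". Each script takes a target
# name, creates an unencrypted RSA key, a CSR and a one-year certificate, and
# stores key+cert together as private/<name>.keycert.pem (mode 0400).
# The heredoc is unquoted on purpose: ${CA_DIR} and ${ext} are expanded now;
# everything escaped with a backslash is left for the generated script.
for spec in server:cert_server client:cert_client ca:cert_ca; do
  kind=${spec%%:*}
  ext=${spec#*:}
  cat > "${kind}_keycertgen.sh" <<EOF
#!/bin/sh
# Usage: \$0 target-name
# Issues a ${ext} certificate for target-name under ${CA_DIR}.
EXTENSIONS=${ext}
if [ -z "\$1" ]; then
  echo "usage : \$0 target-name" 1>&2
  exit 1
fi
# The name becomes a file name component under work/ and private/; refuse
# anything that could escape those directories.
case "\$1" in
  */*|.|..)
    echo "invalid target-name '\$1'" 1>&2
    exit 1
    ;;
esac
cd "${CA_DIR}" || exit 1
if [ -e "private/\$1.keycert.pem" ]; then
  echo "'private/\$1.keycert.pem' already exists!" 1>&2
  exit 1
fi
# Config files are addressed under CA_DIR rather than "~": the script is a+x
# and may be run by an account whose HOME is not the CA directory.
if openssl genrsa -out "work/\$1.key.pem" 1024 \\
  && chmod 400 "work/\$1.key.pem" \\
  && openssl req \\
    -config "${CA_DIR}/openssl.req.conf" \\
    -new \\
    -key "work/\$1.key.pem" \\
    -out "work/\$1.request.pem" \\
  && openssl ca \\
    -config "${CA_DIR}/openssl.ca.conf" \\
    -policy policy_anything \\
    -extensions "\${EXTENSIONS}" \\
    -out "work/\$1.cert.pem" \\
    -days 365 \\
    -infiles "work/\$1.request.pem" \\
  && cat "work/\$1.key.pem" "work/\$1.cert.pem" \\
    > "private/\$1.keycert.pem" \\
  && chmod 400 "private/\$1.keycert.pem"
then
  echo "'private/\$1.keycert.pem' created."
  rc=0
else
  echo "failed to create 'private/\$1.keycert.pem'" 1>&2
  rc=1
fi
# The intermediate files in work/ are removed on every path; the exit status
# reports whether the bundle was created.
rm -f "work/\$1.key.pem" "work/\$1.request.pem" "work/\$1.cert.pem"
exit \$rc
EOF
  chmod a+x "${kind}_keycertgen.sh"
done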

2005/01/29 02:26:26 JST

以下の作業を行った。内容については後述。

# Directories for the SSL-enabled squid. /certkeys holds the TLS key material
# and is locked down to root; /var/lib/squid-ssl keeps the umask default.
mkdir -p /var/lib/squid-ssl /certkeys
chmod -R 700 /certkeys
# rc.squid and squid.conf are taken from a user's home directory: whoever can
# write there controls how squid starts and what it proxies, so that tree
# must be owned by the administrator and must not be group/world writable.
cp /home/nekoie/nekoie/misc/squid/rc.squid /etc/rc.d
# Replace the existing squid line in rc.local with a guarded source of
# rc.squid. This only runs if rc.local mentions squid at all; otherwise
# nothing is added. In the ed script, "%g/squid/" with no command appears to
# print each match and leave the last one current, and the following "c"
# replaces just that line — with several matches only the last is rewritten.
# Verify by reading rc.local afterwards.
grep squid /etc/rc.d/rc.local && ed /etc/rc.d/rc.local <<'EOP'
%g/squid/
c
if [ -x /etc/rc.d/rc.squid ]; then
  . /etc/rc.d/rc.squid
fi
.
w
q
EOP
# Point squid at the maintained config and the redirector script, then
# restart it through rc.squid.
rm -f /var/lib/squid/squid.conf
ln -sf /home/nekoie/nekoie/misc/squid/squid.conf \
  /var/lib/squid/squid.conf
ln -sf /home/nekoie/nekoie/misc/squid/goshredir.scm \
  /var/lib/squid/goshredir.scm
/etc/rc.d/rc.squid -k shutdown
/etc/rc.d/rc.squid

2005/01/27 04:49:59 JST

2005/01/24 03:15:24 JST

2005/01/23 20:30:21 JST

  1. tcpcgiグループ作成
    # Shared group for all tcpcgi service accounts (gid 93; the run script
    # below passes the same value to tcpserver -g).
    groupadd -g 93 tcpcgi
    
  2. e.tir.jp用アカウント作成
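    TARGET=e_tir_jp PORT=40000
    # One account per service: uid = internal port (the run script passes
    # the same value to tcpserver -u), no shell, home = service directory.
    useradd -u "$PORT" -g tcpcgi -d "/daemon/tcpcgi-$TARGET" \
    -s /bin/false -c 'service_for_tcpcgi' "$TARGET"
    mkdir -p "/daemon/tcpcgi-$TARGET"
    # user:group with ":" (consistent with the logger:logger chown below).
    chown "$TARGET:tcpcgi" "/daemon/tcpcgi-$TARGET"
    # rwxr-xr-x plus setgid and sticky bits on the service directory.
    chmod 3755 "/daemon/tcpcgi-$TARGET"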
    
  3. daemontools用設定設置
    # Log directory owned by the logger account (multilog runs as "logger").
    mkdir -p /var/log/tcpcgi-$TARGET
    chown logger:logger /var/log/tcpcgi-$TARGET
    mkdir -p /daemon/tcpcgi-$TARGET/{log,src}
    # daemontools run script. Unquoted heredoc: $PORT and $TARGET expand now,
    # "\$PATH" stays literal, and the backslash-newlines are joined so the
    # exec lands in the file as one line. tcpserver binds 127.0.0.1 only,
    # skips DNS/ident lookups (-H -R), caps connections at 32 (-c32) and
    # runs gosh under the service uid/gid (-u/-g).
    cat > /daemon/tcpcgi-$TARGET/run <<EOF
    #!/bin/sh
    cd src
    exec 2>&1
    exec /usr/bin/env - PATH="\$PATH" \
    /usr/local/bin/tcpserver \
    -v -c32 -u$PORT -g93 -H -R \
    -l127.0.0.1 127.0.0.1 $PORT \
    /usr/local/gauche/bin/gosh $TARGET.scm
    EOF
    # Logger: runs as "logger"; multilog timestamps (t), rotates at 16 MiB
    # (s16777215) and keeps 32 files (n32) in the log directory above.
    cat > /daemon/tcpcgi-$TARGET/log/run <<EOF
    #!/bin/sh
    exec setuidgid logger multilog t s16777215 n32 /var/log/tcpcgi-$TARGET
    EOF
    chmod a+x /daemon/tcpcgi-$TARGET/run \
    /daemon/tcpcgi-$TARGET/log/run
    
  4. 仮の実行スクリプト設置
    # Placeholder service script (quoted heredoc, nothing expands). Its only
    # route "/" serves /proc/cpuinfo; server address, port and name are
    # hard-coded while the client side comes from tcpserver's TCPREMOTE*
    # environment. cpuinfo is host-information disclosure, so replace this
    # before anything other than the local reverse proxy can reach port 40000.
    cat > /daemon/tcpcgi-$TARGET/src/$TARGET.scm <<'EOF'
    #!/usr/bin/env gosh
    (use tcpcgi)
    (define *tcpcgi*
      (make <tcpcgi>
        :path-dispatch `(("/" "/proc/cpuinfo")
                         )
        :request-timeout 5
        :response-timeout 60
        :keepalive-timeout 300
        :use-server-header #t
        ))
    (define (main args)
      (tcpcgi-main
        *tcpcgi*
        "210.224.176.52" ; SERVER_ADDR
        "80" ; SERVER_PORT
        "e.tir.jp" ; SERVER_NAME
        (sys-getenv "TCPREMOTEIP") ; REMOTE_ADDR
        (sys-getenv "TCPREMOTEPORT") ; REMOTE_PORT
        (sys-getenv "TCPREMOTEHOST") ; REMOTE_HOST
        #f ; HTTPS flag
        ))
    EOF
    chmod a+x /daemon/tcpcgi-$TARGET/src/$TARGET.scm
    # The service account owns src/ so it can be updated without root.
    chown -R $TARGET.tcpcgi /daemon/tcpcgi-$TARGET/src
    
  5. サービス開始
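    # Linking into /service is what makes svscan pick the service up.
    ln -sf "/daemon/tcpcgi-$TARGET" /service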
    

2005/01/15 15:13:27 JST

2005/01/14 16:05:18 JST

s.tir.jpでも分かりにくい気がしたので、sakura.tir.jpに更に移転。

2005/01/14 15:44:08 JST

このWiLiKiを設置していたn.tir.jpはNサーバと紛らわしいので、s.tir.jpに移転させた。

元のn.tir.jpにはリダイレクタを設置。

2005/01/14 10:28:58 JST

前に設置したtcpcgiのサービスをsquidから呼び出してみる設定の練習を行ってみた。

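# Run a second squid instance (gs-alpha) from its own config; everything
# below is done as root.
su -
mkdir -p /var/lib/squid/gs-alpha/logs
# Config copied from a user's home; once copied it is owned by squid and no
# longer changes when the home copy does.
cp ~nekoie/squid.conf /var/lib/squid/gs-alpha
# user:group with ":" (the page's other entries use "logger:logger").
chown -R squid:squid /var/lib/squid/gs-alpha
# -z creates the cache directories, then start for real.
/usr/local/squid/sbin/squid -f /var/lib/squid/gs-alpha/squid.conf -z
/usr/local/squid/sbin/squid -f /var/lib/squid/gs-alpha/squid.conf
# Start it at boot by appending the same command to rc.local.
echo /usr/local/squid/sbin/squid -f /var/lib/squid/gs-alpha/squid.conf \
>> /etc/rc.d/rc.local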

やっぱりdaemontools経由での起動はしない事にした(主な理由は、アップデート時にややっこしくなる為)。

2005/01/13 10:45:34 JST

練習として、Cにてtcpcgiを使ったサービスの設置を行う。

  1. 最初に、tcpcgi用のアカウントのグループを作成する事にした。
    # Shared group for all tcpcgi service accounts (gid 93; the run script
    # below passes the same value to tcpserver -g).
    groupadd -g 93 tcpcgi
    
  2. サービス名と、内部で使用するport番号を決める。
  3. サービスのアカウントを作成する。
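    TARGET=gs_alpha PORT=40000
    # One account per service: uid = internal port, no shell, home = service
    # directory.
    useradd -u "$PORT" -g tcpcgi -d "/daemon/tcpcgi-$TARGET" \
    -s /bin/false -c 'service_for_tcpcgi' "$TARGET"
    mkdir -p "/daemon/tcpcgi-$TARGET"
    # user:group with ":" (consistent with the logger:logger chown below).
    chown "$TARGET:tcpcgi" "/daemon/tcpcgi-$TARGET"
    # rwxr-xr-x plus setgid and sticky bits on the service directory.
    chmod 3755 "/daemon/tcpcgi-$TARGET"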
    
    uid, gidは基本的にport番号と同じにする事にした。
  4. /daemon内に、daemontools経由でtcpserverを起動し、multilogでロギングするようにする。
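    # Log directory owned by the logger account; log/main inside the service
    # directory links to it so multilog can write to "./main".
    mkdir -p /var/log/tcpcgi-$TARGET
    chown logger:logger /var/log/tcpcgi-$TARGET
    mkdir -p /daemon/tcpcgi-$TARGET/log
    ln -sf /var/log/tcpcgi-$TARGET /daemon/tcpcgi-$TARGET/log/main
    # daemontools run script. Unquoted heredoc: $PORT and $TARGET expand now,
    # "\$PATH" stays literal, and the backslash-newlines are joined so the
    # exec lands in the file as one line. tcpserver binds 127.0.0.1 only,
    # skips DNS/ident lookups (-H -R), caps connections at 32 (-c32) and
    # runs gosh under the service uid/gid. The uid is taken from $PORT
    # instead of being spelled out, because the account was created with
    # "useradd -u $PORT" and the two must not drift apart.
    cat > /daemon/tcpcgi-$TARGET/run <<EOF
    #!/bin/sh
    cd src
    exec 2>&1
    exec /usr/bin/env - PATH="\$PATH" \
    /usr/local/bin/tcpserver \
    -v -c32 -u$PORT -g93 -H -R \
    -l127.0.0.1 127.0.0.1 $PORT \
    /usr/local/bin/gosh $TARGET.scm
    EOF
    # Logger: runs as "logger"; multilog timestamps (t), rotates at 16 MiB
    # (s16777215) and keeps 32 files (n32) under ./main.
    cat > /daemon/tcpcgi-$TARGET/log/run <<EOF
    #!/bin/sh
    exec setuidgid logger multilog t s16777215 n32 ./main
    EOF
    chmod a+x /daemon/tcpcgi-$TARGET/run \
    /daemon/tcpcgi-$TARGET/log/run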
    
  5. /daemon/tcpcgi-gs_alpha/srcに、gs_alpha.scmとそのモジュールを用意。
  6. サービス開始。
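    # Linking into /service is what makes svscan pick the service up.
    ln -sf "/daemon/tcpcgi-$TARGET" /service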
    
  7. ncで動作確認してみる。
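    # Smoke test against the loopback listener. printf instead of "echo -ne":
    # echo's -e/-n handling differs between shells, printf's escapes do not.
    printf 'GET /cpuinfo HTTP/1.0\r\n\r\n' | nc localhost 40000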
    
  8. あとは、適当に80番でreverse-proxyとしてsquidを動かすだけ。
  9. また、/daemon/tcpcgi-gs_alpha/src配下を楽に更新できるようにもしておく事。

2005/01/11 09:26:11 JST




最終更新 : 2005/01/30 11:06:10 JST