How to Enable HTTPS for Varnish Cache using Hitch on CentOS/RHEL 8


Varnish Cache has no native support for SSL/TLS or the other protocols associated with port 443. If you are using Varnish Cache to boost the performance of your web application, you need to install and configure another piece of software, an SSL/TLS termination proxy, to work alongside Varnish Cache in order to enable HTTPS.

Hitch is a free, open-source, libev-based, scalable SSL/TLS proxy designed for Varnish Cache, which currently runs on Linux, OpenBSD, FreeBSD, and MacOS X. It terminates TLS/SSL connections by listening on port 443 (the default port for HTTPS connections) and forwards the unencrypted traffic to Varnish Cache; it should, however, work with other backends as well.

It supports TLS 1.2 and TLS 1.3 as well as legacy TLS 1.0/1.1, supports ALPN (Application-Layer Protocol Negotiation) and NPN (Next Protocol Negotiation) for HTTP/2, the PROXY protocol for signaling the client IP/port to a backend, UNIX domain socket connections to the origin, and SNI (Server Name Indication), with and without wildcard certificates. In addition, it works well for large installations that require up to 15,000 listening sockets and 500,000 certificates.

As a continuation of our two previous articles on installing Varnish Cache for the Nginx and Apache HTTP servers, this guide shows how to enable HTTPS for Varnish Cache using the Hitch TLS proxy on CentOS/RHEL 8.

This guide assumes that you have already installed Varnish for the Nginx or Apache web server; otherwise, see:

  • How to Install Varnish Cache 6 for Nginx Web Server on CentOS/RHEL 8
  • How to Install Varnish Cache 6 for Apache Web Server on CentOS/RHEL 8

Step 1: Install Hitch on CentOS/RHEL 8

1. The Hitch package is provided in the EPEL (Extra Packages for Enterprise Linux) repository. To install it, first enable EPEL on your system and then install the package. If you do not have the OpenSSL package installed, install it as well.

# dnf install epel-release
# dnf install hitch openssl

2. Once the package installation is complete, you will have to configure Varnish Cache to work with Hitch. You also need to configure Hitch to use your SSL/TLS certificates and Varnish as a backend. Hitch's main configuration file is located at /etc/hitch/hitch.conf, which is explained below.

Step 2: Configuring Varnish Cache for Hitch

3. Next, enable Varnish to listen on an additional port (8443 in our case) using its PROXY protocol support, for communication with Hitch.

So open the Varnish systemd service file for editing.

# systemctl edit --full varnish

Look for the ExecStart line and add an additional -a flag with the value 127.0.0.1:8443,proxy. Using the value 127.0.0.1:8443 means that Varnish will only accept internal connections (from processes running on the same server, i.e. hitch in this case) but not external connections.

ExecStart=/usr/sbin/varnishd -a :80 -a 127.0.0.1:8443,proxy -f /etc/varnish/default.vcl -s malloc,256m

Save the file, then restart the Varnish service to apply the recent changes.

# systemctl restart varnish
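The point of binding the PROXY-protocol listener to 127.0.0.1 is that only Hitch on the same host can reach it. As an added example (not part of the original article), the shell functions below parse an `ss -ltn` listing and report whether a given port is bound to loopback only; both listings in the block are constructed samples, and on a real host you would pass in the output of `ss -ltn` instead.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the PROXY-protocol
# listener given to Varnish (127.0.0.1:8443,proxy) is bound to loopback only.
# SAMPLE_SS and SAMPLE_SS_EXPOSED are constructed `ss -ltn` listings, not captured.

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    127.0.0.1:8443      0.0.0.0:*
LISTEN 0      128    [::]:80             [::]:*
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*'

# Same host, but with the proxy port mistakenly bound to every interface.
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    *:8443              *:*'

# listeners_on LISTING PORT: print the local address of every listener on PORT.
listeners_on() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "LISTEN" {
            addr = $4; port = $4
            sub(/:[0-9]+$/, "", addr)   # drop the trailing ":port" (keeps [::1] intact)
            sub(/.*:/, "", port)        # keep only what follows the last ":"
            if (port == p) print addr
        }'
}

# port_loopback_only LISTING PORT: exit 0 when every listener on PORT is bound to
# 127.0.0.1 or [::1]; otherwise name the exposed address and exit 1.
port_loopback_only() {
    rc=0
    for addr in $(listeners_on "$1" "$2"); do
        case "$addr" in
            127.0.0.1|"[::1]") ;;
            *) echo "port $2 is reachable on $addr, not loopback only"; rc=1 ;;
        esac
    done
    return $rc
}

# On the real host: port_loopback_only "$(ss -ltn)" 8443
port_loopback_only "$SAMPLE_SS" 8443 && echo "8443 is loopback only"
```

Port 80 and 443 are expected to fail this check (they must be public); the check is only meaningful for the port Hitch forwards to, since anything that reaches it directly bypasses TLS termination entirely.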

Step 3: Obtaining SSL/TLS Certificates

4. In this section, we will explain how to create an SSL/TLS certificate bundle to be used by Hitch. For this guide, we will cover the different options: a self-signed certificate, a commercial certificate, or one from Let's Encrypt.

To create a self-signed certificate (which should only be used in a local testing environment), you can use the OpenSSL tool.

# mkdir /etc/ssl/tecmint.lan
# cd /etc/ssl/tecmint.lan/
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tecmint.lan.key -out tecmint.lan.crt

Then create a bundle of the certificate and key as follows.

# cat tecmint.lan.crt tecmint.lan.key > tecmint.pem

Note: For production use, you can buy a certificate from a commercial Certificate Authority (CA) or get a free, automated, and fully recognized certificate from Let's Encrypt. Then create a PEM bundle.

If you bought a certificate from a commercial CA, you need to merge the private key, the certificate, and the CA bundle as shown.

# cat example.com.key example.com.crt example.com-ca-bundle.crt > /etc/ssl/example.com.pem

For Let's Encrypt, the certificate, private key, and full chain will be stored under /etc/letsencrypt/live/example.com/, so create the bundle as shown.

# cat /etc/letsencrypt/live/example.com/fullchain.pem /etc/letsencrypt/live/example.com/privkey.pem >/etc/letsencrypt/live/example.com/example.com_bundle.pem
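Whichever source the certificate comes from, the bundle ends up holding the private key next to the certificate chain, so it is worth checking its contents and its permissions before Hitch is pointed at it. The following shell script is an added example, not part of the original article: build_bundle() concatenates the files the way the cat commands above do but creates the result owner-readable only, and check_bundle() confirms that the result contains exactly one private key, at least one certificate, no truncated PEM block, and no group/other permissions. The demo files it writes contain placeholder text, not real key material; file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: assemble the PEM bundle that Hitch
# reads via pem-file and sanity-check it before restarting the service.
# The demo files are constructed placeholders, not real keys or certificates.

# build_bundle OUT FILE...: concatenate key, certificate and chain into OUT.
# The bundle contains the private key, so it is created owner-readable only.
build_bundle() {
    out=$1; shift
    ( umask 077; cat "$@" > "$out" )
    chmod 600 "$out"
}

# count_blocks FILE LABEL: number of "-----BEGIN LABEL-----" lines (0 when none).
count_blocks() {
    grep -c -- "-----BEGIN $2-----" "$1" || true
}

# check_bundle FILE: exit 0 when FILE has exactly one private key, at least one
# certificate, matching BEGIN/END counts, and no group/other permission bits;
# otherwise print each problem and exit 1.
check_bundle() {
    f=$1
    [ -f "$f" ] || { echo "check_bundle: $f: no such file"; return 1; }
    keys=$(count_blocks "$f" '.*PRIVATE KEY')
    certs=$(count_blocks "$f" 'CERTIFICATE')
    begins=$(grep -c -- '^-----BEGIN ' "$f" || true)
    ends=$(grep -c -- '^-----END ' "$f" || true)
    perms=$(ls -ld "$f" | cut -c5-10)      # group+other rwx columns of ls -l
    rc=0
    [ "$keys" -eq 1 ]         || { echo "check_bundle: expected 1 private key, found $keys"; rc=1; }
    [ "$certs" -ge 1 ]        || { echo "check_bundle: no certificate block"; rc=1; }
    [ "$begins" -eq "$ends" ] || { echo "check_bundle: BEGIN/END mismatch (truncated file?)"; rc=1; }
    [ "$perms" = "------" ]   || { echo "check_bundle: mode too open (group/other: $perms)"; rc=1; }
    return $rc
}

# Demo with constructed placeholder files in a temporary directory.
demo_bundle() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$dir/example.com.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$dir/example.com.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$dir/example.com-ca-bundle.crt"
    build_bundle "$dir/example.com.pem" "$dir/example.com.key" "$dir/example.com.crt" "$dir/example.com-ca-bundle.crt"
    check_bundle "$dir/example.com.pem" && echo "bundle OK: $(count_blocks "$dir/example.com.pem" CERTIFICATE) certificate(s)"
    rm -rf "$dir"
}

demo_bundle
```

On a real server you would call check_bundle on /etc/ssl/example.com.pem (or the tecmint.pem / example.com_bundle.pem paths above) after running cat; the permission check matters because the Let's Encrypt live directory and /etc/ssl are often readable more widely than the private key should be.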

Step 4: Configuring and Starting Hitch

5. Next, configure Varnish as the backend for Hitch and specify the SSL/TLS certificate file to use for HTTPS in Hitch's main configuration file; open it for editing.

# vi /etc/hitch/hitch.conf

The frontend section defines the IP addresses and port Hitch will listen on. The default configuration is to listen on all IPv4 and IPv6 interfaces attached to the server on port 443, handle incoming HTTPS requests, and hand them to Varnish.

Change the default proxy port from 6086 to 8443 (the port used to forward requests to Varnish) in the Hitch configuration file, using the backend parameter. Also, specify the certificate file using the pem-file parameter as shown.

backend = "[127.0.0.1]:8443"
#pem-dir = "/etc/pki/tls/private"
pem-file = "/etc/ssl/tecmint.lan/tecmint.pem"

Save the file and close it.

6. Now start the hitch service and enable it to start automatically at system boot. Note that the --now switch, when used with enable, starts the systemd service as well. Then check the status to see whether it is up and running, as follows.

# systemctl enable --now hitch
# systemctl status hitch

7. Before you proceed to test whether your website/application is now running on HTTPS, you need to allow the HTTPS service port 443 in the firewall so that requests destined for that port on the server can pass through the firewall.

# firewall-cmd --zone=public --permanent --add-service=https
# firewall-cmd --reload

Step 5: Testing SSL/TLS Termination with the Varnish Cache-Hitch Setup

8. It's time to test the Varnish Cache-Hitch setup. Open a web browser and use your domain or server IP to browse over HTTPS.

https://www.example.com
OR
https://SERVER_IP/

Once your web application's index page has loaded, check the HTTP headers to confirm that the content is being served via Varnish Cache.

To do this, right-click on the loaded web page and select Inspect from the list of options to open the developer tools. Then click on the Network tab, reload the page, and select a request to view its HTTP headers, as highlighted in the following screenshot.

Step 6: Redirecting HTTP to HTTPS in Varnish Cache

9. To run your website over HTTPS only, you need to redirect all HTTP traffic to HTTPS. You can do this by adding the following configuration to your Varnish VCL file (the file named by the -f flag on the ExecStart line above).

# vi /etc/varnish/default.vcl

First, add the line import std; just below vcl 4.0;, then look for the vcl_recv subroutine, which is the first VCL subroutine executed immediately after Varnish Cache has parsed the client request into its basic data structure. It is where we can modify the request headers and execute a synth to redirect client requests.

Modify it to look like this.

sub vcl_recv {
    if (std.port(server.ip) != 443) {
        set req.http.location = "https://" + req.http.host + req.url;
        return(synth(301));
    }
}

Note that the PROXY protocol lets Varnish see Hitch's listening port 443 through the server.ip variable. Therefore the expression std.port(server.ip) returns the port number on which the client connection was received.

If the port is not 443 for HTTPS (as checked by std.port(server.ip) != 443), the subroutine sets the request's HTTP Location header (set req.http.location) to the secure URL ("https://" + req.http.host + req.url), which simply asks the web browser to load the HTTPS version of the web page (i.e. URL redirection).

The Location header is then passed on to the vcl_synth subroutine (which is invoked via return(synth(301))) together with the HTTP status code 301 (Moved Permanently).

10. Next, add the following vcl_synth subroutine (one of its many use cases is redirecting users) to process the synth above.

sub vcl_synth {
    if (resp.status == 301) {
        set resp.http.location = req.http.location;
        set resp.status = 301;
        return (deliver);
    }
}

It checks whether the response status is 301; if so, it sets the HTTP Location header of the response to the HTTP Location header of the request, which is in fact the redirect to HTTPS, and performs a deliver action.

The deliver action builds a response from the backend's response, stores the response in the cache, and sends it to the client.

Save the file and close it.

11. Once again, apply the recent changes to the Varnish configuration by restarting the service. Then use the curl command-line tool to confirm the redirect from HTTP to HTTPS.

# systemctl restart varnish
# curl -I http://example.com/

From a browser, the response is the same, as shown in the following screenshot.

We hope that everything has worked fine up to this point. If not, drop a comment or questions via the feedback form below. For any advanced configuration options, go to the Hitch documentation.
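The two checks in this guide, confirming from the headers that Varnish served the page (step 8) and confirming the HTTP to HTTPS redirect with curl (step 11), can be scripted so they run after every configuration change. The shell functions below are an added example, not part of the original article: they parse response headers in the form printed by curl -I, verify a 301 whose Location points at the HTTPS version of the same host, and look for the Via/X-Varnish headers that Varnish adds to responses it handles. The two header samples are constructed; check_live() fetches the real headers with curl (assumed installed) for a host you name.

```shell
#!/bin/sh
# Added example, not part of the original article: check `curl -I` style response
# headers for (a) the HTTP->HTTPS 301 redirect and (b) evidence that the response
# passed through Varnish. SAMPLE_HTTP and SAMPLE_HTTPS are constructed, not captured.

SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/
Via: 1.1 varnish (Varnish/6.0)
X-Varnish: 32770
Content-Length: 0'

SAMPLE_HTTPS='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Via: 1.1 varnish (Varnish/6.0)
X-Varnish: 32771 5
Age: 12'

# parse_status HEADERS: print the three-digit status code from the status line.
parse_status() {
    printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# header_value HEADERS NAME: print the value of the first NAME header (case-insensitive).
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# check_redirect HEADERS HOST: exit 0 when HEADERS is a 301 whose Location begins
# with https://HOST/; otherwise explain and exit 1.
check_redirect() {
    status=$(parse_status "$1")
    location=$(header_value "$1" Location)
    [ "$status" = "301" ] || { echo "expected 301, got ${status:-no status line}"; return 1; }
    case "$location" in
        "https://$2/"*) return 0 ;;
        *) echo "Location '$location' does not point at https://$2/"; return 1 ;;
    esac
}

# served_by_varnish HEADERS: exit 0 when a Via header names varnish or an X-Varnish
# header is present, i.e. the response came through Varnish rather than straight
# from the origin web server.
served_by_varnish() {
    case "$(header_value "$1" Via)" in
        *[Vv]arnish*) return 0 ;;
    esac
    [ -n "$(header_value "$1" X-Varnish)" ]
}

# check_live HOST: fetch the real headers with curl and run both checks.
check_live() {
    http=$(curl -sSI --max-time 10 "http://$1/") || return 1
    https=$(curl -sSI --max-time 10 "https://$1/") || return 1
    check_redirect "$http" "$1" && served_by_varnish "$https" \
        && echo "$1: HTTP redirects to HTTPS and responses carry Varnish headers"
}

# Run the checks against the constructed samples; for a real host use: check_live www.example.com
check_redirect "$SAMPLE_HTTP" www.example.com && echo "sample: redirect OK"
served_by_varnish "$SAMPLE_HTTPS" && echo "sample: served via Varnish"
```

If check_redirect reports a status other than 301, the most common cause is that the vcl_recv change was saved to the wrong file or Varnish was not restarted; if served_by_varnish fails on the HTTPS response, Hitch is likely forwarding to something other than the 127.0.0.1:8443 PROXY listener.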