#---------------------------------------
# LOCATION リバースプロキシ
#---------------------------------------
# vi /etc/httpd/conf.d/wsgi.conf
<Proxy *>
Require all granted
#Order Deny,Allow
#Deny from all
#Allow from 192.168.25.146
</Proxy>
ProxyRequests Off
ProxyPreserveHost On
<Location /office>
proxyPass http://192.168.25.146:80/office/ keepalive=On
ProxyPassReverse http://192.168.25.146:80/office/
</Location>
#----------------------------------
# VirtualHost ( 仮想ホスト )
#----------------------------------
インターフェースに複数IPを割り当てる
VLAN=global_network
VLAN_IP_1=192.168.1.241/24
VLAN_IP_1=192.168.1.242/24
VLAN_IP_1=192.168.1.243/24
VLAN_IP_1=192.168.1.244/24
VLAN_GW=192.168.1.1
nmcli c delete $VLAN
nmcli c add type ethernet ifname $DEVICE con-name "$VLAN"
nmcli c mod $VLAN ipv4.addresses $VLAN_IP_1
nmcli c mod $VLAN +ipv4.addresses $VLAN_IP_2
nmcli c mod $VLAN +ipv4.addresses $VLAN_IP_3
nmcli c mod $VLAN +ipv4.addresses $VLAN_IP_4
nmcli c mod $VLAN ipv4.method manual
nmcli c mod $VLAN connection.autoconnect yes
nmcli c mod $VLAN ipv4.gateway $VLAN_GW
nmcli c up $VLAN
# vi /etc/httpd/conf.d/httpd-vhost.conf
#-------------------------------------------
# Link Server
#-------------------------------------------
<VirtualHost *:80>
ServerName link.mydomain.example
RewriteEngine on
RewriteRule (.*)?$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</VirtualHost>
ServerName link.mydomain.example
<Proxy *>
Require all granted
</Proxy>
ProxyRequests Off
ProxyPreserveHost On
# LogLevel warn
# TransferLog logs/ssl_access_log
ProxyPass / http://10.0.1.101:80/ keepalive=On
ProxyPassReverse / http://10.0.1.101:80/
RequestHeader set X-Forwarded-Proto "https"
SSLEngine on
# SSLv2、SSLv3, TLS1.0 TLS1.1を無効化する
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDSA+AESGCM
# SSLCipherSuite PROFILE=SYSTEM
SSLHonorCipherOrder Off
SSLCertificateFile /etc/ssl/certs/ssl-cert-link.crt
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-link.key
</VirtualHost>
# cd /etc/ssl
# ln -s ../pki/tls/private private
# apachectl configtest
# firewall-cmd --add-service=https --permanent
# firewall-cmd --reload
※ 下記は、httpdを起動すると勝手につくられる。
/etc/pki/tls/certs/localhost.crt/etc/pki/tls/private/localhost.key
※ ssl.conf内の<VirtualHost _default_:443>は、マッチしなかった場合のデフォルト
※ ssl.conf内の<VirtualHost _default_:443>は、マッチしなかった場合のデフォルト
【自己証明書】
# cd ~/Cert
# openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021
# openssl genrsa -out ssl-cert-link.key 2048
# openssl req -new -key ssl-cert-link.key -out ssl-cert-link.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:link.mydomain.example
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl x509 -days 3650 -req -signkey ssl-cert-link.key -in ssl-cert-link.csr -out ssl-cert-link.crt
# cp ssl-cert-link.crt /etc/ssl/certs/
# cp ssl-cert-link.key /etc/ssl/private/
# openssl req -noout -text -in ssl-cert-link.csr
# openssl x509 -text -fingerprint -noout -in ssl-cert-service.crt
# openssl x509 -text -fingerprint -noout -in ssl-cert-service.crt
URL: https://link.mydomain.example/test
URL: https://service.mydomain.example/test
URL: https://office.mydomain.example/test
※ key : RSA PRIVATE KEY(鍵)
csr: CERTIFICATE REQUES(証明書の署名リクエスト)
crt: CERTIFICATE( サーバ証明書)
csr: CERTIFICATE REQUES(証明書の署名リクエスト)
crt: CERTIFICATE( サーバ証明書)
pem: BEGIN/END行で挟んだ書式(入れ物)
0 件のコメント:
コメントを投稿