How we at ZeroTech paired Apple Safari and client certificates with websockets

This article will be useful to those who:

  • know what a Client Cert is and understand why websockets in mobile Safari need it;
  • want to publish web services to a limited circle of people, or only to themselves;
  • think that somebody has already done all of this and want to make the world a little more convenient and secure.

The history of websockets began about 8 years ago. Before that, channels were implemented through long-lived http requests (essentially a held-back response): the user's browser sent a request to the server and waited for it to answer something; after the answer it reconnected and waited again. But then websockets appeared.


A few years ago we wrote our own implementation in pure PHP, which could not use https requests, since that sits at the connection level. Not long ago, almost all web servers learned to proxy requests over https with Connection: upgrade.

Once that happened, websockets became practically the default service for SPA applications, because it is so convenient to deliver content to the user on the server's initiative (a message from another user, or a fresh version of an image, document or presentation that somebody is editing right now).

Although Client Certificates have been around for quite some time, they are still poorly supported, because they create many problems when somebody tries to work around them. And (possibly :slightly_smiling_face:) that is why iOS browsers (all except Safari) do not want to use them and do not request them from the local certificate store. Certificates have many advantages compared to login/password, ssh keys, or closing the necessary ports with a firewall. But that is not the point here.

On iOS, the procedure for installing a certificate is quite simple (with its own specifics), but in general it is done according to instructions, of which there are many on the Internet and which only work for the Safari browser. Unfortunately, Safari does not know how to use a Client Cert for websockets; there are many instructions on the Internet on how to create such a certificate, but in practice this does not work.


To get to grips with websockets we used the following scheme: problem / hypotheses / solution.

Problem: there is no websocket support when proxying requests to resources protected by a client certificate in the mobile Safari browser on iOS and in other applications that have added certificate support.

Hypotheses:

  1. It is possible to configure an exception from certificate use (knowing that there is none) for the websockets of internal/external resources.
  2. For websockets, a dedicated, secure and protected connection can be made using temporary sessions created during an ordinary (non-websocket) browser request.
  3. Temporary sessions can be implemented with a single proxy web server (built-in modules and functions only).
  4. Temporary session tokens are already implemented as ready-made Apache modules.
  5. Temporary session tokens can be implemented by sensibly designing the interaction scheme.

Observable state after implementation.

Goal of the work: management of services and infrastructure should be reachable from a mobile phone on iOS without additional programs (such as a VPN), in a unified and secure way.

Additional goal: save time and resources / phone traffic (some services without websockets generate unnecessary requests) with fast content delivery over mobile Internet.

How to check?

1. Open the pages:

— for example, https://teamcity.yourdomain.com in mobile Safari (also available in the desktop version): results in a successful websocket connection.
— for example, https://teamcity.yourdomain.com/admin/admin.html?item=diagnostics&tab=webS…: shows ping/pong.
— for example, https://rancher.yourdomain.com/p/c-84bnv:p-vkszd/workload/deployment:danidb:ph… -> viewlogs: shows the container logs.

2. Or in the developer console (screenshot in the original article).

Testing the hypotheses:

1. It is possible to configure an exception from certificate use (knowing that there is none) for the websockets of internal/external resources.

Two solutions were found here:

a) The honest way: change the access level per location.

<Location sock*> SSLVerifyClient optional </Location>
<Location /> SSLVerifyClient require </Location>

This approach has the following nuances:

  • Certificate verification happens after the request to the excluded resource, i.e. the handshake comes after the request. This means the proxy first loads the request and only then cuts it off from the protected service. That is bad, but not critical;
  • With the http2 protocol it is still at the draft stage, and browser vendors have not implemented it (see the note on TLS 1.3 post-handshake authentication over http2, which does not work now, and RFC 8740 "Using TLS 1.3 with HTTP/2");
  • It is not obvious how to make this work.

b) At the base level, allow ssl without a certificate.

SSLVerifyClient require => SSLVerifyClient optional, but this lowers the proxy server's security level, since such a connection will be processed without a certificate. However, you can additionally deny access to the proxied service with the following directives:

RewriteEngine        on
RewriteCond     %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
RewriteRule     .? - [F]
ErrorDocument 403 "You need a client side certificate issued by CAcert to access this site"

More details can be found in the article about ssl: Apache Client Certificate Authentication

Both options were tested; option "b" was chosen for its convenience and its compatibility with the http2 protocol.

To finish confirming this hypothesis, several experiments with the configuration were carried out; the following constructs were tested:

<If> = Require = RewriteRule

The result was the following base configuration:

SSLVerifyClient optional
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule     .? - [F]
#ErrorDocument 403 "You need a client side certificate issued by CAcert to access this site"

#websocket for safari without cert auth
<If "%{SSL:SSL_CLIENT_VERIFY} != 'SUCCESS'">
<If "%{HTTP:Upgrade} = 'websocket'">
...
    # replace authorization by certificate owner with authorization by protocol version
    # (the mod_ssl variable is SSL_PROTOCOL; the original text had a typo here)
    SSLUserName SSL_PROTOCOL
</If>
</If>

Because authorization by certificate owner already exists, but the certificate itself is missing, I had to supply a non-existent certificate owner in the form of one of the variables, SSL_PROTOCOL (instead of SSL_CLIENT_S_DN_CN); more details in the documentation:

Apache Module mod_ssl

2. For websockets, a dedicated, secure and protected connection can be made using temporary sessions created during an ordinary (non-websocket) browser request.

Based on the previous experience, an extra section has to be added to the configuration that prepares temporary tokens for the websocket connection during an ordinary (non-websocket) request.

# preparation: passing a Cookie to ourselves through the user's browser
<If "%{SSL:SSL_CLIENT_VERIFY} = 'SUCCESS'">
<If "%{HTTP:Upgrade} != 'websocket'">
Header set Set-Cookie "websocket-allowed=true; path=/; Max-Age=100"
</If>
</If>

# checking the Cookie to establish the websocket connection
<If "%{SSL:SSL_CLIENT_VERIFY} != 'SUCCESS'">
<If "%{HTTP:Upgrade} = 'websocket'">
# check that the cookie exists

# get and check
SetEnvIf Cookie "websocket-allowed=(.*)" env-var-name=$1

# or a rewrite rule
RewriteCond %{HTTP_COOKIE} !^.*mycookie.*$

# or an If (cookie-name / some-val are placeholders)
<If "%{HTTP_COOKIE} =~ /(^|; )cookie-name\s*=\s*some-val(;|$)/">
</If>

</If>
</If>

Testing showed that it works. It is possible to pass cookies to yourself through the user's browser.

3. Temporary sessions can be implemented with a single proxy web server (built-in modules and functions only).

As we found out earlier, Apache has a very large number of functions that allow you to build constructs. However, we need ways to protect our data while it sits in the user's browser, so we decided what to store and why, and which built-in functions to use:

  • We need a token that cannot be forged easily.
  • We need a token with built-in ageing and the ability to check its age on the server.
  • We need a token tied to the certificate owner.

This requires a hash function, a salt, and a date for token ageing. According to the Expressions in Apache HTTP Server documentation we have all of this out of the box: sha1 and %{TIME}.

The result was this sketch:

# no certificate, and a websocket request
<If "%{SSL:SSL_CLIENT_VERIFY} != 'SUCCESS'">
<If "%{HTTP:Upgrade} = 'websocket'">
    SetEnvIf Cookie "zt-cert-sha1=([^;]+)" zt-cert-sha1=$1
    SetEnvIf Cookie "zt-cert-uid=([^;]+)" zt-cert-uid=$1
    SetEnvIf Cookie "zt-cert-date=([^;]+)" zt-cert-date=$1

# this is the only way to work with the variables obtained in env at this moment; they are not available
# anywhere else to the hashing function (separately yes, but not together, and not with hashing)
    <RequireAll>
        Require expr %{sha1:salt1%{env:zt-cert-date}salt3%{env:zt-cert-uid}salt2} == %{env:zt-cert-sha1}
        Require expr %{env:zt-cert-sha1} =~ /^.{40}$/
    </RequireAll>
</If>
</If>

# certificate present, non-websocket request
<If "%{SSL:SSL_CLIENT_VERIFY} = 'SUCCESS'">
<If "%{HTTP:Upgrade} != 'websocket'">
    SetEnvIf Cookie "zt-cert-sha1=([^;]+)" HAVE_zt-cert-sha1=$1

    SetEnv zt_cert "path=/; HttpOnly;Secure;SameSite=Strict"
# new cookies are set only if there are no old ones
    Header add Set-Cookie "expr=zt-cert-sha1=%{sha1:salt1%{TIME}salt3%{SSL_CLIENT_S_DN_CN}salt2};%{env:zt_cert}" env=!HAVE_zt-cert-sha1
    Header add Set-Cookie "expr=zt-cert-uid=%{SSL_CLIENT_S_DN_CN};%{env:zt_cert}" env=!HAVE_zt-cert-sha1
    Header add Set-Cookie "expr=zt-cert-date=%{TIME};%{env:zt_cert}" env=!HAVE_zt-cert-sha1
</If>
</If>

The goal was achieved, but there are problems with server-side ageing (an old cookie can still be used), which means the tokens, although safe enough for internal use, are not safe for production (public) use.

4. Temporary session tokens are already implemented as ready-made Apache modules.

One important problem remained from the previous steps: no way to control ageing.

We searched for a ready-made module that does this, using the keywords: apache token json auth two factor

Yes, there are ready-made solutions, but they are all tied to specific services and carry artifacts in the form of session initiation and additional cookies. That is, they are not temporary.
We spent five hours on the search, and it gave no concrete result.

5. Temporary session tokens can be implemented by sensibly designing the interaction scheme.

The ready-made solutions are far too complex, because we need only two functions.

Namely, the date problem is that Apache's built-in functions do not allow generating a date in the future, and there is no arithmetic addition/subtraction in the built-in functions for checking the age.

That is, you cannot write:

(%{env:zt-cert-date} + 30) > %{DATE}

You can only compare two numbers.

While looking for a way to solve the Safari problem, I found an interesting article: HomeAssistant authentication with client certificates (working with Safari/iOS)
It describes a code example in Lua for Nginx which, as it turned out, closely repeats the part of the scheme we had already implemented, except that it uses the hmac salting method for hashing (which is not available in Apache).

It became clear that Lua is a fairly expressive language, and that something simple could be made for Apache too:

After studying the difference between Nginx and Apache:

And there are functions from the Lua language authors:
22.1 - Date and Time

We found a way to set env variables from a small Lua file in order to produce a future date to compare with the current one.

This is what the simple Lua script looks like:

require 'apache2'

-- access-checker hook: publishes the token lifetime and three timestamps
-- (now, half of the timeout from now, full timeout from now) as request notes,
-- readable from the Apache config as %{env:...}
function handler(r)
    local fmt = '%Y%m%d%H%M%S'  -- same digit-only layout as Apache %{TIME}
    local timeout = 3600 -- 1 hour

    r.notes['zt-cert-timeout'] = timeout
    r.notes['zt-cert-date-next'] = os.date(fmt,os.time()+timeout)
    r.notes['zt-cert-date-halfnext'] = os.date(fmt,os.time()+ (timeout/2))
    r.notes['zt-cert-date-now'] = os.date(fmt,os.time())

    return apache2.OK
end

And this is how the whole thing works together, with the number of cookies reduced and the token replaced when half of its lifetime has passed, before the old cookie (token) expires:

SSLVerifyClient optional

#LuaScope thread
#generate event variables zt-cert-date-next
LuaHookAccessChecker /usr/local/etc/apache24/sslincludes/websocket_token.lua handler early

# without a certificate, forbid anything other than websocket
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule     .? - [F]
#ErrorDocument 403 "You need a client side certificate issued by CAcert to access this site"

#websocket for safari without certauth
<If "%{SSL:SSL_CLIENT_VERIFY} != 'SUCCESS'">
<If "%{HTTP:Upgrade} = 'websocket'">
    # cookie value layout: sha1,date-next,date-halfnext,CN
    SetEnvIf Cookie "zt-cert=([^,;]+),([^,;]+),[^,;]+,([^,;]+)" zt-cert-sha1=$1 zt-cert-date=$2 zt-cert-uid=$3

    <RequireAll>
        Require expr %{sha1:salt1%{env:zt-cert-date}salt3%{env:zt-cert-uid}salt2} == %{env:zt-cert-sha1}
        Require expr %{env:zt-cert-sha1} =~ /^.{40}$/
        Require expr %{env:zt-cert-date} -ge %{env:zt-cert-date-now}
    </RequireAll>

    # replace authorization by certificate owner with authorization by protocol version
    # (the mod_ssl variable is SSL_PROTOCOL; the original text had a typo here)
    SSLUserName SSL_PROTOCOL
    SSLOptions -FakeBasicAuth
</If>
</If>

<If "%{SSL:SSL_CLIENT_VERIFY} = 'SUCCESS'">
<If "%{HTTP:Upgrade} != 'websocket'">
    SetEnvIf Cookie "zt-cert=([^,;]+),[^,;]+,([^,;]+)" HAVE_zt-cert-sha1=$1 HAVE_zt-cert-date-halfnow=$2
    SetEnvIfExpr "env('HAVE_zt-cert-date-halfnow') -ge %{TIME} && env('HAVE_zt-cert-sha1')=~/.{40}/" HAVE_zt-cert-sha1-found=1

    Define zt-cert "path=/;Max-Age=%{env:zt-cert-timeout};HttpOnly;Secure;SameSite=Strict"
    Define dates_user "%{env:zt-cert-date-next},%{env:zt-cert-date-halfnext},%{SSL_CLIENT_S_DN_CN}"
    # the salts here must be exactly the ones used in the Require expr above (salt1/salt3/salt2),
    # otherwise no issued token will ever verify; the original text had "sal3" here
    Header set Set-Cookie "expr=zt-cert=%{sha1:salt1%{env:zt-cert-date-next}salt3%{SSL_CLIENT_S_DN_CN}salt2},${dates_user};${zt-cert}" env=!HAVE_zt-cert-sha1-found
</If>
</If>

SetEnvIfExpr "env('HAVE_zt-cert-date-halfnow') -ge %{TIME} && env('HAVE_zt-cert-sha1')=~/.{40}/" HAVE_zt-cert-sha1-found=1
works,

but this will not work:
SetEnvIfExpr "env('HAVE_zt-cert-date-halfnow') -ge  env('zt-cert-date-now') && env('HAVE_zt-cert-sha1')=~/.{40}/" HAVE_zt-cert-sha1-found=1

Because LuaHookAccessChecker only fires in the access-check phase, after SetEnvIfExpr has already been evaluated, judging by this description from Nginx.
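To make the token scheme from hypotheses 3 and 5 concrete, the following Python model reproduces what the Apache directives above compute: the sha1-with-salts digest over the expiry date and the certificate CN, the regexes the SetEnvIf lines use to split the cookie, the <RequireAll> checks for a websocket request without a certificate (including the -ge date comparison that hypothesis 3 lacked), and the SetEnvIfExpr half-life rule that decides when a fresh cookie is issued. This is an added example written for this page, not code from ZeroTech's configuration; the salt values, the CN "alice" and the timestamps are constructed placeholders, and UTC is used only so the result is reproducible (Apache's %{TIME} and the Lua os.date call both use the server's local clock, which is fine as long as issuance and verification run on the same server).

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Placeholder salts: in the real config the issuing Header line and the Require expr
# line must use identical salts in identical order, otherwise no token ever verifies.
SALT1, SALT2, SALT3 = "salt1", "salt2", "salt3"
TIME_FMT = "%Y%m%d%H%M%S"   # digit-only layout of Apache %{TIME} and the Lua script
TIMEOUT = 3600              # token lifetime in seconds, as in the Lua script

# Regexes taken from the two SetEnvIf lines: cookie value is "sha1,date-next,date-halfnext,CN"
WS_COOKIE_RE = re.compile(r"zt-cert=([^,;]+),([^,;]+),[^,;]+,([^,;]+)")
REISSUE_COOKIE_RE = re.compile(r"zt-cert=([^,;]+),[^,;]+,([^,;]+)")


def apache_time(t: datetime) -> str:
    """Render a datetime like %{TIME}: YYYYMMDDHHMMSS, so integer (-ge) comparison works."""
    return t.strftime(TIME_FMT)


def token_digest(date_next: str, cn: str) -> str:
    """%{sha1:salt1<date-next>salt3<CN>salt2} from the config (plain salted sha1, not an HMAC)."""
    return hashlib.sha1(f"{SALT1}{date_next}{SALT3}{cn}{SALT2}".encode()).hexdigest()


def issue_cookie(cn: str, now: datetime) -> str:
    """Cookie value produced on a certificate-authenticated, non-websocket request."""
    date_next = apache_time(now + timedelta(seconds=TIMEOUT))
    date_half = apache_time(now + timedelta(seconds=TIMEOUT / 2))
    return f"zt-cert={token_digest(date_next, cn)},{date_next},{date_half},{cn}"


def verify_websocket_cookie(cookie_header: str, now: datetime, check_expiry: bool = True):
    """Replicates the <RequireAll> block for a websocket request without a client cert.
    Returns the CN the token was issued for, or None when access must be denied.
    check_expiry=False reproduces the hypothesis-3 sketch, which had no date check."""
    m = WS_COOKIE_RE.search(cookie_header)
    if not m:
        return None
    sha1, date_next, cn = m.groups()
    if len(sha1) != 40:                      # Require expr ... =~ /^.{40}$/
        return None
    if token_digest(date_next, cn) != sha1:  # Require expr %{sha1:...} == %{env:zt-cert-sha1}
        return None
    if check_expiry and int(date_next) < int(apache_time(now)):  # -ge on the digit strings
        return None
    return cn


def needs_reissue(cookie_header: str, now: datetime) -> bool:
    """Mirrors the SetEnvIfExpr: keep the old token while its half-life date is still in the
    future and the digest is at least 40 characters; otherwise a fresh cookie is set."""
    m = REISSUE_COOKIE_RE.search(cookie_header)
    if not m:
        return True
    sha1, date_half = m.groups()
    still_fresh = int(date_half) >= int(apache_time(now)) and len(sha1) >= 40
    return not still_fresh


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed issue time
    cookie = issue_cookie("alice", t0)
    print(cookie)
    print("10 min later:", verify_websocket_cookie(cookie, t0 + timedelta(minutes=10)))
    print("2 h later   :", verify_websocket_cookie(cookie, t0 + timedelta(hours=2)))
    print("2 h, no date check (hypothesis 3):",
          verify_websocket_cookie(cookie, t0 + timedelta(hours=2), check_expiry=False))
    print("reissue after 40 min:", needs_reissue(cookie, t0 + timedelta(minutes=40)))
```

Running it shows the difference between the two sketches: the same cookie is accepted ten minutes after issuance, rejected two hours later by the date check, and still accepted two hours later when the date check is skipped, which is exactly the server-side ageing problem the text notes after hypothesis 3. Changing the CN inside the cookie invalidates the digest, since the CN is part of the hashed input, and the half-life rule triggers a replacement cookie once date-halfnext is in the past.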


One more thing.

In general, it does not matter in which order the directives are written in the Apache configuration (probably in Nginx too), since in the end they are all ordered according to the request-processing scheme, which also matches the order in which the Lua script runs.

Conclusion:

Observable state after implementation (the goal):
management of services and infrastructure is reachable from a mobile phone on iOS without additional programs (VPN), in a unified and secure way.

The goal is achieved: websockets work and have a security level no lower than that of the certificates.


source: www.habr.com
