How we at ZeroTech connected Apple Safari and client certificates with websockets

This article will be useful to those who:

  • know what a Client Cert is and understand why it needs websockets on mobile Safari;
  • want to publish web services for a limited circle of people or only for themselves;
  • think that everything has already been done by someone, and want to make the world a little more convenient and safer.

The history of websockets began about 8 years ago. Before that, HTTP long polling was used (long responses): the user's browser sent a request to the server and waited for it to answer something, and after the answer it connected again and waited. Then websockets appeared.

A few years ago we made our own implementation in pure PHP, which could not use https requests, since this is the link layer. Not so long ago, almost all web servers learned to proxy requests over https and to support Connection: Upgrade.

When this happened, websockets became practically the default service for SPA applications, because of how convenient it is to deliver content to the user at the server's initiative (pass on a message from another user, or load a new version of an image, document or presentation that someone else is editing right now).

Although the Client Certificate has been around for quite some time, it is still poorly supported, because it creates a lot of problems when trying to bypass it. And (perhaps :) ) this is why iOS browsers (all except Safari) do not want to use it and request it from the local certificate store. Certificates have many advantages compared to a login/password, ssh keys, or closing the necessary ports with a firewall. But that is not what this article is about.

On iOS, the procedure for installing a certificate is fairly simple (not without its specifics), but in general it is done by following the instructions, of which there are plenty on the Internet and which are available only for the Safari browser. Unfortunately, Safari does not know how to use a Client Cert for web sockets; there are many instructions on the Internet on how to make such a certificate, but in practice this is unachievable.

To understand websockets, we used the following plan: problem / hypothesis / solution.

Problem: there is no support for web sockets when proxying requests to resources protected by a client certificate in the Safari mobile browser for iOS and in other applications that have enabled certificate support.

Hypotheses:

  1. It is possible to configure an exception to the use of certificates (knowing that there will be none) for websockets of internal/external proxied resources.
  2. For websockets, you can make a unique, secure and protected connection using temporary sessions that are generated during a normal (non-websocket) browser request.
  3. Temporary sessions can be implemented with a single proxy web server (built-in modules and functions only).
  4. Temporary session tokens have already been implemented as ready-made Apache modules.
  5. Temporary session tokens can be implemented by logically designing the interaction structure.

Visible state after implementation.

Goal of the work: management of services and infrastructure must be accessible from a mobile phone on iOS without additional programs (such as a VPN), unified and secure.

Additional goal: saving time and resources / phone traffic (some services without web sockets generate unnecessary requests), with faster content delivery on the mobile Internet.

How to check?

1. Opening pages:

  • for example, https://teamcity.yourdomain.com in the mobile Safari browser (also available in the desktop version): results in a successful connection to web sockets.
  • for example, https://teamcity.yourdomain.com/admin/admin.html?item=diagnostics&tab=webS… shows ping/pong.
  • for example, https://rancher.yourdomain.com/p/c-84bnv:p-vkszd/workload/deployment:danidb:ph… -> viewlogs: shows the container logs.

2. Or in the developer console:

Hypothesis testing:

1. It is possible to configure an exception to the use of certificates (knowing that there will be none) for websockets of internal/external proxied resources.

2 solutions were found here:

a) At the level of

<Location sock*>
    SSLVerifyClient optional
</Location>
<Location />
    SSLVerifyClient require
</Location>

change the access level.

This method has the following nuances:

  • Certificate verification happens after the request to the proxied resource, that is, as a post-request handshake. This means that the proxy will first load and then cut off the request to the protected service. This is bad, but not critical;
  • In the http2 protocol. It is still in draft, and browser vendors do not know how to implement it: #info about tls1.3 http2 post handshake (not working now), Implement RFC 8740 "Using TLS 1.3 with HTTP/2";
  • It is not clear how to unify this processing.

b) At the base level, allow ssl without a certificate.

SSLVerifyClient require => SSLVerifyClient optional, but this lowers the security level of the proxy server, since such a connection will be processed without a certificate. However, you can further deny access to the proxied services with the following directive:

RewriteEngine        on
RewriteCond     %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
RewriteRule     .? - [F]
ErrorDocument 403 "You need a client side certificate issued by CAcert to access this site"

More details can be found in the article about ssl: Apache Server Client Certificate Authentication

Both options were tested; option "b" was chosen for its versatility and compatibility with the http2 protocol.

To complete the verification of this hypothesis, quite a few experiments with the configuration were needed; the following constructs were tested:

if = require = rewrite

The result is the following basic construct:

SSLVerifyClient optional
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
#same exact comparison as in the <If> blocks below
RewriteCond %{HTTP:Upgrade} !=websocket
RewriteRule     .? - [F]
#ErrorDocument 403 "You need a client side certificate issued by CAcert to access this site"

#websocket for safari without cert auth
<If "%{SSL:SSL_CLIENT_VERIFY} != 'SUCCESS'">
<If "%{HTTP:Upgrade} = 'websocket'">
...
    #replace authorization by certificate owner with authorization by protocol number
    SSLUserName SSL_PROTOCOL
</If>
</If>

Given the existing authorization by certificate owner, but with the certificate missing, I had to add a non-existent certificate owner in the form of one of the available variables, SSL_PROTOCOL (instead of SSL_CLIENT_S_DN_CN); more details are in the documentation:

Apache Module mod_ssl

2. For websockets, you can make a unique, secure and protected connection using temporary sessions that are generated during a normal (non-websocket) browser request.

Based on previous experience, you need to add an extra section to the configuration that prepares temporary tokens for web socket connections during a regular (non-websocket) request.

#preparing to pass a cookie to ourselves through the user's browser
<If "%{SSL:SSL_CLIENT_VERIFY} = 'SUCCESS'">
<If "%{HTTP:Upgrade} != 'websocket'">
Header set Set-Cookie "websocket-allowed=true; path=/; Max-Age=100"
</If>
</If>

#check the cookie to establish a web socket connection
<If "%{SSL:SSL_CLIENT_VERIFY} != 'SUCCESS'">
<If "%{HTTP:Upgrade} = 'websocket'">
#check for exists cookie

#get and check
SetEnvIf Cookie "websocket-allowed=(.*)" env-var-name=$1

#or rewrite rule
RewriteCond %{HTTP_COOKIE} !^.*mycookie.*$

#or if
<If "%{HTTP_COOKIE} =~ /(^|; )cookie-name\s*=\s*some-val(;|$)/">
</If>

</If>
</If>

The test showed that it works. It is possible to pass cookies to yourself through the user's browser.

3. Temporary sessions can be implemented with a single web server (built-in modules and functions only).

As we found out earlier, Apache has quite a lot of core functionality that lets you build conditional constructs. However, we need a means of protecting our information while it is in the user's browser, so we establish what to store and why, and which built-in functions we will use:

  • We need a token that cannot be easily decoded.
  • We need a token that has expiry built into it, with the ability to check the expiry on the server.
  • We need a token that is associated with the owner of the certificate.

This requires a hashing function, a salt, and a date for token aging. According to the documentation, Expressions in Apache HTTP Server, we have all of this out of the box: sha1 and %{TIME}.

The result is this construct:

#no certificate, and a websocket request
<If "%{SSL:SSL_CLIENT_VERIFY} != 'SUCCESS'">
<If "%{HTTP:Upgrade} = 'websocket'">
    SetEnvIf Cookie "zt-cert-sha1=([^;]+)" zt-cert-sha1=$1
    SetEnvIf Cookie "zt-cert-uid=([^;]+)" zt-cert-uid=$1
    SetEnvIf Cookie "zt-cert-date=([^;]+)" zt-cert-date=$1

#this is the only way to work with the variables obtained in envs at this point in time; they are not available to the hashing function anywhere else (separately yes, but not together, and certainly not with hashing)
    <RequireAll>
        Require expr %{sha1:salt1%{env:zt-cert-date}salt3%{env:zt-cert-uid}salt2} == %{env:zt-cert-sha1}
        Require expr %{env:zt-cert-sha1} =~ /^.{40}$/
    </RequireAll>
</If>
</If>

#there is a certificate, and a non-websocket request
<If "%{SSL:SSL_CLIENT_VERIFY} = 'SUCCESS'">
<If "%{HTTP:Upgrade} != 'websocket'">
    SetEnvIf Cookie "zt-cert-sha1=([^;]+)" HAVE_zt-cert-sha1=$1

    SetEnv zt_cert "path=/; HttpOnly;Secure;SameSite=Strict"
#new cookies are set if there are no old ones
    Header add Set-Cookie "expr=zt-cert-sha1=%{sha1:salt1%{TIME}salt3%{SSL_CLIENT_S_DN_CN}salt2};%{env:zt_cert}" env=!HAVE_zt-cert-sha1
    Header add Set-Cookie "expr=zt-cert-uid=%{SSL_CLIENT_S_DN_CN};%{env:zt_cert}" env=!HAVE_zt-cert-sha1
    Header add Set-Cookie "expr=zt-cert-date=%{TIME};%{env:zt_cert}" env=!HAVE_zt-cert-sha1
</If>
</If>

The goal was achieved, but there are problems with server-side expiry (you can use a cookie that is a year old), which means that the tokens, although safe for internal use, are not safe for industrial (mass) use.

4. Temporary session tokens have already been implemented as ready-made Apache modules.

One significant problem remained from the previous iteration: the inability to control token aging.

We looked for a ready-made solution that does this, using the keywords: apache token json two factor auth

Yes, there are ready-made modules, but they are all tied to specific actions and carry artifacts in the form of a session start and additional cookies. That is, they are not temporary.
The search took us five hours and did not give a concrete result.

5. Temporary session tokens can be implemented by logically designing the interaction structure.

Ready-made modules are too complex, because we need only a couple of functions.

That said, the problem with the date is that Apache's built-in functions do not allow generating a date from the future, and the built-in functions have no mathematical addition/subtraction for checking expiry.

That is, you cannot write:

(%{env:zt-cert-date} + 30) > %{DATE}

You can only compare two numbers.

While looking for a workaround for the Safari problem, I found an interesting article: Securing HomeAssistant with client certificates (works with Safari/iOS)
It describes an example of Lua code for Nginx which, as it turned out, largely repeats the logic of the part of the configuration we had already implemented, except for the use of the hmac salting method for hashing (this was not found in Apache).

It became clear that Lua is a language with clear logic, and that it is possible to do something simple for Apache:

Having studied the differences between Nginx and Apache:

And the functions available from the developers of the Lua language:
22.1 - Date and Time

We found a way to set env variables in a small Lua file in order to set a date from the future to compare with the current one.

This is what a simple Lua script looks like:

require 'apache2'

function handler(r)
    local fmt = '%Y%m%d%H%M%S'
    local timeout = 3600 -- 1 hour

    r.notes['zt-cert-timeout'] = timeout
    r.notes['zt-cert-date-next'] = os.date(fmt,os.time()+timeout)
    r.notes['zt-cert-date-halfnext'] = os.date(fmt,os.time()+ (timeout/2))
    r.notes['zt-cert-date-now'] = os.date(fmt,os.time())

    return apache2.OK
end

And this is how it all works together, with the cookies optimized and the token replaced when half of the lifetime has passed, before the old cookie (token) expires:

SSLVerifyClient optional

#LuaScope thread
#generate event variables zt-cert-date-next
LuaHookAccessChecker /usr/local/etc/apache24/sslincludes/websocket_token.lua handler early

#without a certificate, deny everything except websocket
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
#same exact comparison as in the <If> blocks below
RewriteCond %{HTTP:Upgrade} !=websocket
RewriteRule     .? - [F]
#ErrorDocument 403 "You need a client side certificate issued by CAcert to access this site"

#websocket for safari without certauth
<If "%{SSL:SSL_CLIENT_VERIFY} != 'SUCCESS'">
<If "%{HTTP:Upgrade} = 'websocket'">
    SetEnvIf Cookie "zt-cert=([^,;]+),([^,;]+),[^,;]+,([^,;]+)" zt-cert-sha1=$1 zt-cert-date=$2 zt-cert-uid=$3

    <RequireAll>
        Require expr %{sha1:salt1%{env:zt-cert-date}salt3%{env:zt-cert-uid}salt2} == %{env:zt-cert-sha1}
        Require expr %{env:zt-cert-sha1} =~ /^.{40}$/
        Require expr %{env:zt-cert-date} -ge %{env:zt-cert-date-now}
    </RequireAll>

    #replace authorization by certificate owner with authorization by protocol number
    SSLUserName SSL_PROTOCOL
    SSLOptions -FakeBasicAuth
</If>
</If>

<If "%{SSL:SSL_CLIENT_VERIFY} = 'SUCCESS'">
<If "%{HTTP:Upgrade} != 'websocket'">
    SetEnvIf Cookie "zt-cert=([^,;]+),[^,;]+,([^,;]+)" HAVE_zt-cert-sha1=$1 HAVE_zt-cert-date-halfnow=$2
    SetEnvIfExpr "env('HAVE_zt-cert-date-halfnow') -ge %{TIME} && env('HAVE_zt-cert-sha1')=~/.{40}/" HAVE_zt-cert-sha1-found=1

    Define zt-cert "path=/;Max-Age=%{env:zt-cert-timeout};HttpOnly;Secure;SameSite=Strict"
    Define dates_user "%{env:zt-cert-date-next},%{env:zt-cert-date-halfnext},%{SSL_CLIENT_S_DN_CN}"
    Header set Set-Cookie "expr=zt-cert=%{sha1:salt1%{env:zt-cert-date-next}salt3%{SSL_CLIENT_S_DN_CN}salt2},${dates_user};${zt-cert}" env=!HAVE_zt-cert-sha1-found
</If>
</If>

SetEnvIfExpr "env('HAVE_zt-cert-date-halfnow') -ge %{TIME} && env('HAVE_zt-cert-sha1')=~/.{40}/" HAVE_zt-cert-sha1-found=1
works,

but this will not work:
SetEnvIfExpr "env('HAVE_zt-cert-date-halfnow') -ge  env('zt-cert-date-now') && env('HAVE_zt-cert-sha1')=~/.{40}/" HAVE_zt-cert-sha1-found=1

Because LuaHookAccessChecker is activated only after the access checks, according to this information from Nginx.

Link to the image source.
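
As an added example (not code from the original article), this Python model reproduces the zt-cert token of the final configuration and shows why the hash-only check from step 3 accepts a year-old cookie while the date comparison added in step 5 rejects it. The function names, the sample CN and the sample time are assumptions; the salts are the page's placeholders.

```python
import hashlib
from datetime import datetime, timedelta

FMT = "%Y%m%d%H%M%S"      # same layout as fmt in the Lua handler
TIMEOUT = 3600            # seconds, same as timeout in the Lua handler
SALT1, SALT2, SALT3 = "salt1", "salt2", "salt3"  # placeholders, as on the page


def stamp(moment):
    """Render a datetime the way os.date(fmt, ...) does in the Lua script."""
    return moment.strftime(FMT)


def digest(date, uid):
    """Model of %{sha1:salt1<date>salt3<uid>salt2} from the config."""
    data = f"{SALT1}{date}{SALT3}{uid}{SALT2}".encode()
    return hashlib.sha1(data).hexdigest()


def issue(uid, now):
    """Cookie value set on a certificate-authenticated, non-websocket request."""
    date_next = stamp(now + timedelta(seconds=TIMEOUT))
    date_half = stamp(now + timedelta(seconds=TIMEOUT // 2))
    return f"{digest(date_next, uid)},{date_next},{date_half},{uid}"


def verify(cookie, now, check_expiry=True):
    """Websocket branch: the three Require expr lines of the final config.

    check_expiry=False models the step-3 check, which compared only the hash.
    """
    parts = cookie.split(",")
    if len(parts) != 4:
        return False
    sha1, date_next, _date_half, uid = parts
    if len(sha1) != 40 or sha1 != digest(date_next, uid):
        return False
    if not check_expiry:
        return True
    return date_next.isdigit() and int(date_next) >= int(stamp(now))


def needs_rotation(cookie, now):
    """Certificate branch: re-issue once the half-life timestamp has passed."""
    parts = cookie.split(",")
    if len(parts) != 4 or not parts[2].isdigit():
        return True
    return int(parts[2]) < int(stamp(now))


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, 0)          # constructed sample time
    cookie = issue("alice", t0)                  # constructed sample CN
    print(verify(cookie, t0 + timedelta(days=365), check_expiry=False))
    print(verify(cookie, t0 + timedelta(days=365)))
```

Like the SetEnvIf pattern, the model splits the cookie on commas, so a certificate CN that contains `,` or `;` never yields a token that verifies.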

One more thing.

In general, it does not matter in what order the directives are written in the Apache (and probably also Nginx) configuration, since in the end everything is sorted by the order in which the user's request is processed, which corresponds to the scheme for processing Lua scripts.

Conclusion:

Visible state after implementation (goal):
management of services and infrastructure is available from a mobile phone on iOS without additional programs (VPN), unified and secure.

The goal has been achieved: web sockets work and have a level of security no lower than that of a certificate.

Source: www.hab.com
