Following the path of process improvement, I decided to close an old and painful question once and for all: give colleagues (developers, testers, managers, and so on) the ability to manage their virtual machines in oVirt without unnecessary instructions. oVirt has several components that must be configured to solve my problem: the web interface itself, the noVNC console and disk image uploading.
I did not find a "Make It Good" button, so I will tell you which buttons I pressed to solve this problem. All the instructions are under the cut:

DISCLAIMER:
Before starting, I want to draw your attention to the fact that, for some reason unknown to me, infrastructure engineers build their infrastructure in private zones such as .lan, .local, etc.
I do not know what prevents me from using the organization's name in a public zone. For example, instead of the zone Alex-GLuck-Awesome-Company.local, you can use a subzone of the company website Alex-GLuck-Awesome-Company.com.
If you are afraid that you will not be able to keep track of the administrators in your organization, and that this will break something, then for a modest 100 rubles a year you can buy a separate zone for the infrastructure, e.g. aglac.com.
Why it is more useful to use names in a public zone:
1. Your organization has services that are publicly accessible: VPN, file sharing (seafile, nextcloud), etc. Setting up the interaction between these services is usually a bit of a hassle, and we do not protect against MitM attacks because it is hard (it is not, really).
Or you have one address inside the office and another from the Internet, and both connections have to be maintained, which costs us resources for no good reason. Plus, employees have to remember different addresses, which is inconvenient.
2. You can use free certificates to access your internal services.
Your own PKI is a service that has to be maintained; 100 rubles a year for using the PKI of a free authority is far cheaper than paying for the time of employees who could be used for other tasks.
3. When using your own certificate authority, you put obstacles in the way of your remote employees and colleagues who want to work with BYOD (bring their own laptops, phones, tablets) whose devices you do not control. They bring Macs, Linux, Androids, iOS, Windows; there is no way to properly support all of that.
In everything, of course, there are exceptions, and banks along with other heavy industries that have built a strict security policy will not be able to improve the service for their employees this way.
For them, there are paid offerings that will sign their CA certificate for a certain amount of money (Google "root signing service").
There are other reasons why it is more useful to use a public zone (the most important one is that it is yours), but this article is not about that.
The point is...
WARNING! If you add the Let's Encrypt CA certificate to the oVirt trust list, it will affect the security of your system!
The first thing you need to pay attention to is that exposing oVirt interfaces to the Internet is bad practice, because it makes no sense and creates additional threats.
Therefore, you need to obtain the certificate on one of our bastion hosts, and then transfer the certificate and key to our host with ovirt-engine.
We add the external address of our bastion host to DNS under our oVirt name ovirtengine.example.com; I will leave the installation of certbot and nginx behind the scenes (how to do this has already been described on Habr).
Configure nginx version >= 1.15.7
/etc/nginx/conf.d/default.conf
server {
server_name _;
listen 80 default_server;
location /robots.txt { alias /usr/share/nginx/html/robots.txt; }
location /.well-known {
root /usr/share/nginx/html;
}
location / {
return 444;
}
}
server {
server_name _;
listen 443 ssl http2 default_server;
location /robots.txt { alias /usr/share/nginx/html/robots.txt; }
location /.well-known {
root /usr/share/nginx/html;
}
ssl_certificate /etc/nginx/ssl/$ssl_server_name/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/$ssl_server_name/privkey.pem;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# allow the server to staple OCSP responses, reducing page load time for users
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
location / {
return 444;
}
}
Then we obtain our certificate and key:
certbot certonly --nginx -d ovirtengine.example.com
Archive our certificate and key:
tar Phczf /tmp/ovirtengine.example.com.tgz /etc/letsencrypt/live/ovirtengine.example.com
Download the archive from the bastion host and upload it to our oVirt engine:
scp bastion-host:/tmp/ovirtengine.example.com.tgz /tmp/
scp /tmp/ovirtengine.example.com.tgz ovirtengine.example.com:/
Let's move on to the target host
Next, we unpack our archive and create symlinks so that the file locations are easier to follow:
tar Pxzf /ovirtengine.example.com.tgz && rm -f /ovirtengine.example.com.tgz
mkdir -p /etc/letsencrypt/live
ln -f -s /etc/letsencrypt/live /etc/pki/letsencrypt
We configure oVirt's built-in PKI so that the Java certificate store (openjdk) is used to verify certificates:
cat << EOF > /etc/ovirt-engine/engine.conf.d/99-setup-pki.conf
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
EOF
We convert the Let's Encrypt CA certificate to DER format and add it to the oVirt Java trust store (this is a container holding a list of certificates, like the system one used by Java):
openssl x509 -outform der -in /etc/pki/letsencrypt/ovirtengine.example.com/chain.pem -out /tmp/ovirtengine.example.com.chain.der
keytool -import -alias "Let's Encrypt Authority X3" -file /tmp/ovirtengine.example.com.chain.der -keystore /etc/pki/ovirt-engine/.truststore -storepass $(grep '^ENGINE_PKI_TRUST_STORE_PASSWORD' /etc/ovirt-engine/engine.conf.d/10-setup-pki.conf | cut -f 2 -d '"')
rm -f /tmp/ovirtengine.example.com.chain.der
We fix the SSL settings for Apache: add the option that allows following symlinks and comment out the CA file that would otherwise be used to verify certificates (by default, the system bundle of trusted CAs is used for verification):
sed -r -i 's|^(SSLCACertificateFile.*)|#\1|g' /etc/httpd/conf.d/ssl.conf
sed -r -i '0,/(^#?SSLCACertificateFile.*)/ s//\1\nOptions FollowSymlinks/' /etc/httpd/conf.d/ssl.conf
Then we back up the original files created by oVirt's automatic PKI and replace them with symlinks to the files from Let's Encrypt:
ln -f -s /etc/pki/letsencrypt/ovirtengine.example.com/fullchain.pem /etc/pki/ovirt-engine/apache-chain.pem
services=( 'apache' 'imageio-proxy' 'websocket-proxy' )
for i in "${services[@]}"; do
cp /etc/pki/ovirt-engine/certs/$i.cer{,."$( date +%F )".bak}
cp /etc/pki/ovirt-engine/keys/$i.key.nopass{,."$( date +%F )".bak}
ln -f -s /etc/pki/letsencrypt/ovirtengine.example.com/privkey.pem /etc/pki/ovirt-engine/keys/$i.key.nopass
ln -f -s /etc/pki/letsencrypt/ovirtengine.example.com/cert.pem /etc/pki/ovirt-engine/certs/$i.cer
done
We restore the SELinux contexts of the files and restart our services (httpd, ovirt-engine, ovirt-imageio-proxy, ovirt-websocket-proxy):
restorecon -Rv /etc/pki
systemctl restart httpd ovirt-engine ovirt-imageio-proxy ovirt-websocket-proxy
httpd - the Apache web server
ovirt-engine - the oVirt web interface
ovirt-imageio-proxy - the daemon for uploading disk images
ovirt-websocket-proxy - the service that serves the noVNC console
Everything above was tested on oVirt version 4.2.
Automatic renewal of the oVirt certificate
As a matter of good security practice, there should be no connection between the bastion host and oVirt, and the certificate is only issued for 3 months. This is a debatable point regarding how I implemented the certificate renewal.
I have a playbook that runs on the master host every day at 5 a.m. on a schedule. This playbook goes to oVirt, checks the certificate's validity period, and if fewer than 5 days remain until expiry, it goes to the bastion host and starts the certificate renewal.
After renewing the certificate, it archives the folder with the files, downloads it to the Foreman host and unpacks it on the oVirt host. Then it restores the SELinux contexts of the files and restarts our services.
Source: www.hab.com
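As an added example (not code from the original article or from oVirt), here is the expiry check that the nightly playbook performs, written in Python: it connects to the engine with chain and host name verification against the system CA bundle, reads the certificate's notAfter, and applies the 5-day threshold from the text. The host name and the exit code convention are assumptions.

```python
"""Expiry check for the nightly oVirt certificate-renewal job (added example)."""
import socket
import ssl
import sys

# Threshold and service names come from the text; the host name is the article's example name.
RENEW_BEFORE_DAYS = 5
ENGINE_HOST = "ovirtengine.example.com"
SERVICES = ("httpd", "ovirt-engine", "ovirt-imageio-proxy", "ovirt-websocket-proxy")


def not_after_epoch(not_after: str) -> int:
    """Convert notAfter as returned by getpeercert(), e.g. 'Jan 10 00:00:00 2030 GMT', to epoch seconds."""
    return ssl.cert_time_to_seconds(not_after)


def days_remaining(not_after: str, now: float) -> float:
    """Days between `now` (epoch seconds) and notAfter; negative once the certificate has expired."""
    return (not_after_epoch(not_after) - now) / 86400


def needs_renewal(not_after: str, now: float, threshold_days: int = RENEW_BEFORE_DAYS) -> bool:
    """True when fewer than `threshold_days` remain, i.e. when the playbook goes to the bastion host."""
    return days_remaining(not_after, now) < threshold_days


def fetch_not_after(host: str = ENGINE_HOST, port: int = 443) -> str:
    """Read notAfter from the live engine endpoint.

    create_default_context() verifies the chain against the system CA bundle (which
    contains the Let's Encrypt roots) and checks the name against the SAN, so a stale
    or wrong symlink on the engine host fails here instead of being silently accepted.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def restart_command() -> str:
    """The post-unpack step the job runs on the engine host (same services as in the text)."""
    return "restorecon -Rv /etc/pki && systemctl restart " + " ".join(SERVICES)


if __name__ == "__main__":
    import time
    host = sys.argv[1] if len(sys.argv) > 1 else ENGINE_HOST
    expiry = fetch_not_after(host)
    print(f"{host}: expires {expiry} ({days_remaining(expiry, time.time()):.1f} days left)")
    sys.exit(2 if needs_renewal(expiry, time.time()) else 0)  # exit 2 = caller should renew (assumed convention)
```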
