Medium Weekly Digest #5 (9 - 16 Aug 2019)

We hear the words "national security" all the time, but when a government starts monitoring our communications and shutting them down without trust, without law and without a clear purpose, we have to ask ourselves: are they protecting national security, or are they protecting themselves?

- Edward Snowden

This digest is intended to raise the Community's interest in the problem of privacy, which, in light of recent events, may be more relevant than ever before.

In this issue:

    Community members of the Internet service provider "Medium" are building their own search engine
    Medium has created a new certification authority, Medium Global Root CA. Who is affected by the change?
    A security certificate for every home: how to create your own service on the Yggdrasil network and get a valid SSL certificate for it


Reminder: what is "Medium"?

Medium (Lat. medium, "intermediary"; the original wording is "Don't ask yourself. Take it back"; in English the word medium also means "intermediate") is a Russian decentralized Internet service provider offering free access only to the Yggdrasil network.

Full name: Medium Internet Service Provider. Originally the project was conceived as a mesh network in the city of Kolomna.

Created in April 2019 as part of building a free communications environment, by giving end users access to Yggdrasil network resources over Wi-Fi wireless data transmission.

Read more on the topic: "Everything you wanted to know about the Internet service provider Medium but were afraid to ask"

Community members of the Internet service provider "Medium" are building their own search engine

Historically, the Yggdrasil network, which the decentralized Internet service provider Medium uses as transport, has had neither its own DNS server nor a public key infrastructure; however, the need to issue security certificates for Medium network services led to both problems being solved.

Why would a PKI be needed at all, if Yggdrasil provides access between peers out of the box? There is no need to use HTTPS to connect to web services on the Yggdrasil network if you connect to them through a locally running Yggdrasil network router.

Indeed: Yggdrasil transport is based on a protocol that lets you use the Yggdrasil network securely; the possibility of a MITM attack is completely excluded.

The situation changes radically if you access Yggdrasil intranet resources not directly, but through a Medium access point: an entry point into the network that is controlled by its operator.

In this case, who can intercept the data you send:

  1. The access point operator. Obviously, the current operator of a Medium network access point can eavesdrop on unencrypted traffic passing through his equipment.
  2. An intruder (man in the middle). Medium has problems analogous to those of the Tor network, in relation to its entry and intermediate nodes.

This is what it looks like:

Solution: to access web services on the Yggdrasil network, use the HTTPS protocol (layer 7 of the OSI model). The problem is that it is impossible to obtain a real security certificate for a Yggdrasil network service from recognized authorities such as Let's Encrypt.

Therefore, we have created our own certification authority: "Medium Global Root CA". Most Medium network services are signed with security certificates from the intermediate certification authority "Medium Domain Validation Secure Server CA".


The possibility of the certification authority's root certificate being compromised is, of course, taken into account; but here the certificate is needed additionally, to ensure the integrity of transmitted data and rule out the possibility of MITM attacks.

Medium services run by different operators have different security certificates, one way or another signed by the root certification authority. However, the root CA's operators cannot eavesdrop on access to the services whose security certificates they signed (see "What is a CSR?").

Those especially concerned about their security can use additional protection measures, such as PGP and the like.

Currently, the Medium network's public key infrastructure can check the status of a certificate using the OCSP protocol or using a CRL.

Back to the point

User @NXShock has started building a search engine for web services located on the Yggdrasil network. A key feature is that the IPv6 addresses of services are determined during crawling by sending a query to the DNS server located on the Medium network.

The main TLD is .ygg. Most registered names use this TLD, with two exceptions: .isp and .gg.

The search engine is still under development, but it is already usable: just visit the site search.medium.isp.

You can help improve the project by joining development on GitHub.


Medium has created a new certification authority, Medium Global Root CA. Who is affected by the change?

Yesterday, public testing of the Medium Root CA certification center concluded. At the end of testing, the errors in the operation of the public key infrastructure services were fixed and a new root certificate of the certification authority, "Medium Global Root CA", was created.

All the nuances and features of a PKI have been taken into account: a new "Medium Global Root CA" CA certificate will now be issued only ten years from now (after its expiry date). Security certificates are now issued only by intermediate certification authorities, for example "Medium Domain Validation Secure Server CA".

What does the chain of trust look like now?

What users need to do so that everything works:

Since some services use HSTS, before using Medium network resources you need to clear the stored data for Medium intranet resources. You can do this in your browser's history tab.

You also need to install the new certification center certificate "Medium Global Root CA".

What system administrators need to do so that everything works:

You need to reissue the certificate for your service on the page pki.medium.isp (the service is only available on the Medium network).

A security certificate for every home: how to create your own service on the Yggdrasil network and get a valid SSL certificate for it

Because of the growing number of intranet services on the Medium network, the need to issue new security certificates and configure those services to support SSL has increased.

Since Habr is a suitable resource for this, in each new digest one of the sections will cover the features of the Medium network infrastructure. For example, below are general instructions for obtaining an SSL certificate for your service.

The examples use domain.ygg as the registered name, which must be replaced with the registered name of your service.

Step 1. Generate a private key and Diffie-Hellman parameters

openssl genrsa -out domain.ygg.key 2048

Then:

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Step 2. Create a certificate signing request

openssl req -new -key domain.ygg.key -out domain.ygg.csr -config domain.ygg.conf

Contents of the domain.ygg.conf file:

[ req ]
default_bits                = 2048
distinguished_name          = req_distinguished_name
x509_extensions             = v3_req

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = RU
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Moscow Oblast
localityName                = Locality Name (eg, city)
localityName_default        = Kolomna
organizationName            = Organization Name (eg, company)
organizationName_default    = ACME, Inc.
commonName                  = Common Name (eg, YOUR name)
commonName_max              = 64
commonName_default          = *.domain.ygg

[ v3_req ]
subjectKeyIdentifier        = hash
keyUsage                    = critical, digitalSignature, keyEncipherment
extendedKeyUsage            = serverAuth
basicConstraints            = CA:FALSE
nsCertType                  = server
authorityKeyIdentifier      = keyid,issuer:always
crlDistributionPoints       = URI:http://crl.medium.isp/Medium_Global_Root_CA.crl
authorityInfoAccess         = OCSP;URI:http://ocsp.medium.isp
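As an added check for Step 2 (this is example code written for this digest, not part of the Medium project's tooling), the Python script below lints an `openssl req` configuration like domain.ygg.conf before it is used to build a CSR. The sample configuration embedded in it is constructed to mirror the one above. It flags three things that the signing authority would otherwise silently override or reject: `x509_extensions` is only honoured by `openssl req -x509`, so a CSR made with `-new` carries none of the `v3_req` section unless the key is `req_extensions`; `authorityKeyIdentifier`, `crlDistributionPoints` and `authorityInfoAccess` are filled in by the issuing CA, not the requester (`authorityKeyIdentifier` in particular needs an issuer certificate, which a CSR does not have); and a missing `subjectAltName`, which current browsers require because they no longer match hostnames against the CN. `fix_csr_conf` returns a corrected configuration with those changes applied.

```python
"""Lint and repair an `openssl req` config before generating a CSR.

Hypothetical helper written for this digest; the sample below is a
constructed copy of the page's domain.ygg.conf, trimmed to the relevant keys.
"""
import re

SAMPLE_REQ_CONF = """\
[ req ]
default_bits                = 2048
distinguished_name          = req_distinguished_name
x509_extensions             = v3_req

[ req_distinguished_name ]
commonName                  = Common Name (eg, YOUR name)
commonName_default          = *.domain.ygg

[ v3_req ]
subjectKeyIdentifier        = hash
keyUsage                    = critical, digitalSignature, keyEncipherment
extendedKeyUsage            = serverAuth
basicConstraints            = CA:FALSE
authorityKeyIdentifier      = keyid,issuer:always
crlDistributionPoints       = URI:http://crl.medium.isp/Medium_Global_Root_CA.crl
authorityInfoAccess         = OCSP;URI:http://ocsp.medium.isp
"""

# Extensions only the issuing CA can fill in; a requester cannot set them.
ISSUER_SIDE = ("authorityKeyIdentifier", "crlDistributionPoints", "authorityInfoAccess")


def parse_openssl_conf(text):
    """Minimal INI parser: returns {section: {key: value}}, comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*(.+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def lint_csr_conf(text):
    """Return a list of findings; an empty list means the config is CSR-ready."""
    conf = parse_openssl_conf(text)
    req = conf.get("req", {})
    findings = []
    if int(req.get("default_bits", "0")) < 2048:
        findings.append("default_bits below 2048")
    ext_name = req.get("req_extensions")
    if ext_name is None:
        if "x509_extensions" in req:
            findings.append("x509_extensions is only honoured by 'openssl req -x509'; "
                            "use req_extensions so the CSR carries the section")
        ext_name = req.get("x509_extensions")
    ext = conf.get(ext_name, {}) if ext_name else {}
    for key in ISSUER_SIDE:
        if key in ext:
            findings.append(f"{key} is set by the CA, not the requester; drop it from the CSR")
    if "subjectAltName" not in ext:
        findings.append("no subjectAltName; browsers ignore the CN, so list DNS names")
    return findings


def fix_csr_conf(text):
    """Rewrite the config so lint_csr_conf() reports nothing."""
    conf = parse_openssl_conf(text)
    req = conf["req"]
    ext_name = req.pop("req_extensions", None) or req.pop("x509_extensions", None) or "v3_req"
    req["req_extensions"] = ext_name
    ext = conf.setdefault(ext_name, {})
    for key in ISSUER_SIDE:
        ext.pop(key, None)
    if "subjectAltName" not in ext:
        # Derive SANs from the CN default: a wildcard also needs the bare name.
        dn = conf.get(req.get("distinguished_name", ""), {})
        cn = dn.get("commonName_default", "")
        names = [cn] + ([cn[2:]] if cn.startswith("*.") else [])
        ext["subjectAltName"] = ", ".join(f"DNS:{n}" for n in names if n)
    out = []
    for section, items in conf.items():
        out.append(f"[ {section} ]")
        out.extend(f"{k:<28}= {v}" for k, v in items.items())
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for finding in lint_csr_conf(SAMPLE_REQ_CONF):
        print("-", finding)
    print(fix_csr_conf(SAMPLE_REQ_CONF))
```

Run the script as-is to see the findings for the sample, or point `lint_csr_conf` at your own file's contents before running `openssl req -new`. The corrected output keeps `subjectKeyIdentifier`, `keyUsage`, `extendedKeyUsage` and `basicConstraints`, which are legitimate for a requester to propose; the CA may still override them.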

Step 3. Submit the certificate request

To do this, copy the contents of the domain.ygg.csr file and paste it into the text field on the site pki.medium.isp.

Follow the instructions on the website, then click "Submit". If successful, a message will be sent to the email address you specified, with the certificate signed by one of the intermediate certification authorities attached.


Step 4. Configure your web server

If you use nginx as your web server, use the following configuration:

file domain.ygg.conf in the directory /etc/nginx/sites-available/

server {
    listen [::]:80;
    listen [::]:443 ssl;

    root /var/www/domain.ygg;
    index index.php index.html index.htm index.nginx-debian.html;

    server_name domain.ygg;

    # certificate paths and TLS parameters live in the two snippets below
    include snippets/domain.ygg.conf;
    include snippets/ssl-params.conf;

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { log_not_found off; access_log off; allow all; }
    # the dot must be escaped, otherwise "." matches any character
    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    # never serve .htaccess / .htpasswd files
    location ~ /\.ht {
        deny all;
    }
}

file ssl-params.conf in the directory /etc/nginx/snippets/

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

add_header Strict-Transport-Security "max-age=15552000; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;
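As an added example (written for this digest, not code from the Medium project), the Python linter below parses a snippet like ssl-params.conf and reports two settings a reviewer would flag in the configuration above: `ssl_protocols` still enables TLSv1 and TLSv1.1, which RFC 8996 deprecates, and the Strict-Transport-Security header carries `preload` without the `includeSubDomains` token and the one-year `max-age` that the HSTS preload list requires. `fix_ssl_params` returns the hardened snippet; the TLSv1.3 it enables assumes nginx 1.13.0 or newer built against OpenSSL 1.1.1, which is an assumption about the server and not something the page states. The sample snippet inside the script is a constructed copy of the one above.

```python
"""Lint and harden an nginx TLS snippet such as ssl-params.conf.

Hypothetical helper written for this digest. It handles simple one-line
directives only (no nested blocks), which is all a snippet like this contains.
"""
import re

# Constructed to mirror the page's ssl-params.conf.
SAMPLE_SSL_PARAMS = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

add_header Strict-Transport-Security "max-age=15552000; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
HSTS_PRELOAD_MIN_AGE = 31536000  # one year, the preload-list minimum


def parse_directives(text):
    """Return [(name, [args])] for every `name arg ... ;` line; quotes are removed."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue
        parts = re.findall(r'"[^"]*"|\S+', line[:-1])
        directives.append((parts[0], [p.strip('"') for p in parts[1:]]))
    return directives


def parse_hsts(value):
    """Turn 'max-age=N; includeSubDomains; preload' into a lower-cased dict."""
    policy = {}
    for token in value.split(";"):
        token = token.strip()
        if token:
            key, _, val = token.partition("=")
            policy[key.lower()] = val
    return policy


def lint_ssl_params(text):
    """Return findings for deprecated protocols and an incomplete HSTS preload policy."""
    findings = []
    for name, args in parse_directives(text):
        if name == "ssl_protocols":
            bad = [p for p in args if p in DEPRECATED_PROTOCOLS]
            if bad:
                findings.append("ssl_protocols enables deprecated " + ", ".join(bad))
        elif name == "add_header" and args and args[0] == "Strict-Transport-Security":
            policy = parse_hsts(args[1] if len(args) > 1 else "")
            max_age = int(policy.get("max-age") or 0)
            if "preload" in policy and ("includesubdomains" not in policy
                                        or max_age < HSTS_PRELOAD_MIN_AGE):
                findings.append("HSTS preload requires includeSubDomains and "
                                f"max-age >= {HSTS_PRELOAD_MIN_AGE}")
    return findings


def fix_ssl_params(text):
    """Rewrite the snippet so lint_ssl_params() reports nothing."""
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.startswith("ssl_protocols "):
            kept = [p for p in stripped[:-1].split()[1:] if p not in DEPRECATED_PROTOCOLS]
            if "TLSv1.3" not in kept:   # assumes nginx >= 1.13.0 with OpenSSL >= 1.1.1
                kept.append("TLSv1.3")
            out.append("ssl_protocols " + " ".join(kept) + ";")
        elif stripped.startswith("add_header Strict-Transport-Security"):
            # 'always' makes nginx send the header on error responses as well
            out.append('add_header Strict-Transport-Security '
                       '"max-age=31536000; includeSubDomains; preload" always;')
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in lint_ssl_params(SAMPLE_SSL_PARAMS):
        print("-", finding)
    print(fix_ssl_params(SAMPLE_SSL_PARAMS))
```

Before enabling `includeSubDomains` on a real host, make sure every subdomain of the name is also served over TLS; the token commits browsers to HTTPS for all of them for the whole `max-age` window. After editing the snippet, `nginx -t` validates the syntax before the restart in Step 5.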

file domain.ygg.conf in the directory /etc/nginx/snippets/

ssl_certificate /etc/ssl/certs/domain.ygg.crt;
ssl_certificate_key /etc/ssl/private/domain.ygg.key;

The certificate you received by email must be copied to /etc/ssl/certs/domain.ygg.crt. The private key (domain.ygg.key) goes in the /etc/ssl/private/ directory.

Step 5. Restart your web server

sudo service nginx restart

A free Internet in Russia starts with you

You can contribute to building a free Internet in Russia today. We have compiled a list of exactly how you can help the network:

  • Tell your friends and colleagues about the Medium network. Share a link to this article on social networks or your personal blog
  • Join the discussion of the Medium network's business issues on GitHub
  • Create your own web service on the Yggdrasil network and add it to the Medium network's DNS
  • Set up your own access point to the Medium network

Previous articles:

Medium Weekly Digest #1 (12 - 19 July 2019)
Medium Weekly Digest #2 (19 - 26 July 2019)
Medium Weekly Digest #3 (26 Jul - 2 Aug 2019)
Medium Weekly Digest #4 (2 - 9 Aug 2019)

Read also:

Everything you wanted to know about the Internet service provider Medium but were afraid to ask
Today we are killing the Internet
Decentralized Internet service provider "Medium": three months later

We are on Telegram: @medium_isp
