Ka rongo tatou i te kupu "haumaru mo te motu" i nga wa katoa, engari ka timata te kawanatanga ki te aro turuki i a tatou korero, me te tuhi kaore he whakapae pono, he turanga ture me te kore e kitea he kaupapa, me patai tatou ki a tatou ano te patai: kei te tino tiaki ratou i te haumarutanga o te motu ranei. kei te tiaki ratou i to ratou ake?
- Edward Snowden
Ko te tikanga o tenei mahanga hei whakanui ake i te hiahia o te Hapori ki te kaupapa mo te noho muna, i runga i te whakaaro ka whai kiko ake i nga wa o mua.
Kei runga i te kaupapa:
Ko nga kaiwhaiwhai mai i te hapori o te kaiwhakarato Ipurangi "Medium" kei te hanga i a raatau ake miihini rapu
Kua whakapumautia e te Waenga tetahi mana tiwhikete hou, Medium Global Root CA. Ko wai ka pa ki nga huringa?
Tiwhikete Haumarutanga mo ia kaainga - me pehea te hanga i taau ake ratonga i runga i te whatunga Yggdrasil me te tuku i tetahi tiwhikete SSL whaimana mo tera
Whakamaumahara mai - he aha te "Waenga"?
wawaenga (Eng. wawaenga - “kaiwawao”, pepeha taketake - Kaua e patai mo to tahae. Whakahokia; i te reo pakeha hoki te kupu reo te tikanga “takawaenga”) - he kaiwhakarato Ipurangi kua wehea e Ruhia e whakarato ana i nga ratonga uru whatunga kore utu.
Ingoa katoa: Kaiwhakarato Ratonga Ipurangi Waenga. I te timatanga i whakaarohia te kaupapa hei в .
I hangaia i te Paenga-whawha 2019 hei waahanga o te hanganga o te taiao whakawhitiwhiti korero motuhake ma te whakarato i nga kaiwhakamahi mutunga ki te uru ki nga rauemi whatunga Yggdrasil ma te whakamahi i te hangarau whakawhiti raraunga ahokore Wi-Fi.
He korero ano mo te kaupapa:
Ko nga kaiwhaiwhai mai i te hapori o te kaiwhakarato Ipurangi "Medium" kei te hanga i a raatau ake miihini rapu
I te ipurangi tuatahi , e whakamahia ana e te kaiwhakarato ratonga Ipurangi Waenga hei kawe waka, kaore i a ia ake tana ake DNS, i nga hanganga matua a te iwi - heoi, na te hiahia ki te tuku tiwhikete haumarutanga mo nga ratonga whatunga Waenga i whakaoti enei raru e rua.
He aha te take e hiahia ana koe ki te PKI mena ka tukuna e Yggdrasil i waho o te pouaka te kaha ki te whakamuna i nga waka i waenga i nga hoa?Kaore he take ki te whakamahi i te HTTPS ki te hono atu ki nga ratonga tukutuku i runga i te whatunga Yggdrasil mena ka hono koe ki a raatau ma te pouara whatunga Yggdrasil e whakahaere ana i te rohe.
Ae: Ko te kawe waka a Yggdrasil kei runga ka taea e koe te whakamahi i nga rauemi i roto i te whatunga Yggdrasil - te kaha ki te whakahaere tino whakakorea.
Ka rereke te ahuatanga mena ka uru koe ki nga rauemi ipurangiroto a Yggdarsil ehara i te mea tika, engari na roto i te node takawaenga - te waahi uru whatunga Waenga, e whakahaerehia ana e tana kaiwhakahaere.
I tenei take, ko wai ka taea te whakararu i nga raraunga ka tukuna e koe:
- Kaiwhakahaere wāhi uru. E kitea ana ka taea e te kaiwhakahaere o naianei o te waahi uru whatunga Waenga te whakarongo ki nga waka kore whakamuna e haere ana i ona taputapu.
- tangata pokanoa (). He raruraru rite ki te Waenga , e pa ana ki te whakaurunga me nga pona takawaenga.
Ko te ahua tenei
whakatau: ki te uru ki nga ratonga tukutuku i roto i te whatunga Yggdrasil, whakamahia te kawa HTTPS (taumata 7 ). Ko te raru ko te kore e taea te tuku tiwhikete haumaru pono mo nga ratonga whatunga Yggdrasil na roto i nga tikanga tikanga penei .
Na reira, i whakatuu to maatau ake whare tohu tohu - . Ko te nuinga o nga ratonga i roto i te whatunga Waenga ka hainatia e te tiwhikete haumarutanga pakiaka o te mana tohu takawaenga Waenga Waenga Whakamana Haumaru Server CA.
Ko te kaha ki te whakararu i te tiwhikete pakiaka o te mana tohu, ko te tikanga, i whakaarohia - engari i konei ko te tiwhikete he mea nui ake hei whakapumau i te pono o te tuku raraunga me te whakakore i te tupono o nga whakaeke MITM.
He rereke nga tiwhikete haumarutanga o nga ratonga whatunga waenga mai i nga kaiwhakahaere rereke, i hainatia e te mana tohu pakiaka. Heoi, kaore e taea e nga kaiwhakahaere Root CA te whakarongo ki nga waka whakamunatia mai i nga ratonga kua hainatia e ratou nga tiwhikete haumarutanga (tirohia ).
Ko te hunga e tino awangawanga ana mo to raatau haumaru ka taea te whakamahi i nga tikanga penei i te whakamarumaru taapiri, penei i te и .
I tenei wa, ko nga hanganga matua o te whatunga Waenga te kaha ki te tirotiro i te mana o te tiwhikete ma te whakamahi i te kawa ma te whakamahi ranei .
Haere ki te kaupapa
Kaiwhakamahi I timata te whakawhanake i tetahi miihini rapu mo nga ratonga paetukutuku kei runga i te whatunga Yggdrasil. Ko tetahi waahanga nui ko te whakatau i nga wahitau IPv6 o nga ratonga i te wa e mahi ana i te rapunga ka mahia ma te tuku tono ki tetahi tūmau DNS kei roto i te whatunga Waenga.
Ko te TLD matua .ygg. Ko te nuinga o nga ingoa rohe kei tenei TLD, me nga waahanga e rua: .isp и .gg.
Kei te whakawhanakehia te miihini rapu, engari kua taea te whakamahi i tenei ra - tirohia noa te paetukutuku .
Ka taea e koe te awhina i te whanaketanga o te kaupapa, .
Kua whakapumautia e te Waenga tetahi mana tiwhikete hou, Medium Global Root CA. Ko wai ka pa ki nga huringa?
Inanahi nei, kua oti te whakamatautau a te iwi mo nga mahi o te pokapū tohu tohu Medium Root CA. I te mutunga o te whakamatautau, i whakatikahia nga hapa i roto i te whakahaeretanga o nga ratonga hanganga matua a te iwi, ka hangaia he tiwhikete pakiaka hou o te mana tohu "Medium Global Root CA" i hangaia.
Ko nga ahuatanga katoa me nga ahuatanga o te PKI i whakaarohia - inaianei ka tukuna te tiwhikete CA hou "Medium Global Root CA" i te tekau tau i muri mai (i muri i tona ra paunga). Inaianei ka tukuna nga tiwhikete haumarutanga e nga mana tiwhikete takawaenga anake - hei tauira, "Kaimau Whakaaetanga Rohe Waenga CA".
He aha te ahua o te mekameka tiwhikete tiwhikete inaianei?
He aha nga mahi hei mahi katoa mena he kaiwhakamahi koe:
I te mea ka whakamahi etahi ratonga i te HSTS, i mua i te whakamahi i nga rauemi whatunga Waenga, me muku koe i nga raraunga mai i nga rauemi ipurangiroto Waenga. Ka taea e koe tenei i te ripa History o to kaitirotiro.
E tika ana hoki pokapū tohu "Medium Global Root CA".
He aha nga mahi hei mahi i nga mea katoa mena he kaiwhakahaere punaha koe:
Me tuku ano e koe te tiwhikete mo to ratonga i runga i te wharangi (Kei te waatea noa te ratonga i te whatunga Waenga).
Tiwhikete Haumarutanga mo ia kaainga - me pehea te hanga i taau ake ratonga i runga i te whatunga Yggdrasil me te tuku i tetahi tiwhikete SSL whaimana mo tera
Na te tipu o te maha o nga ratonga ipurangiroto i runga i te whatunga Waenga, kua piki ake te hiahia ki te whakaputa i nga tiwhikete haumarutanga hou me te whirihora i a raatau ratonga kia tautokohia e ratou te SSL.
I te mea he rauemi hangarau a Habr, i ia keri hou ka whakaatuhia e tetahi o nga kaupapa kaupapa nga ahuatanga hangarau o te hanganga whatunga Waenga. Hei tauira, kei raro nei nga tohutohu matawhānui mo te tuku tiwhikete SSL mo to ratonga.
Ko nga tauira ka tohu i te ingoa rohe rohe.ygg, me whakakapi ki te ingoa rohe o to ratonga.
Hipanga 1. Hangaia te taviri tūmataiti me nga tawhā Diffie-Hellman
openssl genrsa -out domain.ygg.key 2048Na:
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048Hipanga 2. Waihangahia he tono hainatanga tiwhikete
openssl req -new -key domain.ygg.key -out domain.ygg.csr -config domain.ygg.confIhirangi kōnae domain.ygg.conf:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = RU
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Moscow Oblast
localityName = Locality Name (eg, city)
localityName_default = Kolomna
organizationName = Organization Name (eg, company)
organizationName_default = ACME, Inc.
commonName = Common Name (eg, YOUR name)
commonName_max = 64
commonName_default = *.domain.ygg
[ v3_req ]
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
nsCertType = server
authorityKeyIdentifier = keyid,issuer:always
crlDistributionPoints = URI:http://crl.medium.isp/Medium_Global_Root_CA.crl
authorityInfoAccess = OCSP;URI:http://ocsp.medium.isp
Hipanga 3. Tukuna he tono tiwhikete
Ki te mahi i tenei, kape i nga ihirangi o te konae domain.ygg.csr ka whakapiri ki te mara kuputuhi i runga i te pae .
A pee i nga tohutohu kei runga i te paetukutuku, ka paato "Tukuna". Ki te angitu, ka tukuna he karere ki te wahitau imeera i tohua e koe kei roto he taapiri i te ahua o te tiwhikete i hainatia e tetahi mana tohu takawaenga.
Hipanga 4. Whakaritehia to tūmau tukutuku
Mena kei te whakamahi koe i te nginx hei tūmau tukutuku, whakamahia te whirihoranga e whai ake nei:
kōnae domain.ygg.conf i roto i te whaiaronga /etc/nginx/pae-wātea/
server {
listen [::]:80;
listen [::]:443 ssl;
root /var/www/domain.ygg;
index index.php index.html index.htm index.nginx-debian.html;
server_name domain.ygg;
include snippets/domain.ygg.conf;
include snippets/ssl-params.conf;
location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt { log_not_found off; access_log off; allow all; }
location ~* .(css|gif|ico|jpeg|jpg|js|png)$ {
expires max;
log_not_found off;
}
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ .php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
location ~ /.ht {
deny all;
}
}
kōnae ssl-params.conf i roto i te whaiaronga /etc/nginx/snippets/
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=15552000; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
kōnae domain.ygg.conf i roto i te whaiaronga /etc/nginx/snippets/
ssl_certificate /etc/ssl/certs/domain.ygg.crt;
ssl_certificate_key /etc/ssl/private/domain.ygg.key;
Ko te tiwhikete i whakawhiwhia ki a koe ma te imeera me kape ki: /etc/ssl/certs/domain.ygg.crt. Kī tūmataiti (domain.ygg.key) tuu ki roto i te whaiaronga /etc/ssl/private/.
Hipanga 5. Tīmataria anō tō tūmau tukutuku
sudo service nginx restartKo te Ipurangi koreutu i Russia ka timata ki a koe
Ka taea e koe te whakarato i nga awhina katoa mo te whakatuu Ipurangi koreutu i Russia i tenei ra. Kua whakahiatohia e matou he rarangi matawhānui mo te pehea e taea ai e koe te awhina i te whatunga:
- Korero ki o hoa me o hoa mahi mo te whatunga Waenga. Tiria ki tenei tuhinga i runga i nga whatunga hapori, i te rangitaki whaiaro ranei
- Me whai waahi ki te korerorero mo nga take hangarau i runga i te whatunga Waenga
- Waihangahia to ratonga tukutuku ki te whatunga Yggdrasil ka taapiri atu ki
- Whakaarahia to ki te whatunga Waenga
Tuhinga o mua:
Pānuihia hoki:
Kei runga matou i Telegram:
Ko nga kaiwhakamahi kua rehita anake ka uru ki te rangahau. tēnā.
Pooti rereke: he mea nui kia mohio tatou ki nga whakaaro o te hunga karekau he kaute katoa mo Habré
-
↑
-
↓
7 nga kaiwhakamahi i pooti. 2 nga kaiwhakamahi i aukati.
Source: will.com