Two-factor authentication on a website using a USB token. Now on Linux too
In one of our previous articles we discussed the importance of two-factor authentication on corporate portals. Last time we showed how to set up secure authentication in the IIS web server.
In the comments, we were asked to write instructions for the most common web servers on Linux: nginx and Apache.
You asked, we wrote.
What do you need to get started?
A modern Linux distribution. I ran the tests on MX Linux 18.2_x64. This is of course not a server distribution, but there are unlikely to be any differences for Debian. For other distributions, the paths to libraries and configuration files may differ slightly.
A token. We continue to use the Rutoken EDS PKI model, which is well suited to corporate use in terms of its speed characteristics.
To work with the token on Linux, you need to install the following packages:
libccid libpcsclite1 pcscd pcsc-tools opensc
Issuing certificates
In previous articles, we relied on the server and client certificates being issued by Microsoft CA. But since we are setting everything up on Linux, we will also describe an alternative way to issue these certificates without leaving Linux.
We will use XCA as the CA (https://hohnstaedt.de/xca/), which is available on any modern Linux distribution. Everything we do in XCA can also be done from the command line using the OpenSSL and pkcs11-tool utilities, but for simplicity and clarity we do not give those commands in this article.
Getting started
Install:
$ apt-get install xca
And run:
$ xca
We create our CA database: /root/CA.xdb
We recommend storing the Certificate Authority database in a folder that only the administrator can access. This is important for protecting the private keys of the root certificates, which are used to sign all other certificates.
Create the keys and the root CA certificate
A Public Key Infrastructure (PKI) is based on a hierarchical system. The main element of this system is the root certification authority, or root CA. Its certificate must be created first.
We create an RSA-2048 private key for the CA. To do this, on the Private Keys tab click New Key and select the appropriate type.
Set a name for the new key pair. I called it CA Key.
We issue the CA certificate itself, using the key pair we created. To do this, go to the Certificates tab and click New Certificate.
ssl_verify_client - specifies that the certificate's chain of trust must be verified.
ssl_verify_depth - defines the search depth for the trusted root certificate in the chain. Since our client certificate is signed directly by the root certificate, the depth is set to 1. If the user's certificate is signed by an intermediate CA, then 2 must be specified in this parameter, and so on.
ssl_client_certificate - specifies the path to the trusted root certificate, which is used when checking trust in the user's certificate.
ssl_certificate/ssl_certificate_key - specify the path to the server certificate/private key.
Don't forget to run nginx -t to check that there are no typos in the config, that all the files are in the right place, and so on.
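The root CA steps and the client certificate check described above can be reproduced on the command line with OpenSSL. This is an added example, not part of the original article: it creates an RSA-2048 root CA, issues a client certificate signed directly by it, and checks that certificate against the trusted root. The file names (pki.cnf, RootCA, OtherCA, alice), extension sections and lifetimes are assumptions, and the client key is written to disk here rather than generated on the token.

```shell
#!/bin/sh
set -eu
# Minimal OpenSSL config (assumed name pki.cnf) so results do not depend on the system openssl.cnf.
write_cnf() {
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[client_ext]
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Root CA: RSA-2048 key, readable by its owner only, plus a self-signed certificate.
make_root_ca() {   # $1 = directory, $2 = CA name
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    chmod 600 "$1/$2.key"
    openssl req -x509 -new -key "$1/$2.key" -sha256 -days 3650 \
        -config "$1/pki.cnf" -extensions ca_ext -subj "/CN=$2" -out "$1/$2.crt"
}

# Client certificate signed directly by the root CA (no intermediate CA).
issue_client() {   # $1 = directory, $2 = CA name, $3 = user name
    openssl genrsa -out "$1/$3.key" 2048 2>/dev/null
    openssl req -new -key "$1/$3.key" -config "$1/pki.cnf" -subj "/CN=$3" -out "$1/$3.csr"
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$1/pki.cnf" \
        -extensions client_ext -out "$1/$3.crt" 2>/dev/null
}

# Exit status 0 only if the client certificate chains to the given trusted root.
verify_client() {  # $1 = trusted CA certificate, $2 = client certificate
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d); write_cnf "$d"
    make_root_ca "$d" RootCA; make_root_ca "$d" OtherCA
    issue_client "$d" RootCA alice
    verify_client "$d/RootCA.crt" "$d/alice.crt" && echo "RootCA: client accepted"
    verify_client "$d/OtherCA.crt" "$d/alice.crt" || echo "OtherCA: client rejected"
    rm -rf "$d"
}
demo
```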
Now let's go in with the token. Firefox prompts us to select the certificate to present to the server. We select our certificate.
PROFIT!
The setup is done once, and as you can see in the certificate request window, we can save our choice. After that, each time we log in to the portal we only need to insert the token and enter the user PIN code that was set when the token was formatted. After such authentication, the server already knows which user has logged in, and you no longer need to create any additional windows for verification but can let the user into their account right away.
Apache
As with nginx, no one should have any trouble installing apache. If you don't know how to install this web server, just use the official documentation.
And we begin setting up our HTTPS with two-factor authentication:
First you need to enable mod_ssl:
$ a2enmod ssl
Then enable the site's default HTTPS settings:
SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile /etc/apache2/sites-enabled/Server.crt
SSLCertificateKeyFile /etc/apache2/sites-enabled/ServerKey.pem
SSLCACertificateFile /etc/apache2/sites-enabled/CA.crt
SSLVerifyClient require
SSLVerifyDepth 10
As you can see, the names of the parameters match the names of the parameters in nginx, so I won't explain them. Again, anyone interested in the details is welcome to consult the documentation.
Now we restart our server:
$ service apache2 reload
$ service apache2 restart
As you can see, setting up two-factor authentication on any web server, whether on Windows or Linux, takes an hour. And setting up the browsers takes about 5 minutes. Many people think that setting up and working with two-factor authentication is difficult and obscure. I hope our article dispels this myth, at least a little.