How we at ZeroTech got Apple Safari and client certificates to work with websockets
This article will be useful to those who:
know what a Client Cert is and understand why they need websockets in mobile Safari;
want to publish web services for a narrow circle of people, or only for themselves;
believe that everything has already been done by someone else and want the world to be a little more convenient and secure.
The history of websockets began about 8 years ago. Before that, the technique was long-running http requests (strictly speaking, responses): the user's browser sent a request to the server and waited for the server to answer with something; after the answer it reconnected and waited again. Then websockets appeared.
A few years ago we wrote our own implementation in pure PHP, which could not work over https requests, because this is the connection layer. Not long ago practically all web servers learned to proxy requests over https and to support connection: upgrade.
Once that happened, websockets became an almost default service for SPA applications, because it is so convenient to deliver content to the user on the server's initiative (a message from another user, or a new version of an image, document or presentation that someone is editing right now).
Although the Client Certificate has existed for a long time, it remains poorly supported, since it creates many problems for anyone trying to bypass it. And (perhaps 🙂) that is why iOS browsers (all except Safari) do not want to use it and do not request it from the local certificate store. Certificates have many advantages over login/password, ssh keys, or opening the required ports through a firewall. But that is not what this is about.
On iOS the procedure for installing a certificate is fairly simple (not without its subtleties), but it is mostly done by following instructions, of which there are plenty on the Internet and which apply only to the Safari browser. Unfortunately, Safari does not know how to use a Client Cert for websockets; the Internet is full of instructions on how to make such a certificate, but in practice it is unattainable.
To get websockets working we used the following scheme: problem / hypothesis / solution.
Problem: there is no websocket support when proxying requests to resources protected by a client certificate in the iOS Safari browser and in other applications that support certificates.
Hypotheses:
It is possible to configure an exception to the use of certificates (knowing there will be none) for the websockets of internal/external resources.
Temporary sessions can be implemented with a single web proxy server (built-in modules and functions only).
Short-lived tokens have already been implemented as ready-made Apache modules.
Temporary session tokens can be implemented by designing the interaction scheme cleverly.
The state observed after implementation.
Goal of the work: management of services and infrastructure must be accessible from a mobile phone on iOS without additional programs (such as a VPN), in a unified and secure way.
Additional goal: save time and resources / phone traffic (some services without sockets generate unnecessary requests) and deliver content faster over the mobile Internet.
Certificate verification happens after the request to the proxied resource, that is, post-handshake. This means the proxy first opens the request to the protected service and only then cuts it off. This is bad, but not critical;
In the http2 protocol. It is already here, but browser vendors do not yet know how to use it (#info about tls1.3 http2 post handshake: "does not work yet"; Implement RFC 8740 "Using TLS 1.3 with HTTP/2");
b) At the base level, allow ssl without a certificate.
SSLVerifyClient require => SSLVerifyClient optional, but this reduces the security of the proxy server, since such a connection will be processed without a certificate. However, you can again deny access to the proxied resources with these directives:
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
RewriteRule .? - [F]
ErrorDocument 403 "You need a client side certificate issued by CAcert to access this site"
SSLVerifyClient optional
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule .? - [F]
#ErrorDocument 403 "You need a client side certificate issued by CAcert to access this site"
#websocket for safari without cert auth
<If "%{SSL:SSL_CLIENT_VERIFY} != 'SUCCESS'">
    <If "%{HTTP:Upgrade} = 'websocket'">
        ...
        # replace authorization by certificate owner with authorization by protocol number
        SSLUserName SSL_PROTOCOL
    </If>
</If>
Given the authorization by certificate owner that was already in place, but with no certificate present, I needed to substitute one of the available variables, SSL_PROTOCOL (instead of SSL_CLIENT_S_DN_CN), for the missing certificate; see the documentation for details:
We need a token with a built-in expiry and the ability to check that expiry on the server side.
We need a token that is bound to the certificate owner.
This requires a hashing function, a salt, and a date for the token to expire. Going by the Expressions in Apache HTTP Server documentation, we found everything out of the box: sha1 and %{TIME}.
The goal is achieved, but there are problems with expiry on the server side (you can use the Cookie max-age), which means that the tokens, although safe enough for internal use, are unsafe for industrial (mass) use.
4. Short-lived tokens have already been implemented as ready-made Apache modules.
Yes, there are ready-made modules, but all of them are tied to specific things and carry legacy such as session initialization and extra cookies. That is, they are not short-lived.
It took us five hours of research, which produced no concrete result.
5. Short-lived tokens can be implemented by designing the interaction scheme cleverly.
The ready-made modules are overly complex, since we only need a few functions.
While looking for a solution to the Safari problem, I found an interesting article: Securing HomeAssistant with client certificates (works with Safari/iOS).
It describes example code in Lua for Nginx which, as it turned out, largely repeats the ideas of the configuration part we had already implemented, except for its use of hmac salting for hashing (which was not found in Apache).
It turned out that Lua is a fairly understandable language, and that simple things can be done with it for Apache:
We found a way to set env variables from a small Lua file, so as to set a future date to compare against the current one.
This is what the simple Lua script looks like:
require 'apache2'

-- Publishes the dates used by the <If> expressions as request notes
function handler(r)
    local fmt = '%Y%m%d%H%M%S'  -- same layout as Apache %{TIME}
    local timeout = 3600 -- 1 hour
    r.notes['zt-cert-timeout'] = timeout
    r.notes['zt-cert-date-next'] = os.date(fmt, os.time() + timeout)            -- token expiry
    r.notes['zt-cert-date-halfnext'] = os.date(fmt, os.time() + (timeout / 2))  -- renewal point
    r.notes['zt-cert-date-now'] = os.date(fmt, os.time())
    return apache2.OK
end
And this is how it all works together, with the number of cookies kept to a minimum and the token replaced once half of its lifetime has passed, before the old cookie (token) expires:
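The token scheme described above (sha1 over salt, certificate owner and expiry date, with a server-side expiry check and renewal at half-life, as in the Lua script's zt-cert-date-halfnext) modelled in Python as an added example; this is not code from the article or from ZeroTech, and the salt, owner name and timestamps are constructed values. Times are handled in UTC here, whereas Apache %{TIME} and os.date use the server's local time.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed values for the example; the article gives no real salt or owner.
SALT = b"constructed-example-salt"   # server-side secret used to salt the hash
TIMEOUT = 3600                       # 1 hour, matching the Lua script above
FMT = "%Y%m%d%H%M%S"                 # same layout as Apache %{TIME} and os.date(fmt)


def fmt_time(ts: int) -> str:
    """Format a Unix timestamp as a fixed-width YYYYMMDDHHMMSS string (UTC)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime(FMT)


def parse_time(s: str) -> int:
    """Inverse of fmt_time."""
    return int(datetime.strptime(s, FMT).replace(tzinfo=timezone.utc).timestamp())


def make_token(owner: str, expires: str, salt: bytes = SALT) -> str:
    """sha1 over salt + certificate owner (SSL_CLIENT_S_DN_CN) + expiry date."""
    return hashlib.sha1(salt + owner.encode() + expires.encode()).hexdigest()


def issue(owner: str, now: int, timeout: int = TIMEOUT) -> tuple[str, str]:
    """Issue a (token, expires) pair valid for `timeout` seconds from `now`."""
    expires = fmt_time(now + timeout)
    return make_token(owner, expires), expires


def check(owner: str, expires: str, token: str, now: int,
          timeout: int = TIMEOUT) -> str:
    """Return 'reject', 'ok', or 'renew' (still valid, but past its half-life)."""
    # Recompute from the claimed owner and expiry: a forged token, a token
    # belonging to another owner, or a tampered expiry date fails here.
    if not hmac.compare_digest(make_token(owner, expires), token):
        return "reject"
    # Built-in expiry, enforced by the server regardless of the cookie's max-age.
    if expires <= fmt_time(now):          # fixed-width strings compare chronologically
        return "reject"
    # Half of the lifetime has passed: hand out a fresh token before this one dies.
    if now >= parse_time(expires) - timeout // 2:
        return "renew"
    return "ok"
```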