This article will be useful to those who:
- know what a Client Cert is and understand why websockets are needed in mobile Safari;
- want to publish services on the Internet for a limited circle of people, or only for themselves;
- think that everything has already been done by someone and want to make the world simpler and more secure.
The history of websockets began about 8 years ago. Before that, the technique used was long-polling HTTP requests: the browser sent a request to the server and waited for it to answer something; after the answer it reconnected and waited again. Then websockets appeared.

A few years ago we wrote our own implementation in plain PHP; it could not work over https, because the websocket was a separate connection. Not long ago practically all websocket implementations learned to switch a request to https and to support the Connection: Upgrade handshake.
Once that happened, websockets became an almost indispensable service for SPA applications, because without them it is not easy to deliver anything to the user at the server's initiative (a message published by another user, a new version of a picture, document or presentation that another user is editing right now).
Although Client Certificates have existed for a long time, their support is still poor, because they cause a lot of trouble when you try to authenticate with them. And (perhaps :slightly_smiling_face:) that is why iOS browsers other than Safari do not use them and do not request them from the certificate store. Certificates have many advantages over login/password, ssh keys or closing the relevant ports with a firewall. But that is not what this is about.
On iOS the procedure for installing a certificate is quite simple (nothing special); in general it is done according to instructions, of which there are plenty on the Internet, and the certificate is then available only to the Safari browser. Unfortunately Safari does not know how to use the Client Cert for websockets: the Internet is full of instructions on how to make it do so, but in practice it cannot be achieved.

To deal with websockets we used the scheme: problem / hypotheses / solution.
Problem: there is no websocket support when a request goes to a resource protected by client-certificate authentication in mobile Safari on iOS, nor in the other applications that do support certificates.
Hypotheses:
- It is possible to configure an exception to the certificate requirement (knowing there will be none) for websockets to internal/external resources.
- For websockets, a separate, protected connection can be made using temporary tokens generated during a normal (non-websocket) browser request.
- Temporary tokens can be implemented with a single web server (only its modules and built-in functions).
- Temporary tokens are already implemented as a ready-made Apache module.
- Temporary tokens can be implemented by carefully designing the structure of the interaction.
Expected state after implementation.
Goal of the work: management of services and development must be reachable from an iOS mobile phone without additional software (such as a VPN), and with protection.
Additional goal: save time and resources of the phone (some services generate unnecessary requests when they have no websocket) and speed up content delivery over the mobile Internet.
How to check?
1. Open pages:
— for example, https://teamcity.yourdomain.com in mobile Safari (also available in the desktop version): the websocket connection is established successfully.
— for example, https://teamcity.yourdomain.com/admin/admin.html?item=diagnostics&tab=webS…: shows ping/pong.
— for example, https://rancher.yourdomain.com/p/c-84bnv:p-vkszd/workload/deployment:danidb:ph… -> view logs: shows the container logs.
2. Or in the browser's developer console:

Testing the hypotheses:
1. It is possible to configure an exception to the certificate requirement (knowing there will be none) for websockets to internal/external resources.
Two solutions were found here:
a) Per location:
<Location sock*> SSLVerifyClient optional </Location>
<Location /> SSLVerifyClient require </Location>
i.e. change the access conditions by location.
This approach has some nuances:
- certificate verification happens only after the request has been matched to the proxied resource, i.e. through a renegotiation handshake after the request has already been read. So the proxy first accepts the request and only then cuts it off from the protected service. This is bad, but not critical;
- it does not work with the HTTP/2 protocol: HTTP/2 forbids TLS renegotiation, and the TLS 1.3 post-handshake authentication that is meant to replace it was still experimental at the time and the developers themselves had not worked out how to do it (#info about tls1.3 http2 post handshake; does not work now);
- it is not clear how to combine this with the rest of the configuration.
b) At the base level, allow ssl without a certificate:
SSLVerifyClient require => SSLVerifyClient optional, which lowers the security level of the proxy, since such a connection is now accepted without a certificate. However, access to the published services can then be denied again with this directive:
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
RewriteRule .? - [F]
ErrorDocument 403 "You need a client side certificate issued by CAcert to access this site"
More details are in the referenced article about ssl.
Both options were tested; option "b" was chosen for its usability and compatibility with the HTTP/2 protocol.
Completing the test of this hypothesis took many experiments, in which the following constructs were tried:
<If> = Require = Rewrite
The result is this core design:
SSLVerifyClient optional
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule .? - [F]
#ErrorDocument 403 "You need a client side certificate issued by CAcert to access this site"
#websocket for safari without cert auth
#the Upgrade test must be case-insensitive, like the [NC] on the RewriteCond above
<If "%{SSL:SSL_CLIENT_VERIFY} != 'SUCCESS'">
<If "tolower(%{HTTP:Upgrade}) == 'websocket'">
...
#replace authorization by certificate owner with authorization by protocol name
SSLUserName SSL_PROTOCOL
</If>
</If>
Note that the RewriteCond carries [NC] while an ap_expr string comparison is case-sensitive; without tolower, a client sending "Upgrade: WebSocket" would pass the rewrite filter and skip the inner block entirely. Since authorization by certificate owner (SSLUserName puts the CN into REMOTE_USER) stays in place but no certificate is present, I had to add a user without a certificate whose name is one of the possible SSL_PROTOCOL values (e.g. TLSv1.2) instead of an SSL_CLIENT_S_DN_CN value; see the SSLUserName documentation.

2. For websockets, a separate, protected connection can be made using temporary tokens generated during a normal (non-websocket) browser request.
Based on the previous experience, an extra section has to be added to the configuration so that temporary tokens for the websocket connection are prepared during an ordinary (non-websocket) request.
#preparation: pass a cookie to ourselves through the user's browser
<If "%{SSL:SSL_CLIENT_VERIFY} = 'SUCCESS'">
<If "tolower(%{HTTP:Upgrade}) != 'websocket'">
Header set Set-Cookie "websocket-allowed=true; path=/; Max-Age=100"
</If>
</If>
#check the cookie when the websocket connection is established
<If "%{SSL:SSL_CLIENT_VERIFY} != 'SUCCESS'">
<If "tolower(%{HTTP:Upgrade}) == 'websocket'">
#check that the cookie exists; any one of these three forms will do
#get it into an environment variable
SetEnvIf Cookie "websocket-allowed=(.*)" env-var-name=$1
#or a rewrite rule
RewriteCond %{HTTP_COOKIE} !^.*mycookie.*$
#or an <If> block
<If "%{HTTP_COOKIE} =~ /(^|; )cookie-name\s*=\s*some-val(;|$)/">
</If>
</If>
</If>
Tests showed that this works: a cookie can be handed to yourself through the user's browser. A fixed value such as websocket-allowed=true is of course trivially forged by anyone, which is what the next hypothesis addresses.
3. Temporary tokens can be implemented with a single web server (only its modules and built-in functions).
As we already know, Apache has plenty of built-in functions from which you can build things. But we need a way to protect our data while it sits in the user's browser, so let us fix what we store and why, and which built-in functions we will use:
- we need a token that is not easy to forge;
- we need a token that is signed and whose expiry the server can check;
- we need a token that is bound to the owner of the certificate.
This requires a hash function, a salt and an expiry date. According to the documentation we get all of this out of the box: sha1 and %{TIME}.
The resulting design is this:
#no certificate, and the request is for a websocket
<If "%{SSL:SSL_CLIENT_VERIFY} != 'SUCCESS'">
<If "tolower(%{HTTP:Upgrade}) == 'websocket'">
SetEnvIf Cookie "zt-cert-sha1=([^;]+)" zt-cert-sha1=$1
SetEnvIf Cookie "zt-cert-uid=([^;]+)" zt-cert-uid=$1
SetEnvIf Cookie "zt-cert-date=([^;]+)" zt-cert-date=$1
#this is the only way to work with the variables obtained from env at this point; they are not available anywhere else to the hashing function (individually yes, but not together, and not with hashing on top)
<RequireAll>
Require expr %{sha1:salt1%{env:zt-cert-date}salt3%{env:zt-cert-uid}salt2} == %{env:zt-cert-sha1}
Require expr %{env:zt-cert-sha1} =~ /^.{40}$/
</RequireAll>
</If>
</If>
#there is a certificate, and the request is not a websocket
<If "%{SSL:SSL_CLIENT_VERIFY} = 'SUCCESS'">
<If "tolower(%{HTTP:Upgrade}) != 'websocket'">
SetEnvIf Cookie "zt-cert-sha1=([^;]+)" HAVE_zt-cert-sha1=$1
SetEnv zt_cert "path=/; HttpOnly;Secure;SameSite=Strict"
#new cookies are set only if there are no old ones
Header add Set-Cookie "expr=zt-cert-sha1=%{sha1:salt1%{TIME}salt3%{SSL_CLIENT_S_DN_CN}salt2};%{env:zt_cert}" env=!HAVE_zt-cert-sha1
Header add Set-Cookie "expr=zt-cert-uid=%{SSL_CLIENT_S_DN_CN};%{env:zt_cert}" env=!HAVE_zt-cert-sha1
Header add Set-Cookie "expr=zt-cert-date=%{TIME};%{env:zt_cert}" env=!HAVE_zt-cert-sha1
</If>
</If>
The goal is reached, but there is a problem with operating it (a cookie a year old is still accepted, because nothing compares zt-cert-date with the current time), so the tokens, while acceptable for internal use, are not acceptable for business (mass) use.

4. Temporary tokens are already implemented as a ready-made Apache module.
One important problem remained from the previous approach: the inability to control the age of the token.
We looked for a ready-made module that does this, searching for: apache token json two factor auth
Yes, there are ready-made modules, but they are all tied to special actions and have their own peculiarities in starting a session and extra cookies. In other words, not something to set up quickly.
We spent five hours searching without finding a definite solution.
5. Temporary tokens can be implemented by carefully designing the structure of the interaction.
The ready-made modules are too complex, since only a couple of functions are needed.
So, the problem with the date: Apache does not allow constructing a date in the future, and the built-in functions have no addition/subtraction to use when checking for expiry.
That is, you cannot write:
(%{env:zt-cert-date} + 30) > %{DATE}
You can only compare two numbers.
While searching for a solution to the Safari problem I came across an interesting article describing a code example in Lua for Nginx; as it turned out, it reproduces the part of the configuration we had already implemented, except that it uses HMAC with a secret as the hashing method (not available in Apache's expressions).
It became clear that Lua is a language with clear logic, and that something simple could be done for Apache too. After studying the differences between Nginx and Apache and what is available from mod_lua, we found a way to set variables from a small Lua file so that a future date can be produced and compared with the current one.
This is the simple Lua handler:
require 'apache2'
function handler(r)
    -- same layout as Apache's %{TIME}, so the values can be compared with -ge
    local fmt = '%Y%m%d%H%M%S'
    local timeout = 3600 -- 1 hour; token lifetime in seconds
    -- request notes are visible to ap_expr through env('name') / %{env:name}
    r.notes['zt-cert-timeout'] = timeout
    r.notes['zt-cert-date-next'] = os.date(fmt,os.time()+timeout)
    r.notes['zt-cert-date-halfnext'] = os.date(fmt,os.time()+ (timeout/2))
    r.notes['zt-cert-date-now'] = os.date(fmt,os.time())
    return apache2.OK
end
And this is how it all works together, with a fixed number of cookies and rotation of the token once half of the lifetime of the old cookie (token) has elapsed:
SSLVerifyClient optional
#LuaScope thread
#generate the request notes zt-cert-date-next, zt-cert-date-halfnext, zt-cert-date-now, zt-cert-timeout
LuaHookAccessChecker /usr/local/etc/apache24/sslincludes/websocket_token.lua handler early
#without a certificate, forbid anything except a websocket
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule .? - [F]
#ErrorDocument 403 "You need a client side certificate issued by CAcert to access this site"
#websocket for safari without certauth
#the Upgrade test must be case-insensitive like the [NC] above; with a plain = 'websocket' a client sending "Upgrade: WebSocket" would pass the RewriteCond and skip the token check
<If "%{SSL:SSL_CLIENT_VERIFY} != 'SUCCESS'">
<If "tolower(%{HTTP:Upgrade}) == 'websocket'">
#cookie layout: zt-cert=sha1,date-next,date-halfnext,uid
SetEnvIf Cookie "zt-cert=([^,;]+),([^,;]+),[^,;]+,([^,;]+)" zt-cert-sha1=$1 zt-cert-date=$2 zt-cert-uid=$3
<RequireAll>
Require expr %{sha1:salt1%{env:zt-cert-date}salt3%{env:zt-cert-uid}salt2} == %{env:zt-cert-sha1}
Require expr %{env:zt-cert-sha1} =~ /^.{40}$/
Require expr %{env:zt-cert-date} -ge %{env:zt-cert-date-now}
</RequireAll>
#replace authorization by certificate owner with authorization by protocol name
SSLUserName SSL_PROTOCOL
SSLOptions -FakeBasicAuth
</If>
</If>
<If "%{SSL:SSL_CLIENT_VERIFY} = 'SUCCESS'">
<If "tolower(%{HTTP:Upgrade}) != 'websocket'">
SetEnvIf Cookie "zt-cert=([^,;]+),[^,;]+,([^,;]+)" HAVE_zt-cert-sha1=$1 HAVE_zt-cert-date-halfnow=$2
SetEnvIfExpr "env('HAVE_zt-cert-date-halfnow') -ge %{TIME} && env('HAVE_zt-cert-sha1')=~/.{40}/" HAVE_zt-cert-sha1-found=1
Define zt-cert "path=/;Max-Age=%{env:zt-cert-timeout};HttpOnly;Secure;SameSite=Strict"
Define dates_user "%{env:zt-cert-date-next},%{env:zt-cert-date-halfnext},%{SSL_CLIENT_S_DN_CN}"
#the three salt literals must be byte-identical to those in the Require expr above, otherwise no token ever verifies
Header set Set-Cookie "expr=zt-cert=%{sha1:salt1%{env:zt-cert-date-next}salt3%{SSL_CLIENT_S_DN_CN}salt2},${dates_user};${zt-cert}" env=!HAVE_zt-cert-sha1-found
</If>
</If>
This form works:
SetEnvIfExpr "env('HAVE_zt-cert-date-halfnow') -ge %{TIME} && env('HAVE_zt-cert-sha1')=~/.{40}/" HAVE_zt-cert-sha1-found=1
but this one will not:
SetEnvIfExpr "env('HAVE_zt-cert-date-halfnow') -ge env('zt-cert-date-now') && env('HAVE_zt-cert-sha1')=~/.{40}/" HAVE_zt-cert-sha1-found=1
because LuaHookAccessChecker runs only in the access-checker phase, after mod_setenvif has already evaluated SetEnvIfExpr, so the zt-cert-date-now note does not exist yet at that point, while %{TIME} is always available. The Require expr lines run later, in the authorization phase, and do see the notes.
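To make the token scheme of hypotheses 3 and 5 testable without a running httpd (the cookie layout, the sha1 check in the RequireAll block, the expiry comparison, the half-life rotation done by SetEnvIfExpr, and the case-insensitive Upgrade test of the RewriteCond), here is an added example in Python. It is not code from the article, from Apache or from mod_lua; it models what those configuration fragments do. The salt strings are the placeholders from the configuration above, the CN "alice" and the timestamps are constructed test data, and token_hmac shows the HMAC variant that the Nginx/Lua article used and that ap_expr does not offer.

```python
"""Offline model of the zt-cert cookie scheme from the Apache configuration above.

Added example, not code from the article or from Apache. Timestamps are strings in
the %{TIME} layout (YYYYMMDDHHMMSS), exactly what the Lua handler writes into the
request notes, so they compare correctly both as integers (-ge) and as strings.
"""
import hashlib
import hmac
from datetime import datetime, timedelta
from typing import Optional

SALT1, SALT2, SALT3 = "salt1", "salt2", "salt3"  # secret literals from the config (placeholders)
TIMEOUT = 3600                                   # local timeout = 3600 in the Lua handler
FMT = "%Y%m%d%H%M%S"                             # layout of %{TIME} and of os.date(fmt)


def ts_add(ts: str, seconds: int) -> str:
    """Add seconds to a %{TIME}-style timestamp; this is what the Lua handler does with os.time()."""
    return (datetime.strptime(ts, FMT) + timedelta(seconds=seconds)).strftime(FMT)


def token_hash(date_next: str, cn: str) -> str:
    """sha1(salt1 . date-next . salt3 . CN . salt2), as in the %{sha1:...} expression."""
    return hashlib.sha1(f"{SALT1}{date_next}{SALT3}{cn}{SALT2}".encode()).hexdigest()


def token_hmac(date_next: str, cn: str) -> str:
    """The HMAC variant used by the Nginx/Lua article (ap_expr has md5/sha1 but no hmac)."""
    return hmac.new(SALT1.encode(), f"{date_next},{cn}".encode(), "sha256").hexdigest()


def issue_cookie(cn: str, now: str) -> str:
    """Value of the zt-cert cookie set on a certificate-authenticated, non-websocket
    request: sha1,date-next,date-halfnext,CN (the order the SetEnvIf regexes expect)."""
    date_next = ts_add(now, TIMEOUT)
    date_halfnext = ts_add(now, TIMEOUT // 2)
    return f"{token_hash(date_next, cn)},{date_next},{date_halfnext},{cn}"


def needs_reissue(cookie: Optional[str], now: str) -> bool:
    """Mirror of the SetEnvIfExpr rotation check: a fresh cookie is written unless the old
    one is well-formed and less than half its lifetime old (date-halfnext -ge TIME)."""
    if not cookie:
        return True
    parts = cookie.split(",")
    if len(parts) != 4 or len(parts[0]) != 40:   # =~ /.{40}/
        return True
    return parts[2] < now                         # 14-digit timestamps compare as strings


def websocket_allowed(cookie: Optional[str], now: str) -> bool:
    """Mirror of the <RequireAll> block for a websocket request carrying no certificate."""
    if not cookie:
        return False
    parts = cookie.split(",")
    if len(parts) != 4:
        return False
    sha, date_next, _halfnext, cn = parts
    if len(sha) != 40:                            # =~ /^.{40}$/
        return False
    # recompute the hash from the cookie's own date and CN; constant-time compare
    if not hmac.compare_digest(sha.encode(), token_hash(date_next, cn).encode()):
        return False
    return date_next >= now                       # zt-cert-date -ge zt-cert-date-now


def decide(cert_verified: bool, upgrade: Optional[str], cookie: Optional[str], now: str) -> str:
    """Access decision of the whole configuration: 'allow', 'allow-websocket' or 'deny'.
    The Upgrade header is compared case-insensitively, like the [NC] RewriteCond."""
    is_websocket = (upgrade or "").strip().lower() == "websocket"
    if cert_verified:
        return "allow"                            # SSL_CLIENT_VERIFY = SUCCESS
    if not is_websocket:
        return "deny"                             # RewriteRule .? - [F]
    return "allow-websocket" if websocket_allowed(cookie, now) else "deny"
```

decide(False, "WebSocket", cookie, now) is the request that a case-sensitive `<If "%{HTTP:Upgrade} = 'websocket'">` would have let through to the proxy without any token check, because the RewriteCond with [NC] does not reject it; the model lowercases the header so that it reaches the token check instead.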

Link to the source.
One more thing.
In general, it does not matter in which order the directives are written in the Apache configuration (probably the same for Nginx): in the end everything is evaluated according to the request-processing phases, and the Lua script is simply hooked into one of those phases.
Conclusion:
Expected state after implementation (the goal):
management of services and development is reachable from an iOS mobile phone without additional software (VPN), and with protection.
The goal is reached: websockets work, and the level of security is no lower than with a certificate alone. One caveat for anyone reusing this: the zt-cert cookie is a bearer token that permits a websocket upgrade without a certificate for up to zt-cert-timeout, so its protection rests on the HttpOnly, Secure and SameSite=Strict flags and on the salt literals staying secret.

puna: www.habr.com
