Medium Weekly Digest #5 (9 - 16 August 2019)

We hear the phrase "national security" all the time, but when the government starts monitoring our communications and recording them without reasonable suspicion, legal basis or purpose, we have to ask ourselves: are they really protecting the security of the nation, or are they protecting their own?

- Edward Snowden

This digest is intended to raise public interest in the issue of privacy, which, in the light of recent events, is becoming more relevant than ever.

Agenda:

  • Enthusiasts from the community of the decentralized Internet provider "Medium" are building their own search engine
  • Medium has set up a new certification authority, Medium Global Root CA. Who will the change affect?
  • Security certificates for every home: how to create your own service on the Yggdrasil network and issue it a valid SSL certificate


Remind me: what is "Medium"?

Medium (from the English medium, "intermediary"; original slogan: Don't ask for your privacy. Take it back; the English word medium also means "middle") is a Russian decentralized Internet provider that provides access to the Yggdrasil network free of charge.

Full name: Medium Internet Service Provider. Initially the project was conceived as a mesh network in the Kolomna district.

It was created in April 2019 as part of building an independent communication environment: end users are given access to the resources of the Yggdrasil network over Wi-Fi.

More on the topic: "Everything you wanted to know about the decentralized Internet provider Medium, but were afraid to ask"

Enthusiasts from the community of the decentralized Internet provider "Medium" are building their own search engine

Initially the Yggdrasil network, which the Medium ISP uses as its transport, had neither a DNS server of its own nor a public key infrastructure; however, the need to issue security certificates for the web services of the Medium network ended up solving both of these problems.

Why would you need a PKI if Yggdrasil out of the box provides end-to-end encryption between peers? There is no need to use HTTPS to connect to web services on the Yggdrasil network if you connect to them from a node that itself runs Yggdrasil locally.

Indeed: Yggdrasil's transport is an end-to-end protocol that lets you use resources inside the Yggdrasil network safely; the possibility of a MITM attack is completely excluded.

The situation changes significantly if you access Yggdrasil intranet resources not directly, but through an intermediary: a Medium network access point, which is managed by its operator.

In this case, who can compromise the data you transmit:

  1. The access point's operator. Obviously, the current operator of a Medium network access point can listen to the unencrypted traffic passing through his equipment.
  2. An intruder (man in the middle). Medium has a problem similar to that of the Tor network, only related to entry and intermediate nodes.

Solution: to access web services within the Yggdrasil network, use the HTTPS protocol (layer 7 of the OSI model). The problem is that a genuine security certificate for Yggdrasil network services cannot be issued through the usual means such as Let's Encrypt.

Therefore we built our own certification authority: "Medium Global Root CA". The overwhelming majority of Medium network services are signed by the root security certificate of the intermediate certification authority "Medium Domain Validation Secure Server CA".


The possibility of the certification authority's root certificate being compromised was, of course, considered, but here the certificate is needed above all to verify the integrity of the data transfer and to rule out MITM attacks.

The Medium network's web services, run by different operators, have different security certificates, one way or another signed by the certification authority. However, the Root CA operators cannot eavesdrop on the encrypted traffic of the services whose security certificates they signed (see "What is a CSR?").

Those especially concerned about their security can use methods such as PGP and the like as additional protection.

At present, the Medium network's public key infrastructure can check the status of a certificate using the OCSP protocol or using a CRL.

Closer to the point

User @NXShock has begun developing a search engine for the web services located on the Yggdrasil network. An important aspect is that the IPv6 addresses of the services are resolved during a search by sending a query to a DNS server located inside the Medium network.

The main TLD is .ygg. Most domain names use this TLD, with two exceptions: .isp and .gg.

The search engine is still under development, but it can already be used today: just visit the website raadin.dhexdhexaad.isp.

You can help the project by joining its development on GitHub.


Medium has set up a new certification authority, Medium Global Root CA. Who will the change affect?

Yesterday, public testing of the Medium Root CA certification center was completed. Following the test, errors in the operation of the public key infrastructure services were fixed and a new root certificate of the certification authority, "Medium Global Root CA", was created.

All the nuances and features of a PKI were taken into account: the certificate of the new CA "Medium Global Root CA" will now be reissued only after ten years (after its expiry date). Security certificates are now issued only by the intermediate certification authority, for example "Medium Domain Validation Secure Server CA".

What does a certificate's chain of trust look like? The service certificate is signed by the intermediate CA "Medium Domain Validation Secure Server CA", which in turn is signed by the root "Medium Global Root CA".

What you need to do for everything to work if you are a user:

Since some services use HSTS, before using Medium network resources you must clear your browser's stored data for Medium network sites. You can do this on your browser's History page.

You also need to install the new certificate of the certification authority "Medium Global Root CA".

What you need to do for everything to work if you are a service operator:

You need to reissue your service's certificate on the site pki.dhexdhexaad.isp (the service is only available from inside the Medium network).

Security certificates for every home: how to create your own service on the Yggdrasil network and issue it a valid SSL certificate

With the growing number of intranet services on the Medium network, the need to issue new security certificates and to configure those services for SSL has increased.

Since Habr is a technical resource, one agenda item in each new digest will cover a technical feature of the Medium network infrastructure. For example, below are complete instructions for issuing an SSL certificate for your service.

The examples use the domain name domain.ygg, which must be replaced with your service's domain name.

Step 1. Generate a private key and Diffie-Hellman parameters

openssl genrsa -out domain.ygg.key 2048

Then:

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Step 2. Create a certificate signing request

openssl req -new -key domain.ygg.key -out domain.ygg.csr -config domain.ygg.conf

Contents of the domain.ygg.conf file (note that the x509_extensions setting is only applied by openssl req -x509 when it builds a self-signed certificate; a plain CSR would need the section named via req_extensions, and the final extensions are set by the issuing CA in any case):

[ req ]
default_bits                = 2048
distinguished_name          = req_distinguished_name
x509_extensions             = v3_req

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = RU
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Moscow Oblast
localityName                = Locality Name (eg, city)
localityName_default        = Kolomna
organizationName            = Organization Name (eg, company)
organizationName_default    = ACME, Inc.
commonName                  = Common Name (eg, YOUR name)
commonName_max              = 64
commonName_default          = *.domain.ygg

[ v3_req ]
subjectKeyIdentifier        = hash
keyUsage                    = critical, digitalSignature, keyEncipherment
extendedKeyUsage            = serverAuth
basicConstraints            = CA:FALSE
nsCertType                  = server
authorityKeyIdentifier      = keyid,issuer:always
crlDistributionPoints       = URI:http://crl.medium.isp/Medium_Global_Root_CA.crl
authorityInfoAccess         = OCSP;URI:http://ocsp.medium.isp

Step 3. Submit the certificate request

To do this, copy the contents of the domain.ygg.csr file and paste it into the text field on the site pki.dhexdhexaad.isp.

Follow the instructions on the site, then click "Submit". If successful, a message will be sent to the e-mail address you specified, with an attachment containing the certificate signed by the intermediate certification authority.


Step 4. Configure your web server

If you use nginx as your web server, use the following configuration:

File domain.ygg.conf in the directory /etc/nginx/sites-available/

server {
    # Yggdrasil is IPv6-only, so only [::] listeners are needed
    listen [::]:80;
    listen [::]:443 ssl;

    root /var/www/domain.ygg;
    index index.php index.html index.htm index.nginx-debian.html;

    server_name domain.ygg;

    # certificate paths and TLS parameters live in the snippets below
    include snippets/domain.ygg.conf;
    include snippets/ssl-params.conf;

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { log_not_found off; access_log off; allow all; }
    # the dot must be escaped, otherwise "." matches any character
    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    # never serve .htaccess / .htpasswd files
    location ~ /\.ht {
        deny all;
    }
}

File ssl-params.conf in the directory /etc/nginx/snippets/ (TLSv1 and TLSv1.1 are deprecated, so a new deployment can restrict ssl_protocols to TLSv1.2 unless old clients must be supported):

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

add_header Strict-Transport-Security "max-age=15552000; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

File domain.ygg.conf in the directory /etc/nginx/snippets/

ssl_certificate /etc/ssl/certs/domain.ygg.crt;
ssl_certificate_key /etc/ssl/private/domain.ygg.key;

The certificate you received by e-mail must be copied to /etc/ssl/certs/domain.ygg.crt. Put the private key (domain.ygg.key) in the directory /etc/ssl/private/.

Step 5. Restart your web server

sudo service nginx restart
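As an added example (not from the digest or the Medium project), a POSIX shell check to run after Step 3 and before Step 4: it confirms that the certificate returned by the PKI site matches the key from Step 1, chains to the root through the intermediate, covers the name used in server_name, is not close to expiry, and that the key file is private. It assumes the root and intermediate CA certificates were saved from the PKI site as root.crt and inter.crt (hypothetical file names) and that OpenSSL 1.1.1 or later is installed.

```shell
#!/bin/sh
# Added example, not part of the digest or the Medium project.
# Assumed (hypothetical) local files: root.crt = Medium Global Root CA,
# inter.crt = Medium Domain Validation Secure Server CA.
set -u

# check_cert CERT KEY ROOT INTERMEDIATE HOSTNAME [MIN_DAYS]
# Returns 0 when every check passes, 1 otherwise (the first failure is printed).
check_cert() {
    cert=$1 key=$2 root=$3 inter=$4 host=$5 min_days=${6:-30}

    # 1. The certificate must belong to the private key from Step 1:
    #    both files must yield the same SubjectPublicKeyInfo.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $cert does not match $key"; return 1; }

    # 2. The chain must reach the root via the intermediate, exactly as a
    #    client that has only the root CA installed will validate it.
    openssl verify -CAfile "$root" -untrusted "$inter" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: chain to $root does not verify"; return 1; }

    # 3. The name clients connect to must be covered (SAN, or CN as fallback).
    #    Note: a *.domain.ygg certificate does not cover the bare domain.ygg.
    openssl verify -CAfile "$root" -untrusted "$inter" \
        -verify_hostname "$host" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert is not valid for $host"; return 1; }

    # 4. Not about to expire: reissue on the PKI site is a manual step.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "FAIL: $cert expires within $min_days days"; return 1; }

    # 5. The key that goes into /etc/ssl/private must not be group/world readable.
    case $(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key") in
        600|400) ;;
        *) echo "FAIL: $key permissions are too open"; return 1 ;;
    esac
    return 0
}

# Usage once the files are in place (then test the nginx config from Step 4):
# check_cert /etc/ssl/certs/domain.ygg.crt /etc/ssl/private/domain.ygg.key \
#            root.crt inter.crt domain.ygg && sudo nginx -t
```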

A free Russian Internet starts with you

You can help lay the foundations of a free Russian Internet today. We have prepared a complete list of exactly how you can help the network:

  • Tell your friends and acquaintances about the Medium network. Share a link to this article on social networks or on your personal blog
  • Take part in discussing the technical issues of the Medium network on GitHub
  • Create your own service on the Yggdrasil network and add it to the Medium network's DNS
  • Set up your own Medium network access point

Previous releases:

Medium Weekly Digest #1 (12 - 19 July 2019)
Medium Weekly Digest #2 (19 - 26 July 2019)
Medium Weekly Digest #3 (26 July - 2 August 2019)
Medium Weekly Digest #4 (2 - 9 August 2019)

Also read:

Everything you wanted to know about the decentralized Internet provider Medium, but were afraid to ask
Honey, we're killing the Internet
The decentralized Internet provider "Medium": three months later

We are on Telegram: @medium_isp


Source: www.habr.com
