How we at ZeroTech made Apple Safari and client certificates work with websockets

This article will be useful to those who:

  • know what a Client Cert is and understand why it is needed for websockets in mobile Safari;
  • want to publish web services to a limited circle of people, or only to themselves;
  • think that everything has already been done by someone else, and would like to make the world a little more convenient and secure.

The history of websockets began about 8 years ago. Before that, the approach was long http requests (strictly speaking, long responses): the user's browser sent a request to the server and waited for it to answer something; after the answer it reconnected and waited again. But then websockets appeared.


A few years ago we wrote our own implementation in pure PHP, which could not use https requests, since a websocket is a layer on top of the connection. Not so long ago practically all web servers learned to proxy requests over https and to support Connection: upgrade.

Once that happened, websockets became the default technology for SPA applications, because it is so convenient to deliver content to the user on the server's initiative (pushing a message from another user, or loading a new version of an image, document or presentation that someone else is editing right now).

Although Client Cert has existed for a long time, it is still poorly supported, since it causes many problems when you try to bypass it. And (probably :slightly_smiling_face: ) that is why iOS browsers (all except Safari) do not want to use it or request it from the local certificate store. Certificates have many advantages over login/password or ssh keys, or over closing the required ports with a firewall. But that is not what this is about.

On iOS, the procedure for installing a certificate is fairly simple (not without nuances), but in general it is done according to instructions, of which there are many on the Internet, and they are available only for the Safari browser. Unfortunately, Safari does not know how to use a Client Cert for websockets; there are many instructions on the Internet on how to make such a certificate, but in practice this does not work.


To sort out websockets, we used the following scheme: problem / hypothesis / solution.

Problem: there is no websocket support when proxying requests to resources protected by a client certificate in the mobile Safari browser on iOS and on other devices that have certificate support enabled.

Hypotheses:

  1. It is possible to configure an exception to the use of certificates (knowing that there will be none) for websockets of proxied internal/external resources.
  2. For websockets, a unique, secure and protected connection can be made using temporary sessions generated during a regular (non-websocket) request.
  3. Temporary sessions can be implemented with a single proxy server (built-in modules and functions only).
  4. Temporary tokens have already been implemented as ready-made Apache modules.
  5. Temporary tokens can be implemented by logically designing the interaction scheme.

State visible after implementation.

Goal: service management and the base infrastructure should be accessible from a mobile phone on iOS without additional programs (such as a VPN), in a unified and secure way.

Additional goal: saving time and device/mobile traffic (some services other than websockets generate unnecessary requests) thanks to faster delivery of content over the mobile Internet.

How to check?

1. Open the pages:

— for example, https://teamcity.yourdomain.com in the mobile Safari browser (also available in the desktop version): results in a successful websocket connection.
— for example, https://teamcity.yourdomain.com/admin/admin.html?item=diagnostics&tab=webS…: shows ping/pong.
— for example, https://rancher.yourdomain.com/p/c-84bnv:p-vkszd/workload/deployment:danidb:ph… -> viewlogs: shows the container logs.

2. Or in the developer console:


Hypothesis testing:

1. It is possible to configure an exception to the use of certificates (knowing that there will be none) for websockets of proxied internal/external resources.

Two solutions were found here:

a) At the Location level

<Location sock*>
    SSLVerifyClient optional
</Location>
<Location />
    SSLVerifyClient require
</Location>

i.e. change the access level per location.

This approach has the following nuances:

  • Certificate verification happens after the request to the proxied resource, i.e. it is a post-handshake request. This means the proxy will first load and then drop the request to the protected service. That is bad, but not critical;
  • With the http2 protocol. The issue is still open, and browser vendors have not implemented it (#info about tls1.3 http2 post handshake: not working right now; implement RFC 8740 "Using TLS 1.3 with HTTP/2");
  • It is not clear how to unify this functionality.

b) At the base level, allow ssl without a certificate.

SSLVerifyClient require => SSLVerifyClient optional, but this lowers the security level of the proxy server, since such a connection will be processed without a certificate. Nevertheless, you can deny access to the proxied services with the following directives:

RewriteEngine        on
RewriteCond     %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
RewriteRule     .? - [F]
ErrorDocument 403 "You need a client side certificate issued by CAcert to access this site"

More details can be found in the article about ssl: Apache Server Client Certificate Authentication

Both options were tested; option "b" was chosen for its flexibility and compatibility with the http2 protocol.

To finish testing this hypothesis, many experiments with the configuration were needed; the following constructs were tried:

if = require = rewrite

The result is the following basic configuration:

SSLVerifyClient optional
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule     .? - [F]
#ErrorDocument 403 "You need a client side certificate issued by CAcert to access this site"

#websocket for safari without cert auth
<If "%{SSL:SSL_CLIENT_VERIFY} != 'SUCCESS'">
<If "%{HTTP:Upgrade} = 'websocket'">
...
    #replace authorization by certificate owner with authorization by protocol version
    SSLUserName SSL_PROTOCOL
</If>
</If>

While keeping the existing authorization by certificate owner, but with the certificate absent, I had to substitute the absent certificate owner with one of the available variables, SSL_PROTOCOL (instead of SSL_CLIENT_S_DN_CN); more details are in the documentation:

Apache Module mod_ssl


2. For websockets, a unique, secure and protected connection can be made using temporary sessions generated during a regular (non-websocket) request.

Based on the previous experience, another section needs to be added to the configuration in order to prepare temporary tokens for websocket connections during a regular (non-websocket) request.

#prepare: pass a Cookie to ourselves through the user's browser
<If "%{SSL:SSL_CLIENT_VERIFY} = 'SUCCESS'">
<If "%{HTTP:Upgrade} != 'websocket'">
Header set Set-Cookie "websocket-allowed=true; path=/; Max-Age=100"
</If>
</If>

#check the Cookie to allow a websocket connection to be established
<If "%{SSL:SSL_CLIENT_VERIFY} != 'SUCCESS'">
<If "%{HTTP:Upgrade} = 'websocket'">
#check that the cookie exists

#get it and check it
SetEnvIf Cookie "websocket-allowed=(.*)" env-var-name=$1

#or a rewrite rule
RewriteCond %{HTTP_COOKIE} !^.*mycookie.*$

#or an If block
<If "%{HTTP_COOKIE} =~ /(^|; )cookie-name\s*=\s*some-val(;|$)/">
</If>

</If>
</If>

Tests showed that it works. It is possible to pass Cookies to yourself through the user's browser.

3. Temporary sessions can be implemented with a single web proxy (built-in modules and functions only).

As we found out earlier, Apache has a lot of basic functionality that allows conditional constructs to be built. However, we need a way to protect our information while it sits in the user's browser, so we determine what we store and why, and which built-in functions we will use:

  • We need a token that cannot be easily decoded.
  • We need a token with built-in expiry and the ability to check expiration on the server.
  • We need a token that is bound to the certificate owner.

This requires a hashing function, a salt, and a token expiration date. Based on the documentation Expressions in Apache HTTP Server we have everything out of the box: sha1 and %{TIME}.

The result was this configuration:

#no certificate, and a websocket request
<If "%{SSL:SSL_CLIENT_VERIFY} != 'SUCCESS'">
<If "%{HTTP:Upgrade} = 'websocket'">
    SetEnvIf Cookie "zt-cert-sha1=([^;]+)" zt-cert-sha1=$1
    SetEnvIf Cookie "zt-cert-uid=([^;]+)" zt-cert-uid=$1
    SetEnvIf Cookie "zt-cert-date=([^;]+)" zt-cert-date=$1

#this is the only way to work with the variables obtained in env at this point in time; they are not available anywhere else to the hash function (separately yes, but not together, and certainly not with hashing)
    <RequireAll>
        Require expr %{sha1:salt1%{env:zt-cert-date}salt3%{env:zt-cert-uid}salt2} == %{env:zt-cert-sha1}
        Require expr %{env:zt-cert-sha1} =~ /^.{40}$/
    </RequireAll>
</If>
</If>

#there is a certificate, and a non-websocket request
<If "%{SSL:SSL_CLIENT_VERIFY} = 'SUCCESS'">
<If "%{HTTP:Upgrade} != 'websocket'">
    SetEnvIf Cookie "zt-cert-sha1=([^;]+)" HAVE_zt-cert-sha1=$1

    SetEnv zt_cert "path=/; HttpOnly;Secure;SameSite=Strict"
#new cookies are set only if there are no old ones
    Header add Set-Cookie "expr=zt-cert-sha1=%{sha1:salt1%{TIME}salt3%{SSL_CLIENT_S_DN_CN}salt2};%{env:zt_cert}" env=!HAVE_zt-cert-sha1
    Header add Set-Cookie "expr=zt-cert-uid=%{SSL_CLIENT_S_DN_CN};%{env:zt_cert}" env=!HAVE_zt-cert-sha1
    Header add Set-Cookie "expr=zt-cert-date=%{TIME};%{env:zt_cert}" env=!HAVE_zt-cert-sha1
</If>
</If>

The goal has been achieved, but there are problems with expiry on the server side (a Cookie can be used for many years), meaning that the tokens, while safe for internal use, are not safe for industrial (heavy) use.


4. Temporary tokens have already been implemented as ready-made Apache modules.

One important problem remained from the previous iteration: the inability to control token aging.

Let's look for a ready-made module that does this, using the keywords: apache token json two factor auth

Yes, there are ready-made modules, but all of them are tied to specific actions and have artifacts in the form of session initiation and additional Cookies. That is, they are not temporary.
Searching took us five hours and did not give a clear result.

5. Temporary tokens can be implemented by logically designing the interaction scheme.

Ready-made modules are too complex, because we need only a few functions.

That said, the problem with the date is that Apache's built-in functions do not allow a date in the future to be generated, and there is no addition/subtraction of numbers in the built-in functions when checking for expiry.

That is, you cannot write:

(%{env:zt-cert-date} + 30) > %{DATE}

You can only compare two numbers.

While looking for a way to solve the Safari problem, I found an interesting article: Securing HomeAssistant with client certificates (works with Safari/iOS)
It describes a code example in Lua for Nginx, and, as it turned out, it repeats the idea of the part of the configuration we had already implemented, except for the use of hmac salting for hashing (this is not available in Apache).

It became clear that Lua is a language with a logical basis, and it is possible to make something simple for Apache too:

After studying the difference between Nginx and Apache:

And the functions available from the creator of the Lua language:
22.1 - Date and Time

We found a way to set the required env variables in a small Lua file in order to set a date in the future to compare with the current one.

This is what the simple Lua script looks like:

require 'apache2'

function handler(r)
    local fmt = '%Y%m%d%H%M%S'
    local timeout = 3600 -- 1 hour

    r.notes['zt-cert-timeout'] = timeout
    r.notes['zt-cert-date-next'] = os.date(fmt,os.time()+timeout)
    r.notes['zt-cert-date-halfnext'] = os.date(fmt,os.time()+ (timeout/2))
    r.notes['zt-cert-date-now'] = os.date(fmt,os.time())

    return apache2.OK
end

And here is how it all works together, with an optimized number of Cookies and token replacement when the half-life is reached, before the old Cookie (token) expires:

SSLVerifyClient optional

#LuaScope thread
#generate event variables zt-cert-date-next
LuaHookAccessChecker /usr/local/etc/apache24/sslincludes/websocket_token.lua handler early

#without a certificate, deny anything other than websocket
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule     .? - [F]
#ErrorDocument 403 "You need a client side certificate issued by CAcert to access this site"

#websocket for safari without certauth
<If "%{SSL:SSL_CLIENT_VERIFY} != 'SUCCESS'">
<If "%{HTTP:Upgrade} = 'websocket'">
    SetEnvIf Cookie "zt-cert=([^,;]+),([^,;]+),[^,;]+,([^,;]+)" zt-cert-sha1=$1 zt-cert-date=$2 zt-cert-uid=$3

    <RequireAll>
        Require expr %{sha1:salt1%{env:zt-cert-date}salt3%{env:zt-cert-uid}salt2} == %{env:zt-cert-sha1}
        Require expr %{env:zt-cert-sha1} =~ /^.{40}$/
        Require expr %{env:zt-cert-date} -ge %{env:zt-cert-date-now}
    </RequireAll>

    #replace authorization by certificate owner with authorization by protocol version
    SSLUserName SSL_PROTOCOL
    SSLOptions -FakeBasicAuth
</If>
</If>

<If "%{SSL:SSL_CLIENT_VERIFY} = 'SUCCESS'">
<If "%{HTTP:Upgrade} != 'websocket'">
    SetEnvIf Cookie "zt-cert=([^,;]+),[^,;]+,([^,;]+)" HAVE_zt-cert-sha1=$1 HAVE_zt-cert-date-halfnow=$2
    SetEnvIfExpr "env('HAVE_zt-cert-date-halfnow') -ge %{TIME} && env('HAVE_zt-cert-sha1')=~/.{40}/" HAVE_zt-cert-sha1-found=1

    Define zt-cert "path=/;Max-Age=%{env:zt-cert-timeout};HttpOnly;Secure;SameSite=Strict"
    Define dates_user "%{env:zt-cert-date-next},%{env:zt-cert-date-halfnext},%{SSL_CLIENT_S_DN_CN}"
    #the salt order must match the Require expr above (salt1, salt3, salt2), otherwise the hash never verifies
    Header set Set-Cookie "expr=zt-cert=%{sha1:salt1%{env:zt-cert-date-next}salt3%{SSL_CLIENT_S_DN_CN}salt2},${dates_user};${zt-cert}" env=!HAVE_zt-cert-sha1-found
</If>
</If>
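The token logic in the two configurations above (the three-cookie version under hypothesis 3 and the single-cookie version with the Lua-supplied dates) can be modelled outside Apache to check it behaves as intended. The following Python script is an added example and is not ZeroTech's code: it reproduces the sha1 construction, the cookie layout matched by the SetEnvIf pattern, the RequireAll checks and the half-life refresh decision, with the page's placeholder salts, constructed timestamps in the %{TIME} format, and a constructed client name in place of SSL_CLIENT_S_DN_CN. The HMAC function at the end is the standard keyed construction the Nginx/Lua article uses, included only for comparison; Apache's expression parser does not provide it.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta

# Values as they appear in the Apache configuration above. The salts are the page's
# placeholders; in a real deployment they must be long random secrets known only to
# the proxy, because anyone who knows them can forge a token for any CN and date.
FMT = "%Y%m%d%H%M%S"          # os.date format used by the Lua hook; same shape as %{TIME}
TIMEOUT = 3600                # zt-cert-timeout from the Lua hook, in seconds
SALT1, SALT3, SALT2 = "salt1", "salt3", "salt2"

# Same fields as: SetEnvIf Cookie "zt-cert=([^,;]+),([^,;]+),[^,;]+,([^,;]+)"
COOKIE_RE = re.compile(r"zt-cert=([^,;]+),([^,;]+),([^,;]+),([^,;]+)")


def token(date_next: str, uid: str) -> str:
    """%{sha1:salt1<date-next>salt3<SSL_CLIENT_S_DN_CN>salt2} from the Header directive."""
    return hashlib.sha1(f"{SALT1}{date_next}{SALT3}{uid}{SALT2}".encode()).hexdigest()


def issue_cookie(uid: str, now_ts: str) -> str:
    """Set-Cookie value from the 'certificate present, not a websocket' block:
    zt-cert=<sha1>,<date-next>,<date-halfnext>,<CN>. now_ts is a %{TIME}-style stamp."""
    base = datetime.strptime(now_ts, FMT)
    date_next = (base + timedelta(seconds=TIMEOUT)).strftime(FMT)
    date_half = (base + timedelta(seconds=TIMEOUT // 2)).strftime(FMT)
    return f"zt-cert={token(date_next, uid)},{date_next},{date_half},{uid}"


def _parse(cookie_header: str):
    """Extract the four comma-separated fields, or None if the cookie is absent/malformed."""
    m = COOKIE_RE.search(cookie_header or "")
    return m.groups() if m else None


def needs_refresh(cookie_header: str, now_ts: str) -> bool:
    """The SetEnvIfExpr guard: a 40-char token whose half-time has not yet passed sets
    HAVE_zt-cert-sha1-found, and then no new Set-Cookie is sent."""
    fields = _parse(cookie_header)
    if fields is None:
        return True
    sha, _date_next, date_half, _uid = fields
    found = date_half.isdigit() and int(date_half) >= int(now_ts) and len(sha) == 40
    return not found


def verify_websocket(cookie_header: str, now_ts: str) -> bool:
    """RequireAll in the 'no certificate, websocket upgrade' block: the hash recomputed
    from the cookie's own date and CN must match, be 40 chars, and date-next -ge now."""
    fields = _parse(cookie_header)
    if fields is None:
        return False
    sha, date_next, _date_half, uid = fields
    if not (date_next.isdigit() and len(sha) == 40):
        return False
    # Apache compares the strings with ==; compare_digest is the habit to keep
    # when the same check is reimplemented in application code.
    return hmac.compare_digest(token(date_next, uid), sha) and int(date_next) >= int(now_ts)


def token_hmac(date_next: str, uid: str, key: bytes) -> str:
    """Keyed construction used by the Nginx/Lua article; the salted sha1 above is a
    stand-in for this, since Apache expressions offer sha1 but no hmac."""
    return hmac.new(key, f"{date_next},{uid}".encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed clock and client name; Apache takes them from %{TIME} (or the Lua
    # hook's zt-cert-date-now) and from the client certificate CN.
    t0 = "20200101120000"
    cookie = issue_cookie("alice", t0)
    print(cookie)
    print("valid at issue:", verify_websocket(cookie, t0))
    print("valid after 61 min:", verify_websocket(cookie, "20200101130100"))
    print("refresh due at 31 min:", needs_refresh(cookie, "20200101123100"))
    print("tampered CN accepted:", verify_websocket(cookie.replace("alice", "mallory"), t0))
```

Because the date is part of the hashed input, extending `date-next` in the cookie invalidates the hash, which is what lets the server enforce expiry without any date arithmetic of its own: it only has to recompute the hash and compare two fixed-width numbers, exactly as the Require expr lines do.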

SetEnvIfExpr "env('HAVE_zt-cert-date-halfnow') -ge %{TIME} && env('HAVE_zt-cert-sha1')=~/.{40}/" HAVE_zt-cert-sha1-found=1
works,

but this will not work:
SetEnvIfExpr "env('HAVE_zt-cert-date-halfnow') -ge  env('zt-cert-date-now') && env('HAVE_zt-cert-sha1')=~/.{40}/" HAVE_zt-cert-sha1-found=1

Because LuaHookAccessChecker is executed only after the checks that rely on this information have already been evaluated (see the comparison with Nginx above).

Link to the image source.

One more thing.

In general, it does not matter in which order the directives are written in Apache (probably in Nginx too), since in the end everything is ordered according to the processing order of the request coming from the user, which corresponds to the Lua script phase scheme.

Conclusion:

State visible after implementation (the goal):
service management and the base infrastructure are accessible from a mobile phone on iOS without additional programs (VPN), in a unified and secure way.

The goal has been achieved: websockets work and have a security level no lower than that of the certificate.


Source: www.habr.com
