How to make oVirt and Let's Encrypt friends

While working on improving our development infrastructure, I decided to close an old and painful issue: to let colleagues (developers, testers, administrators and so on) manage their own virtual machines in oVirt by themselves, without unnecessary fuss. oVirt has several components that have to be taken into account to solve my problem: the web interface itself, the noVNC console, and disk image uploads.

I did not find a "Make it good" button, so I will show you which knobs I turned to solve this problem. Full instructions below the cut:

How to make oVirt and Let's Encrypt friends

A digression:

Before I begin, I would like to draw your attention to the fact that, for some reason unknown to me, the domains of core infrastructure are created in private zones: lan, local and so on.

I do not know what prevents the use of the organization's domain in a public zone. For example, instead of the domain Alex-GLuck-Awesome-Company.local you can safely use the domain of the company website, Alex-GLuck-Awesome-Company.com.

If you are afraid that you will not be able to keep the domains in your organization and that this will break something, then for a modest 100 rubles a year you can buy a separate domain for the infrastructure, aglac.com.

Why it is more advantageous to use domains in public zones:

1. Your organization has publicly accessible services: vpn, file sharing (seafile, nextcloud) and others. Setting up traffic encryption for such services is usually a pain, and we will not protect ourselves from MitM attacks because it is hard (it is not, really).

Or you have one address for a service inside the office and another from the Internet, and this correspondence has to be maintained, which wastes the limited resources of our specialists. And employees have to remember different addresses, which is not good.

2. You can use free certificate authorities to encrypt your internal services.

Your own PKI is a service that needs to be maintained; 100 rubles a year for the opportunity to use the PKI of a free certificate authority is cheaper than paying for staff time that could be spent on other tasks.

3. By using your own certificate authority you put a spoke in the wheels of your remote workers and of colleagues who want to work BYOD (bring their own laptops, phones, tablets), whose devices you cannot control. They bring Macs, Linux, Android, iOS, Windows: there is no point in supporting such a zoo.

Of course there are exceptions to everything, and banks and other strict enterprises that have established security policies will never be able to improve this service for their employees.

For them, there are paid certificate authorities that will sign their CA certificate for a certain price ("Google root signing service").

There are other reasons why using a public domain is more advantageous (the most important being that it is yours), but this article is not about that.

The point is this...

ATTENTION! By adding the Let's Encrypt CA certificate to oVirt's trusted list, we may affect the security of your systems!

The first thing to consider is that exposing the oVirt interface to the Internet is bad: it makes no sense and creates additional security threats.

Therefore we need to obtain the certificate on one of our bastion hosts and then transfer the certificate and key to our ovirt-engine host.

We add the external address of our bastion host to DNS under our oVirt name, ovirtengine.example.com. I will leave the installation of certbot and nginx behind the scenes (how to do this has already been described on Habr).

Configuring nginx version >=1.15.7

/etc/nginx/conf.d/default.conf

server {
    server_name _;
    listen 80 default_server;
    location /robots.txt { alias /usr/share/nginx/html/robots.txt; }
    location /.well-known {
        root /usr/share/nginx/html;
    }
    location / {
        return 444;
    }
}

server {
    server_name _;
    listen 443 ssl http2 default_server;
    location /robots.txt { alias /usr/share/nginx/html/robots.txt; }
    location /.well-known {
        root /usr/share/nginx/html;
    }

    ssl_certificate /etc/nginx/ssl/$ssl_server_name/fullchain.pem; 
    ssl_certificate_key /etc/nginx/ssl/$ssl_server_name/privkey.pem;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;

    # let the server staple OCSP responses, which reduces page load time for users
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    location / {
        return 444;
    }
}

After that we obtain our certificate and key:

certbot certonly --nginx -d ovirtengine.example.com

Archive our certificate and key:

tar Phczf /tmp/ovirtengine.example.com.tgz /etc/letsencrypt/live/ovirtengine.example.com

Download the archive from the bastion host and upload it to our oVirt engine:

scp bastion-host:/tmp/ovirtengine.example.com.tgz /tmp/
scp /tmp/ovirtengine.example.com.tgz ovirtengine.example.com:/

Let's move on to the goal

Next we unpack our archive and create a symlink to make the file system layout easier to understand:

tar Pxzf /ovirtengine.example.com.tgz && rm -f /ovirtengine.example.com.tgz
mkdir -p /etc/letsencrypt/live
ln -f -s /etc/letsencrypt/live /etc/pki/letsencrypt

We configure oVirt's built-in PKI so that the Java (openjdk) certificate store is used to verify certificates:

cat << EOF > /etc/ovirt-engine/engine.conf.d/99-setup-pki.conf
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
EOF

We convert the CA from the chain file to DER format and import it into oVirt's Java truststore (a container holding a list of certificates; this is how Java does it):

openssl x509 -outform der -in /etc/pki/letsencrypt/ovirtengine.example.com/chain.pem -out /tmp/ovirtengine.example.com.chain.der
keytool -import -alias "Let's Encrypt Authority X3" -file /tmp/ovirtengine.example.com.chain.der -keystore /etc/pki/ovirt-engine/.truststore -storepass $(grep '^ENGINE_PKI_TRUST_STORE_PASSWORD' /etc/ovirt-engine/engine.conf.d/10-setup-pki.conf | cut -f 2 -d '"')
rm -f /tmp/ovirtengine.example.com.chain.der

We edit Apache's SSL settings: add a parameter to allow symlinks and comment out the CA parameter used to verify certificates (by default the system set of trusted CAs is then used for verification):

sed -r -i 's|^(SSLCACertificateFile.*)|#\1|g' /etc/httpd/conf.d/ssl.conf
sed -r -i '0,/(^#?SSLCACertificateFile.*)/ s//\1\nOptions FollowSymlinks/' /etc/httpd/conf.d/ssl.conf

Then, just in case, we keep the original files generated by oVirt's automatic PKI and replace them with symlinks to the Let's Encrypt files:

ln -f -s /etc/pki/letsencrypt/ovirtengine.example.com/fullchain.pem /etc/pki/ovirt-engine/apache-chain.pem
services=( 'apache' 'imageio-proxy' 'websocket-proxy' )
for i in "${services[@]}"; do
# back up the original cert and key with today's date in the name
cp /etc/pki/ovirt-engine/certs/$i.cer{,."$( date +%F )".bak}
cp /etc/pki/ovirt-engine/keys/$i.key.nopass{,."$( date +%F )".bak}
ln -f -s /etc/pki/letsencrypt/ovirtengine.example.com/privkey.pem /etc/pki/ovirt-engine/keys/$i.key.nopass
ln -f -s /etc/pki/letsencrypt/ovirtengine.example.com/cert.pem /etc/pki/ovirt-engine/certs/$i.cer
done

We restore the SELinux contexts on the files and restart our services (httpd, ovirt-engine, ovirt-imageio-proxy, ovirt-websocket-proxy):

restorecon -Rv /etc/pki
systemctl restart httpd ovirt-engine ovirt-imageio-proxy ovirt-websocket-proxy

httpd - the Apache web server
ovirt-engine - the oVirt web interface
ovirt-imageio-proxy - the daemon for uploading disk images
ovirt-websocket-proxy - the service that runs the noVNC console
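A post-deployment check for the symlink swap and the truststore import above, written for this page as an added example (it is not the article's own code). It verifies that each oVirt certificate and key path is a symlink whose first hop lands in the Let's Encrypt directory, that each certificate and private key actually belong together, and that the Java truststore holds the imported alias. The directory paths and the alias mirror the article; the LE_DIR and OV_DIR variables, and the function names, are assumptions.

```shell
# Added example, not part of the original article. POSIX sh; assumes
# GNU coreutils, openssl and keytool on the ovirt-engine host.
LE_DIR=${LE_DIR:-/etc/pki/letsencrypt/ovirtengine.example.com}   # assumed
OV_DIR=${OV_DIR:-/etc/pki/ovirt-engine}                           # assumed

# 0 when $1 is a symlink whose first hop (relative or absolute) lives in the
# directory $2. Only one hop is resolved on purpose: certbot's live/ files are
# themselves symlinks into archive/, and we want to compare the intended target.
link_points_into() {
    [ -L "$1" ] || return 1
    target=$(readlink "$1") || return 1
    case "$target" in
        /*) ;;
        *) target=$(dirname "$1")/$target ;;
    esac
    tdir=$(cd "$(dirname "$target")" 2>/dev/null && pwd -P) || return 1
    base=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    [ "$tdir" = "$base" ]
}

# 0 when the public key embedded in certificate $1 equals the one derived
# from private key $2 (a swapped or stale key is the classic failure here).
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# 0 when truststore $1 contains an entry under alias $2; the password is read
# from the same file the article's keytool command uses.
truststore_has_alias() {
    pass=$(grep '^ENGINE_PKI_TRUST_STORE_PASSWORD' /etc/ovirt-engine/engine.conf.d/10-setup-pki.conf 2>/dev/null | cut -f 2 -d '"')
    keytool -list -keystore "$1" -storepass "$pass" -alias "$2" >/dev/null 2>&1
}

# Walks the three services the article relinks, prints one line per finding
# and returns the number of problems found (0 means everything checks out).
check_ovirt_pki() {
    problems=0
    for svc in apache imageio-proxy websocket-proxy; do
        cer=$OV_DIR/certs/$svc.cer
        key=$OV_DIR/keys/$svc.key.nopass
        link_points_into "$cer" "$LE_DIR" || { echo "BAD  $cer is not a symlink into $LE_DIR"; problems=$((problems + 1)); }
        link_points_into "$key" "$LE_DIR" || { echo "BAD  $key is not a symlink into $LE_DIR"; problems=$((problems + 1)); }
        cert_matches_key "$cer" "$key"    || { echo "BAD  $cer and $key do not belong together"; problems=$((problems + 1)); }
    done
    link_points_into "$OV_DIR/apache-chain.pem" "$LE_DIR" || { echo "BAD  apache-chain.pem was not relinked"; problems=$((problems + 1)); }
    truststore_has_alias "$OV_DIR/.truststore" "Let's Encrypt Authority X3" || { echo "BAD  truststore lacks the Let's Encrypt alias"; problems=$((problems + 1)); }
    return "$problems"
}

# Only run on a host that actually has the oVirt PKI directory.
if [ -d "$OV_DIR" ]; then
    check_ovirt_pki && echo "OK   all oVirt PKI paths point at $LE_DIR"
fi
```

Run it on the engine host right after the restorecon and systemctl step; a non-zero exit plus the BAD lines tells you which symlink or key is wrong before you discover it through a failing noVNC console or image upload.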

Everything above was tested on oVirt version 4.2.

Automatic certificate renewal in oVirt

According to good security practice there should be no connection between the bastion host and oVirt, and the certificate is issued for only 3 months. This is where the controversial question arises of how I implemented certificate renewal.

I have a playbook that runs from Foreman on a schedule every day at 5 am. This playbook goes to oVirt, checks the certificate's validity period and, if fewer than 5 days remain before expiry, goes to the bastion host and starts the certificate renewal.

After renewing the certificate, it archives the folder with the files, downloads it to the Foreman host and unpacks it on the oVirt host. Then it restores the SELinux contexts on the files and restarts our services.
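The decision step of that nightly job, the "fewer than 5 days left" check, as an added example written for this page (not the author's playbook): it reads the notAfter date from the certificate, turns it into whole days remaining, and reports whether renewal should be triggered on the bastion host. The certificate path, the threshold variable and the function names are assumptions.

```shell
# Added example, not from the original article. POSIX sh; assumes GNU date
# (for `date -d`) and openssl on the host that holds the certificate.
CERT=${CERT:-/etc/pki/letsencrypt/ovirtengine.example.com/cert.pem}   # assumed
THRESHOLD_DAYS=${THRESHOLD_DAYS:-5}                                   # article's 5-day window

# Whole days until the 'notAfter=...' line printed by `openssl x509 -enddate`
# (negative once expired). The optional second argument fixes "now" as an
# epoch value so the result is reproducible; by default the current time is used.
days_left_from_enddate() {
    enddate=${1#notAfter=}
    [ -n "$enddate" ] || return 2
    now_s=${2:-$(date -u +%s)}
    end_s=$(date -u -d "$enddate" +%s) || return 2
    echo $(( (end_s - now_s) / 86400 ))
}

# 0 when the certificate expires within the threshold (renew now), 1 otherwise.
needs_renewal() {
    [ "$1" -lt "${2:-$THRESHOLD_DAYS}" ]
}

# Days left for the certificate file given as $1.
days_left_for_cert() {
    days_left_from_enddate "$(openssl x509 -noout -enddate -in "$1")"
}

# Prints the verdict for one certificate; 2 on a read/parse error.
check_and_report() {
    [ -r "$1" ] || { echo "no readable certificate at $1" >&2; return 2; }
    days=$(days_left_for_cert "$1") || return 2
    if needs_renewal "$days"; then
        echo "$1 expires in $days day(s): trigger renewal on the bastion host"
    else
        echo "$1 is valid for $days more day(s): nothing to do"
    fi
}

if [ -r "$CERT" ]; then
    check_and_report "$CERT"
fi
```

If you only need the yes/no answer, openssl has it built in: `openssl x509 -checkend $((THRESHOLD_DAYS * 86400)) -noout -in "$CERT"` exits non-zero when the certificate will expire inside the window. The function form above is what you want when the playbook should also log how many days are left.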

Source: www.habr.com
