How to properly configure SNI in Zimbra OSE?

At the beginning of the 21st century, a resource such as IPv4 addresses is close to exhaustion. Back in 2011, IANA allocated the last five remaining /8 blocks to the regional internet registries, and in 2017 they ran out of addresses. The answer to the catastrophic shortage of IPv4 addresses was not only the emergence of the IPv6 protocol, but also SNI technology, which made it possible to host a large number of websites on a single IPv4 address. The essence of SNI is that this extension lets clients tell the server, during the TLS handshake, the name of the site they want to connect to. This allows the server to hold multiple certificates, which means that many domains can be served from a single IP address. SNI has become especially popular among business SaaS providers, who can host an almost unlimited number of domains without regard to the number of IPv4 addresses this would require. Let's find out how to enable SNI support in Zimbra Collaboration Suite Open-Source Edition.

SNI works in all current and supported versions of Zimbra OSE. If you run Zimbra Open-Source on a multi-server infrastructure, you will need to perform all of the steps below on the node where the Zimbra Proxy server is installed. In addition, you will need matching certificate+key pairs, as well as trusted certificate chains from your CA, for each domain you want to host on your IPv4 address. Please note that the cause of the vast majority of errors when setting up SNI in Zimbra OSE is incorrect certificate files. We therefore advise you to check everything carefully before installing them.

First, for SNI to work properly, you need to run the command zmprov mcf zimbraReverseProxySNIEnabled TRUE on the Zimbra proxy node, and then restart the proxy service with the command zmproxyctl restart.

We will start by creating a domain name. As an example, we will take the domain company.ru and, once the domain has been created, decide on the Zimbra virtual host name and virtual IP address. Note that the Zimbra virtual host name must match the name the user has to enter in the browser to reach the domain, and must also match the name specified in the certificate. For example, let's take mail.company.ru as the Zimbra virtual host name, and use 1.2.3.4 as the virtual IPv4 address.

After that, simply run the command zmprov md company.ru zimbraVirtualHostName mail.company.ru zimbraVirtualIPAddress 1.2.3.4 to bind the Zimbra virtual host to the virtual IP address. Note that if the server is behind NAT or a firewall, you must make sure that all requests for the domain go to the external IP address associated with it, not to its address on the local network.

Once all this is done, all that remains is to check and prepare the domain certificates for installation, and then install them.

If the domain certificate was issued correctly, you should have three certificate files: two of them are certificate chains from your certificate authority, and one is the certificate for the domain itself. In addition, you should have the file with the key you used to obtain the certificate. Create a separate folder /tmp/company.ru and put all the key and certificate files there. The result should look like this:

ls /tmp/company.ru
company.ru.key
company.ru.crt
company.ru.root.crt
company.ru.intermediate.crt

After that, we combine the certificate chains into a single file with the command cat company.ru.root.crt company.ru.intermediate.crt >> company.ru_ca.crt and make sure everything is in order with the certificates using the command /opt/zimbra/bin/zmcertmgr verifycrt comm /tmp/company.ru/company.ru.key /tmp/company.ru/company.ru.crt /tmp/company.ru/company.ru_ca.crt. Once the certificates and key have been verified successfully, you can start installing them.
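A pre-flight check that complements zmcertmgr verifycrt, added here as an example (it is not part of the original article or of Zimbra): it uses the openssl CLI to confirm that the key belongs to the certificate, that the certificate covers the planned zimbraVirtualHostName, and that it chains to the combined CA file. The function name check_domain_cert is hypothetical; the file layout is the one in /tmp/company.ru described above.

```shell
#!/bin/sh
# Added example, not Zimbra code. check_domain_cert is a hypothetical helper.
# Usage: check_domain_cert DIR DOMAIN VHOST
#   DIR   holds DOMAIN.key, DOMAIN.crt and DOMAIN_ca.crt (layout from the article)
#   VHOST is the value planned for zimbraVirtualHostName
check_domain_cert() {
    dir=$1 domain=$2 vhost=$3
    key="$dir/$domain.key"
    crt="$dir/$domain.crt"
    ca="$dir/${domain}_ca.crt"

    for f in "$key" "$crt" "$ca"; do
        [ -s "$f" ] || { echo "FAIL: $f is missing or empty" >&2; return 1; }
    done

    # 1. The private key must belong to the certificate: compare public keys.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: $crt is not a readable PEM certificate" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "FAIL: $key is not a readable private key" >&2; return 1; }
    [ "$crt_pub" = "$key_pub" ] ||
        { echo "FAIL: key does not match certificate" >&2; return 1; }

    # 2. The certificate must name the virtual host that users will type.
    openssl x509 -in "$crt" -noout -checkhost "$vhost" | grep -q 'does match' ||
        { echo "FAIL: certificate does not cover $vhost" >&2; return 1; }

    # 3. The certificate must chain to the CA file built with cat
    #    (this step also rejects an expired certificate).
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $crt does not verify against $ca" >&2; return 1; }

    echo "OK: $domain certificate files are consistent for $vhost"
}

# Run the check when called with three arguments, e.g.
#   sh check.sh /tmp/company.ru company.ru mail.company.ru
if [ "$#" -eq 3 ]; then
    check_domain_cert "$@"
fi
```

Because the working directory holds the private key, create /tmp/company.ru with mode 700 and delete it once deploycrts has succeeded.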

To begin the installation, we first combine the domain certificate and the trusted chains from the certificate authorities into a single file. This can also be done with a single command such as cat company.ru.crt company.ru_ca.crt >> company.ru.bundle. After that, run the command that writes all the certificates and the key to LDAP: /opt/zimbra/libexec/zmdomaincertmgr savecrt company.ru company.ru.bundle company.ru.key and then install the certificates with the command /opt/zimbra/libexec/zmdomaincertmgr deploycrts. After installation, the certificates and the key for the company.ru domain will be stored in the folder /opt/zimbra/conf/domaincerts/company.ru

By repeating these steps with different domain names but the same IP address, it is possible to host several hundred domains on a single IPv4 address. In doing so, you can use certificates from a variety of issuing authorities without any problems. You can check that everything was done correctly in any browser, where each virtual host name should present its own SSL certificate.

For all questions related to Zextras Suite, you can contact Zextras representative Ekaterina Triandafilidi by e-mail [email protected]

Source: www.habr.com