We hear the phrase "national security" all the time, but when the government starts monitoring our communications, recording them without reasonable suspicion, without a legal basis and without any obvious purpose, we should ask ourselves the question: are they really protecting national security, or are they protecting their own?
- Edward Snowden
This digest is intended to raise public interest in the issue of privacy, which, considering
On the agenda:
Enthusiasts from the community of the decentralized internet provider "Medium" have created their own search engine
Medium has established a new certificate authority, Medium Global Root CA. Who will be affected by the changes?
Security certificates for every home: how to run your service on the Yggdrasil network and issue it a valid SSL certificate
A reminder: what is "Medium"?
Medium (English: Medium, "intermediary"; original slogan: Don't ask for your privacy. Take it back; the English word also means "middle") is a decentralized Russian internet provider that provides network access services.
Full name: Medium Internet Service Provider. Initially the project was conceived as
It was founded in April 2019 as part of building an independent communications environment, giving end users access to Yggdrasil network resources over Wi-Fi wireless data transmission.
More on the topic:
Enthusiasts from the community of the decentralized internet provider "Medium" have created their own search engine
First, about the internet
Why do you need a PKI at all when Yggdrasil encrypts traffic between peers out of the box? There is no need to use HTTPS to connect to web services on the Yggdrasil network if you reach them through a Yggdrasil router running locally.
Indeed: Yggdrasil transport operates at the level
The situation changes significantly if you access Yggdrasil intranet resources not directly but through an intermediate node: a Medium network access point controlled by its operator.
In this case, who can compromise the data you transmit:
- The access point operator. Obviously, the operator of the Medium network access point you are currently using can eavesdrop on unencrypted traffic passing through their equipment.
- An attacker (man in the middle). Medium has a problem similar to the Tor network's, only with respect to entry and middle nodes.
This is what it looks like
Solution: to access web resources inside the Yggdrasil network, use the HTTPS protocol (layer 7
That is why we established our own certificate authority -
The possibility of the certificate authority's root certificate being compromised has, of course, been considered, but here the certificate is needed above all to guarantee the integrity of the transmitted data and rule out MITM attacks.
Intranet services from different operators have different security certificates, signed in one way or another by certificate authorities. However, Root CA operators cannot eavesdrop on encrypted traffic to services whose security certificates they signed (see
Those especially concerned about their security can use additional protection measures such as
Currently, the Medium network's public key infrastructure supports checking certificate status using the protocol
Get a point
User
The main TLD is .ygg. Most domain names use this TLD, with two exceptions: .isp and .gg.
The search engine is still under development, but it can already be used today: just visit the website
You can help the project's development,
Medium has established a new certificate authority, Medium Global Root CA. Who will be affected by the changes?
Yesterday, public testing of the Medium Root CA certificate authority was completed. Upon completion of testing, errors in the operation of key public infrastructure resources were fixed and a new root certificate of the certificate authority, "Medium Global Root CA", was created.
All the nuances and features of PKI were taken into account: the new "Medium Global Root CA" certificate will now be reissued only ten years later (after its expiry date). Security certificates are now issued only by intermediate certificate authorities, for example "Medium Domain Validation Secure Server CA".
What does the certificate chain of trust look like now?
What needs to be done for everything to work if you are a user:
Since some resources use HSTS, before using Medium network resources you should clear the data for Medium intranet resources. You can do this in your browser's history tab.
It is also necessary
What needs to be done for everything to work if you are a system operator:
You need to reissue your service's certificate on the page
Security certificates for every home: how to run your service on the Yggdrasil network and issue it a valid SSL certificate
With the growing number of intranet services on the Medium network, the need to issue new security certificates and configure those resources for SSL has grown.
Since Habr is a technical resource, each new digest will have one agenda item covering technical features of the Medium network infrastructure. For example, below are detailed instructions for issuing an SSL certificate for your service.
The examples use the domain name domain.ygg, which you should replace with your service's domain name.
Step 1. Generate a private key and Diffie-Hellman parameters
openssl genrsa -out domain.ygg.key 2048
Then:
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Step 2. Create a certificate signing request
openssl req -new -key domain.ygg.key -out domain.ygg.csr -config domain.ygg.conf
Contents of the domain.ygg.conf file:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
# req_extensions (not x509_extensions) is the section that "openssl req -new" puts into a CSR;
# x509_extensions is only consulted for self-signed certificates (-x509)
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = RU
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Moscow Oblast
localityName = Locality Name (eg, city)
localityName_default = Kolomna
organizationName = Organization Name (eg, company)
organizationName_default = ACME, Inc.
commonName = Common Name (eg, YOUR name)
commonName_max = 64
commonName_default = *.domain.ygg
[ v3_req ]
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
nsCertType = server
# browsers match the host against subjectAltName, not the CN, so list every name the service answers to
subjectAltName = DNS:domain.ygg, DNS:*.domain.ygg
# authorityKeyIdentifier is omitted on purpose: it is computed from the issuer's certificate, which the
# requester does not have, and "openssl req" fails on "issuer:always" in a request. The CRL and OCSP
# URLs below are likewise set by the issuing CA and may be overridden when the certificate is signed.
crlDistributionPoints = URI:http://crl.medium.isp/Medium_Global_Root_CA.crl
authorityInfoAccess = OCSP;URI:http://ocsp.medium.isp
Step 3. Submit the certificate request
To do this, copy the contents of the domain.ygg.csr file and paste it into the text field on the website
Follow the instructions on the website and click "Submit". If successful, a message containing the certificate signed by the intermediate certificate authority as an attachment will be sent to the email address you specified.
Step 4. Configure your web server
If you use nginx as your web server, use the following configuration:
File domain.ygg.conf in the directory /etc/nginx/sites-available/
server {
    listen [::]:80;
    listen [::]:443 ssl;
    root /var/www/domain.ygg;
    index index.php index.html index.htm index.nginx-debian.html;
    server_name domain.ygg;
    include snippets/domain.ygg.conf;
    include snippets/ssl-params.conf;
    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { log_not_found off; access_log off; allow all; }
    # the dot must be escaped in these regular expressions, otherwise it matches any character
    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }
    # never serve .htaccess / .htpasswd files
    location ~ /\.ht {
        deny all;
    }
}
File ssl-params.conf in the directory /etc/nginx/snippets/
# TLS 1.0 and 1.1 are deprecated (RFC 8996); drop them unless you must support old clients,
# and add TLSv1.3 where the nginx/OpenSSL build supports it
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# "preload" only has meaning with includeSubDomains and a max-age of at least 31536000 (one year),
# the requirements of the browser preload list
add_header Strict-Transport-Security "max-age=15552000; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# the parameters generated in step 1; without ssl_dhparam nginx does not use the EDH ciphers listed above
ssl_dhparam /etc/ssl/certs/dhparam.pem;
File domain.ygg.conf in the directory /etc/nginx/snippets/
# if the CA also sends its intermediate certificate, this file must contain the service certificate
# followed by the intermediate, otherwise clients that do not already have the intermediate cannot
# build the chain to Medium Global Root CA
ssl_certificate /etc/ssl/certs/domain.ygg.crt;
ssl_certificate_key /etc/ssl/private/domain.ygg.key;
Copy the certificate you received by email to /etc/ssl/certs/domain.ygg.crt. Place the private key (domain.ygg.key) in the directory /etc/ssl/private/.
Step 5. Restart your web server
sudo service nginx restart
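As an added example (not from the article or the Medium project), the following shell script audits an nginx ssl-params.conf snippet for the points raised above. Both configuration files are constructed inline: the first reproduces the snippet from step 4, the second is the same snippet with its weak settings corrected (TLS 1.0/1.1 removed, HSTS with includeSubDomains and a one-year max-age). It assumes only a POSIX shell with grep and sed.

```shell
#!/bin/sh
# Added example, not part of the article or the Medium project: a small
# audit of an nginx ssl-params.conf snippet. Both inline files are
# constructed: "article.conf" mirrors the settings shown in step 4,
# "hardened.conf" is the same snippet with the weak settings corrected.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/article.conf" <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=15552000; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
EOF

cat > "$WORK/hardened.conf" <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
EOF

# Print one finding per line for the nginx TLS snippet named in $1.
audit_ssl_params() {
  f="$1"
  # SSLv3, TLS 1.0 and TLS 1.1 are deprecated (RFC 7568, RFC 8996).
  if grep -Eq 'ssl_protocols[^;]*(SSLv3|TLSv1|TLSv1\.1)[[:space:];]' "$f"; then
    echo "ssl_protocols: enables SSLv3/TLS 1.0/TLS 1.1"
  fi
  if grep -q 'Strict-Transport-Security' "$f"; then
    # The browser preload list requires includeSubDomains and max-age >= 31536000.
    if grep 'Strict-Transport-Security' "$f" | grep -q 'preload' &&
       ! grep 'Strict-Transport-Security' "$f" | grep -q 'includeSubDomains'; then
      echo "HSTS: preload without includeSubDomains"
    fi
    max=$(grep 'Strict-Transport-Security' "$f" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    if [ -n "$max" ] && [ "$max" -lt 31536000 ]; then
      echo "HSTS: max-age $max is below the one-year minimum (31536000) for preload"
    fi
  else
    echo "HSTS: header missing"
  fi
  if ! grep -Eq '^[[:space:]]*ssl_session_tickets[[:space:]]+off' "$f"; then
    echo "ssl_session_tickets: not off (tickets need key rotation to keep forward secrecy)"
  fi
  if ! grep -Eq '^[[:space:]]*ssl_dhparam' "$f"; then
    echo "ssl_dhparam: missing, the EDH ciphers in ssl_ciphers are unusable"
  fi
  return 0
}

# Number of findings for the file named in $1 (0 means clean).
finding_count() { audit_ssl_params "$1" | wc -l | tr -d ' '; }

for c in article hardened; do
  echo "== $c.conf: $(finding_count "$WORK/$c.conf") finding(s)"
  audit_ssl_params "$WORK/$c.conf"
done
```

Run against the article's snippet the audit reports three findings (old protocol versions, preload without includeSubDomains, and a max-age below one year); the hardened copy reports none. The checks are plain pattern matches on one snippet, so they are a pre-deployment sanity check, not a substitute for testing the live server with a TLS scanner.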
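The five steps above, together with the chain of trust described in the Medium Global Root CA item (the root signs only intermediates, the intermediate signs service certificates), can be rehearsed offline. The following shell script is an added example, not code from the article or the Medium project: it generates the service key and a CSR that carries a subjectAltName, then stands in for the Medium CA with a constructed toy root and intermediate (the names "Toy Root CA" and "Toy Intermediate CA" and all file paths under a temporary directory are assumptions), and finally runs the checks worth doing before restarting nginx: the chain verifies only when the intermediate is supplied, the leaf was issued by the intermediate rather than the root, and the certificate matches the private key. It needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the Medium project. It reproduces steps 1-2
# (service key + CSR, here with a subjectAltName) and then stands in for the
# Medium CA with a constructed toy root -> intermediate chain, so that the
# chain of trust and the pre-deployment checks can be exercised offline.
# "Toy Root CA", "Toy Intermediate CA" and every path below are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config: the DN is passed with -subj, extension sections below.
cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:domain.ygg, DNS:*.domain.ygg
EOF

# Step 1: the service's private key (DH parameters are a web-server concern and are skipped here).
openssl genrsa -out "$WORK/domain.ygg.key" 2048 2>/dev/null

# Step 2: CSR that carries the SAN extension browsers require.
openssl req -new -key "$WORK/domain.ygg.key" -out "$WORK/domain.ygg.csr" \
  -subj "/C=RU/O=ACME, Inc./CN=domain.ygg" -config "$WORK/pki.cnf" -reqexts v3_leaf

# Constructed stand-in for the Medium CA (step 3 is a web form in reality):
# the root signs only the intermediate, the intermediate signs the service certificate.
openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
openssl req -x509 -new -key "$WORK/root.key" -out "$WORK/root.crt" -days 3650 \
  -subj "/CN=Toy Root CA" -config "$WORK/pki.cnf" -extensions v3_root
openssl genrsa -out "$WORK/int.key" 2048 2>/dev/null
openssl req -new -key "$WORK/int.key" -out "$WORK/int.csr" \
  -subj "/CN=Toy Intermediate CA" -config "$WORK/pki.cnf"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -out "$WORK/int.crt" -days 1825 \
  -extfile "$WORK/pki.cnf" -extensions v3_intermediate 2>/dev/null
openssl x509 -req -in "$WORK/domain.ygg.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
  -CAcreateserial -out "$WORK/domain.ygg.crt" -days 365 \
  -extfile "$WORK/pki.cnf" -extensions v3_leaf 2>/dev/null

# ---- checks to run before step 5 (restarting nginx) ----------------------

# Number of DNS names in the CSR's subjectAltName (2 for the config above).
csr_san_count() {
  openssl req -in "$WORK/domain.ygg.csr" -noout -text | grep -o 'DNS:' | wc -l | tr -d ' '
}

# The leaf validates against the root only when the intermediate is supplied.
chain_verifies() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
    "$WORK/domain.ygg.crt" >/dev/null 2>&1
}

# Without the intermediate the same leaf is rejected: this is why the file
# behind nginx's ssl_certificate must hold the service certificate followed
# by the intermediate when the CA does not expect clients to have it already.
chain_fails_without_intermediate() {
  ! openssl verify -CAfile "$WORK/root.crt" "$WORK/domain.ygg.crt" >/dev/null 2>&1
}

# The certificate in /etc/ssl/certs and the key in /etc/ssl/private must belong together.
cert_matches_key() {
  c=$(openssl x509 -in "$WORK/domain.ygg.crt" -noout -modulus)
  k=$(openssl rsa -in "$WORK/domain.ygg.key" -noout -modulus 2>/dev/null)
  [ "$c" = "$k" ]
}

# CN of the leaf's issuer: the intermediate, never the root.
leaf_issuer_cn() {
  openssl x509 -in "$WORK/domain.ygg.crt" -noout -issuer | sed 's/.*CN *= *//'
}

echo "SAN entries in CSR: $(csr_san_count)"
echo "Leaf issued by: $(leaf_issuer_cn)"
chain_verifies && echo "chain OK with intermediate"
chain_fails_without_intermediate && echo "chain rejected without intermediate"
cert_matches_key && echo "certificate matches private key"
```

The same three checks apply unchanged to the real certificate received by email in step 3: replace root.crt with the Medium Global Root CA certificate and int.crt with the "Medium Domain Validation Secure Server CA" certificate, and run them against the files in /etc/ssl/certs and /etc/ssl/private before restarting nginx.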
Free internet in Russia starts with you
You can help build a free internet in Russia today. We have compiled an extensive list of ways you can help the network:
- Tell your friends and colleagues about the Medium network. Share a link to this article on social networks or your personal blog
- Take part in discussing the technical problems of the Medium network on GitHub
- Create your own web service on the Yggdrasil network and add it to the Medium network DNS
- Set up your own entry point to the Medium network
Source: www.habr.com