OpenSSL: private key, self-signed CA and SSL certificate creation

Using openssl-1.0.1f, I created a private key, a self-signed certificate authority (CA) and an SSL certificate, placed them under /etc/nginx/ssl, and configured them in the nginx conf file.

■Back up the OpenSSL configuration file

cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnfORG

■Edit the OpenSSL configuration file
vi /etc/ssl/openssl.cnf

[ CA_default ]
# Where the CA directory is kept
#dir = ./demoCA # Where everything is kept
dir = /etc/ssl/CA # Where everything is kept

# Validity of certificates signed by this CA ("openssl ca" uses this unless -days is given)
#default_days = 365 # how long to certify for (1 year)
default_days = 3650 # how long to certify for (10 years)

[ req_distinguished_name ]
# Locale defaults for the DN prompts
#countryName_default = AU
countryName_default = JP

# Any value
#stateOrProvinceName_default = Some-State
stateOrProvinceName_default = Kanagawa

# Any value. The default belongs in localityName_default; "localityName = ..." is the
# prompt label. (The page overwrote the label, which is why the locality prompt in the
# transcripts below does not read "Locality Name (eg, city)".)
localityName = Locality Name (eg, city)
localityName_default = Sagamihara

# 0.organizationName_default = Internet Widgits Pty Ltd
0.organizationName_default = xxxxx

[ usr_cert ]
# The page set CA:true here. Do not copy that: [ usr_cert ] is the extension section
# for certificates issued BY this CA, so CA:true makes every server certificate a CA
# certificate that can itself sign further certificates. Server certificates keep the
# default CA:FALSE; the CA certificate takes its CA:TRUE from [ v3_ca ] below.
basicConstraints=CA:FALSE
#basicConstraints=CA:true   # what the page used; the signing transcripts below reflect it

# Uncomment
# nsCertType = server
nsCertType = server

[ v3_ca ]
# Uncomment
# nsCertType = sslCA, emailCA
nsCertType = sslCA, emailCA

■Edit the CA creation script
vi /etc/ssl/misc/CA.sh

#if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year
#CADAYS="-days 1095" # 3 years
DAYS="-days 3650" # 10 years
CADAYS="-days 7300" # 20 years

#if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
CATOP="/etc/ssl/CA"

■Run the CA creation script
mkdir /etc/ssl/CA
cd /etc/ssl/CA
/etc/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)
# [Enter]
Making CA certificate ...
Generating a 1024 bit RSA private key
.....................................++++++
...........++++++
writing new private key to '/etc/ssl/CA/private/./cakey.pem'
Enter PEM pass phrase: # set a passphrase
Verifying - Enter PEM pass phrase: # confirm
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: #[Enter]
State or Province Name (full name) [Tokyo]: #[Enter]
oote-machi 1,Chiyodaku-ku []: #[Enter]
Organization Name (eg, company) [Youria]: #[Enter]
Organizational Unit Name (eg, section) []: #[Enter]
Common Name (e.g. server FQDN or YOUR name) []:*.websample.jp # wildcard
Email Address []: #[Enter]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #[Enter]
An optional company name []: #[Enter]
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/CA/private/./cakey.pem: # the passphrase set above
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 17236407115119056261 (0xef3404f2e4afd585)
Validity
Not Before: Jan 27 05:02:38 2014 GMT
Not After : Jan 22 05:02:38 2034 GMT
Subject:
countryName = JP
stateOrProvinceName = Kanagawa
organizationName = Sagamihara
commonName = *.websample.jp
emailAddress = xxxx@xxxxx.xx
X509v3 extensions:
X509v3 Subject Key Identifier:
F5:0A:92:8C:4B:CA:F1:67:17:0B:5A:F1:88:CA:8A:17:14:21:6A:3A
X509v3 Authority Key Identifier:
keyid:F5:0A:92:8C:4B:CA:F1:67:17:0B:5A:F1:88:CA:8A:17:14:21:6A:3A

X509v3 Basic Constraints:
CA:TRUE
Netscape Cert Type:
SSL CA, S/MIME CA
Certificate is to be certified until May 17 13:28:01 2032 GMT (7300 days)

Write out database with 1 new entries
Data Base Updated

Two things are worth noting in this transcript. The CA key is only 1024 bits because the stock openssl.cnf of openssl-1.0.1 has default_bits = 1024 in [ req ]; set it to 2048 (as the 1.0.1g section later on this page does) before running CA.sh. And the CA's Common Name is the wildcard *.websample.jp, the very name later requested for the server certificate; a CA with the same subject DN as a server is what later produces "TXT_DB error number 2" at signing time.

■Verify the result
ls -l /etc/ssl/CA
total 36
-rw-r--r-- 1 root root 3113 Feb 20 14:02 2014 cacert.pem
-rw-r--r-- 1 root root 676 Feb 20 14:02 2014 careq.pem
drwxr-xr-x 2 root root 4096 Feb 20 14:01 2014 certs
drwxr-xr-x 2 root root 4096 Feb 20 14:01 2014 crl
-rw-r--r-- 1 root root 111 Feb 20 14:02 2014 index.txt
-rw-r--r-- 1 root root 21 Feb 20 14:02 2014 index.txt.attr
-rw-r--r-- 1 root root 0 Feb 20 14:01 2014 index.txt.old
drwxr-xr-x 2 root root 4096 Feb 20 14:02 2014 newcerts
drwxr-xr-x 2 root root 4096 Feb 20 14:01 2014 private
-rw-r--r-- 1 root root 17 Feb 20 14:02 2014 serial

The private/ directory holding cakey.pem is world-readable here (drwxr-xr-x). The CA key is encrypted with the passphrase, but the directory and the key file should still be restricted to root (mode 700 on private/, 600 on cakey.pem, as the 1.0.1g section below does).

■Create the private key
openssl genrsa -aes256 -rand /var/log/boot.log -out /etc/ssl/private/server.key 1024
510364 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
..............................................++++++
..................++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/ssl/private/server.key: # set a passphrase
Verifying - Enter pass phrase for /etc/ssl/private/server.key: # confirm

Two things to change before copying this command: 1024-bit RSA was already below the accepted minimum in 2014 (browsers and public CAs had moved to 2048 bits), so generate a 2048-bit key as the 1.0.1g section below does; and "-rand /var/log/boot.log" mixes a predictable, world-readable file into the seed, which adds nothing on Linux because OpenSSL already seeds from /dev/urandom, so the option can simply be dropped.

ls /etc/ssl/private/
server.key

# Create a private key that does not require a passphrase
openssl rsa -in /etc/ssl/private/server.key -out /etc/ssl/private/nopass_server.key
Enter pass phrase for /etc/ssl/private/server.key: # enter the passphrase
writing RSA key

ls -l /etc/ssl/private/
-rw-r--r-- 1 root root 887 Feb 20 14:12 2014 nopass_server.key
-rw-r--r-- 1 root root 986 Feb 20 14:08 2014 server.key

Note the permissions: the unencrypted key is world-readable (-rw-r--r--), which hands the server's private key to every local user and defeats the passphrase on the original. Make both files mode 600 and owned by root (chmod 600 on the two files) before nginx uses them.

■Create the certificate signing request (CSR)
The openssl.cnf edited for the self-signed CA is reused for CSR creation; these are the same values as above, so nothing new needs to change.
vi /etc/ssl/openssl.cnf

[ CA_default ]
#dir = ./demoCA # Where everything is kept
dir = /etc/ssl/CA # Where everything is kept

#default_days = 365 # how long to certify for
default_days = 3650 # how long to certify for

[ req_distinguished_name ]
#countryName_default = AU
countryName_default = JP

#stateOrProvinceName_default = Some-State
stateOrProvinceName_default = Kanagawa

localityName = Locality Name (eg, city)
localityName_default = Sagamihara

#0.organizationName_default = Internet Widgits Pty Ltd
0.organizationName_default = xxxxx

■Issue the certificate signing request
openssl req -new -days 3650 -key /etc/ssl/private/nopass_server.key -out /etc/ssl/www_csr.pem

(-days has no effect on "openssl req -new" without -x509: a CSR carries no validity period. The certificate's lifetime is decided when the CA signs it, from default_days in openssl.cnf or from -days on "openssl ca".)

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: #[Enter]
State or Province Name (full name) [Kanagawa]: #[Enter]
oote-machi 1,Chiyodaku-ku []: #Sagamihara
Organization Name (eg, company) [xxxx]: #[Enter]
Organizational Unit Name (eg, section) []: #[Enter]
Common Name (e.g. server FQDN or YOUR name) []: *.websample.jp # wildcard
Email Address []: #[Enter]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #[Enter]
An optional company name []: #[Enter]

■Sign the certificate signing request
openssl ca -config /etc/ssl/openssl.cnf -in /etc/ssl/www_csr.pem -keyfile /etc/ssl/CA/private/cakey.pem -cert /etc/ssl/CA/cacert.pem -out server.pem

Using configuration from /etc/ssl/CA/openssl_server.cnf
Enter pass phrase for /etc/ssl/CA/private/cakey.pem: # enter the passphrase
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 14017714533794264351 (0xc288ed1975a3351f)
Validity
Not Before: May 22 15:00:49 2012 GMT
Not After : May 20 15:00:49 2022 GMT
Subject:
countryName = JP
stateOrProvinceName = Kanagawa
organizationName = Sagamihara
commonName = *.websample.jp
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F8:97:17:66:E4:3D:6E:71:0B:ED:C7:D1:99:61:3C:86:7C:A9:AB:6F
X509v3 Authority Key Identifier:
keyid:25:77:B8:F5:09:E7:C0:33:ED:10:3A:FE:DC:B7:21:64:66:AA:20:28

Certificate is to be certified until May 20 15:00:49 2022 GMT (3650 days)
Sign the certificate? [y/n]: # y

1 out of 1 certificate requests certified, commit? [y/n] # y
Write out database with 1 new entries
Data Base Updated

Read the "Certificate Details" before deploying. "X509v3 Basic Constraints: CA:TRUE" on a server certificate is the result of the CA:true edit to [ usr_cert ] above: this server certificate could itself sign certificates, and it should read CA:FALSE. And there is no Subject Alternative Name; the wildcard lives only in the CN, which current browsers no longer use for host-name matching, so add subjectAltName = DNS:*.websample.jp to the extension section before signing.

Use the generated server.pem on the web server; place it in /etc/nginx/ssl/

■Error
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

■Handling the error
"TXT_DB error number 2" means the CA database (index.txt under /etc/ssl/CA) already holds a valid certificate with the same subject DN; with the default unique_subject = yes, openssl ca refuses to issue a second one. Here the CA certificate itself was created with CN=*.websample.jp, the same DN later requested for the server, so even the first server certificate can collide. The clean fix is to give the CA a DN of its own (for example CN=websample.jp CA). Otherwise revoke the conflicting entry; the files under newcerts/ are named after the hex serial number printed in the signing output:
openssl ca -revoke /etc/ssl/CA/newcerts/00.pem
If that does not help, delete /etc/ssl/CA/index.txt, recreate it empty with touch /etc/ssl/CA/index.txt, and run the signing command again. This discards the CA's record of every certificate issued so far, which is acceptable for a private test CA only. (Setting unique_subject = no in index.txt.attr is the third option when several valid certificates for one DN are genuinely wanted.)

■nginx configuration
mkdir /etc/nginx/ssl
mv server.pem /etc/nginx/ssl/
vi /etc/nginx/conf.d/default
# Point nginx at the SSL certificate and private key
server {
listen 443 ssl;   # the page used "listen 443;" plus "ssl on;"; the listen parameter is the form nginx documents
server_name localhost;

root /usr/share/nginx/www;
index index.html index.htm;

ssl_certificate /etc/nginx/ssl/server.pem;
ssl_certificate_key /etc/ssl/private/nopass_server.key;
}

The key file is read by the nginx master process, which runs as root, so it can and should stay mode 600 owned by root; the worker processes running as the nginx user never need to read it.

stunserver-1.2.6 installation

A STUN server lets both clients discover their public IP addresses through NAT, which is the key to web-camera calling, and so enables bidirectional real-time web-camera calls.

■Download source
wget http://sourceforge.net/projects/stuntman/files/stunserver-1.2.6.tgz

■Saved to
/usr/local/src/STUNServer
stunserver-1.2.6.tgz

■Extracted to
/usr/local/src/STUNServer/stunserver

■Install beforehand
RedHat/Fedora and EC2 Amazon Linux AMI
yum groupinstall "Development Tools" # For g++, make, et. al.
yum install boost* # For Boost
yum install openssl-devel # For OpenSSL

■Built with make
-rwxr-xr-x 1 root root 139558 Feb 18 2:37 2014 stunserver
-rwxr-xr-x 1 root root 95110 Feb 18 2:37 2014 stunclient
-rwxr-xr-x 1 root root 171783 Feb 18 2:37 2014 stuntestcode

■Installed to
/usr/bin/stunclient (STUN client)
/usr/sbin/stunserver (STUN server)
/etc/stun/stund.conf (STUN server configuration file, unused)
/etc/init.d/stund (STUN server init script)

■STUN server init script /etc/init.d/stund

#! /bin/sh

# chkconfig: 344 98 1
# description: stund
# processname: stund
#
# /etc/init.d/stund: start and stop the STUND daemon
#
DAEMON_START="/usr/local/bin/start_stund_server.sh"   # start script
DAEMON_STOP="/usr/local/bin/stop_stund_server.sh"     # stop script
test -x $DAEMON_START || exit 0
test -x $DAEMON_STOP || exit 0
case "$1" in
start)
echo -n "Starting STUND stunserver: stund"
$DAEMON_START
echo "ok."
;;
stop)
echo -n "Stopping STUND stunserver: stund"
$DAEMON_STOP
echo "ok."
;;

reload|force-reload|restart)
echo -n "Restarting STUND stunserver: stund"
$DAEMON_STOP
$DAEMON_START
echo "ok."
;;
*)
echo "Usage: /etc/init.d/stund {start|stop|reload|force-reload|restart}"
exit 1
esac
exit 0

# chmod +x /etc/init.d/stund
# chkconfig /etc/init.d/stund on

■Start script: /usr/local/bin/start_stund_server.sh

/usr/sbin/stunserver --mode full --primaryinterface XXX.XXX.XXX.101 --primaryport 3478 --altinterface XXX.XXX.XXX.102 --altport 3479 > /dev/null 2>&1 &

Note: the router's port forwarding and the iptables rules must open these ports (UDP 3478 and 3479 on both addresses). stunserver is started as root here; it needs no privilege for ports above 1024, so an unprivileged user is preferable.

Note: XXX.XXX.XXX.101 and XXX.XXX.XXX.102 are on one machine; full mode needs two NICs and two global IP addresses.

■Stop script: /usr/local/bin/stop_stund_server.sh
killall /usr/sbin/stunserver

■How to use

Change the following part of peer.js:

// var defaultConfig = {'iceServers': [{ 'url': 'stun:stun.l.google.com:19302' }]};

↓ change to
var defaultConfig = {'iceServers': [{ 'url': 'stun:turn.websample.jp:3478' }]};
var dataCount = 1;

Note: please contact me if you run into problems.

PeerServer and PeerJS installation

This section covers installing, configuring and auto-starting the web-camera calling application PeerJS and its PeerServer.

■Download PeerServer
# cd /opt
# git clone https://github.com/peers/peerjs-server.git

■Install PeerServer's dependencies
# cd peerjs-server

# npm install
npm is the package manager for node.js

■Download PeerJS

$ cd /opt
$ git clone https://github.com/peers/peerjs.git

Place the videochat demo under nginx
$ cd /var/www/html/xxxx
$ mkdir peerjs
$ cp /opt/peerjs/examples/videochat/* /var/www/html/xxxx/peerjs

$ cp /opt/peerjs/dist/peer.js /var/www/html/xxxx/peerjs
Edit index.html as in the following diff

$ vi peerjs/index.html
# diff index.html /opt/peerjs/examples/videochat/index.html
6c6
<

>
13c13
< var peer = new Peer({host:’192.xxx.xxx.xxx’, port:9000, key: ‘peerjs’, debug: 3}); — > var peer = new Peer({ key: ‘lwjd5qra8257b9′, debug: 3});
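Review bot: the port in this hunk (port:9000) does not match the PeerServer start command used further down the page (-p 8124); the client must use the port PeerServer actually listens on, and its key must equal the server's -k value (peerjs). The 6c6 hunk has lost its content in extraction, so the script-tag change it records cannot be verified here.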
Start PeerServer

Auto-start configuration for PeerServer (upstart)
$ vi /etc/init/peerjs.conf
description "PeerJS Server"
author "co-meeting Inc."

# Saves log to /var/log/upstart/peerjs.log
console log

# Starts only after drives are mounted.
start on started mountall

stop on shutdown

# Automatically Respawn. But fail permanently if it respawns 10 times in 5 seconds:
respawn
respawn limit 10 5

script
node /opt/peerjs-server/bin/peerjs -p 8124 -k peerjs
end script
The -k peerjs option on the start command must match the key in the client's new Peer({host:'', port:8124, key: 'peerjs', debug: 3}). The key is not a secret (it is PeerServer's default and every client sends it), so it provides no access control: anyone who can reach port 8124 can use the signalling server. Note also that this job, like the init script below, starts node as root; a broker that only needs a high port should run as an unprivileged user.

Open ports 80 and 8124

■peerserver auto-start (SysV init script)

# vi /etc/init.d/peerjs

#! /bin/sh
# chkconfig: 345 99 1
# description: peerjs
# processname: peerjs
#
# /etc/init.d/peerjs: start and stop the PEERJS daemon
#
DAEMON_START="/usr/local/bin/start_peers_server.sh"
DAEMON_STOP="/usr/local/bin/stop_peers_server.sh"
test -x $DAEMON_START || exit 0
test -x $DAEMON_STOP || exit 0
case "$1" in
start)
echo -n "Starting PeerJS peerserver: peerjs"
$DAEMON_START
echo "ok."
;;
stop)
echo -n "Stopping PeerJS peerserver: peerjs"
$DAEMON_STOP
echo "ok."
;;

reload|force-reload|restart)
echo -n "Restarting PeerJS peerserver: peerjs"
$DAEMON_STOP
$DAEMON_START
echo "ok."
;;
*)
echo "Usage: /etc/init.d/peerjs {start|stop|reload|force-reload|restart}"
exit 1
esac
exit 0

# chmod +x /etc/init.d/peerjs
# chkconfig /etc/init.d/peerjs on

# vi /usr/local/bin/start_peers_server.sh
node /opt/peerjs-server/bin/peerjs -p 8124 -k peerjs > /dev/null 2>&1 &

# vi /usr/local/bin/stop_peers_server.sh
# The page used "killall node /opt/peerjs-server/bin/peerjs", which kills every
# node process on the host, not only PeerServer. Match on the command line instead.
pkill -f '/opt/peerjs-server/bin/peerjs'

openssl-1.0.1f installation

I learned that WordPress is good for writing articles, and while researching its installation and configuration found that SSL support was needed, so I installed openssl-1.0.1f.

Two cautions before following this. 1.0.1f is affected by the Heartbleed bug (CVE-2014-0160); the openssl-1.0.1g section further down replaces it. And --prefix=/usr installs over the distribution's own libssl/libcrypto, so from then on yum no longer tracks security updates for the library that every package on the host links against; installing under /usr/local and pointing nginx at it is the safer layout.

■Download and extract (download location: /usr/local/src/openssl)
wget http://www.openssl.org/source/openssl-1.0.1f.tar.gz
wget http://www.linuxfromscratch.org/patches/blfs/svn/openssl-1.0.1f-fix_parallel_build-1.patch
wget http://www.linuxfromscratch.org/patches/blfs/svn/openssl-1.0.1f-fix_pod_syntax-1.patch
tar xvzf openssl-1.0.1f.tar.gz

■Apply the patches (from inside the extracted openssl-1.0.1f directory)
patch -Np1 -i ../openssl-1.0.1f-fix_parallel_build-1.patch
patch -Np1 -i ../openssl-1.0.1f-fix_pod_syntax-1.patch

■Run config
./config --prefix=/usr \
--openssldir=/etc/ssl \
--libdir=lib \
shared \
zlib-dynamic

■Run make
make

■To test the build, run make test

■If you do not want to install the static libraries, run the following sed command

sed -i 's# libcrypto.a##;s# libssl.a##' Makefile

■Become root and run steps 1, 2 and 3 below.

1. make MANDIR=/usr/share/man MANSUFFIX=ssl install
The following error appeared (when the sed above had not been run)
cp: cannot stat `lib4758cca.so': No such file or directory
make[1]: *** [install] Error 1
make[1]: Leaving directory `/usr/local/src/nginx/openssl-1.0.1f/engines'
make: *** [install_sw] Error 1

find / -name lib4758cca.so
/usr/lib64/openssl/engines/lib4758cca.so

cp -p /usr/lib64/openssl/engines/* engines
(The page's command ends in "engin"; the target is the engines/ directory of the build tree named in the error. This is a workaround rather than a fix: it copies the distribution's prebuilt engine modules, built against the distribution's older libcrypto, into the tree that "make install" then installs. The page notes the error did not occur when the sed above had been run.)

2. install -dv -m755 /usr/share/doc/openssl-1.0.1f
3. cp -vfr doc/* /usr/share/doc/openssl-1.0.1f

php-fpm installation

While researching the nginx installation it appeared that php-fpm is installed alongside it, so I installed php-fpm and configured php-fpm.conf. (php-fpm has shipped as part of PHP core since 5.3.3.)

■Install with yum

yum --enablerepo=remi install php php-fpm

■php-fpm configuration
mkdir /var/log/php-fpm
chown -R nginx:nginx /var/log/php-fpm   # the page used nobody:nobody; the pool below runs as nginx, so nginx must own the log directory it writes to

Edit php-fpm.conf

[global]
pid = /var/run/php-fpm/php-fpm.pid

vi /etc/php-fpm.d/www.conf
[www]
user = nginx
group = nginx
; Use either a TCP socket or a Unix socket, not both: the last "listen" wins.
; The nginx back end on this page uses the Unix socket.
;listen = 127.0.0.1:9000
listen = /var/run/php-fpm/php-fpm.sock
listen.owner = nginx
listen.group = nginx
; The page used 0666, which lets every local user submit requests that PHP then
; runs as the nginx user. With owner/group set above, 0660 is sufficient.
listen.mode = 0660
listen.allowed_clients = 127.0.0.1   ; only applies to TCP sockets

pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500

php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_value[session.save_path] = /var/lib/php/session
php_admin_flag[log_errors] = on

Change the owner of /var/lib/php/session to nginx
chown nginx:nginx /var/lib/php/session

service php-fpm start
chkconfig php-fpm on

nginx-1.5.10: front-end xxx.conf and back-end xxx.conf settings

I configured a two-host nginx reverse-proxy setup with WordPress and SSL in mind. SPDY 3.1 also worked.

■Front end 192.xxx.xxx.105

/etc/nginx/nginx.conf
user nginx;
worker_processes 2;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;
#tcp_nopush on;

keepalive_timeout 65;

#gzip on;
gzip on;
gzip_types text/plain
text/xml
text/css
text/javascript
image/x-icon
application/xml
application/rss+xml
application/json
application/x-javascript;
gzip_disable "MSIE [1-6]\.";
gzip_disable "Mozilla/4";

# Tokens and headers
server_tokens off;
ignore_invalid_headers on;

# Proxy settings

/etc/nginx/conf.d/proxy.conf
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=czone:4m max_size=50m inactive=120m;
proxy_temp_path /var/tmp/nginx;
proxy_cache_key "$scheme://$host$request_uri";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

# Load the configuration files
include /etc/nginx/conf.d/*.conf;
}

One caveat on gzip: compressing responses that mix a secret (a CSRF token, a session identifier) with attacker-influenced content over the TLS listener enables BREACH-style compression attacks, so consider leaving text/html uncompressed on the 443 server.

=============================

/etc/nginx/conf.d/virtual.conf
upstream backend {
ip_hash;
server 192.XXX.XXX.110:8080;
}

server {

server_name xxx.xxxxx.jp;
# rewrite takes a regex as its first argument; "^" matches every URI
rewrite ^ http://proxy.xxxxxxxx.jp$request_uri? permanent;
}

server {
listen 80;
server_name xxxx.xxxx.jp;
root /var/www/html/xxxxx;

access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log debug;

client_max_body_size 36M;
port_in_redirect off;

location ~ /\. { deny all; access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
location = /favicon.ico { access_log off; log_not_found off; }
location /wp-admin { proxy_pass http://backend; }
location ~ .*\.php { proxy_pass http://backend; }
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
log_not_found off;
proxy_pass http://backend;
}
location / {
set $mobile "";
if ($http_user_agent ~* '(DoCoMo|J-PHONE|Vodafone|MOT-|UP\.Browser|DDIPOCKET|ASTEL|PDXGW|Palmscape|Xiino|sharp pda browser|Windows CE|L-mode|WILLCOM|SoftBank|Semulator|Vemulator|J-EMULATOR|emobile|mixi-mobile-converter)') {
set $mobile "@ktai";
}
if ($http_user_agent ~* '(iPhone|iPod|Opera Mini|Android.*Mobile|NetFront|PSP|BlackBerry)') {
set $mobile "@mobile";
}
# Initialise first. The page set $do_not_cache to 0 AFTER the cookie test,
# which silently re-enabled caching for logged-in users and commenters and
# would have served one visitor's personalised pages to everyone else.
set $do_not_cache 0;
if ($http_cookie ~* "comment_author_|wordpress_(?!test_cookie)|wp-postpass_" ) {
set $do_not_cache 1;
}
if ($request_method != GET) {
set $do_not_cache 1;
}
if ($uri !~* "\.(jpg|png|gif|jpeg|css|js|swf|pdf|html|htm)$") {
set $do_not_cache 1;
}
# Caching
proxy_no_cache $do_not_cache;
proxy_cache_bypass $do_not_cache;
proxy_cache czone;
proxy_cache_key "$scheme://$host$request_uri$is_args$args$mobile";
proxy_cache_valid 200 301 302 60m;
proxy_cache_valid 404 5m;
proxy_cache_use_stale error timeout invalid_header updating
http_500 http_502 http_503 http_504;
# The page had "proxy_pass http://ssmg;", which names no upstream defined here; the upstream above is "backend".
proxy_pass http://backend;

proxy_redirect off;
}
}

server {
listen 443 ssl spdy;
server_name proxy-wp.ssmg.jp;
root /var/www/html/proxy-wp;
client_max_body_size 36M;

# ssl
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;

ssl_session_timeout 5m;
# The page listed "SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2" here. SSLv2 is broken outright
# and SSLv3 offers nothing a TLS-capable client needs; enabling them only gives an
# attacker a downgrade target. Offer TLS only.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# HIGH:!aNULL:!MD5 still permits static RSA key exchange (no forward secrecy) and
# 3DES; see the cipher-suite listing at the end of this page.
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

# Tell the browser we do SPDY
add_header Alternate-Protocol 443:npn-spdy/2;
# spdy
spdy_max_concurrent_streams 50;
spdy_streams_index_size 32;
spdy_recv_timeout 5s;
spdy_keepalive_timeout 15s;
spdy_headers_comp 9;

location / {
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

# Caching
set $mobile "";   # the cache key below uses $mobile; it is only set in the port-80 server
set $do_not_cache 0;
if ($request_method != GET) {
set $do_not_cache 1;
}
if ($uri !~* "\.(jpg|png|gif|jpeg|css|js|swf|pdf|html|htm)$") {
set $do_not_cache 1;
}
proxy_no_cache $do_not_cache;
proxy_cache_bypass $do_not_cache;
proxy_cache czone;
proxy_cache_key "$scheme://$host$request_uri$is_args$args$mobile";
proxy_cache_valid 200 301 302 60m;
proxy_cache_valid 404 5m;
proxy_cache_use_stale error timeout invalid_header updating
http_500 http_502 http_503 http_504;
proxy_pass http://backend;
}
}

■Back end 192.XXX.XXX.110
/etc/nginx/nginx.conf
user nginx;
worker_processes 2;

error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;

#keepalive_timeout 0;
keepalive_timeout 30;

# gzip compression
gzip on;
gzip_http_version 1.0;
gzip_vary on;
gzip_comp_level 6;
gzip_types text/xml text/css application/xhtml+xml application/xml application/rss+xml application/atom_xml application/x-javascript application/x-httpd-php;
gzip_disable "MSIE [1-6]\.";

# Reverse proxy settings
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=czone:4m max_size=50m inactive=120m;
proxy_temp_path /var/lib/nginx/tmp;
proxy_cache_key "$scheme://$host$request_uri";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
include /etc/nginx/conf.d/*.conf;
}

=============================

/etc/nginx/conf.d/virtual.conf
server {
listen 8080;
server_name xxxxx.xxxxx.jp;
root /var/www/html/xxxxx;

access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log debug;
client_max_body_size 36M;

location / {
index index.php index.html index.htm;
# static files
if (-f $request_filename) {
expires 14d;
break;
}
# request to index.php
if (!-e $request_filename) {
rewrite ^(.+)$ /index.php?q=$1 last;
}
}

location ~ \.php$ {
# Refuse URIs such as /uploads/image.png/x.php: with cgi.fix_pathinfo=1,
# PHP would otherwise execute the uploaded image as PHP code.
try_files $uri =404;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
expires 2h;
}
location ~ (\.ht|\.git|\.svn) {
deny all;
}
}

Note: SPDY cannot be enabled on the port-80 listener; it only works on the TLS listener.
Note: reverse proxy 80 → 8080, 443 → 8080
Note: the back end accepts port 8080 on every interface, so it is reachable without the TLS and caching layer. Restrict it to the front end's address (an iptables rule, or "listen 192.XXX.XXX.110:8080;" together with allow/deny for 192.xxx.xxx.105).

openssl-1.0.1g installation and self-signed CA

To address the serious OpenSSL vulnerability disclosed recently under the name "Heartbleed" (CVE-2014-0160), I updated OpenSSL-1.0.1f to OpenSSL-1.0.1g.

>Move to the download and build directory
# cd /usr/local/src/

>Download the latest OpenSSL
# wget https://www.openssl.org/source/openssl-1.0.1g.tar.gz

>Extract
# tar -xzf openssl-1.0.1g.tar.gz

>Move into the directory
# cd ./openssl-1.0.1g

>config, make, make install
# ./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib shared zlib-dynamic
# make
# make install

Check the version after installing
# openssl
OpenSSL> version
OpenSSL 1.0.1g 7 Apr 2014

Two follow-ups matter after a Heartbleed upgrade. Processes that loaded the old library (nginx, php-fpm, stunserver) keep the vulnerable code mapped until they are restarted; "lsof -n | grep libssl" lists them, with "(deleted)" or DEL marking a stale mapping. And because the bug let clients read server memory, any private key that sat on a 1.0.1f server should be treated as exposed: generate new keys and reissue the certificates, which is what the self-signed CA steps below do.

Note: make error and how it was resolved
c_zlib.c: In function 'bio_zlib_ctrl':
c_zlib.c:725: error: 'BIO_ZLIB_CTX' has no member named 'ocount'
c_zlib.c:726: error: 'BIO_ZLIB_CTX' has no member named 'odone'
c_zlib.c:765: error: 'BIO_ZLIB_CTX' has no member named 'obuf'
c_zlib.c:767: error: 'BIO_ZLIB_CTX' has no member named 'obuf'
c_zlib.c:768: error: 'BIO_ZLIB_CTX' has no member named 'obuf'
c_zlib.c:770: error: 'BIO_ZLIB_CTX' has no member named 'obufsize'
make[2]: *** [c_zlib.o] Error 1
make[2]: Leaving directory `/usr/local/src/openssl/openssl-1.0.1g/crypto/comp'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory `/usr/local/src/openssl/openssl-1.0.1g/crypto'
make: *** [build_crypto] Error 1

Resolved with # yum install zlib-* (the zlib headers from zlib-devel are what the zlib-dynamic build option needs; zlib-static is not required)
installing:
zlib-devel x86_64 1.2.3-29.el6 base 44 k
zlib-static x86_64 1.2.3-29.el6 base 52 k

Self-signed CA

# cd /etc/pki/tls
# cp -p openssl.cnf openssl.cnf.org (keep a copy of the default file)
Note: there are two openssl.cnf files on this system (the distribution's /etc/pki/tls/openssl.cnf and /etc/ssl/openssl.cnf from the source build) and they differ slightly.
Running "./CA -newca" raised an error that had not occurred with openssl-1.0.1f.
I backed up both, edited /etc/pki/tls/openssl.cnf as follows, and copied it to /etc/ssl/openssl.cnf.

>Edit openssl.cnf
# /etc/pki/tls/openssl.cnf
[ req ]
default_bits = 2048

[ req_distinguished_name ]
countryName_default = JP

[ usr_cert ]
basicConstraints=CA:FALSE   (the page set CA:TRUE here "to issue the CA certificate", but [ usr_cert ] governs certificates issued BY the CA; the CA certificate's own CA:TRUE comes from [ v3_ca ]. With CA:TRUE here, the server certificate signed below is itself a CA.)
nsCertType = server (create server certificates)   ← uncommented

[ v3_ca ]
nsCertType = sslCA, emailCA   ← uncommented

> Edit the CA script
# cd /etc/pki/tls/misc
# cp -p CA CA.org
# vi CA
Change the validity periods below to the desired number of days
if [ -z "$DAYS" ] ; then DAYS="-days 3650" ; fi # 10 years
CADAYS="-days 7300" # 20 years
(DAYS in this script applies only when signing through the CA script. Running "openssl ca" directly, as done below, uses default_days from openssl.cnf, which is why the server certificate below is valid for 365 days.)

>Move the default directory aside and create an empty one
# cd ../../
# mv CA CA.org
# mkdir CA
Note: if the run fails, recreate the CA directory.

> Run the CA creation script
# cd ./tls/misc
# ./CA -newca
CA certificate filename (or enter to create)
(leave the file name empty and press [Enter])
Making CA certificate ...
Generating a 2048 bit RSA private key
....+++
.......................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase: (enter a passphrase)
Verifying - Enter PEM pass phrase: (enter the passphrase again)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: JP (country)
State or Province Name (full name) []:XXXXXX (prefecture)
Locality Name (eg, city) [Default City]:XXXXXXX (city)
Organization Name (eg, company) [Default Company Ltd]:XXXX (organization)
Organizational Unit Name (eg, section) []: (department)
Common Name (eg, your name or your server's hostname) []:*.XXXXX.XX (host name etc.) ⇒ wildcard
Email Address []: (leave empty and press [Enter])

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (leave empty and press [Enter])
An optional company name []: (leave empty and press [Enter])
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: (the passphrase entered above)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 9646386112852737689 (0x85ded90f96d93e99)
Validity
Not Before: Apr 4 11:06:24 2014 GMT
Not After : Mar 30 11:06:24 2034 GMT
Subject:
countryName = JP
stateOrProvinceName = XXXXXX
organizationName = XXXX
commonName = *.XXX.XXX ⇒ wildcard
X509v3 extensions:
X509v3 Subject Key Identifier:
C6:FD:32:42:E7:51:EF:4C:1B:AC:F8:B0:94:D1:6D:B4:DA:AA:7D:47
X509v3 Authority Key Identifier:
keyid:C6:FD:32:42:E7:51:EF:4C:1B:AC:F8:B0:94:D1:6D:B4:DA:AA:7D:47

X509v3 Basic Constraints:
CA:TRUE
Netscape Cert Type:
SSL CA, S/MIME CA
Certificate is to be certified until Mar 30 11:06:24 2034 GMT (7300 days)

Write out database with 1 new entries
Data Base Updated

(As in the 1.0.1f section, the CA is given a wildcard host name as its Common Name. Give the CA a DN of its own instead; a CA whose subject DN equals a server's is what triggers the "TXT_DB error number 2" discussed in Supplement 3.)

>Create the CA certificate for browsers (DER form)
# cd ../../CA/private/
# chmod 0600 cakey.pem
# openssl x509 -inform PEM -outform DER -in ../cacert.pem -out ../cacert.der

>Confirm that "cacert.pem" and "cacert.der" exist
# ls -l /etc/pki/CA

>Create the certificate request (CSR)
# cd /tmp (move to a suitable directory, or create one)
# openssl md5 * > rand.dat (create a seed file)
# openssl genrsa -rand rand.dat -des3 2048 > key.pem (create the private key)
48 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.......................................................................................+++
.......................+++
e is 65537 (0x10001)
Enter pass phrase: (enter a passphrase)
Verifying - Enter pass phrase: (enter the passphrase again)

(The seed file is a step worth dropping: MD5 digests of whatever sits in /tmp are not secret, and on Linux OpenSSL already seeds from /dev/urandom, so -rand adds nothing. Generating the key in /tmp is also a poor choice, because the file is created with the default umask in a world-accessible directory; create it under a root-only directory such as /etc/pki/tls/private and make it mode 600.)

# openssl req -new -key key.pem -out server.csr (create the CSR)
Enter pass phrase for key.pem: (enter the passphrase of the private key)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: JP (country)
State or Province Name (full name) []:XXXXXX (prefecture)
Locality Name (eg, city) [Default City]:XXXXXXX (city)
Organization Name (eg, company) [Default Company Ltd]:XXXX (organization)
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:*.XXXXX.XX (host name etc.) ⇒ wildcard
Email Address []: (leave empty and press [Enter])

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (leave empty and press [Enter])
An optional company name []: (leave empty and press [Enter])

>Confirm that "key.pem" and "server.csr" have been created
# ls -l

>Sign with the self-signed CA
# cd /etc/pki/tls/misc/
# openssl ca -out /var/tmp/cert.pem -infiles /var/tmp/server.csr
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: (enter the passphrase)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 9646386112852737690 (0x85ded90f96d93e9a)
Validity
Not Before: Apr 4 11:39:25 2014 GMT
Not After : Apr 4 11:39:25 2015 GMT
Subject:
countryName = JP
stateOrProvinceName = Kanagawa
organizationName = Axel
commonName = *.ecoya.jp
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
80:17:82:6F:AE:A1:9E:CC:A4:F2:D0:C0:E5:C3:42:6C:8B:4A:7E:AC
X509v3 Authority Key Identifier:
keyid:C6:FD:32:42:E7:51:EF:4C:1B:AC:F8:B0:94:D1:6D:B4:DA:AA:7D:47

Certificate is to be certified until Apr 4 11:39:25 2015 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

> ls -l /tmp
Confirm that "cert.pem" has been created
Note: use "cert.pem" and "key.pem" as a pair

Read the signing output before deploying. The 365-day validity comes from default_days in /etc/pki/tls/openssl.cnf (the DAYS edit in the CA script is not consulted when openssl ca is run directly; pass -days explicitly if a longer lifetime is wanted). "X509v3 Basic Constraints: CA:TRUE" on this server certificate comes from the CA:TRUE edit to [ usr_cert ] and should be CA:FALSE. And there is no Subject Alternative Name, which current browsers require for host-name matching.

>Supplement 1
Configuration so that the private key's passphrase need not be entered when the web server starts
# cd /tmp
# openssl rsa -in key.pem -out key.pem.nopassword
Enter pass phrase for key.pem: (enter the passphrase)
writing RSA key
Note: use the created "key.pem.nopassword" in place of "key.pem"; keep it mode 600 and owned by root, since it is the server's unprotected private key

>Supplement 2
Converting the server certificate for use on Windows (IIS etc.)
# openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.p12
Note: import the resulting "cert.p12" with the MMC certificates snap-in
(and import the CA certificate "cacert.pem" under [Trusted Root Certification Authorities] as well)

>Supplement 3
When signing fails with an error
# openssl ca -out /var/tmp/cert.pem -infiles /var/tmp/server.csr
~ omitted ~
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
Note: this error means index.txt already holds a valid certificate with the same subject DN (unique_subject = yes, the default), and the page's remedy is to revoke that earlier entry. Look at which entry collides: serial 85DED90F96D93E99 is the CA certificate's own serial (see the -newca output above); "CA -newca" records the CA certificate in the database, and the CA was created with the same wildcard CN as the server request. Revoking that database entry, as below, lets the signing proceed and leaves the CA certificate file itself untouched, but the clean fix is to give the CA a DN of its own; if several valid certificates for one DN are genuinely needed, set "unique_subject = no" in index.txt.attr instead.

# openssl ca -revoke /etc/pki/CA/newcerts/85DED90F96D93E99.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: (enter the passphrase)
Revoking Certificate 85DED90F96D93E99.
Data Base Updated

Supplement 4
"openssl ciphers -v '<cipher suite list>'" prints the cipher suites a list expands to. (The page wrote "openssl ciphers cipherlist '...' -v"; "cipherlist" is not an option of the ciphers command and must be left out.)
# openssl ciphers -v 'HIGH:!aNULL:!MD5'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
SRP-DSS-AES-256-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=AES(256) Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-RSA-AES256-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1
ECDH-ECDSA-AES256-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
SRP-DSS-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=3DES(168) Mac=SHA1
SRP-RSA-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
PSK-3DES-EDE-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=3DES(168) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
SRP-DSS-AES-128-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=AES(128) Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-RSA-AES128-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA1
ECDH-ECDSA-AES128-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA1
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
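The list above is what OpenSSL expands 'HIGH:!aNULL:!MD5' to, the same string the nginx ssl_ciphers line earlier on this page uses. Read with a security eye: every row with Kx=RSA uses static RSA key exchange, so a server key compromised later (Heartbleed being the reason for this whole section) decrypts previously recorded traffic; the Enc=3DES rows are a 64-bit block cipher; only the Mac=AEAD rows avoid CBC padding-oracle surface entirely. The shell functions below, added for this edit and not from the original page, audit a cipher string the same way. They assume an openssl binary on PATH; HARDENED is a suggested replacement string of my own, not one the page uses.

```shell
#!/bin/sh
# Added example, not from the original page: audit an OpenSSL cipher string
# before putting it in nginx's ssl_ciphers. Assumes openssl on PATH.
set -e

# Expand a cipher string exactly as "openssl ciphers -v" does: one suite per
# line with Kx= (key exchange), Au=, Enc= and Mac= columns.
expand_ciphers() {
  openssl ciphers -v "$1" 2>/dev/null
}

# Suites using static RSA key exchange ("Kx=RSA" followed by whitespace, so
# "Kx=ECDH/RSA" and "Kx=RSAPSK" do not match): no forward secrecy, so a later
# key compromise decrypts previously captured sessions.
non_pfs_count() {
  expand_ciphers "$1" | grep -c 'Kx=RSA[[:space:]]' || true
}

# Suites using 3DES, a 64-bit block cipher (Sweet32-class birthday attacks on
# long-lived connections).
triple_des_count() {
  expand_ciphers "$1" | grep -c 'Enc=3DES' || true
}

# Suites whose MAC column is AEAD (GCM/CCM/ChaCha20-Poly1305): authenticated
# encryption, no CBC padding oracle to worry about.
aead_count() {
  expand_ciphers "$1" | grep -c 'Mac=AEAD' || true
}

# The page's string, and a replacement that keeps only (EC)DHE key exchange
# with AES, AEAD suites first, and excludes anonymous, NULL, MD5, 3DES and RC4.
PAGE_CIPHERS='HIGH:!aNULL:!MD5'
HARDENED='ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!eNULL:!MD5:!3DES:!RC4'

# One-line report per string, used by the demo below.
report() {
  printf '%s\n  non-PFS=%s 3DES=%s AEAD=%s\n' "$1" \
    "$(non_pfs_count "$1")" "$(triple_des_count "$1")" "$(aead_count "$1")"
}

# Stand-alone demo: CIPHER_AUDIT_DEMO=1 sh cipher_audit.sh
if [ "${CIPHER_AUDIT_DEMO:-0}" = 1 ]; then
  report "$PAGE_CIPHERS"
  report "$HARDENED"
fi
```

The counts depend on the OpenSSL build doing the expansion, which is the point: run the audit against the openssl that nginx is linked with, not a different one on the administrator's workstation. Unknown keywords in a cipher string are silently ignored by OpenSSL, so a typo produces no error, only a different list; checking the expansion is the only way to see what a server will actually offer.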