This is a memo recording things learned through day-to-day work and things noticed in everyday life.
HTML file generated: 2025/01/14 09:02:48.430 (Taiwan Standard Time)
Build and install OpenSSL from pkgsrc (log abbreviated with "....."). The "Checking for vulnerabilities" step compares the package against the pkg-vulnerabilities database, which is only as good as its last update (pkg_admin fetch-pkg-vulnerabilities). Note also that the 1.1.1 branch, and so 1.1.1i, stopped receiving security fixes in September 2023; a new installation should use a supported branch.

# cd /usr/pkgsrc/security/openssl
# make install
=> Bootstrap dependency digest>=20010302: found digest-20190127
=> Checksum SHA1 OK for openssl-1.1.1i.tar.gz
=> Checksum RMD160 OK for openssl-1.1.1i.tar.gz
=> Checksum SHA512 OK for openssl-1.1.1i.tar.gz
===> Installing dependencies for openssl-1.1.1i
==========================================================================
The supported build options for openssl are:

        idea md2 mdc2 rc5 threads zlib

The currently selected options are:

        idea md2 mdc2 rc5 threads

You can select which build options to use by setting PKG_DEFAULT_OPTIONS
or the following variable.  Its current value is shown:

        PKG_OPTIONS.openssl (not defined)

==========================================================================
=> Tool dependency gmake>=3.81: found gmake-4.2.1nb1
=> Tool dependency perl>=5.0: found perl-5.32.0nb1
=> Build dependency cwrappers>=20150314: found cwrappers-20180325
===> Checking for vulnerabilities in openssl-1.1.1i
===> Overriding tools for openssl-1.1.1i
===> Extracting for openssl-1.1.1i
.....
=> Automatic manual page handling
=> Generating post-install file lists
=> Checking file-check results for openssl-1.1.1i
=> Creating binary package /data0/netbsd/pkgsrc/current/pkgsrc/security/openssl/work/.packages/openssl-1.1.1i.tgz
===> Building binary package for openssl-1.1.1i
=> Creating binary package /tmp/packages/All/openssl-1.1.1i.tgz
===> Installing binary package of openssl-1.1.1i
openssl-1.1.1i: copying /usr/pkg/share/examples/openssl/openssl.cnf to /usr/pkg/etc/openssl/openssl.cnf
# make clean
Generate a 4096-bit RSA private key, encrypted with AES-256-CBC under a passphrase (the "?" is the shell's continuation prompt; the runs of dots are keygen progress output):

% cd /somewhere/in/the/disk
% ls
% openssl genpkey -algorithm RSA -out server.key -aes-256-cbc \
? -pkeyopt rsa_keygen_bits:4096
..............................++++
........................................................................++++
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
% ls -l
total 1
-rw-------  1 daisuke  taiwan  3434 Jan 27 17:50 server.key

The private key server.key now exists, mode 0600, so only its owner can read it. Inspect it (output abbreviated):

% openssl rsa -noout -text -in server.key
Enter pass phrase for server.key:
RSA Private-Key: (4096 bit, 2 primes)
modulus:
.....
Create a self-signed certificate for that key:

% openssl req -new -x509 -nodes -sha384 -days 365 \
? -key server.key -out server.crt -extensions usr_cert
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taoyuan
Locality Name (eg, city) []:Jhongli
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXXXX
Organizational Unit Name (eg, section) []:XXXXX
Common Name (e.g. server FQDN or YOUR name) []:XXXXX
Email Address []:XXXXX@YYYYY.ZZZZZ
% ls -l
total 1
-rw-r--r--  1 daisuke  taiwan  2134 Jan 27 18:15 server.crt
-rw-------  1 daisuke  taiwan  3434 Jan 27 17:50 server.key

The self-signed certificate server.crt now exists. Two points about this command: -nodes only controls whether a newly generated key is encrypted and does nothing when an existing key is supplied with -key, which is why the passphrase is still requested; and -extensions usr_cert takes its extensions from the [usr_cert] section of openssl.cnf, which sets basicConstraints=CA:FALSE but adds no subjectAltName. Browsers match the hostname against the SAN, not the CN, so a certificate made this way produces a name-mismatch warning in addition to the expected untrusted-issuer one. Inspect the result (output abbreviated):

% openssl x509 -noout -text -in server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
.....
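As an added example (not code from this memo), the key and certificate steps above as a non-interactive script, followed by the checks worth running before the files go to httpd: that the certificate really carries this key's public half, that it names the host in a subjectAltName and is not flagged as a CA, and that the key file is readable by its owner only. It goes slightly beyond the page by adding the SAN and dropping the ineffective -nodes. The hostname www.example.test, the passphrase, the ./certs directory and the function names are placeholders of my own; nothing here touches /usr/pkg/etc/httpd.

```shell
#!/bin/sh
# Added example, not part of the original memo.  Hostname, passphrase and
# paths are hypothetical.  Requires the openssl command (1.1.1 or newer
# for -addext).

# Encrypted RSA key as on the page, passphrase supplied instead of prompted.
#   $1 = key file, $2 = key size in bits, $3 = passphrase
make_key() {
  openssl genpkey -algorithm RSA -aes-256-cbc -out "$1" \
    -pkeyopt "rsa_keygen_bits:$2" -pass "pass:$3" 2>/dev/null \
  && chmod 600 "$1"
}

# Self-signed certificate.  Compared with the page's command, -nodes is
# dropped (it only matters when a key is generated, so it had no effect)
# and a subjectAltName is added: browsers match the hostname against SAN,
# not CN, so a certificate without one fails as a name mismatch.
#   $1 = key file, $2 = certificate file, $3 = hostname, $4 = passphrase
make_cert() {
  openssl req -new -x509 -sha384 -days 365 -extensions usr_cert \
    -key "$1" -passin "pass:$4" \
    -subj "/C=TW/ST=Taoyuan/L=Jhongli/O=Example/CN=$3" \
    -addext "subjectAltName=DNS:$3" \
    -out "$2" 2>/dev/null
}

# Check 1: the certificate carries exactly this key's public half.
# Both commands print the SubjectPublicKeyInfo as PEM, so a string
# comparison is enough.
#   $1 = key file, $2 = certificate file, $3 = passphrase
key_matches_cert() {
  k=$(openssl rsa -in "$1" -passin "pass:$3" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: the SAN names the host and the cert is not marked as a CA
# (usr_cert sets basicConstraints=CA:FALSE; the v3_ca default would not).
#   $1 = certificate file, $2 = hostname
cert_ok_for_host() {
  t=$(openssl x509 -in "$1" -noout -text) || return 1
  printf '%s\n' "$t" | grep -q "DNS:$2" \
    && printf '%s\n' "$t" | grep -q 'CA:FALSE'
}

# Check 3: the key file is readable by its owner only (-rw-------).
#   $1 = key file
key_is_private() {
  [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Run the whole sequence inside a directory; 0 only if every check passes.
# Runs in a subshell so the caller's working directory is untouched.
#   $1 = directory, $2 = hostname, $3 = passphrase, $4 = key size in bits
provision() (
  cd "$1" || exit 1
  make_key server.key "$4" "$3" \
    && make_cert server.key server.crt "$2" "$3" \
    && key_matches_cert server.key server.crt "$3" \
    && cert_ok_for_host server.crt "$2" \
    && key_is_private server.key
)

# Usage: sh make_cert.sh run   (writes server.key and server.crt into ./certs)
if [ "${1:-}" = run ]; then
  mkdir -p certs \
    && provision certs www.example.test 'MY_PASSPHRASE' 4096 \
    && echo "certs/server.key and certs/server.crt OK"
fi
```

The key-to-certificate comparison is the check to keep: it catches the classic mistake of pointing SSLCertificateKeyFile at a key that was regenerated after the certificate was issued, which httpd only reports at startup as a "key values mismatch" error.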
Build and install Apache httpd 2.4 from pkgsrc. Note SSLBASE = /usr: mod_ssl is built against the OpenSSL under /usr (the base system's), not the copy just installed under /usr/pkg. TLS 1.3, and the SSLCipherSuite TLSv1.3 syntax used below, need that library to be OpenSSL 1.1.1 or newer.

# cd /usr/pkgsrc/www/apache24
# make install
=> Bootstrap dependency digest>=20010302: found digest-20190127
=> Checksum SHA1 OK for httpd-2.4.46.tar.bz2
=> Checksum RMD160 OK for httpd-2.4.46.tar.bz2
=> Checksum SHA512 OK for httpd-2.4.46.tar.bz2
===> Installing dependencies for apache-2.4.46nb2
==========================================================================
The supported build options for apache are:

        apache-managed-domain-handling apache-mpm-event apache-mpm-prefork
        apache-mpm-worker brotli http2 lua suexec xml

The currently selected options are:

        apache-mpm-event apache-mpm-prefork apache-mpm-worker brotli http2 xml

You can select which build options to use by setting PKG_DEFAULT_OPTIONS
or the following variable.  Its current value is shown:

        PKG_OPTIONS.apache (not defined)

==========================================================================
==========================================================================
The following variables will affect the build process of this package,
apache-2.4.46nb2.  Their current value is shown below:

        * APACHE_MODULES = all
        * IPV6_READY = YES
        * SSLBASE = /usr
        * SSLCERTS = /etc/openssl/certs
        * SSLDIR = /etc/openssl
        * SSLKEYS = /etc/openssl/private
        * VARBASE = /var

Based on these variables, the following variables have been set:

        * TERMCAP_TYPE = termcap

You may want to abort the process now with CTRL-C and change the value
of variables in the first group before continuing.  Be sure to run
`/usr/bin/make clean' after the changes.
==========================================================================
=> Tool dependency libtool-base>=2.4.2nb9: found libtool-base-2.4.6nb2
=> Tool dependency perl>=5.0: found perl-5.32.0nb1
=> Tool dependency pkgconf-[0-9]*: found pkgconf-1.7.3
=> Build dependency cwrappers>=20150314: found cwrappers-20180325
=> Full dependency apr>=1.5.0: found apr-1.7.0nb1
=> Full dependency apr-util>=1.6.1nb6: found apr-util-1.6.1nb8
=> Full dependency pcre>=8.30nb1: found pcre-8.44
=> Full dependency nghttp2>=1.40.0nb4: found nghttp2-1.42.0nb1
=> Full dependency libxml2>=2.9.10nb3: found libxml2-2.9.10nb3
=> Full dependency brotli>=1.0.1: found brotli-1.0.9
=> Full dependency readline>=6.0: found readline-8.0
===> Checking for vulnerabilities in apache-2.4.46nb2
===> Overriding tools for apache-2.4.46nb2
===> Extracting for apache-2.4.46nb2
.....
===========================================================================
The following files should be created for apache-2.4.46nb2:

        /etc/rc.d/apache (m=0755)
            [/usr/pkg/share/examples/rc.d/apache]

===========================================================================
===========================================================================
$NetBSD: MESSAGE,v 1.2 2014/02/22 17:28:34 ryoon Exp $

After apache-2.4.3, --enable-mpms-shared='event worker prefork' is passed
to configure script, then these multi-process model is built and you can
select the model in configuraton file.

The mod_cgi.so module conflicts with non-prefork multi-process model, and
mod_cgi.so module is not built anymore.  You can use mod_cgid.so module
instead.
===========================================================================
# make clean
Back up and edit the main configuration and the userdir configuration:

# cd /usr/pkg/etc/httpd
# cp -pi httpd.conf httpd.conf.orig
# vi httpd.conf
# cp -pi httpd-userdir.conf httpd-userdir.conf.orig
# vi httpd-userdir.conf
Start httpd once to confirm that it runs, then stop it again before going on to TLS. The parent process stays root (it binds the ports and, later, reads the private key); the worker processes run as www.

# ps auxww | grep httpd
root  22552  0.0  0.0   15012    48 pts/25 R+   6:35PM 0:00.00 grep httpd
# /usr/pkg/sbin/apachectl start
# ps auxww | grep httpd
www   19714  0.0  0.0 3189776  3856 ?      Sl   6:35PM 0:00.00 /usr/pkg/sbin/httpd -k start
www   24052  0.0  0.0 3189776  3792 ?      Sl   6:35PM 0:00.00 /usr/pkg/sbin/httpd -k start
root  26030  0.0  0.0   88880  3864 ?      Ss   6:35PM 0:00.00 /usr/pkg/sbin/httpd -k start
www   28793  0.0  0.0 3189776  3788 ?      Sl   6:35PM 0:00.00 /usr/pkg/sbin/httpd -k start
root  23667  0.0  0.0    5472    52 pts/25 R+   6:35PM 0:00.00 grep httpd
# /usr/pkg/sbin/apachectl stop
# ps auxww | grep httpd
root    983  0.0  0.0   15596    48 pts/25 R+   6:38PM 0:00.00 grep httpd
Enable mod_ssl in httpd.conf, together with mod_socache_shmcb (the session cache that httpd-ssl.conf's SSLSessionCache setting uses) and the include of httpd-ssl.conf:

# cd /usr/pkg/etc/httpd
# cp -pi httpd.conf httpd.conf.notls
# vi httpd.conf
# diff httpd.conf.notls httpd.conf
91c91
< #LoadModule socache_shmcb_module lib/httpd/mod_socache_shmcb.so
---
> LoadModule socache_shmcb_module lib/httpd/mod_socache_shmcb.so
148c148
< #LoadModule ssl_module lib/httpd/mod_ssl.so
---
> LoadModule ssl_module lib/httpd/mod_ssl.so
523c523
< #Include etc/httpd/httpd-ssl.conf
---
> Include etc/httpd/httpd-ssl.conf
Next, edit httpd-ssl.conf so that only TLS 1.3 is accepted, restricted to the three TLS 1.3 AEAD suites:

# cd /usr/pkg/etc/httpd
# cp -pi httpd-ssl.conf httpd-ssl.conf.orig
# vi httpd-ssl.conf
# diff httpd-ssl.conf.orig httpd-ssl.conf
52,53c52,55
< SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
< SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
---
> #SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
> SSLCipherSuite TLSv1.3 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
> #SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
> SSLProxyCipherSuite TLSv1.3 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
79,80c81,84
< SSLProtocol all -SSLv3
< SSLProxyProtocol all -SSLv3
---
> #SSLProtocol all -SSLv3
> SSLProtocol -all +TLSv1.3
> #SSLProxyProtocol all -SSLv3
> SSLProxyProtocol -all +TLSv1.3
125,126c129,132
< ServerName www.example.com:443
< ServerAdmin you@example.com
---
> #ServerName www.example.com:443
> ServerName aaa.bbb.ccc.ddd:443
> #ServerAdmin you@example.com
> ServerAdmin XXXXX@YYYYY.ZZZZZ

SSLProtocol -all +TLSv1.3 disables every older version, and the SSLCipherSuite TLSv1.3 form sets the TLS 1.3 cipher suite list; both need httpd 2.4.36 or later linked against OpenSSL 1.1.1 or later. Clients without TLS 1.3 support cannot connect at all, so confirm that is acceptable for the intended audience. The SSLProxyCipherSuite and SSLProxyProtocol lines only matter when mod_ssl acts as the client side of a proxied connection (SSLProxyEngine on); keeping them in step is harmless here.
The key and certificate must be where httpd-ssl.conf points, so copy server.key and server.crt from /somewhere/in/the/disk into /usr/pkg/etc/httpd, keeping server.key at mode 0600 (ideally root-owned: httpd reads it as root at startup, and the www worker processes never need it). The relevant defaults in httpd-ssl.conf:

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile "/usr/pkg/etc/httpd/server.key"

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
SSLCertificateFile "/usr/pkg/etc/httpd/server.crt"
Start httpd again. Because server.key is encrypted, mod_ssl asks for the passphrase on the console:

# /usr/pkg/sbin/apachectl start
Apache/2.4.46 mod_ssl (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Private key 127.0.0.1:443:0 (/usr/pkg/etc/httpd/server.key)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
That prompt would come back at every start and, as the comment in httpd-ssl.conf notes, at every kill -HUP, which rules out unattended restarts. mod_ssl can instead obtain the passphrase from a program (SSLPassPhraseDialog exec:). Create echo_passphrase.sh in /somewhere/in/the/disk with this content:

#!/bin/sh
echo 'MY_PASSPHRASE'

Be clear about what this buys: the passphrase now sits in plaintext on the same host, so anyone who can read the script can decrypt the key, and the encryption only protects copies of server.key that travel without the script (backups, for example). Keep the script root-owned and mode 0700, and treat it with the same care as the key itself.
Restrict the script's permissions and point httpd-ssl.conf at it:

# cd /usr/pkg/etc/httpd
# chmod 700 /somewhere/in/the/disk/echo_passphrase.sh
# cp -pi httpd-ssl.conf httpd-ssl.conf.20210127
# vi httpd-ssl.conf
# diff httpd-ssl.conf.20210127 httpd-ssl.conf
90c90,91
< SSLPassPhraseDialog builtin
---
> #SSLPassPhraseDialog builtin
> SSLPassPhraseDialog exec:/somewhere/in/the/disk/echo_passphrase.sh
To redirect plain http to https, first enable mod_rewrite in httpd.conf:

# cd /usr/pkg/etc/httpd
# cp -pi httpd.conf httpd.conf.20210127
# vi httpd.conf
# diff httpd.conf.20210127 httpd.conf
173c173
< #LoadModule rewrite_module lib/httpd/mod_rewrite.so
---
> LoadModule rewrite_module lib/httpd/mod_rewrite.so
Then add a port-80 virtual host to httpd-ssl.conf that redirects every request:

# cd /usr/pkg/etc/httpd
# cp -pi httpd-ssl.conf httpd-ssl.conf.20210127_2
# vi httpd-ssl.conf
# diff httpd-ssl.conf.20210127_2 httpd-ssl.conf
125a126,131
> <VirtualHost *:80>
> RewriteEngine On
> RewriteCond %{HTTPS} off
> RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
> </VirtualHost>
>

After restarting Apache, http requests are answered with a 301 redirect to the https URL. Inside a *:80 virtual host %{HTTPS} is always off, so the RewriteCond is redundant but harmless. %{HTTP_HOST} echoes whatever Host header the client sent; for a single-name server it is simpler, and needs no mod_rewrite, to redirect to the fixed name with mod_alias (Redirect permanent "/" "https://aaa.bbb.ccc.ddd/").
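As an added example (not code from this memo), probes to run against the server once it is up, covering both the TLS 1.3-only policy set in httpd-ssl.conf above and the http-to-https redirect: a TLS 1.3 handshake must succeed with one of the three configured suites, a TLS 1.2 handshake must be refused, and port 80 must answer 301 with an https:// Location. Host and port are arguments; the function names are mine, the redirect check assumes curl is installed, and the demo at the bottom uses a local openssl s_server with the same policy as a stand-in for httpd so the TLS checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original memo.  Requires openssl 1.1.1 or
# newer (TLS 1.3); redirect_ok additionally assumes curl.

# One handshake pinned to a protocol version; prints the summary line
# s_client emits ("New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384", or
# "New, (NONE), Cipher is (NONE)" when the server refuses the version).
# s_client sends the -connect host as SNI by default, which is what a
# name-based httpd virtual host needs.
#   $1 = host, $2 = port, $3 = version flag (-tls1_2 or -tls1_3)
handshake_line() {
  openssl s_client -connect "$1:$2" "$3" </dev/null 2>/dev/null \
    | grep '^New, ' | head -n 1
}

# 0 if the summary line says this protocol version was negotiated.
#   $1 = summary line, $2 = version label (TLSv1.2, TLSv1.3)
negotiated() { case "$1" in "New, $2,"*) return 0 ;; *) return 1 ;; esac; }

# 0 if the summary line shows one of the three suites configured on the page.
#   $1 = summary line
suite_allowed() {
  case "$1" in
    *'Cipher is TLS_AES_256_GCM_SHA384'*) return 0 ;;
    *'Cipher is TLS_CHACHA20_POLY1305_SHA256'*) return 0 ;;
    *'Cipher is TLS_AES_128_GCM_SHA256'*) return 0 ;;
  esac
  return 1
}

# 0 if the server speaks TLS 1.3 with an allowed suite and refuses TLS 1.2
# (and so everything older: SSLProtocol -all +TLSv1.3 leaves nothing below).
#   $1 = host, $2 = port
tls13_only() {
  l13=$(handshake_line "$1" "$2" -tls1_3)
  l12=$(handshake_line "$1" "$2" -tls1_2)
  negotiated "$l13" TLSv1.3 && suite_allowed "$l13" && ! negotiated "$l12" TLSv1.2
}

# 0 if plain HTTP answers 301 with an https:// Location for the same host.
#   $1 = host, $2 = plain-HTTP port (default 80)
redirect_ok() {
  r=$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' "http://$1:${2:-80}/") || return 1
  case "$r" in "301 https://$1"*) return 0 ;; esac
  return 1
}

# Demo: throwaway self-signed cert plus an s_server on 127.0.0.1 with the
# page's policy (TLS 1.3 only, same three suites), then the TLS checks.
# Runs in a subshell; the server is killed and the temp dir removed on exit.
#   $1 = port to listen on
demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
    -keyout k.pem -out c.pem 2>/dev/null || exit 1
  openssl s_server -accept "127.0.0.1:$1" -cert c.pem -key k.pem -tls1_3 \
    -ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 \
    -www >/dev/null 2>&1 &
  pid=$!
  i=0   # wait (up to ~10 s) until the stand-in server accepts a TLS 1.3 handshake
  while [ "$i" -lt 10 ] && ! negotiated "$(handshake_line 127.0.0.1 "$1" -tls1_3)" TLSv1.3; do
    i=$((i + 1)); sleep 1
  done
  if tls13_only 127.0.0.1 "$1"; then rc=0; else rc=1; fi
  kill "$pid" 2>/dev/null || true
  cd / && rm -rf "$d"
  exit "$rc"
)

# Usage: sh tls13_check.sh demo           (local stand-in on port 14433)
#        sh tls13_check.sh HOST [PORT]    (probe a real server, then port 80)
case "${1:-}" in
  demo) demo 14433 && echo "TLS 1.3 only: OK" ;;
  '') ;;
  *) tls13_only "$1" "${2:-443}" && echo "TLS 1.3 only: OK"
     redirect_ok "$1" && echo "http -> https redirect: OK" ;;
esac
```

The TLS 1.2 probe is the one that catches misconfiguration: a server that still accepts TLS 1.2 passes every "does TLS 1.3 work" test, so always check the version you intended to turn off, not only the one you turned on.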