Mantenimiento de servicios en uiharu (KVM, nginx/websocekts, etc)
Wednesday, 11 December 2019, 10:03:19 am
Activo el SSL/TLS del servidor nginx de uiharu con un certificado self-signed Siguiendo esta guía.
dario@uiharu:~$ su Contraseña: root@uiharu:/home/dario# cd /etc/nginx/ root@uiharu:/etc/nginx# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/nginx/nginx-selfsigned.key -out /etc/nginx/nginx-selfsigned.crt Generating a 2048 bit RSA private key ..................+++ .................................+++ writing new private key to '/etc/nginx/nginx-selfsigned.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:ES State or Province Name (full name) [Some-State]:Madrid Locality Name (eg, city) []:Alcobendas Organization Name (eg, company) [Internet Widgits Pty Ltd]:SICOSOFT Organizational Unit Name (eg, section) []:IT Common Name (e.g. server FQDN or YOUR name) []:3.0.1.3 Email Address []:dariorodriguez@sicosoft.es root@uiharu:/etc/nginx# openssl dhparam -out /etc/nginx/dhparam.pem 4096 Generating DH parameters, 4096 bit long safe prime, generator 2 This is going to take a long time ... root@uiharu:/etc/nginx# cd snippets/ root@uiharu:/etc/nginx/snippets# ls fastcgi-php.conf snakeoil.conf root@uiharu:/etc/nginx/snippets# cat >self-signed.conf <<'EOF' ssl_certificate /etc/nginx/nginx-selfsigned.crt; ssl_certificate_key /etc/nginx/nginx-selfsigned.key; EOF root@uiharu:/etc/nginx/snippets# cat >ssl-params.conf <<'EOF' ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on; ssl_dhparam /etc/nginx/dhparam.pem; ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 ssl_session_timeout 10m; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; # Requires nginx >= 1.5.9 ssl_stapling on; # Requires nginx >= 1.3.7 ssl_stapling_verify on; # Requires nginx => 1.3.7 resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; # Disable strict transport security for now. You can uncomment the following # line if you understand the implications. # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; EOF root@uiharu:/etc/nginx/snippets# cd ../conf.d/ root@uiharu:/etc/nginx/conf.d# sed -i "/^server/alisten 443 ssl;\nlisten [::]:443 ssl;\ninclude snippets/self-signed.conf;\ninclude snippets/ssl-params.conf;" default.conf root@uiharu:/etc/nginx/conf.d# /etc/init.d/nginx restart [ ok ] Restarting nginx: nginx. root@uiharu:/etc/nginx/conf.d# exit
Descripción del proyecto
En uiharu se tienen unas máquinas virtuales KVM gestionadas por el virt-manager y un servidor nginx con websockets para las pruebas de los carteles.
Esta página documenta las modificaciones a dichos sistemas.