Reverse proxy with Squid

Updated 2015-08-09 (Sun) 05:43:44

Configuration

Set up a reverse proxy with squid. Communication from the PC to Squid is over http or https; from Squid to the web server (IIS) it is over http.

The client PC was Windows 7, but WebDAV authentication did not work from Explorer. It worked from IE and from the WebDAV client Cyberduck. Explorer is lousy.

          :80 ----------------------+                 +-------------+
    ---------|squid (Name: pound)   |                 |             |
             |                      |192.168.10.XX    |  Win2012R2  |
 192.168.55.1|                      |-----------------| IIS(WebDAV) |
         :443|                      | 192.168.10.60:80| Windows auth|
    ---------|                      |                 |             |
              ----------------------+                 +-------------+

squid.conf settings

Squid was installed with rpm from squid-3.1.23-1vl6.x86_64.

/etc/squid/squid.conf

# Squid normally listens to port 3128
## http_port 3128

## --------- add the following

visible_hostname pound  ← computer name (not required)

http_port 192.168.55.1:80 accel defaultsite=192.168.10.60  ← http from clients
https_port 443 accel cert=/usr/local/etc/squid-ssl/newcert.pem \
key=/usr/local/etc/squid-ssl/private.key defaultsite=192.168.10.60 \
protocol=http  ← https from clients
         ^^^^ https→http conversion (TLS ends at Squid; the backend is reached over plain http)
cache_peer 192.168.10.60 parent 80 0 no-query originserver login=PASS
                                                          ^^^^^^^^^^ forward the client's credentials to IIS (Windows authentication); on the port-80 listener they cross the client leg unencrypted
## --------- end of additions

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/cache/squid 100 16 256

Creating the SSL certificate

Install the following beforehand

# apt-get install openssl-devel

# apt-get install openssl-perl

Creating the private key

Create the directory to store it in

# mkdir -p /usr/local/etc/squid-ssl
# cd /usr/local/etc/squid-ssl
# openssl genrsa -des3 -out private.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................+++
..............+++
e is 65537 (0x10001)
Enter pass phrase for private.key:
Verifying - Enter pass phrase for private.key:

Checking the private key

# openssl rsa -text -noout -in private.key
Enter pass phrase for private.key:
Private-Key: (2048 bit)
modulus:
    00:a5:b7:88:b9:84:83:f0:75:23:dc:2d:b7:93:8a:
    27:01:6b:b2:f6:0a:f8:0f:e5:cd:6e:a9:12:86:54:
    6d:94:c9:5c:51:79:47:cb:9c:94:f6:b6:6e:19:e9:

(omitted)

Generating the CSR

# openssl req -new -key private.key -out csr.pem
Enter pass phrase for private.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Mie
Locality Name (eg, city) []:Ise
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ISM21
Organizational Unit Name (eg, section) []:ISM21
Common Name (e.g. server FQDN or YOUR name) []:pound.ism21.net
Email Address []:okada@ism21.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Checking the CSR

# openssl req -text -noout -in csr.pem
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=JP, ST=Mie, L=Ise, O=ISM21, OU=ISM21, CN=pound.ism21.net/emailAddress=okada@ism21.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                   00:a5:b7:88:b9:84:83:f0:75:23:dc:2d:b7:93:8a:
                   27:01:6b:b2:f6:0a:f8:0f:e5:cd:6e:a9:12:86:54:
                   6d:94:c9:5c:51:79:47:cb:9c:94:f6:b6:6e:19:e9:
(omitted)

        86:07:93:6c:2b:d5:b1:60:de:42:c2:52:09:66:9a:21:7a:fb:
        8e:20:93:0f

# ls
csr.pem  private.key

Removing the passphrase from the private key

# cp -p private.key private.key.passphrased
# openssl rsa -in private.key -out private.key
Enter pass phrase for private.key:
writing RSA key

Confirm that the passphrase has been removed from the private key

Confirm that you are no longer prompted for a password (there is no "Enter pass phrase for private.key:" line)

# openssl rsa -text -noout -in private.key
Private-Key: (2048 bit)
modulus:
   00:a5:b7:88:b9:84:83:f0:75:23:dc:2d:b7:93:8a:
   27:01:6b:b2:f6:0a:f8:0f:e5:cd:6e:a9:12:86:54:
(omitted)

Creating the certificate

# openssl x509 -in csr.pem -out newcert.pem -req -signkey private.key -days 365
Signature ok
subject=/C=JP/ST=Mie/L=Ise/O=ISM21/OU=ISM21/CN=pound.ism21.net/emailAddress=okada@ism21.net
Getting Private key

Checking the certificate

# openssl x509 -text -noout -in newcert.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 12279140036195989902 (0xaa6844ce24bd398e)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, ST=Mie, L=Ise, O=ISM21, OU=ISM21, CN=pound.ism21.net/emailAddress=okada@ism21.net
        Validity
            Not Before: Aug  7 14:13:27 2015 GMT
            Not After : Aug  6 14:13:27 2016 GMT
        Subject: C=JP, ST=Mie, L=Ise, O=ISM21, OU=ISM21, CN=pound.ism21.net/emailAddress=okada@ism21.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                   00:a5:b7:88:b9:84:83:f0:75:23:dc:2d:b7:93:8a:
                   27:01:6b:b2:f6:0a:f8:0f:e5:cd:6e:a9:12:86:54:
                   6d:94:c9:5c:51:79:47:cb:9c:94:f6:b6:6e:19:e9:

(omitted)
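The key, CSR, passphrase-removal and self-signing steps above, as an added script that is not part of the original page: it runs the same openssl commands non-interactively, writes the newcert.pem and private.key that the https_port line in squid.conf points at, and then performs the check the page does by eye (the modulus in the key and in the certificate must match, and the key must no longer be encrypted). The throwaway passphrase, the DN fields and the output directory are assumptions; it also signs with SHA-256 rather than the sha1WithRSAEncryption shown in the output above.

```shell
#!/bin/sh
# Added example, not from the original page: reproduce the key/CSR/certificate
# steps non-interactively, producing the newcert.pem and private.key that
# the https_port line in squid.conf points at, then verify the result.
# The throwaway passphrase and the DN fields are assumptions; set DIR and CN
# for your own host.
set -eu

make_squid_cert() {
    dir=$1                        # e.g. /usr/local/etc/squid-ssl
    cn=$2                         # Common Name, e.g. pound.ism21.net
    pass=${3:-temp-passphrase}    # assumed throwaway passphrase, removed in step 3
    mkdir -p "$dir"
    # 1. encrypted private key (the genrsa -des3 step, passphrase on the command line)
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/private.key" 2048 2>/dev/null
    # 2. CSR with the DN given via -subj instead of answering the prompts
    openssl req -new -key "$dir/private.key" -passin "pass:$pass" \
        -subj "/C=JP/ST=Mie/L=Ise/O=ISM21/OU=ISM21/CN=$cn" -out "$dir/csr.pem"
    # 3. keep an encrypted copy, then strip the passphrase so squid can load the key
    cp -p "$dir/private.key" "$dir/private.key.passphrased"
    openssl rsa -in "$dir/private.key" -passin "pass:$pass" -out "$dir/private.key" 2>/dev/null
    # 4. self-signed certificate; -sha256 replaces the SHA-1 default seen on the page
    openssl x509 -req -in "$dir/csr.pem" -signkey "$dir/private.key" -days 365 -sha256 \
        -out "$dir/newcert.pem" 2>/dev/null
}

# Returns 0 only if private.key is unencrypted and newcert.pem was issued for it.
verify_squid_cert() {
    dir=$1
    # an encrypted PEM key still carries ENCRYPTED in its header lines
    if grep -q ENCRYPTED "$dir/private.key"; then
        echo "private.key still has a passphrase" >&2
        return 1
    fi
    key_mod=$(openssl rsa -noout -modulus -in "$dir/private.key")
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/newcert.pem")
    if [ "$key_mod" != "$crt_mod" ]; then
        echo "newcert.pem does not match private.key" >&2
        return 1
    fi
    openssl x509 -noout -subject -dates -in "$dir/newcert.pem"
}

# Run directly: sh mkcert.sh /usr/local/etc/squid-ssl pound.ism21.net
if [ $# -ge 2 ]; then
    make_squid_cert "$1" "$2"
    verify_squid_cert "$1"
fi
```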

References

