2006-11-12

squid で SSL Reverse Proxy

ちゃんとしたサービス時にはちゃんとSSL証明書は取るけど
ひとまずこんなんでよさそう

Reverse Proxyのことや、なんでssl reverse proxyなんてやるのかは
ほかで調べてみてくださいまし・・

2006-11-12

■OPENSSLインストール

wget http://www.openssl.org/source/openssl-0.9.8d.tar.gz
tar xzvf openssl-0.9.8d.tar.gz
cd openssl-0.9.8d
./config
make
make install

2006-11-12

■証明書作成

2006-11-12

■パスフレーズで保護された秘密鍵を生成

bin/openssl genrsa -des 1024 > private/key.pem
--------------------
1112 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.+++++
..............+++++
e is 65537 (0x10001)
Enter PEM pass phrase:（パスフレーズ入力）
Verifying password - Enter PEM pass phrase:（パスフレーズ再入力）
--------------------

2006-11-12

■鍵からパスフレーズを削除

bin/openssl rsa -in private/key.pem -out private/key.pem
--------------------
read RSA private key
Enter PEM pass phrase:（パスフレーズ入力）
writing RSA private key
--------------------

2006-11-12

■CSR(サイト証明書を発行するためのリクエスト作成)

bin/openssl req -new -days 365 -key private/key.pem -out csr.pem
--------------------
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) :Shibuya-ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:hogege,ltd.
Organizational Unit Name (eg, section) :hogege division
Common Name (eg, YOUR name) :hogege.net
Email Address :(そのままリターン)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :(そのままリターン)
An optional company name :(そのままリターン)
--------------------

2006-11-12

■認証局を使わず、自分で署名する場合

bin/openssl x509 -in csr.pem -out certs/cert.pem -req -signkey private/key.pem -days 365

2006-11-12

■squid install

cd /wget http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE14.tar.gz
tar xzvf squid-2.5.STABLE14.tar.gz
cd squid-2.5.STABLE14

./configure --enable-err-language=Japanese --disable-internal-dns --enable-ssl
cp /usr/local/squid/etc/squid.conf /squid.conf
make;make install

vi /usr/local/squid/etc/squid.conf
--------------------
cache_dir ufs /var/cache/squid 100 16 256
cache_effective_user squid
visible_hostname hogege.net
httpd_accel_host 192.168.1.1(自分自身のIPとかアプリが動いているサーバとか)
httpd_accel_port 80
httpd_accel_single_host on
httpd_accel_with_proxy on
httpd_accel_uses_host_header off

https_port 443 cert=/usr/local/ssl/certs/cert.pem key=/usr/local/ssl/private/key.pem
acl SSL_ports port 443

acl all src 0.0.0.0/0.0.0.0
http_access allow all

coredump_dir /var/cache/squid
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
--------------------

/usr/local/squid/sbin/squid -z
chown -R squid /usr/local/squid/var/logs; chgrp -R squid /usr/local/squid/var/logs
/usr/local/squid/sbin/squid -z

2006-11-12

■squid起動

/usr/local/squid/bin/RunCache &
(rc.localにでもほりこんでおけばいいとおもう)