Dreaming of a second outlook on life as a non-engineer

Posted
Filed under Study

https://github.com/bombadil/mod_proxy_msrpc

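Building on the reverse proxy setup from my earlier post (http://blog.sooli.com/641): just install this module and add the single line OutlookAnywherePassthrough On, and RPC over HTTPS works through the proxy to the Exchange server, alongside all the other SSL sites.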

<VirtualHost *:443>
    OutlookAnywherePassthrough On
.
.
.
.
.
</VirtualHost>

If you have two or more CAS servers for NLB, configure the following in proxy.conf:

<Proxy balancer://Exchange>
    BalancerMember https://cas1.domain.net route=1
    BalancerMember https://cas2.domain.net route=2

    AllowOverride None
    Order allow,deny
    allow from all
</Proxy>

With that in place, point the <VirtualHost *:443> configuration at the balancer group name to get load balancing:

ProxyPass / balancer://Exchange/ stickysession=ROUTEID
ProxyPassReverse / balancer://Exchange/

The Apache reverse proxy seems a bit easier to configure than HAProxy.

2017/12/16 05:22
Posted
Filed under Study

Exporting SSL certificates from Windows to Linux

First, you have to get the certificate and key out of Windows in a pfx (PKCS #12) format.

  • Click Start, Run, then type “mmc” and hit enter.
  • In the leftmost menu, choose “Add/Remove Snap In”.
  • Click “Add”, then click “Certificates”, then OK.
  • When the wizard starts, choose “Computer Account”, “Local Computer” and finish out the wizard.
  • Once you’re finished, get back to the MMC and expand the “Certificates” node, then the “Personal” node.
  • Click on the “Certificates” node under “Personal” and find your certificate in the right pane.
  • Right click on the certificate and choose “All Tasks”, then “Export”.
  • When the wizard starts, choose “Yes” for exporting the private key, then select ONLY “Strong Private Key Protection” from the PFX section. You will also need to set a password and specify a location for the PFX file.
  • Once the PFX file has been saved, close out the MMC (don’t save the snap-in if it asks).
  • Get the PFX over to the Linux server somehow.

Once the PFX makes it over to the Linux server, you have to decrypt the PFX into a plaintext PEM file (PFX files are binary and can’t be viewed in a text editor):

openssl pkcs12 -in file.pfx -out file.pem

You will be asked for the password for the PFX (which is the one you set in the Windows wizard). Once you enter that, you will be asked for a new password. This new password is used to encrypt the private key. You cannot proceed until you enter a password that is 4 characters or longer. REMEMBER this password!

When this step is complete, you should have a PEM file that you can read in a text editor. Open the file in a text editor and copy the private key and certificate to different files. Remember to keep the dashed lines intact when you copy the certificates – this is important. There is some additional text above the key, and also between the key and certificate – this text should be ignored and should not be included in the certificate and key files.

Now that you have the key and certificate separated, you need to decrypt the private key (or face the wrath of Apache every time you restart the server). You can decrypt the private key like this:

openssl rsa -in file.key -out file.key

Yes, provide the same file name twice and it will decrypt the key onto itself, keeping everything in one file. OpenSSL will ask for a password to decrypt the key, and this is the password you set when you decrypted the PFX. If you forgot the password, you will need to start over from when you brought it over from the Windows box.

After this entire process, you will have four files: a PFX, a PEM, a KEY, and a CRT. Throw away the PFX and PEM, and use the key and certificate files to install into Apache. In case you forget the syntax, here’s what goes in the Apache configuration:

SSLEngine On
SSLCertificateFile /path/to/your/certificate
SSLCertificateKeyFile /path/to/your/privatekey
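
The key/certificate split described above can also be done without copying blocks out of the PEM by hand. The script below is an added example, not part of the original post: it builds a constructed throwaway PFX so it runs offline, reads the PFX password from a PFX_PASS environment variable (an assumption of this example, as are the function names), and confirms that the extracted key belongs to the certificate before the files go into Apache.

```shell
#!/bin/sh
# Added example: split a PFX into key + certificate without hand-editing a PEM.
# File names, CN and password are constructed for the demo.
set -eu

# Stand-in for the PFX exported from the Windows wizard (self-signed, throwaway).
make_sample_pfx() {   # $1 = work dir; password is read from $PFX_PASS
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=host.domain.com" \
        -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
        -out "$1/file.pfx" -passout env:PFX_PASS
    rm -f "$1/src.key" "$1/src.crt"
}

# Write the unencrypted key and the leaf certificate as separate files.
split_pfx() {         # $1 = PFX path, $2 = output dir
    old_umask=$(umask)
    umask 077         # the decrypted key must be readable by its owner only
    # Piping through pkey/x509 re-encodes the object and drops the
    # "Bag Attributes" text that pkcs12 prints around it.
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes |
        openssl pkey -out "$2/file.key"
    umask "$old_umask"
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys |
        openssl x509 -out "$2/file.crt"
}

# True only when the certificate's public key belongs to the private key.
key_matches_cert() {  # $1 = key file, $2 = certificate file
    key_pub=$(openssl pkey -in "$1" -pubout)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
    # Guard against two failed reads comparing equal as empty strings.
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

run_demo() {          # $1 = work dir
    make_sample_pfx "$1" && split_pfx "$1/file.pfx" "$1" &&
        key_matches_cert "$1/file.key" "$1/file.crt"
}

PFX_PASS="constructed-demo-password"; export PFX_PASS
demo_dir=$(mktemp -d)
run_demo "$demo_dir" && echo "file.key matches file.crt in $demo_dir"
```

For a real export, skip make_sample_pfx and call split_pfx on the file copied from Windows. The output directory holds an unencrypted private key, so keep it off shared paths and delete the demo directory afterwards.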



<VirtualHost *:443>
    ServerName host.domain.com
    SSLEngine On
    SSLProxyEngine On
    ProxyRequests Off
    ProxyPreserveHost On
    SSLCertificateFile /etc/apache2/ssl/domain.pem
    SSLCertificateKeyFile /etc/apache2/ssl/domain-private.key 
    ProxyPass / https://192.168.1.14/
    ProxyPassReverse / https://192.168.1.14/
</VirtualHost>

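There are two approaches. The configuration above accepts https and forwards it to the backend as https; the one below takes http from the backend and delivers it to the end user as https. In other words, having the proxy act purely as an SSL bridge in the middle is another way to set up an SSL site. It also means the intermediate proxy can provide the SSL connection even when no SSL site is configured on the server itself.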

Listen 443

NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine On
    # Set the path to SSL certificate
    # Usage: SSLCertificateFile /path/to/cert.pem
    SSLCertificateFile /etc/apache2/ssl/file.pem

    # Servers to proxy the connection, or;
    # List of application servers:
    # Usage:
    # ProxyPass / http://[IP Addr.]:[port]/
    # ProxyPassReverse / http://[IP Addr.]:[port]/
    # Example:
    ProxyPass / http://0.0.0.0:8080/
    ProxyPassReverse / http://0.0.0.0:8080/

    # Or, balance the load:
    # ProxyPass / balancer://balancer_cluster_name

</VirtualHost>

How To Use Apache HTTP Server As Reverse-Proxy Using mod_proxy Extension
2015/07/15 10:16