補足情報

Tips1. サンプルアプリケーションとして動作するNGINXの設定

以下がサンプルアプリケーションの参考設定となります。 Luaスクリプトモジュールを導入したNGINXで実行してください。

  • /etc/nginx/conf.d/default.conf

Version情報
 1# /etc/nginx/conf.d/default.conf
# Sample backends used throughout the tutorial.  Port 80 serves the stock
# static site; 81/82 and 443 echo the request as a JSON document; 83 does the
# same from Lua after a one-second delay; 84 always answers 500.  Lab
# configuration only: nothing here authenticates, rate-limits or logs
# beyond the nginx defaults.
 2server {
 3    listen       80 default_server;
 4    server_name  localhost;
 5
 6    #charset koi8-r;
 7    #access_log  /var/log/nginx/host.access.log  main;
 8
 9    location / {
10        root   /usr/share/nginx/html;
11        index  index.html index.htm;
12    }
13
14    error_page   500 502 503 504  /50x.html;
15    location = /50x.html {
16        root   /usr/share/nginx/html;
17    }
18
19}
20### this is for back to basic part2
    # JSON echo reachable on two ports.  $request_uri is the raw URI as sent by
    # the client and is substituted into the literal without any escaping, so a
    # '"' or '\' in the request path produces malformed JSON.  Acceptable for a
    # lab echo endpoint; do not reuse this pattern for a real API.
21server {
22    listen 81;
23    listen 82;
24    return 200 "{ \"request_uri\": \"$request_uri\",\"server_addr\":\"$server_addr\",\"server_port\":\"$server_port\"}";
25}
    # Same echo built in Lua.  ngx.sleep(1) delays every response by one second
    # (presumably to simulate a slow backend -- confirm).  ngx.var.request_uri
    # is concatenated unescaped, same caveat as the server above.
26server {
27    listen 83;
28    location / {
29        content_by_lua_block {
30            ngx.sleep(1)
31            ngx.print("{ \"request_uri\": \""..ngx.var.request_uri.."\",\"server_addr\":\""..ngx.var.server_addr.."\",\"server_port\":\""..ngx.var.server_port.."\"}")
32        }
33    }
34}
    # Always fails with a plain-text 500, presumably to exercise upstream
    # error handling in the rest of the tutorial.
35server {
36    listen 84;
37    location / {
38        return 500 "Server Error";
39    }
40}
41
    # TLS variant of the JSON echo.  The certificate paths are relative and are
    # resolved against the nginx prefix (normally /etc/nginx), i.e. the files
    # are expected under /etc/nginx/conf.d/ssl/.  No ssl_protocols or
    # ssl_ciphers are set, so the defaults of the installed nginx build apply.
42server {
43    listen 443 ssl;
44    ssl_certificate_key conf.d/ssl/nginx-ecc-p256.key;
45    ssl_certificate conf.d/ssl/nginx-ecc-p256.pem;
46    return 200 "{ \"request_uri\": \"$request_uri\",\"server_addr\":\"$server_addr\",\"server_port\":\"$server_port\"}";
47}
  • /etc/nginx/conf.d/ssl に証明書(nginx-ecc-p256.pem)と鍵(nginx-ecc-p256.key)を配置します

Tips2. OpenSSL CA(認証局) の設定

ホストのVersion情報は以下の通り

Version情報
 1$ cat /etc/*release
 2DISTRIB_ID=Ubuntu
 3DISTRIB_RELEASE=20.04
 4DISTRIB_CODENAME=focal
 5DISTRIB_DESCRIPTION="Ubuntu 20.04.3 LTS"
 6NAME="Ubuntu"
 7VERSION="20.04.3 LTS (Focal Fossa)"
 8ID=ubuntu
 9ID_LIKE=debian
10PRETTY_NAME="Ubuntu 20.04.3 LTS"
11VERSION_ID="20.04"
12HOME_URL="https://www.ubuntu.com/"
13SUPPORT_URL="https://help.ubuntu.com/"
14BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
15PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
16VERSION_CODENAME=focal
17UBUNTU_CODENAME=focal
18
19$ openssl version
20OpenSSL 1.1.1f  31 Mar 2020

openssl.cnf をコピー

# mkdir ssl
# cd ssl
# NOTE: the two lines above are shown with a root-shell prompt ('#'), they are
# not comments -- create the CA working directory and change into it, then
# copy the distribution's stock openssl.cnf in as the starting point for the
# edits shown in the diff below.
cp /etc/ssl/openssl.cnf .

以下の内容を参考に、openssl.cnfの内容を変更

# Open the copied config in an editor and apply the changes listed in the
# diff that follows (the diff is the reference, not a patch to run).
vi ./openssl.cnf
openssl.cnf 記述差分
 1 ####################################################################
 2 [ CA_default ]
 3
 4-dir            = ./demoCA              # Where everything is kept
 5+dir            = ./            # Where everything is kept
 6 certs          = $dir/certs            # Where the issued certs are kept
 7 crl_dir                = $dir/crl              # Where the issued crl are kept
 8 database       = $dir/index.txt        # database index file.
 9@@ -50,12 +50,12 @@
10                                        # several certs with same subject.
11 new_certs_dir  = $dir/newcerts         # default place for new certs.
12
13-certificate    = $dir/cacert.pem       # The CA certificate
14+certificate    = $dir/CA.pem   # The CA certificate
15 serial         = $dir/serial           # The current serial number
16 crlnumber      = $dir/crlnumber        # the current crl number
17                                        # must be commented out to leave a V1 CRL
18 crl            = $dir/crl.pem          # The current CRL
19-private_key    = $dir/private/cakey.pem# The private key
20+private_key    = $dir/CA.key# The private key
21
22 x509_extensions        = usr_cert              # The extensions to add to the cert
23
24@@ -169,7 +169,8 @@
25 # This goes against PKIX guidelines but some CAs do it and some software
26 # requires this to avoid interpreting an end user certificate as a CA.
27
28-basicConstraints=CA:FALSE
29+basicConstraints=CA:TRUE
30+#basicConstraints=CA:FALSE
31
32 # Here are some examples of the usage of nsCertType. If it is omitted
33 # the certificate can be used for anything *except* object signing.
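Review bot: `basicConstraints=CA:TRUE` is set in the extension section applied to issued certificates (the section header is above the hunk, but the surrounding comments are those of `[ usr_cert ]` in the stock file), so every certificate this CA signs with that profile is itself a CA, and the `keyUsage = cRLSign, keyCertSign, ...` added in the next hunk (@@ -186) lets such a certificate sign further certificates. A leaked key from any of the NGINX listeners on this page would then be enough to mint certificates trusted wherever this CA is installed. Keep `basicConstraints=CA:FALSE` here and give CA:TRUE only to the self-signed CA certificate, which the stock config already provides through its `[ v3_ca ]` section (`basicConstraints = critical,CA:true`), selected with `-extensions v3_ca` when the CA certificate is generated. If the intent is to sign the CA certificate with this same config, a separate section for it is still preferable to weakening every end-entity certificate.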
34@@ -186,9 +187,13 @@
35 # and for everything including object signing:
36 # nsCertType = client, email, objsign
37
38+nsCertType = sslCA, emailCA, server, client
39+
40 # This is typical in keyUsage for a client certificate.
41 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
42
43+keyUsage = cRLSign, keyCertSign, nonRepudiation, digitalSignature, keyEncipherment

必要となるフォルダ、ファイルの作成

# Working-directory layout expected by the [ CA_default ] settings above:
# newcerts/ receives issued certificates, index.txt is the (initially empty)
# certificate database, and serial / crlnumber are counters starting at 01.
mkdir -- newcerts
touch -- index.txt
printf '%s\n' 01 > serial
printf '%s\n' 01 > crlnumber

Tips3. DNSコンテンツサーバのデプロイ

  • Docker Compose の実行

各ファイルを同ディレクトリに配置し、以下コマンドを実行します

# Start the dnsmasq stack in the background.  The compose file publishes
# UDP 53 on every host interface, so run this only on a lab host or restrict
# the port binding first.
docker-compose -f ./docker-compose.yaml up -d
  • docker-compose.yaml

docker-compose.yaml
 1version: '2'
# dnsmasq content server for the lab domain.  The image has no tag, so
# ":latest" is pulled; pin a tag (or digest) for a reproducible setup.
 2services:
 3  dns:
 4    restart: always
 5    image: strm/dnsmasq
    # dnsmasq configuration and the hosts file it answers from (both listed
    # further down this page).
 6    volumes:
 7      - ./dnsmasq.conf:/etc/dnsmasq.conf
 8      - ./hosts-dnsmasq:/etc/hosts-dnsmasq
    # "53:53/udp" carries no host address, so the resolver is published on all
    # host interfaces.  On a host reachable from outside the lab, bind it to
    # one address instead, e.g. "<HOST_IP>:53:53/udp" (placeholder), or
    # firewall the port.
 9    ports:
10      - "53:53/udp"
    # NET_ADMIN is a privileged capability (network configuration inside the
    # container).  The image presumably needs it -- confirm -- but it widens
    # what a compromised container can do to the host's networking.
11    cap_add:
12      - NET_ADMIN
  • /etc/dnsmasq.conf

dnsmasq.conf
1port=53
# Answer from the mounted hosts file only; no-hosts ignores the container's
# own /etc/hosts.
2no-hosts
3addn-hosts=/etc/hosts-dnsmasq
# expand-hosts appends "domain" to the bare names in the hosts file, so
# backend1 also resolves as backend1.example.com.
4expand-hosts
5domain=example.com
# Never forward bare (dot-less) names or reverse lookups for private address
# ranges to upstream resolvers.  Note that no server= / no-resolv is set, so
# other names are presumably forwarded to the container's resolv.conf
# resolvers -- confirm; with port 53 published on all interfaces this acts as
# an open forwarder for anything that can reach the host.
6domain-needed
7bogus-priv
  • hosts-dnsmasq

hosts-dnsmasq
# Names served by dnsmasq via addn-hosts.  All addresses are lab-internal.
110.1.1.8 backend1 backend2 backend3 backend4
210.1.1.5 elasticsearch security-backend1 security-backend2 security-backend3 app-backend1 app-backend2 app-backend3
# api1 maps to four addresses, so a lookup returns several A records
# (presumably to exercise multi-address upstream behaviour -- confirm).
310.1.1.81 api1
410.1.1.82 api1
510.1.1.83 api1
610.1.1.84 api1

Tips4. Keycloakのデプロイ

  • Docker Compose の実行

各ファイルを同ディレクトリに配置し、以下コマンドを実行します

# Start Keycloak in the background.  The compose file below sets the admin
# account to admin/admin and publishes 8443 and 8081; change the credentials
# before those ports are reachable by anyone other than the lab operator.
docker-compose -f ./docker-compose.yaml up -d
  • docker-compose.yaml

docker-compose.yaml
 1version: '3'
 2services:
 3  keycloak:
 4    restart: always
 5    image: quay.io/keycloak/keycloak:15.0.2
 6    ports:
 7      - 8443:8443
 8      - 8081:8080
 9    environment:
10      - KEYCLOAK_USER=admin
11      - KEYCLOAK_PASSWORD=admin