Akebi
Akebi: A keyless https server, and backend dns server that resolves ip from domain
Sorry, the documentation is currently in Japanese only. Google Translate is available.
Akebi is an HTTPS reverse proxy server for serving a private website that is not exposed to the internet over HTTPS with a genuine Let's Encrypt certificate.
This HTTPS reverse proxy server depends on a "Keyless Server" made up of three components:
- Authoritative DNS server: a wildcard DNS server that, when an IP address is written as a subdomain such as 192-168-1-11.local.example.com, resolves it straight to 192.168.1.11
- API server: holds the certificate and private key obtained from Let's Encrypt in advance, supplies the certificate during the TLS handshake, and digitally signs with the private key the random values used to generate the Pre-master Secret
- Daemon process: periodically renews the *.local.example.com wildcard HTTPS certificate obtained from Let's Encrypt and the API server's own HTTPS certificate
Hereafter, the HTTPS reverse proxy server is referred to as "HTTPS Server" and the backend server with the three functions above as "Keyless Server".
Most of the Keyless Server code and the TLS handshake handling in HTTPS Server are based on keyless, developed by ncruces, customized for my personal use.
I would like to take this opportunity to express my deep gratitude to ncruces for this great invention (the code I wrote myself amounts to only about 20%).
Development background
Akebi was developed so that server applications listening on a local LAN, where HTTPS with anything other than a self-signed certificate is hard to achieve, can be served over HTTPS with a genuine HTTPS certificate issued by Let's Encrypt.
Web servers listening on a private network such as a local LAN or intranet mostly listen over plain HTTP.
The reasons are that there is little need for HTTPS, since the risk of eavesdropping is very low or the traffic is already encrypted (for example when it goes through a VPN), and that obtaining a trusted HTTPS certificate on a private network is practically difficult; HTTP is simply the easier option.
Browser pressure towards HTTPS
…That said, recent browsers have started to demand HTTPS not only from websites published on the internet but also from websites on private networks, where the risk of eavesdropping is extremely low.
Many of the Web APIs added in recent years, starting with Service Worker and the Web Push API that are core PWA features (and including ones like the WebCodecs API for which requiring HTTPS is entirely unnecessary), already require HTTPS.
[!NOTE]
Strictly speaking, they stop working outside a Secure Context; only localhost (127.0.0.1) is specially recognized as a secure context even over http://.
Even for a private website, requirements such as using getUserMedia() for video chat or the Clipboard API for copying to the clipboard may come up (both require a Secure Context).
- The cache code supports Service Worker, but since Service Worker does not work over HTTP the cache has no effect and every load is slow
- When installed to the Android home screen as a PWA, the icon becomes a Chrome-style icon, and typing into a form shows a "Not secure" bar at the top
- Powerful APIs such as the Clipboard API, Storage API and SharedArrayBuffer cannot be used outside a Secure Context, which severely constrains future feature development
KonomiTV, which I develop, has also run into the issues above.
Many recently added APIs require a Secure Context without exception, regardless of their nature, which has made developing private websites rather difficult.
Furthermore, thanks to the Private Network Access specification applied since Chrome 94, an HTTP public website can no longer access a private website, even if access is explicitly permitted with CORS headers.
Previously, access from an HTTPS public website to an HTTP private website was already forbidden as Mixed Content (except for localhost), so public websites had no choice but to use HTTP (Public (HTTP) -> Private (HTTP)); now that is forbidden too.
This change is a considerably severe constraint for applications where a public website operates devices on the local LAN.
[!NOTE]
In Chrome 105 and later, Public (HTTPS) -> Private (HTTPS) access apparently also requires the private website's response to carry an Access-Control-Allow-Private-Network header (reference).
Since Chrome 105, for a public website to access a private website, both must be HTTPS, and in addition Access-Control-Allow-Private-Network: true must be returned when the Preflight request arrives.
The difficulty of obtaining certificates for private websites
An ordinary public website can be served over HTTPS easily and for free using Let's Encrypt. Since free HTTPS certificates became available, browser pressure towards HTTPS has grown stronger year by year.
For private websites, however, legitimate HTTPS is extremely difficult.
Naturally, the web server cannot be reached from the internet, so Let's Encrypt's HTTP-01 challenge cannot pass.
…Before that, Let's Encrypt cannot issue certificates for IP addresses in the first place. A global IP would be one thing, but there is no way to claim ownership of a private IP address, which is duplicated countless times all over the world.
What is used instead is HTTPS with a self-signed certificate.
Since you make the HTTPS certificate yourself, you can create certificates freely, private IP address or not.
Recently, tools such as mkcert that generate self-signed certificates easily have appeared.
Because it is a certificate you made yourself, browsers naturally do not trust it, and accessing the site as-is shows a warning.
To get rid of the "Your connection is not private" warning, the generated self-signed certificate must be installed in the OS certificate store as a trusted root certification authority.
mkcert automates this part, but only for development.
On devices other than the PC where mkcert is installed, it has to be installed by hand, and the installation procedure is rather tedious; fine for a developer, but I think it is a high-difficulty task for general users.
Moreover, it has to be installed on every device that views the private website, and the more devices there are, the more work it is.
…Given this background, self-signed certificates are practically unusable for applications distributed to general users.
Of course they are usable if you sacrifice the user experience, but since I want many people to be able to use it easily, I want to avoid that as far as possible.
The option of Let's Encrypt DNS validation + wildcard DNS
It is overshadowed by self-signed certificates and not widely known, but even a private website can obtain a genuine HTTPS certificate by using Let's Encrypt's DNS validation (the DNS-01 challenge).
This article explains it in detail, but briefly:
Normally a global IP address is set in a DNS A record, but there is no constraint that it must be global. Setting 127.0.0.1 or 192.168.1.1 is perfectly possible.
For example, suppose the A record of local.example.com is set to 127.0.0.1. Of course it is a loopback address, so it cannot be accessed from the internet, and Let's Encrypt HTTP validation will not pass.
So instead, obtain the HTTPS certificate with Let's Encrypt's DNS validation (DNS-01 challenge).
DNS validation obtains the HTTPS certificate by proving that you have the right to change the DNS records of local.example.com in this example (≒ domain ownership).
DNS validation does not require reachability from the internet: if you can set a token in the TXT record of _acme-challenge.local.example.com at validation time, you get the HTTPS certificate right away.
……At first glance this looks like the whole problem is solved, but this method fits cases such as intranet sites where the private IP address is fixed; for a private website installed into an unknown number of environments, the private IP address of the PC it is installed on differs per environment, so it cannot be used as-is.
This is where wildcard DNS services come in. nip.io and sslip.io are well known.
These are special DNS servers that resolve a subdomain such as http://192-168-1-11.sslip.io to 192.168.1.11; with sslip.io you can also turn a domain you own into a wildcard DNS server.
Furthermore, Let's Encrypt can in fact issue wildcard certificates. If you can prove ownership of the domain, it issues a certificate usable for any of hoge.local.example.com, fuga.local.example.com and piyo.local.example.com.
Combine this wildcard DNS service with the wildcard certificate you obtained, and just by accessing https://192-168-1-11.local.example.com:3000/ instead of http://192.168.1.11:3000/, as if by magic, a "private HTTPS site with a genuine certificate" is born!
[!NOTE]
The idea of combining wildcard DNS with a Let's Encrypt wildcard certificate to run an HTTPS server on a local LAN was taken from localtls, developed by Corollarium.
Handling the certificate and private key
The explanation of the background has become rather long, but from here on is the main subject.
By following the steps above, it became possible to serve even private websites over HTTPS.
However, for private websites installed into an unknown number of environments (there are not many, but famous examples are applications distributed to general users such as Plex Media Server), how to handle the HTTPS certificate and private key becomes a problem.
Since the application itself has to be distributed, the certificate and private key naturally have to be bundled with the application. But if that private key leaks, another application could impersonate the site, and the communication could be eavesdropped on (a man-in-the-middle attack).
Well, this time it is only about being nominally HTTPS as a concession to the browser, so honestly that point hardly matters; but the fact that anyone with the certificate and private key could revoke the HTTPS certificate, and that publishing the private key is prohibited by Let's Encrypt's terms of service, is troublesome.
The private key could be hidden inside the application, but that is ultimately DRM-like rather than a fundamental solution, and for OSS hiding it is difficult in the first place.
Also, since HTTPS certificates issued by Let's Encrypt expire after 3 months, how to update the certificate and private key in each environment is another problem.
Solving this "how to handle the private key" problem by separating out the internal TLS handshake processing and hiding the private key on a remote server is the biggest feature of Akebi HTTPS Server.
[!NOTE]
The certificate is downloaded from Keyless Server at every TLS handshake, so there is no need to store it or to worry about renewing it.
To hide the private key on a remote server, an API server that performs the private-key operations of the TLS handshake on the server's behalf is needed.
Since an API server is needed anyway, why not bundle sslip.io-style wildcard DNS and automatic Let's Encrypt certificate renewal as well? That is keyless, developed by ncruces.
Akebi Keyless Server is my slightly improved version of keyless, and together with Akebi HTTPS Server it forms a single system.
[!NOTE]
It takes the form of an HTTPS reverse proxy for two reasons: generality, since an application can be served over HTTPS just by placing the proxy in front of its HTTP server whatever language it is written in, and the fact that only Golang allowed intervening in the deep parts of the TLS handshake.
Details are explained in the section "The HTTPS reverse proxy approach".
Installation
Requirements
- A Linux server (VM / VPS)
  - Needed to run Keyless Server.
  - Keyless Server uses UDP port 53 (DNS) and TCP port 443 (HTTPS).
    - Configure the firewall so that both are reachable from external networks.
  - If Keyless Server goes down, HTTPS Servers that depend on it can no longer start. For stable operation, it is better not to host Keyless Server alongside other sites.
  - The server can be low-spec. I run it on an Oracle Cloud Free Tier AMD instance.
  - Operation has been verified on Ubuntu 20.04 LTS.
- A domain you own
  - Used for Keyless Server's wildcard DNS function and as the API server's domain.
  - For the wildcard DNS domain, if you own example.net for instance, a subdomain such as local.example.net or ip.example.net is a good choice.
    - It does not have to be a subdomain if you can prepare a dedicated domain for the IP → domain mapping.
    - In this example, 192-168-1-11.local.example.net resolves to 192.168.1.11.
  - Naturally, it is assumed that you can change the DNS settings of the domain you own.
Setting up Keyless Server
Below are the installation steps for Ubuntu 20.04 LTS.
Installing Golang
Development is done with Go 1.18.
$ sudo add-apt-repository ppa:longsleep/golang-backports
$ sudo apt install golang
Stopping systemd-resolved
Needed to run the wildcard DNS server (port 53 is otherwise already in use).
There may be a smarter workaround, so take this only as a reference…
$ sudo systemctl disable systemd-resolved
$ sudo systemctl stop systemd-resolved
$ sudo mv /etc/resolv.conf /etc/resolv.conf.old # back up the original resolv.conf
$ sudo nano /etc/resolv.conf
---------------------------------------------
nameserver 1.1.1.1 # ← change the nameserver from 127.0.0.53 (resolv.conf takes one address per nameserver line)
nameserver 1.0.0.1
(rest omitted)
---------------------------------------------
Changing DNS settings
From here on, the domain assigned to the server on which Keyless Server runs is written as akebi.example.com, and the domain used for wildcard DNS as local.example.com.
In the DNS settings of example.com, set the A record of akebi.example.com to the IP address of the server running Keyless Server. You may also set an AAAA record for IPv6.
Next, set akebi.example.com as the name server (DNS server) in the NS record of local.example.com.
With this configuration, DNS queries for resolving 192-168-1-11.local.example.com to 192.168.1.11 are sent to the DNS server (UDP port 53) of akebi.example.com.
Installation
$ sudo apt install make # make is required
$ git clone git@github.com:tsukumijima/Akebi.git
$ cd Akebi
$ make build-keyless-server # build Keyless Server
$ cp ./example/akebi-keyless-server.json ./akebi-keyless-server.json # copy the config file
akebi-keyless-server.json is the configuration file. It is written in JSONC (JSON with comments).
Only four settings actually need to be changed.
- domain: the domain used for wildcard DNS (local.example.com in this example).
- nameserver: the name server set in the NS record of local.example.com (akebi.example.com in this example).
- is_private_ip_ranges_only: whether to restrict wildcard DNS resolution to private IP addresses.
  - When this is true, names such as 192-168-1-11.local.example.com and 10-8-0-1.local.example.com resolve, but 142-251-42-163.local.example.com does not resolve and is treated as a nonexistent domain.
  - The private IP address ranges include Tailscale's IP addresses (100.64.0.0/10, fd7a:115c:a1e0:ab12::/64).
  - If global IPs were resolvable, the domain could conceivably be abused for a phishing site, and there is no need for the intended use to resolve global IPs, so personally I recommend setting this to true.
- keyless_api.handler: the URL of the Keyless API server (without the URL scheme such as https://). Specify it like akebi.example.com/. The trailing slash is mandatory.
Setup
$ sudo ./akebi-keyless-server setup
Run the setup script.
The setup starts a DNS server and an HTTP server part-way through, and listening on ports below 1024 requires root privileges, so run it with sudo.
Running setup...
Creating a new Let's Encrypt account...
Creating a new account private key...
Accept Let's Encrypt ToS? [y/n]: y
Use the Let's Encrypt production API? [y/n]: y
Enter an email address: yourmailaddress@example.com
Creating a new master private key...
Starting DNS server for domain validation...
Please, ensure that:
- NS records for local.example.com point to akebi.example.com
- akebi-keyless-server is reachable from the internet on UDP akebi.example.com:53
Continue? y
Obtaining a certificate for *.local.example.com...
Creating a new Keyless API private key...
Starting HTTPS server for hostname validation...
Please, ensure that:
- akebi-keyless-server is reachable from the internet on TCP akebi.example.com:443
Continue?
Obtaining a certificate for akebi.example.com...
Done!
$ sudo chown -R $USER:$USER ./
When it finishes, change the owner of the files created with root privileges to the logged-in regular user.
Keyless Server can now be started!
The certificates/ folder stores the HTTPS wildcard certificate/private key obtained from Let's Encrypt and the API server's HTTPS certificate/private key.
The letsencrypt/ folder stores the Let's Encrypt account information.
Configuring the Systemd service
Keyless Server runs as a Systemd service.
Install the Keyless Server service into Systemd and enable it.
# copy the service file
$ sudo cp ./example/akebi-keyless-server.service /etc/systemd/system/akebi-keyless-server.service
# change the /home/ubuntu/Akebi part to the path of the directory where Akebi is placed
$ sudo nano /etc/systemd/system/akebi-keyless-server.service
# copy the socket file
$ sudo cp ./example/akebi-keyless-server.socket /etc/systemd/system/akebi-keyless-server.socket
# enable the services
$ sudo systemctl daemon-reload
$ sudo systemctl enable akebi-keyless-server.service
$ sudo systemctl enable akebi-keyless-server.socket
# start the service
# akebi-keyless-server.socket is started automatically
$ sudo systemctl start akebi-keyless-server.service
If accessing https://akebi.example.com shows a 404 page, the Keyless Server setup is complete! Good work.
While Keyless Server is running, the HTTPS certificates obtained from Let's Encrypt are renewed automatically. Once set up, it basically runs maintenance-free.
● akebi-keyless-server.service - Akebi Keyless Server Service
     Loaded: loaded (/etc/systemd/system/akebi-keyless-server.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2022-05-21 07:31:34 UTC; 2h 59min ago
TriggeredBy: ● akebi-keyless-server.socket
   Main PID: 767 (akebi-keyless-s)
      Tasks: 7 (limit: 1112)
     Memory: 7.8M
     CGroup: /system.slice/akebi-keyless-server.service
             └─767 /home/ubuntu/Akebi/akebi-keyless-server
If systemctl status akebi-keyless-server.service looks like the above, Keyless Server has started correctly.
To stop the Keyless Server service, run the following commands.
$ sudo systemctl stop akebi-keyless-server.service
$ sudo systemctl stop akebi-keyless-server.socket
Setting up HTTPS Server
Build
Building HTTPS Server requires an environment with Go 1.18 and make installed. They are assumed to be installed here.
[!NOTE]
make for Windows can be installed from here.
It has not been updated since 2006, but it works fine on Windows 10. Well, it is a finished application, after all.
$ git clone git@github.com:tsukumijima/Akebi.git
$ cd Akebi
# build for the current platform
$ make build-https-server
# build for all platforms
# cross-compiles executables for Windows (64bit), Linux (x64) and Linux (arm64) in one go
$ make build-https-server-all-platforms
- Windows: akebi-keyless-server.exe
- Linux (x64): akebi-keyless-server (no extension)
- Linux (arm64): akebi-keyless-server-arm (no extension)
The built executables are output in the same folder as the Makefile.
The output file names are as above; rename them as appropriate.
Configuring HTTPS Server
HTTPS Server reads its configuration from akebi-keyless-server.json in the same folder as the executable. Like Keyless Server, it is written in JSONC (JSON with comments).
Settings can also be given as command-line arguments. Each argument corresponds to an item in the configuration file.
If command-line arguments are given while a configuration file is present, the command-line arguments take precedence.
- listen_address: the address the HTTPS reverse proxy listens on.
  - Corresponds to --listen-address on the command line.
  - Basically, something like 0.0.0.0:(port number) is fine.
- proxy_pass_url: the URL of the HTTP server to reverse-proxy to.
  - Corresponds to --proxy-pass-url on the command line.
- keyless_server_url: the URL of Keyless Server.
  - Corresponds to --keyless-server-url on the command line.
- custom_certificate: set this to use a custom HTTPS certificate/private key instead of Keyless Server.
  - Corresponds to --custom-certificate and --custom-private-key on the command line.
  - This is no different from listening over HTTPS normally, but it has the advantages of sharing the implementation with the Keyless Server case and of supporting HTTP/2.
Starting the HTTPS reverse proxy
HTTPS Server runs as a single executable.
If akebi-keyless-server.json is not placed in the same folder as the executable, the settings must be given as command-line arguments at startup.
$ ./akebi-https-server
2022/05/22 03:49:36 Info: Starting HTTPS reverse proxy server...
2022/05/22 03:49:36 Info: Listening on 0.0.0.0:3000, Proxing http://your-http-server-url:8080/.
If accessing https://local.local.example.com:3000/ in this state shows the proxied site, HTTPS is working correctly!!
Of course, if the PC's local IP is 192.168.1.11, for example, it should also be reachable at https://192-168-1-11.local.example.com:3000/.
HTTPS Server can be stopped with Ctrl + C.
If there is an error in the configuration, a log message is printed, so check it.
[!NOTE]
Putting my / local / localhost in the part of the domain where the IP address normally goes is configured to resolve specially to 127.0.0.1 (the loopback address).
It is easier to remember than 127-0-0-1.local.example.com, so use it when developing locally.
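The resolution rule the wildcard DNS applies, as an added illustration (not code from Akebi or keyless), covering both the is_private_ip_ranges_only setting from the Keyless Server configuration and the my / local / localhost names above; the exact private ranges and the IPv4-only dashed label format are assumptions here.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// ErrNotOurs: the name is outside the configured wildcard domain (a real
// authoritative server would answer REFUSED there).
var ErrNotOurs = errors.New("name is not under the wildcard domain")

// ErrNXDomain: the wildcard DNS treats the name as nonexistent.
var ErrNXDomain = errors.New("no such name")

// privateRanges approximates what is_private_ip_ranges_only permits: RFC 1918,
// loopback and the Tailscale ranges the README lists. The exact list Akebi
// uses is an assumption here.
var privateRanges = mustCIDRs(
	"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
	"100.64.0.0/10", "fd7a:115c:a1e0:ab12::/64",
)

func mustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func isPrivate(ip net.IP) bool {
	for _, n := range privateRanges {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ResolveWildcard maps a query name such as "192-168-1-11.local.example.com"
// under the wildcard domain to the IPv4 address 192.168.1.11. The labels "my",
// "local" and "localhost" map to 127.0.0.1. With privateOnly set, a global
// address is answered as if the name did not exist.
func ResolveWildcard(qname, domain string, privateOnly bool) (net.IP, error) {
	qname = strings.TrimSuffix(strings.ToLower(qname), ".")
	suffix := "." + strings.TrimSuffix(strings.ToLower(domain), ".")
	if !strings.HasSuffix(qname, suffix) {
		return nil, ErrNotOurs
	}
	label := strings.TrimSuffix(qname, suffix)
	// Exactly one label is expected in front of the wildcard domain.
	if label == "" || strings.Contains(label, ".") {
		return nil, ErrNXDomain
	}
	switch label {
	case "my", "local", "localhost":
		return net.IPv4(127, 0, 0, 1), nil
	}
	// Dashes stand in for dots: "192-168-1-11" -> "192.168.1.11" (IPv4 only here).
	ip := net.ParseIP(strings.ReplaceAll(label, "-", ".")).To4()
	if ip == nil || (privateOnly && !isPrivate(ip)) {
		return nil, ErrNXDomain
	}
	return ip, nil
}

func main() {
	for _, q := range []string{"192-168-1-11.local.example.com", "142-251-42-163.local.example.com", "local.local.example.com"} {
		ip, err := ResolveWildcard(q, "local.example.com", true)
		fmt.Println(q, "->", ip, err)
	}
}
```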
HTTPS Server supports HTTP/2. HTTP/2 can only be used over HTTPS, so serving a site over HTTPS brings HTTP/2 support at the same time.
[!NOTE]
If anything, this is thanks to Golang's standard HTTP server (http.Server) supporting HTTP/2 out of the box without any configuration.
Custom certificate/private key support exists to share the implementation with the case of serving HTTPS with your own certificate without Keyless Server, but it also matters that just placing HTTPS Server in front adds HTTP/2 support.
Application servers without HTTP/2 support, such as Uvicorn, are fairly common. Ideally something like NGINX should be placed in front, but for applications distributed to general users one often has to make do with a simple HTTP server.
Even in such cases, without touching the application's own implementation, simply starting HTTPS Server together with the application gives HTTPS and HTTP/2 support at once.
$ ./akebi-https-server --listen-address 0.0.0.0:8080 --proxy-pass-url http://192.168.1.11:8000
2022/05/22 03:56:50 Info: Starting HTTPS reverse proxy server...
2022/05/22 03:56:50 Info: Listening on 0.0.0.0:8080, Proxing http://192.168.1.11:8000.
The --listen-address and --proxy-pass-url options can be specified to override the listen port and the URL of the HTTP server being proxied.
$ ./akebi-https-server -h
Usage of C:\Develop\Akebi\akebi-https-server.exe:
-custom-certificate string
Optional: Use your own HTTPS certificate instead of Akebi Keyless Server.
-custom-private-key string
Optional: Use your own HTTPS private key instead of Akebi Keyless Server.
-keyless-server-url string
URL of HTTP server to reverse proxy.
-listen-address string
Address that HTTPS server listens on.
Specify 0.0.0.0:port to listen on all interfaces.
-mtls-client-certificate string
Optional: Client certificate of mTLS for akebi.example.com (Keyless API).
-mtls-client-certificate-key string
Optional: Client private key of mTLS for akebi.example.com (Keyless API).
-proxy-pass-url string
URL of HTTP server to reverse proxy.
The -h option shows the help.
Technical explanation and caveats
How Keyless works
The trick of running a genuine HTTPS server without exposing the private key to users (the origin of the name "Keyless") uses the same technique as Cloudflare's Keyless SSL.
When a site is cached on Cloudflare, a certificate issued by Cloudflare is normally used. Some companies, however, use a custom certificate, for example because they want an EV certificate.
Due to how Cloudflare works, using a custom certificate requires handing that certificate and its private key over to Cloudflare. Keyless SSL is a service for companies that want to use a custom certificate on Cloudflare but cannot hand the custom certificate's private key outside the company for compliance reasons.
With Keyless SSL, the company that does not release its private key hosts a "Key Server". The Key Server is an API server that performs, on behalf of Cloudflare's web server, those steps of the TLS handshake flow that require the private key.
Specifically, when the key exchange algorithm is RSA, it decrypts the Premaster Secret (sent from the browser) encrypted with the public key using the private key and returns it to Cloudflare's server.
When the key exchange algorithm is DHE (Diffie-Hellman), it is a little more complicated: it digitally signs the hash of the Client Random, Server Random and Server DH Parameter with the private key and returns that to Cloudflare's server.
It is complex and hard to follow, and I am not confident that I explain it correctly, so I leave the details to the official explanatory article…
What takes this Keyless SSL property, "HTTPS is possible without the private key as long as you have the certificate and a Key Server", and applies it to this use case where the private key cannot be published is keyless, developed by ncruces.
[!NOTE]
As mentioned earlier, Akebi Keyless Server is a fork of the server-side code of keyless.
The equivalent of Keyless SSL's "Key Server" is the API server on which Keyless Server listens (hereafter the Keyless API).
The /certificate endpoint returns the wildcard certificate held by Keyless Server as-is.
The /sign endpoint is sent by HTTPS Server the SHA-256 hash of the wildcard certificate together with the hash of the Client Random, Server Random and Server DH Parameter; it signs the hash it was sent with the private key tied to that certificate hash and returns the digital signature.
According to ncruces, the author of keyless, unlike Keyless SSL, in order to simplify the problem only the DHE (ECDHE) key exchange algorithm and ECDSA public/private keys are supported.
This is why the private key generated during Keyless Server setup is small (ECDSA has shorter key lengths than RSA).
[!NOTE]
Judging from the diagram alone, the RSA key exchange algorithm looks simpler, but ECDHE with ECDSA is newer, more secure and faster, which may have been a factor in the choice.
The technique is the same as Keyless SSL, but the communication protocol with the Key Server is different (in keyless it is greatly simplified), so it is not compatible with Keyless SSL.
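As an added example (not code from Akebi or keyless), this is what the split described above looks like in Go: the Keyless API side alone holds the ECDSA key and serves /certificate and /sign, while the HTTPS side only implements crypto.Signer and forwards the handshake digest. The JSON request format and the certificate-hash lookup are assumptions for illustration; the certificate is a constructed self-signed stand-in.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// signRequest is the illustrative wire format assumed here (not keyless's real protocol).
type signRequest struct {
	CertHash string `json:"cert_hash"` // SHA-256 of the certificate, selects the key
	Digest   []byte `json:"digest"`    // handshake digest to be signed
}
func certHash(der []byte) string { h := sha256.Sum256(der); return hex.EncodeToString(h[:]) }
func check(err error) {
	if err != nil {
		panic(err)
	}
}
// NewKeylessAPI builds the server side: only it holds the ECDSA private key (constructed cert).
func NewKeylessAPI() http.Handler {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key); check(err)
	mux := http.NewServeMux()
	mux.HandleFunc("/certificate", func(w http.ResponseWriter, _ *http.Request) { w.Write(der) })
	mux.HandleFunc("/sign", func(w http.ResponseWriter, r *http.Request) {
		var req signRequest
		// A request naming a certificate this server does not hold is refused; the key never leaves.
		if json.NewDecoder(r.Body).Decode(&req) != nil || req.CertHash != certHash(der) {
			http.Error(w, "unknown certificate", http.StatusNotFound)
			return
		}
		sig, err := ecdsa.SignASN1(rand.Reader, key, req.Digest)
		if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError); return }
		w.Write(sig)
	})
	return mux
}

// remoteSigner implements crypto.Signer without holding the private key. crypto/tls accepts
// it as tls.Certificate.PrivateKey and calls Sign during the handshake, the step HTTPS Server
// hands to the Keyless API.
type remoteSigner struct {
	base, certHash string
	pub            crypto.PublicKey
}
func (r *remoteSigner) Public() crypto.PublicKey { return r.pub }
func (r *remoteSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	body, _ := json.Marshal(signRequest{CertHash: r.certHash, Digest: digest})
	resp, err := http.Post(r.base+"/sign", "application/json", bytes.NewReader(body))
	if err != nil { return nil, err }
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { return nil, fmt.Errorf("keyless api refused to sign: %s", resp.Status) }
	return io.ReadAll(resp.Body)
}

// LoadKeylessCertificate fetches the certificate and pairs it with a remote signer.
func LoadKeylessCertificate(base string) *tls.Certificate {
	resp, err := http.Get(base + "/certificate"); check(err)
	defer resp.Body.Close()
	der, err := io.ReadAll(resp.Body); check(err)
	leaf, err := x509.ParseCertificate(der); check(err)
	signer := &remoteSigner{base: base, certHash: certHash(der), pub: leaf.PublicKey}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: signer, Leaf: leaf}
}

// SignAndVerify signs a handshake-style digest through the remote signer and checks it
// against the certificate's public key, which is what the TLS client ends up doing.
func SignAndVerify(base string) (bool, error) {
	cert := LoadKeylessCertificate(base)
	digest := sha256.Sum256([]byte("client random|server random|server DH params (constructed)"))
	sig, err := cert.PrivateKey.(crypto.Signer).Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil { return false, err }
	return ecdsa.VerifyASN1(cert.Leaf.PublicKey.(*ecdsa.PublicKey), digest[:], sig), nil
}

func main() {
	ts := httptest.NewServer(NewKeylessAPI()) // both sides run in-process for the demo
	defer ts.Close()
	fmt.Println(SignAndVerify(ts.URL))
}
```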
Risk of man-in-the-middle attacks and mTLS (mutual TLS authentication)
This technique is excellent, but a risk of man-in-the-middle (MitM) attacks remains.
Compared with a state where the certificate and private key are published as-is, the attack is harder, but since the Keyless API can be reached from anywhere, a man-in-the-middle attack may still be possible for someone determined (I am not a security engineer, so I do not know the details…).
That is why ncruces proposes protecting the Keyless API with mTLS (mutual TLS authentication), so that only Keyless API clients holding the correct client certificate/private key can access it.
Without the correct client certificate/private key the Keyless API cannot be accessed, so the risk of man-in-the-middle attacks is reduced.
That said, it is meaningless if the client certificate/private key is stolen. ncruces himself comments that "ultimately it comes down to obfuscation or DRM-like methods".
In my use case, "as long as the browser recognizes the site on the local LAN as nominally HTTPS, the risk of man-in-the-middle attacks honestly does not matter", so I do not use mTLS.
Besides, if there is a local LAN where someone is performing man-in-the-middle attacks on the traffic, that network is already lost in every sense…
…That said, Akebi does support mTLS for what it is worth. More precisely, keyless already supported it, so it was just made usable from HTTPS Server…
To create the mTLS client CA certificate and client certificate, run the following commands.
# self-signed client CA (certificate + private key)
openssl req -newkey rsa:2048 -nodes -x509 -days 365 -out client_ca_cert.pem -keyout client_ca_private_key.pem
# client private key and certificate signing request
openssl genrsa -out client_private_key.pem 2048
openssl req -new -key client_private_key.pem -days 365 -out client_cert.csr
# client certificate signed by the client CA
openssl x509 -req -in client_cert.csr -CA client_ca_cert.pem -CAkey client_ca_private_key.pem -out client_cert.pem -days 365 -sha256 -CAcreateserial
# remove the serial file and the CSR, which are no longer needed
rm client_ca_cert.srl
rm client_cert.csr
client_ca_cert.pem / client_ca_private_key.pem are the client CA certificate/private key, and client_cert.pem / client_private_key.pem are the client certificate/private key.
In the Keyless Server configuration, set keyless_api.client_ca to the path of the mTLS client CA certificate (client_ca_cert.pem).
The Keyless Server service must be restarted for the setting to take effect.
In the HTTPS Server configuration, set mtls.client_certificate and mtls.client_certificate_key to the paths of the mTLS client certificate/private key (client_cert.pem and client_private_key.pem).
If you can access the site served by HTTPS Server in this state, mTLS is enabled.
If you remove the mTLS settings from HTTPS Server while the client CA certificate remains configured in Keyless Server, access to the Keyless API should fail.
The HTTPS reverse proxy approach
For serving a site over HTTPS using Keyless Server, Akebi adopts the approach of standing the HTTPS server up as a reverse proxy in front of the HTTP server behind it.
The upstream keyless, on the other hand, was written for the use case of serving HTTPS "directly" by setting the keyless client library's function (GetCertificate()) in the TLS configuration of a web server written in Golang.
This approach certainly fits when the application server is written in Golang, but it cannot be used when the application server is written in a language other than Golang.
Still, rewriting an application server written in another language in Golang just to serve it over HTTPS is unrealistic, and every language has its own advantages.
At first glance it seems enough to port keyless's client library to other languages such as Python or Node.js, but it turned out that porting the library is impossible in most languages.
I actually tried whether the implementation corresponding to the keyless client could be ported to Python, but Python delegates its TLS implementation entirely to OpenSSL. The standard ssl module exists, but its real implementation is in the wrapper around the native OpenSSL library.
Moreover, in the ssl module the TLS handshake is hidden inside SSLContext.do_handshake(), so it turned out that the internals of the TLS handshake cannot be intervened in.
Golang provides a struct for configuring the TLS handshake in detail, but no corresponding API could be found in Python. There probably is none…
I also had a brief look at Node.js's TLS library; compared to Python the API is richer and allows low-level customization, but there was no API for intervening in the TLS handshake itself.
It is obvious that use cases for hooking into the internals of the complex, hard-to-understand and fixed-flow TLS handshake are (apart from very special cases) practically nonexistent, so this is understandable.
A TLS implementation becomes a vulnerability if it is wrong, so it may also be a consideration that letting ordinary programmers without specialist knowledge touch it raises the security risk (I actually think that is the case).
There may be languages I simply have not found to which the keyless client library can be ported (i.e. that allow intervening in the deep parts of the TLS handshake). But given that there is already a language to which porting is impossible by the API design, the approach of serving HTTPS using Keyless Server directly is hard to adopt.
Also, in general web services, a web server such as Apache or NGINX often sits between the application server and the internet, and it goes without saying that Apache and NGINX do not support the keyless client. One would have to patch the Apache or NGINX source code, which is too much…
So the idea I came up with by reversing the problem, "if we cannot be a keyless client directly, why not build a reverse proxy that supports keyless?", is the HTTPS reverse proxy approach.
With this method, an HTTPS server can be stood up right away regardless of the language or web server used by the HTTP server to be served over HTTPS with Keyless.
Having to start the reverse proxy separately from the application server is a bit of a hassle, but once started it keeps listening until explicitly stopped. It is best to have it start together with the application server and stop when the application server stops.
Also, HTTPS Server runs as a single binary. With arguments it can start even without the configuration file (akebi-https-server.json), and even including the configuration file only two files are needed.
Embedding Apache or NGINX into an application distributed to ordinary PCs is too much, but this should be comparatively easy to embed into a distributed application.
About the URL change
With HTTPS, URLs with a bare IP address such as http://192.168.1.11:3000/, as used until now, can no longer be used; instead the site must be accessed with URLs such as https://192-168-1-11.local.example.com:3000/, and users must be made fully aware of this.
[!NOTE]
https://192.168.1.11:3000/ should still work for what it is worth, but needless to say a certificate error is shown.
Since genuine HTTPS certificates cannot be issued for private IP addresses or for domains valid only on the local LAN such as mDNS names (e.g. my-computer.local), to use a real HTTPS certificate on a private website there is no choice but to use a domain that is valid on the internet, whatever it is.
Therefore, if you want HTTPS without a self-signed certificate, this change is unavoidable.
However, this URL change is quite a breaking change. Especially if you have many users, you should proceed carefully.
If such a breaking change cannot be accepted, it is better, if possible, to support HTTP access in parallel, or to give up on using a genuine HTTPS certificate.
[!NOTE]
If you have the resources to support both HTTP and HTTPS (disabling the features that require HTTPS when accessed over HTTP), it is best to keep supporting HTTP access in parallel.
In my use case, I judged that the benefits of HTTPS outweigh the downside of the URL change, and decided to adopt Akebi. Weigh the advantages and disadvantages and consider whether to adopt it.
If you hardly use, or do not plan to use, features that require HTTPS, I think staying with HTTP (the status quo) is perfectly fine.
Also, it can be expected that power users (not many, but some) will say they want to use their own domain and certificate, that they do not like the domain prepared by the developer, or that they would rather access the site by IP address even with a self-signed certificate.
Meeting such requests inevitably means starting the HTTPS server with a custom HTTPS certificate/private key.
But splitting the implementation into "general users get Akebi's HTTPS reverse proxy, and power users who want a custom certificate get an HTTPS server listened on directly by the application…" would obviously make the implementation complicated.
So I added settings and command-line arguments to HTTPS Server itself for listening as an HTTPS reverse proxy using a custom certificate/private key.
Using this feature, the role of the HTTPS server can be unified in Akebi HTTPS Server.
As explained in "Configuring HTTPS Server", in HTTPS Server the settings given as command-line arguments take precedence over those in the configuration file.
Taking advantage of this, when a custom certificate/private key is specified in the application's settings, simply adding --custom-certificate / --custom-private-key to the HTTPS Server startup command starts HTTPS Server with the custom certificate without rewriting the configuration file.
This should be a far simpler implementation than preparing a separate HTTPS server.
Also, doing custom-certificate HTTPS through HTTPS Server brings HTTP/2 support, as mentioned above.
HTTP/2 support probably will not make things dramatically faster, but performance should improve to some degree.
A concrete use case for a custom certificate/private key is using Tailscale's HTTPS enablement feature.
[!NOTE]
Tailscale is a service for easily building a peer-to-peer mesh VPN. While connected to Tailscale, you can access the other devices connected to Tailscale from anywhere.
Running the tailscale cert command issues an HTTPS certificate and private key usable for a domain of the form [machine-name].[domain-alias].ts.net.
This certificate is a genuine Let's Encrypt-issued certificate that can be used for any private website on the same PC as long as the hostname is [machine-name].[domain-alias].ts.net.
Setting the custom certificate/private key issued by Tailscale in HTTPS Server makes the application accessible over HTTPS at a URL like https://[machine-name].[domain-alias].ts.net:3000/.
The trade-off is that the features that use Keyless Server are disabled, so the site can no longer be accessed at URLs like https://192-168-1-11.local.example.com:3000/.
For users who always access the private website through Tailscale, a URL that is easier to remember than the bare IP address becomes available, so this may be a better option than Keyless Server.