
HTTPS with swift!




Enabling HTTPS on Swift

Basically, just follow the documentation below.

3.3.1. Installing and Configuring the Proxy Node

Creating a self-signed X.509 certificate (valid for 1 year)

For now, I just left every certificate field at its default, lol.

# cd /etc/swift
# openssl req -new -x509 -nodes -out cert.crt -keyout cert.key -days 365
Generating a 1024 bit RSA private key
.................++++++
.++++++
writing new private key to 'cert.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Adding the Proxy Server settings

Add the highlighted part below (the cert_file and key_file lines under [DEFAULT]) to the proxy server configuration (/etc/swift/proxy-server.conf).

[DEFAULT]
bind_port = 8080
user = nemf
# Enter these next two values if using SSL certifications
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key

[pipeline:main]
pipeline = healthcheck cache swauth proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true

[filter:swauth]
use = egg:swift#swauth
super_admin_key = swauthkey

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:cache]
use = egg:swift#memcache

Restarting the Proxy Server

# swift-init proxy start

Let's check it right away

$ curl -v -H 'X-Storage-User: test:tester' -H 'X-Storage-Pass: testing' https://127.0.0.1:8080/auth/v1.0
* About to connect() to 127.0.0.1 port 8080 (#0)
*   Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

curl reported an error saying the server certificate isn't valid and gave up on the connection. Well, it's a self-signed certificate, so that's to be expected.

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

As shown below, it says that if you want to turn off curl's certificate verification, add -k.

If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Trying again.

$ curl -v -H 'X-Storage-User: test:tester' -H 'X-Storage-Pass: testing' https://127.0.0.1:8080/auth/v1.0 -k
* About to connect() to 127.0.0.1 port 8080 (#0)
*   Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
*        subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*        start date: 2011-06-16 03:43:21 GMT
*        expire date: 2012-06-15 03:43:21 GMT
* SSL: unable to obtain common name from peer certificate
> GET /auth/v1.0 HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Host: 127.0.0.1:8080
> Accept: */*
> X-Storage-User: test:tester
> X-Storage-Pass: testing
>
< HTTP/1.1 200 OK
< X-Storage-Url: http://127.0.0.1:8080/v1/AUTH_c2fc02be-369a-41d9-8203-3cf5a8114d5a
< X-Storage-Token: AUTH_tk58b31b5594ef4c81bab1c5e6f89865a9
< X-Auth-Token: AUTH_tk58b31b5594ef4c81bab1c5e6f89865a9
< Content-Length: 112
< Date: Thu, 16 Jun 2011 03:48:38 GMT
<
* Connection #0 to host 127.0.0.1 left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
{"storage": {"default": "local", "local": "http://127.0.0.1:8080/v1/AUTH_c2fc02be-369a-41d9-8203-3cf5a8114d5a"}}

The response came back fine!
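Two things in the successful run above are worth checking rather than waving through: -k turns certificate verification off entirely, and the X-Storage-Url that swauth hands back is an http:// URL, so a client that follows it would send the AUTH_ token in clear text on every later request. The script below is an added example (Python, not code from the post or from Swift): it trusts the proxy's own cert.crt as the only CA instead of using -k, calls /auth/v1.0, and audits the response headers. The host, port, file path and the sample headers are assumptions constructed to mirror the post. One caveat the post's curl output already hints at: a certificate generated with all-default prompts has no Common Name ("unable to obtain common name from peer certificate"), so hostname verification fails even when the certificate itself is trusted; the check_hostname parameter exists for that case, but the better fix is to regenerate the certificate with a CN or SAN that matches the proxy's host name (for example via openssl req -subj).

```python
"""Authenticate to a Swift proxy over HTTPS without disabling certificate checks.

Added example, not from the original post. Trusts the proxy's self-signed
cert.crt explicitly (the alternative to curl -k) and flags an X-Storage-Url
that would downgrade later requests to plain http.
"""
import http.client
import ssl
from urllib.parse import urlparse

PROXY_HOST = "127.0.0.1"          # assumed: same host/port as the post
PROXY_PORT = 8080
CA_FILE = "/etc/swift/cert.crt"   # assumed: the self-signed cert from the post, used as trust anchor


def make_pinned_context(cafile, check_hostname=True):
    """Build a client TLS context that verifies the peer (CERT_REQUIRED).

    cafile: path to the proxy's own self-signed certificate, which becomes the
    only trusted CA; pass None to fall back to the system trust store (a
    CA-issued proxy certificate). Verification is never switched off; only
    hostname matching can be relaxed, for certificates that carry no CN/SAN.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verify + check_hostname on by default
    ctx.check_hostname = check_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile is None:
        ctx.load_default_certs()
    else:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def audit_auth_response(headers):
    """Return a list of findings for the headers returned by GET /auth/v1.0.

    Header names are matched case-insensitively. An empty list means the
    response looks sane: a storage URL that stays on https plus both tokens.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    storage_url = h.get("x-storage-url")
    if storage_url is None:
        findings.append("no X-Storage-Url header")
        return findings
    scheme = urlparse(storage_url).scheme.lower()
    if scheme != "https":
        # This is exactly what the post's successful run shows: http://... in X-Storage-Url.
        findings.append(f"X-Storage-Url uses {scheme}: the auth token would be sent in clear text")
    for name in ("X-Storage-Token", "X-Auth-Token"):
        if not h.get(name.lower()):
            findings.append(f"missing {name}")
    return findings


def authenticate(user, key, cafile=CA_FILE, host=PROXY_HOST, port=PROXY_PORT, check_hostname=True):
    """GET /auth/v1.0 over a verified TLS connection; returns (status, headers, body)."""
    ctx = make_pinned_context(cafile, check_hostname)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", "/auth/v1.0",
                     headers={"X-Storage-User": user, "X-Storage-Pass": key})
        resp = conn.getresponse()
        body = resp.read()
        return resp.status, dict(resp.getheaders()), body
    finally:
        conn.close()


# Constructed sample mirroring the post's successful response (values copied from it).
SAMPLE_HEADERS = {
    "X-Storage-Url": "http://127.0.0.1:8080/v1/AUTH_c2fc02be-369a-41d9-8203-3cf5a8114d5a",
    "X-Storage-Token": "AUTH_tk58b31b5594ef4c81bab1c5e6f89865a9",
    "X-Auth-Token": "AUTH_tk58b31b5594ef4c81bab1c5e6f89865a9",
}

if __name__ == "__main__":
    # Offline check against the constructed sample first.
    for finding in audit_auth_response(SAMPLE_HEADERS):
        print("finding:", finding)
    # Live call against the proxy (assumes the post's test:tester account and cert.crt).
    status, headers, body = authenticate("test:tester", "testing")
    print(status, body.decode(errors="replace"))
    for finding in audit_auth_response(headers):
        print("finding:", finding)
```

Run it where cert.crt is readable; the audit of the post's own response prints a finding about the http:// storage URL, which is the signal that the rest of the API conversation is not yet protected by the HTTPS you just enabled.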

Enabling HTTPS is surprisingly easy, so give it a try.

Filed under: cloud