As in #2352, please add a troubleshooting section to the Getting Started guide covering the common problems that can come up when following it.
This makes the documentation easier to use for new users.
There is no troubleshooting section.
A troubleshooting section at the end of the Getting Started guide, where users can look up common problems together with their cause and the steps to fix them.
Our documentation needs to be usable in general, but a troubleshooting section that lists specific error messages and the steps to fix them can be very helpful for new users.
Yes
Hi, definitely in favour of this. While following the guide I ran into a few problems and the questions piled up. Right now I'm stuck on this error. Maybe this could be picked up in the docs?
@fox27374 Could you paste the value of window.PAGE_DATA from the browser developer tools? You can type it into the browser console while this error is displayed.
Also, did you go through all the steps of the Getting Started guide, i.e. creating the console OAuth client?
Hi,
Here is window.PAGE_DATA and the command I used to create the OAuth client. One important thing to mention is that I'm using my own certificates (signed by my own CA).
Data:
window.PAGE_DATA = {
"error": {
"code": 7,
"message": "error:pkg/web/oauthclient:exchange (token exchange refused)",
"details": [{
"@type": "type.googleapis.com/ttn.lorawan.v3.ErrorDetails",
"namespace": "pkg/web/oauthclient",
"name": "exchange",
"message_format": "token exchange refused",
"code": 7
}]
}
};
Command:
docker-compose run --rm stack is-db create-oauth-client --id console --name "Console" --owner admin --secret "SM2CE7335KDAIILCA76KETRHDQTTDAQTDJHBSL6RCOX3WFZFDZ4Q" --redirect-uri "https://lora01.ntslab.loc/console/oauth/callback" --redirect-uri "/console/oauth/callback"
Thanks a lot!
Cheers,
Daniel
@fox27374 Thanks for the extra information.
What is the configured OAuth URL, i.e. the /token URL you configured? You may redact sensitive content.
Assuming you are running The Things Stack via Docker, can you confirm that lora01.ntslab.loc resolves from inside the Docker container?
Hi,
Thanks for the reply and for helping me out here. The content isn't of concern yet; for now this is a lab setup, as a test for a future production environment. I'd like to get rid of the Actility server :)
Yes, I run the TTN stack via Docker on a Linux server. lora01.ntslab.loc is configured in the hosts file, so name resolution should work.
The /token URL is the following:
token-url: 'https://lora01.ntslab.loc/oauth/token'
If you need more details, you can look directly at the docker-compose.yml and ttn-lw-stack.yml files. I also use a start script to do the initialization (start.sh).
Thanks in advance,
Daniel
Hi @fox27374
> Yes, I run the TTN stack via Docker on a Linux server. lora01.ntslab.loc is configured in the hosts file, so name resolution should work.
Do you mean the /etc/hosts file of your machine? That has no effect on the Docker container the stack runs in, so it may well be the cause of the problem you're seeing.
You can check with the following command; you should see something along the lines of:
$ docker-compose exec stack nc -z lora01.ntslab.loc 443
nc: bad address 'lora01.ntslab.loc'
Try adding an extra_hosts section to docker-compose.yaml, like this:
# docker-compose.yaml
services:
# ...
stack:
# ...
extra_hosts:
- "lora01.ntslab.loc:YOUR_IP_ADDRESS"
# ...
and restart with docker-compose up -d.
Hostname resolution should work now. (Note, however, that if YOUR_IP_ADDRESS is something like 127.0.0.1 you may still get errors.)
Hi @neoaggelos,
Thanks for the information. I removed the hosts entry and configured the IP/hostname directly on the DNS server. In addition I added an "extra_hosts" entry to docker-compose.yml.
I made the changes, but the error is still there.
I started an ash shell in the container and checked DNS resolution:
$ nslookup lora01.ntslab.loc
Name: lora01.ntslab.loc
Address 1: 172.24.89.120 lora01.ntslab.loc
So this looks fine. Following up on the error message that the token exchange was refused: is there any additional debugging I can enable for the OAuth token exchange? Sorry for being lost here...
Thanks
By the way, someone else seems to have the same problem.
> Hi @neoaggelos,
> Thanks for the information. I removed the hosts entry and configured the IP/hostname directly on the DNS server. In addition I added an "extra_hosts" entry to docker-compose.yml.
Hmm, with a proper DNS configuration there's no need to set extra_hosts.
> I made the changes, but the error is still there.
> I started an ash shell in the container and checked DNS resolution:
> $ nslookup lora01.ntslab.loc
> Name: lora01.ntslab.loc
> Address 1: 172.24.89.120 lora01.ntslab.loc
172.24.89.120 is from a network created by Docker, so that may be the reason for the failure.
> So this looks fine. Following up on the error message that the token exchange was refused: is there any additional debugging I can enable for the OAuth token exchange? Sorry for being lost here...
> Thanks
Try clearing your cookies, or try from a clean browser session. Also make sure the certificates can be read properly by the stack; running cat /var/run/secrets/cert.pem and cat /var/run/secrets/key.pem from a shell inside the container is enough to check that.
Otherwise: have you tried setting up the stack on localhost? Did that work?
Hi,
Sorry, I didn't mention that 172.24.89.120 is the IP address of the server itself in the lab. The Docker addresses are 172.9.0.X.
I do all my tests in a private-mode browser, so cookies don't play a role. The key and certificate are readable by the "thethings" user:
/ $ whoami
thethings
/ $ cat /var/run/secrets/key.pem
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC7IjZoBd2Mu4Ev
AYDrEh6mBWYw5cRDA02F10OQpbQbm6RigFbODM2owGRyCkkZfAUL2VV9xl5TzdMl
I6IecaA7/F7TpciuiJHmnfRVAbDlPI6EJYybdrU7tmfdeWc/ThuVVNolJFUeap+T
OIzv9MkGbBAF19ju4PJel6z3ef+NUhc5LKfjVQZeieQULX2b9+Hpd4ySdR2Nfzdt
......
I'll change the setup to localhost and keep you posted.
> Sorry, I didn't mention that 172.24.89.120 is the IP address of the server itself in the lab. The Docker addresses are 172.9.0.X.
But can you curl https://lora01.ntslab.loc from inside the container? If not, what error is reported?
Hi,
It looks like I've got it. The curl hint was a good one; it shows that ca.pem is not in the trusted certificate store:
/ # curl https://lora01.ntslab.loc
curl: (60) SSL certificate problem: self signed certificate in certificate chain
So I copied the ca.pem certificate to /usr/local/share/ca-certificates/:
/ $ ls -la /usr/local/share/ca-certificates/ca.pem
-rw-r--r-- 1 thething thething 1310 Apr 14 11:36 /usr/local/share/ca-certificates/ca.pem
and added it to the volumes section of the docker-compose.yml file:
volumes:
- "./data/blob:/srv/ttn-lorawan/public/blob"
- "./config/stack:/config:ro"
- "./config/stack/cert/ca.pem:/usr/local/share/ca-certificates/ca.pem"
Now I can log in to the console and all certificates are trusted. Great!
Is this the best / intended way to add a trusted root certificate to the TTN container?
Looks like I spoke too soon. An auth token was apparently still in the DB, which is why everything worked. After starting the container, I had to run the following command to add the ca.pem certificate to the trusted store:
docker exec -it --user root ttn-server_stack_1 /usr/sbin/update-ca-certificates
After that the OAuth client can obtain a token and store it in the DB. I can work with this for now, but I guess this shouldn't be the final solution. Any ideas?
Thanks a lot!
@fox27374 Great that you found the cause. That's always a good start for coming up with a clean solution.
The stack respects TTN_LW_TLS_ROOT_CA (or tls.root-ca), which is a file name, as the CA. See https://thethingsstack.io/v3.7.0/reference/configuration/the-things-stack/
@johanstokking: I add the following to docker-compose.yml:
......
secrets:
- cert.pem
- key.pem
- ca.pem
secrets:
cert.pem:
file: config/stack/cert/cert.pem
key.pem:
file: config/stack/cert/key.pem
ca.pem:
file: config/stack/cert/ca.pem
This way the certificate files are available in the container under /run/secrets and /var/run/secrets. I verified this inside the container.
I added TTN_LW_TLS_ROOT_CA: "/var/run/secrets/ca.pem" to the docker-compose.yml file. The error is still there. I also tried adding this to ttn-lw-stack.yml:
tls:
source: "file"
root-ca: "/var/run/secrets/ca.pem"
certificate: "/var/run/secrets/cert.pem"
key: "/var/run/secrets/key.pem"
Same thing here; the error still occurs. Could it be that some applications, in particular the OAuth client, use the OS-internal trusted root certificates? As soon as I add ca.pem to the trusted root certificates, everything seems to work.
Thanks, Daniel
cc @adriansmares
Hi, is there any news on this? I tried to debug the access to the trusted root certificates with strace, but without success.
@fox27374 Can you confirm that this works?
$ curl --cacert /var/run/secrets/ca.pem https://lora01.ntslab.loc
@adriansmares it seems we need two things: report the underlying cause of the error (a net error or some other stdlib error) as the reason attribute where applicable, and confirm that tls.root-ca is respected.
Hello everyone,
I'm running the TTN stack v3 with Docker inside a Vagrant box (using VirtualBox) and get the same 403 error. It's a sandbox for writing Saltstack recipes.
I took care of DNS and tried various approaches.
I reuse existing certificates created with letsencrypt.
I tried the insecure configurations one by one. For me this isn't a root-ca problem; I don't know what it is. Should I open a separate issue for this?
But one question: to your knowledge, is it possible to configure it without TLS, just for development purposes inside a Vagrant box? If so, could you give me some pointers?
On my VPS I can confirm that it works fine with letsencrypt, which is of course what I use for production.
Thanks
Adding c/shared; this may not be a configuration issue.
Hi, sorry for the late reply. I can confirm that curl only works with the --cacert parameter, because the ca.pem certificate is not installed among the trusted root certificates:
/ $ whoami
thethings
/ $ curl https://lora01.ntslab.loc
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
/ $ curl --cacert /var/run/secrets/ca.pem https://lora01.ntslab.loc
/ $
Please check whether the OAuth client respects the TLS configuration.
If you use nginx in front of the stack, nginx has to handle all of the SSL/TLS.
This is the nginx configuration:
nginx.conf
stream {
include stream_conf.d/*.conf;
}
stream_conf.d/mqtt.conf
log_format mqtt '$remote_addr [$time_local] $protocol $status $bytes_received '
'$bytes_sent $upstream_addr';
upstream ttn1 {
server stack-ip:1881;
zone tcp_mem 64k;
}
upstream ttn2 {
server stack-ip:1882;
zone tcp_mem 64k;
}
upstream ttn3 {
server stack-ip:1883;
zone tcp_mem 64k;
}
server {
listen 8881 ssl; # MQTT secure port
preread_buffer_size 1k;
ssl_certificate /etc/letsencrypt/live/FQDN/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/FQDN/privkey.pem; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:128m; # 128MB ~= 500k sessions
ssl_session_tickets on;
ssl_session_timeout 8h;
proxy_pass ttn1;
proxy_connect_timeout 1s;
}
server {
listen 8882 ssl; # MQTT secure port
preread_buffer_size 1k;
ssl_certificate /etc/letsencrypt/live/FQDN/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/FQDN/privkey.pem; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:128m; # 128MB ~= 500k sessions
ssl_session_tickets on;
ssl_session_timeout 8h;
proxy_pass ttn2;
proxy_connect_timeout 1s;
}
server {
listen 8883 ssl; # MQTT secure port
preread_buffer_size 1k;
ssl_certificate /etc/letsencrypt/live/FQDN/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/FQDN/privkey.pem; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:128m; # 128MB ~= 500k sessions
ssl_session_tickets on;
ssl_session_timeout 8h;
proxy_pass ttn3;
proxy_connect_timeout 1s;
}
server {
listen 1881; # MQTT plain port
preread_buffer_size 1k;
proxy_pass ttn1;
proxy_connect_timeout 1s;
}
server {
listen 1882; # MQTT plain port
preread_buffer_size 1k;
proxy_pass ttn2;
proxy_connect_timeout 1s;
}
server {
listen 1883; # MQTT plain port
preread_buffer_size 1k;
proxy_pass ttn3;
proxy_connect_timeout 1s;
}
This is required in the site configuration for all ports (PORT = 1884, 1885, 1887):
server {
server_name FQDN;
location / {
proxy_pass http://stack-ip:PORT;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_buffering off;
}
listen [::]:PORT ipv6only=on; # managed by Certbot
listen PORT; # managed by Certbot
}
For the ports (PORT/PORTSSL = 1885/443, 1884/8884, 1887/8887):
server {
server_name FQDN;
location / {
proxy_pass http://stack-ip:PORT;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_buffering off;
}
listen [::]:PORTSSL ssl ipv6only=on; # managed by Certbot
listen PORTSSL ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/FQDN/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/FQDN/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
As you can see, what I use is encryption.
Thanks a lot @wasn-eu!
This also helps with #1760.
Hello everyone,
I had a similar problem when installing TTN 3.7 on Ubuntu.
I followed fox27374's guide (https://github.com/fox27374/lora-stack), but I still have the problem.
My installation is on a VM with Ubuntu. I use self-signed certificates for local development.
I'm still stuck on this error: "token exchange refused".
Thanks in advance
Hi @ramampiandra,
As I wrote in the Slack chat, you need the following for everything to work:
Make sure the certificates are correct:
cert.pem
openssl x509 -in cert.pem -text -noout | grep -A 1 Identifier
X509v3 Subject Key Identifier:
26:78:63:90:E7:1C:09:B7:DA:B3:7D:81:F0:DE:47:6B:AE:16:58:79
X509v3 Authority Key Identifier:
keyid:86:32:F5:56:44:21:EC:E3:2A:D9:5F:6E:87:82:7A:67:C2:F1:77:E8
ca.pem
openssl x509 -in ca.pem -text -noout | grep -A 1 Identifier
X509v3 Subject Key Identifier:
86:32:F5:56:44:21:EC:E3:2A:D9:5F:6E:87:82:7A:67:C2:F1:77:E8
Make sure the Authority Key Identifier of cert.pem is the same as the Subject Key Identifier of ca.pem.
Start the stack and, once all Docker containers are up, run the following command (adapt "ttn-server_stack_1" to the name of your TTN container):
docker exec -it --user root ttn-server_stack_1 /usr/sbin/update-ca-certificates
This installs the ca.pem certificate inside the container and adds it to the trusted certificates.
After that, log in to the container directly and test whether the certificate works:
docker-compose exec stack "/bin/ash"
curl https://YOURSERVER.YOUR.DOMAIN
The result should show no error, which means the certificate is trusted.
I hope this helps.
Cheers
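The two findings in this thread, that the stack only accepts the connection once ca.pem is in the trust store the process actually consults (the OAuth client ignoring tls.root-ca), and that cert.pem has to carry the Authority Key Identifier of ca.pem, can both be reproduced in a few lines of Go. The following is an added example written for this page, not code from The Things Stack or from any participant. It builds a constructed in-memory CA and server certificate for lora01.ntslab.loc (the key identifier bytes and subject names are made up), serves it over TLS, and probes it twice: once with Go's default system trust store, which is what a process that ignores tls.root-ca sees (plain curl), and once with the CA pinned as RootCAs (curl --cacert). The names Lab, NewLab, IssuedBy, ClientTrusting and Demo are chosen here; Go 1.18 or newer is assumed for the generic helper.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

const labHost = "lora01.ntslab.loc" // hostname from the thread; which IP it resolves to does not matter here

// Lab is a constructed in-memory PKI standing in for config/stack/cert/{ca,cert,key}.pem.
type Lab struct {
	CA, Leaf *x509.Certificate
	CAPEM    []byte // what curl --cacert or tls.root-ca would point at
	Server   tls.Certificate
}

// must panics on error: failing to build the constructed lab PKI is a bug, not a runtime condition.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewLab builds a private root CA and a server certificate it signs. The CA carries an explicit
// Subject Key Identifier, which Go copies into the leaf's Authority Key Identifier at signing time.
func NewLab() *Lab {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed lab root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		SubjectKeyId: []byte{0x86, 0x32, 0xF5, 0x56}, // constructed value, not a real key id
	}
	caDER := must(x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)) // self-signed
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: labHost}, DNSNames: []string{labHost},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &srvKey.PublicKey, caKey))
	return &Lab{CA: ca, Leaf: must(x509.ParseCertificate(leafDER)),
		CAPEM:  pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		Server: tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: srvKey}}
}

// IssuedBy is the thread's openssl check in code: the leaf's Authority Key Identifier must equal the CA's Subject Key Identifier.
func IssuedBy(leaf, ca *x509.Certificate) bool {
	return len(ca.SubjectKeyId) > 0 && bytes.Equal(leaf.AuthorityKeyId, ca.SubjectKeyId)
}

// ClientTrusting returns an HTTPS client. rootPEM == nil verifies against the system trust store (plain curl,
// or a process that ignores tls.root-ca); a PEM verifies against only that CA (curl --cacert).
// serverName stands in for the URL's hostname so the lab can dial 127.0.0.1 and still verify the name.
func ClientTrusting(rootPEM []byte, serverName string) (*http.Client, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, ServerName: serverName}
	if rootPEM != nil {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(rootPEM) {
			return nil, fmt.Errorf("root CA PEM contains no certificate")
		}
		cfg.RootCAs = pool
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}, nil
}

// Demo serves the lab certificate over TLS and probes it with both clients; it returns the error seen with
// the system trust store, the error seen with the explicit root CA, and the AKI/SKI result.
func Demo() (systemErr, rootCAErr error, akiMatches bool) {
	lab := NewLab()
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(200) }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{lab.Server}}
	srv.StartTLS()
	defer srv.Close()
	probe := func(rootPEM []byte) error {
		resp, err := must(ClientTrusting(rootPEM, labHost)).Get(srv.URL)
		if err != nil {
			return err
		}
		return resp.Body.Close()
	}
	return probe(nil), probe(lab.CAPEM), IssuedBy(lab.Leaf, lab.CA)
}

func main() {
	sysErr, caErr, aki := Demo()
	fmt.Printf("AKI of cert == SKI of CA: %v\nsystem trust store: %v\nexplicit root CA: %v\n", aki, sysErr, caErr)
}
```

Running it prints an x509 "unknown authority" error for the system-store probe and nil for the pinned root CA, which is the difference between plain curl and curl --cacert seen above. The same shape applies to any Go service that builds its own http.Client: a configured root CA file is only honoured by the TLS client whose TLSClientConfig.RootCAs it was actually loaded into, which is why a key like tls.root-ca working for one component and not for another points at one client being built without it rather than at the certificates themselves.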
So, after looking into this in detail, I was able to confirm a reproducible problem where the TLS configuration (in particular the root certificate) is not respected by the OAuth flow, which makes the token exchange fail.
I'm currently working on a PR to fix this, which should land later today.
@kschiffer Great, thanks for looking into this. Keep me posted so I can help with testing.
Hey! Is there another workaround to fix this temporarily?
@dgraposo This should be fixed in 3.8.1.
Since the focus shifted to the "token exchange refused" problem, which was addressed in #2511 and can be followed further in #2521, I'm closing this issue for now. I think that was the main reason for adding a troubleshooting section.
This issue is no longer very useful for discussing its original purpose. If you think a troubleshooting section is still needed, I'd suggest reopening it with a proper scope.