Question edit history
9
Addendum
test
CHANGED
File without changes
|
test
CHANGED
@@ -152,7 +152,7 @@
|
|
152
152
|
|
153
153
|
|
154
154
|
|
155
|
-
|
155
|
+
iptables -nvL
|
156
156
|
|
157
157
|
> Chain INPUT (policy ACCEPT 551K packets, 43M bytes)
|
158
158
|
|
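Review bot: the changed line drops the `#` prompt but still leaves `iptables -nvL` outside the `>` quote block that holds its output (`> Chain INPUT (policy ACCEPT 551K packets, 43M bytes)`), so the command renders as a stray paragraph above the quoted output; writing it inside the block as `> # iptables -nvL` keeps the prompt and its output together without the heading problem that a bare `#` line causes.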
8
Addendum
test
CHANGED
File without changes
|
test
CHANGED
@@ -152,7 +152,7 @@
|
|
152
152
|
|
153
153
|
|
154
154
|
|
155
|
-
|
155
|
+
# iptables -nvL
|
156
156
|
|
157
157
|
> Chain INPUT (policy ACCEPT 551K packets, 43M bytes)
|
158
158
|
|
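Review bot: the added line `# iptables -nvL` is a bare markdown line, so its leading `#` renders as a level-1 heading rather than as a root shell prompt; since the output that follows it is inside a `>` quote block, the command belongs in that same block.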
7
Addendum
test
CHANGED
File without changes
|
test
CHANGED
@@ -146,4 +146,94 @@
|
|
146
146
|
|
147
147
|
|
148
148
|
|
149
|
+
|
150
|
+
|
151
|
+
- iptables contents
|
152
|
+
|
153
|
+
|
154
|
+
|
155
|
+
> # iptables -nvL
|
156
|
+
|
157
|
+
> Chain INPUT (policy ACCEPT 551K packets, 43M bytes)
|
158
|
+
|
159
|
+
> pkts bytes target prot opt in out source destination
|
160
|
+
|
161
|
+
> 153M 57G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
|
162
|
+
|
163
|
+
> 242K 23M ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
|
164
|
+
|
165
|
+
> 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
|
166
|
+
|
167
|
+
> 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
|
168
|
+
|
169
|
+
> 583K 37M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
|
170
|
+
|
171
|
+
> 351 21052 ACCEPT tcp -- * * 192.168.***.*** 0.0.0.0/0 state NEW tcp dpt:22
|
172
|
+
|
173
|
+
> 242K 15M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
|
174
|
+
|
175
|
+
> 7971K 465M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
|
176
|
+
|
177
|
+
>
|
178
|
+
|
179
|
+
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
|
180
|
+
|
181
|
+
> pkts bytes target prot opt in out source destination
|
182
|
+
|
183
|
+
> 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
|
184
|
+
|
185
|
+
>
|
186
|
+
|
187
|
+
> Chain OUTPUT (policy ACCEPT 144M packets, 96G bytes)
|
188
|
+
|
189
|
+
> pkts bytes target prot opt in out source destination
|
190
|
+
|
191
|
+
|
192
|
+
|
193
|
+
|
194
|
+
|
195
|
+
As for the order in which I write them, I write the *filter contents first, then the policy by source IP,
|
196
|
+
|
197
|
+
|
198
|
+
|
199
|
+
> *filter
|
200
|
+
|
201
|
+
> :INPUT ACCEPT [0:0]
|
202
|
+
|
203
|
+
> :FORWARD ACCEPT [0:0]
|
204
|
+
|
205
|
+
> :OUTPUT ACCEPT [0:0]
|
206
|
+
|
207
|
+
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
208
|
+
|
209
|
+
> -A INPUT -p icmp -j ACCEPT
|
210
|
+
|
211
|
+
> -A INPUT -p esp -j ACCEPT
|
212
|
+
|
213
|
+
> -A INPUT -p ah -j ACCEPT
|
214
|
+
|
215
|
+
> -A INPUT -i lo -j ACCEPT
|
216
|
+
|
217
|
+
>
|
218
|
+
|
219
|
+
>
|
220
|
+
|
221
|
+
and finally I write the following
|
222
|
+
|
223
|
+
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
|
224
|
+
|
225
|
+
> COMMIT
|
226
|
+
|
227
|
+
|
228
|
+
|
229
|
+
|
230
|
+
|
231
|
+
|
232
|
+
|
233
|
+
|
234
|
+
|
235
|
+
|
236
|
+
|
237
|
+
|
238
|
+
|
149
239
|
I would appreciate your guidance.
|
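Review bot: in the added `iptables -nvL` output the INPUT chain has `policy ACCEPT` and every rule in it is an ACCEPT, and the rules excerpt that follows ends with `-A FORWARD -j REJECT --reject-with icmp-host-prohibited` and `COMMIT` with no equivalent terminal rule for INPUT, so inbound traffic is not filtered at all: the `state NEW tcp dpt:22` rule limited to a `192.168.***.***` source and the `dpt:80`/`dpt:443` rules only count packets, and anything not listed is accepted by the chain policy. Either set `:INPUT DROP [0:0]` or add `-A INPUT -j REJECT --reject-with icmp-host-prohibited` as the last INPUT rule (the RHEL/CentOS 6 default ruleset, which this closely resembles, has exactly that line), then re-check with `iptables -nvL`. For the problem being debugged this also shows that iptables is not what is blocking port 80, since the chain would accept it even without the `dpt:80` rule.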
6
Additions
test
CHANGED
File without changes
|
test
CHANGED
@@ -116,7 +116,7 @@
|
|
116
116
|
|
117
117
|
|
118
118
|
|
119
|
-
-
|
119
|
+
- I ran the curl command on the server
|
120
120
|
|
121
121
|
> [root@*** conf.d]# curl -vvv http://localhost
|
122
122
|
|
5
Additions
test
CHANGED
File without changes
|
test
CHANGED
@@ -114,4 +114,36 @@
|
|
114
114
|
|
115
115
|
|
116
116
|
|
117
|
+
|
118
|
+
|
119
|
+
- I ran the curl command on the list server
|
120
|
+
|
121
|
+
> [root@*** conf.d]# curl -vvv http://localhost
|
122
|
+
|
123
|
+
> * About to connect() to localhost port 80 (#0)
|
124
|
+
|
125
|
+
> * Trying 127.0.0.1... connected
|
126
|
+
|
127
|
+
> * Connected to localhost (127.0.0.1) port 80 (#0)
|
128
|
+
|
129
|
+
> > GET / HTTP/1.1
|
130
|
+
|
131
|
+
> > User-Agent:
|
132
|
+
|
133
|
+
> > Host: localhost
|
134
|
+
|
135
|
+
> > Accept: */*
|
136
|
+
|
137
|
+
> >
|
138
|
+
|
139
|
+
> < HTTP/1.1 302 Found
|
140
|
+
|
141
|
+
> <
|
142
|
+
|
143
|
+
> < Server: Apache
|
144
|
+
|
145
|
+
> < X-Frame-Options: DENY
|
146
|
+
|
147
|
+
|
148
|
+
|
117
149
|
I would appreciate your guidance.
|
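Review bot: the added curl transcript stops at `< X-Frame-Options: DENY` and leaves out the `Location` header of the `< HTTP/1.1 302 Found` response, which is the one line that says where requests to port 80 are being sent; the redirect target, not the 302 itself, is what needs checking here, so include the remaining response headers. Minor: `-vvv` is no more verbose than `-v` for curl.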
4
Additions
test
CHANGED
File without changes
|
test
CHANGED
@@ -90,19 +90,27 @@
|
|
90
90
|
|
91
91
|
In iptables, the following is in effect
|
92
92
|
|
93
|
-
>-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
|
93
|
+
> >-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
|
94
|
-
|
95
|
-
>[root@**** ~]# netstat -atlnp|grep ":80"
|
96
|
-
|
97
|
-
>tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5477/httpd When I run the httpd -S command, as shown below, only a vhost for 443 is configured
|
98
|
-
|
99
|
-
>VirtualHost configuration:
|
100
|
-
|
101
|
-
>wildcard NameVirtualHosts and _default_ servers:
|
102
|
-
|
103
|
-
>_default_:443 ***.***.***.jp (/etc/httpd/conf.d/ssl.conf:81) >Syntax OK
|
104
94
|
|
105
95
|
|
96
|
+
|
97
|
+
netstat also shows port 80 listening
|
98
|
+
|
99
|
+
> >[root@**** ~]# netstat -atlnp|grep ":80"
|
100
|
+
|
101
|
+
> >tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5477/httpd
|
102
|
+
|
103
|
+
|
104
|
+
|
105
|
+
When I run the httpd -S command, as shown below, only a vhost for 443 is configured
|
106
|
+
|
107
|
+
> >VirtualHost configuration:
|
108
|
+
|
109
|
+
> >wildcard NameVirtualHosts and _default_ servers:
|
110
|
+
|
111
|
+
> >_default_:443 ***.***.***.jp (/etc/httpd/conf.d/ssl.conf:81)
|
112
|
+
|
113
|
+
> >Syntax OK
|
106
114
|
|
107
115
|
|
108
116
|
|
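Review bot: the re-split lines now use a doubled quote marker `> >`, which nests a blockquote inside a blockquote; the single `>` used elsewhere in the question is enough. On the content: `httpd -S` listing only `_default_:443 ***.***.***.jp (/etc/httpd/conf.d/ssl.conf:81)` means there is no `<VirtualHost>` for port 80, not that port 80 is unserved; the `netstat` line shows httpd bound to `0.0.0.0:80`, so those requests are answered by the main server configuration in httpd.conf, and that is where the behaviour seen on port 80 has to be looked for.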
3
Additions
test
CHANGED
File without changes
|
test
CHANGED
@@ -88,6 +88,20 @@
|
|
88
88
|
|
89
89
|
|
90
90
|
|
91
|
+
In iptables, the following is in effect
|
92
|
+
|
93
|
+
>-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT netstat also shows port 80 listening
|
94
|
+
|
95
|
+
>[root@**** ~]# netstat -atlnp|grep ":80"
|
96
|
+
|
97
|
+
>tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5477/httpd When I run the httpd -S command, as shown below, only a vhost for 443 is configured
|
98
|
+
|
99
|
+
>VirtualHost configuration:
|
100
|
+
|
101
|
+
>wildcard NameVirtualHosts and _default_ servers:
|
102
|
+
|
103
|
+
>_default_:443 ***.***.***.jp (/etc/httpd/conf.d/ssl.conf:81) >Syntax OK
|
104
|
+
|
91
105
|
|
92
106
|
|
93
107
|
|
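Review bot: two of the added quote lines run the next sentence onto the same line as program output (after `... --dport 80 -j ACCEPT` and after `... LISTEN 5477/httpd`), and `>_default_:443 ... >Syntax OK` puts two output lines on one, so markdown shows the prose as part of the quoted output; give each introducing sentence and each output line its own line.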
2
Edited
test
CHANGED
File without changes
|
test
CHANGED
@@ -56,7 +56,7 @@
|
|
56
56
|
|
57
57
|
#SSLVerifyClient none
|
58
58
|
|
59
|
-
SSLRequire %{SSL_CLIENT_S_DN_O} eq "*****." or%{REMOTE_ADDR}=~****** or%{REMOTE_ADDR}=~*****/ or%{REMOTE_ADDR}=~*****
|
59
|
+
SSLRequire %{SSL_CLIENT_S_DN_O} eq "*****." or%{REMOTE_ADDR}=~****** or%{REMOTE_ADDR}=~*****/ or%{REMOTE_ADDR}=~*****/
|
60
60
|
|
61
61
|
</Location>
|
62
62
|
|
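Review bot: the fix only adds the closing `/` on the last `=~*****` alternative, while the first alternative `=~******` still shows no `/.../` delimiter pair and all three are glued to the keyword as `or%{REMOTE_ADDR}` (the values are masked, so this may partly be redaction); with several alternatives in one `SSLRequire`, put a space around each `or` and write every regex as `/.../` so a missing delimiter is visible at a glance, and confirm the result with `httpd -t` before reloading, since a malformed `SSLRequire` fails the whole configuration parse.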
1
Added to the question
test
CHANGED
File without changes
|
test
CHANGED
@@ -28,4 +28,68 @@
|
|
28
28
|
|
29
29
|
|
30
30
|
|
31
|
+
---
|
32
|
+
|
33
|
+
The client certificate settings are written in ssl.conf
|
34
|
+
|
35
|
+
|
36
|
+
|
37
|
+
■/etc/httpd/conf.d/ssl.conf
|
38
|
+
|
39
|
+
|
40
|
+
|
41
|
+
```ここに言語を入力
|
42
|
+
|
43
|
+
SSLInsecureRenegotiation off
|
44
|
+
|
45
|
+
|
46
|
+
|
47
|
+
<Location />
|
48
|
+
|
49
|
+
SetEnv force-proxy-request-1.0 1
|
50
|
+
|
51
|
+
SetEnv proxy-nokeepalive 1
|
52
|
+
|
53
|
+
SSLRequireSSL
|
54
|
+
|
55
|
+
SSLVerifyClient optional
|
56
|
+
|
57
|
+
#SSLVerifyClient none
|
58
|
+
|
59
|
+
SSLRequire %{SSL_CLIENT_S_DN_O} eq "*****." or%{REMOTE_ADDR}=~****** or%{REMOTE_ADDR}=~*****/ or%{REMOTE_ADDR}=~*****./
|
60
|
+
|
61
|
+
</Location>
|
62
|
+
|
63
|
+
<Directory "">
|
64
|
+
|
65
|
+
# Options Indexes FollowSymLinks
|
66
|
+
|
67
|
+
# AllowOverride All
|
68
|
+
|
69
|
+
#add
|
70
|
+
|
71
|
+
Order deny,allow
|
72
|
+
|
73
|
+
Allow from all
|
74
|
+
|
75
|
+
</Directory>
|
76
|
+
|
77
|
+
###Server public key
|
78
|
+
|
79
|
+
SSLCACertificateFile /usr/local/ssl/CA/CA.key
|
80
|
+
|
81
|
+
###Revocation file
|
82
|
+
|
83
|
+
SSLCARevocationFile /etc/pki/exampleCA/crl.pem
|
84
|
+
|
85
|
+
|
86
|
+
|
87
|
+
```
|
88
|
+
|
89
|
+
|
90
|
+
|
91
|
+
|
92
|
+
|
93
|
+
|
94
|
+
|
31
95
|
I would appreciate your guidance.
|
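Review bot: `SSLCACertificateFile /usr/local/ssl/CA/CA.key`, introduced under a comment labelling it the server public key, names a key file where the directive expects the PEM certificate(s) of the CA that issued the client certificates; neither a private key nor the server's own public key is what client certificates are verified against, so check what the file actually holds (`openssl x509 -in /usr/local/ssl/CA/CA.key -noout -subject` succeeds only for a certificate) and point the directive at the CA certificate. The CRL is read from a different tree, `SSLCARevocationFile /etc/pki/exampleCA/crl.pem`, so also confirm it was issued by that same CA. Smaller points in the same block: `<Directory "">` has an empty path, and the code fence opens with the editor placeholder ここに言語を入力 ("enter language here") instead of a language tag.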