質問編集履歴
9
追記
title
CHANGED
|
File without changes
|
body
CHANGED
|
@@ -75,7 +75,7 @@
|
|
|
75
75
|
|
|
76
76
|
- iptablesの内容
|
|
77
77
|
|
|
78
|
-
|
|
78
|
+
iptables -nvL
|
|
79
79
|
> Chain INPUT (policy ACCEPT 551K packets, 43M bytes)
|
|
80
80
|
> pkts bytes target prot opt in out source destination
|
|
81
81
|
> 153M 57G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
|
8
追記
title
CHANGED
|
File without changes
|
body
CHANGED
|
@@ -75,7 +75,7 @@
|
|
|
75
75
|
|
|
76
76
|
- iptablesの内容
|
|
77
77
|
|
|
78
|
-
|
|
78
|
+
# iptables -nvL
|
|
79
79
|
> Chain INPUT (policy ACCEPT 551K packets, 43M bytes)
|
|
80
80
|
> pkts bytes target prot opt in out source destination
|
|
81
81
|
> 153M 57G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
|
7
追記
title
CHANGED
|
File without changes
|
body
CHANGED
|
@@ -72,4 +72,49 @@
|
|
|
72
72
|
> < Server: Apache
|
|
73
73
|
> < X-Frame-Options: DENY
|
|
74
74
|
|
|
75
|
+
|
|
76
|
+
- iptablesの内容
|
|
77
|
+
|
|
78
|
+
> # iptables -nvL
|
|
79
|
+
> Chain INPUT (policy ACCEPT 551K packets, 43M bytes)
|
|
80
|
+
> pkts bytes target prot opt in out source destination
|
|
81
|
+
> 153M 57G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
|
|
82
|
+
> 242K 23M ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
|
|
83
|
+
> 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
|
|
84
|
+
> 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
|
|
85
|
+
> 583K 37M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
|
|
86
|
+
> 351 21052 ACCEPT tcp -- * * 192.168.***.*** 0.0.0.0/0 state NEW tcp dpt:22
|
|
87
|
+
> 242K 15M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
|
|
88
|
+
> 7971K 465M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
|
|
89
|
+
>
|
|
90
|
+
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
|
|
91
|
+
> pkts bytes target prot opt in out source destination
|
|
92
|
+
> 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
|
|
93
|
+
>
|
|
94
|
+
> Chain OUTPUT (policy ACCEPT 144M packets, 96G bytes)
|
|
95
|
+
> pkts bytes target prot opt in out source destination
|
|
96
|
+
|
|
97
|
+
|
|
98
|
+
書く順としては、*filter内容を記述してから、sourceIPでのポリシーを記載し、
|
|
99
|
+
|
|
100
|
+
> *filter
|
|
101
|
+
> :INPUT ACCEPT [0:0]
|
|
102
|
+
> :FORWARD ACCEPT [0:0]
|
|
103
|
+
> :OUTPUT ACCEPT [0:0]
|
|
104
|
+
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
105
|
+
> -A INPUT -p icmp -j ACCEPT
|
|
106
|
+
> -A INPUT -p esp -j ACCEPT
|
|
107
|
+
> -A INPUT -p ah -j ACCEPT
|
|
108
|
+
> -A INPUT -i lo -j ACCEPT
|
|
109
|
+
>
|
|
110
|
+
>
|
|
111
|
+
最後に下記を記載しています
|
|
112
|
+
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
|
|
113
|
+
> COMMIT
|
|
114
|
+
|
|
115
|
+
|
|
116
|
+
|
|
117
|
+
|
|
118
|
+
|
|
119
|
+
|
|
75
120
|
ご教示のほどよろしくお願い致します
|
6
加筆
title
CHANGED
|
File without changes
|
body
CHANGED
|
@@ -57,7 +57,7 @@
|
|
|
57
57
|
> >Syntax OK
|
|
58
58
|
|
|
59
59
|
|
|
60
|
-
-
|
|
60
|
+
- サーバ内でcurlコマンドを実行しました
|
|
61
61
|
> [root@*** conf.d]# curl -vvv http://localhost
|
|
62
62
|
> * About to connect() to localhost port 80 (#0)
|
|
63
63
|
> * Trying 127.0.0.1... connected
|
5
加筆
title
CHANGED
|
File without changes
|
body
CHANGED
|
@@ -56,4 +56,20 @@
|
|
|
56
56
|
> >_default_:443 ***.***.***.jp (/etc/httpd/conf.d/ssl.conf:81)
|
|
57
57
|
> >Syntax OK
|
|
58
58
|
|
|
59
|
+
|
|
60
|
+
- リストサーバ内でcurlコマンドを実行しました
|
|
61
|
+
> [root@*** conf.d]# curl -vvv http://localhost
|
|
62
|
+
> * About to connect() to localhost port 80 (#0)
|
|
63
|
+
> * Trying 127.0.0.1... connected
|
|
64
|
+
> * Connected to localhost (127.0.0.1) port 80 (#0)
|
|
65
|
+
> > GET / HTTP/1.1
|
|
66
|
+
> > User-Agent:
|
|
67
|
+
> > Host: localhost
|
|
68
|
+
> > Accept: */*
|
|
69
|
+
> >
|
|
70
|
+
> < HTTP/1.1 302 Found
|
|
71
|
+
> <
|
|
72
|
+
> < Server: Apache
|
|
73
|
+
> < X-Frame-Options: DENY
|
|
74
|
+
|
|
59
75
|
ご教示のほどよろしくお願い致します
|
4
加筆
title
CHANGED
|
File without changes
|
body
CHANGED
|
@@ -44,12 +44,16 @@
|
|
|
44
44
|
```
|
|
45
45
|
|
|
46
46
|
iptablesでは、下記のように活かしています
|
|
47
|
-
|
|
47
|
+
> >-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
|
|
48
|
-
>[root@**** ~]# netstat -atlnp|grep ":80"
|
|
49
|
-
>tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5477/httpd httpd -Sコマンドを実行すると下記のように443のみのvhost設定しかしていません
|
|
50
|
-
>VirtualHost configuration:
|
|
51
|
-
>wildcard NameVirtualHosts and _default_ servers:
|
|
52
|
-
>_default_:443 ***.***.***.jp (/etc/httpd/conf.d/ssl.conf:81) >Syntax OK
|
|
53
48
|
|
|
49
|
+
netstatでも80はListenしています
|
|
50
|
+
> >[root@**** ~]# netstat -atlnp|grep ":80"
|
|
51
|
+
> >tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5477/httpd
|
|
54
52
|
|
|
53
|
+
httpd -Sコマンドを実行すると下記のように443のみのvhost設定しかしていません
|
|
54
|
+
> >VirtualHost configuration:
|
|
55
|
+
> >wildcard NameVirtualHosts and _default_ servers:
|
|
56
|
+
> >_default_:443 ***.***.***.jp (/etc/httpd/conf.d/ssl.conf:81)
|
|
57
|
+
> >Syntax OK
|
|
58
|
+
|
|
55
59
|
ご教示のほどよろしくお願い致します
|
3
加筆
title
CHANGED
|
File without changes
|
body
CHANGED
|
@@ -43,6 +43,13 @@
|
|
|
43
43
|
|
|
44
44
|
```
|
|
45
45
|
|
|
46
|
+
iptablesでは、下記のように活かしています
|
|
47
|
+
>-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT netstatでも80はListenしています
|
|
48
|
+
>[root@**** ~]# netstat -atlnp|grep ":80"
|
|
49
|
+
>tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5477/httpd httpd -Sコマンドを実行すると下記のように443のみのvhost設定しかしていません
|
|
50
|
+
>VirtualHost configuration:
|
|
51
|
+
>wildcard NameVirtualHosts and _default_ servers:
|
|
52
|
+
>_default_:443 ***.***.***.jp (/etc/httpd/conf.d/ssl.conf:81) >Syntax OK
|
|
46
53
|
|
|
47
54
|
|
|
48
55
|
ご教示のほどよろしくお願い致します
|
2
編集しました
title
CHANGED
|
File without changes
|
body
CHANGED
|
@@ -27,7 +27,7 @@
|
|
|
27
27
|
SSLRequireSSL
|
|
28
28
|
SSLVerifyClient optional
|
|
29
29
|
#SSLVerifyClient none
|
|
30
|
-
SSLRequire %{SSL_CLIENT_S_DN_O} eq "*****." or%{REMOTE_ADDR}=~****** or%{REMOTE_ADDR}=~*****/ or%{REMOTE_ADDR}=~*****
|
|
30
|
+
SSLRequire %{SSL_CLIENT_S_DN_O} eq "*****." or%{REMOTE_ADDR}=~****** or%{REMOTE_ADDR}=~*****/ or%{REMOTE_ADDR}=~*****/
|
|
31
31
|
</Location>
|
|
32
32
|
<Directory "">
|
|
33
33
|
# Options Indexes FollowSymLinks
|
1
質問内容追記
title
CHANGED
|
File without changes
|
body
CHANGED
|
@@ -13,4 +13,36 @@
|
|
|
13
13
|
```
|
|
14
14
|
そもそも、「サイトからの応答時間が長すぎます。」の制御をapache側設定でどうにかなるのでしょうか?
|
|
15
15
|
|
|
16
|
+
---
|
|
17
|
+
クライアント証明書設定はssl.confに記述しています
|
|
18
|
+
|
|
19
|
+
■/etc/httpd/conf.d/ssl.conf
|
|
20
|
+
|
|
21
|
+
```ここに言語を入力
|
|
22
|
+
SSLInsecureRenegotiation off
|
|
23
|
+
|
|
24
|
+
<Location />
|
|
25
|
+
SetEnv force-proxy-request-1.0 1
|
|
26
|
+
SetEnv proxy-nokeepalive 1
|
|
27
|
+
SSLRequireSSL
|
|
28
|
+
SSLVerifyClient optional
|
|
29
|
+
#SSLVerifyClient none
|
|
30
|
+
SSLRequire %{SSL_CLIENT_S_DN_O} eq "*****." or%{REMOTE_ADDR}=~****** or%{REMOTE_ADDR}=~*****/ or%{REMOTE_ADDR}=~*****./
|
|
31
|
+
</Location>
|
|
32
|
+
<Directory "">
|
|
33
|
+
# Options Indexes FollowSymLinks
|
|
34
|
+
# AllowOverride All
|
|
35
|
+
#add
|
|
36
|
+
Order deny,allow
|
|
37
|
+
Allow from all
|
|
38
|
+
</Directory>
|
|
39
|
+
###サーバの公開鍵
|
|
40
|
+
SSLCACertificateFile /usr/local/ssl/CA/CA.key
|
|
41
|
+
###失効ファイル
|
|
42
|
+
SSLCARevocationFile /etc/pki/exampleCA/crl.pem
|
|
43
|
+
|
|
44
|
+
```
|
|
45
|
+
|
|
46
|
+
|
|
47
|
+
|
|
16
48
|
ご教示のほどよろしくお願い致します
|