On Ubuntu, restricting access to a service secured with OpenSSL usually involves the following aspects:

1. Configure SSL/TLS certificates: use the certbot tool to renew certificates automatically.

2. Configure the firewall: use ufw (Uncomplicated Firewall) or iptables to restrict access to the OpenSSL-based service. With ufw, access can be restricted like this:

```bash
sudo ufw allow from 192.168.1.0/24 to any port 443
sudo ufw enable
```

This allows only traffic from the 192.168.1.0/24 network to reach port 443 (HTTPS).

3. Configure the OpenSSL service: edit the OpenSSL configuration file (/etc/ssl/openssl.cnf or /etc/ssl/ssl.conf) to set up an access control list (ACL). The excerpt below shows the [ CA_default ], [ req ] and [ v3_ca ] sections, which define the CA directory layout, the certificate request defaults and the CA certificate extensions:

```ini
[ CA_default ]
dir             = /var/lib/ssl
certs           = $dir/certs
crl_dir         = $dir/crl
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
RANDFILE        = $dir/private/.rand

[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

[ req_distinguished_name ]
countryName             = Country Name (2 letter code)
stateOrProvinceName     = State or Province Name
localityName            = Locality Name
0.organizationName      = Organization Name
organizationalUnitName  = Organizational Unit Name
commonName              = Common Name

[ v3_ca ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
basicConstraints        = critical, CA:true
keyUsage                = critical, digitalSignature, cRLSign, keyCertSign
```
4. Use a reverse proxy: the following Nginx server block terminates TLS on port 443, forwards requests to a backend on localhost:8080, and restricts the /admin path to the 192.168.1.0/24 network:

```nginx
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /admin {
        allow 192.168.1.0/24;
        deny all;
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
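As an added illustration of how the allow/deny pair in the /admin block behaves (example code written for this page, not part of the original configuration), the following Python mimics the decision logic of Nginx's access module on the TCP peer address; the sample location block is constructed from the configuration above.

```python
"""Added example: evaluate nginx allow/deny rules like the /admin block above.

This is not code from the original page; it mimics ngx_http_access_module's
decision logic (first matching rule wins, no match means allow) so the
effect of an `allow 192.168.1.0/24; deny all;` pair can be checked offline.
"""
import ipaddress

# Constructed sample: the /admin location from the Nginx config on this page.
ADMIN_BLOCK = """
location /admin {
    allow 192.168.1.0/24;
    deny all;
    proxy_pass http://localhost:8080;
}
"""


def parse_access_rules(block: str) -> list[tuple[str, str]]:
    """Extract (action, target) pairs from allow/deny directives in a block."""
    rules = []
    for line in block.splitlines():
        parts = line.strip().rstrip(";").split()
        if len(parts) == 2 and parts[0] in ("allow", "deny"):
            rules.append((parts[0], parts[1]))
    return rules


def is_allowed(client_ip: str, rules: list[tuple[str, str]]) -> bool:
    """Apply rules in order; the first match decides. No match => allowed.

    client_ip is the TCP peer address ($remote_addr). Nginx does not consult
    X-Forwarded-For here, so that header cannot bypass the allow/deny list
    (unless the realip module has been configured to trust an upstream proxy).
    """
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all":
            matched = True
        else:
            net = ipaddress.ip_network(target, strict=False)
            matched = addr.version == net.version and addr in net
        if matched:
            return action == "allow"
    return True


if __name__ == "__main__":
    rules = parse_access_rules(ADMIN_BLOCK)
    for ip in ("192.168.1.10", "192.168.2.10", "203.0.113.5", "2001:db8::1"):
        verdict = "allowed" if is_allowed(ip, rules) else "denied"
        print(f"{ip:>16} -> {verdict}")
```

Because the check runs on $remote_addr, an IPv6 client or any address outside 192.168.1.0/24 falls through to `deny all`, while a block with no allow/deny directives at all lets every client through.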
With the methods above you can effectively restrict access to the OpenSSL-based service, so that only authorized users or networks can reach it.