# dmzsrv — DMZ host: slapd as a read-only back_ldap proxy in front of intsrv, plus nginx (TLS reverse proxy, CA/CRL and OCSP publication)
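# --- slapd TLS material, pulled from the CA host (10.0.0.1) ---
# ldap* is the proxy's own server certificate/key (slapd.conf expects
# ldap.crt / ldap.key); the two CA certificates are fetched separately so
# the chain and the trust bundle can be assembled locally.
# (Glob quoted so the local shell never tries to expand it.)
scp '10.0.0.1:/ca/certs/ldap*' /etc/ldap
scp 10.0.0.1:/etc/ssl/root-ca.crt /etc/ldap/
scp 10.0.0.1:/ca/cacert.pem /etc/ldap/subca.crt
# Chain presented to LDAPS clients: leaf first, then the issuing sub-CA.
cat /etc/ldap/subca.crt >> /etc/ldap/ldap.crt
# Trust bundle: slapd.conf (TLSCACertificateFile, back_ldap tls_cacert) and
# ldap.conf (TLS_CACERT) all point at /etc/ldap/ca.crt, but no other step in
# this listing writes that file. Build it from sub-CA + root so certificate
# verification towards intsrv (and of the proxy itself) has something to
# verify against — without it the temptation is to set tls_reqcert=never.
cat /etc/ldap/subca.crt /etc/ldap/root-ca.crt > /etc/ldap/ca.crt
# Start from the packaged example slapd.conf and edit it (contents below).
cp /usr/share/doc/slapd/examples/slapd.conf /etc/ldap/
vi /etc/ldap/slapd.conf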
#####
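# /etc/ldap/slapd.conf — read-only back_ldap proxy in front of intsrv's directory.
loglevel stats
moduleload back_ldap

backend ldap
database ldap
# Clients can only read through this proxy; modifications are refused here.
readonly yes
protocol-version 3
# Remember the client's bind credentials so the upstream connection can be
# re-bound as that client when it has to be re-established.
rebind-as-user
uri "ldaps://intsrv.skill39.local:636"
suffix "dc=skill39,dc=local"
rootdn "cn=administrator,cn=users,dc=skill39,dc=local"
# NOTE(review): cleartext password in the config. rootpw accepts a hash —
# run `slappasswd` (prompts, keeps the secret out of shell history) and use
# the {SSHA}... output here. The file still has to be mode 600/640 because
# the idassert-bind credentials below cannot be hashed.
rootpw Skill39**
# Upstream TLS: LDAPS, certificate verified against our CA bundle
# (tls_reqcert is left at its default, i.e. the upstream cert is checked).
# In slapd.conf an option either sits on the directive's line or on a
# continuation line that begins with whitespace; a bare option at column 0
# is read as an unknown directive.
tls ldaps tls_cacert=/etc/ldap/ca.crt
# Identity assertion: operations from every local identity matched by "dn:*"
# are forwarded to intsrv bound as administrator (mode=none: no proxyAuthz,
# the asserted identity is used as-is). Together with readonly this gives
# every proxy user administrator's *read* view of the directory — prefer a
# dedicated read-only service account here if the environment allows one.
idassert-authzFrom "dn:*"
idassert-bind bindmethod=simple
        binddn="CN=administrator,CN=Users,DC=skill39,DC=local"
        credentials="Skill39**"
        mode=none

# Listener-side TLS for the ldaps:/// service in /etc/default/slapd.
TLSCACertificateFile /etc/ldap/ca.crt
TLSCertificateFile /etc/ldap/ldap.crt
TLSCertificateKeyFile /etc/ldap/ldap.key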
#####
vi /etc/default/slapd
#####
# Point slapd at the flat slapd.conf edited above instead of the
# configuration source the package default selects.
SLAPD_CONF="/etc/ldap/slapd.conf"
# Listeners: cleartext LDAP only on loopback, LDAPS on every interface, and
# the local unix socket for admin tools. This is what prevents the DMZ
# proxy from accepting unencrypted binds (and the administrator credentials
# asserted on their behalf) from the network.
SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
# Kept for reference only — presumably the packaged default; it would expose
# cleartext ldap:// on all interfaces.
#SLAPD_SERVICES="ldap:/// ldapi:///"
#####
vi /etc/ldap/ldap.conf
#####
# Defaults for the LDAP client tools on this host (ldapsearch etc.).
BASE dc=skill39,dc=local
# Always use LDAPS, never the cleartext loopback listener. ldap.skill39.local
# is presumably this proxy's own name (its cert was fetched as ldap*) — the
# name must match the certificate or TLS_CACERT verification will fail.
URI ldaps://ldap.skill39.local:636
# Same CA bundle slapd itself uses (sub-CA + root).
TLS_CACERT /etc/ldap/ca.crt
#####
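# slapd drops privileges to openldap and must be able to read its config,
# certificate and key.
chown openldap:openldap -R /etc/ldap
# slapd.conf carries cleartext credentials (rootpw, idassert-bind) and
# ldap.key is the server's private key: neither may be readable by other
# users, and scp/cp only apply the umask — set the mode explicitly.
chmod 600 /etc/ldap/slapd.conf /etc/ldap/ldap.key
systemctl restart slapd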
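mkdir /etc/nginx/ssl
# Server certs/keys (www.*, wild.* = wildcard) and both CA certs from the CA host.
# (Globs quoted so the local shell never tries to expand them.)
scp '10.0.0.1:/ca/certs/www*' /etc/nginx/ssl
scp '10.0.0.1:/ca/certs/wild*' /etc/nginx/ssl
scp 10.0.0.1:/etc/ssl/root-ca.crt /etc/nginx/ssl
scp 10.0.0.1:/ca/cacert.pem /etc/nginx/ssl/subca.crt
# Chains nginx will present: leaf, then sub-CA, then root. Clients that
# already trust the root do not need it in the chain, but it is harmless and
# lets www.crt double as a trusted bundle for OCSP stapling verification.
cat /etc/nginx/ssl/subca.crt >> /etc/nginx/ssl/www.crt
cat /etc/nginx/ssl/root-ca.crt >> /etc/nginx/ssl/www.crt
cat /etc/nginx/ssl/subca.crt >> /etc/nginx/ssl/wild.crt
cat /etc/nginx/ssl/root-ca.crt >> /etc/nginx/ssl/wild.crt
# Private keys: only root (which loads them into nginx) needs to read them;
# scp does not guarantee a restrictive mode.
chmod 600 /etc/nginx/ssl/www.key /etc/nginx/ssl/wild.key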
cd /etc/nginx/sites-available/
# Clone the stock 'default' vhost as the starting point for each of the
# four sites; the per-site edits follow below.
for vhost in ca ocsp site www; do
  cp default "$vhost"
done
vi /etc/nginx/sites-available/ca
#####
# ca.skill39.com: publishes the sub-CA certificate and CRL (SubCA.crt /
# SubCA.crl, copied into /var/www/html at the end of this listing —
# presumably the copied default vhost's document root). Plain HTTP is
# intentional: clients must be able to fetch these before they can
# validate any certificate issued by this CA.
listen 80;
server_name ca.skill39.com;
#####
vi /etc/nginx/sites-available/ocsp
#####
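# ocsp.skill39.com: pass OCSP requests straight through to the responder
# on intsrv. Plain HTTP is correct for OCSP (the response itself is signed);
# what this vhost does is keep intsrv:8080 off the wire for DMZ clients.
listen 80;
server_name ocsp.skill39.com;
location / {
    # No angle brackets around the URL — nginx rejects "<http://...>" as
    # an invalid URL prefix (the listing had markdown autolink residue).
    # The hostname is resolved once at config load, so no resolver needed.
    proxy_pass http://intsrv.skill39.local:8080;
}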
#####
vi /etc/nginx/sites-available/site
#####
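#listen 80 default_server;
# site.skill39.com: https://site.skill39.com/<name> -> http://<name>.skill39.local/
# The first path segment picks the internal host, so this vhost is a gateway
# into the whole internal zone on port 80 for anyone who can reach it
# (intsrv included). If that is not the intent, list the permitted names
# explicitly or put authentication/ACLs in front of this location.
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/wild.crt;
ssl_certificate_key /etc/nginx/ssl/wild.key;
server_name site.skill39.com;
# Accept exactly one DNS label as <name>. The original `/(.*)` captured the
# entire remaining path, so anything after the first segment (and any
# character) ended up inside the upstream hostname.
location ~ ^/([A-Za-z0-9-]+)/?$ {
    # proxy_pass with a variable is resolved at request time -> needs a
    # resolver (the internal DNS).
    resolver 10.0.0.1;
    proxy_pass http://$1.skill39.local:80/;
}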
#####
vi /etc/nginx/sites-available/www
#####
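#listen 80 default_server;
# www.skill39.com: TLS termination in front of the internal web server.
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/www.crt;
ssl_certificate_key /etc/nginx/ssl/www.key;
# OCSP stapling: nginx fetches the responder URL found in the certificate
# (presumably ocsp.skill39.com, served by this very host on port 80) at
# runtime, so it needs a resolver that can answer for it; and with
# ssl_stapling_verify it needs the issuing chain as trusted. www.crt carries
# sub-CA + root after the cat steps above, so it doubles as that bundle
# (a separate sub-CA+root chain file would be the cleaner choice).
ssl_stapling on;
ssl_stapling_verify on;
resolver 10.0.0.1;
ssl_trusted_certificate /etc/nginx/ssl/www.crt;
server_name www.skill39.com;
location / {
    # No angle brackets around the URL — nginx rejects "<http://...>".
    proxy_pass http://www.skill39.local:80;
}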
#####
cd /etc/nginx/sites-enabled
# Drop the stock vhost and enable the four sites defined above.
# (No `nginx -t` / reload of nginx appears in this listing; it has to happen
# somewhere for these to take effect.)
rm default
for vhost in ca ocsp site www; do
  ln -s "/etc/nginx/sites-available/$vhost" "$vhost"
done
# Publish the sub-CA certificate and its CRL for ca.skill39.com (port 80).
scp 10.0.0.1:/ca/cacert.pem /var/www/html/SubCA.crt
# NOTE(review): this is a one-off copy. The CRL is only valid until its
# nextUpdate, so it has to be re-published whenever the CA regenerates
# /ca/crl/crl.pem, or validators will start rejecting certificates.
scp 10.0.0.1:/ca/crl/crl.pem /var/www/html/SubCA.crl