Security/DNSSEC-TLS-nginx
This page details how to set up a server running a modified version of nginx that uses a self-signed certificate with the DNSSEC TLS extension to authenticate https sessions. It's probably safest to do this in a virtual machine. However, for the brave, simply skip the VM-specific steps.

1. Set up a Linux VM and enable a host-only network adapter so you can talk to it, as well as a NAT'd adapter so it can talk to the internet (outside the scope of this article).
2. In that VM, do the following:
3. Install and set up bind9:
   - Run 'apt-get install bind9' (bind9 is the Debian/Ubuntu package name for BIND).
   - Set up keys and zone files (see https://www.dnssec-tools.org/wiki/index.php/Sign_Your_Zone, except using dnssec-keygen and dnssec-signzone instead of zonesigner). This will involve getting your DS set signed by your zone's parent.
   - Make a self-signed certificate.
   - Make a TLSA record using cert2tlsa.sh (http://hg.mozilla.org/users/dkeeler_mozilla.com/dnssec-tls/file/tip/cert2dane.sh) and put it in your zone file.
   - Sign the zones.
   - Start the DNS server.
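The TLSA record in the step above is what ties the signed zone to the self-signed certificate: it carries a hash of the certificate, and a DANE-aware client trusts the presented certificate only if that hash matches. The shell functions below are an added example, not the page's cert2tlsa.sh script, showing how such a record is derived and checked. They assume the record layout that was later standardised in RFC 6698 (usage 3, selector 0, matching type 1, i.e. the SHA-256 of the full DER certificate); the page's experimental patch set predates that RFC, so check cert2tlsa.sh for the exact format its zone expects. The hostname, port and file names are placeholders, and the functions need a POSIX shell plus sha256sum, shasum or openssl for hashing (openssl is also needed for the PEM helper).

```shell
#!/bin/sh
# Added example (not the page's cert2tlsa.sh): derive a DANE-EE TLSA record
# from a certificate and check a presented certificate against it.
# Assumed record layout: usage 3 (domain-issued cert), selector 0 (full
# certificate), matching type 1 (SHA-256), as later standardised in RFC 6698.
# Needs a POSIX shell plus sha256sum, shasum or openssl for the hash.

# Read stdin, print its SHA-256 as lowercase hex using whichever tool exists.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 | cut -d' ' -f1
    else
        openssl dgst -sha256 | sed 's/^.*= //'
    fi
}

# tlsa_rdata DER_FILE: print the RDATA "3 0 1 <hex>" for a DER-encoded cert.
tlsa_rdata() {
    printf '3 0 1 %s' "$(sha256_hex < "$1")"
}

# tlsa_rdata_pem PEM_FILE: same, for a PEM certificate (needs openssl).
tlsa_rdata_pem() {
    printf '3 0 1 %s' "$(openssl x509 -in "$1" -outform DER | sha256_hex)"
}

# tlsa_record HOST PORT DER_FILE: a complete zone-file line for TCP HOST:PORT,
# e.g. "_443._tcp.www.example.com. IN TLSA 3 0 1 <hex>".
tlsa_record() {
    printf '_%s._tcp.%s. IN TLSA %s\n' "$2" "$1" "$(tlsa_rdata "$3")"
}

# tlsa_matches RDATA DER_FILE: succeed only if the certificate hashes to RDATA.
# This is the comparison a DANE-aware client makes before trusting the
# self-signed certificate the server presents; a cert that differs by a
# single byte produces a different hash and is rejected.
tlsa_matches() {
    [ "$(tlsa_rdata "$2")" = "$1" ]
}

# Usage (placeholder names) after making the self-signed certificate:
#   openssl x509 -in server.pem -outform DER -out server.der
#   tlsa_record www.example.com 443 server.der >> zone.db
```

Append the printed line to the zone before signing it, since the TLSA record must be covered by the zone's RRSIGs for the DNSSEC chain to vouch for it; re-sign the zone whenever the certificate is replaced, because the old hash no longer matches.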
4. Get sources:
   - ldns-1.6.10.tar.gz (http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.10.tar.gz)
   - nginx-1.0.5.tar.gz (http://nginx.org/download/nginx-1.0.5.tar.gz)
   - openssl-1.0.0d.tar.gz (http://www.openssl.org/source/openssl-1.0.0d.tar.gz)
5. Get patches:
   - nginx-1.0.5-dnssectls.patch (http://hg.mozilla.org/users/dkeeler_mozilla.com/dnssec-tls/file/tip/nginx-1.0.5-dnssectls.patch)
   - openssl-1.0.0d-dnssectls.patch (http://hg.mozilla.org/users/dkeeler_mozilla.com/dnssec-tls/file/tip/openssl-1.0.0d-dnssectls.patch)
6. Install a local copy of ldns:
   - Untar the archive and cd to the directory.
   - Run './configure --disable-gost --prefix=$HOME/local'.
   - Run 'make', then 'make install'.
   - (If you prefer, simply build it without installing and link against the static libs when necessary.)
7. Make a DNSSEC chain:
   - Use generate.c (http://hg.mozilla.org/users/dkeeler_mozilla.com/dnssec-tls/file/tip/generate.c), or
   - Run `dig +sigchase +trusted-key=[root key file] [domain name] TYPE65468 > output`, edit out the non-DNS information in that file, and then run `./convert < output > dnssecchain` using convert.c (http://hg.mozilla.org/users/dkeeler_mozilla.com/dnssec-tls/file/tip/convert.c).
8. Unpack and patch a local copy of openssl:
   - Untar the archive and cd to the directory.
   - Apply the patch.
   - You don't actually have to configure/compile/install it (nginx does what it needs with this openssl directory).
9. Build nginx:
   - Untar the archive and cd to the directory.
   - Apply the patch.
   - Run './configure --with-openssl=$HOME/openssl-1.0.0d --with-http_ssl_module --without-http_rewrite_module --prefix=`pwd`', then 'make'.
10. Run 'mkdir logs' to make nginx happy.
11. Make sure you don't have other web servers running on the machine (Ubuntu seems to have one by default).
12. Put the paths to the appropriate certificate files in conf/nginx.conf (i.e. the certificate indicated by the TLSA record).
13. Put the path to the appropriate DNSSEC chain file in conf/nginx.conf (created using generate.c, above).
14. Start nginx: 'sudo ./obj/nginx'.
Latest revision as of 23:47, 23 August 2011