Enable SSL Offload

IBM Bluemix Infra offers several kinds of Load Balancer options.

This post is a guide to creating an OpenSSL certificate on a web server, registering it in the Bluemix Infra Portal, and using the Local Load Balancer's SSL Offload feature to serve an HTTPS web page.

What is SSL Offload?
SSL, that is, Secure Sockets Layer authentication, provides authentication between the server and client computers in a web application. A company or business that uses a dedicated SSL certificate has to host that certificate on its web server, and heavy use of certificates in this way puts a load on the system and slows the application down.
For that reason, SSL offloading is a feature that hands all of the SSL encryption and decryption work of the main web server to a separate device designed specifically for that processing, which can improve the main web server's performance and lets SSL certificates be handled efficiently.
Source: http://m.blog.daum.net/wetsand/63

1. Load Balancer Service configuration
In the Bluemix Portal, open the Network > Load Balancing > Local page and, from the upper right, order a Local Load Balancer that includes the SSL Offload feature.

Once the Load Balancer is deployed, click the VIP ADDRESS to open the Details page.

As an HTTPS example, configure it as shown below.
With this configuration, the web server can read the client IP from the HTTP header.
Internet -> Https(443 Port) -> Load Balancer(SSL Offload) -> Http(80 port) -> Web Server

2. Create a private OpenSSL certificate
* This guide generates the certificate on CentOS 6.

// Install OpenSSL
# yum install mod_ssl openssl

// Generate the private key
# openssl genrsa -out test.key 2048

// Generate the CSR
# openssl req -new -key test.key -out test.csr

// Generate the self-signed certificate
# openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt

// Copy the files (the key and CSR created above are test.key and test.csr)
# cp test.crt /etc/pki/tls/certs
# cp test.key /etc/pki/tls/private/test.key
# cp test.csr /etc/pki/tls/private/test.csr

// Edit the Apache SSL configuration file
# vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf

// Change the SSLCertificateFile directive
SSLCertificateFile /etc/pki/tls/certs/test.crt

// Change the SSLCertificateKeyFile directive
SSLCertificateKeyFile /etc/pki/tls/private/test.key

// Restart Apache
# service httpd restart

// Edit httpd.conf
# vi /etc/httpd/conf/httpd.conf

// Add the NameVirtualHost directive
NameVirtualHost *:443

// Add the VirtualHost block for the NameVirtualHost above
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/test.crt
SSLCertificateKeyFile /etc/pki/tls/private/test.key
<Directory /var/www/vhosts/test.com/httpsdocs>
AllowOverride All
</Directory>
DocumentRoot /var/www/vhosts/test.com/httpsdocs
ServerName test.com
</VirtualHost>

// Restart Apache
# service httpd restart

3. Register the SSL certificate in the Bluemix portal

In the Bluemix Infra Portal, click the Security > SSL > Certificates menu, then click Import SSL Certificate in the upper right.

When the Import SSL Certificate pop-up appears, fill in the Certificate and Private Key fields and click Import. (For a publicly trusted SSL certificate, you must receive the final reply e-mail after registration.)
Test.crt -> Certificate
Test.key -> Private Key
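
Before pasting the two files into the import dialog, it helps to confirm that the certificate really belongs to the private key and is not about to expire. The script below is an added example, not part of the original post: the function names are hypothetical, and the sample pair is built with the commands from section 2 plus an assumed `-subj` value so that it runs unattended.

```shell
#!/bin/sh
# Added example: pre-import checks for the test.crt / test.key pair.
# Function names are hypothetical; they are not OpenSSL or portal commands.

# SHA-256 of the public key carried in a PEM certificate.
cert_pubkey_digest() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a PEM private key.
key_pubkey_digest() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only when the certificate was issued for this private key.
pair_matches() {
    c=$(cert_pubkey_digest "$1") || return 1
    k=$(key_pubkey_digest "$2") || return 1
    [ "$c" = "$k" ]
}

# Succeeds when the certificate is still valid N days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Constructed sample pair: the three commands from section 2, with -subj added
# (an assumption) so they run unattended, and umask 077 to keep the key private.
make_pair() (
    umask 077
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -subj "/CN=test.com" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$1/$2.csr" -signkey "$1/$2.key" \
        -out "$1/$2.crt" 2>/dev/null
)

demo() {
    d=$(mktemp -d) || return 1
    make_pair "$d" test && make_pair "$d" other || { rm -rf "$d"; return 1; }
    pair_matches "$d/test.crt" "$d/test.key" && echo "test.crt + test.key: match"
    pair_matches "$d/test.crt" "$d/other.key" || echo "test.crt + other.key: mismatch"
    valid_for_days "$d/test.crt" 30 && echo "test.crt: valid for 30+ days"
    rm -rf "$d"
}
demo
```

A missing or unreadable file makes `pair_matches` fail rather than compare two empty digests, so a wrong path is reported as a mismatch.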

등둝이 μ™„λ£Œλ˜λ©΄, μ•„λž˜ μ˜ˆμ‹œμ™€ 같이 μΈμ¦μ„œκ°€ λ‚˜νƒ€λ‚©λ‹ˆλ‹€.

μ•„κΉŒ λ°°ν¬ν•œ Load Balancer의 Detail νŽ˜μ΄μ§€μ—μ„œ SSL Offload 탭을 ν΄λ¦­ν•˜κ³ , Certificate ν•­λͺ©μ„ ν΄λ¦­ν•˜μ—¬ μ•„κΉŒ λ“±λ‘ν•œ μΈμ¦μ„œλ₯Ό μ„ νƒν•©λ‹ˆλ‹€.

μΈμ¦μ„œλ₯Ό μ„ νƒν•˜λ©΄ μ•„λž˜μ™€ 같이 μ•”ν˜Έν™” μ˜΅μ…˜λ“€μ΄ λ‚˜νƒ€λ‚˜κ³ , μ•Œλ§žκ²Œ 선택해 μ€λ‹ˆλ‹€.

μ›Ή λΈŒλΌμš°μ €μ— https://loadbalancerip λ₯Ό μž…λ ₯ν•˜μ‹œλ©΄ μ •μƒμ μœΌλ‘œ μ ‘μ†λ˜λŠ” 것을 확인할 수 μžˆμŠ΅λ‹ˆλ‹€.

κ°μ‚¬ν•©λ‹ˆλ‹€.
