IT井戸端会議

Infrastructure, networking, application development, IT industry talk and more, from around Chiyoda-ku, Tokyo.

Building an SSL/TLS-enabled IRC server on CentOS 6

I set up an IRC server for team communication, so I am recording the procedure here. The server software used this time is ngircd, built from source.

Environment

CentOS release 6.6 (64bit)

Procedure

Firewall settings

Add the port that IRC over TLS will use (6697) to the iptables configuration. Two things matter here: the rule has to come before the chain's final REJECT rule, otherwise it is never reached, and the chain name has to be the one your /etc/sysconfig/iptables actually uses. The CentOS 6 default file uses the INPUT chain; RH-Firewall-1-INPUT, as written below, is the chain name of the older CentOS 5 default file and only works if your file still defines it.

$ sudo vi /etc/sysconfig/iptables
...
+ -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 6697 -j ACCEPT
...

Restart iptables to apply the change, then confirm the rule is listed (iptables -L -n) above the REJECT line.

$ sudo /etc/init.d/iptables restart
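As an added example (not part of the original post), here is the same firewall edit done by a script rather than by hand, on a constructed copy of the CentOS 6 default file: it picks up whichever input chain the file actually uses (INPUT on CentOS 6, RH-Firewall-1-INPUT on CentOS 5), inserts the ACCEPT rule immediately before that chain's REJECT rule so it takes effect, and is safe to run twice. The file path, the helper names and the sample content are assumptions.

```bash
#!/bin/bash
# Added example (not from the original post): insert the IRC-over-TLS ACCEPT
# rule into a CentOS-style /etc/sysconfig/iptables file at the right place.
# Assumptions: the file has an input chain that ends in a REJECT rule, as the
# CentOS 6 default file does; PORT defaults to 6697.
set -eu

# add_irc_rule FILE [PORT]
# Detects the input chain used in FILE (the first chain carrying a REJECT
# rule) and inserts an ACCEPT rule for PORT just before that REJECT rule,
# so the new rule is evaluated first. Idempotent for the same port.
add_irc_rule() {
    local file=$1 port=${2:-6697} chain tmp
    chain=$(awk '/^-A [^ ]+ .*-j REJECT/ { print $2; exit }' "$file")
    [ -n "$chain" ] || { echo "no REJECT rule found in $file" >&2; return 1; }
    if grep -qF -- "-A $chain -p tcp -m tcp --dport $port -j ACCEPT" "$file"; then
        return 0    # already present
    fi
    tmp=$(mktemp)
    awk -v chain="$chain" -v port="$port" '
        # Emit the ACCEPT rule once, before the first REJECT in that chain.
        !inserted && $1 == "-A" && $2 == chain && /-j REJECT/ {
            printf "-A %s -p tcp -m tcp --dport %s -j ACCEPT\n", chain, port
            inserted = 1
        }
        { print }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"    # overwrite in place, keeping owner and mode
    rm -f "$tmp"
}

# rule_precedes_reject FILE PORT
# Returns 0 only if an ACCEPT rule for PORT exists and appears before the
# first REJECT rule; this is the check to run after editing the file.
rule_precedes_reject() {
    awk -v port="$2" '
        $1 == "-A" && index($0, "--dport " port " -j ACCEPT") { accept = NR }
        $1 == "-A" && /-j REJECT/ && !reject { reject = NR }
        END { exit !(accept && reject && accept < reject) }
    ' "$1"
}

# write_sample_iptables FILE: a constructed copy of the CentOS 6 default
# /etc/sysconfig/iptables, used by the demo below and by the test.
write_sample_iptables() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Stand-alone demo on a scratch copy; on a real host you would point
# add_irc_rule at /etc/sysconfig/iptables and then restart iptables.
demo_dir=$(mktemp -d)
write_sample_iptables "$demo_dir/iptables"
add_irc_rule "$demo_dir/iptables"
cat "$demo_dir/iptables"
rm -rf "$demo_dir"
```

On a real host run it as root against /etc/sysconfig/iptables and restart iptables afterwards, exactly as in the manual step; the script only changes the file, not the running rule set.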

Download ngircd and build it with SSL/TLS support. The build needs gcc, make and the openssl-devel package (and zlib-devel for the compression support that shows up as +ZLIB in the version banner later). configure and make do not need root; only make install does, so do not run the whole build under sudo. The --with-openssl option takes the OpenSSL installation prefix (for example /usr), not the path of the openssl binary: passing /bin/openssl only works because the headers and libraries are found in the system default paths anyway, so --with-openssl on its own is the correct form. The tarball is fetched over plain HTTP; verify it against the signature or checksum the project publishes next to it before building.

$ cd /tmp/
$ wget http://ngircd.barton.de/pub/ngircd/ngircd-22.1.tar.gz
$ tar xzfv ngircd-22.1.tar.gz
$ cd ngircd-22.1/
$ ./configure --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man --with-openssl
$ make
$ sudo make install

Set up the directory for the pid file. ngircd writes the pidfile after switching to the ServerUID configured below, so the directory must be writable by that user; owning it by nobody is enough, and 755 rather than 777 stops other local users from planting or replacing the file. Note that the configuration diff below does not set the PidFile option; for this directory to be used, point PidFile in the [Global] section at a file inside it.

$ sudo mkdir -p /var/run/ngircd/
$ sudo chown nobody:nobody /var/run/ngircd/
$ sudo chmod 755 /var/run/ngircd/

Create the key and a self-signed certificate. This command prompts for a passphrase for the key (which is why KeyFilePassword is set in the configuration later; -nodes would skip the passphrase) and for the certificate subject, where the Common Name should be the host name clients will connect to. Without -days the certificate is valid for only 30 days, so the validity is given explicitly here. /usr/share is normally world-readable, so restrict the key file to root and the user ngircd runs as (nobody in this setup); the certificate itself is public.

$ sudo mkdir -p /usr/share/ngircd
$ cd /usr/share/ngircd/
$ sudo openssl req -newkey rsa:2048 -x509 -days 365 -keyout server-key.pem -out server-cert.pem
$ sudo chown root:nobody server-key.pem
$ sudo chmod 640 server-key.pem

Edit the ngircd configuration file as shown in the diff below. The sample file installed by make install is copied first so the original is kept for reference.

$ sudo cp -p /etc/ngircd.conf /etc/ngircd.conf.org

$ diff -u /etc/ngircd.conf.org /etc/ngircd.conf
--- /etc/ngircd.conf.org    2015-07-01 02:55:58.797824554 +0900
+++ /etc/ngircd.conf    2015-07-01 02:56:13.337799355 +0900
@@ -25,13 +25,13 @@
 
    # Server name in the IRC network, must contain at least one dot
    # (".") and be unique in the IRC network. Required!
-   Name = irc.example.net
+   Name = <ドメイン名>
 
    # Information about the server and the administrator, used by the
    # ADMIN command. Not required by server but by RFC!
    ;AdminInfo1 = Description
    ;AdminInfo2 = Location
-   ;AdminEMail = admin@irc.server
+   AdminEMail = <管理者メールアドレス>
 
    # Text file which contains the ngIRCd help text. This file is required
    # to display help texts when using the "HELP <cmd>" command.
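Review bot: `Name = <ドメイン名>` (the domain-name placeholder) should be the fully qualified host name clients will connect to, and the same name has to go into the certificate's Common Name when the key is generated, or the client's host name check on the TLS certificate will fail. The AdminEMail value is returned to any user by the ADMIN command, so prefer a role address over a personal one.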
@@ -39,20 +39,20 @@
 
    # Info text of the server. This will be shown by WHOIS and
    # LINKS requests for example.
-   Info = Server Info Text
+   Info = IRC Server
 
    # Comma separated list of IP addresses on which the server should
    # listen. Default values are:
    # "0.0.0.0" or (if compiled with IPv6 support) "::,0.0.0.0"
    # so the server listens on all IP addresses of the system by default.
-   ;Listen = 127.0.0.1,192.168.0.1
+   Listen = 0.0.0.0
 
    # Text file with the "message of the day" (MOTD). This message will
    # be shown to all users connecting to the server:
    ;MotdFile = /etc/ngircd.motd
 
    # A simple Phrase (<256 chars) if you don't want to use a motd file.
-   ;MotdPhrase = "Hello world!"
+   MotdPhrase = "Welcome !"
 
    # The name of the IRC network to which this server belongs. This name
    # is optional, should only contain ASCII characters, and can't contain
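Review bot: `Listen = 0.0.0.0` together with the [Global] Ports default that this diff leaves untouched means ngircd still accepts unencrypted connections on 6667 on every interface; only the iptables rule, which opens 6697 alone, keeps them from the outside. Confirm with netstat -ltnp after starting the daemon which ports are bound, and keep 6667 firewalled or bind Listen to an address that is not externally reachable if the plaintext listener is not wanted.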
@@ -62,7 +62,7 @@
 
    # Global password for all users needed to connect to the server.
    # (Default: not set)
-   ;Password = abc
+   Password = <パスワード>
 
    # This tells ngIRCd to write its current process ID to a file.
    # Note that the pidfile is written AFTER chroot and switching the
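Review bot: `Password = <パスワード>` (the password placeholder) is sent by every client in a PASS command during registration, so it is only protected when the client uses the TLS port; over the plaintext listener it crosses the network in clear. Once a password is in this file, /etc/ngircd.conf should be readable by root and the ServerUID only (mode 0640), not world-readable as the installed sample is. The pidfile option whose comment ends this hunk is not shown as set, so the /var/run/ngircd/ directory created earlier is never used unless PidFile is pointed at a file inside it.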
@@ -77,14 +77,14 @@
    # Group ID under which the ngIRCd should run; you can use the name
    # of the group or the numerical ID. ATTENTION: For this to work the
    # server must have been started with root privileges!
-   ;ServerGID = 65534
+   ServerGID = nobody
 
    # User ID under which the server should run; you can use the name
    # of the user or the numerical ID. ATTENTION: For this to work the
    # server must have been started with root privileges! In addition,
    # the configuration and MOTD files must be readable by this user,
    # otherwise RESTART and REHASH won't work!
-   ;ServerUID = 65534
+   ServerUID = nobody
 
 [Limits]
    # Define some limits and timeouts for this ngIRCd instance. Default
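Review bot: `ServerUID = nobody` / `ServerGID = nobody` shares an account with every other daemon that uses nobody, so a compromise of any of them reaches ngircd's files and vice versa; a dedicated system user (useradd -r) is the least-privilege choice. Whichever user is chosen, the readability requirement in the comment above extends beyond the config and MOTD: the TLS certificate and key must also be readable by it, because ngircd sets up its listeners, and loads the key, after dropping privileges.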
@@ -92,25 +92,25 @@
 
    # The server tries every <ConnectRetry> seconds to establish a link
    # to not yet (or no longer) connected servers.
-   ;ConnectRetry = 60
+   ConnectRetry = 60
 
    # Number of seconds after which the whole daemon should shutdown when
    # no connections are left active after handling at least one client
    # (0: never, which is the default).
    # This can be useful for testing or when ngIRCd is started using
    # "socket activation" with systemd(8), for example.
-   ;IdleTimeout = 0
+   IdleTimeout = 0
 
    # Maximum number of simultaneous in- and outbound connections the
    # server is allowed to accept (0: unlimited):
-   ;MaxConnections = 0
+   MaxConnections = 20
 
    # Maximum number of simultaneous connections from a single IP address
    # the server will accept (0: unlimited):
-   ;MaxConnectionsIP = 5
+   MaxConnectionsIP = 20
 
    # Maximum number of channels a user can be member of (0: no limit):
-   ;MaxJoins = 10
+   MaxJoins = 20
 
    # Maximum length of an user nickname (Default: 9, as in RFC 2812).
    # Please note that all servers in an IRC network MUST use the same
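Review bot: `MaxConnectionsIP = 20` equals `MaxConnections = 20`, so one source address can take every available slot and lock everyone else out; keep the per-IP limit well below the total (the default of 5 is sensible for a small server and should stay there when MaxConnections is raised). Uncommenting ConnectRetry and IdleTimeout at their default values changes nothing.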
@@ -123,11 +123,11 @@
 
    # After <PingTimeout> seconds of inactivity the server will send a
    # PING to the peer to test whether it is alive or not.
-   ;PingTimeout = 120
+   PingTimeout = 120
 
    # If a client fails to answer a PING with a PONG within <PongTimeout>
    # seconds, it will be disconnected by the server.
-   ;PongTimeout = 20
+   PongTimeout = 20
 
 [Options]
    # Optional features and configuration options to further tweak the
@@ -168,7 +168,7 @@
    ;CloakUserToNick = yes
 
    # Try to connect to other IRC servers using IPv4 and IPv6, if possible.
-   ;ConnectIPv6 = yes
+   ConnectIPv6 = no
    ;ConnectIPv4 = yes
 
    # Default user mode(s) to set on new local clients. Please note that
@@ -229,7 +229,7 @@
    # Let ngIRCd send an "authentication PING" when a new client connects,
    # and register this client only after receiving the corresponding
    # "PONG" reply.
-   ;RequireAuthPing = no
+   RequireAuthPing = yes
 
    # Silently drop all incoming CTCP requests.
    ;ScrubCTCP = no
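Review bot: `RequireAuthPing = yes` filters out clients that do not complete the IRC handshake, which is useful against crude bots, but it is not authentication; the global Password above remains the only access control. While in this section, `ScrubCTCP` just below is worth setting to yes on a private server, since CTCP requests let any user query other clients for details such as the software they run.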
@@ -246,13 +246,13 @@
    # be used. (Default: not set)
    ;WebircPassword = xyz
 
-;[SSL]
+[SSL]
    # SSL-related configuration options. Please note that this section
    # is only available when ngIRCd is compiled with support for SSL!
    # So don't forget to remove the ";" above if this is the case ...
 
    # SSL Server Key Certificate
-   ;CertFile = /etc/ssl/server-cert.pem
+   CertFile = /usr/share/ngircd/server-cert.pem
 
    # Select cipher suites allowed for SSL/TLS connections. This defaults
    # to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS).
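Review bot: `CertFile = /usr/share/ngircd/server-cert.pem` places the TLS material under /usr/share, which is meant for world-readable, architecture-independent data; the certificate is public, but the key goes into the same directory later, so either use a directory with restrictive permissions (such as one under /etc) or make sure the key file itself is mode 0640 and group-readable only by the ServerUID's group. The OpenSSL default CipherList noted in the comment (HIGH:!aNULL:@STRENGTH) is acceptable; since, unlike the GnuTLS example further down, it says nothing about protocol versions, confirm with openssl s_client after start-up that SSLv3 is refused on 6697.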
@@ -264,23 +264,23 @@
    ;CipherList = SECURE128:-VERS-SSL3.0
 
    # Diffie-Hellman parameters
    ;DHFile = /etc/ssl/dhparams.pem
 
    # SSL Server Key
-   ;KeyFile = /etc/ssl/server-key.pem
+   KeyFile = /usr/share/ngircd/server-key.pem
 
    # password to decrypt SSLKeyFile (OpenSSL only)
-   ;KeyFilePassword = secret
+   KeyFilePassword = <キー作成時に設定したパスワード>
 
    # Additional Listen Ports that expect SSL/TLS encrypted connections
-   ;Ports = 6697, 9999
+   Ports = 6697
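Review bot: `KeyFilePassword = <キー作成時に設定したパスワード>` (the passphrase chosen when the key was created) is stored in clear in the same file the daemon reads, so it adds nothing beyond the file permissions on the key itself and only creates a second secret to protect; an unencrypted key (openssl req with -nodes) at mode 0640 is equivalent and keeps the passphrase out of ngircd.conf. `DHFile` is left commented: without Diffie-Hellman parameters ngircd cannot offer DHE cipher suites, so generate them (openssl dhparam, 2048 bits) and set the path. `Ports = 6697` matches the single port opened in iptables.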
@@ -340,7 +340,7 @@
    ;Passive = no
 
    # Connect to the remote server using TLS/SSL (Default: false)
-   ;SSLConnect = yes
+   SSLConnect = yes
 
    # Define a (case insensitive) list of masks matching nicknames that
    # should be treated as IRC services when introduced via this remote
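Review bot: `SSLConnect = yes` is uncommented inside a [Server] block whose Name, Host and Port are not shown as set, so it has no effect; this section only matters when linking to another IRC server, and an incomplete block is best left entirely commented out. Once a link is configured, keeping SSLConnect enabled is right, since otherwise the server-to-server password and traffic cross the network in clear.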
@@ -365,7 +365,7 @@
    # There may be more than one [Channel] block, one for each channel.
 
    # Name of the channel
-   ;Name = #TheName
+   Name = #mychannel
 
    # Topic for this channel
    ;Topic = a great topic

Check that the configuration file is valid with the following command. ngircd -t parses the file and reports syntax and option errors; it does not check file permissions or judge whether the values are safe.

$ sudo ngircd -t
ngIRCd 22.1-IRCPLUS+SSL+SYSLOG+ZLIB-x86_64/unknown/linux-gnu
Copyright (c)2001-2014 Alexander Barton (<alex@barton.de>) and Contributors.
Homepage: <http://ngircd.barton.de/>

This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Reading configuration from "/etc/ngircd.conf" ...
OK, press enter to see a dump of your server configuration ...[press Enter]
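ngircd -t only parses the file. The following added example (not from the original post or the ngircd project) reads ngircd.conf the same way the daemon does (INI sections, lines starting with ";" are comments, "Key = Value" entries) and flags what a syntax check will not: a world-readable config that holds the password, a placeholder password, an incomplete [SSL] section, a world-readable key file, and a per-IP connection limit that does not stay below the total. It runs on a constructed config with this page's values; the file names, helper names and sample content are assumptions.

```bash
#!/bin/bash
# Added example (not from the original post or ngircd): the checks that
# "ngircd -t" does not make. Reads ngircd.conf the way ngircd does and flags
# settings and file modes that weaken the setup.
# Assumptions: the config path is passed in; KeyFile holds an absolute path,
# as on the page; the daemon runs as an unprivileged ServerUID.
set -eu

# conf_get FILE SECTION KEY: prints the active value of KEY in [SECTION];
# prints nothing if it is unset or only present as a ";Key = ..." comment.
conf_get() {
    awk -v want="[$2]" -v key="$3" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*;/ { next }                       # commented out
        /^[ \t]*\[/ { sec = trim($0); next }      # section header
        sec == want {
            n = index($0, "="); if (n == 0) next
            if (trim(substr($0, 1, n - 1)) == key) { print trim(substr($0, n + 1)); exit }
        }' "$1"
}

# world_readable FILE: 0 if "other" has the read bit.
world_readable() {
    case "$(stat -c %a "$1")" in *[4567]) return 0 ;; *) return 1 ;; esac
}

# audit_ngircd_conf FILE: prints one "WARN: ..." line per finding and
# returns the number of findings, so 0 means clean.
audit_ngircd_conf() {
    local conf=$1 n=0 pw ports cert key maxc maxip
    if world_readable "$conf"; then
        echo "WARN: $conf is world-readable but carries Password/KeyFilePassword"; n=$((n+1))
    fi
    pw=$(conf_get "$conf" Global Password)
    case "$pw" in
        "")   echo "WARN: no [Global] Password: anyone reaching the port can register"; n=$((n+1)) ;;
        "<"*) echo "WARN: Password is still the placeholder $pw"; n=$((n+1)) ;;
    esac
    ports=$(conf_get "$conf" SSL Ports)
    cert=$(conf_get "$conf" SSL CertFile)
    key=$(conf_get "$conf" SSL KeyFile)
    if [ -z "$ports" ] || [ -z "$cert" ] || [ -z "$key" ]; then
        echo "WARN: [SSL] Ports/CertFile/KeyFile incomplete: no TLS listener will be opened"; n=$((n+1))
    elif [ ! -r "$key" ]; then
        echo "WARN: KeyFile $key is missing or unreadable"; n=$((n+1))
    elif world_readable "$key"; then
        echo "WARN: KeyFile $key is world-readable"; n=$((n+1))
    fi
    maxc=$(conf_get "$conf" Limits MaxConnections)
    maxip=$(conf_get "$conf" Limits MaxConnectionsIP)
    # 0 means unlimited for both; a per-IP limit at or above the total lets
    # a single host exhaust every slot.
    if [ "${maxc:-0}" -gt 0 ] && { [ "${maxip:-0}" -eq 0 ] || [ "$maxip" -ge "$maxc" ]; }; then
        echo "WARN: MaxConnectionsIP (${maxip:-unset}) is not below MaxConnections ($maxc)"; n=$((n+1))
    fi
    return $n
}

# write_sample_conf FILE DIR: a constructed config with the page's values
# (not a real ngircd.conf); DIR is where the key and certificate live.
write_sample_conf() {
    cat > "$1" <<EOF
[Global]
    Name = irc.example.net
    ;Password = abc
    Password = <password>
    ServerUID = nobody
[Limits]
    MaxConnections = 20
    MaxConnectionsIP = 20
[Options]
    RequireAuthPing = yes
[SSL]
    CertFile = $2/server-cert.pem
    ;KeyFile = /etc/ssl/server-key.pem
    KeyFile = $2/server-key.pem
    Ports = 6697
EOF
}

# Stand-alone demo on a constructed config in a scratch directory; on the
# server run audit_ngircd_conf /etc/ngircd.conf as root instead.
demo=$(mktemp -d)
touch "$demo/server-key.pem" "$demo/server-cert.pem"
write_sample_conf "$demo/ngircd.conf" "$demo"
audit_ngircd_conf "$demo/ngircd.conf" || echo "$? finding(s)"
rm -rf "$demo"
```

The sample reproduces this page's settings and produces four findings; after tightening the file modes, replacing the placeholder password and lowering MaxConnectionsIP, the same config audits clean.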

Create the following init script as /etc/init.d/ngircd and make it executable (mode 0755). Compared with a first draft, the daemon is started exactly once through the daemon() helper (starting /usr/sbin/ngircd directly beforehand would launch a second instance that fails to bind the ports), OPTIONS is given a default so it is never undefined, and reload sends SIGHUP, on which ngircd re-reads its configuration.

#!/bin/bash
#
# ngircd        Start/stop the ngIRCd IRC daemon
#
# chkconfig: - 60 90
# description: ngircd

### BEGIN INIT INFO
# Provides: ngircd
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Should-Start: $syslog $named
# Should-Stop: $syslog $named
# Short-Description: start and stop ngircd
# Description: ngircd
### END INIT INFO

# Source function library.
. /etc/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

prog=ngircd
exec=/usr/sbin/ngircd
lockfile=/var/lock/subsys/$prog
# Extra command-line options for the daemon (none by default).
OPTIONS=""

start() {
    [ "$EUID" != "0" ] && exit 4
    [ "$NETWORKING" = "no" ] && exit 1
    [ -x $exec ] || exit 5

    # Start the daemon once, through daemon() so the exit status is recorded.
    echo -n $"Starting $prog: "
    daemon $exec $OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch $lockfile
    return $RETVAL
}

stop() {
    [ "$EUID" != "0" ] && exit 4
    echo -n $"Shutting down $prog: "
    killproc $prog
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f $lockfile
    return $RETVAL
}

reload() {
    [ "$EUID" != "0" ] && exit 4
    # ngircd re-reads its configuration on SIGHUP (same as the REHASH command).
    echo -n $"Reloading $prog: "
    killproc $prog -HUP
    RETVAL=$?
    echo
    return $RETVAL
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    status $prog
    ;;
  restart|force-reload)
    stop
    start
    ;;
  try-restart|condrestart)
    if status $prog > /dev/null; then
        stop
        start
    fi
    ;;
  reload)
    reload
    ;;
  *)
    echo $"Usage: $0 {start|stop|status|restart|reload|try-restart|force-reload}"
    exit 2
esac

Check that the script works.

$ sudo /etc/init.d/ngircd start
Starting ngircd:                                           [  OK  ]

$ sudo /etc/init.d/ngircd stop
Shutting down ngircd:                                      [  OK  ]

$ sudo /etc/init.d/ngircd status
ngircd is stopped

$ sudo /etc/init.d/ngircd start
Starting ngircd:                                           [  OK  ]

$ sudo /etc/init.d/ngircd status
ngircd (pid 30813) is running...

Enable the service at boot.

$ sudo chkconfig --add ngircd

$ sudo chkconfig --level 345 ngircd on
$ sudo chkconfig ngircd --list
ngircd          0:off   1:off   2:off   3:on    4:on    5:on    6:off

Connect with LimeChat using the following settings.

Server: <domain name>, Port: 6697, SSL: enabled, Server Password: <password>, Nickname: myname, Channel: #mychannel

Because the certificate is self-signed, the client cannot verify it against a CA and will warn; compare the certificate it presents with the fingerprint of server-cert.pem on the server (openssl x509 -fingerprint) before accepting it, since a silently accepted unknown certificate is exactly what a man-in-the-middle would present. Use the TLS port only: the server password is sent during registration and would cross the network in clear on 6667.

Connected successfully!
