Building an IRC server (with SSL) on CentOS 6
I set up an IRC server for team communication, so here are the steps I followed. For the IRC server daemon I used the ngircd package this time.
Environment
CentOS release 6.6 (64bit)
Steps
Firewall configuration
Add the port used by IRC (6697, the SSL port configured below) to iptables.
$ sudo vi /etc/sysconfig/iptables
...
+ -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 6697 -j ACCEPT
...
Restart iptables to apply the new rule.
$ sudo /etc/init.d/iptables restart
Download ngircd and build it with SSL support.
$ cd /tmp/
$ wget http://ngircd.barton.de/pub/ngircd/ngircd-22.1.tar.gz
$ tar xzfv ngircd-22.1.tar.gz
$ cd ngircd-22.1/
$ sudo ./configure --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man --with-openssl=/bin/openssl
$ sudo make
$ sudo make install
Set up the directory that will hold the pid file.
$ sudo mkdir -p /var/run/ngircd/
$ sudo chown nobody:nobody /var/run/ngircd/
# the directory is owned by nobody, the account ngircd drops to (ServerUID/ServerGID below),
# so ownership is what matters here; 755 is sufficient in place of 777
$ sudo chmod 777 /var/run/ngircd/
Create the server key and self-signed certificate.
$ sudo mkdir -p /usr/share/ngircd
$ cd /usr/share/ngircd/
# no -days is given, so the self-signed certificate is valid for only 30 days (the OpenSSL default);
# the passphrase entered here is the value set as KeyFilePassword in ngircd.conf below
$ sudo openssl req -newkey rsa:2048 -x509 -keyout server-key.pem -out server-cert.pem
Edit the ngircd configuration file as shown in the following diff.
$ sudo cp -p /etc/ngircd.conf /etc/ngircd.conf.org $ diff -u /etc/ngircd.conf.org /etc/ngircd.conf --- /etc/ngircd.conf.org 2015-07-01 02:55:58.797824554 +0900 +++ /etc/ngircd.conf 2015-07-01 02:56:13.337799355 +0900 @@ -25,13 +25,13 @@ # Server name in the IRC network, must contain at least one dot # (".") and be unique in the IRC network. Required! - Name = irc.example.net + Name = <ドメイン名> # Information about the server and the administrator, used by the # ADMIN command. Not required by server but by RFC! ;AdminInfo1 = Description ;AdminInfo2 = Location - ;AdminEMail = admin@irc.server + AdminEMail = <管理者メールアドレス> # Text file which contains the ngIRCd help text. This file is required # to display help texts when using the "HELP <cmd>" command. @@ -39,20 +39,20 @@ # Info text of the server. This will be shown by WHOIS and # LINKS requests for example. - Info = Server Info Text + Info = IRC Server # Comma separated list of IP addresses on which the server should # listen. Default values are: # "0.0.0.0" or (if compiled with IPv6 support) "::,0.0.0.0" # so the server listens on all IP addresses of the system by default. - ;Listen = 127.0.0.1,192.168.0.1 + Listen = 0.0.0.0 # Text file with the "message of the day" (MOTD). This message will # be shown to all users connecting to the server: ;MotdFile = /etc/ngircd.motd # A simple Phrase (<256 chars) if you don't want to use a motd file. - ;MotdPhrase = "Hello world!" + MotdPhrase = "Welcome !" # The name of the IRC network to which this server belongs. This name # is optional, should only contain ASCII characters, and can't contain @@ -62,7 +62,7 @@ # Global password for all users needed to connect to the server. # (Default: not set) - ;Password = abc + Password = <パスワード> # This tells ngIRCd to write its current process ID to a file. # Note that the pidfile is written AFTER chroot and switching the 
@@ -77,14 +77,14 @@ # Group ID under which the ngIRCd should run; you can use the name # of the group or the numerical ID. ATTENTION: For this to work the # server must have been started with root privileges! - ;ServerGID = 65534 + ServerGID = nobody # User ID under which the server should run; you can use the name # of the user or the numerical ID. ATTENTION: For this to work the # server must have been started with root privileges! In addition, # the configuration and MOTD files must be readable by this user, # otherwise RESTART and REHASH won't work! - ;ServerUID = 65534 + ServerUID = nobody [Limits] # Define some limits and timeouts for this ngIRCd instance. Default @@ -92,25 +92,25 @@ # The server tries every <ConnectRetry> seconds to establish a link # to not yet (or no longer) connected servers. - ;ConnectRetry = 60 + ConnectRetry = 60 # Number of seconds after which the whole daemon should shutdown when # no connections are left active after handling at least one client # (0: never, which is the default). # This can be useful for testing or when ngIRCd is started using # "socket activation" with systemd(8), for example. - ;IdleTimeout = 0 + IdleTimeout = 0 # Maximum number of simultaneous in- and outbound connections the # server is allowed to accept (0: unlimited): - ;MaxConnections = 0 + MaxConnections = 20 # Maximum number of simultaneous connections from a single IP address # the server will accept (0: unlimited): - ;MaxConnectionsIP = 5 + MaxConnectionsIP = 20 # Maximum number of channels a user can be member of (0: no limit): - ;MaxJoins = 10 + MaxJoins = 20 # Maximum length of an user nickname (Default: 9, as in RFC 2812). # Please note that all servers in an IRC network MUST use the same 
@@ -123,11 +123,11 @@ # After <PingTimeout> seconds of inactivity the server will send a # PING to the peer to test whether it is alive or not. - ;PingTimeout = 120 + PingTimeout = 120 # If a client fails to answer a PING with a PONG within <PongTimeout> # seconds, it will be disconnected by the server. - ;PongTimeout = 20 + PongTimeout = 20 [Options] # Optional features and configuration options to further tweak the @@ -168,7 +168,7 @@ ;CloakUserToNick = yes # Try to connect to other IRC servers using IPv4 and IPv6, if possible. - ;ConnectIPv6 = yes + ConnectIPv6 = no ;ConnectIPv4 = yes # Default user mode(s) to set on new local clients. Please note that @@ -229,7 +229,7 @@ # Let ngIRCd send an "authentication PING" when a new client connects, # and register this client only after receiving the corresponding # "PONG" reply. - ;RequireAuthPing = no + RequireAuthPing = yes # Silently drop all incoming CTCP requests. ;ScrubCTCP = no @@ -246,13 +246,13 @@ # be used. (Default: not set) ;WebircPassword = xyz -;[SSL] +[SSL] # SSL-related configuration options. Please note that this section # is only available when ngIRCd is compiled with support for SSL! # So don't forget to remove the ";" above if this is the case ... # SSL Server Key Certificate - ;CertFile = /etc/ssl/server-cert.pem + CertFile = /usr/share/ngircd/server-cert.pem # Select cipher suites allowed for SSL/TLS connections. This defaults # to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS). @@ -264,23 +264,23 @@ ;CipherList = SECURE128:-VERS-SSL3.0 # Diffie-Hellman parameters ;DHFile = /etc/ssl/dhparams.pem # SSL Server Key - ;KeyFile = /etc/ssl/server-key.pem + KeyFile = /usr/share/ngircd/server-key.pem # password to decrypt SSLKeyFile (OpenSSL only) - ;KeyFilePassword = secret + KeyFilePassword = <キー作成時に設定したパスワード> # Additional Listen Ports that expect SSL/TLS encrypted connections - ;Ports = 6697, 9999 + Ports = 6697 
@@ -340,7 +340,7 @@ ;Passive = no # Connect to the remote server using TLS/SSL (Default: false) - ;SSLConnect = yes + SSLConnect = yes # Define a (case insensitive) list of masks matching nicknames that # should be treated as IRC services when introduced via this remote @@ -365,7 +365,7 @@ # There may be more than one [Channel] block, one for each channel. # Name of the channel - ;Name = #TheName + Name = #mychannel # Topic for this channel ;Topic = a great topic
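Review bot: the `- ;Password = abc` / `+ Password = <パスワード>` change, together with `+ KeyFilePassword = <キー作成時に設定したパスワード>` in the [SSL] hunk, stores two secrets in /etc/ngircd.conf, and the `+ ServerUID = nobody` hunk's own comment says the file must stay readable by that user for RESTART and REHASH to work; restrict it to that user rather than leaving it world-readable, e.g. `chown root:nobody /etc/ngircd.conf` and `chmod 640 /etc/ngircd.conf`, so other local accounts cannot read the global connection password.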
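Review bot: `+ MaxConnections = 20` and `+ MaxConnectionsIP = 20` in the [Limits] hunk are equal, so a single address can occupy every available slot, which removes the protection the default `;MaxConnectionsIP = 5` gave against one misbehaving client locking everyone else out; keep MaxConnectionsIP well below MaxConnections (or raise MaxConnections instead).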
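Review bot: the [SSL] hunk adds `+ Ports = 6697` while `+ Listen = 0.0.0.0` is set and the [Global] `Ports` key is untouched, so the unencrypted default port 6667 stays bound on all interfaces and only the iptables rule that opened 6697 keeps it off the network; state that dependency next to the firewall step and, after starting the daemon, confirm the listening set with `netstat -ltnp` so a later firewall change does not silently expose the plaintext port.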
Check that the configuration file is valid with the following command.
$ sudo ngircd -t
ngIRCd 22.1-IRCPLUS+SSL+SYSLOG+ZLIB-x86_64/unknown/linux-gnu
Copyright (c)2001-2014 Alexander Barton (<alex@barton.de>) and Contributors.
Homepage: <http://ngircd.barton.de/>

This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Reading configuration from "/etc/ngircd.conf" ...
OK, press enter to see a dump of your server configuration ...
[press Enter]
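`ngircd -t` only checks syntax. As an added check of my own (not part of ngircd or this post), the script below reads an ngircd.conf and flags the settings this walkthrough depends on: an active [SSL] section with CertFile, KeyFile and Ports, a non-root ServerUID, a private file mode when Password or KeyFilePassword is stored, and a reminder that the plaintext 6667 port is still bound. The helper names are mine, the sample config is constructed to mirror the diff above, and the permission check assumes the usual `ls -l` mode column.

```shell
#!/bin/bash
# Added example, not part of ngircd or the original post: audit ngircd.conf for
# the settings this walkthrough changes. Helper names below are my own.
# conf_get FILE SECTION KEY: print the active value of KEY in [SECTION]. ngircd
# comments start with ";", so ";Key = x" is unset and a commented ";[SSL]" header
# leaves its keys in the previous section, exactly as the daemon would see them.
conf_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { s = $0; gsub(/[[:space:]]/, "", s); next }
        s == want && $0 !~ /^[[:space:]]*;/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}
# audit_ngircd_conf FILE: print one line per finding, return the FAIL+WARN count.
audit_ngircd_conf() {
    local f="$1" n=0 k v
    [ -n "$(conf_get "$f" SSL Ports)" ] || { echo "FAIL: no active [SSL] Ports, TLS listener off"; n=$((n+1)); }
    for k in CertFile KeyFile; do
        [ -n "$(conf_get "$f" SSL "$k")" ] || { echo "FAIL: [SSL] $k not set"; n=$((n+1)); }
    done
    # The daemon must drop root after binding its ports.
    case "$(conf_get "$f" Global ServerUID)" in ""|0|root) echo "FAIL: ServerUID missing or root"; n=$((n+1));; esac
    # Password and KeyFilePassword are secrets: no group/world permission bits.
    v="$(conf_get "$f" Global Password)$(conf_get "$f" SSL KeyFilePassword)"
    if [ -n "$v" ] && [ "$(ls -l "$f" | cut -c5-10)" != "------" ]; then
        echo "WARN: $f holds passwords but is group/world readable"; n=$((n+1))
    fi
    # Plaintext 6667 stays bound unless [Global] Ports is set; the walkthrough
    # relies on iptables (only 6697 opened) to keep it off the network.
    [ -n "$(conf_get "$f" Global Ports)" ] || echo "INFO: plaintext port 6667 still listens"
    return "$n"
}
# write_sample_conf FILE: constructed config mirroring the post's edits (placeholder values).
write_sample_conf() {
    cat > "$1" <<'EOF'
[Global]
  Password = changeme
  ServerUID = nobody
[SSL]
  CertFile = /usr/share/ngircd/server-cert.pem
  KeyFile = /usr/share/ngircd/server-key.pem
  Ports = 6697
EOF
}
```

Run it against the real file with `audit_ngircd_conf /etc/ngircd.conf`; a non-zero exit status means at least one FAIL or WARN was printed.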
Create the service start-up script (/etc/init.d/ngircd) as follows.
#!/bin/bash
#
# ngircd
#
# chkconfig: - 60 90
# description: ngircd
### BEGIN INIT INFO
# Provides: ngircd
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Should-Start: $syslog $named
# Should-Stop: $syslog $named
# Short-Description: start and stop ngircd
# Description: ngircd
### END INIT INFO

# Source function library.
. /etc/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

prog=ngircd
lockfile=/var/lock/subsys/$prog

start() {
    [ "$EUID" != "0" ] && exit 4
    [ "$NETWORKING" = "no" ] && exit 1
    [ -f /usr/sbin/ngircd ] || exit 5

    # Start daemons. "daemon" launches ngircd once; do not also run
    # /usr/sbin/ngircd directly here, or two instances are started.
    echo -n $"Starting $prog: "
    daemon $prog $OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch $lockfile
    return $RETVAL
}

stop() {
    [ "$EUID" != "0" ] && exit 4
    echo -n $"Shutting down $prog: "
    killproc $prog
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f $lockfile
    return $RETVAL
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status $prog
        ;;
    restart|force-reload)
        stop
        start
        ;;
    try-restart|condrestart)
        if status $prog > /dev/null; then
            stop
            start
        fi
        ;;
    reload)
        exit 3
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|try-restart|force-reload}"
        exit 2
esac
Check that the script we just created works.
$ sudo /etc/init.d/ngircd start
ngircd を起動中:                                            [  OK  ]
$ sudo /etc/init.d/ngircd stop
ngircd を停止中:                                            [  OK  ]
$ sudo /etc/init.d/ngircd status
ngircd は停止しています
$ sudo /etc/init.d/ngircd start
ngircd を起動中:                                            [  OK  ]
$ sudo /etc/init.d/ngircd status
ngircd (pid 30813) を実行中...
Enable automatic start at boot.
$ sudo chkconfig --add ngircd
$ sudo chkconfig --level 345 ngircd on
$ sudo chkconfig ngircd --list
ngircd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
Try logging in with LimeChat using the following settings.
Server: <domain name>
Port: 6697
SSL: enabled
Server Password: <password>
Nickname: myname
Channel: #mychannel
Connected without any problems!