nginx + iptables

configuration-files/alpha/nginx.conf

@@ -0,0 +1,292 @@
+
+# load_module "modules/ngx_stream_ssl_preread_module.so";
+load_module /usr/lib/nginx/modules/ngx_stream_module.so;
+
+# worker_processes  1;
+daemon off;
+
+user root.nginx;
+
+pid /srv/root/nginx/pid;
+
+worker_rlimit_nofile 1024;
+events {
+	worker_connections  800;
+}
+
+#error_log  /srv/root/nginx/error.log warn;
+error_log  /tmp/nginx-error.log warn;
+
+http {
+	access_log /tmp/nginx-access.log;
+
+	include       /etc/nginx/mime.types;
+	default_type  application/octet-stream;
+	index         index.html index.htm index.xhtml;
+
+	fastcgi_param HTTP_PROXY "";
+
+	keepalive_timeout  65;
+
+	server_tokens off;
+
+	upstream git_baguette_backend {
+		server 192.168.122.132:3000;
+		# server 192.168.122.132:80;
+		keepalive 32;
+	}
+
+	upstream baguette_backend {
+		server 192.168.122.132:80;
+		keepalive 32;
+	}
+
+	upstream arpenteurs_backend_ws {
+		server localhost:3000;
+		# server 192.168.122.132:80;
+		keepalive 32;
+	}
+
+
+	upstream team_baguette_backend_ws {
+		server 192.168.122.132:8065;
+		# server 192.168.122.132:80;
+		keepalive 32;
+	}
+
+	upstream team_baguette_backend {
+		server 192.168.122.132:8065;
+		keepalive 32;
+	}
+
+	proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
+
+
+	server {
+		listen       80 ;
+		listen       [::]:80 ;
+		server_name  www.arpenteurdestrasbourg.netlib.re arpenteurdestrasbourg.netlib.re;
+
+		location /admin {
+			proxy_set_header Upgrade $http_upgrade;
+			proxy_set_header Connection "upgrade";
+			client_max_body_size 50M;
+			proxy_set_header Host $http_host;
+			proxy_set_header X-Real-IP $remote_addr;
+			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+			proxy_set_header X-Forwarded-Proto $scheme;
+			proxy_set_header X-Frame-Options SAMEORIGIN;
+			proxy_buffers 256 16k;
+			proxy_buffer_size 16k;
+			client_body_timeout 60;
+			send_timeout 300;
+			lingering_timeout 5;
+			proxy_connect_timeout 90;
+			proxy_send_timeout 300;
+			proxy_read_timeout 90s;
+			proxy_pass http://arpenteurs_backend_ws;
+		}
+
+		location / {
+			proxy_buffering off;
+			proxy_set_header Host $host;
+			proxy_next_upstream_timeout 2s;
+			proxy_pass http://localhost:3000/;
+		}
+	}
+
+	server {
+		listen       80 ;
+		listen       [::]:80 ;
+		server_name  baguette.netlib.re
+			www.baguette.netlib.re
+			mail.baguette.netlib.re
+			git.baguette.netlib.re;
+#			error_log  /srv/root/nginx/error_baguette-port-80.log warn;
+			error_log  /tmp/nginx-error_baguette-port-80.log warn;
+
+		location / {
+			rewrite  ^ https://git.baguette.netlib.re$request_uri? permanent;
+		}
+
+		location ~ /.well-known/acme-challenge/(.*) {
+			client_max_body_size 1M;
+			proxy_set_header Connection "";
+			proxy_set_header Host $http_host;
+			proxy_set_header X-Real-IP $remote_addr;
+			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+			proxy_set_header X-Forwarded-Proto $scheme;
+			proxy_set_header X-Frame-Options SAMEORIGIN;
+			proxy_buffers 256 16k;
+			proxy_buffer_size 16k;
+			proxy_read_timeout 600s;
+			proxy_cache mattermost_cache;
+			proxy_cache_revalidate on;
+			proxy_cache_min_uses 2;
+			proxy_cache_use_stale timeout;
+			proxy_cache_lock on;
+			# Not sure.
+			add_header Content-Type application/jose+json;
+			proxy_pass http://baguette_backend;
+		}
+	}
+
+	server {
+		listen       443 ssl;
+		listen       [::]:443 ssl;
+		server_name  git.baguette.netlib.re;
+		ssl_protocols TLSv1.2;
+
+		ssl_certificate      /etc/ssl/baguette.netlib.re.fullchain.pem;
+		ssl_certificate_key  /etc/ssl/private/baguette.netlib.re.key;
+
+		ssl_dhparam    /etc/ssl/private/dhparam.pem;
+		ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
+
+
+		ssl_session_timeout  5m;
+		ssl_session_cache    shared:SSL:10m;
+
+		# ssl_ciphers  HIGH:!MEDIUM:!WEAK:!aNULL:!MD5:!RC4;
+		ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:!ECDHE-RSA-AES256-SHA384;
+		ssl_prefer_server_ciphers   on;
+
+#		error_log  /srv/root/nginx/error_git-baguette.log warn;
+		error_log  /tmp/nginx-error_git-baguette.log warn;
+
+		location / {
+			proxy_buffering off;
+			proxy_next_upstream_timeout 2s;
+			client_max_body_size 0;
+			# proxy_set_header Host $host;
+			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+			proxy_set_header X-Real-IP $remote_addr;
+			proxy_set_header Host $http_host;
+			proxy_set_header X-Forwarded-Proto $scheme;
+			proxy_max_temp_file_size 0;
+			proxy_redirect off;
+			proxy_read_timeout 120;
+			proxy_pass http://git_baguette_backend;
+		}
+	}
+
+
+	server {
+		listen       80 ;
+		listen       [::]:80 ;
+		server_name  www.baguette.netlib.re baguette.netlib.re;
+
+		location / {
+			rewrite  ^ https://baguette.netlib.re$request_uri? permanent;
+		}
+	}
+
+	server {
+		listen       443 ssl;
+		listen       [::]:443 ssl;
+		server_name  baguette.netlib.re;
+
+		ssl_certificate      /etc/ssl/baguette.netlib.re.fullchain.pem;
+		ssl_certificate_key  /etc/ssl/private/baguette.netlib.re.key;
+
+
+		ssl_session_timeout  5m;
+		ssl_session_cache    shared:SSL:10m;
+
+		ssl_ciphers  HIGH:!aNULL:!MD5:!RC4;
+		ssl_prefer_server_ciphers   on;
+
+		location / {
+			root /srv/baguette/ ;
+		}
+	}
+
+
+	server {
+		listen       80 ;
+		listen       [::]:80 ;
+		server_name  www.team.baguette.netlib.re team.baguette.netlib.re;
+
+		location / {
+			rewrite  ^ https://team.baguette.netlib.re$request_uri? permanent;
+		}
+
+		location ~ /.well-known/acme-challenge/(.*) {
+			client_max_body_size 1M;
+			proxy_set_header Connection "";
+			proxy_set_header Host $http_host;
+			proxy_set_header X-Real-IP $remote_addr;
+			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+			proxy_set_header X-Forwarded-Proto $scheme;
+			proxy_set_header X-Frame-Options SAMEORIGIN;
+			proxy_buffers 256 16k;
+			proxy_buffer_size 16k;
+			proxy_read_timeout 600s;
+			proxy_cache mattermost_cache;
+			proxy_cache_revalidate on;
+			proxy_cache_min_uses 2;
+			proxy_cache_use_stale timeout;
+			proxy_cache_lock on;
+			# Not sure.
+			add_header Content-Type application/jose+json;
+			proxy_pass http://baguette_backend;
+		}
+	}
+
+	server {
+		listen       443 ssl;
+		listen       [::]:443 ssl;
+		server_name  team.baguette.netlib.re;
+
+		# index index.php index.html;
+
+		ssl_certificate      /etc/ssl/baguette.netlib.re.fullchain.pem;
+		ssl_certificate_key  /etc/ssl/private/baguette.netlib.re.key;
+
+		ssl_session_timeout  5m;
+		ssl_session_cache    shared:SSL:10m;
+
+		ssl_ciphers  HIGH:!aNULL:!MD5:!RC4;
+		ssl_prefer_server_ciphers   on;
+
+		location ~ /api/v[0-9]+/(users/)?websocket$ {
+			proxy_set_header Upgrade $http_upgrade;
+			proxy_set_header Connection "upgrade";
+			client_max_body_size 50M;
+			proxy_set_header Host $http_host;
+			proxy_set_header X-Real-IP $remote_addr;
+			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+			proxy_set_header X-Forwarded-Proto $scheme;
+			proxy_set_header X-Frame-Options SAMEORIGIN;
+			proxy_buffers 256 16k;
+			proxy_buffer_size 16k;
+			client_body_timeout 60;
+			send_timeout 300;
+			lingering_timeout 5;
+			proxy_connect_timeout 90;
+			proxy_send_timeout 300;
+			proxy_read_timeout 90s;
+			proxy_pass http://team_baguette_backend_ws;
+		}
+
+		location / {
+			client_max_body_size 50M;
+			proxy_set_header Connection "";
+			proxy_set_header Host $http_host;
+			proxy_set_header X-Real-IP $remote_addr;
+			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+			proxy_set_header X-Forwarded-Proto $scheme;
+			proxy_set_header X-Frame-Options SAMEORIGIN;
+			proxy_buffers 256 16k;
+			proxy_buffer_size 16k;
+			proxy_read_timeout 600s;
+			proxy_cache mattermost_cache;
+			proxy_cache_revalidate on;
+			proxy_cache_min_uses 2;
+			proxy_cache_use_stale timeout;
+			proxy_cache_lock on;
+			proxy_pass http://team_baguette_backend;
+		}
+	}
+
+}

configuration-files/phy0-ARN/iptables.sh

@@ -0,0 +1,57 @@
+#!/bin/sh
+
+alpha="192.168.122.84"
+team="192.168.122.132"
+bsdbuild="192.168.122.165"
+baguette="192.168.122.181"
+rd="192.168.122.211"
+
+# association
+ceius="192.168.122.30"
+
+# not currently running
+bsdservices="192.168.122.131"
+
+#
+# Rules
+#
+
+# alpha
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80   -j DNAT --to-destination ${alpha}:80
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 443  -j DNAT --to-destination ${alpha}:443
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2203 -j DNAT --to-destination ${alpha}:22
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 9998 -j DNAT --to-destination ${alpha}:9998
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 9999 -j DNAT --to-destination ${alpha}:9999
+
+# team
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2201 -j DNAT --to-destination ${team}:22
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2210 -j DNAT --to-destination ${team}:22
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2299 -j DNAT --to-destination ${team}:22
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 25   -j DNAT --to-destination ${team}:25
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 587  -j DNAT --to-destination ${team}:587
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 993  -j DNAT --to-destination ${team}:993
+
+# rd
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2205 -j DNAT --to-destination ${rd}:22
+
+# bsdbuild
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2265 -j DNAT --to-destination ${bsdbuild}:22
+
+# CEIUS
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2230 -j DNAT --to-destination ${ceius}:22
+
+# bsdservices
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2200 -j DNAT --to-destination ${bsdservices}:22
+
+# baguette
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2220 -j DNAT --to-destination ${baguette}:22
+
+#
+# HOW-TO `iptables`
+#
+
+# remove the second entry of the LIBVIRT_FWI chain # iptables -D LIBVIRT_FWI 2
+# list nat rules:                                  # iptables -L -t nat --line-numbers
+
+# Accept to forward any packet from any local VM
+iptables  -A FORWARD -p tcp -i virbr0 -s 192.168.122.0/24