nginx + iptables

This commit is contained in:
Karchnu 2022-04-24 11:50:51 +02:00
parent 6da92a1b46
commit c10d0de8f6
2 changed files with 349 additions and 0 deletions


@ -0,0 +1,292 @@
# load_module "modules/ngx_stream_ssl_preread_module.so";
load_module /usr/lib/nginx/modules/ngx_stream_module.so;
# worker_processes 1;
daemon off;
user root.nginx;
pid /srv/root/nginx/pid;
worker_rlimit_nofile 1024;
events {
worker_connections 800;
}
#error_log /srv/root/nginx/error.log warn;
error_log /tmp/nginx-error.log warn;
http {
access_log /tmp/nginx-access.log;
include /etc/nginx/mime.types;
default_type application/octet-stream;
index index.html index.htm index.xhtml;
fastcgi_param HTTP_PROXY "";
keepalive_timeout 65;
server_tokens off;
upstream git_baguette_backend {
server 192.168.122.132:3000;
# server 192.168.122.132:80;
keepalive 32;
}
upstream baguette_backend {
server 192.168.122.132:80;
keepalive 32;
}
upstream arpenteurs_backend_ws {
server localhost:3000;
# server 192.168.122.132:80;
keepalive 32;
}
upstream team_baguette_backend_ws {
server 192.168.122.132:8065;
# server 192.168.122.132:80;
keepalive 32;
}
upstream team_baguette_backend {
server 192.168.122.132:8065;
keepalive 32;
}
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
server {
listen 80 ;
listen [::]:80 ;
server_name www.arpenteurdestrasbourg.netlib.re arpenteurdestrasbourg.netlib.re;
location /admin {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 50M;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
client_body_timeout 60;
send_timeout 300;
lingering_timeout 5;
proxy_connect_timeout 90;
proxy_send_timeout 300;
proxy_read_timeout 90s;
proxy_pass http://arpenteurs_backend_ws;
}
location / {
proxy_buffering off;
proxy_set_header Host $host;
proxy_next_upstream_timeout 2s;
proxy_pass http://localhost:3000/;
}
}
server {
listen 80 ;
listen [::]:80 ;
server_name baguette.netlib.re
www.baguette.netlib.re
mail.baguette.netlib.re
git.baguette.netlib.re;
# error_log /srv/root/nginx/error_baguette-port-80.log warn;
error_log /tmp/nginx-error_baguette-port-80.log warn;
location / {
rewrite ^ https://git.baguette.netlib.re$request_uri? permanent;
}
location ~ /.well-known/acme-challenge/(.*) {
client_max_body_size 1M;
proxy_set_header Connection "";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
proxy_cache mattermost_cache;
proxy_cache_revalidate on;
proxy_cache_min_uses 2;
proxy_cache_use_stale timeout;
proxy_cache_lock on;
# Not sure.
add_header Content-Type application/jose+json;
proxy_pass http://baguette_backend;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name git.baguette.netlib.re;
ssl_protocols TLSv1.2;
ssl_certificate /etc/ssl/baguette.netlib.re.fullchain.pem;
ssl_certificate_key /etc/ssl/private/baguette.netlib.re.key;
ssl_dhparam /etc/ssl/private/dhparam.pem;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;
# ssl_ciphers HIGH:!MEDIUM:!WEAK:!aNULL:!MD5:!RC4;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:!ECDHE-RSA-AES256-SHA384;
ssl_prefer_server_ciphers on;
# error_log /srv/root/nginx/error_git-baguette.log warn;
error_log /tmp/nginx-error_git-baguette.log warn;
location / {
proxy_buffering off;
proxy_next_upstream_timeout 2s;
client_max_body_size 0;
# proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_max_temp_file_size 0;
proxy_redirect off;
proxy_read_timeout 120;
proxy_pass http://git_baguette_backend;
}
}
server {
listen 80 ;
listen [::]:80 ;
server_name www.baguette.netlib.re baguette.netlib.re;
location / {
rewrite ^ https://baguette.netlib.re$request_uri? permanent;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name baguette.netlib.re;
ssl_certificate /etc/ssl/baguette.netlib.re.fullchain.pem;
ssl_certificate_key /etc/ssl/private/baguette.netlib.re.key;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;
ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
ssl_prefer_server_ciphers on;
location / {
root /srv/baguette/ ;
}
}
server {
listen 80 ;
listen [::]:80 ;
server_name www.team.baguette.netlib.re team.baguette.netlib.re;
location / {
rewrite ^ https://team.baguette.netlib.re$request_uri? permanent;
}
location ~ /.well-known/acme-challenge/(.*) {
client_max_body_size 1M;
proxy_set_header Connection "";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
proxy_cache mattermost_cache;
proxy_cache_revalidate on;
proxy_cache_min_uses 2;
proxy_cache_use_stale timeout;
proxy_cache_lock on;
# Not sure.
add_header Content-Type application/jose+json;
proxy_pass http://baguette_backend;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name team.baguette.netlib.re;
# index index.php index.html;
ssl_certificate /etc/ssl/baguette.netlib.re.fullchain.pem;
ssl_certificate_key /etc/ssl/private/baguette.netlib.re.key;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;
ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
ssl_prefer_server_ciphers on;
location ~ /api/v[0-9]+/(users/)?websocket$ {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 50M;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
client_body_timeout 60;
send_timeout 300;
lingering_timeout 5;
proxy_connect_timeout 90;
proxy_send_timeout 300;
proxy_read_timeout 90s;
proxy_pass http://team_baguette_backend_ws;
}
location / {
client_max_body_size 50M;
proxy_set_header Connection "";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
proxy_cache mattermost_cache;
proxy_cache_revalidate on;
proxy_cache_min_uses 2;
proxy_cache_use_stale timeout;
proxy_cache_lock on;
proxy_pass http://team_baguette_backend;
}
}
}
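Review bot: `user root.nginx;` at the top of the config (L16) is wrong either way it is read: nginx's `user` directive takes `user [group]` as two words, so this names a single account `root.nginx` that presumably does not exist (config load then fails in getpwnam), and if it were corrected to `user root nginx;` the worker processes that serve `/srv/baguette/` and proxy untrusted traffic would run as root; it should be an unprivileged account such as `user nginx nginx;` (or whatever the distro package created). `proxy_set_header X-Frame-Options SAMEORIGIN;` in every proxied location (L68, L105, L186, L219, L237) sets a header on the request forwarded upstream, not on the response, so clients get no clickjacking protection from it; the response-side form is `add_header X-Frame-Options SAMEORIGIN always;`. The error and access logs are written to world-writable `/tmp` (L23, L25, L94, L134), which, with root-owned workers, is a symlink-following target and makes request logs tamperable; the commented-out `/srv/root/nginx/` paths look like the intended location. `baguette.netlib.re` and `www.baguette.netlib.re` appear in two port-80 server blocks (L89-L90 and L153); nginx keeps the first and warns on the duplicate, so those hosts are redirected to `https://git.baguette.netlib.re` rather than to `https://baguette.netlib.re` as the second block intends, and that second block's lack of an acme-challenge location becomes moot. The 443 blocks at L158 and L200 set no `ssl_protocols` and inherit nginx's default (which still includes TLSv1/1.1 on builds before 1.23.4), while only the git block pins TLSv1.2; a single `ssl_protocols TLSv1.2 TLSv1.3;` at `http` level would harden all three at once.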


@ -0,0 +1,57 @@
#!/bin/sh
alpha="192.168.122.84"
team="192.168.122.132"
bsdbuild="192.168.122.165"
baguette="192.168.122.181"
rd="192.168.122.211"
# association
ceius="192.168.122.30"
# not currently running
bsdservices="192.168.122.131"
#
# Rules
#
# alpha
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to-destination ${alpha}:80
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 443 -j DNAT --to-destination ${alpha}:443
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2203 -j DNAT --to-destination ${alpha}:22
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 9998 -j DNAT --to-destination ${alpha}:9998
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 9999 -j DNAT --to-destination ${alpha}:9999
# team
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2201 -j DNAT --to-destination ${team}:22
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2210 -j DNAT --to-destination ${team}:22
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2299 -j DNAT --to-destination ${team}:22
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 25 -j DNAT --to-destination ${team}:25
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 587 -j DNAT --to-destination ${team}:587
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 993 -j DNAT --to-destination ${team}:993
# rd
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2205 -j DNAT --to-destination ${rd}:22
# bsdbuild
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2265 -j DNAT --to-destination ${bsdbuild}:22
# CEIUS
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2230 -j DNAT --to-destination ${ceius}:22
# bsdservices
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2200 -j DNAT --to-destination ${bsdservices}:22
# baguette
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2220 -j DNAT --to-destination ${baguette}:22
#
# HOW-TO `iptables`
#
# remove the second entry of the LIBVIRT_FWI chain # iptables -D LIBVIRT_FWI 2
# list nat rules: # iptables -L -t nat --line-numbers
# Accept to forward any packet from any local VM
iptables -A FORWARD -p tcp -i virbr0 -s 192.168.122.0/24
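Review bot: The last FORWARD rule (L296) has no `-j` target, so as written it only counts packets matching `-i virbr0 -s 192.168.122.0/24` and forwards nothing; if the file really ends here and the comment's intent ("accept to forward any packet from any local VM") is meant, it needs `-j ACCEPT`, and the DNAT'd inbound ports above still need a matching `iptables -A FORWARD -i eth1 -o virbr0 -d 192.168.122.0/24 -p tcp -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT` unless the libvirt chains already allow them (not visible here). The script is not idempotent: every run appends (`-A`) another copy of each nat rule, so rerunning it after a tweak leaves stale DNATs in place; either flush the chain first (`iptables -t nat -F PREROUTING`) or guard each line with `iptables -t nat -C ... || iptables -t nat -A ...`. Three external ports (2201, 2210, 2299) all DNAT to `${team}:22` and port 2200 still forwards to the `bsdservices` host that the comment says is not running, which widens the SSH exposure for no benefit; one port per host, removed when the host is retired, would keep the attack surface to what is actually in use. A header comment stating that these rules are IPv4-only (the nginx config in the same commit listens on `[::]:80`) would also help the next maintainer.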