From c10d0de8f6cdce837a5e6f5a9088c4fc69d94903 Mon Sep 17 00:00:00 2001
From: Karchnu
Date: Sun, 24 Apr 2022 11:50:51 +0200
Subject: [PATCH] nginx + iptables

---
 configuration-files/alpha/nginx.conf | 292 +++++++++++++++++++++++
 configuration-files/phy0-ARN/iptables.sh | 57 +++++
 2 files changed, 349 insertions(+)
 create mode 100644 configuration-files/alpha/nginx.conf
 create mode 100755 configuration-files/phy0-ARN/iptables.sh

diff --git a/configuration-files/alpha/nginx.conf b/configuration-files/alpha/nginx.conf
new file mode 100644
index 0000000..15d1e7a
--- /dev/null
+++ b/configuration-files/alpha/nginx.conf
@@ -0,0 +1,292 @@
+
+# load_module "modules/ngx_stream_ssl_preread_module.so";
+load_module /usr/lib/nginx/modules/ngx_stream_module.so;
+
+# worker_processes 1;
+daemon off;
+
+user root.nginx;
+
+pid /srv/root/nginx/pid;
+
+worker_rlimit_nofile 1024;
+events {
+ worker_connections 800;
+}
+
+#error_log /srv/root/nginx/error.log warn;
+error_log /tmp/nginx-error.log warn;
+
+http {
+ access_log /tmp/nginx-access.log;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ index index.html index.htm index.xhtml;
+
+ fastcgi_param HTTP_PROXY "";
+
+ keepalive_timeout 65;
+
+ server_tokens off;
+
+ upstream git_baguette_backend {
+ server 192.168.122.132:3000;
+ # server 192.168.122.132:80;
+ keepalive 32;
+ }
+
+ upstream baguette_backend {
+ server 192.168.122.132:80;
+ keepalive 32;
+ }
+
+ upstream arpenteurs_backend_ws {
+ server localhost:3000;
+ # server 192.168.122.132:80;
+ keepalive 32;
+ }
+
+
+ upstream team_baguette_backend_ws {
+ server 192.168.122.132:8065;
+ # server 192.168.122.132:80;
+ keepalive 32;
+ }
+
+ upstream team_baguette_backend {
+ server 192.168.122.132:8065;
+ keepalive 32;
+ }
+
+ proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
+
+
+ server {
+ listen 80 ;
+ listen [::]:80 ;
+ server_name www.arpenteurdestrasbourg.netlib.re arpenteurdestrasbourg.netlib.re;
+
+ location /admin {
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ client_max_body_size 50M;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+ proxy_buffers 256 16k;
+ proxy_buffer_size 16k;
+ client_body_timeout 60;
+ send_timeout 300;
+ lingering_timeout 5;
+ proxy_connect_timeout 90;
+ proxy_send_timeout 300;
+ proxy_read_timeout 90s;
+ proxy_pass http://arpenteurs_backend_ws;
+ }
+
+ location / {
+ proxy_buffering off;
+ proxy_set_header Host $host;
+ proxy_next_upstream_timeout 2s;
+ proxy_pass http://localhost:3000/;
+ }
+ }
+
+ server {
+ listen 80 ;
+ listen [::]:80 ;
+ server_name baguette.netlib.re
+ www.baguette.netlib.re
+ mail.baguette.netlib.re
+ git.baguette.netlib.re;
+# error_log /srv/root/nginx/error_baguette-port-80.log warn;
+ error_log /tmp/nginx-error_baguette-port-80.log warn;
+
+ location / {
+ rewrite ^ https://git.baguette.netlib.re$request_uri? permanent;
+ }
+
+ location ~ /.well-known/acme-challenge/(.*) {
+ client_max_body_size 1M;
+ proxy_set_header Connection "";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+ proxy_buffers 256 16k;
+ proxy_buffer_size 16k;
+ proxy_read_timeout 600s;
+ proxy_cache mattermost_cache;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 2;
+ proxy_cache_use_stale timeout;
+ proxy_cache_lock on;
+ # Not sure.
+ add_header Content-Type application/jose+json;
+ proxy_pass http://baguette_backend;
+ }
+ }
+
+ server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name git.baguette.netlib.re;
+ ssl_protocols TLSv1.2;
+
+ ssl_certificate /etc/ssl/baguette.netlib.re.fullchain.pem;
+ ssl_certificate_key /etc/ssl/private/baguette.netlib.re.key;
+
+ ssl_dhparam /etc/ssl/private/dhparam.pem;
+ ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
+
+
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:10m;
+
+ # ssl_ciphers HIGH:!MEDIUM:!WEAK:!aNULL:!MD5:!RC4;
+ ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:!ECDHE-RSA-AES256-SHA384;
+ ssl_prefer_server_ciphers on;
+
+# error_log /srv/root/nginx/error_git-baguette.log warn;
+ error_log /tmp/nginx-error_git-baguette.log warn;
+
+ location / {
+ proxy_buffering off;
+ proxy_next_upstream_timeout 2s;
+ client_max_body_size 0;
+ # proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_max_temp_file_size 0;
+ proxy_redirect off;
+ proxy_read_timeout 120;
+ proxy_pass http://git_baguette_backend;
+ }
+ }
+
+
+ server {
+ listen 80 ;
+ listen [::]:80 ;
+ server_name www.baguette.netlib.re baguette.netlib.re;
+
+ location / {
+ rewrite ^ https://baguette.netlib.re$request_uri? permanent;
+ }
+ }
+
+ server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name baguette.netlib.re;
+
+ ssl_certificate /etc/ssl/baguette.netlib.re.fullchain.pem;
+ ssl_certificate_key /etc/ssl/private/baguette.netlib.re.key;
+
+
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:10m;
+
+ ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ root /srv/baguette/ ;
+ }
+ }
+
+
+ server {
+ listen 80 ;
+ listen [::]:80 ;
+ server_name www.team.baguette.netlib.re team.baguette.netlib.re;
+
+ location / {
+ rewrite ^ https://team.baguette.netlib.re$request_uri? permanent;
+ }
+
+ location ~ /.well-known/acme-challenge/(.*) {
+ client_max_body_size 1M;
+ proxy_set_header Connection "";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+ proxy_buffers 256 16k;
+ proxy_buffer_size 16k;
+ proxy_read_timeout 600s;
+ proxy_cache mattermost_cache;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 2;
+ proxy_cache_use_stale timeout;
+ proxy_cache_lock on;
+ # Not sure.
+ add_header Content-Type application/jose+json;
+ proxy_pass http://baguette_backend;
+ }
+ }
+
+ server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name team.baguette.netlib.re;
+
+ # index index.php index.html;
+
+ ssl_certificate /etc/ssl/baguette.netlib.re.fullchain.pem;
+ ssl_certificate_key /etc/ssl/private/baguette.netlib.re.key;
+
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:10m;
+
+ ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
+ ssl_prefer_server_ciphers on;
+
+ location ~ /api/v[0-9]+/(users/)?websocket$ {
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ client_max_body_size 50M;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+ proxy_buffers 256 16k;
+ proxy_buffer_size 16k;
+ client_body_timeout 60;
+ send_timeout 300;
+ lingering_timeout 5;
+ proxy_connect_timeout 90;
+ proxy_send_timeout 300;
+ proxy_read_timeout 90s;
+ proxy_pass http://team_baguette_backend_ws;
+ }
+
+ location / {
+ client_max_body_size 50M;
+ proxy_set_header Connection "";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+ proxy_buffers 256 16k;
+ proxy_buffer_size 16k;
+ proxy_read_timeout 600s;
+ proxy_cache mattermost_cache;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 2;
+ proxy_cache_use_stale timeout;
+ proxy_cache_lock on;
+ proxy_pass http://team_baguette_backend;
+ }
+ }
+
+}
diff --git a/configuration-files/phy0-ARN/iptables.sh b/configuration-files/phy0-ARN/iptables.sh
new file mode 100755
index 0000000..7026658
--- /dev/null
+++ b/configuration-files/phy0-ARN/iptables.sh
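Review bot: `user root.nginx;` near the top of the file makes the worker processes run with full privileges, so every proxied request, cached body and log write is handled as root; nginx's `user` directive is a space-separated `user [group]`, so `root.nginx` is also looked up as a single user name and, unless such an account exists, nginx fails to resolve it at startup. The workers only need to read what the master already opened and write the logs and cache, so an unprivileged account such as `user nginx nginx;` is the expected value here. Separately, `baguette.netlib.re` and `www.baguette.netlib.re` are named in two port-80 server blocks (the one that rewrites to `https://git.baguette.netlib.re$request_uri?` and the later one that rewrites to `https://baguette.netlib.re$request_uri?`); nginx keeps the first and warns that the later names conflict, so plain-HTTP requests for the main site end up redirected to the git host. `proxy_set_header X-Frame-Options SAMEORIGIN;` in the proxied locations only adds a request header towards the upstream; if the intent is to keep browsers from framing the site it has to be `add_header X-Frame-Options SAMEORIGIN;` on the response. The `baguette.netlib.re` and `team.baguette.netlib.re` 443 blocks also lack the `ssl_protocols TLSv1.2;` that the git block sets, so they fall back to nginx's default protocol list.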
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+alpha="192.168.122.84"
+team="192.168.122.132"
+bsdbuild="192.168.122.165"
+baguette="192.168.122.181"
+rd="192.168.122.211"
+
+# association
+ceius="192.168.122.30"
+
+# not currently running
+bsdservices="192.168.122.131"
+
+#
+# Rules
+#
+
+# alpha
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to-destination ${alpha}:80
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 443 -j DNAT --to-destination ${alpha}:443
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2203 -j DNAT --to-destination ${alpha}:22
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 9998 -j DNAT --to-destination ${alpha}:9998
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 9999 -j DNAT --to-destination ${alpha}:9999
+
+# team
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2201 -j DNAT --to-destination ${team}:22
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2210 -j DNAT --to-destination ${team}:22
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2299 -j DNAT --to-destination ${team}:22
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 25 -j DNAT --to-destination ${team}:25
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 587 -j DNAT --to-destination ${team}:587
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 993 -j DNAT --to-destination ${team}:993
+
+# rd
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2205 -j DNAT --to-destination ${rd}:22
+
+# bsdbuild
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2265 -j DNAT --to-destination ${bsdbuild}:22
+
+# CEIUS
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2230 -j DNAT --to-destination ${ceius}:22
+
+# bsdservices
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2200 -j DNAT --to-destination ${bsdservices}:22
+
+# baguette
+iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2220 -j DNAT --to-destination ${baguette}:22
+
+#
+# HOW-TO `iptables`
+#
+
+# remove the second entry of the LIBVIRT_FWI chain # iptables -D LIBVIRT_FWI 2
+# list nat rules: # iptables -L -t nat --line-numbers
+
+# Accept to forward any packet from any local VM
+iptables -A FORWARD -p tcp -i virbr0 -s 192.168.122.0/24
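Review bot: The last rule, `iptables -A FORWARD -p tcp -i virbr0 -s 192.168.122.0/24`, has no `-j` target, so as shown it only counts matching packets and accepts nothing, despite the comment above it; if the line is not cut off in this view it needs `-j ACCEPT` at the end. The script only appends with `-A` and never flushes or checks, so each run (for example on every boot or re-apply) adds a duplicate copy of every DNAT rule, which is presumably why the how-to comments describe deleting entries by index; guarding each rule with `iptables -t nat -C PREROUTING ... || iptables -t nat -A PREROUTING ...`, or flushing a dedicated chain the script owns before re-adding, keeps it idempotent. A `set -eu` line after `#!/bin/sh` would also stop the script at the first failed iptables call instead of continuing with a partial rule set.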