Configuration du routeur

2021-11-16 19:26:38 +00:00 · 2021-11-16 19:26:38 +00:00 · 4dd11d8def
parent 335d4f1743
commit 4dd11d8def
1 changed files with 768 additions and 0 deletions
--- a/Serveurs/linksys.md
+++ b/Serveurs/linksys.md
@ -0,0 +1,768 @@
+# Routeur `linksys` : serveur-mère de l'infrastructure de Libre en Communs
+
+
+### Matériel
+
+Linksys WRT3200ACM (ARMv7 Processor rev 1 (v7l))
+
+### Logiciel
+  
+Système d'exploitation : OpenWrt 21.02.1 / LuCI openwrt-21.02  
+Reverse proxy HTTP(S) : `nginx`
+Interface graphique : `luci`
+VPN : `openvpn`
+Certificats SSL : `acme`
+
+
+### Caractéristiques notables
+
+Domaine : routeur.libre-en-communs.org  
+Adresse ipv4 publique : 80.67.179.96  
+Adresse ipv4 locale : 192.169.1.1  
+Adresse ipv6 publique : 2001:910:1360::1
+
+#### Configuration des interfaces
+
+##### /etc/config/network
+
+    config interface 'loopback'
+        option device 'lo'
+        option proto 'static'
+        option ipaddr '127.0.0.1'
+        option netmask '255.0.0.0'
+
+    config globals 'globals'
+        option ula_prefix 'fd91:24db:dc7e::/48'
+
+    config device
+        option name 'br-lan'
+        option type 'bridge'
+        list ports 'lan1'
+        list ports 'lan2'
+        list ports 'lan3'
+        list ports 'lan4'
+
+    config interface 'lan'
+        option device 'br-lan'
+        option proto 'static'
+        option ipaddr '192.169.1.1'
+        option ip6assign '64'
+        list ip6class 'wan6'
+        option netmask '255.255.255.0'
+        list dns '80.67.169.12'
+        list dns '80.67.169.40'
+
+    config device
+        option name 'wan'
+        option macaddr 'ea:9f:80:1a:08:80'
+
+    config interface 'wan'
+        option device 'wan'
+        option proto 'dhcp'
+
+    config interface 'wan6'
+        option device 'wan'
+        option proto 'static'
+        option ip6prefix '2001:910:1360::/48'
+        list ip6addr '2001:910:1360:ffff::1'
+
+### Configuration des certificats SSL
+#### /etc/config/acme
+
+    config acme
+	option state_dir '/etc/acme'
+	option debug '0'
+	option account_email 'cominfra@a-lec.org'
+
+    config cert 'example_wildcard'
+	option update_nginx '1'
+	option enabled '1'
+	list domains 'routeur.libre-en-communs.org'
+	option update_uhttpd '0'
+	option validation_method 'webroot'
+	option webroot '/www'
+	option keylength 'ec-384'
+	option use_staging '0'
+
+### Configuration DHCP (IP statiques allouées aux VM et serveurs)
+
+#### /etc/config/dhcp
+
+    config dnsmasq
+        option domainneeded '1'
+        option localise_queries '1'
+        option rebind_protection '1'
+        option rebind_localhost '1'
+        option local '/lan/'
+        option domain 'lan'
+        option authoritative '1'
+        option readethers '1'
+        option leasefile '/tmp/dhcp.leases'
+        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
+        option localservice '1'
+        option ednspacket_max '1232'
+        option logqueries '1'
+        option boguspriv '0'
+        option allservers '1'
+
+    config dhcp 'lan'
+        option interface 'lan'
+        option start '100'
+        option limit '150'
+        option leasetime '12h'
+        option dhcpv4 'server'
+        option ra 'hybrid'
+        option dhcpv6 'hybrid'
+        option ndp 'hybrid'
+        list ra_flags 'none'
+
+    config dhcp 'wan'
+        option interface 'wan'
+        option ignore '1'
+
+    config odhcpd 'odhcpd'
+        option maindhcp '0'
+        option leasefile '/tmp/hosts/odhcpd'
+        option leasetrigger '/usr/sbin/odhcpd-update'
+        option loglevel '4'
+
+    config domain
+        option ip '2001:910:1360::1'
+        option name 'routeur'
+
+    config domain
+        option name 'routeur'
+        option ip '192.169.1.1'
+
+    config domain
+        option name 'mother.libre-en-communs.org'
+        option ip '192.169.1.108'
+
+    config domain
+        option name 'mother'
+        option ip '2001:910:1360::2'
+
+    config domain
+        option name 'mother'
+        option ip '192.169.1.108'
+
+    config domain
+        option name 'aunt.libre-en-communs.org'
+        option ip '192.169.1.206'
+
+    config domain
+        option name 'aunt'
+        option ip '2001:910:1360::3'
+
+    config domain
+        option name 'aunt'
+        option ip '192.169.1.206'
+
+    config domain
+        option name 'mail'
+        option ip '2001:910:1360::148'
+
+    config domain
+        option name 'mail'
+        option ip '192.169.1.201'
+
+    config domain
+        option name 'dns'
+        option ip '2001:910:1360::11c'
+
+    config domain
+        option name 'dns'
+        option ip '192.169.1.242'
+
+    config domain
+        option name 'git.a-lec.org'
+        option ip '192.169.1.108'
+
+    config domain
+        option name 'git'
+        option ip '2001:910:1360::42'
+
+    config domain
+        option name 'git'
+        option ip '192.169.1.131'
+
+    config domain
+        option name 'gestion'
+        option ip '2001:910:1360::1ab'
+
+    config domain
+        option name 'gestion'
+        option ip '192.169.1.236'
+
+    config domain
+        option name 'www'
+        option ip '2001:910:1360::1ca'
+
+    config domain
+        option name 'www'
+        option ip '192.169.1.188'
+
+    config domain
+        option name 'xmpp'
+        option ip '2001:910:1360::142'
+
+    config domain
+        option name 'xmpp.a-lec.org'
+        option ip '2001:910:1360::142'
+
+    config domain
+        option name 'xmpp'
+        option ip '192.169.1.211'
+
+    config domain
+        option name 'xmpp.a-lec.org'
+        option ip '192.169.1.211'
+
+    config domain
+        option name 'toot'
+        option ip '2001:910:1360::16a'
+
+    config domain
+        option name 'toot'
+        option ip '192.169.1.179'
+
+    config host
+        option name 'mother'
+        option dns '1'
+        option mac '08:60:6E:11:C3:CA'
+        option ip '192.169.1.108'
+
+    config host
+        option name 'aunt'
+        option dns '1'
+        option mac '20:CF:30:67:08:A7'
+        option ip '192.169.1.206'
+
+    config host
+        option mac '52:54:00:C1:D0:69'
+        option ip '192.169.1.242'
+        option name 'dns'
+        option dns '1'
+
+    config host
+        option name 'gestion'
+        option dns '1'
+        option mac '52:54:00:C8:83:EC'
+        option ip '192.169.1.236'
+
+    config host
+        option name 'git'
+        option dns '1'
+        option mac '52:54:00:FD:63:1C'
+        option ip '192.169.1.131'
+
+    config host
+        option mac '52:54:00:12:BC:CF'
+        option ip '192.169.1.201'
+        option name 'mail'
+        option dns '1'
+
+    config host
+        option name 'toot'
+        option dns '1'
+        option mac '52:54:00:E4:2A:97'
+        option ip '192.169.1.179'
+
+    config host
+        option mac '52:54:00:07:F1:3C'
+        option ip '192.169.1.188'
+        option name 'www'
+        option dns '1'
+
+    config host
+        option name 'xmpp'
+        option dns '1'
+        option mac '52:54:00:0B:A6:ED'
+        option ip '192.169.1.211'
+
+    config host
+        option name 'xmpp.chalec.org'
+        option dns '1'
+        option mac '52:54:00:FC:74:4C'
+        option ip '192.169.1.204'
+
+    config host
+        option name 'tootest'
+        option dns '1'
+        option mac '52:54:00:25:18:BB'
+        option ip '192.169.1.232'
+
+    config host
+        option name 'audio'
+        option dns '1'
+        option mac '52:54:00:F1:8B:EC'
+        option ip '192.169.1.186'
+
+### Configuration du pare-feu (et redirections de ports pour IPV4)
+
+#### /etc/config/firewall
+
+    config defaults
+        option input 'ACCEPT'
+        option output 'ACCEPT'
+        option synflood_protect '1'
+        option forward 'ACCEPT'
+
+    config zone
+        option name 'lan'
+        list network 'lan'
+        option input 'ACCEPT'
+        option output 'ACCEPT'
+        option forward 'ACCEPT'
+
+    config zone
+        option name 'wan'
+        list network 'wan'
+        list network 'wan6'
+        option output 'ACCEPT'
+        option mtu_fix '1'
+        list device 'tun0'
+        option input 'ACCEPT'
+        option forward 'ACCEPT'
+        option masq '1'
+
+    config forwarding
+        option src 'lan'
+        option dest 'wan'
+
+    config rule
+        option name 'Allow-DHCP-Renew'
+        option src 'wan'
+        option proto 'udp'
+        option dest_port '68'
+        option target 'ACCEPT'
+        option family 'ipv4'
+
+    config rule
+        option name 'Allow-Ping'
+        option src 'wan'
+        option proto 'icmp'
+        option icmp_type 'echo-request'
+        option family 'ipv4'
+        option target 'ACCEPT'
+
+    config rule
+        option name 'Allow-IGMP'
+        option src 'wan'
+        option proto 'igmp'
+        option family 'ipv4'
+        option target 'ACCEPT'
+
+    config rule
+        option name 'Allow-DHCPv6'
+        option src 'wan'
+        option proto 'udp'
+        option src_ip 'fc00::/6'
+        option dest_ip 'fc00::/6'
+        option dest_port '546'
+        option family 'ipv6'
+        option target 'ACCEPT'
+
+    config rule
+        option name 'Allow-MLD'
+        option src 'wan'
+        option proto 'icmp'
+        option src_ip 'fe80::/10'
+        list icmp_type '130/0'
+        list icmp_type '131/0'
+        list icmp_type '132/0'
+        list icmp_type '143/0'
+        option family 'ipv6'
+        option target 'ACCEPT'
+
+    config rule
+        option name 'Allow-ICMPv6-Input'
+        option src 'wan'
+        option proto 'icmp'
+        list icmp_type 'echo-request'
+        list icmp_type 'echo-reply'
+        list icmp_type 'destination-unreachable'
+        list icmp_type 'packet-too-big'
+        list icmp_type 'time-exceeded'
+        list icmp_type 'bad-header'
+        list icmp_type 'unknown-header-type'
+        list icmp_type 'router-solicitation'
+        list icmp_type 'neighbour-solicitation'
+        list icmp_type 'router-advertisement'
+        list icmp_type 'neighbour-advertisement'
+        option limit '1000/sec'
+        option family 'ipv6'
+        option target 'ACCEPT'
+
+    config rule
+        option name 'Allow-ICMPv6-Forward'
+        option src 'wan'
+        option dest '*'
+        option proto 'icmp'
+        list icmp_type 'echo-request'
+        list icmp_type 'echo-reply'
+        list icmp_type 'destination-unreachable'
+        list icmp_type 'packet-too-big'
+        list icmp_type 'time-exceeded'
+        list icmp_type 'bad-header'
+        list icmp_type 'unknown-header-type'
+        option limit '1000/sec'
+        option family 'ipv6'
+        option target 'ACCEPT'
+
+    config rule
+        option name 'Allow-IPSec-ESP'
+        option src 'wan'
+        option dest 'lan'
+        option proto 'esp'
+        option target 'ACCEPT'
+
+    config rule
+        option name 'Allow-ISAKMP'
+        option src 'wan'
+        option dest 'lan'
+        option dest_port '500'
+        option proto 'udp'
+        option target 'ACCEPT'
+
+    config rule
+        option name 'Support-UDP-Traceroute'
+        option src 'wan'
+        option dest_port '33434:33689'
+        option proto 'udp'
+        option family 'ipv4'
+        option target 'REJECT'
+        option enabled 'false'
+
+    config include
+        option path '/etc/firewall.user'
+
+    config forwarding
+        option src 'wan'
+        option dest 'lan'
+
+    config redirect
+        option target 'DNAT'
+        option name 'ssh 222 -> mother'
+        option src 'wan'
+        option src_dport '222'
+        option dest 'lan'
+        option dest_ip '192.169.1.108'
+        option dest_port '222'
+
+    config redirect
+        option target 'DNAT'
+        option name 'ssh 223 -> aunt'
+        option src 'wan'
+        option src_dport '223'
+        option dest 'lan'
+        option dest_ip '192.169.1.206'
+        option dest_port '223'
+
+    config redirect
+        option target 'DNAT'
+        option name 'dns 53 -> dns'
+        option src 'wan'
+        option src_dport '53'
+        option dest 'lan'
+        option dest_port '53'
+        option dest_ip '192.169.1.242'
+
+    config redirect
+        option target 'DNAT'
+        option src 'wan'
+        option src_dport '25'
+        option dest 'lan'
+        option dest_port '25'
+        option name 'smtp -> mail'
+        option dest_ip '192.169.1.201'
+
+    config redirect
+        option target 'DNAT'
+        option src 'wan'
+        option src_dport '587'
+        option dest 'lan'
+        option dest_port '587'
+        option name 'smtps -> mail'
+        option dest_ip '192.169.1.201'
+
+    config redirect
+        option target 'DNAT'
+        option src 'wan'
+        option src_dport '993'
+        option dest 'lan'
+        option dest_port '993'
+        option name 'imaps -> mail'
+        option dest_ip '192.169.1.201'
+
+    config redirect
+        option target 'DNAT'
+        option name 'ssh 666 -> mail'
+        option src 'wan'
+        option src_dport '666'
+        option dest 'lan'
+        option dest_port '22'
+        option dest_ip '192.169.1.201'
+
+    config redirect
+        option target 'DNAT'
+        option name 'ssh 22 -> git'
+        option src 'wan'
+        option src_dport '22'
+        option dest 'lan'
+        option dest_port '22'
+        option dest_ip '192.169.1.131'
+
+    config redirect
+        option target 'DNAT'
+        option name 'ssh 777 -> www'
+        option src 'wan'
+        option src_dport '777'
+        option dest 'lan'
+        option dest_port '22'
+        option dest_ip '192.169.1.188'
+
+    config redirect
+        option target 'DNAT'
+        option name 'xmpp c2s'
+        option src 'wan'
+        option src_dport '5222'
+        option dest 'lan'
+        option dest_port '5222'
+        option dest_ip '192.169.1.211'
+
+    config redirect
+        option target 'DNAT'
+        option src 'wan'
+        option src_dport '5223'
+        option dest 'lan'
+        option dest_port '5223'
+        option name 'xmpp c2s tls'
+        option dest_ip '192.169.1.211'
+
+    config redirect
+        option target 'DNAT'
+        option name 'xmpp s2s'
+        option src 'wan'
+        option src_dport '5269'
+        option dest 'lan'
+        option dest_port '5269'
+        option dest_ip '192.169.1.211'
+
+    config redirect
+        option target 'DNAT'
+        option name 'xmpp https'
+        option src 'wan'
+        option src_dport '5443'
+        option dest 'lan'
+        option dest_port '5443'
+        option dest_ip '192.169.1.211'
+
+    config redirect
+        option target 'DNAT'
+        option name 'xmpp http'
+        option src 'wan'
+        option src_dport '5280'
+        option dest 'lan'
+        option dest_port '5280'
+        option dest_ip '192.169.1.211'
+
+    config redirect
+        option target 'DNAT'
+        option name 'xmpp stun'
+        option src 'wan'
+        option src_dport '3478'
+        option dest 'lan'
+        option dest_port '3478'
+        option dest_ip '192.169.1.211'
+
+### Configuration Reverse Proxy (nginx)
+
+Note : IPV4 uniquement
+
+#### /etc/nginx/uci.conf (fichier principal de configuration)
+
+    worker_processes auto;
+
+    user root;
+
+    events {
+        worker_connections  1024;    
+    }
+
+    include reverse_proxy_ssl.conf;
+
+    http {
+        access_log off;
+        log_format openwrt
+            '$request_method $scheme://$host$request_uri => $status'
+            ' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';
+
+        include mime.types;
+        default_type application/octet-stream;
+        sendfile on;
+
+        client_max_body_size 128M;
+        large_client_header_buffers 2 1k;
+        server_names_hash_bucket_size 64;
+
+        gzip on;
+        gzip_vary on;
+        gzip_proxied any;
+
+        root /www;
+
+        server { #see uci show 'nginx._lan'
+            listen 444 ssl proxy_protocol default_server;
+            listen [::]:444 ssl default_server;
+            server_name routeur.libre-en-communs.org;
+            include conf.d/*.locations;
+            ssl_certificate /etc/acme/routeur.libre-en-communs.org_ecc/fullchain.cer;
+            ssl_certificate_key /etc/acme/routeur.libre-en-communs.org_ecc/routeur.libre-en-communs.org.key;
+            ssl_session_cache shared:SSL:32k;
+            ssl_session_timeout 64m;
+            access_log off; # logd openwrt;
+        }
+
+        server {
+            if ($host = routeur.libre-en-communs.org) {
+                return 301 https://$host$request_uri;
+            }
+            server_name                 routeur.libre-en-communs.org;
+            listen 80;
+            return 404;
+        }
+
+
+        include reverse_proxy.conf;
+        include conf.d/*.conf;
+    }
+
+#### /etc/nginx/reverse_proxy.conf (reverse proxy HTTP)
+
+    server {
+        server_name gestion.a-lec.org;
+        listen 80;
+        proxy_redirect off;
+        proxy_set_header X-Real-IP       $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        location / {
+        proxy_pass http://gestion:80;
+        }
+    }
+
+    server {
+        server_name coffre.a-lec.org;
+        listen 80;
+        proxy_redirect off;
+        proxy_set_header X-Real-IP       $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        location / {
+            proxy_pass http://gestion:80;
+        }
+    }
+
+    server {
+        server_name git.a-lec.org;
+        listen 80;
+        proxy_redirect off;
+        proxy_set_header X-Real-IP       $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        location / {
+            proxy_pass http://git:80;
+        }
+    }
+
+    server {
+        server_name www.a-lec.org;
+        listen 80;
+        proxy_redirect off;
+        proxy_set_header X-Real-IP       $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        location / {
+            proxy_pass http://www:80;
+        }
+    }
+
+    server {
+        server_name a-lec.org;
+        listen 80;
+        proxy_redirect off;
+        proxy_set_header X-Real-IP       $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        location / {
+            proxy_pass http://www:80;
+        }
+    }
+
+    server {
+        server_name toot.a-lec.org;
+        listen 80;
+        proxy_redirect off;
+        proxy_set_header X-Real-IP       $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        location / {
+            proxy_pass http://toot:80;
+        }
+    }
+
+#### /etc/nginx/reverse_proxy_ssl.conf (reverse proxy HTTPS)
+
+    stream {
+
+    map_hash_max_size 64;
+    map_hash_bucket_size 64;
+        map $ssl_preread_server_name $name_443 {
+            gestion.a-lec.org gestion_a-lec_443;
+        coffre.a-lec.org gestion_a-lec_443;
+            git.a-lec.org git_a-lec_443;
+            www.a-lec.org www_a-lec_443;
+        a-lec.org www_a-lec_443;
+        mail.a-lec.org mail_a-lec_443;
+        toot.a-lec.org toot_a-lec_443;
+        routeur.libre-en-communs.org routeur_444;
+        }
+
+        upstream gestion_a-lec_443 {
+            server gestion:443;
+        }
+
+        upstream git_a-lec_443 {
+            server git:443;
+        }
+
+        upstream mail_a-lec_443 {
+            server mail:443;
+        }
+
+        upstream www_a-lec_443 {
+            server www:443;
+        }
+
+        upstream toot_a-lec_443 {
+            server toot:443;
+        }
+
+        upstream routeur_444 {
+            server 127.0.0.1:444;
+        }
+
+        server {
+            listen 443;
+            proxy_pass $name_443;
+        proxy_protocol on;
+            ssl_preread on;
+        }
+
+    log_format basic '$remote_addr [$time_local] '
+                 '$protocol $status $bytes_sent $bytes_received '
+                 '$session_time "$upstream_addr" '
+                 '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
+
+    }