diff --git a/Serveurs/linksys.md b/Serveurs/linksys.md
new file mode 100644
index 0000000..a04b7d9
--- /dev/null
+++ b/Serveurs/linksys.md
@@ -0,0 +1,768 @@
+# Routeur `linksys` : serveur-mère de l'infrastructure de Libre en Communs
+
+
+### Matériel
+
+Linksys WRT3200ACM (ARMv7 Processor rev 1 (v7l))
+
+### Logiciel
+
+Système d'exploitation : OpenWrt 21.02.1 / LuCI openwrt-21.02
+Reverse proxy HTTP(S) : `nginx`
+Interface graphique : `luci`
+VPN : `openvpn`
+Certificats SSL : `acme`
+
+
+### Caractéristiques notables
+
+Domaine : routeur.libre-en-communs.org
+Adresse ipv4 publique : 80.67.179.96
+Adresse ipv4 locale : 192.169.1.1
+Adresse ipv6 publique : 2001:910:1360::1
+
+#### Configuration des interfaces
+
+##### /etc/config/network
+
+ config interface 'loopback'
+ option device 'lo'
+ option proto 'static'
+ option ipaddr '127.0.0.1'
+ option netmask '255.0.0.0'
+
+ config globals 'globals'
+ option ula_prefix 'fd91:24db:dc7e::/48'
+
+ config device
+ option name 'br-lan'
+ option type 'bridge'
+ list ports 'lan1'
+ list ports 'lan2'
+ list ports 'lan3'
+ list ports 'lan4'
+
+ config interface 'lan'
+ option device 'br-lan'
+ option proto 'static'
+ option ipaddr '192.169.1.1'
+ option ip6assign '64'
+ list ip6class 'wan6'
+ option netmask '255.255.255.0'
+ list dns '80.67.169.12'
+ list dns '80.67.169.40'
+
+ config device
+ option name 'wan'
+ option macaddr 'ea:9f:80:1a:08:80'
+
+ config interface 'wan'
+ option device 'wan'
+ option proto 'dhcp'
+
+ config interface 'wan6'
+ option device 'wan'
+ option proto 'static'
+ option ip6prefix '2001:910:1360::/48'
+ list ip6addr '2001:910:1360:ffff::1'
+
+### Configuration des certificats SSL
+#### /etc/config/acme
+
+ config acme
+ option state_dir '/etc/acme'
+ option debug '0'
+ option account_email 'cominfra@a-lec.org'
+
+ config cert 'example_wildcard'
+ option update_nginx '1'
+ option enabled '1'
+ list domains 'routeur.libre-en-communs.org'
+ option update_uhttpd '0'
+ option validation_method 'webroot'
+ option webroot '/www'
+ option keylength 'ec-384'
+ option use_staging '0'
+
+### Configuration DHCP (IP statiques allouées aux VM et serveurs)
+
+#### /etc/config/dhcp
+
+ config dnsmasq
+ option domainneeded '1'
+ option localise_queries '1'
+ option rebind_protection '1'
+ option rebind_localhost '1'
+ option local '/lan/'
+ option domain 'lan'
+ option authoritative '1'
+ option readethers '1'
+ option leasefile '/tmp/dhcp.leases'
+ option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
+ option localservice '1'
+ option ednspacket_max '1232'
+ option logqueries '1'
+ option boguspriv '0'
+ option allservers '1'
+
+ config dhcp 'lan'
+ option interface 'lan'
+ option start '100'
+ option limit '150'
+ option leasetime '12h'
+ option dhcpv4 'server'
+ option ra 'hybrid'
+ option dhcpv6 'hybrid'
+ option ndp 'hybrid'
+ list ra_flags 'none'
+
+ config dhcp 'wan'
+ option interface 'wan'
+ option ignore '1'
+
+ config odhcpd 'odhcpd'
+ option maindhcp '0'
+ option leasefile '/tmp/hosts/odhcpd'
+ option leasetrigger '/usr/sbin/odhcpd-update'
+ option loglevel '4'
+
+ config domain
+ option ip '2001:910:1360::1'
+ option name 'routeur'
+
+ config domain
+ option name 'routeur'
+ option ip '192.169.1.1'
+
+ config domain
+ option name 'mother.libre-en-communs.org'
+ option ip '192.169.1.108'
+
+ config domain
+ option name 'mother'
+ option ip '2001:910:1360::2'
+
+ config domain
+ option name 'mother'
+ option ip '192.169.1.108'
+
+ config domain
+ option name 'aunt.libre-en-communs.org'
+ option ip '192.169.1.206'
+
+ config domain
+ option name 'aunt'
+ option ip '2001:910:1360::3'
+
+ config domain
+ option name 'aunt'
+ option ip '192.169.1.206'
+
+ config domain
+ option name 'mail'
+ option ip '2001:910:1360::148'
+
+ config domain
+ option name 'mail'
+ option ip '192.169.1.201'
+
+ config domain
+ option name 'dns'
+ option ip '2001:910:1360::11c'
+
+ config domain
+ option name 'dns'
+ option ip '192.169.1.242'
+
+ config domain
+ option name 'git.a-lec.org'
+ option ip '192.169.1.108'
+
+ config domain
+ option name 'git'
+ option ip '2001:910:1360::42'
+
+ config domain
+ option name 'git'
+ option ip '192.169.1.131'
+
+ config domain
+ option name 'gestion'
+ option ip '2001:910:1360::1ab'
+
+ config domain
+ option name 'gestion'
+ option ip '192.169.1.236'
+
+ config domain
+ option name 'www'
+ option ip '2001:910:1360::1ca'
+
+ config domain
+ option name 'www'
+ option ip '192.169.1.188'
+
+ config domain
+ option name 'xmpp'
+ option ip '2001:910:1360::142'
+
+ config domain
+ option name 'xmpp.a-lec.org'
+ option ip '2001:910:1360::142'
+
+ config domain
+ option name 'xmpp'
+ option ip '192.169.1.211'
+
+ config domain
+ option name 'xmpp.a-lec.org'
+ option ip '192.169.1.211'
+
+ config domain
+ option name 'toot'
+ option ip '2001:910:1360::16a'
+
+ config domain
+ option name 'toot'
+ option ip '192.169.1.179'
+
+ config host
+ option name 'mother'
+ option dns '1'
+ option mac '08:60:6E:11:C3:CA'
+ option ip '192.169.1.108'
+
+ config host
+ option name 'aunt'
+ option dns '1'
+ option mac '20:CF:30:67:08:A7'
+ option ip '192.169.1.206'
+
+ config host
+ option mac '52:54:00:C1:D0:69'
+ option ip '192.169.1.242'
+ option name 'dns'
+ option dns '1'
+
+ config host
+ option name 'gestion'
+ option dns '1'
+ option mac '52:54:00:C8:83:EC'
+ option ip '192.169.1.236'
+
+ config host
+ option name 'git'
+ option dns '1'
+ option mac '52:54:00:FD:63:1C'
+ option ip '192.169.1.131'
+
+ config host
+ option mac '52:54:00:12:BC:CF'
+ option ip '192.169.1.201'
+ option name 'mail'
+ option dns '1'
+
+ config host
+ option name 'toot'
+ option dns '1'
+ option mac '52:54:00:E4:2A:97'
+ option ip '192.169.1.179'
+
+ config host
+ option mac '52:54:00:07:F1:3C'
+ option ip '192.169.1.188'
+ option name 'www'
+ option dns '1'
+
+ config host
+ option name 'xmpp'
+ option dns '1'
+ option mac '52:54:00:0B:A6:ED'
+ option ip '192.169.1.211'
+
+ config host
+ option name 'xmpp.chalec.org'
+ option dns '1'
+ option mac '52:54:00:FC:74:4C'
+ option ip '192.169.1.204'
+
+ config host
+ option name 'tootest'
+ option dns '1'
+ option mac '52:54:00:25:18:BB'
+ option ip '192.169.1.232'
+
+ config host
+ option name 'audio'
+ option dns '1'
+ option mac '52:54:00:F1:8B:EC'
+ option ip '192.169.1.186'
+
+### Configuration du pare-feu (et redirections de ports pour IPV4)
+
+#### /etc/config/firewall
+
+ config defaults
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option synflood_protect '1'
+ option forward 'ACCEPT'
+
+ config zone
+ option name 'lan'
+ list network 'lan'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'ACCEPT'
+
+ config zone
+ option name 'wan'
+ list network 'wan'
+ list network 'wan6'
+ option output 'ACCEPT'
+ option mtu_fix '1'
+ list device 'tun0'
+ option input 'ACCEPT'
+ option forward 'ACCEPT'
+ option masq '1'
+
+ config forwarding
+ option src 'lan'
+ option dest 'wan'
+
+ config rule
+ option name 'Allow-DHCP-Renew'
+ option src 'wan'
+ option proto 'udp'
+ option dest_port '68'
+ option target 'ACCEPT'
+ option family 'ipv4'
+
+ config rule
+ option name 'Allow-Ping'
+ option src 'wan'
+ option proto 'icmp'
+ option icmp_type 'echo-request'
+ option family 'ipv4'
+ option target 'ACCEPT'
+
+ config rule
+ option name 'Allow-IGMP'
+ option src 'wan'
+ option proto 'igmp'
+ option family 'ipv4'
+ option target 'ACCEPT'
+
+ config rule
+ option name 'Allow-DHCPv6'
+ option src 'wan'
+ option proto 'udp'
+ option src_ip 'fc00::/6'
+ option dest_ip 'fc00::/6'
+ option dest_port '546'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+ config rule
+ option name 'Allow-MLD'
+ option src 'wan'
+ option proto 'icmp'
+ option src_ip 'fe80::/10'
+ list icmp_type '130/0'
+ list icmp_type '131/0'
+ list icmp_type '132/0'
+ list icmp_type '143/0'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+ config rule
+ option name 'Allow-ICMPv6-Input'
+ option src 'wan'
+ option proto 'icmp'
+ list icmp_type 'echo-request'
+ list icmp_type 'echo-reply'
+ list icmp_type 'destination-unreachable'
+ list icmp_type 'packet-too-big'
+ list icmp_type 'time-exceeded'
+ list icmp_type 'bad-header'
+ list icmp_type 'unknown-header-type'
+ list icmp_type 'router-solicitation'
+ list icmp_type 'neighbour-solicitation'
+ list icmp_type 'router-advertisement'
+ list icmp_type 'neighbour-advertisement'
+ option limit '1000/sec'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+ config rule
+ option name 'Allow-ICMPv6-Forward'
+ option src 'wan'
+ option dest '*'
+ option proto 'icmp'
+ list icmp_type 'echo-request'
+ list icmp_type 'echo-reply'
+ list icmp_type 'destination-unreachable'
+ list icmp_type 'packet-too-big'
+ list icmp_type 'time-exceeded'
+ list icmp_type 'bad-header'
+ list icmp_type 'unknown-header-type'
+ option limit '1000/sec'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+ config rule
+ option name 'Allow-IPSec-ESP'
+ option src 'wan'
+ option dest 'lan'
+ option proto 'esp'
+ option target 'ACCEPT'
+
+ config rule
+ option name 'Allow-ISAKMP'
+ option src 'wan'
+ option dest 'lan'
+ option dest_port '500'
+ option proto 'udp'
+ option target 'ACCEPT'
+
+ config rule
+ option name 'Support-UDP-Traceroute'
+ option src 'wan'
+ option dest_port '33434:33689'
+ option proto 'udp'
+ option family 'ipv4'
+ option target 'REJECT'
+ option enabled 'false'
+
+ config include
+ option path '/etc/firewall.user'
+
+ config forwarding
+ option src 'wan'
+ option dest 'lan'
+
+ config redirect
+ option target 'DNAT'
+ option name 'ssh 222 -> mother'
+ option src 'wan'
+ option src_dport '222'
+ option dest 'lan'
+ option dest_ip '192.169.1.108'
+ option dest_port '222'
+
+ config redirect
+ option target 'DNAT'
+ option name 'ssh 223 -> aunt'
+ option src 'wan'
+ option src_dport '223'
+ option dest 'lan'
+ option dest_ip '192.169.1.206'
+ option dest_port '223'
+
+ config redirect
+ option target 'DNAT'
+ option name 'dns 53 -> dns'
+ option src 'wan'
+ option src_dport '53'
+ option dest 'lan'
+ option dest_port '53'
+ option dest_ip '192.169.1.242'
+
+ config redirect
+ option target 'DNAT'
+ option src 'wan'
+ option src_dport '25'
+ option dest 'lan'
+ option dest_port '25'
+ option name 'smtp -> mail'
+ option dest_ip '192.169.1.201'
+
+ config redirect
+ option target 'DNAT'
+ option src 'wan'
+ option src_dport '587'
+ option dest 'lan'
+ option dest_port '587'
+ option name 'smtps -> mail'
+ option dest_ip '192.169.1.201'
+
+ config redirect
+ option target 'DNAT'
+ option src 'wan'
+ option src_dport '993'
+ option dest 'lan'
+ option dest_port '993'
+ option name 'imaps -> mail'
+ option dest_ip '192.169.1.201'
+
+ config redirect
+ option target 'DNAT'
+ option name 'ssh 666 -> mail'
+ option src 'wan'
+ option src_dport '666'
+ option dest 'lan'
+ option dest_port '22'
+ option dest_ip '192.169.1.201'
+
+ config redirect
+ option target 'DNAT'
+ option name 'ssh 22 -> git'
+ option src 'wan'
+ option src_dport '22'
+ option dest 'lan'
+ option dest_port '22'
+ option dest_ip '192.169.1.131'
+
+ config redirect
+ option target 'DNAT'
+ option name 'ssh 777 -> www'
+ option src 'wan'
+ option src_dport '777'
+ option dest 'lan'
+ option dest_port '22'
+ option dest_ip '192.169.1.188'
+
+ config redirect
+ option target 'DNAT'
+ option name 'xmpp c2s'
+ option src 'wan'
+ option src_dport '5222'
+ option dest 'lan'
+ option dest_port '5222'
+ option dest_ip '192.169.1.211'
+
+ config redirect
+ option target 'DNAT'
+ option src 'wan'
+ option src_dport '5223'
+ option dest 'lan'
+ option dest_port '5223'
+ option name 'xmpp c2s tls'
+ option dest_ip '192.169.1.211'
+
+ config redirect
+ option target 'DNAT'
+ option name 'xmpp s2s'
+ option src 'wan'
+ option src_dport '5269'
+ option dest 'lan'
+ option dest_port '5269'
+ option dest_ip '192.169.1.211'
+
+ config redirect
+ option target 'DNAT'
+ option name 'xmpp https'
+ option src 'wan'
+ option src_dport '5443'
+ option dest 'lan'
+ option dest_port '5443'
+ option dest_ip '192.169.1.211'
+
+ config redirect
+ option target 'DNAT'
+ option name 'xmpp http'
+ option src 'wan'
+ option src_dport '5280'
+ option dest 'lan'
+ option dest_port '5280'
+ option dest_ip '192.169.1.211'
+
+ config redirect
+ option target 'DNAT'
+ option name 'xmpp stun'
+ option src 'wan'
+ option src_dport '3478'
+ option dest 'lan'
+ option dest_port '3478'
+ option dest_ip '192.169.1.211'
+
+### Configuration Reverse Proxy (nginx)
+
+Note : IPV4 uniquement
+
+#### /etc/nginx/uci.conf (fichier principal de configuration)
+
+ worker_processes auto;
+
+ user root;
+
+ events {
+ worker_connections 1024;
+ }
+
+ include reverse_proxy_ssl.conf;
+
+ http {
+ access_log off;
+ log_format openwrt
+ '$request_method $scheme://$host$request_uri => $status'
+ ' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';
+
+ include mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+
+ client_max_body_size 128M;
+ large_client_header_buffers 2 1k;
+ server_names_hash_bucket_size 64;
+
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+
+ root /www;
+
+ server { #see uci show 'nginx._lan'
+ listen 444 ssl proxy_protocol default_server;
+ listen [::]:444 ssl default_server;
+ server_name routeur.libre-en-communs.org;
+ include conf.d/*.locations;
+ ssl_certificate /etc/acme/routeur.libre-en-communs.org_ecc/fullchain.cer;
+ ssl_certificate_key /etc/acme/routeur.libre-en-communs.org_ecc/routeur.libre-en-communs.org.key;
+ ssl_session_cache shared:SSL:32k;
+ ssl_session_timeout 64m;
+ access_log off; # logd openwrt;
+ }
+
+ server {
+ if ($host = routeur.libre-en-communs.org) {
+ return 301 https://$host$request_uri;
+ }
+ server_name routeur.libre-en-communs.org;
+ listen 80;
+ return 404;
+ }
+
+
+ include reverse_proxy.conf;
+ include conf.d/*.conf;
+ }
+
+#### /etc/nginx/reverse_proxy.conf (reverse proxy HTTP)
+
+ server {
+ server_name gestion.a-lec.org;
+ listen 80;
+ proxy_redirect off;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ location / {
+ proxy_pass http://gestion:80;
+ }
+ }
+
+ server {
+ server_name coffre.a-lec.org;
+ listen 80;
+ proxy_redirect off;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ location / {
+ proxy_pass http://gestion:80;
+ }
+ }
+
+ server {
+ server_name git.a-lec.org;
+ listen 80;
+ proxy_redirect off;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ location / {
+ proxy_pass http://git:80;
+ }
+ }
+
+ server {
+ server_name www.a-lec.org;
+ listen 80;
+ proxy_redirect off;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ location / {
+ proxy_pass http://www:80;
+ }
+ }
+
+ server {
+ server_name a-lec.org;
+ listen 80;
+ proxy_redirect off;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ location / {
+ proxy_pass http://www:80;
+ }
+ }
+
+ server {
+ server_name toot.a-lec.org;
+ listen 80;
+ proxy_redirect off;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ location / {
+ proxy_pass http://toot:80;
+ }
+ }
+
+#### /etc/nginx/reverse_proxy_ssl.conf (reverse proxy HTTPS)
+
+ stream {
+
+ map_hash_max_size 64;
+ map_hash_bucket_size 64;
+ map $ssl_preread_server_name $name_443 {
+ gestion.a-lec.org gestion_a-lec_443;
+ coffre.a-lec.org gestion_a-lec_443;
+ git.a-lec.org git_a-lec_443;
+ www.a-lec.org www_a-lec_443;
+ a-lec.org www_a-lec_443;
+ mail.a-lec.org mail_a-lec_443;
+ toot.a-lec.org toot_a-lec_443;
+ routeur.libre-en-communs.org routeur_444;
+ }
+
+ upstream gestion_a-lec_443 {
+ server gestion:443;
+ }
+
+ upstream git_a-lec_443 {
+ server git:443;
+ }
+
+ upstream mail_a-lec_443 {
+ server mail:443;
+ }
+
+ upstream www_a-lec_443 {
+ server www:443;
+ }
+
+ upstream toot_a-lec_443 {
+ server toot:443;
+ }
+
+ upstream routeur_444 {
+ server 127.0.0.1:444;
+ }
+
+ server {
+ listen 443;
+ proxy_pass $name_443;
+ proxy_protocol on;
+ ssl_preread on;
+ }
+
+ log_format basic '$remote_addr [$time_local] '
+ '$protocol $status $bytes_sent $bytes_received '
+ '$session_time "$upstream_addr" '
+ '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
+
+ }
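Review bot: The `config zone` named 'wan' in the /etc/config/firewall section sets `option input 'ACCEPT'` and `option forward 'ACCEPT'`, `config defaults` does the same, and a later `config forwarding` from 'wan' to 'lan' is present, so every service on the router and every host in 192.169.1.0/24 is reachable from the Internet irrespective of the DNAT `config redirect` entries that follow. If this reflects the running device, the wan zone should read `option input 'REJECT'` / `option forward 'REJECT'` (with the same values in `config defaults`), the wan→lan `config forwarding` block should be dropped, and the explicit redirects then define the whole exposed surface. Two smaller points in the same dump: `list device 'tun0'` places the OpenVPN tunnel in that unrestricted wan zone, and `user root;` in /etc/nginx/uci.conf runs the nginx workers as root although they only terminate TLS and proxy. The LAN addressing also deserves a comment in the text: 192.169.1.0/24 is not RFC 1918 private space (that is 192.168.0.0/16), so those addresses collide with publicly routed space and the static-host list will silently shadow real Internet hosts for everything behind the router. Whether the active nftables/iptables ruleset matches this listing cannot be seen from the page.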