
# Routeur `routeur` : routeur principal de l'infrastructure de Libre en Communs
### Matériel
Linksys WRT3200ACM (ARMv7 Processor rev 1 (v7l))
### Logiciel
Système d'exploitation : OpenWrt 21.02.1 / LuCI openwrt-21.02
Reverse proxy HTTP(S) : `nginx`
Interface graphique : `luci`
VPN : `openvpn`
Certificats SSL : `acme`
### Caractéristiques notables
Domaine : routeur.libre-en-communs.org
Adresse ipv4 publique : 80.67.179.96
Adresse ipv4 locale : 192.169.1.1
Adresse ipv6 publique : 2001:910:1360::1
#### Configuration des interfaces
##### /etc/config/network
<details>
# /etc/config/network: loopback, a four-port LAN bridge, DHCPv4 on the WAN and a static IPv6 /48 on the WAN.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# ULA prefix used for locally generated IPv6 addresses.
config globals 'globals'
option ula_prefix 'fd91:24db:dc7e::/48'
# lan1-lan4 are bridged into a single L2 segment.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
# NOTE(review): 192.169.1.0/24 is publicly routable address space, not RFC 1918 (that is 192.168.0.0/16).
# Confirm this is intentional: from inside the LAN the legitimate owner of 192.169.1.0/24 is unreachable,
# and dnsmasq's rebind protection (see /etc/config/dhcp) does not cover answers pointing into this range.
option ipaddr '192.169.1.1'
# Hand a /64 taken from the wan6 prefix to the LAN (ip6class restricts the source prefix to wan6).
option ip6assign '64'
list ip6class 'wan6'
option netmask '255.255.255.0'
# Upstream resolvers attached to the LAN interface.
list dns '80.67.169.12'
list dns '80.67.169.40'
# MAC override on the WAN port.
config device
option name 'wan'
option macaddr 'ea:9f:80:1a:08:80'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'static'
# The /48 is declared as a delegatable prefix so interfaces using ip6assign can carve /64s from it;
# ffff::1 is the router's own address on the WAN side.
option ip6prefix '2001:910:1360::/48'
list ip6addr '2001:910:1360:ffff::1'
</details>
### Configuration des certificats SSL
#### /etc/config/acme
<details>
# /etc/config/acme: ACME certificate for the router's own name, consumed by nginx (see uci.conf).
config acme
option state_dir '/etc/acme'
option debug '0'
# Contact address registered with the CA account.
option account_email 'cominfra@a-lec.org'
# The section name is the stock example name; the certificate covers the single name listed below, not a wildcard.
config cert 'example_wildcard'
# Let the acme hook update/reload nginx after issuance; the uhttpd integration is disabled.
option update_nginx '1'
option enabled '1'
list domains 'routeur.libre-en-communs.org'
option update_uhttpd '0'
# HTTP-01 challenge answered from /www (nginx serves 'root /www' in uci.conf).
option validation_method 'webroot'
option webroot '/www'
# ECDSA P-384 key; matches the *_ecc certificate directory referenced by the nginx ssl_certificate paths.
option keylength 'ec-384'
# Production CA endpoint (staging disabled).
option use_staging '0'
</details>
### Configuration DHCP (IP statiques allouées aux VM et serveurs)
#### /etc/config/dhcp
<details>
# /etc/config/dhcp: dnsmasq (DNS + DHCPv4 for the LAN), odhcpd (IPv6), static DNS records and static leases.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
# Refuse upstream answers that point into private ranges (DNS rebinding protection); 127.0.0.0/8 is covered too.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option authoritative '1'
# Also honour static leases from /etc/ethers.
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
# Answer DNS only for directly attached subnets.
option localservice '1'
# EDNS buffer size (DNS flag day 2020 recommendation).
option ednspacket_max '1232'
# NOTE(review): every DNS query is written to syslog. Useful while debugging, but it is a record of each
# client's lookups; consider turning it off in steady state.
option logqueries '1'
# Reverse lookups for private ranges are forwarded upstream (bogus-priv disabled).
option boguspriv '0'
# Query all upstream servers in parallel and use the first answer.
option allservers '1'
# DHCPv4 pool 192.169.1.100-192.169.1.249 (start 100, 150 addresses); IPv6 RA/DHCPv6/NDP in hybrid mode.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ra 'hybrid'
option dhcpv6 'hybrid'
option ndp 'hybrid'
list ra_flags 'none'
# No DHCP service on the WAN side.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# odhcpd handles IPv6 only; dnsmasq stays the DHCPv4 server (maindhcp 0).
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Static DNS records for internal hosts: one A (192.169.1.x) and one AAAA (2001:910:1360::x) entry per name.
config domain
option ip '2001:910:1360::1'
option name 'routeur'
config domain
option name 'routeur'
option ip '192.169.1.1'
config domain
option name 'mother.libre-en-communs.org'
option ip '192.169.1.108'
config domain
option name 'mother'
option ip '2001:910:1360::2'
config domain
option name 'mother'
option ip '192.169.1.108'
config domain
option name 'aunt.libre-en-communs.org'
option ip '192.169.1.206'
config domain
option name 'aunt'
option ip '2001:910:1360::3'
config domain
option name 'aunt'
option ip '192.169.1.206'
config domain
option name 'mail'
option ip '2001:910:1360::148'
config domain
option name 'mail'
option ip '192.169.1.201'
config domain
option name 'dns'
option ip '2001:910:1360::11c'
config domain
option name 'dns'
option ip '192.169.1.242'
# NOTE(review): git.a-lec.org resolves to mother (.108) on the LAN, while the host 'git' is .131 and the nginx
# reverse proxy forwards git.a-lec.org to 'git' — confirm this split-horizon entry is intentional.
config domain
option name 'git.a-lec.org'
option ip '192.169.1.108'
config domain
option name 'git'
option ip '2001:910:1360::42'
config domain
option name 'git'
option ip '192.169.1.131'
config domain
option name 'gestion'
option ip '2001:910:1360::1ab'
config domain
option name 'gestion'
option ip '192.169.1.236'
config domain
option name 'www'
option ip '2001:910:1360::1ca'
config domain
option name 'www'
option ip '192.169.1.188'
config domain
option name 'xmpp'
option ip '2001:910:1360::142'
config domain
option name 'xmpp.a-lec.org'
option ip '2001:910:1360::142'
config domain
option name 'xmpp'
option ip '192.169.1.211'
config domain
option name 'xmpp.a-lec.org'
option ip '192.169.1.211'
config domain
option name 'toot'
option ip '2001:910:1360::16a'
config domain
option name 'toot'
option ip '192.169.1.179'
# Static DHCPv4 leases keyed on MAC address; 'dns 1' also publishes the name in DNS.
# The 52:54:00:* addresses are the QEMU/KVM default prefix — presumably the VMs.
config host
option name 'mother'
option dns '1'
option mac '08:60:6E:11:C3:CA'
option ip '192.169.1.108'
config host
option name 'aunt'
option dns '1'
option mac '20:CF:30:67:08:A7'
option ip '192.169.1.206'
config host
option mac '52:54:00:C1:D0:69'
option ip '192.169.1.242'
option name 'dns'
option dns '1'
config host
option name 'gestion'
option dns '1'
option mac '52:54:00:C8:83:EC'
option ip '192.169.1.236'
config host
option name 'git'
option dns '1'
option mac '52:54:00:FD:63:1C'
option ip '192.169.1.131'
config host
option mac '52:54:00:12:BC:CF'
option ip '192.169.1.201'
option name 'mail'
option dns '1'
config host
option name 'toot'
option dns '1'
option mac '52:54:00:E4:2A:97'
option ip '192.169.1.179'
config host
option mac '52:54:00:07:F1:3C'
option ip '192.169.1.188'
option name 'www'
option dns '1'
config host
option name 'xmpp'
option dns '1'
option mac '52:54:00:0B:A6:ED'
option ip '192.169.1.211'
# The following leases have no matching 'config domain' entry; their names come only from 'dns 1'.
config host
option name 'xmpp.chalec.org'
option dns '1'
option mac '52:54:00:FC:74:4C'
option ip '192.169.1.204'
config host
option name 'tootest'
option dns '1'
option mac '52:54:00:25:18:BB'
option ip '192.169.1.232'
config host
option name 'audio'
option dns '1'
option mac '52:54:00:F1:8B:EC'
option ip '192.169.1.186'
</details>
### Configuration du pare-feu (et redirections de ports pour IPv4)
#### /etc/config/firewall
<details>
# /etc/config/firewall: zones, stock OpenWrt input rules and the IPv4 DNAT port forwards to internal hosts.
#
# NOTE(review): the default policy and the wan zone below both ACCEPT input and forward, and an explicit
# wan -> lan forwarding is declared further down. Taken together this firewall does not filter inbound
# traffic: any port on any LAN host is reachable from the Internet unless the host filters it itself, and the
# DNAT redirects only translate addresses rather than grant access. The usual hardening is input/forward
# REJECT on the wan zone (keeping the Allow-* rules and the redirects), then check nothing relied on the gap.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
# Rate-limits incoming SYNs.
option synflood_protect '1'
option forward 'ACCEPT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# wan zone covers wan, wan6 and tun0 (presumably the OpenVPN tunnel); NAT for IPv4 and MSS clamping.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option output 'ACCEPT'
option mtu_fix '1'
list device 'tun0'
option input 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
config forwarding
option src 'lan'
option dest 'wan'
# Stock OpenWrt rules follow (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec, traceroute); they only
# matter once the wan zone stops accepting everything.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Disabled (enabled 'false').
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
# Hand-written iptables rules live outside UCI in /etc/firewall.user (not reproduced on this page).
config include
option path '/etc/firewall.user'
# Unrestricted wan -> lan forwarding (see the note at the top of this file).
config forwarding
option src 'wan'
option dest 'lan'
# IPv4 DNAT port forwards. SSH to mother/aunt keeps the external port inside (222/223, presumably where
# their sshd listens); mail and www are remapped to 22; git's SSH is exposed on the standard port 22.
config redirect
option target 'DNAT'
option name 'ssh 222 -> mother'
option src 'wan'
option src_dport '222'
option dest 'lan'
option dest_ip '192.169.1.108'
option dest_port '222'
config redirect
option target 'DNAT'
option name 'ssh 223 -> aunt'
option src 'wan'
option src_dport '223'
option dest 'lan'
option dest_ip '192.169.1.206'
option dest_port '223'
# NOTE(review): this publishes the internal resolver (192.169.1.242) to the whole Internet on 53. Make sure it
# is authoritative-only or restricts recursion, otherwise it is an open resolver usable for amplification.
config redirect
option target 'DNAT'
option name 'dns 53 -> dns'
option src 'wan'
option src_dport '53'
option dest 'lan'
option dest_port '53'
option dest_ip '192.169.1.242'
# Mail: SMTP, submission (587) and IMAPS to the mail host.
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '25'
option dest 'lan'
option dest_port '25'
option name 'smtp -> mail'
option dest_ip '192.169.1.201'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '587'
option dest 'lan'
option dest_port '587'
option name 'smtps -> mail'
option dest_ip '192.169.1.201'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '993'
option dest 'lan'
option dest_port '993'
option name 'imaps -> mail'
option dest_ip '192.169.1.201'
config redirect
option target 'DNAT'
option name 'ssh 666 -> mail'
option src 'wan'
option src_dport '666'
option dest 'lan'
option dest_port '22'
option dest_ip '192.169.1.201'
config redirect
option target 'DNAT'
option name 'ssh 22 -> git'
option src 'wan'
option src_dport '22'
option dest 'lan'
option dest_port '22'
option dest_ip '192.169.1.131'
config redirect
option target 'DNAT'
option name 'ssh 777 -> www'
option src 'wan'
option src_dport '777'
option dest 'lan'
option dest_port '22'
option dest_ip '192.169.1.188'
# XMPP: c2s (5222/5223), s2s (5269), BOSH/websocket HTTP(S) (5280/5443) and STUN (3478) to the xmpp host.
config redirect
option target 'DNAT'
option name 'xmpp c2s'
option src 'wan'
option src_dport '5222'
option dest 'lan'
option dest_port '5222'
option dest_ip '192.169.1.211'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '5223'
option dest 'lan'
option dest_port '5223'
option name 'xmpp c2s tls'
option dest_ip '192.169.1.211'
config redirect
option target 'DNAT'
option name 'xmpp s2s'
option src 'wan'
option src_dport '5269'
option dest 'lan'
option dest_port '5269'
option dest_ip '192.169.1.211'
config redirect
option target 'DNAT'
option name 'xmpp https'
option src 'wan'
option src_dport '5443'
option dest 'lan'
option dest_port '5443'
option dest_ip '192.169.1.211'
config redirect
option target 'DNAT'
option name 'xmpp http'
option src 'wan'
option src_dport '5280'
option dest 'lan'
option dest_port '5280'
option dest_ip '192.169.1.211'
config redirect
option target 'DNAT'
option name 'xmpp stun'
option src 'wan'
option src_dport '3478'
option dest 'lan'
option dest_port '3478'
option dest_ip '192.169.1.211'
</details>
### Configuration Reverse Proxy (nginx)
Note : IPv4 uniquement
#### /etc/nginx/uci.conf (fichier principal de configuration)
<details>
# /etc/nginx/uci.conf: main nginx configuration. The TLS passthrough (stream{}) is pulled in at main level,
# the HTTP virtual hosts inside http{}.
worker_processes auto;
# NOTE(review): worker processes run as root. Only the master needs root (ports < 1024, the private key under
# /etc/acme); if the package ships an unprivileged account, running workers as it limits the blast radius of a
# bug in nginx or in a proxied request.
user root;
events {
worker_connections 1024;
}
# stream{} is only valid at main level, hence the include outside http{}.
include reverse_proxy_ssl.conf;
http {
access_log off;
log_format openwrt
'$request_method $scheme://$host$request_uri => $status'
' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';
include mime.types;
default_type application/octet-stream;
sendfile on;
client_max_body_size 128M;
# 2 x 1k is tight: a request with large cookies or a long URI is answered with 400/414.
large_client_header_buffers 2 1k;
server_names_hash_bucket_size 64;
gzip on;
gzip_vary on;
gzip_proxied any;
root /www;
# The router's own web UI. IPv4 clients arrive through the stream proxy on 127.0.0.1:444 carrying PROXY
# protocol (so a direct IPv4 connection to :444 without the PROXY header is not understood); IPv6 clients
# connect directly to [::]:444. With the firewall's wan zone accepting input, the IPv6 listener is reachable
# from the Internet unless something else restricts it.
server { #see uci show 'nginx._lan'
listen 444 ssl proxy_protocol default_server;
listen [::]:444 ssl default_server;
server_name routeur.libre-en-communs.org;
include conf.d/*.locations;
# Certificate issued by /etc/config/acme (ec-384 key -> *_ecc directory).
ssl_certificate /etc/acme/routeur.libre-en-communs.org_ecc/fullchain.cer;
ssl_certificate_key /etc/acme/routeur.libre-en-communs.org_ecc/routeur.libre-en-communs.org.key;
ssl_session_cache shared:SSL:32k;
ssl_session_timeout 64m;
access_log off; # logd openwrt;
}
# Port 80: redirect the router's own name to HTTPS, answer 404 to any other Host not claimed by a
# server_name in reverse_proxy.conf (this server is the first :80 server defined, so it is the default).
# NOTE(review): the ACME webroot validation in /etc/config/acme expects /www to be served; with this
# redirect the HTTP-01 challenge is only answered on the HTTPS side (443 -> stream -> :444). Confirm
# renewals still succeed rather than relying on the CA following the redirect.
server {
if ($host = routeur.libre-en-communs.org) {
return 302 https://$host$request_uri;
}
server_name routeur.libre-en-communs.org;
listen 80;
return 404;
}
include reverse_proxy.conf;
include conf.d/*.conf;
}
</details>
#### /etc/nginx/reverse_proxy.conf (reverse proxy HTTP)
<details>
# /etc/nginx/reverse_proxy.conf: plain-HTTP virtual hosts forwarded to internal hosts by their dnsmasq names
# (gestion, git, www, toot — see /etc/config/dhcp). No TLS is terminated here; HTTPS for the same names is
# passed through at TCP level in reverse_proxy_ssl.conf.
#
# NOTE(review): these hosts are served over cleartext HTTP end to end and nothing redirects them to HTTPS,
# so anything a client submits to them travels unencrypted between client and router. Since every backend
# already has a :443 upstream in the stream map, a `return 301 https://$host$request_uri;` in each server
# would close that gap (and make the six blocks trivially identical).
server {
server_name gestion.a-lec.org;
listen 80;
# Keep backend Location headers as-is.
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location / {
proxy_pass http://gestion:80;
}
}
# coffre.a-lec.org is served by the same backend as gestion.a-lec.org.
server {
server_name coffre.a-lec.org;
listen 80;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location / {
proxy_pass http://gestion:80;
}
}
server {
server_name git.a-lec.org;
listen 80;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location / {
proxy_pass http://git:80;
}
}
# www.a-lec.org and the bare a-lec.org both go to the www host.
server {
server_name www.a-lec.org;
listen 80;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location / {
proxy_pass http://www:80;
}
}
server {
server_name a-lec.org;
listen 80;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location / {
proxy_pass http://www:80;
}
}
server {
server_name toot.a-lec.org;
listen 80;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location / {
proxy_pass http://toot:80;
}
}
</details>
#### /etc/nginx/reverse_proxy_ssl.conf (reverse proxy HTTPS)
<details>
# /etc/nginx/reverse_proxy_ssl.conf: TCP-level TLS passthrough on :443. The SNI name read from the ClientHello
# selects the upstream; TLS terminates on the backend, so the router never sees plaintext and needs no
# certificate for these names. PROXY protocol carries the real client address, which means every upstream
# listed here must accept proxy_protocol on its :443 listener or the handshake fails.
stream {
map_hash_max_size 64;
map_hash_bucket_size 64;
# NOTE(review): there is no `default` entry. A connection without SNI, or with a name not listed here, gets
# an empty $name_443 and cannot be proxied; add an explicit `default` if a fallback (or a deliberate sink)
# is wanted rather than relying on that implicit behaviour.
map $ssl_preread_server_name $name_443 {
gestion.a-lec.org gestion_a-lec_443;
coffre.a-lec.org gestion_a-lec_443;
git.a-lec.org git_a-lec_443;
www.a-lec.org www_a-lec_443;
a-lec.org www_a-lec_443;
# mail.a-lec.org has no plain-HTTP server in reverse_proxy.conf; HTTPS is its only web path through here.
mail.a-lec.org mail_a-lec_443;
toot.a-lec.org toot_a-lec_443;
# The router's own UI: looped back to the local :444 listener declared with proxy_protocol in uci.conf.
routeur.libre-en-communs.org routeur_444;
}
upstream gestion_a-lec_443 {
server gestion:443;
}
upstream git_a-lec_443 {
server git:443;
}
upstream mail_a-lec_443 {
server mail:443;
}
upstream www_a-lec_443 {
server www:443;
}
upstream toot_a-lec_443 {
server toot:443;
}
upstream routeur_444 {
server 127.0.0.1:444;
}
# IPv4 only (no [::]:443), matching the "IPv4 uniquement" note on this page.
server {
listen 443;
proxy_pass $name_443;
proxy_protocol on;
ssl_preread on;
}
# Defined but not used: no access_log directive in this stream{} block references it, so stream
# connections are not logged at all.
log_format basic '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time "$upstream_addr" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
}
</details>