
Routeur « routeur » : routeur principal de l'infrastructure de Libre en Communs

Matériel

Turris Omnia 2019 (Argenté), architecture ARMv7 Processor rev 1 (v7l)
SSD KINGSTON SKC600M 256Gio

Logiciel

Système d'exploitation : OpenWrt 21.02 / LuCI openwrt-21.02 avec patch (voir plus loin)
Reverse proxy HTTP(S) : nginx
Interface graphique : luci
Certificats SSL : acme
Autres logiciels utilisés : fail2ban, htop, bash, vpn-policy-routing

Patch de block-mount pour le montage de la partition SSD

--- a/block.c
+++ b/block.c
@@ -747,7 +747,7 @@ static void check_filesystem(struct prob
    pid = fork();
    if (!pid) {
        if(!strncmp(pr->type, "f2fs", 4)) {
-			execl(ckfs, ckfs, "-f", pr->dev, NULL);
+			execl(ckfs, ckfs, "-p", "2", "-f", pr->dev, NULL);
            exit(EXIT_FAILURE);
        } else if(!strncmp(pr->type, "btrfs", 5)) {
            execl(ckfs, ckfs, "--repair", pr->dev, NULL);
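Review bot: The new `-p 2` argument in the f2fs branch carries no explanation, while the `-f` that was already passed is kept next to it; the page only says the patch is there for mounting the SSD partition. Because `check_filesystem` forks this on every mount, a comment right above the `execl`, e.g. `/* -p 2 added locally: <reason the stock -f run left the SSD partition unmountable> */`, would let the next maintainer decide whether the option is still needed after an OpenWrt upgrade. If I read fsck.f2fs correctly, `-p` selects a preen level, so the rationale should state what level 2 changes compared with `-f` alone. The enclosing function starts and continues outside the hunk.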
@@ -1591,7 +1591,7 @@ static int main_extroot(int argc, char *
#endif

    /* As a last resort look for /etc/config/fstab on "rootfs" partition */
-	return mount_extroot(NULL);
+	return mount_extroot("/tmp/overlay");
}

static int main_mount(int argc, char **argv)
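Review bot: The context comment `/* As a last resort look for /etc/config/fstab on "rootfs" partition */` no longer matches the new line, which hands `mount_extroot` the fixed path `"/tmp/overlay"` instead of `NULL`, so the comment should be updated in the same patch, e.g. `/* Local patch: look for /etc/config/fstab under /tmp/overlay rather than on the "rootfs" partition (<why the SSD overlay is needed here>) */`. A short note on why this path is hard-coded would also help, since nothing on the page says where `/tmp/overlay` comes from. `main_extroot` begins outside the hunk; only its tail is visible here.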

Caractéristiques réseau

Domaine : routeur.libre-en-communs.org
Adresses ipv4 publiques : 80.67.176.33, 80.67.179.96
Adresse ipv4 locale : 192.168.0.1
Adresse ipv6 publique : 2001:910:1021::1

Configuration des interfaces

Les interfaces sont configurées pour la connexion à la fibre FDN en PPPoE sur le port WAN. Le routeur dispose de deux IPs publiques : la première est récupérée automatiquement par l'interface principale (wan) ; la seconde est configurée en statique sur une interface virtuelle (wan2) qui utilise le même port physique que wan.

Le préfixe public IPv6 du routeur (et donc du réseau) est récupéré automatiquement à la connexion, ce qui crée à la volée une interface virtuelle nommée wan_6 ; son bloc n'apparaît donc pas dans le fichier de configuration.

/etc/config/network
# /etc/config/network as documented: loopback, IPv6 ULA prefix, LAN bridge,
# PPPoE WAN (first public IPv4 + delegated IPv6 prefix) and a static alias
# interface (wan2) carrying the second public IPv4 on the same physical port.
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

# Site-local IPv6 prefix used alongside the public one delegated by the ISP.
config globals 'globals'
    option ula_prefix 'fd22:fc53:0a5d::/48'

# All five LAN ports are bridged into br-lan.
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan0'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'

# LAN: 192.168.0.1 with a /16 mask, which is what lets the 192.168.0.x,
# 192.168.1.x and 192.168.2.x hosts of /etc/config/dhcp share one segment.
# ip6assign hands the LAN a /64 taken from the prefix learned on wan_6.
config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.0.1'
    option netmask '255.255.0.0'
    option ip6assign '64'
    list ip6class 'wan_6'

# WAN: PPPoE on eth2 towards FDN; the PPP secret is redacted in this page.
# 'ipv6 auto' is what brings up the dynamic wan_6 interface described above.
config interface 'wan'
    option device 'eth2'
    option proto 'pppoe'
    option username 'association.libre.en.comm@fdn.ilf.kosc'
    option password 'INFORMATION CACHEE'
    list ip6class 'wan_6'
    option ipv6 'auto'

# Second public IPv4 (80.67.179.96/32) configured statically on the same eth2
# port; the vpn-policy-routing policy below sends the chalec subnet out via it.
config interface 'wan2'
    option proto 'static'
    option device 'eth2'
    option ipaddr '80.67.179.96'
    option netmask '255.255.255.255'

Configuration DHCP (IP statiques allouées aux VM et serveurs)

/etc/config/dhcp
# /etc/config/dhcp as documented. Two kinds of records are mixed below:
#  - 'config host'   : static DHCPv4 lease (MAC -> IP) that is also published
#                      in DNS as <name>.lan ('option dns 1');
#  - 'config domain' : extra DNS record (name -> IP) with no lease attached.
# Several 'config domain' records appear twice with identical values; the
# duplicates are flagged inline and could be dropped.
config dnsmasq
    option localise_queries '1'
    option local '/lan/'
    option domain 'lan'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    # Upstream resolvers as written by the WAN interface at connect time.
    option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
    option ednspacket_max '1232'
    # NOTE(review): DNS-rebind filtering of upstream answers is switched off.
    # The local records below are served directly and do not need this;
    # confirm an upstream zone really has to return private addresses.
    option rebind_protection '0'
    # Queries are answered whatever their source subnet; reachability is
    # limited by the notinterface list instead.
    option localservice '0'
    list interface 'lan'
    list notinterface 'wan'
    list notinterface 'wan6'
    list notinterface 'wan_6'
    list notinterface 'wan2'
    # Query every upstream server in parallel (dnsmasq --all-servers).
    option allservers '1'

# Dynamic pool 192.168.0.100-249 (start/limit), 12h leases; IPv6 RA/DHCPv6/NDP
# in hybrid mode.
config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'
    option ra 'hybrid'
    option dhcpv6 'hybrid'
    option ndp 'hybrid'
    list ra_flags 'none'

# No DHCP service towards the ISP side.
config dhcp 'wan'
    option interface 'wan'
    option ignore '1'
    list ra_flags 'none'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'

# The router itself: short name -> IPv6 only, FQDN -> both IPv4 and IPv6.
config domain
    option name 'routeur'
    option ip '2001:910:1021::1'

config domain
    option name 'routeur.libre-en-communs.org'
    option ip '192.168.0.1'

config domain
    option name 'routeur.libre-en-communs.org'
    option ip '2001:910:1021::1'

# Infra hosts (192.168.1.x / 2001:910:1021::x).
config domain
    option name 'mother.libre-en-communs.org'
    option ip '192.168.1.2'

config domain
    option name 'mother'
    option ip '2001:910:1021::2'

config domain
    option name 'aunt.libre-en-communs.org'
    option ip '192.168.1.3'

config domain
    option name 'aunt'
    option ip '2001:910:1021::3'

config host
    option name 'mother'
    option dns '1'
    option mac '52:C6:86:7C:8F:7E'
    option ip '192.168.1.2'

config host
    option name 'aunt'
    option dns '1'
    option mac 'F2:8A:D8:B6:5D:60'
    option ip '192.168.1.3'

# VMs (52:54:00:… MACs) on 192.168.1.x: a-lec / libre-en-communs services.
config host
    option mac '52:54:00:C1:D0:69'
    option name 'dns'
    option dns '1'
    option ip '192.168.1.242'

config host
    option name 'gestion'
    option dns '1'
    option mac '52:54:00:C8:83:EC'
    option ip '192.168.1.236'

config domain
    option name 'gestion.a-lec.org'
    option ip '192.168.1.236'

config host
    option name 'git'
    option dns '1'
    option mac '52:54:00:FD:63:1C'
    option ip '192.168.1.131'

config host
    option mac '52:54:00:12:BC:CF'
    option name 'mail'
    option dns '1'
    option ip '192.168.1.201'

config host
    option name 'toot'
    option dns '1'
    option mac '52:54:00:E4:2A:97'
    option ip '192.168.1.179'

config host
    option mac '52:54:00:07:F1:3C'
    option name 'www'
    option dns '1'
    option ip '192.168.1.188'

config host
    option name 'xmpp'
    option dns '1'
    option mac '52:54:00:0B:A6:ED'
    option ip '192.168.1.211'

config host
    option name 'audio'
    option dns '1'
    option mac '52:54:00:EE:93:E0'
    option ip '192.168.1.186'

config host
    option mac '52:54:00:F2:BB:55'
    option name 'tootest'
    option dns '1'
    option ip '192.168.1.232'

config host
    option mac '52:54:00:86:69:5F'
    option name 'generic'
    option dns '1'
    option ip '192.168.1.195'

# Public a-lec.org names answered with LAN addresses for internal clients
# (split-horizon), so local traffic does not go through the public IP.
config domain
    option name 'mail.a-lec.org'
    option ip '192.168.1.201'

config domain
    option name 'git.a-lec.org'
    option ip '192.168.1.131'

config domain
    option name 'audio.a-lec.org'
    option ip '192.168.1.186'

config domain
    option name 'sharedfs.a-lec.org'
    option ip '192.168.0.148'

config domain
    option name 'isengard.libre-en-communs.org'
    option ip '192.168.1.155'

# Duplicate of the mother.libre-en-communs.org record above.
config domain
    option name 'mother.libre-en-communs.org'
    option ip '192.168.1.2'

# Duplicate of the isengard.libre-en-communs.org record above.
config domain
    option name 'isengard.libre-en-communs.org'
    option ip '192.168.1.155'

# Duplicate of the aunt.libre-en-communs.org record above.
config domain
    option name 'aunt.libre-en-communs.org'
    option ip '192.168.1.3'

config domain
    option name 'xmpp.a-lec.org'
    option ip '192.168.1.211'

config domain
    option name 'dns.libre-en-communs.org'
    option ip '192.168.1.242'

config host
    option name 'libreboot'
    option dns '1'
    option mac '52:54:00:1D:0A:65'
    option ip '192.168.1.120'

config host
    option name 'isengard'
    option dns '1'
    option mac '52:54:00:C3:51:4D'
    option ip '192.168.1.155'

config host
    option name 'sharedfs'
    option dns '1'
    option mac '52:54:00:54:5A:B8'
    option ip '192.168.0.148'

config host
    option name 'ghn'
    option dns '1'
    option ip '192.168.1.224'
    option mac '52:54:00:e2:13:4f'

# chalec hosts (192.168.2.x) are named with their FQDN, so with 'domain lan'
# their LAN name becomes e.g. xmpp.chalec.org.lan — the form the nginx
# reverse proxy uses as proxy_pass target.
config host
    option name 'xmpp.chalec.org'
    option dns '1'
    option mac '52:54:00:FC:74:4C'
    option ip '192.168.2.204'

config host
    option name 'audio.chalec.org'
    option dns '1'
    option mac '52:54:00:88:F7:2F'
    option ip '192.168.2.114'

config host
    option ip '192.168.2.189'
    option name 'generic.chalec.org'
    option dns '1'
    option mac '52:54:00:C9:16:7A'

config host
    option mac '52:54:00:CA:E8:51'
    option ip '192.168.2.193'
    option name 'nuage.chalec.org'
    option dns '1'

config host
    option name 'toot.chalec.org'
    option dns '1'
    option mac '52:54:00:AB:41:92'
    option ip '192.168.2.220'

config domain
    option name 'toot.chalec.org'
    option ip '192.168.2.220'

config domain
    option name 'audio.chalec.org'
    option ip '192.168.2.114'

config domain
    option name 'nuage.chalec.org'
    option ip '192.168.2.193'

config domain
    option ip '192.168.2.204'
    option name 'xmpp.chalec.org'

config host
    option name 'forge.chalec.org'
    option dns '1'
    option mac '52:54:00:73:A2:F2'
    option ip '192.168.2.239'

config domain
    option name 'forge.chalec.org'
    option ip '192.168.2.239'

config host
    option name 'visio.chalec.org'
    option dns '1'
    option mac '52:54:00:46:87:63'
    option ip '192.168.2.198'

config domain
    option name 'visio.chalec.org'
    option ip '192.168.2.198'

config host
    option mac '52:54:00:5A:EE:F3'
    option ip '192.168.2.139'
    option name 'libreverse.chalec.org'
    option dns '1'

config domain
    option name 'libreverse.chalec.org'
    option ip '192.168.2.139'

config host
    option name 'video.chalec.org'
    option dns '1'
    option mac '52:54:00:0E:9F:9A'
    option ip '192.168.2.199'

config domain
    option name 'video.chalec.org'
    option ip '192.168.2.199'

# Duplicate of the sharedfs.a-lec.org record above.
config domain
    option name 'sharedfs.a-lec.org'
    option ip '192.168.0.148'

config domain
    option ip '192.168.0.206'
    option name 'coreboot'

config host
    option name 'ctrlv.chalec.org'
    option dns '1'
    option mac '52:54:00:C0:45:7A'
    option ip '192.168.2.240'

config host
    option name 'sondage.chalec.org'
    option dns '1'
    option mac '52:54:00:E5:F0:F8'
    option ip '192.168.2.137'

config host
    option name 'pad.chalec.org'
    option dns '1'
    option mac '52:54:00:50:56:54'
    option ip '192.168.2.182'

config host
    option name 'stats.chalec.org'
    option dns '1'
    option mac '52:54:00:87:E2:D5'
    option ip '192.168.2.196'

config domain
    option name 'stats.chalec.org'
    option ip '192.168.2.196'

# Duplicate of the nuage.chalec.org record above.
config domain
    option name 'nuage.chalec.org'
    option ip '192.168.2.193'

# Duplicate of the visio.chalec.org record above.
config domain
    option name 'visio.chalec.org'
    option ip '192.168.2.198'

config host
    option name 'www.chalec.org'
    option dns '1'
    option mac '52:54:00:A6:FD:72'
    option ip '192.168.2.225'

config host
    option name 'petition.chalec.org'
    option dns '1'
    option mac '52:54:00:bd:21:03'
    option ip '192.168.2.67'

config domain
    option name 'www.chalec.org'
    option ip '192.168.2.225'

config domain
    option name 'ghn.a-lec.org'
    option ip '192.168.1.224'

Configuration du pare-feu (et redirections de ports pour IPV4)

/etc/config/firewall
# /etc/config/firewall as documented. Zones: lan (everything accepted) and
# wan (eth2 carrying the wan + wan2 networks). The DNAT redirects further
# down are the IPv4 port forwards; 'src_dip' picks which public address a
# forward belongs to — 80.67.176.33 fronts the 192.168.1.x infra hosts,
# 80.67.179.96 the 192.168.2.x chalec hosts.
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option synflood_protect '1'
    option drop_invalid '1'
    # Default for inter-zone traffic; overridden per zone below.
    option forward 'DROP'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

# WAN zone — NOTE(review): input and forward are both ACCEPT here, and a
# 'forwarding' wan -> lan section closes this file, so the 'forward DROP'
# default above and the Allow-* rules below are effectively bypassed for
# anything arriving on eth2. With the prose stating that every LAN machine
# has its own public IPv6, LAN hosts are reachable from the Internet on every
# port over IPv6. Confirm this is intended; the usual OpenWrt shape is
# input/forward REJECT on wan, with the Allow-* rules and the redirects
# carrying the exceptions. 'log 1' logs rejected/dropped packets for this zone.
config zone
    option name 'wan'
    option output 'ACCEPT'
    option masq '1'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    list device 'eth2'
    option log '1'
    list network 'wan'
    list network 'wan2'

config forwarding
    option src 'lan'
    option dest 'wan'

# Stock OpenWrt Allow-* rules follow (DHCP renew, ping, IGMP, DHCPv6, MLD,
# ICMPv6, IPsec, traceroute). They only matter once wan input/forward stop
# being ACCEPT.
config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config rule
    option name 'Support-UDP-Traceroute'
    option src 'wan'
    option dest_port '33434:33689'
    option proto 'udp'
    option family 'ipv4'
    option target 'REJECT'
    option enabled 'false'

# Custom rules file; its contents are not reproduced on this page.
config include
    option path '/etc/firewall.user'

# fail2ban hook — NOTE(review): the same include appears a second time
# further down; one of the two should be removed.
config include
    option path '/etc/firewall.fail2ban'
    option enabled '1'
    option reload '1'

# ---- Port forwards on 80.67.176.33 (infra / a-lec hosts) ----
# ssh to the hypervisors uses non-standard external ports (222/223).
config redirect
    option target 'DNAT'
    option name 'ssh 222 -> mother'
    option src 'wan'
    option src_dport '222'
    option dest 'lan'
    option dest_port '222'
    option src_dip '80.67.176.33'
    option dest_ip '192.168.1.2'

config redirect
    option target 'DNAT'
    option name 'ssh 223 -> aunt'
    option src 'wan'
    option src_dport '223'
    option dest 'lan'
    option dest_port '223'
    option src_dip '80.67.176.33'
    option dest_ip '192.168.1.3'

config redirect
    option target 'DNAT'
    option name 'dns 53 -> dns'
    option src 'wan'
    option src_dport '53'
    option dest 'lan'
    option dest_port '53'
    option dest_ip '192.168.1.242'
    option src_dip '80.67.176.33'

# Mail VM: SMTP, submission, IMAPS, ManageSieve and ssh (external 666 -> 22).
config redirect
    option target 'DNAT'
    option src 'wan'
    option src_dport '25'
    option dest 'lan'
    option dest_port '25'
    option name 'smtp -> mail'
    option dest_ip '192.168.1.201'
    option src_dip '80.67.176.33'

config redirect
    option target 'DNAT'
    option src 'wan'
    option src_dport '587'
    option dest 'lan'
    option dest_port '587'
    option name 'smtps -> mail'
    option dest_ip '192.168.1.201'
    option src_dip '80.67.176.33'

config redirect
    option target 'DNAT'
    option src 'wan'
    option src_dport '993'
    option dest 'lan'
    option dest_port '993'
    option name 'imaps -> mail'
    option dest_ip '192.168.1.201'
    option src_dip '80.67.176.33'

# reflection_src 'external': LAN clients hitting the public IP see the
# router's external address as source (NAT reflection).
config redirect
    option target 'DNAT'
    option src 'wan'
    option src_dip '80.67.176.33'
    option src_dport '4190'
    option dest 'lan'
    option dest_ip '192.168.1.201'
    option dest_port '4190'
    option reflection_src 'external'
    option name 'sieve -> mail'

config redirect
    option target 'DNAT'
    option name 'ssh 666 -> mail'
    option src 'wan'
    option src_dport '666'
    option dest 'lan'
    option dest_port '22'
    option dest_ip '192.168.1.201'
    option src_dip '80.67.176.33'

# Port 22 on the first public IP goes to the git VM, not to the router.
config redirect
    option target 'DNAT'
    option name 'ssh 22 -> git'
    option src 'wan'
    option src_dport '22'
    option dest 'lan'
    option dest_port '22'
    option dest_ip '192.168.1.131'
    option src_dip '80.67.176.33'

config redirect
    option target 'DNAT'
    option name 'ssh 777 -> www'
    option src 'wan'
    option src_dport '777'
    option dest 'lan'
    option dest_port '22'
    option dest_ip '192.168.1.188'
    option src_dip '80.67.176.33'

# XMPP VM: c2s, c2s-TLS, s2s, BOSH/websocket (http/https) and STUN.
config redirect
    option target 'DNAT'
    option name 'xmpp c2s'
    option src 'wan'
    option src_dport '5222'
    option dest 'lan'
    option dest_port '5222'
    option dest_ip '192.168.1.211'
    option src_dip '80.67.176.33'

config redirect
    option target 'DNAT'
    option src 'wan'
    option src_dport '5223'
    option dest 'lan'
    option dest_port '5223'
    option name 'xmpp c2s tls'
    option dest_ip '192.168.1.211'
    option src_dip '80.67.176.33'

config redirect
    option target 'DNAT'
    option name 'xmpp s2s'
    option src 'wan'
    option src_dport '5269'
    option dest 'lan'
    option dest_port '5269'
    option dest_ip '192.168.1.211'
    option src_dip '80.67.176.33'

config redirect
    option target 'DNAT'
    option name 'xmpp https'
    option src 'wan'
    option src_dport '5443'
    option dest 'lan'
    option dest_port '5443'
    option dest_ip '192.168.1.211'
    option src_dip '80.67.176.33'

config redirect
    option target 'DNAT'
    option name 'xmpp http'
    option src 'wan'
    option src_dport '5280'
    option dest 'lan'
    option dest_port '5280'
    option dest_ip '192.168.1.211'
    option src_dip '80.67.176.33'

config redirect
    option target 'DNAT'
    option name 'xmpp stun'
    option src 'wan'
    option src_dport '3478'
    option dest 'lan'
    option dest_port '3478'
    option dest_ip '192.168.1.211'
    option src_dip '80.67.176.33'

config redirect
    option target 'DNAT'
    option name 'mumble -> audio'
    option src 'wan'
    option src_dport '64738'
    option dest 'lan'
    option dest_ip '192.168.1.186'
    option dest_port '64738'
    option src_dip '80.67.176.33'

# ---- Port forwards for chalec (mostly on 80.67.179.96, 192.168.2.x) ----
# NOTE(review): this identd forward has no 'src_dip', so unlike its
# neighbours it matches port 113 on BOTH public addresses (no 'dest_port'
# means the port is kept). Add 'option src_dip '80.67.179.96'' if it is
# only meant for the chalec IP.
config redirect
    option target 'DNAT'
    option src 'wan'
    option src_dport '113'
    option dest 'lan'
    option dest_ip '192.168.2.204'
    option name 'Chalec xmpp (IRC sortant) identd'

config redirect
    option target 'DNAT'
    option name 'chalec xmpp c2s'
    option src 'wan'
    option src_dip '80.67.179.96'
    option dest 'lan'
    option dest_ip '192.168.2.204'
    option src_dport '5222'

config redirect
    option target 'DNAT'
    option name 'chalec xmpp c2s tls'
    option src 'wan'
    option src_dport '5223'
    option dest 'lan'
    option dest_ip '192.168.2.204'
    option src_dip '80.67.179.96'

config redirect
    option target 'DNAT'
    option name 'chalec xmpp s2s'
    option src 'wan'
    option src_dip '80.67.179.96'
    option dest 'lan'
    option dest_ip '192.168.2.204'
    option src_dport '5269'

config redirect
    option target 'DNAT'
    option name 'chalec xmpp https'
    option src 'wan'
    option src_dip '80.67.179.96'
    option dest 'lan'
    option dest_ip '192.168.2.204'
    option src_dport '5443-5444'

config redirect
    option target 'DNAT'
    option name 'chalec xmpp http'
    option src 'wan'
    option src_dip '80.67.179.96'
    option src_dport '5280'
    option dest 'lan'
    option dest_ip '192.168.2.204'

config redirect
    option target 'DNAT'
    option name 'chalec xmpp stun'
    option src 'wan'
    option src_dip '80.67.179.96'
    option dest 'lan'
    option dest_ip '192.168.2.204'
    option src_dport '3475-3478'

config redirect
    option target 'DNAT'
    option name 'chalec mumble'
    option src 'wan'
    option src_dip '80.67.179.96'
    option src_dport '64738'
    option dest 'lan'
    option dest_ip '192.168.2.114'

config redirect
    option target 'DNAT'
    option name 'Chalec Libreverse'
    option src 'wan'
    option src_dip '80.67.179.96'
    option src_dport '30000'
    option dest 'lan'
    option dest_ip '192.168.2.139'

# NOTE(review): second include of /etc/firewall.fail2ban (already declared
# above); the hook is probably processed twice — remove one of them.
config include
    option path '/etc/firewall.fail2ban'
    option enabled '1'
    option reload '1'

config redirect
    option target 'DNAT'
    option name 'Isengard Grafana'
    option src 'wan'
    option src_dip '80.67.176.33'
    option src_dport '3000'
    option dest 'lan'
    option dest_ip '192.168.1.155'
    option dest_port '3000'

config redirect
    option target 'DNAT'
    option src 'wan'
    option src_dip '80.67.179.96'
    option src_dport '1935'
    option dest 'lan'
    option dest_ip '192.168.2.199'
    option dest_port '1935'
    option name '1935 -> video'

config redirect
    option target 'DNAT'
    option name '10000 -> visio'
    option src 'wan'
    option src_dip '80.67.179.96'
    option src_dport '10000'
    option dest 'lan'
    option dest_ip '192.168.2.198'

# Port 22 on the second public IP goes to the chalec forge.
config redirect
    option target 'DNAT'
    option name 'chalec ssh 22 -> forge'
    option src 'wan'
    option src_dip '80.67.179.96'
    option src_dport '22'
    option dest 'lan'
    option dest_ip '192.168.2.239'
    option dest_port '22'
    option reflection_src 'external'

# NOTE(review): no 'src_dip' here either — port 5665 is forwarded from both
# public addresses to isengard. Add 'option src_dip '80.67.176.33'' if only
# the infra IP should expose Icinga.
config redirect
    option target 'DNAT'
    option name 'icinga 5665-> isengard'
    option src 'wan'
    option src_dport '5665'
    option dest 'lan'
    option dest_ip '192.168.1.155'
    option dest_port '5665'

# NOTE(review): together with 'forward ACCEPT' on the wan zone above, this
# forwards any traffic arriving on wan into lan — see the note on that zone.
config forwarding
    option src 'wan'
    option dest 'lan'

Configuration du routage des IPs publiques en sortie

/etc/config/vpn-policy-routing
# /etc/config/vpn-policy-routing as documented: the package is used here as
# a plain policy-routing tool, so that the chalec subnet leaves through the
# second public IPv4 (wan2) instead of the PPPoE default route.
config vpn-policy-routing 'config'
    option verbosity '2'
    # Refuse to route matching traffic at all if the target interface is down,
    # rather than falling back to the default route.
    option strict_enforcement '1'
    option src_ipset '0'
    option dest_ipset '0'
    option resolver_ipset 'dnsmasq.ipset'
    # IPv6 is left to normal routing (each host has its own public address).
    option ipv6_enabled '0'
    list ignored_interface 'vpnserver wgserver'
    option boot_timeout '30'
    option iptables_rule_option 'append'
    option procd_reload_delay '1'
    # Remaining webui_* options only shape the LuCI page.
    option webui_show_ignore_target '0'
    option webui_sorting '1'
    list webui_supported_protocol 'tcp'
    list webui_supported_protocol 'udp'
    list webui_supported_protocol 'tcp udp'
    list webui_supported_protocol 'icmp'
    list webui_supported_protocol 'all'
    option enabled '1'
    option webui_enable_column '1'
    option webui_protocol_column '1'
    option webui_chain_column '1'

# Policy: everything sourced from 192.168.2.0/24 goes out through wan2.
# NOTE(review): 'chain OUTPUT' classifies packets generated by the router
# itself; traffic forwarded from LAN hosts is seen in PREROUTING. Confirm
# that this policy really takes effect for the chalec VMs (e.g. by checking
# the source address they are seen with from outside) rather than relying on
# the chain name.
config policy
    option name 'sortie chalec'
    option src_addr '192.168.2.0/24'
    option proto 'all'
    option chain 'OUTPUT'
    option interface 'wan2'

Configuration des certificats SSL

Configuration classique d'acme pour la génération de certificats SSL pour le routeur.

/etc/config/acme

# /etc/config/acme as documented: one ECC (P-384) certificate for the
# router's own name, validated over HTTP (webroot /www, which is also the
# nginx 'root') and pushed to nginx on renewal (update_nginx 1).
config acme
    option state_dir '/etc/acme'
    option account_email 'cominfra@a-lec.org'
    option debug '0'

# Section name is the one from the package example; this is not a wildcard
# certificate, so renaming it (e.g. 'routeur') would avoid confusion.
# NOTE(review): webroot validation requires routeur.libre-en-communs.org to
# answer plain HTTP on port 80; the nginx listing on this page only shows
# the :444 server for that name, so confirm where /.well-known is served.
config cert 'example_wildcard'
    option update_nginx '1'
    option enabled '1'
    list domains 'routeur.libre-en-communs.org'
    option update_uhttpd '0'
    option validation_method 'webroot'
    option webroot '/www'
    option keylength 'ec-384'
    option use_staging '0'

Configuration Reverse Proxy (nginx)

Le Reverse Proxy a pour mission de rediriger les connexions HTTP(S) qui arrivent en IPv4 sur le routeur vers les machines associées à ces connexions. Il n'est donc pas utilisé pour IPv6 puisque chaque machine a sa propre IP publique accessible depuis Internet. Nous utilisons le logiciel nginx.

Pour HTTP (port 80), on utilise la méthode proxy_pass en http dans des blocs server de la section http. Afin d'éviter d'avoir des IPs à configurer ici, nous utilisons les noms d'hôte des machines qui sont donc résolus en "runtime". La redirection vers la machine s'effectue sur le port 80, avec les headers X-Real-IP et X-Forwarded-For à destination de la machine cible. La configuration du Reverse Proxy HTTP est dans le fichier /etc/nginx/reverse_proxy.conf.

Pour HTTPS (port 443), en raison de notre volonté de ne pas centraliser les certificats SSL en un seul endroit, nous avons fait le choix de ne pas déchiffrer les requêtes sur le routeur. Ainsi, nous utilisons la méthode proxy_pass avec le proxy_protocol et ssl_preread dans la section stream. Cela permet de lire le nom d'hôte dans l'en-tête SSL (SNI) et de transmettre directement la requête, non déchiffrée, à la machine correspondante. Afin de ne pas gêner les requêtes IPv4 internes au réseau sur le port 443, la redirection vers la machine s'effectue sur le port 444 en proxy_protocol, ce qui permet à la machine cible de récupérer l'IP du client ayant émis la requête. La configuration du Reverse Proxy HTTPS est dans le fichier /etc/nginx/reverse_proxy_ssl.conf.

Enfin, la configuration générale de nginx ainsi que le bloc du serveur correspondant à la page de configuration du routeur se trouvent dans /etc/nginx/nginx.conf.

/etc/nginx/nginx.conf (fichier principal de configuration)

# /etc/nginx/nginx.conf as documented. Three roles: the 'stream' block does
# the SNI-based HTTPS passthrough (reverse_proxy_ssl.conf, not on this page),
# the 'http' block hosts the plain-HTTP reverse proxy (reverse_proxy.conf)
# and the router's own LuCI vhost on :444.
worker_processes auto;

# NOTE(review): worker processes run as root. Confirm this is actually
# required (the uwsgi/ubus sockets below are the likely reason); a dedicated
# user would limit the impact of a bug in nginx or a module.
user root;

events {
    worker_connections  1024;
}

#error_log /var/log/nginx/error.log debug;

# TCP-level proxy for port 443 (see the HTTPS prose above).
stream {
    include reverse_proxy_ssl.conf;
}

http {
    
    # Targets in reverse_proxy.conf are written as '<host>.lan' variables, so
    # they are resolved at request time through the local dnsmasq.
    resolver 127.0.0.1 ipv6=off;

    include mime.types;
    default_type application/octet-stream;
    sendfile on;

    client_max_body_size 128M;
    large_client_header_buffers 2 1k;
    server_names_hash_bucket_size 64;

    gzip on;
    gzip_vary on;
    gzip_proxied any;

    include reverse_proxy.conf;

        #include conf.d/*.conf;

    # The router's own vhost (LuCI). Port 444 + proxy_protocol is where the
    # stream block hands over HTTPS connections for this name.
    # NOTE(review): the listener is bound on every IPv4 address and trusts the
    # incoming PROXY header as-is; with the wan zone set to input ACCEPT,
    # confirm that :444 is not reachable from the Internet directly and is
    # only fed by the local stream proxy.
    server {

        listen 0.0.0.0:444 ssl proxy_protocol;
        server_name routeur.libre-en-communs.org;

        # Certificate/key produced by the acme config above.
        ssl_certificate /etc/acme/routeur.libre-en-communs.org_ecc/fullchain.cer;
            ssl_certificate_key /etc/acme/routeur.libre-en-communs.org_ecc/routeur.libre-en-communs.org.key;
        
        # LuCI web UI over uwsgi.
                location /cgi-bin/luci {
            index  index.html;
            include uwsgi_params;
            uwsgi_param SERVER_ADDR $server_addr;
            uwsgi_modifier1 9;
            uwsgi_pass unix:///var/run/luci-webui.socket;
        }

        # cgi-io helpers (config backup/restore, file up/download, exec).
        location ~ /cgi-bin/cgi-(backup|download|upload|exec) {
            include uwsgi_params;
            uwsgi_param SERVER_ADDR $server_addr;
            uwsgi_modifier1 9;
            uwsgi_pass unix:///var/run/luci-cgi_io.socket;
        }

        location /luci-static {
            error_log stderr crit;
        }

        # Direct ubus access for the LuCI frontend (nginx ubus module).
        location /ubus {
                ubus_interpreter;
                ubus_socket_path /var/run/ubus/ubus.sock;
                ubus_parallel_req 2;
        }

        root /www;
        ssl_session_cache shared:SSL:32k;
        ssl_session_timeout 64m;
    }
}

/etc/nginx/reverse_proxy.conf (reverse proxy HTTP)

#### INFRA

server {
    server_name isengard.libre-en-communs.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        set $target "http://isengard.lan:80";
        proxy_pass $target;
    }
}

server {
    server_name gestion.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
    set $target "http://gestion.lan:80";
    proxy_pass $target;
    }
}

server {
    server_name don.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        set $target "http://gestion.lan:80";
        proxy_pass $target;
    }

}

server {
    server_name adhesion.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        set $target "http://gestion.lan:80";
        proxy_pass $target;
    }
}

server {    
    server_name audio.a-lec.org;    
    listen 80;    
    proxy_redirect off;    
    proxy_set_header X-Real-IP       
    $remote_addr;    
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;    

    location / {
        set $target "http://audio.lan:80";
        proxy_pass $target;
    }
}

server {
    server_name coffre.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        set $target "http://gestion.lan:80";
        proxy_pass $target;
    }
}

server {
    server_name git.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        set $target "http://git.lan:80";
        proxy_pass $target;
    }
}

server {
    server_name www.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        set $target "http://www.lan:80";
        proxy_pass $target;
    }
}

server {
    server_name a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        set $target "http://www.lan:80";
        proxy_pass $target;
    }
}

server {
    server_name toot.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        set $target "http://toot.lan:80";
        proxy_pass $target;
    }
}

server {
    server_name mail.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        set $target "http://mail.lan:80";
        proxy_pass $target;
    }
}

server {
    server_name autoconfig.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        set $target "http://mail.lan:80";
        proxy_pass $target;
    }
}

server {
    server_name xmpp.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        set $target "http://xmpp.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name salons.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        set $target "http://xmpp.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name pubsub.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        set $target "http://xmpp.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name proxy.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        set $target "http://proxy.lan:80";
        proxy_pass $target;
    }
}

server {
    server_name ghn.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        set $target "http://ghn.lan:80";
        proxy_pass $target;
    }
}

### CHALEC

server {
    server_name audio.chalec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        set $target "http://audio.chalec.org.lan:80";
        proxy_pass $target;
    }
}

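server {
    server_name toot.chalec.org;
    listen 80;  # IPv4 wildcard only (no `listen [::]:80`)
    # Plain-HTTP entry; TLS for this name is passed through on :443 (SNI map).
    # The whole path space (ACME challenges included) is proxied to the backend.
    proxy_redirect off;  # backend Location headers are passed through untouched
    # Forward the requested name; nginx otherwise sends Host: toot.chalec.org.lan
    # (the upstream name), and any redirect the backend builds from Host leaks it.
    # Drop only if the backend vhost is deliberately keyed on the .lan name.
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    # Appends to any client-supplied X-Forwarded-For: the backend must trust only
    # the last (router-added) entry, or use X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        # Variable in proxy_pass: resolved per request through the http-level
        # resolver (configured elsewhere), not at config load.
        set $target "http://toot.chalec.org.lan:80";
        proxy_pass $target;
    }
}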

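server {
    server_name nuage.chalec.org;
    listen 80;  # IPv4 wildcard only (no `listen [::]:80`)
    # Plain-HTTP entry; TLS for this name is passed through on :443 (SNI map).
    # The whole path space (ACME challenges included) is proxied to the backend.
    proxy_redirect off;  # backend Location headers are passed through untouched
    # Forward the requested name; nginx otherwise sends Host: nuage.chalec.org.lan
    # (the upstream name), and any redirect the backend builds from Host leaks it.
    # Drop only if the backend vhost is deliberately keyed on the .lan name.
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    # Appends to any client-supplied X-Forwarded-For: the backend must trust only
    # the last (router-added) entry, or use X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        # Variable in proxy_pass: resolved per request through the http-level
        # resolver (configured elsewhere), not at config load.
        set $target "http://nuage.chalec.org.lan:80";
        proxy_pass $target;
    }
}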

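server {
    server_name forge.chalec.org;
    listen 80;  # IPv4 wildcard only (no `listen [::]:80`)
    # Plain-HTTP entry; TLS for this name is passed through on :443 (SNI map).
    # The whole path space (ACME challenges included) is proxied to the backend.
    proxy_redirect off;  # backend Location headers are passed through untouched
    # Forward the requested name; nginx otherwise sends Host: forge.chalec.org.lan
    # (the upstream name), and any redirect the backend builds from Host leaks it.
    # Drop only if the backend vhost is deliberately keyed on the .lan name.
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    # Appends to any client-supplied X-Forwarded-For: the backend must trust only
    # the last (router-added) entry, or use X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        # Variable in proxy_pass: resolved per request through the http-level
        # resolver (configured elsewhere), not at config load.
        set $target "http://forge.chalec.org.lan:80";
        proxy_pass $target;
    }
}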

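server {
    server_name ctrlv.chalec.org;
    listen 80;  # IPv4 wildcard only (no `listen [::]:80`)
    # Plain-HTTP entry; TLS for this name is passed through on :443 (SNI map).
    # The whole path space (ACME challenges included) is proxied to the backend.
    proxy_redirect off;  # backend Location headers are passed through untouched
    # Forward the requested name; nginx otherwise sends Host: ctrlv.chalec.org.lan
    # (the upstream name), and any redirect the backend builds from Host leaks it.
    # Drop only if the backend vhost is deliberately keyed on the .lan name.
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    # Appends to any client-supplied X-Forwarded-For: the backend must trust only
    # the last (router-added) entry, or use X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        # Variable in proxy_pass: resolved per request through the http-level
        # resolver (configured elsewhere), not at config load.
        set $target "http://ctrlv.chalec.org.lan:80";
        proxy_pass $target;
    }
}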

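server {
    server_name sondage.chalec.org;
    listen 80;  # IPv4 wildcard only (no `listen [::]:80`)
    # Plain-HTTP entry; TLS for this name is passed through on :443 (SNI map).
    # The whole path space (ACME challenges included) is proxied to the backend.
    proxy_redirect off;  # backend Location headers are passed through untouched
    # Forward the requested name; nginx otherwise sends Host: sondage.chalec.org.lan
    # (the upstream name), and any redirect the backend builds from Host leaks it.
    # Drop only if the backend vhost is deliberately keyed on the .lan name.
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    # Appends to any client-supplied X-Forwarded-For: the backend must trust only
    # the last (router-added) entry, or use X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        # Variable in proxy_pass: resolved per request through the http-level
        # resolver (configured elsewhere), not at config load.
        set $target "http://sondage.chalec.org.lan:80";
        proxy_pass $target;
    }
}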

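server {
    server_name visio.chalec.org;
    listen 80;  # IPv4 wildcard only (no `listen [::]:80`)
    # Plain-HTTP entry; TLS for this name is passed through on :443 (SNI map).
    # The whole path space (ACME challenges included) is proxied to the backend.
    proxy_redirect off;  # backend Location headers are passed through untouched
    # Forward the requested name; nginx otherwise sends Host: visio.chalec.org.lan
    # (the upstream name), and any redirect the backend builds from Host leaks it.
    # Drop only if the backend vhost is deliberately keyed on the .lan name.
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    # Appends to any client-supplied X-Forwarded-For: the backend must trust only
    # the last (router-added) entry, or use X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        # Variable in proxy_pass: resolved per request through the http-level
        # resolver (configured elsewhere), not at config load.
        set $target "http://visio.chalec.org.lan:80";
        proxy_pass $target;
    }
}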

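server {
    server_name video.chalec.org;
    listen 80;  # IPv4 wildcard only (no `listen [::]:80`)
    # Plain-HTTP entry; TLS for this name is passed through on :443 (SNI map).
    # The whole path space (ACME challenges included) is proxied to the backend.
    proxy_redirect off;  # backend Location headers are passed through untouched
    # Forward the requested name; nginx otherwise sends Host: video.chalec.org.lan
    # (the upstream name), and any redirect the backend builds from Host leaks it.
    # Drop only if the backend vhost is deliberately keyed on the .lan name.
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    # Appends to any client-supplied X-Forwarded-For: the backend must trust only
    # the last (router-added) entry, or use X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        # Variable in proxy_pass: resolved per request through the http-level
        # resolver (configured elsewhere), not at config load.
        set $target "http://video.chalec.org.lan:80";
        proxy_pass $target;
    }
}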

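server {
    server_name libreverse.chalec.org;
    listen 80;  # IPv4 wildcard only (no `listen [::]:80`)
    # Plain-HTTP entry; TLS for this name is passed through on :443 (SNI map).
    # The whole path space (ACME challenges included) is proxied to the backend.
    proxy_redirect off;  # backend Location headers are passed through untouched
    # Forward the requested name; nginx otherwise sends Host: libreverse.chalec.org.lan
    # (the upstream name), and any redirect the backend builds from Host leaks it.
    # Drop only if the backend vhost is deliberately keyed on the .lan name.
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    # Appends to any client-supplied X-Forwarded-For: the backend must trust only
    # the last (router-added) entry, or use X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        # Variable in proxy_pass: resolved per request through the http-level
        # resolver (configured elsewhere), not at config load.
        set $target "http://libreverse.chalec.org.lan:80";
        proxy_pass $target;
    }
}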

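server {
    server_name xmpp.chalec.org;
    listen 80;  # IPv4 wildcard only (no `listen [::]:80`)
    # Plain-HTTP entry; TLS for this name is passed through on :443 (SNI map).
    # The whole path space (ACME challenges included) is proxied to the backend.
    proxy_redirect off;  # backend Location headers are passed through untouched
    # Forward the requested name; nginx otherwise sends Host: xmpp.chalec.org.lan
    # (the upstream name), and any redirect the backend builds from Host leaks it.
    # Drop only if the backend vhost is deliberately keyed on the .lan name.
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    # Appends to any client-supplied X-Forwarded-For: the backend must trust only
    # the last (router-added) entry, or use X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        # Variable in proxy_pass: resolved per request through the http-level
        # resolver (configured elsewhere), not at config load.
        set $target "http://xmpp.chalec.org.lan:80";
        proxy_pass $target;
    }
}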

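server {
    server_name pad.chalec.org;
    listen 80;  # IPv4 wildcard only (no `listen [::]:80`)
    # Plain-HTTP entry; TLS for this name is passed through on :443 (SNI map).
    # The whole path space (ACME challenges included) is proxied to the backend.
    proxy_redirect off;  # backend Location headers are passed through untouched
    # Forward the requested name; nginx otherwise sends Host: pad.chalec.org.lan
    # (the upstream name), and any redirect the backend builds from Host leaks it.
    # Drop only if the backend vhost is deliberately keyed on the .lan name.
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    # Appends to any client-supplied X-Forwarded-For: the backend must trust only
    # the last (router-added) entry, or use X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        # Variable in proxy_pass: resolved per request through the http-level
        # resolver (configured elsewhere), not at config load.
        set $target "http://pad.chalec.org.lan:80";
        proxy_pass $target;
    }
}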

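server {
    server_name stats.chalec.org;
    listen 80;  # IPv4 wildcard only (no `listen [::]:80`)
    # Plain-HTTP entry; TLS for this name is passed through on :443 (SNI map).
    # The whole path space (ACME challenges included) is proxied to the backend.
    proxy_redirect off;  # backend Location headers are passed through untouched
    # Forward the requested name; nginx otherwise sends Host: stats.chalec.org.lan
    # (the upstream name), and any redirect the backend builds from Host leaks it.
    # Drop only if the backend vhost is deliberately keyed on the .lan name.
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    # Appends to any client-supplied X-Forwarded-For: the backend must trust only
    # the last (router-added) entry, or use X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        # Variable in proxy_pass: resolved per request through the http-level
        # resolver (configured elsewhere), not at config load.
        set $target "http://stats.chalec.org.lan:80";
        proxy_pass $target;
    }
}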

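server {
    server_name www.chalec.org;
    listen 80;  # IPv4 wildcard only (no `listen [::]:80`)
    # Plain-HTTP entry; TLS for this name is passed through on :443 (SNI map).
    # The whole path space (ACME challenges included) is proxied to the backend.
    proxy_redirect off;  # backend Location headers are passed through untouched
    # Forward the requested name. nginx otherwise sends Host: www.chalec.org.lan
    # (the upstream name), shared with www-wip.chalec.org and chalec.org, so the
    # backend could not tell them apart. Drop only if its vhost is keyed on the .lan name.
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    # Appends to any client-supplied X-Forwarded-For: the backend must trust only
    # the last (router-added) entry, or use X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        # Variable in proxy_pass: resolved per request through the http-level
        # resolver (configured elsewhere), not at config load.
        set $target "http://www.chalec.org.lan:80";
        proxy_pass $target;
    }
}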

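server {
    server_name www-wip.chalec.org;
    listen 80;  # IPv4 wildcard only (no `listen [::]:80`)
    # Plain-HTTP entry; TLS for this name is passed through on :443 (SNI map).
    # The whole path space (ACME challenges included) is proxied to the backend.
    proxy_redirect off;  # backend Location headers are passed through untouched
    # Forward the requested name. nginx otherwise sends Host: www.chalec.org.lan
    # (the upstream name), shared with www.chalec.org and chalec.org: the backend
    # could not serve a distinct "wip" site without it. Drop only if its vhost is
    # keyed on the .lan name.
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    # Appends to any client-supplied X-Forwarded-For: the backend must trust only
    # the last (router-added) entry, or use X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        # Variable in proxy_pass: resolved per request through the http-level
        # resolver (configured elsewhere), not at config load.
        set $target "http://www.chalec.org.lan:80";
        proxy_pass $target;
    }
}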

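server {
    server_name petition.chalec.org;
    listen 80;  # IPv4 wildcard only (no `listen [::]:80`)
    # Plain-HTTP entry; TLS for this name is passed through on :443 (SNI map).
    # The whole path space (ACME challenges included) is proxied to the backend.
    proxy_redirect off;  # backend Location headers are passed through untouched
    # Forward the requested name; nginx otherwise sends Host: petition.chalec.org.lan
    # (the upstream name), and any redirect the backend builds from Host leaks it.
    # Drop only if the backend vhost is deliberately keyed on the .lan name.
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    # Appends to any client-supplied X-Forwarded-For: the backend must trust only
    # the last (router-added) entry, or use X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        # Variable in proxy_pass: resolved per request through the http-level
        # resolver (configured elsewhere), not at config load.
        set $target "http://petition.chalec.org.lan:80";
        proxy_pass $target;
    }
}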

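server {
    server_name chalec.org;
    listen 80;  # IPv4 wildcard only (no `listen [::]:80`)
    # Plain-HTTP entry for the bare domain; TLS for it is passed through on :443 (SNI map).
    # The whole path space (ACME challenges included) is proxied to the backend.
    proxy_redirect off;  # backend Location headers are passed through untouched
    # Forward the requested name. nginx otherwise sends Host: www.chalec.org.lan
    # (the upstream name), shared with www.chalec.org and www-wip.chalec.org, so
    # the backend could not tell them apart nor redirect the bare domain to www.
    # Drop only if its vhost is keyed on the .lan name.
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    # Appends to any client-supplied X-Forwarded-For: the backend must trust only
    # the last (router-added) entry, or use X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        # Variable in proxy_pass: resolved per request through the http-level
        # resolver (configured elsewhere), not at config load.
        set $target "http://www.chalec.org.lan:80";
        proxy_pass $target;
    }
}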

/etc/nginx/reverse_proxy_ssl.conf (reverse proxy HTTPS : passthrough TLS par SNI via le module `stream` de nginx — le TLS n'est pas terminé sur le routeur, chaque serveur interne garde son propre certificat et sa clé sur son port 444)

# Hash table sizing for the SNI map below (currently ~35 entries). If adding
# names makes `nginx -t` report that the map hash cannot be built, raise
# map_hash_max_size (and bucket size for names longer than the bucket).
map_hash_max_size 64;
map_hash_bucket_size 64;
# Routes each TLS connection on :443 by the SNI read from the ClientHello
# ($ssl_preread_server_name) to the upstream that holds the matching certificate.
# No `default`: an absent or unknown SNI gives an empty $name_444, so the session
# has no upstream and is dropped instead of landing on a catch-all backend; keep it
# that way. Every public name added here needs a matching `upstream` below.
map $ssl_preread_server_name $name_444 {
    ### INFRA
    gestion.a-lec.org gestion_a-lec_444;
    don.a-lec.org gestion_a-lec_444;
    adhesion.a-lec.org gestion_a-lec_444;
    coffre.a-lec.org gestion_a-lec_444;
    git.a-lec.org git_a-lec_444;
    www.a-lec.org www_a-lec_444;
    www-wip.a-lec.org www_a-lec_444;
    a-lec.org www_a-lec_444;
    mail.a-lec.org mail_a-lec_444;
    autoconfig.a-lec.org mail_a-lec_444;
    toot.a-lec.org toot_a-lec_444;
    # NOTE(review): exposes whatever listens on the router's own 127.0.0.1:444
    # (presumably the LuCI/nginx TLS vhost) to the internet under this name —
    # make sure that service enforces strong authentication.
    routeur.libre-en-communs.org routeur_444;
    isengard.libre-en-communs.org isengard_444;
    audio.a-lec.org audio_a-lec_444;
    tootest.a-lec.org tootest_a-lec_444;
    ghn.a-lec.org ghn_a-lec_444;

    ### CHALEC
    audio.chalec.org audio_chalec_444;
    nuage.chalec.org nuage_chalec_444;
    toot.chalec.org toot_chalec_444;
    forge.chalec.org forge_chalec_444;
    pad.chalec.org pad_chalec_444;
    ctrlv.chalec.org ctrlv_chalec_444;
    sondage.chalec.org sondage_chalec_444;
    stats.chalec.org stats_chalec_444;
    visio.chalec.org visio_chalec_444;
    video.chalec.org video_chalec_444;
    libreverse.chalec.org libreverse_chalec_444;
    www.chalec.org www_chalec_444;
    chalec.org www_chalec_444;
    www-wip.chalec.org www_chalec_444;
    petition.chalec.org petition_chalec_444;
    xmpp.chalec.org xmpp_chalec_444;
}

    # INFRA upstreams: each is a backend's TLS port 444. The stream server below
    # sends the PROXY protocol header, so every backend must enable proxy_protocol
    # on :444 and should accept :444 only from the router — a LAN host that can
    # reach :444 directly could otherwise forge the client address in that header.
    # Host names here are resolved once at config load (no `resolve` parameter):
    # an unresolvable name makes `nginx -t` fail.
    upstream gestion_a-lec_444 {
        server gestion:444;
    }

    upstream ghn_a-lec_444 {
        server ghn:444;
    }

    upstream tootest_a-lec_444 {
        server tootest:444;
    }

    upstream audio_a-lec_444 {
        server audio:444;
    }

    upstream git_a-lec_444 {
        server git:444;
    }

    upstream mail_a-lec_444 {
        server mail:444;
    }

    upstream www_a-lec_444 {
        server www:444;
    }

    upstream toot_a-lec_444 {
        server toot:444;
    }

    # The router's own local TLS service: reachable from the internet via the
    # routeur.libre-en-communs.org SNI entry, so it must expect the PROXY header
    # and require strong authentication.
    upstream routeur_444 {
        server 127.0.0.1:444;
    }

    upstream isengard_444 {
        server isengard:444;
    }


    ### CHALEC

    # CHALEC upstreams: each is a backend's TLS port 444. The stream server below
    # sends the PROXY protocol header, so every backend must enable proxy_protocol
    # on :444 and should accept :444 only from the router — a LAN host that can
    # reach :444 directly could otherwise forge the client address in that header.
    # Host names here are resolved once at config load (no `resolve` parameter):
    # an unresolvable .lan name makes `nginx -t` fail.
    upstream audio_chalec_444 {
        server audio.chalec.org.lan:444;
    }

    upstream nuage_chalec_444 {
        server nuage.chalec.org.lan:444;
    }

    upstream toot_chalec_444 {
        server toot.chalec.org.lan:444;
    }

    upstream forge_chalec_444 {
        server forge.chalec.org.lan:444;
    }

    upstream ctrlv_chalec_444 {
        server ctrlv.chalec.org.lan:444;
    }

    upstream pad_chalec_444 {
        server pad.chalec.org.lan:444;
    }

    upstream sondage_chalec_444 {
        server sondage.chalec.org.lan:444;
    }

    upstream stats_chalec_444 {
        server stats.chalec.org.lan:444;
    }

    upstream visio_chalec_444 {
        server visio.chalec.org.lan:444;
    }

    upstream video_chalec_444 {
        server video.chalec.org.lan:444;
    }

    upstream libreverse_chalec_444 {
        server libreverse.chalec.org.lan:444;
    }

    upstream xmpp_chalec_444 {
        server xmpp.chalec.org.lan:444;
    }

    upstream petition_chalec_444 {
        server petition.chalec.org.lan:444;
    }

    # Shared by www.chalec.org, www-wip.chalec.org and chalec.org; the backend
    # distinguishes them itself from the SNI/Host it receives.
    upstream www_chalec_444 {
        server www.chalec.org.lan:444;
    }

### SERVER

server {
    # SNI-based TLS passthrough: nothing is decrypted on the router, each backend
    # holds its own certificate and key on :444.
    # NOTE(review): `listen 443` binds the IPv4 wildcard only; add `listen [::]:443;`
    # if HTTPS must also answer on the router's public IPv6 address.
    listen 443;
    # Empty $name_444 (absent/unknown SNI) leaves no upstream: the session is
    # dropped rather than forwarded anywhere.
    proxy_pass $name_444;
    # Prepends a PROXY protocol header so backends learn the real client address;
    # every :444 backend must be configured to expect it (and should trust it only
    # from the router), otherwise its TLS handshake fails on the extra bytes.
    proxy_protocol on;
    # Peek at the ClientHello to populate $ssl_preread_server_name without
    # terminating TLS; with no SNI the variable is empty and the map yields nothing.
    ssl_preread on;
}