documentation/Serveurs/linksys.md

19 KiB

Routeur linksys : serveur-mère de l'infrastructure de Libre en Communs

Matériel

Linksys WRT3200ACM (ARMv7 Processor rev 1 (v7l))

Logiciel

Système d'exploitation : OpenWrt 21.02.1 / LuCI openwrt-21.02
Reverse proxy HTTP(S) : nginx Interface graphique : luci VPN : openvpn Certificats SSL : acme

Caractéristiques notables

Domaine : routeur.libre-en-communs.org
Adresse ipv4 publique : 80.67.179.96
Adresse ipv4 locale : 192.169.1.1
Adresse ipv6 publique : 2001:910:1360::1

Configuration des interfaces

/etc/config/network
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd91:24db:dc7e::/48'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.169.1.1'
    option ip6assign '64'
    list ip6class 'wan6'
    option netmask '255.255.255.0'
    list dns '80.67.169.12'
    list dns '80.67.169.40'

config device
    option name 'wan'
    option macaddr 'ea:9f:80:1a:08:80'

config interface 'wan'
    option device 'wan'
    option proto 'dhcp'

config interface 'wan6'
    option device 'wan'
    option proto 'static'
    option ip6prefix '2001:910:1360::/48'
    list ip6addr '2001:910:1360:ffff::1'

Configuration des certificats SSL

/etc/config/acme

config acme
option state_dir '/etc/acme'
option debug '0'
option account_email 'cominfra@a-lec.org'

config cert 'example_wildcard'
option update_nginx '1'
option enabled '1'
list domains 'routeur.libre-en-communs.org'
option update_uhttpd '0'
option validation_method 'webroot'
option webroot '/www'
option keylength 'ec-384'
option use_staging '0'

Configuration DHCP (IP statiques allouées aux VM et serveurs)

/etc/config/dhcp

config dnsmasq
    option domainneeded '1'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
    option localservice '1'
    option ednspacket_max '1232'
    option logqueries '1'
    option boguspriv '0'
    option allservers '1'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'
    option ra 'hybrid'
    option dhcpv6 'hybrid'
    option ndp 'hybrid'
    list ra_flags 'none'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'

config domain
    option ip '2001:910:1360::1'
    option name 'routeur'

config domain
    option name 'routeur'
    option ip '192.169.1.1'

config domain
    option name 'mother.libre-en-communs.org'
    option ip '192.169.1.108'

config domain
    option name 'mother'
    option ip '2001:910:1360::2'

config domain
    option name 'mother'
    option ip '192.169.1.108'

config domain
    option name 'aunt.libre-en-communs.org'
    option ip '192.169.1.206'

config domain
    option name 'aunt'
    option ip '2001:910:1360::3'

config domain
    option name 'aunt'
    option ip '192.169.1.206'

config domain
    option name 'mail'
    option ip '2001:910:1360::148'

config domain
    option name 'mail'
    option ip '192.169.1.201'

config domain
    option name 'dns'
    option ip '2001:910:1360::11c'

config domain
    option name 'dns'
    option ip '192.169.1.242'

config domain
    option name 'git.a-lec.org'
    option ip '192.169.1.108'

config domain
    option name 'git'
    option ip '2001:910:1360::42'

config domain
    option name 'git'
    option ip '192.169.1.131'

config domain
    option name 'gestion'
    option ip '2001:910:1360::1ab'

config domain
    option name 'gestion'
    option ip '192.169.1.236'

config domain
    option name 'www'
    option ip '2001:910:1360::1ca'

config domain
    option name 'www'
    option ip '192.169.1.188'

config domain
    option name 'xmpp'
    option ip '2001:910:1360::142'

config domain
    option name 'xmpp.a-lec.org'
    option ip '2001:910:1360::142'

config domain
    option name 'xmpp'
    option ip '192.169.1.211'

config domain
    option name 'xmpp.a-lec.org'
    option ip '192.169.1.211'

config domain
    option name 'toot'
    option ip '2001:910:1360::16a'

config domain
    option name 'toot'
    option ip '192.169.1.179'

config host
    option name 'mother'
    option dns '1'
    option mac '08:60:6E:11:C3:CA'
    option ip '192.169.1.108'

config host
    option name 'aunt'
    option dns '1'
    option mac '20:CF:30:67:08:A7'
    option ip '192.169.1.206'

config host
    option mac '52:54:00:C1:D0:69'
    option ip '192.169.1.242'
    option name 'dns'
    option dns '1'

config host
    option name 'gestion'
    option dns '1'
    option mac '52:54:00:C8:83:EC'
    option ip '192.169.1.236'

config host
    option name 'git'
    option dns '1'
    option mac '52:54:00:FD:63:1C'
    option ip '192.169.1.131'

config host
    option mac '52:54:00:12:BC:CF'
    option ip '192.169.1.201'
    option name 'mail'
    option dns '1'

config host
    option name 'toot'
    option dns '1'
    option mac '52:54:00:E4:2A:97'
    option ip '192.169.1.179'

config host
    option mac '52:54:00:07:F1:3C'
    option ip '192.169.1.188'
    option name 'www'
    option dns '1'

config host
    option name 'xmpp'
    option dns '1'
    option mac '52:54:00:0B:A6:ED'
    option ip '192.169.1.211'

config host
    option name 'xmpp.chalec.org'
    option dns '1'
    option mac '52:54:00:FC:74:4C'
    option ip '192.169.1.204'

config host
    option name 'tootest'
    option dns '1'
    option mac '52:54:00:25:18:BB'
    option ip '192.169.1.232'

config host
    option name 'audio'
    option dns '1'
    option mac '52:54:00:F1:8B:EC'
    option ip '192.169.1.186'

Configuration du pare-feu (et redirections de ports pour IPV4)

/etc/config/firewall

config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option synflood_protect '1'
    option forward 'ACCEPT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option output 'ACCEPT'
    option mtu_fix '1'
    list device 'tun0'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config rule
    option name 'Support-UDP-Traceroute'
    option src 'wan'
    option dest_port '33434:33689'
    option proto 'udp'
    option family 'ipv4'
    option target 'REJECT'
    option enabled 'false'

config include
    option path '/etc/firewall.user'

config forwarding
    option src 'wan'
    option dest 'lan'

config redirect
    option target 'DNAT'
    option name 'ssh 222 -> mother'
    option src 'wan'
    option src_dport '222'
    option dest 'lan'
    option dest_ip '192.169.1.108'
    option dest_port '222'

config redirect
    option target 'DNAT'
    option name 'ssh 223 -> aunt'
    option src 'wan'
    option src_dport '223'
    option dest 'lan'
    option dest_ip '192.169.1.206'
    option dest_port '223'

config redirect
    option target 'DNAT'
    option name 'dns 53 -> dns'
    option src 'wan'
    option src_dport '53'
    option dest 'lan'
    option dest_port '53'
    option dest_ip '192.169.1.242'

config redirect
    option target 'DNAT'
    option src 'wan'
    option src_dport '25'
    option dest 'lan'
    option dest_port '25'
    option name 'smtp -> mail'
    option dest_ip '192.169.1.201'

config redirect
    option target 'DNAT'
    option src 'wan'
    option src_dport '587'
    option dest 'lan'
    option dest_port '587'
    option name 'smtps -> mail'
    option dest_ip '192.169.1.201'

config redirect
    option target 'DNAT'
    option src 'wan'
    option src_dport '993'
    option dest 'lan'
    option dest_port '993'
    option name 'imaps -> mail'
    option dest_ip '192.169.1.201'

config redirect
    option target 'DNAT'
    option name 'ssh 666 -> mail'
    option src 'wan'
    option src_dport '666'
    option dest 'lan'
    option dest_port '22'
    option dest_ip '192.169.1.201'

config redirect
    option target 'DNAT'
    option name 'ssh 22 -> git'
    option src 'wan'
    option src_dport '22'
    option dest 'lan'
    option dest_port '22'
    option dest_ip '192.169.1.131'

config redirect
    option target 'DNAT'
    option name 'ssh 777 -> www'
    option src 'wan'
    option src_dport '777'
    option dest 'lan'
    option dest_port '22'
    option dest_ip '192.169.1.188'

config redirect
    option target 'DNAT'
    option name 'xmpp c2s'
    option src 'wan'
    option src_dport '5222'
    option dest 'lan'
    option dest_port '5222'
    option dest_ip '192.169.1.211'

config redirect
    option target 'DNAT'
    option src 'wan'
    option src_dport '5223'
    option dest 'lan'
    option dest_port '5223'
    option name 'xmpp c2s tls'
    option dest_ip '192.169.1.211'

config redirect
    option target 'DNAT'
    option name 'xmpp s2s'
    option src 'wan'
    option src_dport '5269'
    option dest 'lan'
    option dest_port '5269'
    option dest_ip '192.169.1.211'

config redirect
    option target 'DNAT'
    option name 'xmpp https'
    option src 'wan'
    option src_dport '5443'
    option dest 'lan'
    option dest_port '5443'
    option dest_ip '192.169.1.211'

config redirect
    option target 'DNAT'
    option name 'xmpp http'
    option src 'wan'
    option src_dport '5280'
    option dest 'lan'
    option dest_port '5280'
    option dest_ip '192.169.1.211'

config redirect
    option target 'DNAT'
    option name 'xmpp stun'
    option src 'wan'
    option src_dport '3478'
    option dest 'lan'
    option dest_port '3478'
    option dest_ip '192.169.1.211'

Configuration Reverse Proxy (nginx)

Note : IPV4 uniquement

/etc/nginx/uci.conf (fichier principal de configuration)

worker_processes auto;

user root;

events {
    worker_connections  1024;    
}

include reverse_proxy_ssl.conf;

http {
    access_log off;
    log_format openwrt
        '$request_method $scheme://$host$request_uri => $status'
        ' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';

    include mime.types;
    default_type application/octet-stream;
    sendfile on;

    client_max_body_size 128M;
    large_client_header_buffers 2 1k;
    server_names_hash_bucket_size 64;

    gzip on;
    gzip_vary on;
    gzip_proxied any;

    root /www;

    server { #see uci show 'nginx._lan'
        listen 444 ssl proxy_protocol default_server;
        listen [::]:444 ssl default_server;
        server_name routeur.libre-en-communs.org;
        include conf.d/*.locations;
        ssl_certificate /etc/acme/routeur.libre-en-communs.org_ecc/fullchain.cer;
        ssl_certificate_key /etc/acme/routeur.libre-en-communs.org_ecc/routeur.libre-en-communs.org.key;
        ssl_session_cache shared:SSL:32k;
        ssl_session_timeout 64m;
        access_log off; # logd openwrt;
    }

    server {
        if ($host = routeur.libre-en-communs.org) {
            return 301 https://$host$request_uri;
        }
        server_name                 routeur.libre-en-communs.org;
        listen 80;
        return 404;
    }


    include reverse_proxy.conf;
    include conf.d/*.conf;
}

/etc/nginx/reverse_proxy.conf (reverse proxy HTTP)

server {
    server_name gestion.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
    proxy_pass http://gestion:80;
    }
}

server {
    server_name coffre.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        proxy_pass http://gestion:80;
    }
}

server {
    server_name git.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        proxy_pass http://git:80;
    }
}

server {
    server_name www.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        proxy_pass http://www:80;
    }
}

server {
    server_name a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        proxy_pass http://www:80;
    }
}

server {
    server_name toot.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        proxy_pass http://toot:80;
    }
}

/etc/nginx/reverse_proxy_ssl.conf (reverse proxy HTTPS)

stream {

map_hash_max_size 64;
map_hash_bucket_size 64;
    map $ssl_preread_server_name $name_443 {
        gestion.a-lec.org gestion_a-lec_443;
    coffre.a-lec.org gestion_a-lec_443;
        git.a-lec.org git_a-lec_443;
        www.a-lec.org www_a-lec_443;
    a-lec.org www_a-lec_443;
    mail.a-lec.org mail_a-lec_443;
    toot.a-lec.org toot_a-lec_443;
    routeur.libre-en-communs.org routeur_444;
    }

    upstream gestion_a-lec_443 {
        server gestion:443;
    }

    upstream git_a-lec_443 {
        server git:443;
    }

    upstream mail_a-lec_443 {
        server mail:443;
    }

    upstream www_a-lec_443 {
        server www:443;
    }

    upstream toot_a-lec_443 {
        server toot:443;
    }

    upstream routeur_444 {
        server 127.0.0.1:444;
    }

    server {
        listen 443;
        proxy_pass $name_443;
    proxy_protocol on;
        ssl_preread on;
    }

log_format basic '$remote_addr [$time_local] '
             '$protocol $status $bytes_sent $bytes_received '
             '$session_time "$upstream_addr" '
             '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

}