Routeur routeur
: routeur principal de l'infrastructure de Libre en Communs
Matériel
Linksys WRT3200ACM (ARMv7 Processor rev 1 (v7l))
Logiciel
Système d'exploitation : OpenWrt 21.02.1 / LuCI openwrt-21.02
Reverse proxy HTTP(S) : nginx
Interface graphique : luci
VPN : openvpn
Certificats SSL : acme
Caractéristiques notables
Domaine : routeur.libre-en-communs.org
Adresse ipv4 publique : 80.67.176.33
Adresse ipv4 locale : 192.168.1.1
Adresse ipv6 publique : 2001:910:1021::1
Configuration des interfaces
/etc/config/network
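# /etc/config/network — interfaces of the main router (OpenWrt 21.02, UCI syntax)
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# ULA prefix for stable local IPv6 addressing on the LAN, in addition to the
# global prefix delegated over the PPPoE link
config globals 'globals'
option ula_prefix 'fd91:24db:dc7e::/48'
# the four switch ports form a single bridged LAN segment
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.1.1'
# a /64 of the delegated global prefix is assigned to br-lan: every LAN host
# gets a globally routable IPv6 address; whether it is reachable from the
# internet is decided solely by /etc/config/firewall
option ip6assign '64'
# WAN MAC override — presumably what the access line expects; confirm before changing
config device
option name 'wan'
option macaddr 'ea:9f:80:1a:08:80'
config interface 'wan'
option device 'wan'
option proto 'pppoe'
option username 'association.libre.en.comm@fdn.ilf.kosc'
# PPPoE secret: the real value lives only on the device (and in the team's
# password store); it is never reproduced on this page. A secret that has
# been published must be rotated with the ISP.
option password '<PPPOE_PASSWORD_REDACTED>'
# request IPv6 (address + prefix delegation) over the PPP session
option ipv6 'auto'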
Configuration des certificats SSL
/etc/config/acme
# /etc/config/acme — Let's Encrypt certificate for the router's own hostname
config acme
option state_dir '/etc/acme'
option debug '0'
option account_email 'cominfra@a-lec.org'
# section name kept from the package example; this is a single-name
# certificate, not a wildcard
config cert 'example_wildcard'
# reload nginx after (re)issuance — nginx serves the files from
# /etc/acme/routeur.libre-en-communs.org_ecc/ (see /etc/nginx/uci.conf)
option update_nginx '1'
option enabled '1'
list domains 'routeur.libre-en-communs.org'
option update_uhttpd '0'
# HTTP-01 challenge: the token is written under /www, nginx's document root.
# Port 80 for this name currently answers with a 302 to HTTPS (uci.conf), so the
# validator only reaches the token by following that redirect — TODO confirm
# that renewal still succeeds with that redirect in place
option validation_method 'webroot'
option webroot '/www'
# ECDSA P-384 key; acme.sh stores ECC certificates in the "_ecc" directory
# referenced by the nginx ssl_certificate paths
option keylength 'ec-384'
# production ACME endpoint ('1' would issue untrusted staging certificates)
option use_staging '0'
Configuration DHCP (IP statiques allouées aux VM et serveurs)
/etc/config/dhcp
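# /etc/config/dhcp — dnsmasq (local DNS + DHCPv4) and odhcpd (DHCPv6/RA) for the LAN
config dnsmasq
option localise_queries '1'
# reject upstream answers pointing into private ranges (DNS-rebinding protection)
option rebind_protection '1'
option rebind_localhost '1'
# names under .lan are answered locally and never forwarded upstream
option local '/lan/'
option domain 'lan'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
# only answer DNS queries coming from directly attached subnets
option localservice '1'
option ednspacket_max '1232'
# every query is written to the log: handy while debugging, noisy and
# privacy-sensitive in steady state
option logqueries '1'
# '0' forwards reverse lookups for private ranges (192.168.x.x, ...) that are
# not known locally to the upstream resolvers instead of answering NXDOMAIN
# (OpenWrt's default is '1'); this leaks internal addressing upstream
option boguspriv '0'
# send each query to all upstream servers, first answer wins
option allservers '1'
config dhcp 'lan'
option interface 'lan'
# dynamic pool 192.168.1.100-249. Most static leases below fall inside it;
# dnsmasq reserves dhcp-host addresses and does not hand them out dynamically,
# but check /tmp/dhcp.leases if a collision is ever suspected
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ra 'hybrid'
option dhcpv6 'hybrid'
option ndp 'hybrid'
list ra_flags 'none'
# no DHCP/RA service towards the WAN
config dhcp 'wan'
option interface 'wan'
option ignore '1'
list ra_flags 'none'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# extra DNS records (host-record): short names and FQDNs for the router and the
# two hypervisors, IPv4 and IPv6. Each name/address pair is listed once.
config domain
option name 'routeur'
option ip '2001:910:1021::1'
config domain
option name 'mother.libre-en-communs.org'
option ip '192.168.1.108'
config domain
option name 'mother'
option ip '2001:910:1021::2'
config domain
option name 'aunt.libre-en-communs.org'
option ip '192.168.1.206'
config domain
option name 'aunt'
option ip '2001:910:1021::3'
# static DHCPv4 leases for the hypervisors and VMs. `dns '1'` also publishes
# the short name in local DNS; the nginx upstreams in /etc/nginx/*.conf
# (gestion, git, www, mail, toot, audio, tootest) resolve through these entries
config host
option name 'mother'
option dns '1'
option ip '192.168.1.108'
option mac '52:C6:86:7C:8F:7E'
config host
option name 'aunt'
option dns '1'
option ip '192.168.1.206'
option mac 'F2:8A:D8:B6:5D:60'
config host
option mac '52:54:00:C1:D0:69'
option name 'dns'
option dns '1'
option ip '192.168.1.242'
config host
option name 'gestion'
option dns '1'
option mac '52:54:00:C8:83:EC'
option ip '192.168.1.236'
config host
option name 'git'
option dns '1'
option mac '52:54:00:FD:63:1C'
option ip '192.168.1.131'
config host
option mac '52:54:00:12:BC:CF'
option name 'mail'
option dns '1'
option ip '192.168.1.201'
config host
option name 'toot'
option dns '1'
option mac '52:54:00:E4:2A:97'
option ip '192.168.1.179'
config host
option mac '52:54:00:07:F1:3C'
option name 'www'
option dns '1'
option ip '192.168.1.188'
config host
option name 'xmpp'
option dns '1'
option mac '52:54:00:0B:A6:ED'
option ip '192.168.1.211'
# no WAN redirect in /etc/config/firewall targets this host (the xmpp
# redirects go to 192.168.1.211) — presumably reached another way, confirm
config host
option name 'xmpp.chalec.org'
option dns '1'
option mac '52:54:00:FC:74:4C'
option ip '192.168.1.204'
config host
option name 'audio'
option dns '1'
option mac '52:54:00:EE:93:E0'
option ip '192.168.1.186'
config host
option mac '52:54:00:F2:BB:55'
option name 'tootest'
option dns '1'
option ip '192.168.1.232'
config host
option mac '52:54:00:86:69:5F'
option name 'generic'
option dns '1'
option ip '192.168.1.195'
# split-horizon entries: public FQDNs resolve to LAN addresses from inside,
# so LAN clients reach the services directly instead of through the WAN DNAT rules
config domain
option name 'mail.a-lec.org'
option ip '192.168.1.201'
config domain
option name 'git.a-lec.org'
option ip '192.168.1.131'
config domain
option name 'xmpp.a-lec.org'
option ip '192.168.1.211'
config domain
option name 'dns.libre-en-communs.org'
option ip '192.168.1.242'
config domain
option name 'dns.libre-en-communs.org'
option ip '2001:910:1021::242'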
Configuration du pare-feu (et redirections de ports pour IPv4)
/etc/config/firewall
# /etc/config/firewall — fw3 zones, WAN input rules and IPv4 port forwards
#
# Global and wan-zone policies are ACCEPT for input and forward (OpenWrt ships
# REJECT for both on wan). Consequences:
#  - every service listening on the router (LuCI/nginx on 444, ssh, dnsmasq,
#    odhcpd, ...) is reachable from the internet, over IPv4 and IPv6;
#  - with the wan->lan forwarding below, every LAN host is reachable on every
#    port over its global IPv6 address (lan ip6assign '64' in
#    /etc/config/network); IPv4 is only reachable through the DNAT redirects
#    because of masquerading.
# With REJECT policies the redirects below should keep working, since fw3
# generates the matching forward accept for each DNAT redirect — verify after
# changing. IPv6 access to the hosts that need it (dns, mother, aunt) would then
# need explicit per-host/per-port rules.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'ACCEPT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# wan zone: also covers the OpenVPN tunnel (tun0), so VPN peers are treated
# exactly like the internet
config zone
option name 'wan'
option output 'ACCEPT'
# clamp TCP MSS to the PPPoE MTU
option mtu_fix '1'
option input 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
list network 'wan'
list device 'pppoe-wan'
list device 'tun0'
config forwarding
option src 'lan'
option dest 'wan'
# The Allow-* rules below are OpenWrt's stock WAN input rules. They only have
# an effect once the wan zone input policy is REJECT/DROP; with ACCEPT they are
# no-ops kept for the day the policy is tightened.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# disabled (enabled 'false'); stock OpenWrt rule kept for reference
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
# extra iptables rules live in /etc/firewall.user, which is not reproduced here
config include
option path '/etc/firewall.user'
# unconditional wan->lan forwarding: see the note at the top of the file
config forwarding
option src 'wan'
option dest 'lan'
# IPv4 port forwards. A redirect without `proto` applies to tcp and udp.
# External ports 222/223/666/777 expose ssh on the hypervisors and VMs;
# 666 and 777 map to the guests' port 22, 222/223 presumably to sshd listening
# on that same port inside the host — confirm on mother/aunt.
config redirect
option target 'DNAT'
option name 'ssh 222 -> mother'
option src 'wan'
option src_dport '222'
option dest 'lan'
option dest_ip '192.168.1.108'
option dest_port '222'
config redirect
option target 'DNAT'
option name 'ssh 223 -> aunt'
option src 'wan'
option src_dport '223'
option dest 'lan'
option dest_ip '192.168.1.206'
option dest_port '223'
# DNS exposed to the internet (tcp+udp). dns.libre-en-communs.org is presumably
# authoritative only — make sure it does not recurse for arbitrary clients, or
# it becomes an amplification source
config redirect
option target 'DNAT'
option name 'dns 53 -> dns'
option src 'wan'
option src_dport '53'
option dest 'lan'
option dest_port '53'
option dest_ip '192.168.1.242'
# mail: SMTP, submission and IMAPS; the `smtps` label is port 587 (submission/STARTTLS)
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '25'
option dest 'lan'
option dest_port '25'
option name 'smtp -> mail'
option dest_ip '192.168.1.201'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '587'
option dest 'lan'
option dest_port '587'
option name 'smtps -> mail'
option dest_ip '192.168.1.201'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '993'
option dest 'lan'
option dest_port '993'
option name 'imaps -> mail'
option dest_ip '192.168.1.201'
config redirect
option target 'DNAT'
option name 'ssh 666 -> mail'
option src 'wan'
option src_dport '666'
option dest 'lan'
option dest_port '22'
option dest_ip '192.168.1.201'
# port 22 on the public address belongs to the git host (git-over-ssh);
# the router's own ssh is therefore not reachable on 22 from the WAN
config redirect
option target 'DNAT'
option name 'ssh 22 -> git'
option src 'wan'
option src_dport '22'
option dest 'lan'
option dest_port '22'
option dest_ip '192.168.1.131'
config redirect
option target 'DNAT'
option name 'ssh 777 -> www'
option src 'wan'
option src_dport '777'
option dest 'lan'
option dest_port '22'
option dest_ip '192.168.1.188'
# XMPP (192.168.1.211): c2s, legacy c2s TLS, s2s, BOSH/websocket http(s), STUN
config redirect
option target 'DNAT'
option name 'xmpp c2s'
option src 'wan'
option src_dport '5222'
option dest 'lan'
option dest_port '5222'
option dest_ip '192.168.1.211'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '5223'
option dest 'lan'
option dest_port '5223'
option name 'xmpp c2s tls'
option dest_ip '192.168.1.211'
config redirect
option target 'DNAT'
option name 'xmpp s2s'
option src 'wan'
option src_dport '5269'
option dest 'lan'
option dest_port '5269'
option dest_ip '192.168.1.211'
config redirect
option target 'DNAT'
option name 'xmpp https'
option src 'wan'
option src_dport '5443'
option dest 'lan'
option dest_port '5443'
option dest_ip '192.168.1.211'
config redirect
option target 'DNAT'
option name 'xmpp http'
option src 'wan'
option src_dport '5280'
option dest 'lan'
option dest_port '5280'
option dest_ip '192.168.1.211'
config redirect
option target 'DNAT'
option name 'xmpp stun'
option src 'wan'
option src_dport '3478'
option dest 'lan'
option dest_port '3478'
option dest_ip '192.168.1.211'
# Mumble (tcp+udp) on the audio VM
config redirect
option target 'DNAT'
option name 'mumble -> audio'
option src 'wan'
option src_dport '64738'
option dest 'lan'
option dest_ip '192.168.1.186'
option dest_port '64738'
Configuration Reverse Proxy (nginx)
Note : IPv4 uniquement
/etc/nginx/uci.conf (fichier principal de configuration)
# /etc/nginx/uci.conf — main nginx configuration (OpenWrt nginx-ssl package)
worker_processes auto;
# Worker processes run as root as well. The master only needs root to bind the
# ports and read the private key; presumably inherited from the package template.
# Running workers unprivileged would contain a compromise of the HTTP parser or
# proxy code — check that whatever conf.d/*.locations wires up (LuCI/uwsgi
# sockets) still works before changing it.
user root;
events {
worker_connections 1024;
}
# stream {} block: SNI-based TLS passthrough on port 443 (no TLS termination here)
include reverse_proxy_ssl.conf;
http {
# no HTTP access log is kept at all (the format below is defined but unused)
access_log off;
log_format openwrt
'$request_method $scheme://$host$request_uri => $status'
' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';
include mime.types;
default_type application/octet-stream;
sendfile on;
client_max_body_size 128M;
# 1 KiB request-header buffers: requests with long cookies or URIs will be
# answered 494/400 — presumably the package default, raise if LuCI or a proxied
# app misbehaves
large_client_header_buffers 2 1k;
server_names_hash_bucket_size 64;
gzip on;
gzip_vary on;
gzip_proxied any;
# also the ACME webroot (/etc/config/acme, option webroot '/www')
root /www;
# Router's own HTTPS vhost (LuCI). It is not on 443: the stream proxy relays
# routeur.libre-en-communs.org connections to 127.0.0.1:444 with the PROXY
# protocol, hence `proxy_protocol` on the IPv4 listener.
server { #see uci show 'nginx._lan'
# With PROXY protocol, $remote_addr is 127.0.0.1 unless the realip module is
# configured (`set_real_ip_from 127.0.0.1; real_ip_header proxy_protocol;`);
# any LAN-only allow/deny in conf.d/*.locations must be checked against that.
listen 444 ssl proxy_protocol default_server;
# Direct (non-PROXY) IPv6 listener; port 444 is reachable from the WAN over
# IPv6 given the wan zone input ACCEPT in /etc/config/firewall.
listen [::]:444 ssl default_server;
server_name routeur.libre-en-communs.org;
include conf.d/*.locations;
# files maintained by acme (/etc/config/acme, keylength ec-384)
ssl_certificate /etc/acme/routeur.libre-en-communs.org_ecc/fullchain.cer;
ssl_certificate_key /etc/acme/routeur.libre-en-communs.org_ecc/routeur.libre-en-communs.org.key;
# no ssl_protocols/ssl_ciphers set: nginx's built-in default applies, which
# for this release still includes TLSv1 and TLSv1.1 — TODO confirm and
# consider `ssl_protocols TLSv1.2 TLSv1.3;`
ssl_session_cache shared:SSL:32k;
ssl_session_timeout 64m;
access_log off; # logd openwrt;
}
# Plain-HTTP listener. Defined before the reverse_proxy.conf servers, so it is
# the default server for port 80: the router's own name is redirected to HTTPS,
# any other unmatched Host gets 404 (including the ACME challenge path, which
# is only reached through the redirect).
server {
if ($host = routeur.libre-en-communs.org) {
return 302 https://$host$request_uri;
}
server_name routeur.libre-en-communs.org;
listen 80;
return 404;
}
# HTTP (port 80) reverse proxies for the hosted services
include reverse_proxy.conf;
include conf.d/*.conf;
}
/etc/nginx/reverse_proxy.conf (reverse proxy HTTP)
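# /etc/nginx/reverse_proxy.conf — plain-HTTP (port 80) reverse proxies, included
# inside http {} from uci.conf. One server per public name; the upstream short
# names (gestion, audio, git, www, toot, mail, tootest) resolve through the
# dnsmasq host entries in /etc/config/dhcp.
#
# Each server forwards the original Host header: several backends serve more
# than one public name (gestion also answers coffre.a-lec.org, www also answers
# a-lec.org), and without `proxy_set_header Host $host` the backend only sees
# the upstream name ("gestion", "www") and cannot tell the vhosts apart nor
# build a correct redirect. proxy_redirect is off, so backend Location headers
# are passed through untouched. X-Real-IP / X-Forwarded-For carry the client
# address; they are only trustworthy on the backend if it accepts them from
# this proxy alone.
server {
server_name gestion.a-lec.org;
listen 80;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location / {
proxy_pass http://gestion:80;
}
}
server {
server_name audio.a-lec.org;
listen 80;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location / {
proxy_pass http://audio:80;
}
}
# second name served by the gestion backend
server {
server_name coffre.a-lec.org;
listen 80;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location / {
proxy_pass http://gestion:80;
}
}
server {
server_name git.a-lec.org;
listen 80;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location / {
proxy_pass http://git:80;
}
}
server {
server_name www.a-lec.org;
listen 80;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location / {
proxy_pass http://www:80;
}
}
# apex domain, same backend as www.a-lec.org
server {
server_name a-lec.org;
listen 80;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location / {
proxy_pass http://www:80;
}
}
server {
server_name toot.a-lec.org;
listen 80;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location / {
proxy_pass http://toot:80;
}
}
server {
server_name mail.a-lec.org;
listen 80;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location / {
proxy_pass http://mail:80;
}
}
server {
server_name tootest.a-lec.org;
listen 80;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location / {
proxy_pass http://tootest:80;
}
}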
/etc/nginx/reverse_proxy_ssl.conf (reverse proxy HTTPS)
# /etc/nginx/reverse_proxy_ssl.conf — TLS passthrough on port 443.
# TLS is NOT terminated on the router: ssl_preread extracts the SNI from the
# ClientHello and the TCP stream is relayed unchanged, so every backend
# terminates TLS with its own certificate. Included at main level from uci.conf.
stream {
# hash sizing for the map below (10 entries); bump if more names are added
map_hash_max_size 64;
map_hash_bucket_size 64;
# SNI name -> upstream. There is no `default`: a connection without SNI or with
# an unlisted name leaves $name_443 empty and the proxy_pass fails (connection
# closed). That is deny-by-default, presumably intended — confirm the behaviour
# in the error log rather than relying on it silently.
map $ssl_preread_server_name $name_443 {
gestion.a-lec.org gestion_a-lec_443;
coffre.a-lec.org gestion_a-lec_443;
git.a-lec.org git_a-lec_443;
www.a-lec.org www_a-lec_443;
a-lec.org www_a-lec_443;
mail.a-lec.org mail_a-lec_443;
toot.a-lec.org toot_a-lec_443;
# the router's own vhost lives on 127.0.0.1:444 (uci.conf)
routeur.libre-en-communs.org routeur_444;
audio.a-lec.org audio_a-lec_443;
tootest.a-lec.org tootest_a-lec_443;
}
# backend short names resolve via the dnsmasq host entries in /etc/config/dhcp
upstream gestion_a-lec_443 {
server gestion:443;
}
upstream tootest_a-lec_443 {
server tootest:443;
}
upstream audio_a-lec_443 {
server audio:443;
}
upstream git_a-lec_443 {
server git:443;
}
upstream mail_a-lec_443 {
server mail:443;
}
upstream www_a-lec_443 {
server www:443;
}
upstream toot_a-lec_443 {
server toot:443;
}
upstream routeur_444 {
server 127.0.0.1:444;
}
# IPv4 only (no [::]:443 listener); IPv6 clients reach the backends directly
# through the firewall's wan->lan forwarding, not through this proxy.
server {
listen 443;
proxy_pass $name_443;
# proxy_protocol applies to EVERY upstream in the map, not only routeur_444:
# each backend's :443 listener must accept the PROXY protocol header, otherwise
# it sees a garbled ClientHello. Without it the backends would log 127.0.0.1-
# style proxy addresses... no: they would see the router's LAN address as client.
proxy_protocol on;
ssl_preread on;
}
# defined but not referenced by any access_log directive in this block, so it is
# currently inert; enable it with `access_log <path> basic;` inside server {}
# when the stream layer needs to be audited
log_format basic '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time "$upstream_addr" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
}