proxy-01

Fonctionnalités

  • Reçoit les requêtes depuis internet
  • Redirige les requêtes vers les machines concernées via Nginx
  • Filtre les requêtes via un pare-feu iptables (les règles ne sont pas reproduites sur cette page)
  • Bannit les adresses IP à l'origine de tentatives d'attaques via Fail2Ban (les jails ne sont pas reproduites sur cette page)

Configuration

Système d'exploitation

Debian stable (Debian 10 « Buster » au moment de la rédaction de cette page)

Adressage IP (extrait de /etc/network/interfaces)

# VM-LAN: static address on the internal /24, default gateway at .1.
# NOTE(review): the "dns-nameservers" line is only applied by the resolvconf
# hook; the package list on this page shows no resolvconf, so check that
# /etc/resolv.conf really points at these servers. Queries to them leave the
# LAN in clear text — confirm they are the hosting provider's recursors and
# that the iptables rules allow port 53 to those addresses only.
allow-hotplug enp7s0
iface enp7s0 inet static
	address 192.168.10.2/24
	gateway 192.168.10.1
	dns-nameservers 213.133.99.99 213.133.100.100 213.133.98.98

Configuration Nginx

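# Country blocking: resolve the client IP to a country and map it to yes/no.
# $geoip_country_code is an ISO 3166-1 alpha-2 (two-letter) code; the original
# entry "MYS" was the alpha-3 code for Malaysia and could never match, so
# Malaysia was silently allowed — it is "MY" here. Addresses the database
# cannot resolve (LAN/private ranges, missing entries) yield an empty code and
# fall through to "default yes", i.e. they are allowed.
# NOTE(review): /usr/share/GeoIP/GeoIP.dat is the legacy MaxMind format shipped
# by the geoip-database package; its accuracy depends on how recent that
# snapshot is, so confirm it is refreshed. Country blocking is a coarse control
# (trivially bypassed through a VPN or relay) and must not be the only filter
# in front of the backends.
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allow_country {
	default yes;
	PH no;   # Philippines
	MY no;   # Malaysia (was "MYS", an alpha-3 code that never matched)
	IN no;   # India
	BY no;   # Belarus
	UA no;   # Ukraine
	CN no;   # China
	RU no;   # Russia
	KR no;   # South Korea
	KP no;   # North Korea
}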
# Global HTTP front end: port 80, any hostname ("_").
# Every Host reaching port 80 is proxied as-is to 192.168.10.5 — there is no
# redirect to HTTPS, so clients arriving over HTTP stay in clear text on the
# internet side even for the hostnames that have a 443 block below, and the
# backend sees X-Forwarded-Proto "http" for them.
# NOTE(review): once every public hostname is covered by a 443 block, consider
# `return 301 https://$host$request_uri;` here (ACME HTTP-01 follows the
# redirect) and keep only what genuinely must stay on port 80.
server {
	listen 80;
	server_name _;

	# Country filter: $allow_country is set by the GeoIP map above. A
	# server-level "if" runs in the rewrite phase, before any location is
	# selected, so it applies to every request no matter where it is written.
	if ($allow_country = no) {
		return 403;
	}

	location / {
		# Upstream is reached over TLS on the LAN. nginx does not verify the
		# backend certificate unless proxy_ssl_verify is enabled — acceptable
		# only while the LAN segment is trusted. NOTE(review): confirm, or add
		# proxy_ssl_verify on; with proxy_ssl_trusted_certificate.
		proxy_pass https://192.168.10.5/;
		proxy_http_version 1.1;

		# WebSocket pass-through. "Connection: upgrade" is sent on every
		# request, not only when the client asked for an upgrade; the usual
		# fix is an http-level `map $http_upgrade $connection_upgrade
		# { default upgrade; '' close; }` — NOTE(review): left as-is here
		# because that map must live outside this server block.
		proxy_set_header Upgrade    $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_cache_bypass          $http_upgrade;

		# Client identity for the backend. X-Real-IP is the address nginx saw;
		# X-Forwarded-For appends to whatever the client already sent, so the
		# backend must trust only the last entry (added here), never the first.
		proxy_set_header Host              $host;
		proxy_set_header X-Real-IP         $remote_addr;
		proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;   # "http" on this listener
		proxy_set_header X-Forwarded-Host  $host;
		proxy_set_header X-Forwarded-Port  $server_port;
	}
}
# HTTPS front end for Liberta Vidéo (PeerTube).
# NOTE(review): this is the first 443 server in this file and none of them
# declares default_server, so — unless nginx includes another 443 block before
# this file — it also answers every request whose hostname matches no other
# server, including connections without SNI: those get the liberta.vip
# certificate and are proxied to the PeerTube backend. A dedicated catch-all
# (`listen 443 ssl default_server;` with a placeholder certificate and
# `return 444;`) keeps unknown hosts away from the backends.
# NOTE(review): no ssl_protocols/ssl_ciphers/HSTS are set here, so the TLS
# policy is whatever nginx.conf provides; confirm TLSv1.0/1.1 are disabled
# there and consider `add_header Strict-Transport-Security "max-age=..." always;`.
server {
	listen 443 ssl http2;
	server_name video.liberta.vip;

	# Let's Encrypt certificate shared with the other liberta.vip hosts.
	ssl_certificate     /etc/letsencrypt/live/liberta.vip/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/liberta.vip/privkey.pem;

	# Country filter from the GeoIP map; a server-level "if" runs in the
	# rewrite phase before location selection, so its position in the block
	# does not matter.
	if ($allow_country = no) {
		return 403;
	}

	location / {
		# PeerTube backend over TLS on the LAN; the backend certificate is not
		# verified by default (proxy_ssl_verify off). NOTE(review): acceptable
		# only while the LAN is trusted — confirm.
		proxy_pass https://192.168.10.8/;
		proxy_http_version 1.1;

		# WebSocket pass-through; "Connection: upgrade" is sent unconditionally
		# (see the port-80 block for the http-level map that would fix this).
		proxy_set_header Upgrade    $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_cache_bypass          $http_upgrade;

		# Client identity for the backend; trust X-Real-IP or the LAST
		# X-Forwarded-For entry, never the first (client-controlled).
		proxy_set_header Host              $host;
		proxy_set_header X-Real-IP         $remote_addr;
		proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-Host  $host;
		proxy_set_header X-Forwarded-Port  $server_port;
	}
}
# HTTPS front end for liberta.vip and all its subdomains.
# video.liberta.vip is still served by its own block: nginx prefers an exact
# server_name over a wildcard, so only the remaining subdomains land here.
# NOTE(review): the wildcard name relies on the certificate under
# /etc/letsencrypt/live/liberta.vip/ carrying a *.liberta.vip SAN (Let's
# Encrypt issues that only via DNS-01) — confirm, otherwise subdomains will
# present a mismatched certificate.
server {
	listen 443 ssl http2;
	server_name liberta.vip *.liberta.vip;

	ssl_certificate     /etc/letsencrypt/live/liberta.vip/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/liberta.vip/privkey.pem;

	# Country filter from the GeoIP map (server-level "if": rewrite phase,
	# evaluated before any location is chosen).
	if ($allow_country = no) {
		return 403;
	}

	location / {
		# Shared web backend over TLS on the LAN; backend certificate not
		# verified by default (proxy_ssl_verify off). NOTE(review): confirm the
		# LAN segment is trusted.
		proxy_pass https://192.168.10.5/;
		proxy_http_version 1.1;

		# WebSocket pass-through; "Connection: upgrade" is sent unconditionally
		# (see the port-80 block for the http-level map that would fix this).
		proxy_set_header Upgrade    $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_cache_bypass          $http_upgrade;

		# Client identity for the backend; trust X-Real-IP or the LAST
		# X-Forwarded-For entry, never the first (client-controlled).
		proxy_set_header Host              $host;
		proxy_set_header X-Real-IP         $remote_addr;
		proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-Host  $host;
		proxy_set_header X-Forwarded-Port  $server_port;
	}
}
# HTTPS front end for silics.fr and its subdomains.
# NOTE(review): unlike the liberta.vip blocks, there is no
# `if ($allow_country = no) { return 403; }` here, so the country filter does
# not apply to this site — confirm that this is deliberate.
# NOTE(review): the wildcard server_name needs a *.silics.fr SAN in the
# certificate under /etc/letsencrypt/live/silics.fr/ — confirm.
server {
	listen 443 ssl http2;
	server_name silics.fr *.silics.fr;

	ssl_certificate     /etc/letsencrypt/live/silics.fr/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/silics.fr/privkey.pem;

	location / {
		# Shared web backend over TLS on the LAN; backend certificate not
		# verified by default (proxy_ssl_verify off). NOTE(review): confirm the
		# LAN segment is trusted.
		proxy_pass https://192.168.10.5/;
		proxy_http_version 1.1;

		# WebSocket pass-through; "Connection: upgrade" is sent unconditionally
		# (see the port-80 block for the http-level map that would fix this).
		proxy_set_header Upgrade    $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_cache_bypass          $http_upgrade;

		# Client identity for the backend; trust X-Real-IP or the LAST
		# X-Forwarded-For entry, never the first (client-controlled).
		proxy_set_header Host              $host;
		proxy_set_header X-Real-IP         $remote_addr;
		proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-Host  $host;
		proxy_set_header X-Forwarded-Port  $server_port;
	}
}
# HTTPS front end for tarnmarket.fr and its subdomains.
# NOTE(review): as with silics.fr, no `if ($allow_country = no) { return 403; }`
# is present, so the country filter does not cover this site — confirm that
# this is deliberate.
# NOTE(review): the wildcard server_name needs a *.tarnmarket.fr SAN in the
# certificate under /etc/letsencrypt/live/tarnmarket.fr/ — confirm.
server {
	listen 443 ssl http2;
	server_name tarnmarket.fr *.tarnmarket.fr;

	ssl_certificate     /etc/letsencrypt/live/tarnmarket.fr/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/tarnmarket.fr/privkey.pem;

	location / {
		# Shared web backend over TLS on the LAN; backend certificate not
		# verified by default (proxy_ssl_verify off). NOTE(review): confirm the
		# LAN segment is trusted.
		proxy_pass https://192.168.10.5/;
		proxy_http_version 1.1;

		# WebSocket pass-through; "Connection: upgrade" is sent unconditionally
		# (see the port-80 block for the http-level map that would fix this).
		proxy_set_header Upgrade    $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_cache_bypass          $http_upgrade;

		# Client identity for the backend; trust X-Real-IP or the LAST
		# X-Forwarded-For entry, never the first (client-controlled).
		proxy_set_header Host              $host;
		proxy_set_header X-Real-IP         $remote_addr;
		proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-Host  $host;
		proxy_set_header X-Forwarded-Port  $server_port;
	}
}

Liste des paquets

root@proxy-01 ~ # dpkg --get-selections | grep -v 'deinstall' | awk '{ print $1}'
adduser
apparmor
apt
apt-listchanges
apt-utils
aspell
aspell-fr
base-files
base-passwd
bash
bash-completion
bind9-host
bsdmainutils
bsdutils
busybox
bzip2
ca-certificates
certbot
console-setup
console-setup-linux
coreutils
cpio
cron
dash
dbus
debconf
debconf-i18n
debian-archive-keyring
debian-faq
debianutils
dictionaries-common
diffutils
discover
discover-data
distro-info-data
dmidecode
dmsetup
doc-debian
dpkg
e2fsprogs
eject
emacsen-common
exuberant-ctags
fail2ban
fdisk
file
findutils
firmware-linux-free
fontconfig-config
fonts-dejavu-core
gcc-8-base:amd64
gdbm-l10n
geoip-bin
geoip-database
gettext-base
gpgv
grep
groff-base
grub-common
grub-pc
grub-pc-bin
grub2-common
gzip
hdparm
hostname
htop
ifrench-gut
iftop
ifupdown
init
init-system-helpers
initramfs-tools
initramfs-tools-core
installation-report
iotop
iproute2
iptables
iputils-ping
isc-dhcp-client
isc-dhcp-common
iso-codes
ispell
kbd
keyboard-configuration
klibc-utils
kmod
krb5-locales
laptop-detect
less
libacl1:amd64
libapparmor1:amd64
libapt-inst2.0:amd64
libapt-pkg5.0:amd64
libargon2-1:amd64
libaspell15:amd64
libattr1:amd64
libaudit-common
libaudit1:amd64
libbind9-161:amd64
libblkid1:amd64
libbsd0:amd64
libbz2-1.0:amd64
libc-bin
libc-l10n
libc6:amd64
libcap-ng0:amd64
libcap2:amd64
libcap2-bin
libcom-err2:amd64
libcryptsetup12:amd64
libcurl3-gnutls:amd64
libdb5.3:amd64
libdbus-1-3:amd64
libdebconfclient0:amd64
libdevmapper1.02.1:amd64
libdiscover2
libdns-export1104
libdns1104:amd64
libedit2:amd64
libefiboot1:amd64
libefivar1:amd64
libelf1:amd64
libestr0:amd64
libexpat1:amd64
libext2fs2:amd64
libfastjson4:amd64
libfdisk1:amd64
libffi6:amd64
libfontconfig1:amd64
libfreetype6:amd64
libfstrm0:amd64
libfuse2:amd64
libgcc1:amd64
libgcrypt20:amd64
libgd3:amd64
libgdbm-compat4:amd64
libgdbm6:amd64
libgeoip1:amd64
libgmp10:amd64
libgnutls30:amd64
libgpg-error0:amd64
libgpm2:amd64
libgssapi-krb5-2:amd64
libhogweed4:amd64
libicu63:amd64
libidn11:amd64
libidn2-0:amd64
libip4tc0:amd64
libip6tc0:amd64
libiptc0:amd64
libisc-export1100:amd64
libisc1100:amd64
libisccc161:amd64
libisccfg163:amd64
libjbig0:amd64
libjpeg62-turbo:amd64
libjson-c3:amd64
libk5crypto3:amd64
libkeyutils1:amd64
libklibc:amd64
libkmod2:amd64
libkrb5-3:amd64
libkrb5support0:amd64
libldap-2.4-2:amd64
libldap-common
liblmdb0:amd64
liblocale-gettext-perl
liblockfile-bin
liblognorm5:amd64
liblwres161:amd64
liblz4-1:amd64
liblzma5:amd64
libmagic-mgc
libmagic1:amd64
libmnl0:amd64
libmount1:amd64
libmpdec2:amd64
libncurses6:amd64
libncursesw6:amd64
libnetfilter-conntrack3:amd64
libnettle6:amd64
libnewt0.52:amd64
libnfnetlink0:amd64
libnftnl11:amd64
libnghttp2-14:amd64
libnginx-mod-http-auth-pam
libnginx-mod-http-dav-ext
libnginx-mod-http-echo
libnginx-mod-http-geoip
libnginx-mod-http-image-filter
libnginx-mod-http-subs-filter
libnginx-mod-http-upstream-fair
libnginx-mod-http-xslt-filter
libnginx-mod-mail
libnginx-mod-stream
libnss-systemd:amd64
libp11-kit0:amd64
libpam-modules:amd64
libpam-modules-bin
libpam-runtime
libpam-systemd:amd64
libpam0g:amd64
libpcap0.8:amd64
libpci3:amd64
libpcre2-8-0:amd64
libpcre3:amd64
libperl5.28:amd64
libpipeline1:amd64
libpng16-16:amd64
libpopt0:amd64
libprocps7:amd64
libprotobuf-c1:amd64
libpsl5:amd64
libpython-stdlib:amd64
libpython2-stdlib:amd64
libpython2.7-minimal:amd64
libpython2.7-stdlib:amd64
libpython3-stdlib:amd64
libpython3.7-minimal:amd64
libpython3.7-stdlib:amd64
libreadline7:amd64
librtmp1:amd64
libsasl2-2:amd64
libsasl2-modules:amd64
libsasl2-modules-db:amd64
libseccomp2:amd64
libselinux1:amd64
libsemanage-common
libsemanage1:amd64
libsensors-config
libsensors5:amd64
libsepol1:amd64
libslang2:amd64
libsmartcols1:amd64
libsqlite3-0:amd64
libss2:amd64
libssh2-1:amd64
libssl1.1:amd64
libstdc++6:amd64
libsystemd0:amd64
libtasn1-6:amd64
libtext-charwidth-perl
libtext-iconv-perl
libtext-wrapi18n-perl
libtiff5:amd64
libtinfo6:amd64
libuchardet0:amd64
libudev1:amd64
libunistring2:amd64
libusb-0.1-4:amd64
libusb-1.0-0:amd64
libuuid1:amd64
libwebp6:amd64
libwrap0:amd64
libx11-6:amd64
libx11-data
libxau6:amd64
libxcb1:amd64
libxdmcp6:amd64
libxext6:amd64
libxml2:amd64
libxmuu1:amd64
libxpm4:amd64
libxslt1.1:amd64
libxtables12:amd64
libzstd1:amd64
linux-base
linux-image-4.19.0-13-amd64
linux-image-4.19.0-14-amd64
linux-image-amd64
locales
login
logrotate
lsb-base
lsb-release
lsof
man-db
manpages
mawk
mime-support
mount
nano
ncurses-base
ncurses-bin
ncurses-term
net-tools
netbase
netcat-traditional
nginx
nginx-common
nginx-full
openssh-client
openssh-server
openssh-sftp-server
openssl
os-prober
passwd
pciutils
perl
perl-base
perl-modules-5.28
powermgmt-base
procps
publicsuffix
python
python-apt-common
python-minimal
python-pyicu
python2
python2-minimal
python2.7
python2.7-minimal
python3
python3-acme
python3-apt
python3-asn1crypto
python3-certbot
python3-certifi
python3-cffi-backend
python3-chardet
python3-configargparse
python3-configobj
python3-cryptography
python3-debconf
python3-debian
python3-debianbts
python3-distutils
python3-future
python3-httplib2
python3-idna
python3-josepy
python3-lib2to3
python3-minimal
python3-mock
python3-openssl
python3-parsedatetime
python3-pbr
python3-pkg-resources
python3-pycurl
python3-pyinotify
python3-pysimplesoap
python3-reportbug
python3-requests
python3-requests-toolbelt
python3-rfc3339
python3-setuptools
python3-six
python3-systemd
python3-tz
python3-urllib3
python3-zope.component
python3-zope.event
python3-zope.hookable
python3-zope.interface
python3.7
python3.7-minimal
readline-common
reportbug
rsync
rsyslog
sed
sensible-utils
sysstat
systemd
systemd-sysv
sysvinit-utils
tar
task-french
task-ssh-server
tasksel
tasksel-data
tcpdump
telnet
traceroute
tzdata
ucf
udev
ufw
usb.ids
usbutils
util-linux
util-linux-locales
vim
vim-common
vim-runtime
vim-tiny
wamerican
wfrench
wget
whiptail
whois
xauth
xkb-data
xxd
xz-utils
zlib1g:amd64