proxy-01
Fonctionnalités
- Reçoit les requêtes depuis internet
- Relaie les requêtes (reverse proxy) vers les machines concernées via Nginx
- Filtre les requêtes via un pare-feu iptables
- Bannit les adresses IP à l'origine de tentatives d'attaque via Fail2Ban
Configuration
Adressage IP
# VM-LAN: the proxy's LAN-facing interface, statically addressed so the Nginx
# upstreams on 192.168.10.0/24 (see the Nginx section) always have a fixed peer.
allow-hotplug enp7s0
iface enp7s0 inet static
    address 192.168.10.2
    netmask 255.255.255.0
    # Default route via the LAN gateway. This is the only interface shown on
    # this page, so Internet traffic presumably arrives through that gateway
    # as well — confirm against the hypervisor/network layout.
    gateway 192.168.10.1
    # Public resolvers outside the LAN (classic, unencrypted DNS via the
    # gateway). NOTE(review): ifupdown only applies dns-nameservers through the
    # resolvconf hook script, and resolvconf does not appear in the package
    # list below — verify that /etc/resolv.conf actually holds these entries.
    dns-nameservers 213.133.99.99 213.133.100.100 213.133.98.98
Configuration Nginx
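# Country-based blocking.
# The legacy MaxMind country database is loaded here; $geoip_country_code
# yields ISO 3166-1 *alpha-2* codes ("RU", "CN"), never alpha-3, so every key
# in the map below must be exactly two letters.
# NOTE(review): GeoIP.dat is the legacy MaxMind format; the geoip-database
# package in the list below ships a snapshot. Check how (and whether) it is
# refreshed — a stale database allows/denies on stale country data. Also keep
# in mind that country blocking is trivially bypassed via VPN/proxy; treat it
# as noise reduction, not as an access control.
geoip_country /usr/share/GeoIP/GeoIP.dat;

# $allow_country is "yes" unless the client's country is listed below; the
# server blocks enforce it with `if ($allow_country = no) { return 403; }`.
# Lookups that fail (private/unknown IPs) leave the code empty and fall
# through to the default, i.e. they are allowed.
# Fix: the original entry "MYS" is the alpha-3 code for Malaysia and could
# never match $geoip_country_code, so Malaysia was silently not blocked. The
# alpha-2 code is "MY".
map $geoip_country_code $allow_country {
    default yes;
    PH      no;   # Philippines
    MY      no;   # Malaysia (was "MYS": alpha-3, never matched)
    IN      no;   # India
    BY      no;   # Belarus
    UA      no;   # Ukraine
    CN      no;   # China
    RU      no;   # Russia
    KR      no;   # South Korea
    KP      no;   # North Korea
}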
# Global configuration: one server block per public frontend. All of them
# reverse-proxy over HTTPS to backends on the VM LAN (192.168.10.5 and
# 192.168.10.8) and rely on $allow_country from the geoip map above.
#
# NOTE(review), applies to every proxy_pass https://... below: nginx's
# proxy_ssl_verify defaults to off, so the backend certificate is NOT
# validated. On a trusted LAN this is often accepted, but anyone able to
# inject traffic on 192.168.10.0/24 could MITM the upstream leg; enable
# proxy_ssl_verify with proxy_ssl_trusted_certificate if that matters.
# NOTE(review): no server declares default_server on :443, so nginx uses the
# first one (video.liberta.vip) for any SNI/Host that matches nothing — such
# requests receive the liberta.vip certificate and are proxied to 192.168.10.8
# with the client-supplied Host header. A catch-all
# `listen 443 ssl default_server;` server that does `return 444;` would drop
# them instead.
# NOTE(review): ssl_protocols / ssl_ciphers are not set in these blocks, so
# they are inherited from the http{} context (not shown on this page) —
# verify the effective TLS policy there.
server {
    # Plain-HTTP catch-all frontend. Requests are proxied, not redirected to
    # HTTPS, so the client leg stays plaintext HTTP.
    server_name _;
    listen 80;
    location / {
        proxy_pass https://192.168.10.5/;
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
        # WebSocket pass-through. Connection is hard-coded to "upgrade" even
        # when $http_upgrade is empty; nginx's documented pattern is a map to
        # a $connection_upgrade variable so ordinary requests keep upstream
        # keepalive.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # X-Real-IP is the TCP peer address and is trustworthy. X-Forwarded-For
        # *appends* to whatever the client sent, so backends must only trust
        # the last (rightmost) entry.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
    }
    # Block listed countries. A server-level if runs in the server rewrite
    # phase, i.e. before a location is selected, so it covers every request.
    if ($allow_country = no) { return 403; }
}
server {
    # HTTPS frontend: Liberta Vidéo (PeerTube), on its own backend.
    server_name video.liberta.vip;
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/liberta.vip/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/liberta.vip/privkey.pem;
    location / {
        proxy_pass https://192.168.10.8/;
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
    }
    # Block listed countries.
    if ($allow_country = no) { return 403; }
}
server {
    # HTTPS frontends: Liberta apex and all subdomains. The wildcard name
    # requires the liberta.vip certificate to cover *.liberta.vip (a Let's
    # Encrypt wildcard needs DNS-01 validation) — confirm the cert's SANs.
    server_name liberta.vip *.liberta.vip;
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/liberta.vip/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/liberta.vip/privkey.pem;
    location / {
        proxy_pass https://192.168.10.5/;
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
    }
    # Block listed countries.
    if ($allow_country = no) { return 403; }
}
server {
    # HTTPS frontends: SILICS.
    # NOTE(review): unlike the Liberta servers, this block has no
    # $allow_country check — confirm whether that is intentional.
    server_name silics.fr *.silics.fr;
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/silics.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/silics.fr/privkey.pem;
    location / {
        proxy_pass https://192.168.10.5/;
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
    }
}
server {
    # HTTPS frontends: TarnMarket.
    # NOTE(review): same remark as SILICS — no $allow_country check here.
    server_name tarnmarket.fr *.tarnmarket.fr;
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/tarnmarket.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tarnmarket.fr/privkey.pem;
    location / {
        proxy_pass https://192.168.10.5/;
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
    }
}
Liste des paquets installés (sortie de `dpkg --get-selections`). À noter : deux noyaux cohabitent (linux-image-4.19.0-13 et -14, l'ancien pouvant être supprimé) et des outils de diagnostic réseau (telnet, netcat-traditional, tcpdump) restent présents sur cette machine exposée à Internet.
root@proxy-01 ~ # dpkg --get-selections | grep -v 'deinstall' | awk '{ print $1}' adduser apparmor apt apt-listchanges apt-utils aspell aspell-fr base-files base-passwd bash bash-completion bind9-host bsdmainutils bsdutils busybox bzip2 ca-certificates certbot console-setup console-setup-linux coreutils cpio cron dash dbus debconf debconf-i18n debian-archive-keyring debian-faq debianutils dictionaries-common diffutils discover discover-data distro-info-data dmidecode dmsetup doc-debian dpkg e2fsprogs eject emacsen-common exuberant-ctags fail2ban fdisk file findutils firmware-linux-free fontconfig-config fonts-dejavu-core gcc-8-base:amd64 gdbm-l10n geoip-bin geoip-database gettext-base gpgv grep groff-base grub-common grub-pc grub-pc-bin grub2-common gzip hdparm hostname htop ifrench-gut iftop ifupdown init init-system-helpers initramfs-tools initramfs-tools-core installation-report iotop iproute2 iptables iputils-ping isc-dhcp-client isc-dhcp-common iso-codes ispell kbd keyboard-configuration klibc-utils kmod krb5-locales laptop-detect less libacl1:amd64 libapparmor1:amd64 libapt-inst2.0:amd64 libapt-pkg5.0:amd64 libargon2-1:amd64 libaspell15:amd64 libattr1:amd64 libaudit-common libaudit1:amd64 libbind9-161:amd64 libblkid1:amd64 libbsd0:amd64 libbz2-1.0:amd64 libc-bin libc-l10n libc6:amd64 libcap-ng0:amd64 libcap2:amd64 libcap2-bin libcom-err2:amd64 libcryptsetup12:amd64 libcurl3-gnutls:amd64 libdb5.3:amd64 libdbus-1-3:amd64 libdebconfclient0:amd64 libdevmapper1.02.1:amd64 libdiscover2 libdns-export1104 libdns1104:amd64 libedit2:amd64 libefiboot1:amd64 libefivar1:amd64 libelf1:amd64 libestr0:amd64 libexpat1:amd64 libext2fs2:amd64 libfastjson4:amd64 libfdisk1:amd64 libffi6:amd64 libfontconfig1:amd64 libfreetype6:amd64 libfstrm0:amd64 libfuse2:amd64 libgcc1:amd64 libgcrypt20:amd64 libgd3:amd64 libgdbm-compat4:amd64 libgdbm6:amd64 libgeoip1:amd64 libgmp10:amd64 libgnutls30:amd64 libgpg-error0:amd64 libgpm2:amd64 libgssapi-krb5-2:amd64 libhogweed4:amd64 libicu63:amd64 
libidn11:amd64 libidn2-0:amd64 libip4tc0:amd64 libip6tc0:amd64 libiptc0:amd64 libisc-export1100:amd64 libisc1100:amd64 libisccc161:amd64 libisccfg163:amd64 libjbig0:amd64 libjpeg62-turbo:amd64 libjson-c3:amd64 libk5crypto3:amd64 libkeyutils1:amd64 libklibc:amd64 libkmod2:amd64 libkrb5-3:amd64 libkrb5support0:amd64 libldap-2.4-2:amd64 libldap-common liblmdb0:amd64 liblocale-gettext-perl liblockfile-bin liblognorm5:amd64 liblwres161:amd64 liblz4-1:amd64 liblzma5:amd64 libmagic-mgc libmagic1:amd64 libmnl0:amd64 libmount1:amd64 libmpdec2:amd64 libncurses6:amd64 libncursesw6:amd64 libnetfilter-conntrack3:amd64 libnettle6:amd64 libnewt0.52:amd64 libnfnetlink0:amd64 libnftnl11:amd64 libnghttp2-14:amd64 libnginx-mod-http-auth-pam libnginx-mod-http-dav-ext libnginx-mod-http-echo libnginx-mod-http-geoip libnginx-mod-http-image-filter libnginx-mod-http-subs-filter libnginx-mod-http-upstream-fair libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream libnss-systemd:amd64 libp11-kit0:amd64 libpam-modules:amd64 libpam-modules-bin libpam-runtime libpam-systemd:amd64 libpam0g:amd64 libpcap0.8:amd64 libpci3:amd64 libpcre2-8-0:amd64 libpcre3:amd64 libperl5.28:amd64 libpipeline1:amd64 libpng16-16:amd64 libpopt0:amd64 libprocps7:amd64 libprotobuf-c1:amd64 libpsl5:amd64 libpython-stdlib:amd64 libpython2-stdlib:amd64 libpython2.7-minimal:amd64 libpython2.7-stdlib:amd64 libpython3-stdlib:amd64 libpython3.7-minimal:amd64 libpython3.7-stdlib:amd64 libreadline7:amd64 librtmp1:amd64 libsasl2-2:amd64 libsasl2-modules:amd64 libsasl2-modules-db:amd64 libseccomp2:amd64 libselinux1:amd64 libsemanage-common libsemanage1:amd64 libsensors-config libsensors5:amd64 libsepol1:amd64 libslang2:amd64 libsmartcols1:amd64 libsqlite3-0:amd64 libss2:amd64 libssh2-1:amd64 libssl1.1:amd64 libstdc++6:amd64 libsystemd0:amd64 libtasn1-6:amd64 libtext-charwidth-perl libtext-iconv-perl libtext-wrapi18n-perl libtiff5:amd64 libtinfo6:amd64 libuchardet0:amd64 libudev1:amd64 libunistring2:amd64 
libusb-0.1-4:amd64 libusb-1.0-0:amd64 libuuid1:amd64 libwebp6:amd64 libwrap0:amd64 libx11-6:amd64 libx11-data libxau6:amd64 libxcb1:amd64 libxdmcp6:amd64 libxext6:amd64 libxml2:amd64 libxmuu1:amd64 libxpm4:amd64 libxslt1.1:amd64 libxtables12:amd64 libzstd1:amd64 linux-base linux-image-4.19.0-13-amd64 linux-image-4.19.0-14-amd64 linux-image-amd64 locales login logrotate lsb-base lsb-release lsof man-db manpages mawk mime-support mount nano ncurses-base ncurses-bin ncurses-term net-tools netbase netcat-traditional nginx nginx-common nginx-full openssh-client openssh-server openssh-sftp-server openssl os-prober passwd pciutils perl perl-base perl-modules-5.28 powermgmt-base procps publicsuffix python python-apt-common python-minimal python-pyicu python2 python2-minimal python2.7 python2.7-minimal python3 python3-acme python3-apt python3-asn1crypto python3-certbot python3-certifi python3-cffi-backend python3-chardet python3-configargparse python3-configobj python3-cryptography python3-debconf python3-debian python3-debianbts python3-distutils python3-future python3-httplib2 python3-idna python3-josepy python3-lib2to3 python3-minimal python3-mock python3-openssl python3-parsedatetime python3-pbr python3-pkg-resources python3-pycurl python3-pyinotify python3-pysimplesoap python3-reportbug python3-requests python3-requests-toolbelt python3-rfc3339 python3-setuptools python3-six python3-systemd python3-tz python3-urllib3 python3-zope.component python3-zope.event python3-zope.hookable python3-zope.interface python3.7 python3.7-minimal readline-common reportbug rsync rsyslog sed sensible-utils sysstat systemd systemd-sysv sysvinit-utils tar task-french task-ssh-server tasksel tasksel-data tcpdump telnet traceroute tzdata ucf udev ufw usb.ids usbutils util-linux util-linux-locales vim vim-common vim-runtime vim-tiny wamerican wfrench wget whiptail whois xauth xkb-data xxd xz-utils zlib1g:amd64