Remplacement de nginx par haproxy

2020-08-06 21:51:52 +02:00 · 2020-08-06 21:51:52 +02:00 · 0bc657893f
parent 4cd01f46cd
commit 0bc657893f
1 changed files with 100 additions and 64 deletions
--- a/README.md
+++ b/README.md
@ -25,15 +25,15 @@ rm /etc/update-motd.d/50-motd-news # Pour Ubuntu
 echo -n "
 echo \"

- ██ ▄█▀ ██▀███   ██░ ██  ▄▄▄       ▄████▄   ██ ▄█▀▓█████  ███▄    █ 
- ██▄█▒ ▓██ ▒ ██▒▓██░ ██▒▒████▄    ▒██▀ ▀█   ██▄█▒ ▓█   ▀  ██ ▀█   █ 
+ ██ ▄█▀ ██▀███   ██░ ██  ▄▄▄       ▄████▄   ██ ▄█▀▓█████  ███▄    █
+ ██▄█▒ ▓██ ▒ ██▒▓██░ ██▒▒████▄    ▒██▀ ▀█   ██▄█▒ ▓█   ▀  ██ ▀█   █
 ▓███▄░ ▓██ ░▄█ ▒▒██▀▀██░▒██  ▀█▄  ▒▓█    ▄ ▓███▄░ ▒███   ▓██  ▀█ ██▒
 ▓██ █▄ ▒██▀▀█▄  ░▓█ ░██ ░██▄▄▄▄██ ▒▓▓▄ ▄██▒▓██ █▄ ▒▓█  ▄ ▓██▒  ▐▌██▒
 ▒██▒ █▄░██▓ ▒██▒░▓█▒░██▓ ▓█   ▓██▒▒ ▓███▀ ░▒██▒ █▄░▒████▒▒██░   ▓██░
-▒ ▒▒ ▓▒░ ▒▓ ░▒▓░ ▒ ░░▒░▒ ▒▒   ▓▒█░░ ░▒ ▒  ░▒ ▒▒ ▓▒░░ ▒░ ░░ ▒░   ▒ ▒ 
+▒ ▒▒ ▓▒░ ▒▓ ░▒▓░ ▒ ░░▒░▒ ▒▒   ▓▒█░░ ░▒ ▒  ░▒ ▒▒ ▓▒░░ ▒░ ░░ ▒░   ▒ ▒
 ░ ░▒ ▒░  ░▒ ░ ▒░ ▒ ░▒░ ░  ▒   ▒▒ ░  ░  ▒   ░ ░▒ ▒░ ░ ░  ░░ ░░   ░ ▒░
-░ ░░ ░   ░░   ░  ░  ░░ ░  ░   ▒   ░        ░ ░░ ░    ░      ░   ░ ░ 
-░  ░      ░      ░  ░  ░      ░  ░░ ░      ░  ░      ░  ░         ░ 
+░ ░░ ░   ░░   ░  ░  ░░ ░  ░   ▒   ░        ░ ░░ ░    ░      ░   ░ ░
+░  ░      ░      ░  ░  ░      ░  ░░ ░      ░  ░      ░  ░         ░
                                  ░                                 
 \"
 " >> /etc/update-motd.d/00-header
@ -57,7 +57,7 @@ systemctl restart ssh
 apt install zsh zsh-common zsh-syntax-highlighting zsh-doc zsh-autosuggestions
 # Garder les variables d'environnement
 echo "emulate sh -c 'source /etc/profile'" >> /etc/zsh/zprofile
-sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" # oui cette commande pique les yeux ^^ 
+sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" # oui cette commande pique les yeux ^^
 ```
 On choisit un beau de thème de shell (steeef par exemple !):
 ```
@ -122,7 +122,7 @@ table filter {
        # for LXD
        proto (udp tcp) dport domain ACCEPT;
        proto udp dport bootps ACCEPT;
-        
+
        # WEB
        proto tcp dport http ACCEPT;
        proto tcp dport https ACCEPT;
@ -289,70 +289,106 @@ Si tout s'est bien passé :
 certbot certonly --dns-ovh --dns-ovh-credentials ~/.ovh.ini -d *.krhacken.org
 ```

+#### Mise en place des certificats pour HAProxy
+
+HAProxy a besoin d'un seul fichier pour le certificat wildcard, voici comment créer ce fichier.

-#### Fichiers de configuration Nginx
-Adapter `/etc/nginx/nginx.conf`
 ```
-ssl_protocols TLSv1.2 TLSv1.3; 
-ssl_prefer_server_ciphers on;
-ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
-ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
-ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
-ssl_session_timeout 10m;
-ssl_session_cache shared:SSL:10m;
-ssl_session_tickets off; # Requires nginx >= 1.5.9
-ssl_stapling on; # Requires nginx >= 1.3.7
-ssl_stapling_verify on; # Requires nginx => 1.3.7
-resolver 80.67.169.12 80.67.169.40 valid=300s;
-resolver_timeout 5s;
+cat /etc/letsencrypt/live/krhacken.org/privkey.pem /etc/letsencrypt/live/krhacken.org/fullchain.pem > /etc/ssl/letsencrypt/krhacken.org.pem
 ```

+On modifie le script de renouvellement utilisé par certbot pour inclure cette action

-vhost pour nextcloud : `/etc/nginx/sites-available/nextcloud`
+`/opt/certbot-renew.sh`
 ```
-server {
-	listen 80;
-	server_name cloud.krhacken.org;
-	return 301 https://$server_name$request_uri;
-}
-server {
-	listen 443 ssl;
-	server_name cloud.krhacken.org;
-
-	location / {
-		proxy_pass http://IP_nextcloud_server;
-		include /etc/nginx/proxy_params;
-	}
-
-	# Upload settings
-	client_max_body_size 1G;
-	fastcgi_buffers 64 4K;
-
-	# C{ard,al}Dav tweaks
-	location = /.well-known/carddav {
-		rewrite ^(.*) https://$server_name/remote.php/dav permanent;
-	}
-	location = /.well-known/caldav {
-		rewrite ^(.*) https://$server_name/remote.php/dav permanent;
-	}
-	location = /.well-known/webfinger {
-		rewrite ^(.*) https://$server_name/public.php?service=webfinger permanent;
-	}
-	
-	# TLS
-	ssl_certificate /etc/letsencrypt/live/krhacken.org/fullchain.pem;
-        ssl_certificate_key /etc/letsencrypt/live/krhacken.org/privkey.pem;
-	
-	# Logs
-	access_log /var/log/nginx/nextcloud.access.log;
-	error_log /var/log/nginx/nextcloud.error.log;
-	
-	# STS
-	add_header Strict-Transport-Security "max-age=31536000;includeSubDomains" always;
-}
+#!/bin/bash
+/usr/bin/certbot renew
+/bin/cat /etc/letsencrypt/live/krhacken.org/privkey.pem /etc/letsencrypt/live/krhacken.org/fullchain.pem > /etc/ssl/letsencrypt/krhacken.org.pem
+/bin/systemctl reload haproxy.service
 ```

-Il possible qu'un bug survienne lors du redémarrage de Nginx, la solution est [ici](https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1581864).
+#### Fichiers de configuration HAProxy
+Adapter `/etc/haproxy/haproxy.conf`
+```
+global
+  log /dev/log local0
+  log /dev/log local1 notice
+  stats socket /run/haproxy/admin.sock
+  stats timeout 30s
+  user haproxy
+  group haproxy
+  daemon
+  ca-base /etc/ssl/certs
+  crt-base /etc/ssl/private
+  ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+  ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+  ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+  ssl-default-server-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
+  ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+  ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+  nbproc 1
+
+defaults
+  log global
+  mode http
+  option dontlognull
+  timeout connect 5000
+  timeout client 50000
+  timeout server 50000
+  errorfile 400 /etc/haproxy/errors/400.http
+  errorfile 403 /etc/haproxy/errors/403.http
+  errorfile 408 /etc/haproxy/errors/408.http
+  errorfile 500 /etc/haproxy/errors/500.http
+  errorfile 502 /etc/haproxy/errors/502.http
+  errorfile 503 /etc/haproxy/errors/503.http
+  errorfile 504 /etc/haproxy/errors/504.http
+
+frontend unsecure-all
+  bind :::80 accept-proxy v4v6
+  mode http
+  redirect scheme https code 301
+  default_backend drop-http
+
+frontend secure-all
+  bind :::443 v4v6 accept-proxy ssl no-sslv3 crt /etc/ssl/letsencrypt/krhacken.org.pem
+  mode http
+  option forwardfor
+  option httplog
+  acl www hdr_beg(host) -i www.
+  reqirep ^Host:\ www.(.*)$ Host:\ \1 if www
+  rspadd Strict-Transport-Security:\ max-age=63072000
+
+  acl cloud hdr_end(host) cloud.krhacken.org
+  acl git hdr_end(host) git.krhacken.org
+  acl matrix hdr_end(host) matrix.krhacken.org
+
+  use_backend cloud if cloud
+  use_backend git if git
+  use_backend matrix if matrix
+
+  default_backend drop-http
+
+backend cloud
+  mode http
+  server cloud-1 10.0.0.51:80 check
+
+backend git
+  mode http
+  server git-1 10.0.0.202:80 check
+
+backend matrix
+  mode http
+  server matrix-1 10.0.0.66:80 check
+
+backend drop-http
+  mode http
+  http-request silent-drop
+```
+
+Pour chaque nouveau service il faut ajouter :
+- Un ACL pour le domaine
+- Une instruction use_backend par ACL
+- Une backend

 ### Nextcloud (Syze)
 #### Pré-requis :
@ -393,7 +429,7 @@ server {
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;
-    
+
    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;