Dynamic Multipoint VPN (DMVPN)
Alpine Linux wiki, page revision by Cewebb, 2014-01-31; edit summary: "Local DNS will be handled by DHCP/DNS container in Small Office Services document".
Source: https://wiki.alpinelinux.org/w/index.php?title=Dynamic_Multipoint_VPN_(DMVPN)&diff=9837

{{Draft}}

http://alpinelinux.org/about, under '''Why the Name Alpine?''', states: [ref?]

''The first open-source implementation of Cisco's DMVPN, called OpenNHRP, was written for Alpine Linux.''

The aim of this document is therefore to be the reference Linux DMVPN setup, including all the network services needed by the clients that will use the DMVPN (DNS, DHCP, firewall, etc.).

= Terminology =
;NBMA: ''Non-Broadcast Multi-Access'' network, as described in [http://tools.ietf.org/html/rfc2332 RFC 2332]

;Hub: the ''Next Hop Server'' (NHS), which provides the Next Hop Resolution Protocol service within the NBMA cloud.

;Spoke: the ''Next Hop Resolution Protocol Client'' (NHC), which issues NHRP requests of various types in order to obtain access to the NHRP service.

{{Tip|At the time of this writing, the minimum recommended Alpine version for building a DMVPN is 2.4.11. Don't use 2.5.x or 2.6.0, whose kernels have in-tunnel IP fragmentation issues; Alpine 2.6.1 or later is fine.}}

{{Note|This document assumes that all Alpine installations run in [[Installation#Basics|diskless mode]] and that the configuration is saved on a USB key}}

= Hardware =
If you need hundreds of megabits of VPN throughput on a limited budget, consider the [http://www.via.com.tw/en/initiatives/padlock/hardware.jsp VIA PadLock] engine present in the VIA C7, Eden, Nano and Quad processors. For gigabit throughput, go for an Intel Xeon processor with [http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni AES-NI] and [http://software.intel.com/en-us/articles/intel-sha-extensions SHA Extensions] instead.

To use the VIA PadLock engine, load its kernel modules at boot (the module names are <code>padlock-aes</code> and <code>padlock-sha</code>; modprobe treats <code>-</code> and <code>_</code> interchangeably):

{{Cmd|echo -e "padlock-aes\npadlock-sha" >> /etc/modules}}

= Extract Certificates =
We will use certificates for the DMVPN (racoon) and for OpenVPN (RoadWarrior clients). If you need to generate your own certificates, see [[Generating_SSL_certs_with_ACF]]; use a separate machine for this purpose. If you downloaded the certificates on a Windows machine, you can use [http://winscp.net/eng/download.php WinSCP] to copy them to the DMVPN box.

Here are the general-purpose instructions for extracting the CA certificate, the private key and the host certificate from a pfx (PKCS#12) file:

{{Cmd|openssl pkcs12 -in cert.pfx -cacerts -nokeys -out cacert.pem
openssl pkcs12 -in cert.pfx -nocerts -nodes -out serverkey.pem
openssl pkcs12 -in cert.pfx -nokeys -clcerts -out cert.pem
}}

<code>-nodes</code> writes the private key unencrypted, so restrict the permissions of the extracted files (and of the pfx itself, which also contains the key):

{{Cmd|chmod 600 *.pem *.pfx}}

Note that the later sections expect different file names: racoon uses <code>ca.pem</code>, <code>cert.pem</code> and <code>key.pem</code> in <code>/etc/racoon</code>, while OpenVPN uses <code>cacert.pem</code>, <code>servercert.pem</code> and <code>serverkey.pem</code> in <code>/etc/openvpn</code>. Rename the extracted files accordingly.
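As an added example (not part of the wiki page), here is a small POSIX shell script that wraps the three extraction commands above, creates the files with root-only permissions from the start instead of fixing them up afterwards, and then checks that the extracted certificate actually chains to the extracted CA and matches the extracted key, which is the mistake that otherwise only shows up as an opaque racoon or OpenVPN handshake failure. The file names follow the racoon section (<code>ca.pem</code>, <code>cert.pem</code>, <code>key.pem</code>); the bundle password handling (<code>-passin pass:</code>) and the throw-away test CA built by <code>make_test_bundle</code> are assumptions made so the script can be run self-contained, not something from the page.

```shell
#!/bin/sh
# Extract CA certificate, host certificate and private key from a PKCS#12 (.pfx)
# bundle, keep the key root-only, and verify that the three files belong together
# before they go into /etc/racoon or /etc/openvpn.
# Added example, not the wiki's own commands; the extraction flags are the ones
# used on the page, file names follow the racoon section (ca.pem, cert.pem, key.pem).

# extract_pfx <bundle.pfx> <outdir> [import-password]
extract_pfx() {
    pfx=$1 out=$2 pw=${3-}
    (
        umask 077    # -nodes writes the key unencrypted, so create everything 0600
        mkdir -p "$out" &&
        openssl pkcs12 -in "$pfx" -passin "pass:$pw" -cacerts -nokeys -out "$out/ca.pem" &&
        openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nocerts -nodes -out "$out/key.pem" &&
        openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nokeys -clcerts -out "$out/cert.pem"
    )
}

# verify_extracted <dir>: succeed only if cert.pem chains to ca.pem and its
# public key is the one in key.pem.
verify_extracted() {
    dir=$1
    openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/key.pem" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_test_bundle <dir>: constructed test material (a throw-away CA and a spoke
# certificate carrying the OU attributes the hub's NHRP script looks for), so the
# functions above can be exercised without a real CA. Import password: "secret".
# A private openssl config is written so the CA gets basicConstraints CA:TRUE
# regardless of the system-wide openssl.cnf.
make_test_bundle() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
        '[dn]' '[ca_ext]' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' > "$d/ca.cnf"
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test DMVPN CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=vpnc/OU=GRE=172.16.1.1/OU=AS=65001" \
        -keyout "$d/spoke.key" -out "$d/spoke.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$d/spoke.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/spoke.crt" 2>/dev/null &&
    openssl pkcs12 -export -in "$d/spoke.crt" -inkey "$d/spoke.key" \
        -certfile "$d/ca.crt" -passout pass:secret -out "$d/cert.pfx"
}

# Typical use on the DMVPN box (PFX_PASSWORD is whatever protects your bundle):
#   extract_pfx cert.pfx /etc/racoon "$PFX_PASSWORD" && verify_extracted /etc/racoon \
#       || echo "certificate bundle is broken, not installing" >&2
```

<code>verify_extracted</code> compares the SubjectPublicKeyInfo of the certificate with the one derived from the key, so it works for RSA and EC keys alike; <code>openssl verify</code> only confirms the chain, it says nothing about the key.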

= Spoke Node =
A local spoke node network supports multiple ISP connections along with redundant layer 2 switches. At least one 802.1q capable switch is required; a second one is optional, for redundancy. The typical spoke node network looks like this:

[[File:DMVPN-Spoke.png]]

== Boot Alpine USB ==
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB to create a bootable USB key.

== Alpine Setup ==
We will set up the network interfaces (802.1q VLAN sub-interfaces of the <code>bond0</code> bonded link) as follows:

* bond0.3 = Management '''(not implemented below yet)'''
* bond0.8 = LAN
* bond0.64 = DMZ
* bond0.80 = Voice '''(not implemented below yet)'''
* bond0.96 = Internet Access Only (no access to the DMVPN network) '''(not implemented below yet)'''
* bond0.620 = WiFi Transit Zone for Internet Access Only (no access to the DMVPN network)
* bond0.256 = ISP1
* bond0.257 = ISP2

{{Cmd|setup-alpine}}

{|class="wikitable"
!'''You will be prompted something like this...'''
!'''Suggestion on what you could enter...'''
|-
|<code>Select keyboard layout [none]:</code>
|''Type an appropriate layout for you''
|-
|<code>Select variant:</code>
|''Type an appropriate layout for you (if prompted)''
|-
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code>
|''Enter the hostname, e.g.'' '''vpnc'''
|-
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code>
|''Enter'' '''bond0.8'''
|-
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code>
|'''eth0 eth1'''
|-
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [none]:</code>
|''Press Enter confirming 'none'''
|-
|<code>IP address for bond0.8? (or 'dhcp', 'none', '?') [dhcp]:</code>
|''Enter the IP address of your LAN interface, e.g.'' '''10.1.0.1'''
|-
|<code>Netmask? [255.255.255.0]:</code>
|''Press Enter confirming '255.255.255.0' or type another appropriate subnet mask''
|-
|<code>Gateway? (or 'none') [none]:</code>
|''Press Enter confirming 'none'''
|-
|<code>Do you want to do any manual network configuration? [no]</code>
|'''yes'''
|-
|''Make a copy of the bond0.8 configuration for the bond0.64, bond0.620, bond0.256 and bond0.257 (optional) interfaces.<br>Don't forget to add a gateway and a metric value for the ISP interfaces when multiple gateways are set.<br>Save and close the file (:wq)''
|-
|<code>DNS domain name? (e.g. 'bar.com') []:</code>
|''Enter the domain name of your intranet, e.g.'' '''example.net'''
|-
|<code>DNS nameserver(s)? []:</code>
|'''8.8.8.8 8.8.4.4''' (we will change them later, once the local recursive resolver is running)
|-
|<code>Changing password for root<br>New password:</code>
|''Enter a secure password for the console''
|-
|<code>Retype password:</code>
|''Retype the above password''
|-
|<code>Which timezone are you in? ('?' for list) [UTC]:</code>
|''Press Enter confirming 'UTC'''
|-
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code>
|''Press Enter confirming 'none'''
|-
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code>
|''Select a mirror close to you and press Enter''
|-
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code>
|''Press Enter confirming 'openssh'''
|-
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code>
|''Press Enter confirming 'chrony'''
|-
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code>
|''Press Enter confirming 'none', or type 'none' if needed''
|-
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code>
|''Press Enter confirming 'usb'''
|-
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code>
|''Press Enter confirming '/media/usb/cache'''
|}

== Networking ==
Update the networking configuration.

With your favorite editor open <code>/etc/network/interfaces</code> and add the interfaces. Replace the <code><%...%></code> placeholders with your own addresses; when both ISPs are connected, each ISP stanza also needs a <code>gateway</code> line with its own metric, as noted during <code>setup-alpine</code>:

{{cat|/etc/network/interfaces|
...

auto bond0.8
iface bond0.8 inet static
address 10.1.0.1
netmask 255.255.255.0

auto bond0.64
iface bond0.64 inet static
address <%DMVPN_DMZ_ADDRESS%>
netmask <%DMVPN_DMZ_NETMASK%>

auto bond0.620
iface bond0.620 inet static
address <%DMVPN_WIFI_TRANSIT_IP_ADDRESS%>
netmask <%WIFI_TRANSIT_NETMASK%>

...

auto bond0.256
iface bond0.256 inet static
address <%ISP1_IP_ADDRESS%>
netmask <%ISP1_NETMASK%>

auto bond0.257
iface bond0.257 inet static
address <%ISP2_IP_ADDRESS%>
netmask <%ISP2_NETMASK%>
}}

== Bonding ==
Update the bonding configuration.

With your favorite editor open <code>/etc/network/interfaces</code> and add the <code>bond-mode</code>, <code>bond-miimon</code> and <code>bond-updelay</code> parameters to the <code>bond0</code> stanza:

{{cat|/etc/network/interfaces|
auto bond0
iface bond0 inet manual
bond-slaves eth0 eth1
bond-mode balance-tlb
bond-miimon 100
bond-updelay 500
...
}}

Bring up the new bonding settings. Do this from the console: taking <code>bond0</code> down also takes down every VLAN sub-interface on it, including the one carrying an SSH session.

{{Cmd|ifdown bond0
ifup bond0}}


== Physically install ==
At this point you're ready to connect the VPN Spoke Node to the network, if you haven't already done so. Set up an 802.1q capable switch with the VLANs listed in the Alpine Setup section and tag all of them on one port. Connect that port to <code>eth0</code> (with a second, redundant switch, configure it the same way and connect it to <code>eth1</code>, the other <code>bond0</code> slave). Then connect your first ISP's CPE to a switch port with VLAN 256 untagged.

== SSH ==
Disable password authentication and reverse DNS lookups. Before you do, make sure your public key is in <code>/root/.ssh/authorized_keys</code> and that a key-based login works, or you will lock yourself out of remote access. The default <code>sshd_config</code> ships these options commented out (<code>#PasswordAuthentication yes</code>), so the substitution has to match an optional leading <code>#</code> and whatever value follows the keyword:

{{Cmd|sed -i -E "s/^#?PasswordAuthentication .*/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i -E "s/^#?UseDNS .*/UseDNS no/" /etc/ssh/sshd_config}}

Check the result with <code>sshd -t</code>, then restart ssh:
{{Cmd|/etc/init.d/sshd restart}}
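The two <code>sed</code> substitutions above only rewrite lines that already exist; an option that is missing from the file is silently left at its default. As an added example (not from the page), the following POSIX shell helpers make the edit idempotent: a keyword that is commented out, already set to another value, or absent altogether all end up as exactly one active line, and running the script twice does not duplicate anything. <code>PermitRootLogin prohibit-password</code> is an assumption added for the root-over-SSH setup this page uses, not something the page configures.

```shell
#!/bin/sh
# Idempotent editing of sshd_config keywords. Added example, not the wiki's own
# commands. Handles a keyword that is commented out ("#PasswordAuthentication yes"),
# already uncommented with another value, or missing entirely, without creating
# duplicate lines on repeated runs.

# set_sshd_option <file> <Keyword> <value>
# Rewrites every (possibly commented) "<Keyword> ..." line, or appends one.
# Keywords inside "Match" blocks are rewritten too, so check with "sshd -t" afterwards.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -qE "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# sshd_option <file> <Keyword>: print the value of each active (uncommented) line
sshd_option() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]+(.*)$/\1/p" "$1"
}

# harden_sshd <file>: the two settings from the page plus key-only root login
# (PermitRootLogin prohibit-password needs OpenSSH 7.0 or newer; assumption, not on the page)
harden_sshd() {
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" UseDNS no
    set_sshd_option "$1" PermitRootLogin prohibit-password
}

# Usage on the box:  harden_sshd /etc/ssh/sshd_config && sshd -t && /etc/init.d/sshd restart
```

Match is on the keyword only, so the helper does not care whether the distribution's default line says <code>yes</code>, <code>no</code> or something else, which is what makes the page's fixed-string <code>sed</code> fragile.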

== NTP server ==
In order for attached devices to sync their time against this host, chrony needs to accept client requests. Add '<code>allow all</code>' to the end of '<code>/etc/chrony/chrony.conf</code>', so the file looks something like this:

{{cat|/etc/chrony/chrony.conf|
server pool.ntp.org
initstepslew 10 pool.ntp.org
commandkey 10
keyfile /etc/chrony/chrony.keys
driftfile /etc/chrony/chrony.drift
allow all
}}

<code>allow all</code> accepts NTP requests from any source address; the firewall rules below only let NTP in from the LAN and DMZ zones, so this is acceptable here, but you may restrict it further (e.g. <code>allow 10.1.0.0/16</code>).

Restart chronyd for the changes to take effect:
{{cmd|/etc/init.d/chronyd restart}}

== Recursive DNS ==
Install package(s):

{{Cmd|apk add -U unbound}}

With your favorite editor open <code>/etc/unbound/unbound.conf</code> and add the following configuration. The <code>stub-zone</code> stanzas are for domains that are internal to your network and served by your own authoritative servers; drop them if you have none. Only the LAN address is bound and only the 10.1.0.0/16 and loopback ranges may query, so the resolver is not an open recursor:

{{cat|/etc/unbound/unbound.conf|
server:
verbosity: 1
interface: 10.1.0.1
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
do-daemonize: yes
access-control: 10.1.0.0/16 allow
access-control: 127.0.0.0/8 allow

do-not-query-localhost: no

root-hints: "/etc/unbound/root.hints"

stub-zone:
name: "location1.example.net"
stub-addr: 10.1.0.2

stub-zone:
name: "example.net"
stub-addr: 172.16.255.1
stub-addr: 172.16.255.2
stub-addr: 172.16.255.3
stub-addr: 172.16.255.4
stub-addr: 172.16.255.5
stub-addr: 172.16.255.7

stub-zone:
name: "example2.net"
stub-addr: 172.16.255.1
stub-addr: 172.16.255.2
stub-addr: 172.16.255.3
stub-addr: 172.16.255.4
stub-addr: 172.16.255.5
stub-addr: 172.16.255.7
}}

Start unbound, enable it at boot and make this host use it (this overwrites the nameservers entered during <code>setup-alpine</code>):

{{Cmd|/etc/init.d/unbound start
rc-update add unbound
echo nameserver 10.1.0.1 > /etc/resolv.conf}}

== GRE Tunnel ==
With your favorite editor open <code>/etc/network/interfaces</code> and add the following. No <code>remote</code> is given, so <code>gre1</code> is a multipoint GRE tunnel; NHRP will supply the peer addresses. The GRE key (<code>12.34.56.78</code> here, in dotted-quad form) only identifies the tunnel and must be the same on every node; it is not a secret and gives no protection. Confidentiality and authentication come from the IPsec transport-mode policy in the next section, which covers all GRE traffic:

{{cat|/etc/network/interfaces|<nowiki>
auto gre1
iface gre1 inet static
pre-up ip tunnel add $IFACE mode gre ttl 64 tos inherit key 12.34.56.78 || true
address 172.16.1.1
netmask 255.255.0.0
post-down ip tunnel del $IFACE || true
</nowiki>}}

Bring up the new <code>gre1</code> interface:

{{Cmd|ifup gre1}}

== IPSEC ==
Install package(s):

{{Cmd|apk add ipsec-tools}}

With your favorite editor create <code>/etc/ipsec.conf</code> and set the content to the following. Every GRE packet, in both directions, must be protected by ESP in transport mode; GRE from or to an unprotected peer is dropped by the kernel:

{{cat|/etc/ipsec.conf|
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
}}

Create the missing directory:

{{Cmd|mkdir /etc/racoon/}}

Extract your pfx into <code>/etc/racoon</code>, using the file names '''<code>ca.pem</code>''', '''<code>cert.pem</code>''' and '''<code>key.pem</code>''' (see the [[Dynamic_Multipoint_VPN_%28DMVPN%29#Extract_Certificates|instructions above]] for the commands), and keep <code>key.pem</code> readable by root only.

With your favorite editor create <code>/etc/racoon/racoon.conf</code> and set the content to the following:

{{cat|/etc/racoon/racoon.conf|
path certificate "/etc/racoon/";
remote anonymous {
    exchange_mode main;
    lifetime time 2 hour;
    certificate_type x509 "/etc/racoon/cert.pem" "/etc/racoon/key.pem";
    ca_type x509 "/etc/racoon/ca.pem";
    my_identifier asn1dn;
    nat_traversal on;
    script "/etc/opennhrp/racoon-ph1dead.sh" phase1_dead;
    dpd_delay 120;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group modp4096;
    }
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 2 hour;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
}}

The first proposal uses a 4096-bit MODP group (<code>modp4096</code>); the second, <code>dh_group 2</code> (1024-bit MODP), is only a fallback for peers that cannot do better, and 1024-bit Diffie-Hellman is considered weak today. Since you control every node of the DMVPN, drop the second proposal, and pick a larger <code>pfs_group</code>, once all peers support the first. <code>remote anonymous</code> with <code>ca_type x509</code> means that any certificate issued by your CA is accepted for phase 1; the hub's NHRP script below additionally checks the certificate's subject before it trusts the GRE address a peer registers.

Edit <code>/etc/conf.d/racoon</code> and unset <code>RACOON_PSK_FILE</code> (we authenticate with certificates, not pre-shared keys):

{{cat|/etc/conf.d/racoon|
...
RACOON_PSK_FILE{{=}}
...
}}

Start service(s):

{{Cmd|/etc/init.d/racoon start
rc-update add racoon}}

== Next Hop Resolution Protocol (NHRP) ==
Install package(s):

{{Cmd|apk add opennhrp}}

With your favorite editor open <code>/etc/opennhrp/opennhrp.conf</code> and change the content to the following. <code>dynamic-map</code> resolves the hub(s) by name; <code>shortcut-destination</code> on the local interfaces allows other spokes to build direct spoke-to-spoke tunnels to the networks behind them:

{{cat|/etc/opennhrp/opennhrp.conf|
interface gre1
dynamic-map 172.16.0.0/16 hub.example.com
shortcut
redirect
non-caching

interface bond0.8
shortcut-destination

interface bond0.64
shortcut-destination

interface bond0.620
shortcut-destination
}}

''<code>hub.example.com</code>'' must resolve to the NBMA (public) address of every hub: create one DNS A record per hub. The name is looked up before the tunnel exists, so it has to be resolvable from the Internet, not only inside the VPN.

With your favorite editor open <code>/etc/opennhrp/opennhrp-script</code> and change the content to the following. OpenNHRP runs this script on every event: the <code>peer-up</code> hook brings up the IPsec SAs towards a newly discovered peer, and the <code>nhs-up</code>/<code>nhs-down</code> hooks add and remove the hub as a BGP neighbor:

{{cat|/etc/opennhrp/opennhrp-script|<nowiki>#!/bin/sh
# Our own AS number, taken from the "router bgp <asn>" line of bgpd.conf
MYAS=$(sed -n 's/^router bgp \([0-9]*\).*/\1/p' /etc/quagga/bgpd.conf)

case $1 in
interface-up)
    echo "Interface $NHRP_INTERFACE is up"
    if [ "$NHRP_INTERFACE" = "gre1" ]; then
        # routes installed by this script carry "proto 42", so they can be
        # flushed without touching anything else in the table
        ip route flush proto 42 dev $NHRP_INTERFACE
        ip neigh flush dev $NHRP_INTERFACE

        # (re)create the peer-group the hubs are put into by nhs-up
        vtysh -d bgpd \
            -c "configure terminal" \
            -c "router bgp $MYAS" \
            -c "no neighbor core" \
            -c "neighbor core peer-group"
    fi
    ;;
peer-register)
    ;;
peer-up)
    if [ -n "$NHRP_DESTMTU" ]; then
        # pin the MTU NHRP learned for this peer on the route to its NBMA address
        ARGS=`ip route get $NHRP_DESTNBMA from $NHRP_SRCNBMA | head -1`
        ip route add $ARGS proto 42 mtu $NHRP_DESTMTU
    fi
    echo "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
    # bring up the IKE (phase 1) and ESP-for-GRE (phase 2) SAs and wait for them;
    # a non-zero exit tells OpenNHRP the peer could not be brought up
    racoonctl establish-sa -w isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA || exit 1
    racoonctl establish-sa -w esp inet $NHRP_SRCNBMA $NHRP_DESTNBMA gre || exit 1
    ;;
peer-down)
    echo "Delete link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
    racoonctl delete-sa isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA
    ip route del $NHRP_DESTNBMA src $NHRP_SRCNBMA proto 42
    ;;
nhs-up)
    echo "NHS UP $NHRP_DESTADDR"
    (
    # serialise vtysh access between concurrent script invocations
    flock -x 200
    vtysh -d bgpd \
        -c "configure terminal" \
        -c "router bgp $MYAS" \
        -c "neighbor $NHRP_DESTADDR remote-as 65000" \
        -c "neighbor $NHRP_DESTADDR peer-group core" \
        -c "exit" \
        -c "exit" \
        -c "clear bgp $NHRP_DESTADDR"
    ) 200>/var/lock/opennhrp-script.lock
    ;;
nhs-down)
    (
    flock -x 200
    vtysh -d bgpd \
        -c "configure terminal" \
        -c "router bgp $MYAS" \
        -c "no neighbor $NHRP_DESTADDR"
    ) 200>/var/lock/opennhrp-script.lock
    ;;
route-up)
    echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is up"
    ip route replace $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 via $NHRP_NEXTHOP dev $NHRP_INTERFACE
    ip route flush cache
    ;;
route-down)
    echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is down"
    ip route del $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42
    ip route flush cache
    ;;
esac

exit 0
</nowiki>}}

Make it executable and start service(s):

{{Cmd|chmod +x /etc/opennhrp/opennhrp-script
/etc/init.d/opennhrp start
rc-update add opennhrp}}

== BGP ==
Install package(s):

{{Cmd|apk add quagga
touch /etc/quagga/zebra.conf}}

With your favorite editor open <code>/etc/quagga/bgpd.conf</code> and change the content to the following. Replace <code>strongpassword</code> with a password of your choice and <code>%HUB1_GRE_IP%</code>, <code>%HUB2_GRE_IP%</code> with the GRE addresses of your '''Hub''' nodes. The <code>access-list 1</code> / <code>line vty</code> stanza restricts the telnet command line to localhost:
* Add one <code>neighbor %HUBn_GRE_IP% remote-as 65000</code> line for each '''Hub''' host you have in your NBMA cloud. The <code>nhs-up</code> hook of the NHRP script above also adds each hub as a neighbor dynamically when it becomes reachable.

{{cat|/etc/quagga/bgpd.conf|
password strongpassword
enable password strongpassword
log syslog

access-list 1 remark Command line access authorized IP
access-list 1 permit 127.0.0.1
line vty
access-class 1

hostname vpnc.example.net

router bgp 65001
bgp router-id 172.16.1.1
network 10.1.0.0/16
neighbor %HUB1_GRE_IP% remote-as 65000
neighbor %HUB2_GRE_IP% remote-as 65000
...
}}

Start service(s):

{{Cmd|/etc/init.d/bgpd start
rc-update add bgpd}}

== OpenVPN ==
Install package(s) and generate the Diffie-Hellman parameters:

{{Cmd|echo tun >> /etc/modules
modprobe tun
apk add openvpn openssl
openssl dhparam -out /etc/openvpn/dh1024.pem 1024}}

1024-bit DH parameters are weak by current standards; generate 2048-bit ones (<code>openssl dhparam -out /etc/openvpn/dh2048.pem 2048</code>) and adjust the <code>dh</code> line below accordingly.

Configure openvpn. Copy the certificates extracted above into <code>/etc/openvpn</code> as <code>cacert.pem</code>, <code>servercert.pem</code> and <code>serverkey.pem</code>; <code>crl-verify</code> requires the CA's certificate revocation list to be present as <code>/etc/openvpn/crl.pem</code>, otherwise OpenVPN will not start. RoadWarrior clients get an address from 10.1.128.0/24, a route to the whole 10.0.0.0/8 (i.e. every site on the DMVPN) and the local recursive resolver as their DNS server:

{{cat|/etc/openvpn/openvpn.conf|
dev tun
proto udp
port 1194

server 10.1.128.0 255.255.255.0
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 10.1.0.1"

tls-server
ca /etc/openvpn/cacert.pem
cert /etc/openvpn/servercert.pem
key /etc/openvpn/serverkey.pem

crl-verify /etc/openvpn/crl.pem

dh /etc/openvpn/dh1024.pem

persist-key
persist-tun

keepalive 10 120

comp-lzo

status /var/log/openvpn.status
mute 20
verb 3
}}

Compressing traffic inside an encrypted tunnel is no longer recommended; drop <code>comp-lzo</code> unless your existing clients require it.

Start service(s):

{{Cmd|/etc/init.d/openvpn start
rc-update add openvpn}}

== Firewall ==
Install package(s):

{{Cmd|apk add awall}}

Enable IP forwarding now and make it persistent. The original substitution only rewrote an existing <code>ip_forward</code> line; removing any such line first and appending the setting also covers a <code>sysctl.conf</code> that does not mention it:

{{Cmd|sysctl -w net.ipv4.ip_forward{{=}}1
sed -i -E '/^#? *net\.ipv4\.ip_forward/d' /etc/sysctl.conf
echo 'net.ipv4.ip_forward {{=}} 1' >> /etc/sysctl.conf}}

With your favorite editor, edit the following files and set their contents as follows. The zone names used throughout are: <code>A</code> the DMVPN (gre1), <code>B</code> the LAN, <code>C</code> the DMZ, <code>DE</code> the WiFi transit zone, <code>E</code> the Internet (both ISPs) and <code>_fw</code> the firewall host itself. Traffic from <code>E</code> is dropped by default, the DMZ may reach both the DMVPN and the Internet, the WiFi transit zone only the Internet, and everything leaving towards <code>E</code> is source-NATed:

{{cat|/etc/awall/optional/params.json|
{
  "description": "params",

  "variable": {
    "B_IF": "bond0.8",
    "C_IF": "bond0.64",
    "DE_IF": "bond0.620",
    "ISP1_IF": "bond0.256",
    "ISP2_IF": "bond0.257"
  }
}
}}

{{cat|/etc/awall/optional/internet-host.json|
{
  "description": "Internet host",

  "import": "params",

  "zone": {
    "E": { "iface": [ "$ISP1_IF", "$ISP2_IF" ] },
    "ISP1": { "iface": "$ISP1_IF" },
    "ISP2": { "iface": "$ISP2_IF" }
  },

  "filter": [
    {
      "in": "E",
      "service": "ping",
      "action": "accept",
      "flow-limit": { "count": 10, "interval": 6 }
    },
    {
      "in": "E",
      "out": "_fw",
      "service": [ "ssh", "https" ],
      "action": "accept",
      "conn-limit": { "count": 3, "interval": 60 }
    },

    {
      "in": "_fw",
      "out": "E",
      "service": [ "dns", "http", "ntp" ],
      "action": "accept"
    },
    {
      "in": "_fw",
      "service": [ "ping", "ssh" ],
      "action": "accept"
    }
  ]
}
}}

{{cat|/etc/awall/optional/openvpn.json|
{
  "description": "OpenVPN support",

  "import": "internet-host",

  "service": {
    "openvpn": { "proto": "udp", "port": 1194 }
  },

  "filter": [
    { "in": "E", "out": "_fw", "service": "openvpn", "action": "accept" }
  ]
}
}}

{{cat|/etc/awall/optional/clampmss.json|
{
  "description": "Deal with ISPs afraid of ICMP",

  "import": "internet-host",

  "clamp-mss": [ { "out": "E" } ]
}
}}

{{cat|/etc/awall/optional/mark.json|
{
  "description": "Mark traffic based on ISP",

  "import": [ "params", "internet-host" ],

  "route-track": [
    { "out": "ISP1", "mark": 1 },
    { "out": "ISP2", "mark": 2 }
  ]
}
}}

{{cat|/etc/awall/optional/dmvpn.json|
{
  "description": "DMVPN router",

  "import": "internet-host",

  "variable": {
    "A_ADDR": [ "10.0.0.0/8", "172.16.0.0/16" ]
  },

  "zone": {
    "A": { "addr": "$A_ADDR", "iface": "gre1" }
  },

  "filter": [
    { "in": "E", "out": "_fw", "service": "ipsec", "action": "accept" },
    { "in": "_fw", "out": "E", "service": "ipsec", "action": "accept" },
    {
      "in": "E",
      "out": "_fw",
      "ipsec": "in",
      "service": "gre",
      "action": "accept"
    },
    {
      "in": "_fw",
      "out": "E",
      "ipsec": "out",
      "service": "gre",
      "action": "accept"
    },

    { "in": "_fw", "out": "A", "service": "bgp", "action": "accept" },
    { "in": "A", "out": "_fw", "service": "bgp", "action": "accept" },
    { "out": "E", "dest": "$A_ADDR", "action": "reject" }
  ]
}
}}

{{cat|/etc/awall/optional/vpnc.json|
{
  "description": "VPNc",

  "import": [ "params", "internet-host", "dmvpn" ],

  "zone": {
    "B": { "iface": "$B_IF" },
    "C": { "iface": "$C_IF" },
    "DE": { "iface": "$DE_IF" }
  },

  "policy": [
    { "in": "A", "action": "accept" },
    { "in": "B", "out": "A", "action": "accept" },
    { "in": "C", "out": [ "A", "E" ], "action": "accept" },
    { "in": "DE", "out": "E", "action": "accept" },
    { "in": "E", "action": "drop" },
    { "in": "_fw", "out": "A", "action": "accept" }
  ],

  "snat": [
    { "out": "E" }
  ],

  "filter": [
    {
      "in": "A",
      "out": "_fw",
      "service": [ "ping", "ssh", "http", "https" ],
      "action": "accept"
    },

    {
      "in": [ "B", "C" ],
      "out": "_fw",
      "service": [ "dns", "ntp", "http", "https", "ssh" ],
      "action": "accept"
    },

    {
      "in": "_fw",
      "out": [ "B", "C" ],
      "service": [ "dns", "ntp" ],
      "action": "accept"
    },

    {
      "in": [ "A", "B", "C" ],
      "out": "_fw",
      "proto": "icmp",
      "action": "accept"
    },

    {
      "out": "DE",
      "service": [ "ssh", "http", "https", "ping" ],
      "action": "accept"
    }
  ]
}
}}

Activate the firewall. <code>mark.json</code> (the per-ISP route marks that the ISP Failover section below relies on) is not enabled by the commands as written; enable it as well with <code>awall enable mark</code> if you use both ISPs with pingu:

{{Cmd|modprobe ip_tables
modprobe iptable_nat
awall enable clampmss
awall enable openvpn
awall enable vpnc
awall activate -f
rc-update add iptables}}

== ISP Failover ==
Install package(s) and define the two per-ISP routing tables:

{{Cmd|apk add pingu
echo -e "1\tisp1" >> /etc/iproute2/rt_tables
echo -e "2\tisp2" >> /etc/iproute2/rt_tables}}

Configure pingu in <code>/etc/pingu/pingu.conf</code> to monitor the <code>bond0.256</code> and <code>bond0.257</code> interfaces. Add the hosts to ping for ISP failover detection and bind them to the primary ISP; we also set the ping timeout to 4 seconds:

{{cat|/etc/pingu/pingu.conf|
timeout 4
required 2
retry 11

interface bond0.256 {
    # route-table must correspond with the mark in /etc/awall/optional/mark.json
    route-table 1
    fwmark 1
    rule-priority 20000
    # google dns
    ping 8.8.8.8
    # opendns
    ping 208.67.222.222
}

interface bond0.257 {
    # route-table must correspond with the mark in /etc/awall/optional/mark.json
    route-table 2
    fwmark 2
    rule-priority 20000
}
}}

Make sure traffic for our private networks keeps using the main routing table (and is never sent out through an ISP) by adding route rules for them, at a higher priority than the per-ISP rules. Edit <code>/etc/pingu/route-rules</code>:

{{cat|/etc/pingu/route-rules|
to 10.0.0.0/8 table main prio 1000
to 172.16.0.0/12 table main prio 1000
}}

Start service(s):

{{Cmd|/etc/init.d/pingu start
rc-update add pingu}}

Now, if both monitored hosts stop responding to pings, ISP1 is considered down and all gateways via <code>bond0.256</code> are removed from the main routing table. The gateway is not removed from table <code>1</code>, so pingu can keep pinging via <code>bond0.256</code> and detect when the ISP is back online; when it is, the gateways are added back to the main routing table.

== Commit Configuration ==
Commit the configuration to the USB key, or everything above is lost at the next reboot:

{{Cmd|lbu ci}}

= Hub Node =
We document only what changes from the Spoke node setup.

== Routing Tables ==
The hub's NHRP script and <code>opennhrp.conf</code> below refer to three extra routing tables: <code>nhrp_shortcut</code> (42, NHRP shortcut routes), <code>nhrp_mtu</code> (43, per-peer MTU routes) and <code>quagga</code> (44, selected with <code>route-table 44</code>). Define them in <code>/etc/iproute2/rt_tables</code>, otherwise <code>ip route ... table nhrp_mtu</code> fails with an unknown table:

{{Cmd|echo -e "42\tnhrp_shortcut\n43\tnhrp_mtu\n44\tquagga" >> /etc/iproute2/rt_tables}}

{{Todo|The <code>ip rule</code> entries that make the kernel consult tables 42-44 are not documented here yet.}}

== NHRP ==
With your favorite editor open <code>/etc/opennhrp/opennhrp.conf</code> on Hub 2 and set the content as follows (a hub has a static <code>map</code> to the other hub, while spokes use <code>dynamic-map</code>):

{{cat|/etc/opennhrp/opennhrp.conf|
interface gre1
map %Hub1_GRE_IP%/%MaskBit% hub1.example.com
route-table 44
shortcut
redirect
non-caching
}}

Do the same on Hub 1, with the data for Hub 2.

With your favorite editor open <code>/etc/opennhrp/opennhrp-script</code> and set the content as follows. Unlike the spoke script, the hub script checks the certificate racoon negotiated with the peer before it accepts an NHRP registration: the certificate's OU attributes must contain <code>GRE=</code> followed by the tunnel address being registered, plus <code>AS=</code> the spoke's AS number and one <code>NET=</code> per network the spoke may announce, from which the spoke's BGP prefix-list is built. Only your CA can issue such certificates, so a spoke cannot register another spoke's tunnel address or announce another site's prefixes:

<pre>
#!/bin/sh
# OU attributes (one per line) of the certificate racoon negotiated with this peer
peer_cert_ou() {
    racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA |
        openssl x509 -inform der -text -noout |
        grep -Eo "/OU=[^/]*(/[0-9]+)?" | cut -b 5-
}

case $1 in
interface-up)
    ip route flush proto 42 dev $NHRP_INTERFACE
    ip neigh flush dev $NHRP_INTERFACE
    ;;
peer-register)
    CERT=`peer_cert_ou`
    # -x -F: the whole line must equal GRE=<address>; a plain "^GRE=$NHRP_DESTADDR"
    # would also accept GRE=172.16.1.10 for a peer registering 172.16.1.1
    if ! echo "$CERT" | grep -qxF "GRE=$NHRP_DESTADDR"; then
        logger -t opennhrp-script -p auth.err "GRE registration of $NHRP_DESTADDR to $NHRP_DESTNBMA DENIED"
        exit 1
    fi
    AS=`echo "$CERT" | grep "^AS=" | head -n 1 | cut -b 4-`
    case $AS in
    ''|*[!0-9]*)
        # the AS number is spliced into vtysh commands: digits only
        logger -t opennhrp-script -p auth.err "GRE registration of $NHRP_DESTADDR to $NHRP_DESTNBMA DENIED (bad AS attribute)"
        exit 1
        ;;
    esac
    logger -t opennhrp-script -p auth.info "GRE registration of $NHRP_DESTADDR to $NHRP_DESTNBMA authenticated"

    (
    flock -x 200

    vtysh -d bgpd -c "configure terminal" \
        -c "router bgp 65000" \
        -c "neighbor $NHRP_DESTADDR remote-as $AS" \
        -c "neighbor $NHRP_DESTADDR peer-group spoke" \
        -c "neighbor $NHRP_DESTADDR prefix-list net-$AS-in in"

    # one prefix-list entry per NET= attribute: the spoke may announce that
    # network and more-specific routes down to /26, nothing else
    SEQ=5
    echo "$CERT" | grep "^NET=" | cut -b 5- | while read NET; do
        vtysh -d bgpd -c "configure terminal" \
            -c "ip prefix-list net-$AS-in seq $SEQ permit $NET le 26"
        SEQ=$(($SEQ+5))
    done
    ) 200>/var/lock/opennhrp-script.lock
    ;;
peer-up)
    echo "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
    racoonctl establish-sa -w isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA || exit 1
    racoonctl establish-sa -w esp inet $NHRP_SRCNBMA $NHRP_DESTNBMA gre || exit 1

    # the same certificate check applies to every peer we bring an SA up with
    CERT=`peer_cert_ou`
    if ! echo "$CERT" | grep -qxF "GRE=$NHRP_DESTADDR"; then
        logger -p daemon.err "GRE mapping of $NHRP_DESTADDR to $NHRP_DESTNBMA DENIED"
        exit 1
    fi

    if [ -n "$NHRP_DESTMTU" ]; then
        ARGS=`ip route get $NHRP_DESTNBMA from $NHRP_SRCNBMA | head -1`
        ip route add $ARGS proto 42 mtu $NHRP_DESTMTU table nhrp_mtu
    fi
    ;;
peer-down)
    echo "Delete link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
    # skip the SA teardown when the peer went away because the underlying link did
    if [ "$NHRP_PEER_DOWN_REASON" != "lower-down" ]; then
        racoonctl delete-sa isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA
    fi
    ip route del $NHRP_DESTNBMA src $NHRP_SRCNBMA proto 42 table nhrp_mtu
    ;;
route-up)
    echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is up"
    ip route replace $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 via $NHRP_NEXTHOP dev $NHRP_INTERFACE table nhrp_shortcut
    ip route flush cache
    ;;
route-down)
    echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is down"
    ip route del $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 table nhrp_shortcut
    ip route flush cache
    ;;
esac

exit 0
</pre>
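The authorisation step of the hook above is worth having as a standalone, testable function, because it is the only thing that stops a spoke with a valid certificate from registering somebody else's tunnel address. The following is an added example, not the wiki's script; it assumes the certificate layout the hub script greps for (one OU per attribute: <code>OU=GRE=&lt;address&gt;</code>, <code>OU=AS=&lt;asn&gt;</code>, repeatable <code>OU=NET=&lt;prefix&gt;</code>) and accepts the subject both in the <code>/C=../OU=..</code> form the page's regex expects and in the <code>C = .., OU = ..</code> form newer <code>openssl</code> prints. The subject strings in the tests are constructed input.

```shell
#!/bin/sh
# Authorisation step of the hub's peer-register / peer-up hooks as a standalone
# function. Added example, not the wiki's script. Assumes the certificate layout
# the hub script greps for: one OU per attribute, OU=GRE=<tunnel address>,
# OU=AS=<asn>, OU=NET=<prefix> (repeatable).

# ou_values <subject>: print every OU attribute value, one per line.
# Works on "/C=IT/O=Example/OU=..." (the form the page's regex expects) and on
# "C = IT, O = Example, OU = ..." (newer openssl); NET values keep their /len.
ou_values() {
    printf '%s\n' "$1" |
        grep -oE '(^|[/,] ?)OU ?= ?[^/,]*(/[0-9]+)?' |
        sed -E 's|^[/,]? ?OU ?= ?||'
}

# nhrp_authorize <subject> <registered GRE address>
# Prints "allow <AS> <net> ..." and returns 0 when the certificate vouches for the
# address, otherwise prints "deny" and returns 1.
nhrp_authorize() {
    ou=$(ou_values "$1")

    # Whole-line, fixed-string match. The page's  grep "^GRE=$NHRP_DESTADDR"  is a
    # prefix match with unescaped dots: a certificate for GRE=172.16.1.10 would let
    # its holder register 172.16.1.1 (another spoke's address) on the hub.
    printf '%s\n' "$ou" | grep -qxF "GRE=$2" || { echo deny; return 1; }

    # The AS number is spliced into a vtysh command line: digits only, first AS= wins.
    as=$(printf '%s\n' "$ou" | sed -n 's/^AS=//p' | head -n 1)
    case $as in
        ''|*[!0-9]*) echo deny; return 1 ;;
    esac

    # Each NET= becomes an "ip prefix-list ... permit <net> le 26" entry; refuse
    # anything that is not a dotted quad with a prefix length instead of passing it on.
    nets=
    for net in $(printf '%s\n' "$ou" | sed -n 's/^NET=//p'); do
        expr "$net" : '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/[0-9]\{1,2\}$' >/dev/null ||
            { echo deny; return 1; }
        nets="$nets $net"
    done
    echo "allow $as$nets"
}

# In the real hook the subject comes from racoon (assumed wiring, not on the page):
#   SUBJECT=$(racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA | openssl x509 -inform der -noout -subject)
#   DECISION=$(nhrp_authorize "$SUBJECT" "$NHRP_DESTADDR") || exit 1
#   set -- $DECISION      # $2 is the AS number, $3 onwards the permitted networks
```

The function deliberately fails closed: a certificate without a parseable <code>AS=</code> attribute, or with a <code>NET=</code> value that is not <code>a.b.c.d/len</code>, is refused rather than having the odd value handed to <code>vtysh</code>.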

== BGP ==
With your favorite editor open <code>/etc/quagga/bgpd.conf</code> on Hub 2 and set the content as follows. Replace <code>strongpassword</code> as on the spokes (Quagga's well-known default is <code>zebra</code>; do not keep it) and restrict the vty with the same <code>access-list 1</code> / <code>line vty</code> stanza used in the spoke configuration. The <code>spoke</code> peer-group name must match the one the NHRP script's <code>peer-register</code> hook assigns, and the per-spoke <code>prefix-list</code> limits what each spoke may announce (here: anything inside 10.1.0.0/16 down to a /26), so a misconfigured or compromised spoke cannot inject routes for other sites:

{{cat|/etc/quagga/bgpd.conf|
password strongpassword
enable password strongpassword
log syslog

router bgp 65000
bgp router-id %Hub2_GRE_IP%
bgp deterministic-med
network %GRE_NETWORK%/%MASK_BITS%
neighbor hub peer-group
neighbor hub remote-as 65000
neighbor hub next-hop-self
neighbor hub route-map CORE-IN in
neighbor spoke peer-group
neighbor spoke passive
neighbor spoke next-hop-self
neighbor %Spoke1_GRE_IP% remote-as 65001
neighbor %Spoke1_GRE_IP% peer-group spoke
neighbor %Spoke1_GRE_IP% prefix-list net-65001-in in
...
...
...

neighbor %Hub1_GRE_IP% peer-group hub

ip prefix-list net-65001-in seq 5 permit 10.1.0.0/16 le 26
...

route-map CORE-IN permit 10
set metric +100
}}

Add the <code>neighbor %Spoke1_GRE_IP% ...</code> lines for each spoke node you have. Do the same on Hub 1, swapping the Hub 1 and Hub 2 data.

= Troubleshooting the DMVPN =<br />
== Broken [http://en.wikipedia.org/wiki/Path_MTU_Discovery Path MTU Discovery (PMTUD)] ==<br />
ISPs afraid of ICMP (which is somehow legitimate) often just blindly add <code>no ip unreachables</code> in their router interfaces, effectively creating a [http://en.wikipedia.org/wiki/Black_hole_%28networking%29 blackhole router] that breaks PMTUD, since ICMP Type 3 Code 4 packets (Fragmentation Needed) are dropped. PMTUD is needed by ISAKMP that runs on UDP (TCP works because it uses CLAMPMSS).<br />
<br />
For technical details see http://packetlife.net/blog/2008/oct/9/disabling-unreachables-breaks-pmtud/<br />
<br />
PMTUD can also be broken by badly configured DSL modem/routers or buggy firmware. Turning off the firewall on the modem itself, or any VPN passthrough feature it has, may help.<br />
<br />
You can easily find the blackhole router by pinging each hop shown in your traceroute to the destination with the DF bit set and packets of standard MTU size:<br />
<br />
{{Cmd|ping -M do -s 1472 %IP%}}<br />
{{Note|"-M do" requires GNU ping, present in <code>iputils</code> package}}<br />
<br />
If you get no response at all (neither Echo Reply nor Fragmentation Needed) there is a firewall dropping ICMP packets. If the hop answers normal ping packets (DF bit cleared) but not these, you have most likely hit a blackhole router.<br />
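The probe described above, automated over a list of traceroute hops (an added example, not code from the original wiki page): every hop gets a full-MTU ping with DF set, and a hop that answers neither with an Echo Reply nor with Fragmentation Needed but does answer a plain ping is reported as the blackhole. The <code>run</code> parameter is an assumption of this example so the parser can be exercised offline on the constructed sample output; by default it calls GNU ping from <code>iputils</code>.<br />

```python
"""Blackhole-router probe for the PMTUD procedure (added example, not code
from the original wiki page). Each hop from the traceroute is pinged with
the DF bit set and a full-MTU packet; a hop that answers neither with an
Echo Reply nor with "Frag needed", but does answer a plain ping, is the
blackhole. `run` is injectable so the classifier can be exercised offline
on the constructed sample output below; by default it calls GNU ping."""
import re
import subprocess

# GNU ping output patterns: an echo reply line, and the two ways a
# fragmentation-needed condition is reported (remote ICMP vs. local error).
ECHO_REPLY = re.compile(r"bytes from .*time=", re.IGNORECASE)
FRAG_NEEDED = re.compile(r"frag needed|message too long", re.IGNORECASE)


def run_ping(args):
    """Run GNU ping with the given arguments; return stdout+stderr as text."""
    proc = subprocess.run(["ping", *args], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def classify_hop(ip, mtu=1500, run=run_ping):
    """Classify one hop as 'ok' (full-size DF ping answered), 'pmtud-ok'
    (Fragmentation Needed came back, so PMTUD works), 'blackhole' (DF ping
    silently lost but a plain ping is answered) or 'icmp-filtered'."""
    payload = str(mtu - 28)  # 20 bytes IPv4 header + 8 bytes ICMP header
    out = run(["-c", "2", "-W", "2", "-M", "do", "-s", payload, ip])
    if ECHO_REPLY.search(out):
        return "ok"
    if FRAG_NEEDED.search(out):
        return "pmtud-ok"
    out = run(["-c", "2", "-W", "2", ip])  # DF cleared, default size
    return "blackhole" if ECHO_REPLY.search(out) else "icmp-filtered"


def find_blackholes(hops, mtu=1500, run=run_ping):
    """Probe every hop of a traceroute; return {hop: verdict}."""
    return {ip: classify_hop(ip, mtu, run) for ip in hops}


# Constructed sample replies keyed by (hop, df_bit_set); not real captures.
def _reply(ip):
    return f"64 bytes from {ip}: icmp_seq=1 ttl=63 time=0.412 ms\n"


def _frag(ip):
    return f"From {ip} icmp_seq=1 Frag needed and DF set (mtu = 1400)\n"


_LOSS = "2 packets transmitted, 0 received, 100% packet loss, time 1001ms\n"

SAMPLE_REPLIES = {
    ("10.0.0.1", True): _reply("10.0.0.1"), ("10.0.0.1", False): _reply("10.0.0.1"),
    ("10.0.0.2", True): _frag("10.0.0.2"), ("10.0.0.2", False): _reply("10.0.0.2"),
    ("10.0.0.3", True): _LOSS, ("10.0.0.3", False): _reply("10.0.0.3"),
    ("10.0.0.4", True): _LOSS, ("10.0.0.4", False): _LOSS,
}


def fake_run(replies):
    """Build a stand-in for run_ping that answers from a reply table."""
    def run(args):
        return replies[(args[-1], "-M" in args)]
    return run


if __name__ == "__main__":
    hops = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
    for hop, verdict in find_blackholes(hops, run=fake_run(SAMPLE_REPLIES)).items():
        print(f"{hop:>12}  {verdict}")
```

Against a real path, call <code>find_blackholes</code> with the hop addresses from your traceroute and the default <code>run</code>; the hop reported as <code>blackhole</code> is where Fragmentation Needed messages stop being generated.<br />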
<br />
== Kernel and NHRP Routing Cache Issues ==<br />
{{Todo|...}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9825
Small Office Services
2014-01-23T19:52:38Z
<p>Cewebb: /* Install and Configure the Proxy service */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
{{Todo|Need to decide what should be the appropriate hardware for the setup}}<br />
<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
bond-updelay 500<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the base policy for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate -f<br />
rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN awall policy to allow this proxy out to the Internet; the <code>$WEB_PROXY</code> variable is set in the same file to the proxy's address.<br />
{{Note|This is to be configured on the DMVPN awall config, not inside the container}}<br />
{{cat|/etc/awall/optional/internet-host.json|<br />
{<br />
"description": "Web proxy to the Internet",<br />
<br />
"variable": { "WEB_PROXY": "<%WEB_PROXY_IP_ADDRESS%>" },<br />
<br />
"filter": [<br />
{ "in": "B", "src": "$WEB_PROXY", "out": "E", "action": "accept" }<br />
]<br />
}<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access hosts listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_alias",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
index-file.names = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make the 'squid' and 'lighttpd' users members of the squark group<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n dhcpdns -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.dhcpdns}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/dhcpdns/config to give the container an interface on each of the management, WiFi and voice VLANs<br />
<br />
{{cat|/var/lib/lxc/dhcpdns/config|<br />
<pre><br />
#Management VLAN, eth1 inside the container<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth1<br />
<br />
#WiFi VLAN, eth2 inside the container<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth2<br />
<br />
#Voice VLAN, eth0 inside the container<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth0<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.dhcpdns start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.dhcpdns}}<br />
<br />
== Enter the dhcpdns container ==<br />
{{Cmd|lxc-console -n dhcpdns}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Voice VLAN<br />
auto eth0<br />
iface eth0 inet static<br />
address <%DHCPDNS_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
up ip address add <%DHCPDNS_VOICE_IP_ADDRESS2%>/25 dev eth0<br />
#Management VLAN<br />
auto eth1<br />
iface eth1 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
<br />
<br />
#WiFi VLAN<br />
auto eth2<br />
iface eth2 inet static<br />
address <%DHCPDNS_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
<br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dhcp.json|<br />
{<br />
"description": "DHCP",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dhcp",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dns.json|<br />
{<br />
"description": "DNS",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dns",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable dhcp<br />
awall enable dns<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%DHCPDNS_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%DHCPDNS_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package<br />
{{Cmd|apk add unbound}}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
With your favorite editor, create a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%DHCPDNS_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%DHCPDNS_VOICE_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
}}<br />
Start Unbound and allow the container to use it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%DHCPDNS_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Create the nsd configuration<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%DHCPDNS_VOICE_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Configure Zone file for nsd<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name servers<br />
ns1 IN A <%DHCPDNS_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record, pointing SIP clients at the SRV records below<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Records<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
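A consistency check for the SIP records in the zone file above (an added example, not code from the original wiki page): it parses a small zone and follows the chain a SIP phone follows, NAPTR with the "s" flag to an SRV owner name, SRV target to an A record, and also verifies that the NS and SOA server names have addresses. The sample zone is constructed; its 10.1.1.x addresses are placeholders and not values from this page.<br />

```python
"""Zone-file sanity check for the SIP records (added example, not code from
the original wiki page). Parses a small zone and verifies the chain
NAPTR ("s" flag) -> SRV owner -> A record, plus NS/SOA glue. The sample
zone is constructed; the 10.1.1.x addresses are placeholders."""
import shlex

SAMPLE_ZONE = """\
$ORIGIN office.example.net.
$TTL 86400
@ IN SOA ns1 admin (
        2013032200 ; Serial
        28800 7200 864000 86400 )
@ NS ns1
ns1 IN A 10.1.1.2
sip IN A 10.1.1.10
vmail IN A 10.1.1.11
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""

# rdata field (0-based) that holds a domain name, per record type
NAME_FIELD = {"NS": 0, "CNAME": 0, "SOA": 0, "SRV": 3, "NAPTR": 5}


def fqdn(name, origin):
    """Qualify a zone-file name: '@' is the origin, a trailing dot is
    absolute, anything else is relative to the origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin="."):
    """Return a list of (owner, type, rdata) with owners and name-valued
    rdata fields fully qualified. Handles $ORIGIN/$TTL, ';' comments,
    parenthesised multi-line records and owner inheritance."""
    records, last_owner, buf, leading = [], None, "", False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if not buf:
            leading = raw[:1].isspace()  # blank owner = previous owner
        buf = f"{buf} {line}" if buf else line
        if buf.count("(") > buf.count(")"):
            continue  # record continues on the next line
        tokens = shlex.split(buf.replace("(", " ").replace(")", " "))
        buf = ""
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            origin = origin if origin.endswith(".") else origin + "."
            continue
        if tokens[0].startswith("$"):
            continue  # $TTL and other directives
        owner = last_owner if leading else fqdn(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():
            tokens.pop(0)  # explicit TTL
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)  # class
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in NAME_FIELD and len(rdata) > NAME_FIELD[rtype]:
            i = NAME_FIELD[rtype]
            rdata[i] = fqdn(rdata[i], origin)
        records.append((owner, rtype, rdata))
        last_owner = owner
    return records


def check_sip_chain(records):
    """Return a list of human-readable problems; empty means consistent."""
    has_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    srv_owners = {o for o, t, _ in records if t == "SRV"}
    problems = []
    for owner, rtype, rdata in records:
        if rtype == "NAPTR" and len(rdata) >= 6 and rdata[2].lower() == "s":
            if rdata[5] not in srv_owners:
                problems.append(f"NAPTR at {owner} points to {rdata[5]} "
                                "but no SRV record has that name")
        elif rtype == "SRV" and rdata[3] not in has_addr:
            problems.append(f"SRV at {owner} targets {rdata[3]}, "
                            "which has no A record")
        elif rtype in ("NS", "SOA") and rdata[0].endswith(owner) \
                and rdata[0] not in has_addr:
            problems.append(f"{rtype} at {owner} names {rdata[0]}, "
                            "which has no A record")
    return problems


if __name__ == "__main__":
    for line in check_sip_chain(parse_zone(SAMPLE_ZONE)) or ["zone is consistent"]:
        print(line)
```

Run it on your real zone file by passing its text to <code>parse_zone</code>; a NAPTR replacement that names an SRV owner which does not exist, or an SRV target without an A record, is reported before nsd serves a zone phones cannot follow.<br />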
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure PostgreSQL ==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf to set the 'listen_addresses', and the 'log_destination' variables to show:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
== Install Kamailio ==<br />
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio<br />
<br />
= Install the B2BUA Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n b2bua -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.b2bua}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/b2bua/config, to reflect the network for the B2BUA container<br />
<br />
{{cat|/var/lib/lxc/b2bua/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.b2bua start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.b2bua}}<br />
<br />
== Enter the B2BUA container ==<br />
{{Cmd|lxc-console -n b2bua}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%B2BUA_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip-track.json|<br />
{<br />
<br />
"description": "Phone system with SIP connection tracking",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Enable and activate firewall policies, and configure iptables to start at boot<br />
{{Cmd|awall enable base<br />
awall enable sip-track<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure Freeswitch ==<br />
Install package<br />
{{Cmd|Install Freeswitch Package}}<br />
<br />
Configure /etc/freeswitch/freeswitch.xml<br />
{{cat|/etc/freeswitch/freeswitch.xml|<br />
<pre><br />
<?xml version="1.0"?><br />
<document type="freeswitch/xml"><br />
<br />
<!-- Variables we need to set --><br />
<br />
<X-PRE-PROCESS cmd="set" data="b2bua=<%B2BUA_IP_ADDRESS%>"/><br />
<X-PRE-PROCESS cmd="set" data="domain=office.example.net"/><br />
<X-PRE-PROCESS cmd="set" data="siprouter=office.example.net"/><br />
<br />
<!-- Variables we don't need to set --><br />
<br />
<!-- External SIP Profile --><br />
<X-PRE-PROCESS cmd="set" data="external_sip_port=5060"/><br />
<!-- Global codecs --><br />
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/><br />
<!-- Outbound codecs --><br />
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/><br />
<br />
<section name="configuration" description="Various Configuration"><br />
<br />
<configuration name="modules.conf" description="Modules"><br />
<modules><br />
<load module="mod_commands"/><br />
<load module="mod_console"/><br />
<load module="mod_dptools"/><br />
<load module="mod_dialplan_xml"/><br />
<load module="mod_event_socket"/><br />
<load module="mod_logfile"/><br />
<load module="mod_sofia"/><br />
</modules><br />
</configuration><br />
<br />
<configuration name="console.conf" description="Console Logger"><br />
<mappings><br />
<map name="all" value="console,debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
<settings><br />
<param name="loglevel" value="info"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="logfile.conf" description="File Logging"><br />
<settings><br />
<param name="rotate-on-hup" value="true"/><br />
</settings><br />
<profiles><br />
<profile name="default"><br />
<settings><br />
<param name="rollover" value="10485760"/><br />
</settings><br />
<mappings><br />
<map name="all" value="debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
</profile><br />
</profiles><br />
</configuration><br />
<br />
<configuration name="sofia.conf" description="sofia Endpoint"><br />
<global_settings><br />
<param name="log-level" value="0"/><br />
<param name="debug-presence" value="0"/><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="log-auth-failures" value="false"/><br />
<param name="forward-unsolicited-mwi-notify" value="false"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="5060"/><br />
<param name="dialplan" value="XML"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="tls" value="false"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="auth-all-packets" value="false"/><br />
<param name="rtp-timeout-sec" value="300"/><br />
<param name="rtp-hold-timeout-sec" value="1800"/><br />
<param name="challenge-realm" value="auto_from"/><br />
</global_settings><br />
<br />
<profiles><br />
<profile name="$${domain}"><br />
<domains><br />
<domain name="all" alias="false" parse="true"/><br />
</domains><br />
<settings><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="$${external_sip_port}"/><br />
<param name="dialplan" value="XML"/><br />
<param name="context" value="default"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/><br />
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="local-network-acl" value="rfc1918.auto"/><br />
<param name="manage-presence" value="false"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="rtp-ip" value="$${b2bua}"/><br />
<param name="sip-ip" value="$${b2bua}"/><br />
<param name="tls" value="false"/><br />
</settings><br />
</profile> <br />
</profiles> <br />
<br />
</configuration><br />
<br />
<configuration name="switch.conf" description="Core Configuration"><br />
<br />
<cli-keybindings><br />
<key name="1" value="help"/><br />
<key name="2" value="status"/><br />
<key name="3" value="show channels"/><br />
<key name="4" value="show calls"/><br />
<key name="5" value="sofia status"/><br />
<key name="6" value="reloadxml"/><br />
</cli-keybindings><br />
<br />
<settings><br />
<param name="colorize-console" value="true"/><br />
<param name="max-sessions" value="1000"/><br />
<param name="sessions-per-second" value="30"/><br />
<param name="loglevel" value="debug"/><br />
<param name="dump-cores" value="yes"/><br />
<param name="rtp-enable-zrtp" value="false"/><br />
<param name="rtp-start-port" value="13000"/><br />
<param name="rtp-end-port" value="18000"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="post_load_modules.conf" description="Post-load modules"/><br />
<br />
</section><br />
<br />
<!-- Incoming Calls --><br />
<section name="dialplan" description="Regex/XML Dialplan"><br />
<context name="default"><br />
<extension name="b2b-in"><br />
<condition field="destination_number" expression="^(\d*)$"><br />
<action application="set" data="ringback=%(2000,4000,440.0,480.0)"/><br />
<action application="set" data="hangup_after_bridge=true"/><br />
<action application="set" data="continue_on_fail=true"/><br />
<action application="set" data="ignore_early_media=true"/> <br />
<action application="set" data="bypass_media=true"/> <br />
<action application="answer"/><br />
<action application="sleep" data="1000"/><br />
<action application="unset" data="sip_h_P-ARP"/><br />
<action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/><br />
</condition><br />
</extension><br />
</context> <br />
</section><br />
</document><br />
</pre><br />
}}<br />
Start Freeswitch and configure to start at boot<br />
{{Cmd|/etc/init.d/freeswitch start<br />
rc-update add freeswitch}}<br />
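To see what the dialplan above actually does with a dialed number, here is an added example (not part of this page or of FreeSWITCH) that walks a constructed copy of the b2b-in extension the way the XML dialplan module does: the <code>$${name}</code> globals set with X-PRE-PROCESS are resolved first, the destination_number is tested against the condition's regular expression, and <code>$1</code> in the bridge data is replaced by the captured digits. It ignores anti-actions, the 'continue' attribute and every other dialplan feature.<br />

```python
"""Walk the page's FreeSWITCH XML dialplan the way the XML dialplan module
does: resolve the $${name} globals set with X-PRE-PROCESS, test the
destination_number against the condition's regex and expand $1 in the
bridge data.  Added example: not part of the page or of FreeSWITCH, and it
ignores anti-actions, 'continue' and other dialplan features."""
import re
import xml.etree.ElementTree as ET

# Values the page sets with X-PRE-PROCESS cmd="set".
GLOBALS = {"domain": "office.example.net", "siprouter": "office.example.net"}

# Constructed copy of the page's dialplan section.
DIALPLAN = r"""
<section name="dialplan" description="Regex/XML Dialplan">
  <context name="default">
    <extension name="b2b-in">
      <condition field="destination_number" expression="^(\d*)$">
        <action application="set" data="hangup_after_bridge=true"/>
        <action application="set" data="bypass_media=true"/>
        <action application="answer"/>
        <action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/>
      </condition>
    </extension>
  </context>
</section>
"""


def expand_globals(text, globals_=GLOBALS):
    """Replace $${name} with its global value (FreeSWITCH does this at load)."""
    return re.sub(r"\$\$\{(\w+)\}", lambda m: globals_[m.group(1)], text)


def route(destination_number, dialplan_xml=DIALPLAN, context="default"):
    """Actions [(application, data), ...] for a call to destination_number in
    the given context, or [] when no extension's conditions all match."""
    root = ET.fromstring(expand_globals(dialplan_xml))
    channel = {"destination_number": destination_number}
    for ext in root.iterfind(f"./context[@name='{context}']/extension"):
        actions = []
        for cond in ext.findall("condition"):
            m = re.search(cond.get("expression"), channel.get(cond.get("field"), ""))
            if m is None:
                actions = None          # condition failed: try next extension
                break
            for act in cond.findall("action"):
                # $1, $2, ... refer to the condition's capture groups
                data = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "",
                              act.get("data", ""))
                actions.append((act.get("application"), data))
        if actions is not None:
            return actions
    return []


def bridge_target(destination_number):
    """The dial string the 'bridge' action would receive, or None."""
    return dict(route(destination_number)).get("bridge")


if __name__ == "__main__":
    for number in ("1234", "", "abc"):
        print(repr(number), "->", bridge_target(number))
```

Running it shows that <code>^(\d*)$</code> also matches an empty destination number, so a call with no dialed digits is bridged to <code>sofia/office.example.net/@office.example.net</code>; <code>\d+</code> would require at least one digit.<br />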
= Install the wifi Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n wifi -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.wifi}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/wifi/config, to reflect the network for the wifi container<br />
<br />
{{cat|/var/lib/lxc/wifi/config|<br />
...<br />
lxc.network.link {{=}} bond0.701<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.wifi start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.wifi}}<br />
<br />
== Enter the wifi container ==<br />
{{Cmd|lxc-console -n wifi}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WIFI_IP_ADDRESS%><br />
netmask <%VPNc_WIFI_NETMASK%><br />
<br />
auto eth1<br />
iface eth1 inet static<br />
address <%WIFI_TRANSIT_IP_ADDRESS%><br />
netmask <%WIFI_TRANSIT_NETMASK%><br />
gateway <%DMVPN_WIFI_TRANSIT_IP_ADDRESS%><br />
<br />
auto eth2<br />
iface eth2 inet static<br />
address <%WIFI_MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
{{Todo|Need to lock down firewall rules}}<br />
<br />
==Install and Configure the Recursive DNS Service ==<br />
Install unbound package<br />
{{Cmd|apk add unbound}}<br />
With your favorite editor configure /etc/unbound/unbound.conf<br />
{{cat|/etc/unbound/unbound.conf|<br />
server:<br />
verbosity: 1<br />
interface: 172.17.48.1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 172.17.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
do-not-query-localhost: no<br />
<br />
root-hints: "/etc/unbound/root.hints"<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
== Install and Configure the Proxy service ==<br />
Install the necessary packages<br />
{{Cmd|apk add squid squark lighttpd}}<br />
With your preferred editor configure /etc/squid/squid.conf<br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config <br />
<br />
# This port listens for client requests<br />
http_port 172.17.48.1:8080 transparent<br />
http_port 127.0.0.1:8081<br />
<br />
visible_hostname wifi.local<br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
dns_nameservers 172.17.48.1<br />
<br />
# <br />
# Authentication<br />
#<br />
# Squark external acl<br />
#external_acl_type squark_snmp_auth_D children-max=1 ttl=4 grace=1 negative_ttl=0 concurrency=128 %SRC /usr/bin/squark-auth-snmp -c public -R <SWITCH_IP> -i <D_VLAN_IF> -v <D_VLAN_ID> -f "%N-%i=%I" -T /etc/squark/topology.conf<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst 172.17.48.1<br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
#acl SquarkAuth external squark_auth<br />
#acl SquarkSnmpAuthD external squark_snmp_auth_D<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones<br />
acl Zone_D src 172.17.48.0/24<br />
<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_D to access the entire Internet<br />
http_access allow Zone_D<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#Finally, permit access<br />
url_rewrite_access allow Zone_D<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
Configure lighttpd<br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
<br />
include "mime-types.conf"<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
<br />
<br />
server.follow-symlink = "enable"<br />
<br />
server.port = 81<br />
server.bind = "172.17.48.1"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("172.17.48.1" => "trust")<br />
</pre><br />
}}<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
<br />
# vim: set ft=conf foldmethod=marker et :<br />
</pre><br />
}}<br />
Link Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
Make the 'squid' and 'lighttpd' users members of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
Start lighttpd and configure the Web service to start at boot<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
Start Squid and configure it to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9824
Small Office Services
2014-01-23T19:37:42Z
<p>Cewebb: /* Create and Configure the container */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
{{Todo|Need to decide what should be the appropriate hardware for the setup}}<br />
<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
bond-updelay 500<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the base policy for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall and enable iptables to start automatically at boot<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate -f<br />
rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN awall policy to allow this proxy out to the Internet<br />
{{Note| this is to be configured on the DMVPN awall config}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
},<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
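The two sed lines in the "Configure remote administration" step (used identically for the B2BUA, wifi and webproxy containers) replace <code>#PasswordAuthentication yes</code> and <code>#UseDNS yes</code>, but the leading <code>.</code> requires exactly one character in front of the keyword, so a directive already written at column 0, or one set to a value other than 'yes', is left alone. The following is an added example, not part of the wiki page, that performs the same edit on the file contents and then checks what sshd would actually use; the sample sshd_config is constructed for the demonstration.<br />

```python
"""Set sshd_config directives the way the page's two sed lines intend, but
robustly.  Added example, not part of the wiki page: the page's pattern
".PasswordAuthentication yes" needs exactly one character in front of the
keyword, so it misses a directive written at column 0 and any directive
whose current value is not 'yes'; this version handles commented-out,
indented, duplicated and absent directives and verifies the result."""
import re

# Directives the page sets inside every container.
WANTED = {"PasswordAuthentication": "no", "UseDNS": "no"}


def set_directive(config, key, value):
    """Return config with 'key value' active exactly once.

    The first existing occurrence (active or commented out, any indentation)
    is replaced; later duplicates are commented out because sshd honours the
    first occurrence of a keyword; an absent directive is appended."""
    pattern = re.compile(r"^[ \t]*#?[ \t]*" + re.escape(key) + r"[ \t]+\w+[ \t]*$",
                         re.MULTILINE)
    seen = []

    def repl(m):
        if not seen:
            seen.append(m.start())
            return f"{key} {value}"
        return "# " + m.group(0).lstrip(" \t#")

    updated = pattern.sub(repl, config)
    if seen:
        return updated
    if updated and not updated.endswith("\n"):
        updated += "\n"
    return updated + f"{key} {value}\n"


def harden(config):
    """Apply every WANTED directive to the sshd_config text."""
    for key, value in WANTED.items():
        config = set_directive(config, key, value)
    return config


def effective(config, key):
    """The value sshd would use: first active occurrence wins, else None."""
    for line in config.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] == key:
            return parts[1].strip()
    return None


def check(config):
    """True when every WANTED directive is in force."""
    return all(effective(config, k) == v for k, v in WANTED.items())


# Constructed sample in the shape of a stock sshd_config, including a
# column-0 directive (which the page's sed pattern does not match) and an
# indented duplicate further down.
SAMPLE = """\
#Port 22
PasswordAuthentication yes
#UseDNS yes
X11Forwarding no
 PasswordAuthentication yes
"""

if __name__ == "__main__":
    print(harden(SAMPLE), end="")
    print("# hardened:", check(harden(SAMPLE)))
```

Applying it to a real file means reading /etc/ssh/sshd_config, writing <code>harden()</code>'s result back and running <code>sshd -t</code> before restarting the daemon; <code>check()</code> is the assertion worth keeping in any provisioning script.<br />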
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall and enable iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replacing <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%> and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B and Zone_C to access hosts listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
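Both squid.conf files on this page (the wifi container's with Zone_D and the webproxy's above with Zone_B and the allowed-domain lists) rely on Squid's first-match evaluation of http_access lines, where the ACLs on one line are ANDed and <code>!</code> negates. The following added example (not the page's code and not Squid itself) models just the ACL types these files use, src, port, method and dstdomain, plus the built-in all, localhost and manager ACLs, and reports which line admits or rejects a request. The excerpt it evaluates is a constructed copy of the webproxy rules with the <%...%> placeholders and the file-backed domain lists replaced by invented values.<br />

```python
"""First-match evaluation of Squid http_access rules, using the ACL names from
the page's squid.conf files.  Added example: not the page's code and not Squid
itself.  Only the ACL types the page uses are modelled (src, port, method,
dstdomain) plus the built-in all, localhost and manager ACLs."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str               # client IP address
    host: str              # requested host name (for dstdomain ACLs)
    port: int              # requested port
    method: str = "GET"
    scheme: str = "http"   # 'cache_object' marks a cache manager request


def parse_acls(lines):
    """Parse 'acl NAME TYPE ARG...' lines; repeated names accumulate args."""
    acls = {"all": ("src", ["0.0.0.0/0"]),
            "localhost": ("src", ["127.0.0.0/8"]),
            "manager": ("manager", [])}
    for parts in (l.split() for l in lines):
        if len(parts) >= 3 and parts[0] == "acl":
            name, kind, args = parts[1], parts[2], parts[3:]
            if name in acls and acls[name][0] == kind:
                acls[name][1].extend(args)
            else:
                acls[name] = (kind, list(args))
    return acls


def acl_matches(acls, name, req):
    kind, args = acls[name]
    if kind == "src":
        addr = ipaddress.ip_address(req.src)
        return any(addr in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "port":          # single ports and lo-hi ranges
        for a in args:
            lo, _, hi = a.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req.method.upper() in {a.upper() for a in args}
    if kind == "dstdomain":     # a leading dot also matches subdomains
        h = req.host.lower()
        return any(h == a.lstrip(".").lower() or
                   (a.startswith(".") and h.endswith(a.lower())) for a in args)
    if kind == "manager":
        return req.scheme == "cache_object"
    raise ValueError(f"ACL type {kind!r} not modelled here")


def parse_rules(lines):
    """'http_access allow|deny ACL...' lines, in file order."""
    return [(p[1], p[2:]) for p in (l.split() for l in lines)
            if len(p) >= 3 and p[0] == "http_access"]


def evaluate(acls, rules, req):
    """Squid semantics: the ACLs on one line are ANDed ('!' negates) and the
    first line whose ACLs all match decides.  If no line matches, Squid
    applies the opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!")
               for t in terms):
            return action, f"http_access {action} {' '.join(terms)}"
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), "implicit default"


# Constructed excerpt of the page's webproxy squid.conf: the <%...%>
# placeholders and the file-backed dstdomain lists are replaced by values
# invented for this example.
CONFIG = """
acl SSL_ports port 443 563 8004 9000
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535
acl CONNECT method CONNECT
acl Zone_B src 10.10.20.0/24
acl Zone_B_AllowedUserDomains dstdomain .example.net
acl Zone_B_AllowedServicesHosts src 10.10.20.50
acl Zone_B_AllowedServicesDomains dstdomain updates.example.org
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow Zone_B Zone_B_AllowedUserDomains
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains
http_access deny all
""".strip().splitlines()

ACLS, RULES = parse_acls(CONFIG), parse_rules(CONFIG)


def decide(req):
    """(action, matching line) for one request against the excerpt above."""
    return evaluate(ACLS, RULES, req)
```

Feeding it a plain GET to a host under .example.net from the LAN returns the Zone_B allow line, while a CONNECT to port 8080 from the same client is stopped by <code>http_access deny CONNECT !SSL_ports</code> before the zone rules are reached, and anything else from the LAN falls through to <code>http_access deny all</code>. The same function applied to the wifi container's rules shows why <code>http_access allow Zone_D</code> admits the whole Internet for that subnet.<br />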
<br />
Configure /etc/lighttpd/lighttpd.conf, replacing <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make the 'squid' and 'lighttpd' users members of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container is booted<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n dhcpdns -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.dhcpdns}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/dhcpdns/config, to reflect the networks for the DHCP/DNS container<br />
<br />
{{cat|/var/lib/lxc/dhcpdns/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.dhcpdns start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.dhcpdns}}<br />
<br />
== Enter the dhcpdns container ==<br />
{{Cmd|lxc-console -n dhcpdns}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Voice VLAN<br />
auto eth0<br />
iface eth0 inet static<br />
address <%DHCPDNS_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
up ip address add <%DHCPDNS_VOICE_IP_ADDRESS2%>/25 dev eth0<br />
#Management VLAN<br />
auto eth1<br />
iface eth1 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
<br />
<br />
#WiFi VLAN<br />
auto eth2<br />
iface eth2 inet static<br />
address <%DHCPDNS_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
<br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set a root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dhcp.json|<br />
{<br />
"description": "DHCP",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dhcp",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dns.json|<br />
{<br />
"description": "DNS",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dns",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and configure iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable dhcp<br />
awall enable dns<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%DHCPDNS_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%DHCPDNS_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start the DHCP service and add it to the default runlevel<br />
{{Cmd|rc-service dhcpd start<br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (nsd is installed further below)<br />
{{Cmd|apk add unbound}}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
With your favorite editor, create a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%DHCPDNS_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%DHCPDNS_VOICE_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
}}<br />
Start Unbound, enable it at boot, and point the container's own resolver at it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%DHCPDNS_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Create the nsd configuration<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%DHCPDNS_VOICE_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Create the zone file for nsd; it is the zonefile named in nsd.conf above, looked up under zonesdir<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; NS servers<br />
ns1 IN A <%DHCPDNS_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record pointing clients at the SIP SRV record set below<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Records (each target must have an A record above)<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
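The SRV targets and the NAPTR replacement in the zone only work if the names they point at exist in the same zone. The following check is an added example, not part of the wiki page; it parses a constructed copy of the zone above (made-up 10.1.1.x addresses in place of the placeholders) and reports any dangling SOA, NS, SRV or NAPTR reference.<br />

```python
"""Consistency check for the office.example.net zone (added example).

Verifies that every SRV target, NAPTR replacement, NS name and SOA primary
the zone refers to actually exists inside the zone itself.
"""

# Constructed copy of the zone above with made-up addresses.
ZONE = """\
$ORIGIN office.example.net.
$TTL 86400

@ IN SOA ns1 admin (
    2013032200 ; Serial number [yyyymmddnn]
    28800      ; Refresh
    7200       ; Retry
    864000     ; Expire
    86400      ; Min TTL
)

@ NS ns1
; NS servers
ns1 IN A 10.1.1.2

; A records for SIP devices
sip IN A 10.1.1.10
vmail IN A 10.1.1.11

; NAPTR record pointing clients at the SIP SRV record set
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.

; SIP SRV records
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""

CLASSES = {"IN", "CH", "HS"}


def fqdn(name, origin):
    """Turn a zone-file name into an absolute name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, records); each record is (owner, type, rdata_tokens).
    Handles $ORIGIN/$TTL, ';' comments, '(' ... ')' continuation lines and
    an omitted owner (line starting with whitespace) inheriting the previous."""
    origin, records, buf, depth, last_owner, inherit = None, [], "", 0, None, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if not buf:                       # first physical line of a record
            inherit = line[0].isspace()
        buf += " " + line
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue                      # still inside ( ... )
        tokens, buf = buf.replace("(", " ").replace(")", " ").split(), ""
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        if inherit:
            owner, rest = last_owner, tokens
        else:
            owner, rest = fqdn(tokens[0], origin), tokens[1:]
        if rest and rest[0].isdigit():    # optional per-record TTL
            rest = rest[1:]
        if rest and rest[0].upper() in CLASSES:
            rest = rest[1:]
        records.append((owner, rest[0].upper(), rest[1:]))
        last_owner = owner
    return origin, records


def lint_zone(text):
    """Return a list of human-readable problems; an empty list means consistent."""
    origin, records = parse_zone(text)
    a_names = {o for o, t, _ in records if t in ("A", "AAAA")}
    srv_owners = {o for o, t, _ in records if t == "SRV"}
    problems = []
    for owner, rtype, rdata in records:
        if rtype == "SOA" and fqdn(rdata[0], origin) not in a_names:
            problems.append(f"SOA primary {rdata[0]} has no A record")
        elif rtype == "NS" and fqdn(rdata[0], origin) not in a_names:
            problems.append(f"NS {rdata[0]} for {owner} has no A record")
        elif rtype == "SRV" and fqdn(rdata[3], origin) not in a_names:
            problems.append(f"SRV target {rdata[3]} under {owner} has no A record")
        elif rtype == "NAPTR" and rdata[2].strip('"').lower() == "s":
            # "s" flag: the replacement field must be the owner of SRV records
            target = fqdn(rdata[5], origin)
            if target not in srv_owners:
                problems.append(f"NAPTR replacement {target} has no SRV records")
    return problems


if __name__ == "__main__":
    # Mislabel the vmail A record to show a dangling SRV target being caught.
    for p in lint_zone(ZONE.replace("vmail IN A", "map IN A")) or ["zone is consistent"]:
        print(p)
```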
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set a root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and configure iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
==Install and Configure Postgresql==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf to set the 'listen_addresses', and the 'log_destination' variables to show:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
== Install Kamailio ==<br />
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio<br />
<br />
=Install the B2BUA container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n b2bua -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.b2bua}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/b2bua/config, to reflect the network for the B2BUA container<br />
<br />
{{cat|/var/lib/lxc/b2bua/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.b2bua start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.b2bua}}<br />
<br />
== Enter the B2BUA container ==<br />
{{Cmd|lxc-console -n b2bua}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%B2BUA_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set a root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip-track.json|<br />
{<br />
<br />
"description": "Phone system with SIP connection tracking",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Enable and activate firewall policies, and configure iptables to start at boot<br />
{{Cmd|awall enable base<br />
awall enable sip-track<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure Freeswitch ==<br />
Install package<br />
{{Cmd|apk add freeswitch}}<br />
<br />
Configure /etc/freeswitch/freeswitch.xml<br />
{{cat|/etc/freeswitch/freeswitch.xml|<br />
<pre><br />
<?xml version="1.0"?><br />
<document type="freeswitch/xml"><br />
<br />
<!-- Variables we need to set --><br />
<br />
<X-PRE-PROCESS cmd="set" data="b2bua=<%B2BUA_IP_ADDRESS%>"/><br />
<X-PRE-PROCESS cmd="set" data="domain=office.example.net"/><br />
<X-PRE-PROCESS cmd="set" data="siprouter=office.example.net"/><br />
<br />
<!-- Variables we don't need to set --><br />
<br />
<!-- External SIP Profile --><br />
<X-PRE-PROCESS cmd="set" data="external_sip_port=5060"/><br />
<!-- Global codecs --><br />
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/><br />
<!-- Outbound codecs --><br />
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/><br />
<br />
<section name="configuration" description="Various Configuration"><br />
<br />
<configuration name="modules.conf" description="Modules"><br />
<modules><br />
<load module="mod_commands"/><br />
<load module="mod_console"/><br />
<load module="mod_dptools"/><br />
<load module="mod_dialplan_xml"/><br />
<load module="mod_event_socket"/><br />
<load module="mod_logfile"/><br />
<load module="mod_sofia"/><br />
</modules><br />
</configuration><br />
<br />
<configuration name="console.conf" description="Console Logger"><br />
<mappings><br />
<map name="all" value="console,debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
<settings><br />
<param name="loglevel" value="info"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="logfile.conf" description="File Logging"><br />
<settings><br />
<param name="rotate-on-hup" value="true"/><br />
</settings><br />
<profiles><br />
<profile name="default"><br />
<settings><br />
<param name="rollover" value="10485760"/><br />
</settings><br />
<mappings><br />
<map name="all" value="debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
</profile><br />
</profiles><br />
</configuration><br />
<br />
<configuration name="sofia.conf" description="sofia Endpoint"><br />
<global_settings><br />
<param name="log-level" value="0"/><br />
<param name="debug-presence" value="0"/><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="log-auth-failures" value="false"/><br />
<param name="forward-unsolicited-mwi-notify" value="false"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="5060"/><br />
<param name="dialplan" value="XML"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="tls" value="false"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="auth-all-packets" value="false"/><br />
<param name="rtp-timeout-sec" value="300"/><br />
<param name="rtp-hold-timeout-sec" value="1800"/><br />
<param name="challenge-realm" value="auto_from"/><br />
</global_settings><br />
<br />
<profiles><br />
<profile name="$${domain}"><br />
<domains><br />
<domain name="all" alias="false" parse="true"/><br />
</domains><br />
<settings><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="$${external_sip_port}"/><br />
<param name="dialplan" value="XML"/><br />
<param name="context" value="default"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/><br />
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="local-network-acl" value="rfc1918.auto"/><br />
<param name="manage-presence" value="false"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="rtp-ip" value="$${b2bua}"/><br />
<param name="sip-ip" value="$${b2bua}"/><br />
<param name="tls" value="false"/><br />
</settings><br />
</profile> <br />
</profiles> <br />
<br />
</configuration><br />
<br />
<configuration name="switch.conf" description="Core Configuration"><br />
<br />
<cli-keybindings><br />
<key name="1" value="help"/><br />
<key name="2" value="status"/><br />
<key name="3" value="show channels"/><br />
<key name="4" value="show calls"/><br />
<key name="5" value="sofia status"/><br />
<key name="6" value="reloadxml"/><br />
</cli-keybindings><br />
<br />
<settings><br />
<param name="colorize-console" value="true"/><br />
<param name="max-sessions" value="1000"/><br />
<param name="sessions-per-second" value="30"/><br />
<param name="loglevel" value="debug"/><br />
<param name="dump-cores" value="yes"/><br />
<param name="rtp-enable-zrtp" value="false"/><br />
<param name="rtp-start-port" value="13000"/><br />
<param name="rtp-end-port" value="18000"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="post_load_modules.conf" description="Post-load modules"/><br />
<br />
</section><br />
<br />
<!-- Incoming Calls --><br />
<section name="dialplan" description="Regex/XML Dialplan"><br />
<context name="default"><br />
<extension name="b2b-in"><br />
<condition field="destination_number" expression="^(\d*)$"><br />
<action application="set" data="ringback=%(2000,4000,440.0,480.0)"/><br />
<action application="set" data="hangup_after_bridge=true"/><br />
<action application="set" data="continue_on_fail=true"/><br />
<action application="set" data="ignore_early_media=true"/> <br />
<action application="set" data="bypass_media=true"/> <br />
<action application="answer"/><br />
<action application="sleep" data="1000"/><br />
<action application="unset" data="sip_h_P-ARP"/><br />
<action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/><br />
</condition><br />
</extension><br />
</context> <br />
</section><br />
</document><br />
</pre><br />
}}<br />
Start Freeswitch and configure to start at boot<br />
{{Cmd|/etc/init.d/freeswitch start<br />
rc-update add freeswitch}}<br />
= Install the wifi Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n wifi -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.wifi}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/wifi/config, to reflect the network for the wifi container<br />
<br />
{{cat|/var/lib/lxc/wifi/config|<br />
...<br />
lxc.network.link {{=}} bond0.701<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.wifi start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.wifi}}<br />
<br />
== Enter the wifi container ==<br />
{{Cmd|lxc-console -n wifi}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
auto eth1<br />
iface eth1 inet static<br />
address <%WIFI_TRANSIT_IP_ADDRESS%><br />
netmask <%WIFI_TRANSIT_NETMASK%><br />
gateway <%DMVPN_WIFI_TRANSIT_IP_ADDRESS%><br />
<br />
auto eth2<br />
iface eth2 inet static<br />
address <%WIFI_MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set a root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
{{Todo|Need to lock down firewall rules}}<br />
<br />
==Install and Configure the Recursive DNS Service ==<br />
Install unbound package<br />
{{Cmd|apk add unbound}}<br />
With your favorite editor configure /etc/unbound/unbound.conf<br />
{{cat|/etc/unbound/unbound.conf|<br />
server:<br />
verbosity: 1<br />
interface: 172.17.48.1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 172.17.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
do-not-query-localhost: no<br />
<br />
root-hints: "/etc/unbound/root.hints"<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
== Install and Configure the Proxy service ==<br />
Install the necessary packages<br />
{{Cmd|apk add squid squark lighttpd}}<br />
With your preferred editor configure /etc/squid/squid.conf<br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for BSNA<br />
<br />
# This port listens for client requests<br />
http_port 172.17.48.1:8080 transparent<br />
http_port 127.0.0.1:8081<br />
<br />
visible_hostname rbsna.resnet.local<br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
dns_nameservers 172.17.48.1<br />
<br />
# <br />
# Authentication<br />
#<br />
# Squark external acl<br />
#external_acl_type squark_snmp_auth_D children-max=1 ttl=4 grace=1 negative_ttl=0 concurrency=128 %SRC /usr/bin/squark-auth-snmp -c public -R <SWITCH_IP> -i <D_VLAN_IF> -v <D_VLAN_ID> -f "%N-%i=%I" -T /etc/squark/topology.conf<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst 172.17.48.1<br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
#acl SquarkAuth external squark_auth<br />
#acl SquarkSnmpAuthD external squark_snmp_auth_D<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones<br />
acl Zone_D src 172.17.48.0/24<br />
<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_D to access the entire Internet<br />
http_access allow Zone_D<br />
<br />
# Denying all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#Finally, permit access<br />
url_rewrite_access allow Zone_D<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
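Because http_access is evaluated first-match, the deny lines placed above "http_access allow Zone_D" are what keep CONNECT limited to the SSL ports and block requests to unsafe ports. The following simulator is an added example, not code from the wiki page or from Squid; it encodes the ACLs and http_access lines above and evaluates constructed client requests against them, including a misordered copy of the rules.<br />

```python
"""First-match simulator for the Zone_D http_access policy above (added example)."""
import ipaddress

# ACL definitions mirroring /etc/squid/squid.conf above.
SSL_PORTS = {443, 563, 8004, 9000}
SAFE_PORTS = {21, 70, 80, 81, 210, 280, 443, 563, 499, 591, 777, 1024, 1022}
SAFE_PORTS |= set(range(1025, 65536))
LOCALHOST = ipaddress.ip_network("127.0.0.0/8")
ZONE_D = ipaddress.ip_network("172.17.48.0/24")

ACLS = {
    # Squid 2.7 defines "acl manager proto cache_object" for the cache manager
    "manager":    lambda r: r["proto"] == "cache_object",
    "localhost":  lambda r: ipaddress.ip_address(r["src"]) in LOCALHOST,
    "purge":      lambda r: r["method"] == "PURGE",
    "CONNECT":    lambda r: r["method"] == "CONNECT",
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
    "SSL_ports":  lambda r: r["port"] in SSL_PORTS,
    "Zone_D":     lambda r: ipaddress.ip_address(r["src"]) in ZONE_D,
    "all":        lambda r: True,
}

# http_access lines in the order they appear in squid.conf; "!" negates an ACL.
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny",  ["purge"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["Zone_D"]),
    ("deny",  ["all"]),
]

# The same lines with the Zone_D allow moved to the top, to show why order matters.
MISORDERED = [HTTP_ACCESS[6]] + HTTP_ACCESS[:6] + [HTTP_ACCESS[7]]


def request(src, method="GET", port=80, proto="http"):
    """Build a constructed client request as Squid would see it."""
    return {"src": src, "method": method, "port": port, "proto": proto}


def line_matches(acl_names, req):
    """A line matches only when every listed ACL matches (AND semantics)."""
    for name in acl_names:
        negate = name.startswith("!")
        if ACLS[name.lstrip("!")](req) == negate:
            return False
    return True


def http_access(req, rules=HTTP_ACCESS):
    """Return 'allow' or 'deny' for req: the first matching line decides.
    If no line matches, Squid applies the opposite of the last line's action."""
    for action, acl_names in rules:
        if line_matches(acl_names, req):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for req in (request("172.17.48.10"),
                request("172.17.48.10", "CONNECT", 8080),
                request("10.0.0.5")):
        print(req, "->", http_access(req), "| misordered:", http_access(req, MISORDERED))
```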
Configure lighttpd<br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
<br />
include "mime-types.conf"<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
<br />
<br />
server.follow-symlink = "enable"<br />
<br />
server.port = 81<br />
server.bind = "172.17.48.1"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("172.17.48.1" => "trust")<br />
</pre><br />
}}<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
<br />
# vim: set ft=conf foldmethod=marker et :<br />
</pre><br />
}}<br />
Link Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
Make the 'squid' and 'lighttpd' users members of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
Start lighttpd and configure the Web service to start at boot<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
Start Squid and configure it to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9823
Small Office Services
2014-01-23T19:37:15Z
<p>Cewebb: /* Install the DHCP and DNS server Container */ WiFI Network sorted out, and will receive DHCP from the dhcpdns container</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
{{Todo|Need to decide what should be the appropriate hardware for the setup}}<br />
<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Type'' '''none''' ''(pressing Enter would accept the default, dhcp)''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
bond-updelay 500<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
The echo takes effect immediately but does not survive a reboot; add the setting to /etc/sysctl.conf as well, which the sysctl service applies at boot (lbu commit picks the file up).<br />
{{cat|/etc/sysctl.conf|<br />
net.ipv4.ip_forward {{=}} 1<br />
}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the base policy for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall and have iptables start automatically at boot<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate -f<br />
rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf. The macvlan interfaces in bridge mode let the containers on a VLAN talk to each other and to the rest of that VLAN, but not to the host's own address on the same parent interface, so reach the containers from another host on the management VLAN or through lxc-console.<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
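To see what the drop list above actually leaves a container with, here is an added example (not part of this page or of LXC) that takes the lxc.cap.drop lines as written, unions them the way LXC does, and lists the capabilities that are still retained; the capability list is the kernel's own, and the per-capability notes summarise capabilities(7).<br />

```python
"""Added example: what does the lxc.cap.drop list above leave a container with?

Not part of the wiki page or of LXC. DEFAULT_CONF is the page's
/etc/lxc/default.conf with the equals signs written plainly. ALL_CAPS follows
the kernel's capability numbering (include/uapi/linux/capability.h, Linux 3.x).
"""

DEFAULT_CONF = """\
## Allow containers in the same VLAN to see each other
lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.link = bond0.3
lxc.network.name = eth0

## Restrict capabilities of the containers
lxc.cap.drop = sys_admin audit_control audit_write fsetid ipc_lock
lxc.cap.drop = ipc_owner lease linux_immutable mac_admin mac_override
lxc.cap.drop = mknod setfcap setpcap sys_module sys_nice sys_pacct
lxc.cap.drop = sys_ptrace sys_rawio sys_tty_config sys_time
"""

# Capability names in kernel numbering order, spelled as lxc.cap.drop expects them.
ALL_CAPS = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read"
).split()

# Retained capabilities that deserve a second look, with what root inside the
# container can still do with each one (summarised from capabilities(7)).
WATCH = {
    "dac_override": "bypass file read, write and execute permission checks",
    "dac_read_search": "bypass file read and directory search permission checks",
    "net_admin": "change the container's interfaces, routes and netfilter rules",
    "net_raw": "open raw and packet sockets (capture and forge packets on eth0)",
    "sys_chroot": "call chroot(2)",
    "sys_resource": "override resource limits and disk quotas",
    "setuid": "make arbitrary uid changes",
}


def parse_cap_drop(conf_text):
    """Union of every lxc.cap.drop line: LXC appends to the list, it does not overwrite."""
    dropped = set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        key, _, value = line.partition("=")
        if key.strip() == "lxc.cap.drop":
            dropped.update(value.split())
    return dropped


def retained_caps(conf_text):
    """Capabilities the container keeps, in kernel order.

    A name LXC does not know makes lxc-start refuse to start the container,
    so it is treated as an error here as well.
    """
    dropped = parse_cap_drop(conf_text)
    unknown = dropped - set(ALL_CAPS)
    if unknown:
        raise ValueError("unknown capability in lxc.cap.drop: %s" % ", ".join(sorted(unknown)))
    return [cap for cap in ALL_CAPS if cap not in dropped]


def review(conf_text):
    """Retained capabilities from the WATCH list, with their consequence."""
    return {cap: WATCH[cap] for cap in retained_caps(conf_text) if cap in WATCH}


if __name__ == "__main__":
    kept = retained_caps(DEFAULT_CONF)
    print("%d of %d capabilities retained: %s" % (len(kept), len(ALL_CAPS), " ".join(kept)))
    for cap, why in review(DEFAULT_CONF).items():
        print("  %-16s %s" % (cap, why))
```

With the page's list, 20 of 38 capabilities are dropped and 18 remain, among them net_admin, net_raw, dac_override and sys_chroot; whether those are acceptable depends on what each container runs, and the WATCH table is the place to record that decision.<br />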
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|To leave the container console press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}} (the lxc-console escape sequence)}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN host's awall policy so that this proxy can reach the Internet. This is configured on the DMVPN host, not in the container; the policy below assumes that the zones B and E and the variable WEB_PROXY (the proxy's address) are defined in that host's awall configuration. awall policies are JSON, so keep them strictly valid (no trailing comma after the last element).<br />
{{cat|/etc/awall/optional/internet-host.json|<br />
{<br />
"description": "Web proxy out to the Internet",<br />
<br />
"filter": [<br />
{ "in": "B", "src": "$WEB_PROXY", "out": "E", "action": "accept" }<br />
]<br />
}<br />
}}<br />
Enable it on the DMVPN host with '''awall enable internet-host''' followed by '''awall activate'''.<br />
<br />
Configure remote administration. PasswordAuthentication is switched off, so put your public key in /root/.ssh/authorized_keys (file mode 600, directory mode 700) before relying on SSH access; the root password set further down is only for the console.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall and have iptables start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replacing <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%> and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Catch-all source ACL; not referenced by any http_access line below<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Denying all access not explictly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
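Squid applies http_access lines top to bottom: every ACL on a line must match, the first line that matches decides, and when no line matches the opposite of the last line's action is used (which is why the list must end with ''deny all''). The following is an added example, not taken from this page or from Squid, that models those rules in Python for the ACL types used above and runs a few constructed requests through the policy; the addresses and domains in it are stand-ins for the <%...%> placeholders, and the same evaluation applies to the Zone_D rules of the DMVPN configuration above.<br />

```python
"""Added example, not from the wiki page or from Squid: a model of how Squid
decides http_access for the ACL types used above, so rule ordering can be
checked without a running proxy. Rules modelled (squid.conf, http_access):
  * lines are tried top to bottom and every ACL on a line must match (AND);
  * "!" negates one ACL; the first line whose ACLs all match decides;
  * if no line matches, the opposite of the LAST line's action applies.
SQUID_CONF is the page's ACL section with constructed addresses and domains
standing in for the <%...%> placeholders.
"""
import ipaddress

SQUID_CONF = """
acl localhost src 127.0.0.1/32
acl manager proto cache_object
acl to_localhost dst 10.1.101.10/32
acl SSL_ports port 443 563 8004 9000
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
acl Zone_B src 10.1.0.0/16
acl Zone_B_AllowedUserDomains dstdomain .example.com
acl Zone_B_AllowedServicesHosts src 10.1.20.5/32
acl Zone_B_AllowedServicesDomains dstdomain updates.example.net
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow Zone_B Zone_B_AllowedUserDomains
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains
http_access deny all
"""


def parse_config(text):
    """acl definitions (same-name lines merge, as in Squid) and http_access lines."""
    acls = {"all": ("src", ["0.0.0.0/0"])}          # Squid's builtin "all"
    rules = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words and words[0] == "acl":
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(kind, args, req):
    """Does one ACL of the given type match the request record?"""
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req[kind])
        return any(addr in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "port":                              # single ports or lo-hi ranges
        return any(int(lo) <= req["port"] <= int(hi or lo)
                   for lo, _, hi in (a.partition("-") for a in args))
    if kind in ("method", "proto"):
        return req[kind] in args
    if kind == "dstdomain":                         # ".x" also matches subdomains of x
        host = req["host"].lower()
        return any(host == a.lstrip(".") or (a.startswith(".") and host.endswith(a))
                   for a in map(str.lower, args))
    raise ValueError("acl type not modelled: %s" % kind)


def evaluate(acls, rules, req):
    """Return (action, index of the deciding line), or (implicit action, None)."""
    for i, (action, terms) in enumerate(rules):
        for term in terms:
            kind, args = acls[term.lstrip("!")]
            if acl_matches(kind, args, req) == term.startswith("!"):
                break                               # this ACL fails: try the next line
        else:
            return action, i
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


ACLS, RULES = parse_config(SQUID_CONF)


def request(src, method, host, port, dst="93.184.216.34", proto="http"):
    """Constructed request record; dst is the address the URL host resolves to."""
    return {"src": src, "method": method, "host": host, "port": port, "dst": dst, "proto": proto}


def decide(req, rules=RULES):
    return evaluate(ACLS, rules, req)


if __name__ == "__main__":
    for r in (request("10.1.3.7", "GET", "www.example.com", 80),
              request("10.1.3.7", "CONNECT", "www.example.com", 8080),
              request("10.1.3.7", "GET", "evil.example.org", 80),
              request("10.1.20.5", "GET", "updates.example.net", 80)):
        print(r["src"], r["method"], r["host"], r["port"], "->", decide(r))
    # Keep only the deny lines (RULES[:6]): the last line is now a deny, so an
    # unmatched request is implicitly ALLOWED. Always finish with "deny all".
    print("deny lines only:", decide(request("10.1.3.7", "GET", "evil.example.org", 80), RULES[:6]))
```

The last line of the output shows the trap: with the allow lines and the final ''deny all'' removed, the request that the full policy denied is let through, which is what to check whenever the end of the http_access list is edited.<br />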
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n dhcpdns -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.dhcpdns}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/dhcpdns/config, to give the DHCP/DNS container one interface on each VLAN it serves (the names set here are the interface names seen inside the container)<br />
<br />
{{cat|/var/lib/lxc/dhcpdns/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.dhcpdns start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.dhcpdns}}<br />
<br />
== Enter the dhcpdns container ==<br />
{{Cmd|lxc-console -n dhcpdns}}<br />
Login as root<br />
{{Note|To leave the container console press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}} (the lxc-console escape sequence)}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Voice VLAN (lxc.network.name eth_1101 in the container config)<br />
auto eth_1101<br />
iface eth_1101 inet static<br />
address <%DHCPDNS_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
# Second address on the voice VLAN, used by nsd (unbound listens on the first)<br />
up ip address add <%DHCPDNS_VOICE_IP_ADDRESS2%>/25 dev $IFACE<br />
<br />
#Management VLAN (eth_3)<br />
auto eth_3<br />
iface eth_3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
<br />
#WiFi VLAN (eth_701)<br />
auto eth_701<br />
iface eth_701 inet static<br />
address <%DHCPDNS_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dhcp.json|<br />
{<br />
"description": "DHCP",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dhcp",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dns.json|<br />
{<br />
"description": "DNS",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dns",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall and have iptables start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable dhcp<br />
awall enable dns<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%DHCPDNS_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%DHCPDNS_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (nsd is installed further down)<br />
{{Cmd|apk add unbound}}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
# Listen on every address handed out as domain-name-servers by dhcpd above<br />
interface: <%DHCPDNS_VOICE_IP_ADDRESS%><br />
interface: <%DHCPDNS_WIFI_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
# Only answer the office networks; queries from anywhere else are refused<br />
access-control: 10.1.0.0/16 allow<br />
# WiFi subnet in CIDR form (only needed if it is not inside 10.1.0.0/16)<br />
access-control: <%WIFI_SUBNET%>/<%WIFI_SLASH_NOTATION%> allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints"<br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%DHCPDNS_VOICE_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
}}<br />
Start Unbound, enable it at boot and point the container's own resolver at it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%DHCPDNS_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%DHCPDNS_VOICE_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Configure the zone file for nsd (the file name must match the zonefile setting above). ns1 carries the address nsd listens on, the NAPTR replacement names the owner of the SRV records (RFC 3263), and every SRV target has an A record.<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
; Name servers (nsd listens on the second voice address)<br />
@ IN NS ns1<br />
ns1 IN A <%DHCPDNS_VOICE_IP_ADDRESS2%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record: sends SIP clients to the _sip._udp SRV records below<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Records<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
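The NAPTR record only does its job if its replacement field names an owner that actually has SRV records, and every NS and SRV target needs an address record; nsd-checkconf checks the syntax of nsd.conf only. Here is an added example, not part of this page or of nsd, with a small parser for the zone syntax used above and a consistency check over the parsed records; the zone text is constructed from the page's zone with sample addresses in place of the placeholders, in a broken and a corrected variant.<br />

```python
"""Added example, not from the wiki page or from nsd: a minimal parser for the
zone syntax used above plus referential checks that a zone load does not do:
  * the SOA MNAME and every NS and SRV target have an A/AAAA record,
  * every NAPTR with flag "s" names an owner that actually has SRV records.
Handles $ORIGIN, $TTL, ";" comments, quoted strings and the bracketed
multi-line SOA. The addresses below are constructed sample values.
"""
import shlex

# Index of the domain name inside the rdata, by record type.
NAME_FIELD = {"NS": 0, "CNAME": 0, "SOA": 0, "SRV": 3, "NAPTR": 5}


def fqdn(name, origin):
    """Make a zone-file name absolute relative to the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text):
    """Return [(owner, type, rdata)] with owner and rdata names made absolute."""
    origin, depth, buf, records = ".", 0, [], []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth > 0:                                  # still inside ( ... )
            continue
        toks, buf = shlex.split(" ".join(buf)), []
        if not toks or toks[0] == "$TTL":
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        owner, rest = fqdn(toks[0], origin), toks[1:]
        while rest and (rest[0].isdigit() or rest[0] == "IN"):   # optional TTL, class
            rest.pop(0)
        rtype, rdata = rest[0], rest[1:]
        if rtype in NAME_FIELD:
            rdata[NAME_FIELD[rtype]] = fqdn(rdata[NAME_FIELD[rtype]], origin)
        records.append((owner, rtype, rdata))
    return records


def check_zone(text):
    """Return a list of problems; empty when the zone is self-consistent."""
    records = parse_zone(text)
    has_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    srv_owners = {o for o, t, _ in records if t == "SRV"}
    problems = []
    for owner, rtype, rdata in records:
        if rtype in ("NS", "SOA", "SRV") and rdata[NAME_FIELD[rtype]] not in has_addr:
            problems.append("%s %s -> %s has no A/AAAA record" % (owner, rtype, rdata[NAME_FIELD[rtype]]))
        elif rtype == "NAPTR" and rdata[2].lower() == "s" and rdata[5] not in srv_owners:
            problems.append("%s NAPTR -> %s owns no SRV records" % (owner, rdata[5]))
    return problems


# The page's zone as first written (sample addresses): the SOA names "ns" but only
# "ns1" exists, the voicemail host is labelled "map" while the SRV says "vmail",
# and both NAPTR replacements point one label too deep.
BROKEN_ZONE = """\
$ORIGIN office.example.net.
$TTL 86400
@ IN SOA ns admin (
        2013032200 ; Serial number [yyyymmddnn]
        28800      ; Refresh
        7200       ; Retry
        864000     ; Expire
        86400      ; Min TTL
        )
@ NS ns1
ns1 IN A 10.1.11.3
sip IN A 10.1.11.20
map IN A 10.1.11.21
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.sip.office.example.net.
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.vmail.office.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""

# The same zone with the three mistakes corrected.
FIXED_ZONE = (BROKEN_ZONE
              .replace("SOA ns admin", "SOA ns1 admin")
              .replace("map IN A", "vmail IN A")
              .replace('"" _sip._udp.sip.office.example.net.\n', '"" _sip._udp.office.example.net.\n')
              .replace('@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.vmail.office.example.net.\n', ""))

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, check_zone(zone) or "ok")
```

Running it reports four problems for the broken variant (dangling SOA MNAME, two NAPTR replacements without SRV records, an SRV target without an address) and none for the corrected one; run check_zone over the real zone file after substituting the placeholders, before nsd is started.<br />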
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|To leave the container console press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}} (the lxc-console escape sequence)}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall and have iptables start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure PostgreSQL ==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf so that 'listen_addresses' and 'log_destination' read:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Listening on the voice VLAN address exposes port 5432 to that VLAN; the awall policies above do not accept it, and which clients may connect should additionally be restricted in pg_hba.conf in the same directory.<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
== Install Kamailio ==<br />
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio<br />
<br />
=Install the B2BUA container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n b2bua -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.b2bua}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/b2bua/config, to reflect the network for the B2BUA container<br />
<br />
{{cat|/var/lib/lxc/b2bua/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.b2bua start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.b2bua}}<br />
<br />
== Enter the B2BUA container ==<br />
{{Cmd|lxc-console -n b2bua}}<br />
Login as root<br />
{{Note|To leave the container console press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}} (the lxc-console escape sequence)}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%B2BUA_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip-track.json|<br />
{<br />
<br />
"description": "Phone system with SIP connection tracking",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Enable and activate firewall policies, and configure iptables to start at boot<br />
{{Cmd|awall enable base<br />
awall enable sip-track<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure Freeswitch ==<br />
Install package<br />
{{Cmd|apk add freeswitch}}<br />
<br />
Configure /etc/freeswitch/freeswitch.xml<br />
{{cat|/etc/freeswitch/freeswitch.xml|<br />
<pre><br />
<?xml version="1.0"?><br />
<document type="freeswitch/xml"><br />
<br />
<!-- Variables we need to set --><br />
<br />
<X-PRE-PROCESS cmd="set" data="b2bua=<%B2BUA_IP_ADDRESS%>"/><br />
<X-PRE-PROCESS cmd="set" data="domain=office.example.net"/><br />
<X-PRE-PROCESS cmd="set" data="siprouter=office.example.net"/><br />
<br />
<!-- Variables we don't need to set --><br />
<br />
<!-- External SIP Profile --><br />
<X-PRE-PROCESS cmd="set" data="external_sip_port=5060"/><br />
<!-- Global codecs --><br />
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/><br />
<!-- Outbound codecs --><br />
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/><br />
<br />
<section name="configuration" description="Various Configuration"><br />
<br />
<configuration name="modules.conf" description="Modules"><br />
<modules><br />
<load module="mod_commands"/><br />
<load module="mod_console"/><br />
<load module="mod_dptools"/><br />
<load module="mod_dialplan_xml"/><br />
<load module="mod_event_socket"/><br />
<load module="mod_logfile"/><br />
<load module="mod_sofia"/><br />
</modules><br />
</configuration><br />
<br />
<configuration name="console.conf" description="Console Logger"><br />
<mappings><br />
<map name="all" value="console,debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
<settings><br />
<param name="loglevel" value="info"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="logfile.conf" description="File Logging"><br />
<settings><br />
<param name="rotate-on-hup" value="true"/><br />
</settings><br />
<profiles><br />
<profile name="default"><br />
<settings><br />
<param name="rollover" value="10485760"/><br />
</settings><br />
<mappings><br />
<map name="all" value="debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
</profile><br />
</profiles><br />
</configuration><br />
<br />
<configuration name="sofia.conf" description="sofia Endpoint"><br />
<global_settings><br />
<param name="log-level" value="0"/><br />
<param name="debug-presence" value="0"/><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="log-auth-failures" value="false"/><br />
<param name="forward-unsolicited-mwi-notify" value="false"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="5060"/><br />
<param name="dialplan" value="XML"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="tls" value="false"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="auth-all-packets" value="false"/><br />
<param name="rtp-timeout-sec" value="300"/><br />
<param name="rtp-hold-timeout-sec" value="1800"/><br />
<param name="challenge-realm" value="auto_from"/><br />
</global_settings><br />
<br />
<profiles><br />
<profile name="$${domain}"><br />
<domains><br />
<domain name="all" alias="false" parse="true"/><br />
</domains><br />
<settings><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="$${external_sip_port}"/><br />
<param name="dialplan" value="XML"/><br />
<param name="context" value="default"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/><br />
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="local-network-acl" value="rfc1918.auto"/><br />
<param name="manage-presence" value="false"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="rtp-ip" value="$${b2bua}"/><br />
<param name="sip-ip" value="$${b2bua}"/><br />
<param name="tls" value="false"/><br />
</settings><br />
</profile> <br />
</profiles> <br />
<br />
</configuration><br />
<br />
<configuration name="switch.conf" description="Core Configuration"><br />
<br />
<cli-keybindings><br />
<key name="1" value="help"/><br />
<key name="2" value="status"/><br />
<key name="3" value="show channels"/><br />
<key name="4" value="show calls"/><br />
<key name="5" value="sofia status"/><br />
<key name="6" value="reloadxml"/><br />
</cli-keybindings><br />
<br />
<settings><br />
<param name="colorize-console" value="true"/><br />
<param name="max-sessions" value="1000"/><br />
<param name="sessions-per-second" value="30"/><br />
<param name="loglevel" value="debug"/><br />
<param name="dump-cores" value="yes"/><br />
<param name="rtp-enable-zrtp" value="false"/><br />
<param name="rtp-start-port" value="13000"/><br />
<param name="rtp-end-port" value="18000"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="post_load_modules.conf" description="Post-load modules"/><br />
<br />
</section><br />
<br />
<!-- Incoming Calls --><br />
<section name="dialplan" description="Regex/XML Dialplan"><br />
<context name="default"><br />
<extension name="b2b-in"><br />
<condition field="destination_number" expression="^(\d*)$"><br />
<action application="set" data="ringback=%(2000,4000,440.0,480.0)"/><br />
<action application="set" data="hangup_after_bridge=true"/><br />
<action application="set" data="continue_on_fail=true"/><br />
<action application="set" data="ignore_early_media=true"/> <br />
<action application="set" data="bypass_media=true"/> <br />
<action application="answer"/><br />
<action application="sleep" data="1000"/><br />
<action application="unset" data="sip_h_P-ARP"/><br />
<action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/><br />
</condition><br />
</extension><br />
</context> <br />
</section><br />
</document><br />
</pre><br />
}}<br />
Start Freeswitch and configure to start at boot<br />
{{Cmd|/etc/init.d/freeswitch start<br />
rc-update add freeswitch}}<br />
= Install the wifi Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n wifi -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.wifi}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/wifi/config, to reflect the network for the wifi container<br />
<br />
{{cat|/var/lib/lxc/wifi/config|<br />
...<br />
lxc.network.link {{=}} bond0.701<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.wifi start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.wifi}}<br />
<br />
== Enter the wifi container ==<br />
{{Cmd|lxc-console -n wifi}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WIFI_IP_ADDRESS%><br />
netmask <%VPNc_WIFI_NETMASK%><br />
<br />
auto eth1<br />
iface eth1 inet static<br />
address <%WIFI_TRANSIT_IP_ADDRESS%><br />
netmask <%WIFI_TRANSIT_NETMASK%><br />
gateway <%DMVPN_WIFI_TRANSIT_IP_ADDRESS%><br />
<br />
auto eth2<br />
iface eth2 inet static<br />
address <%WIFI_MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
{{Todo|Need to lock down firewall rules}}<br />
<br />
==Install and Configure the Recursive DNS Service ==<br />
Install unbound package<br />
{{Cmd|apk add unbound}}<br />
With your favorite editor configure /etc/unbound/unbound.conf<br />
{{cat|/etc/unbound/unbound.conf|<br />
server:<br />
verbosity: 1<br />
interface: 172.17.48.1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 172.17.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
do-not-query-localhost: no<br />
<br />
root-hints: "/etc/unbound/root.hints"<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
== Install and Configure the Proxy service ==<br />
Install the necessary packages<br />
{{Cmd|apk add squid squark lighttpd}}<br />
With your preferred editor configure /etc/squid/squid.conf<br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for BSNA<br />
<br />
# This port listens for client requests<br />
http_port 172.17.48.1:8080 transparent<br />
http_port 127.0.0.1:8081<br />
<br />
visible_hostname rbsna.resnet.local<br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
dns_nameservers 172.17.48.1<br />
<br />
# <br />
# Authentication<br />
#<br />
# Squark external acl<br />
#external_acl_type squark_snmp_auth_D children-max=1 ttl=4 grace=1 negative_ttl=0 concurrency=128 %SRC /usr/bin/squark-auth-snmp -c public -R <SWITCH_IP> -i <D_VLAN_IF> -v <D_VLAN_ID> -f "%N-%i=%I" -T /etc/squark/topology.conf<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst 172.17.48.1<br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
#acl SquarkAuth external squark_auth<br />
#acl SquarkSnmpAuthD external squark_snmp_auth_D<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones<br />
acl Zone_D src 172.17.48.0/24<br />
<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_D to access the entire Internet<br />
http_access allow Zone_D<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#Finally, permit access<br />
url_rewrite_access allow Zone_D<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
Configure lighttpd<br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
<br />
include "mime-types.conf"<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
<br />
<br />
server.follow-symlink = "enable"<br />
<br />
server.port = 81<br />
server.bind = "172.17.48.1"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("172.17.48.1" => "trust")<br />
</pre><br />
}}<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
<br />
# vim: set ft=conf foldmethod=marker et :<br />
</pre><br />
}}<br />
Link Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
Start lighttpd and configure the Web service to start at boot<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
Start Squid and configure it to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9822
Small Office Services
2014-01-23T16:55:03Z
<p>Cewebb: renamed netserv to dhcpdns</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
{{Todo|Need to decide what should be the appropriate hardware for the setup}}<br />
<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
bond-updelay 500<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
This takes effect immediately but is lost at reboot; to keep forwarding enabled across reboots, also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf.<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the base policy for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate -f<br />
rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add the following entry to the filter list of the DMVPN awall policy to allow this proxy out to the internet<br />
{{Note| this is to be configured on the DMVPN awall config}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
}<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
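The "Configure remote administration" steps on this page (the b2bua, wifi and webproxy containers) all rely on sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/", which only rewrites a line that reads exactly #PasswordAuthentication yes. If the packaged sshd_config already carries the directive uncommented, or with a space after the #, the substitution silently changes nothing and password logins remain enabled. The POSIX shell helpers below are an added example, not part of the wiki page or of Alpine's setup-sshd: they set a directive whether it is commented, uncommented or absent, then verify that exactly one effective occurrence with the wanted value exists before sshd is restarted. They assume a plain sshd_config without Match blocks.<br />

```shell
# Added example (not from the wiki page or from setup-sshd): set an sshd_config
# directive idempotently and verify it, instead of relying on a sed pattern
# that only matches the exact commented default line.
# Assumptions: a plain sshd_config without Match blocks; a directive may
# appear commented ("#Key value"), uncommented, or not at all.

# Set KEY to VALUE in CONF (default /etc/ssh/sshd_config).
sshd_set_directive() {
    key=$1
    value=$2
    conf=${3:-/etc/ssh/sshd_config}
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$conf"; then
        # Rewrite every commented or uncommented occurrence to the wanted value.
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$conf"
    else
        # Directive absent: append it so it actually takes effect.
        printf '%s %s\n' "$key" "$value" >> "$conf"
    fi
}

# Succeed only if exactly one effective (uncommented) KEY line exists and it
# carries VALUE; sshd honours the first occurrence, so a stray duplicate
# earlier in the file would override a hardened line further down.
sshd_check_directive() {
    key=$1
    value=$2
    conf=${3:-/etc/ssh/sshd_config}
    wanted=$(grep -Ec "^[[:space:]]*${key}[[:space:]]+${value}[[:space:]]*$" "$conf" || true)
    total=$(grep -Ec "^[[:space:]]*${key}[[:space:]]" "$conf" || true)
    [ "$wanted" -eq 1 ] && [ "$total" -eq 1 ]
}

# Apply the two settings the page configures, then verify; returns non-zero
# if either directive is not in effect, so callers can refuse to restart sshd.
harden_sshd() {
    conf=${1:-/etc/ssh/sshd_config}
    sshd_set_directive PasswordAuthentication no "$conf"
    sshd_set_directive UseDNS no "$conf"
    sshd_check_directive PasswordAuthentication no "$conf" &&
        sshd_check_directive UseDNS no "$conf"
}
```

Run harden_sshd && sshd -t && /etc/init.d/sshd restart inside the container in place of the two sed lines; the verification step is what makes the hardening observable rather than assumed.<br />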
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access hosts listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
<br />
Configure /etc/lighttpd/lighttpd.conf, replacing <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make the 'squid' and 'lighttpd' users members of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure it to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n dhcpdns -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.dhcpdns}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/dhcpdns/config, to reflect the networks for the DHCP/DNS container<br />
<br />
{{cat|/var/lib/lxc/dhcpdns/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.dhcpdns start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.dhcpdns}}<br />
<br />
== Enter the dhcpdns container ==<br />
{{Cmd|lxc-console -n dhcpdns}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Voice VLAN<br />
auto eth0<br />
iface eth0 inet static<br />
address <%DHCPDNS_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
up ip address add <%DHCPDNS_VOICE_IP_ADDRESS2%>/25 dev eth0<br />
#Management VLAN<br />
auto eth1<br />
iface eth1 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
<br />
<br />
#WiFi VLAN<br />
auto eth2<br />
iface eth2 inet static<br />
address <%DHCPDNS_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
<br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dhcp.json|<br />
{<br />
"description": "DHCP",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dhcp",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dns.json|<br />
{<br />
"description": "DNS",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dns",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable dhcp<br />
awall enable dns<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%DHCPDNS_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%DHCPDNS_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package<br />
{{Cmd|apk add unbound }}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
With your favorite editor, create a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%DHCPDNS_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%DHCPDNS_VOICE_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
}}<br />
Start Unbound and allow the container to use it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%DHCPDNS_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Create the nsd configuration<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%DHCPDNS_VOICE_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Configure Zone file for nsd<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name servers<br />
ns1 IN A <%DHCPDNS_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Records<br />
; the "s" flag points at the SRV owner name below, which lists both SIP hosts<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Record<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
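nsd-checkconf validates nsd.conf, not the zone contents, so a zone whose SRV target or NAPTR replacement points at a name that does not exist loads without complaint and SIP discovery silently fails. The checker below is an added example (not part of the wiki page or of nsd): it parses the zone-file subset used above and reports such dangling in-zone references; its sample zone is a constructed copy of the page's zone with RFC 5737 documentation addresses in place of the placeholders and two deliberate mistakes for the check to find.<br />

```python
"""Added consistency check for the nsd zone above (example code, not part of
the wiki page or of nsd).  It parses the zone-file subset used on this page
and reports dangling in-zone references: SRV targets with no A/AAAA record
and NAPTR "s" replacements with no SRV record."""

RR_TYPES = {"A", "AAAA", "NS", "SOA", "SRV", "NAPTR", "CNAME", "MX", "TXT", "PTR"}

# Constructed sample: the page's zone with RFC 5737 addresses in place of the
# <%...%> placeholders and two deliberate dangling references (the A record is
# named "map" instead of "vmail"; the NAPTR points at _sip._udp.sip.* while
# the SRV records live at _sip._udp.*).
SAMPLE_ZONE = """\
$ORIGIN office.example.net.
$TTL 86400
@ IN SOA ns1 admin (
        2013032200 ; Serial number [yyyymmddnn]
        28800 7200 864000 86400 )
@ NS ns1
; Name servers
ns1 IN A 192.0.2.10
;A Records for SIP Devices
sip IN A 192.0.2.20
map IN A 192.0.2.21
;NAPTR Records
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.sip.office.example.net.
;SIP SRV Records
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""


def _qualify(name, origin):
    """Fully qualify a relative owner/target name (lowercase, trailing dot)."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text, origin=""):
    """Return (owner, rtype, rdata_tokens) tuples.  Comments are cut at the
    first ';' (the NAPTR regexp field on this page is empty, so no quoted ';'
    occur); parenthesised records such as the SOA are joined across lines."""
    records, buf, depth, last_owner = [], "", 0, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        buf = buf + " " + line if buf else line
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue
        line, buf = buf, ""
        if not line.strip() or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        toks = line.replace("(", " ").replace(")", " ").split()
        # a leading blank means "same owner as the previous record"
        owner = last_owner if line[0].isspace() else _qualify(toks.pop(0), origin)
        last_owner = owner
        while toks and toks[0].upper() not in RR_TYPES:
            toks.pop(0)  # skip optional TTL and class fields
        if toks:
            records.append((owner, toks.pop(0).upper(), toks))
    return records


def find_dangling(records):
    """Sorted findings for in-zone targets lacking the record type the
    referring record needs; out-of-zone targets are not checked."""
    origin = next((o for o, t, _ in records if t == "SOA"), "")
    have = {}
    for owner, rtype, _ in records:
        have.setdefault(owner, set()).add(rtype)
    findings = []

    def need(owner, rtype, target, wanted):
        target = _qualify(target, origin)
        in_zone = target == origin or target.endswith("." + origin)
        if in_zone and not (have.get(target, set()) & wanted):
            findings.append(f"{rtype} {owner} -> {target} has no "
                            f"{'/'.join(sorted(wanted))} record")

    for owner, rtype, rd in records:
        if rtype == "SRV" and len(rd) == 4:        # prio weight port target
            need(owner, rtype, rd[3], {"A", "AAAA"})
        elif rtype in ("NS", "SOA") and rd:        # nameserver / SOA MNAME
            need(owner, rtype, rd[0], {"A", "AAAA"})
        elif rtype == "NAPTR" and len(rd) == 6:    # order pref flags svc regexp repl
            flags = rd[2].strip('"').lower()
            if flags == "s":
                need(owner, rtype, rd[5], {"SRV"})
            elif flags == "a":
                need(owner, rtype, rd[5], {"A", "AAAA"})
    return sorted(findings)


if __name__ == "__main__":
    for line in find_dangling(parse_zone(SAMPLE_ZONE)) or ["zone is consistent"]:
        print(line)
```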
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure Postgresql ==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf so that the 'listen_addresses' and 'log_destination' variables read:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}}'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
== Install Kamailio ==<br />
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio<br />
<br />
= Install the B2BUA Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n b2bua -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.b2bua}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/b2bua/config, to reflect the network for the B2BUA container<br />
<br />
{{cat|/var/lib/lxc/b2bua/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.b2bua start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.b2bua}}<br />
<br />
== Enter the B2BUA container ==<br />
{{Cmd|lxc-console -n b2bua}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%B2BUA_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip-track.json|<br />
{<br />
<br />
"description": "Phone system with SIP connection tracking",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Enable and activate firewall policies, and configure iptables to start at boot<br />
{{Cmd|awall enable base<br />
awall enable sip-track<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure Freeswitch ==<br />
Install package<br />
{{Cmd|Install Freeswitch Package}}<br />
<br />
Configure /etc/freeswitch/freeswitch.xml<br />
{{cat|/etc/freeswitch/freeswitch.xml|<br />
<pre><br />
<?xml version="1.0"?><br />
<document type="freeswitch/xml"><br />
<br />
<!-- Variables we need to set --><br />
<br />
<X-PRE-PROCESS cmd="set" data="b2bua=<%B2BUA_IP_ADDRESS%>"/><br />
<X-PRE-PROCESS cmd="set" data="domain=office.example.net"/><br />
<X-PRE-PROCESS cmd="set" data="siprouter=office.example.net"/><br />
<br />
<!-- Variables we don't need to set --><br />
<br />
<!-- External SIP Profile --><br />
<X-PRE-PROCESS cmd="set" data="external_sip_port=5060"/><br />
<!-- Global codecs --><br />
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/><br />
<!-- Outbound codecs --><br />
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/><br />
<br />
<section name="configuration" description="Various Configuration"><br />
<br />
<configuration name="modules.conf" description="Modules"><br />
<modules><br />
<load module="mod_commands"/><br />
<load module="mod_console"/><br />
<load module="mod_dptools"/><br />
<load module="mod_dialplan_xml"/><br />
<load module="mod_event_socket"/><br />
<load module="mod_logfile"/><br />
<load module="mod_sofia"/><br />
</modules><br />
</configuration><br />
<br />
<configuration name="console.conf" description="Console Logger"><br />
<mappings><br />
<map name="all" value="console,debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
<settings><br />
<param name="loglevel" value="info"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="logfile.conf" description="File Logging"><br />
<settings><br />
<param name="rotate-on-hup" value="true"/><br />
</settings><br />
<profiles><br />
<profile name="default"><br />
<settings><br />
<param name="rollover" value="10485760"/><br />
</settings><br />
<mappings><br />
<map name="all" value="debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
</profile><br />
</profiles><br />
</configuration><br />
<br />
<configuration name="sofia.conf" description="sofia Endpoint"><br />
<global_settings><br />
<param name="log-level" value="0"/><br />
<param name="debug-presence" value="0"/><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="log-auth-failures" value="false"/><br />
<param name="forward-unsolicited-mwi-notify" value="false"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="5060"/><br />
<param name="dialplan" value="XML"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="tls" value="false"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="auth-all-packets" value="false"/><br />
<param name="rtp-timeout-sec" value="300"/><br />
<param name="rtp-hold-timeout-sec" value="1800"/><br />
<param name="challenge-realm" value="auto_from"/><br />
</global_settings><br />
<br />
<profiles><br />
<profile name="$${domain}"><br />
<domains><br />
<domain name="all" alias="false" parse="true"/><br />
</domains><br />
<settings><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="$${external_sip_port}"/><br />
<param name="dialplan" value="XML"/><br />
<param name="context" value="default"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/><br />
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="local-network-acl" value="rfc1918.auto"/><br />
<param name="manage-presence" value="false"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="rtp-ip" value="$${b2bua}"/><br />
<param name="sip-ip" value="$${b2bua}"/><br />
<param name="tls" value="false"/><br />
</settings><br />
</profile> <br />
</profiles> <br />
<br />
</configuration><br />
<br />
<configuration name="switch.conf" description="Core Configuration"><br />
<br />
<cli-keybindings><br />
<key name="1" value="help"/><br />
<key name="2" value="status"/><br />
<key name="3" value="show channels"/><br />
<key name="4" value="show calls"/><br />
<key name="5" value="sofia status"/><br />
<key name="6" value="reloadxml"/><br />
</cli-keybindings><br />
<br />
<settings><br />
<param name="colorize-console" value="true"/><br />
<param name="max-sessions" value="1000"/><br />
<param name="sessions-per-second" value="30"/><br />
<param name="loglevel" value="debug"/><br />
<param name="dump-cores" value="yes"/><br />
<param name="rtp-enable-zrtp" value="false"/><br />
<param name="rtp-start-port" value="13000"/><br />
<param name="rtp-end-port" value="18000"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="post_load_modules.conf" description="Post-load modules"/><br />
<br />
</section><br />
<br />
<!-- Incoming Calls --><br />
<section name="dialplan" description="Regex/XML Dialplan"><br />
<context name="default"><br />
<extension name="b2b-in"><br />
<condition field="destination_number" expression="^(\d*)$"><br />
<action application="set" data="ringback=%(2000,4000,440.0,480.0)"/><br />
<action application="set" data="hangup_after_bridge=true"/><br />
<action application="set" data="continue_on_fail=true"/><br />
<action application="set" data="ignore_early_media=true"/> <br />
<action application="set" data="bypass_media=true"/> <br />
<action application="answer"/><br />
<action application="sleep" data="1000"/><br />
<action application="unset" data="sip_h_P-ARP"/><br />
<action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/><br />
</condition><br />
</extension><br />
</context> <br />
</section><br />
</document><br />
</pre><br />
}}<br />
Start Freeswitch and configure to start at boot<br />
{{Cmd|/etc/init.d/freeswitch start<br />
rc-update add freeswitch}}<br />
= Install the wifi Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n wifi -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.wifi}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/wifi/config, to reflect the network for the wifi container<br />
<br />
{{cat|/var/lib/lxc/wifi/config|<br />
...<br />
lxc.network.link {{=}} bond0.701<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.wifi start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.wifi}}<br />
<br />
== Enter the wifi container ==<br />
{{Cmd|lxc-console -n wifi}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
auto eth1<br />
iface eth1 inet static<br />
address <%WIFI_TRANSIT_IP_ADDRESS%><br />
netmask <%WIFI_TRANSIT_NETMASK%><br />
gateway <%DMVPN_WIFI_TRANSIT_IP_ADDRESS%><br />
<br />
auto eth2<br />
iface eth2 inet static<br />
address <%WIFI_MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
{{Todo|Need to lock down firewall rules}}<br />
<br />
== Install and Configure the Recursive DNS Service ==<br />
Install unbound package<br />
{{Cmd|apk add unbound}}<br />
With your favorite editor configure /etc/unbound/unbound.conf<br />
{{cat|/etc/unbound/unbound.conf|<br />
server:<br />
verbosity: 1<br />
interface: 172.17.48.1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 172.17.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
do-not-query-localhost: no<br />
<br />
root-hints: "/etc/unbound/root.hints"<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
== Install and Configure the Proxy service ==<br />
Install the necessary packages<br />
{{Cmd|apk add squid squark lighttpd}}<br />
With your preferred editor configure /etc/squid/squid.conf<br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for BSNA<br />
<br />
# This port listens for client requests<br />
http_port 172.17.48.1:8080 transparent<br />
http_port 127.0.0.1:8081<br />
<br />
visible_hostname rbsna.resnet.local<br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
dns_nameservers 172.17.48.1<br />
<br />
# <br />
# Authentication<br />
#<br />
# Squark external acl<br />
#external_acl_type squark_snmp_auth_D children-max=1 ttl=4 grace=1 negative_ttl=0 concurrency=128 %SRC /usr/bin/squark-auth-snmp -c public -R <SWITCH_IP> -i <D_VLAN_IF> -v <D_VLAN_ID> -f "%N-%i=%I" -T /etc/squark/topology.conf<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst 172.17.48.1<br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
#acl SquarkAuth external squark_auth<br />
#acl SquarkSnmpAuthD external squark_snmp_auth_D<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones<br />
acl Zone_D src 172.17.48.0/24<br />
<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_D to access the entire Internet<br />
http_access allow Zone_D<br />
<br />
# Denying all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#Finally, permit access<br />
url_rewrite_access allow Zone_D<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
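Squid evaluates http_access rules top-down and stops at the first match, so the protective denies in both squid.conf files on this page (manager, purge, !Safe_ports, CONNECT !SSL_ports) only take effect if they precede the rule that admits a client zone, and the closing "deny all" only takes effect if it is last. The script below is an added example (not part of the wiki page or of Squid) that parses the acl and http_access directives and reports ordering mistakes; its sample is a constructed excerpt of the Zone_D configuration above.<br />

```python
"""Added audit of the http_access ordering in a squid.conf like the ones on
this page (example code, not part of the wiki page or of Squid).  Squid
evaluates http_access top-down and stops at the first match, so protective
denies only work if they precede the rule that admits a client network, and
the explicit 'deny all' only works if it comes last."""

# ACLs Squid 3.x predefines; anything else must appear in an 'acl' line.
BUILTIN_ACLS = {"all", "manager", "localhost", "to_localhost", "localnet"}
# The denies the page's configuration relies on, in the order it states them.
REQUIRED_DENIES = [["manager"], ["purge"], ["!Safe_ports"], ["CONNECT", "!SSL_ports"]]

# Constructed excerpt of the page's Zone_D proxy configuration.
SAMPLE_SQUID_CONF = """\
acl QUERY urlpath_regex cgi-bin \\? asp aspx jsp
acl to_localhost dst 172.17.48.1
acl SSL_ports port 443 563 8004 9000
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
acl Zone_D src 172.17.48.0/24

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow Zone_D
http_access deny all
"""


def parse_squid(text):
    """Return (acls, rules): acl name -> (type, values), and the ordered
    http_access rules as (action, [terms])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif len(parts) >= 2 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _source_only(terms, acls):
    """True when every term is 'all' or a non-negated src ACL: such an allow
    admits a whole client network regardless of method, port or destination."""
    return all(not t.startswith("!") and (t == "all" or acls.get(t, ("", []))[0] == "src")
               for t in terms)


def audit_http_access(acls, rules):
    """Return a list of findings; an empty list means the ordering is sound."""
    findings = []
    if not rules:
        return ["no http_access rules: Squid falls back to its implicit default"]
    if rules[-1] != ("deny", ["all"]):
        findings.append("last http_access rule is not 'deny all'")
    for action, terms in rules:
        for name in (t.lstrip("!") for t in terms):
            if name not in acls and name not in BUILTIN_ACLS:
                findings.append(f"'{action} {' '.join(terms)}' uses undefined acl {name}")
    for idx, rule in enumerate(rules[:-1]):
        if rule == ("deny", ["all"]):
            findings.append(f"rule {idx + 1} is 'deny all': {len(rules) - idx - 1} later rule(s) unreachable")
            break
    # index of the first rule that lets a client network through
    gate = next((i for i, (a, t) in enumerate(rules) if a == "allow" and _source_only(t, acls)),
                len(rules))
    for wanted in REQUIRED_DENIES:
        pos = next((i for i, (a, t) in enumerate(rules) if a == "deny" and t == wanted), None)
        if pos is None:
            findings.append(f"missing rule 'deny {' '.join(wanted)}'")
        elif pos > gate:
            findings.append(f"'deny {' '.join(wanted)}' comes after 'allow "
                            f"{' '.join(rules[gate][1])}' and is shadowed for those clients")
    return findings


def audit_config(text):
    """Parse and audit a squid.conf text in one call."""
    return audit_http_access(*parse_squid(text))
```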
Configure lighttpd<br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
<br />
include "mime-types.conf"<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
<br />
<br />
server.follow-symlink = "enable"<br />
<br />
server.port = 81<br />
server.bind = "172.17.48.1"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("172.17.48.1" => "trust")<br />
</pre><br />
}}<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
<br />
# vim: set ft=conf foldmethod=marker et :<br />
</pre><br />
}}<br />
Link Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
Start lighttpd and configure the Web service to start at boot<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
Start Squid and configure it to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9821
Small Office Services
2014-01-23T16:16:32Z
<p>Cewebb: /* Hardware */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
{{Todo|Need to decide what should be the appropriate hardware for the setup}}<br />
<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Enter'' '''none''' ''(the default here is 'dhcp'; bond0 itself gets no address, only the VLAN sub-interfaces do)''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
bond-updelay 500<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the base policy for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate -f<br />
rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add rule to DMVPN awall policy to allow this proxy out to the internet<br />
{{Note| this is to be configured on the DMVPN awall config}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"filter": [<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access hosts listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Denying all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
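Squid walks http_access and url_rewrite_access from top to bottom; the first line whose ACLs all match decides, and when no line matches the result is the opposite of the last line's action. The Python model below is an added example, not part of this wiki page or of Squid: it encodes the rule set from the squid.conf above and shows which line decides for a few requests. The subnet, addresses and domain lists are constructed stand-ins for the <%...%> placeholders and the /etc/squid/* list files.<br />

```python
import ipaddress

# Constructed sample values standing in for the <%...%> placeholders and the
# external ACL list files; none of them come from the wiki page.
LAN_SUBNET = ipaddress.ip_network("10.1.0.0/16")            # <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%>
WEBPROXY_IP = "10.1.0.2"                                     # <%WEBPROXY_IP_ADDRESS%>
ALLOWED_USER_DOMAINS = {".example.com"}                      # /etc/squid/alloweduserdomains
ALLOWED_SERVICE_HOSTS = {ipaddress.ip_address("10.1.0.10")}  # /etc/squid/allowedserviceshosts
ALLOWED_SERVICE_DOMAINS = {".updates.example.net"}           # /etc/squid/allowedservicesdomains

SAFE_PORTS = {21, 70, 80, 81, 210, 280, 443, 563, 499, 591, 777, 1024, 1022} | set(range(1025, 65536))
SSL_PORTS = {443, 563, 8004, 9000}


def dstdomain(domains, host):
    """Squid dstdomain semantics: '.example.com' matches the domain and every
    subdomain, 'www.example.com' matches only that exact host."""
    host = host.lower()
    for d in domains:
        if d.startswith("."):
            if host == d[1:] or host.endswith(d):
                return True
        elif host == d:
            return True
    return False


# Each ACL is a predicate over a request dict; the names follow squid.conf.
ACLS = {
    "manager": lambda r: r["url"].startswith("cache_object://"),
    "localhost": lambda r: r["src"].is_loopback,
    "to_localhost": lambda r: r["host"] == WEBPROXY_IP,
    "purge": lambda r: r["method"] == "PURGE",
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
    "SSL_ports": lambda r: r["port"] in SSL_PORTS,
    "Zone_B": lambda r: r["src"] in LAN_SUBNET,
    "Zone_B_AllowedUserDomains": lambda r: dstdomain(ALLOWED_USER_DOMAINS, r["host"]),
    "Zone_B_AllowedServicesHosts": lambda r: r["src"] in ALLOWED_SERVICE_HOSTS,
    "Zone_B_AllowedServicesDomains": lambda r: dstdomain(ALLOWED_SERVICE_DOMAINS, r["host"]),
    "all": lambda r: True,
}

# The http_access lines from squid.conf, in file order ("!" negates an ACL).
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["Zone_B", "Zone_B_AllowedUserDomains"]),
    ("allow", ["Zone_B_AllowedServicesHosts", "Zone_B_AllowedServicesDomains"]),
    ("deny", ["all"]),
]

# The url_rewrite_access lines: "allow" here means "hand the URL to squark-filter".
URL_REWRITE_ACCESS = [
    ("deny", ["manager"]),
    ("deny", ["to_localhost"]),
    ("deny", ["Zone_B", "Zone_B_AllowedUserDomains"]),
    ("deny", ["Zone_B", "Zone_B_AllowedServicesDomains"]),
]


def acl_matches(name, req):
    negate = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negate


def evaluate(rules, req):
    """First-match evaluation of an access list. Returns (action, line): line
    is the 1-based position of the deciding rule, or 0 when nothing matched
    and Squid fell back to the opposite of the last rule's action."""
    for line, (action, acls) in enumerate(rules, 1):
        if all(acl_matches(a, req) for a in acls):
            return action, line
    return ("deny" if rules[-1][0] == "allow" else "allow"), 0


def request(src, method, host, port, url=None):
    return {"src": ipaddress.ip_address(src), "method": method, "host": host,
            "port": port, "url": url or f"http://{host}:{port}/"}


def decide(src, method, host, port, url=None):
    """Return (http_access action, deciding line, passed to squark-filter?)."""
    req = request(src, method, host, port, url)
    action, line = evaluate(HTTP_ACCESS, req)
    filtered = action == "allow" and evaluate(URL_REWRITE_ACCESS, req)[0] == "allow"
    return action, line, filtered
```

Note how a CONNECT to a port outside SSL_ports is refused at the CONNECT line even for a whitelisted domain, because that deny sits above the Zone_B allow.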
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container is booted<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the three networks (management, WiFi and voice) of the netserv container<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Voice VLAN (eth_1101, as named in /var/lib/lxc/netserv/config)<br />
auto eth_1101<br />
iface eth_1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
#Second address on the voice VLAN, used by nsd below<br />
up ip address add <%NETSERV_VOICE_IP_ADDRESS2%>/25 dev $IFACE<br />
<br />
#Management VLAN (eth_3)<br />
auto eth_3<br />
iface eth_3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
<br />
#WiFi VLAN (eth_701)<br />
auto eth_701<br />
iface eth_701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dhcp.json|<br />
{<br />
"description": "DHCP",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dhcp",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dns.json|<br />
{<br />
"description": "DNS",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dns",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable dhcp<br />
awall enable dns<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default<br />
{{Cmd|rc-service dhcpd start<br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (nsd is installed further below)<br />
{{Cmd|apk add unbound}}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%NETSERV_VOICE_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
}}<br />
Start Unbound and allow the container to use it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd configuration<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%NETSERV_VOICE_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Configure Zone file for nsd<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record: SIP over UDP, located through the _sip._udp SRV set below<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Records<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
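A SIP phone on the voice VLAN locates the registrar through this zone by following NAPTR to SRV to A (RFC 3263), with the NAPTR replacement naming the _sip._udp SRV set. The walker below is an added example, not part of this wiki page or of nsd: it embeds a constructed copy of the records above with sample addresses in place of the <%...%> placeholders, and also reports NAPTR replacements that point at a name with no SRV records, which is the easiest mistake to make in this zone.<br />

```python
import random

ORIGIN = "office.example.net."

# Constructed copy of the zone as (owner, type, rdata). Sample addresses stand
# in for <%NETSERV_VOICE_IP_ADDRESS%>, <%SIP_IP_ADDRESS%> and <%VMAIL_IP_ADDRESS%>.
ZONE = [
    ("@", "NS", "ns1"),
    ("ns1", "A", "10.2.0.2"),
    ("sip", "A", "10.2.0.10"),
    ("vmail", "A", "10.2.0.11"),
    # NAPTR rdata: order, preference, flags, service, regexp, replacement
    ("@", "NAPTR", (10, 1, "s", "SIP+D2U", "", "_sip._udp.office.example.net.")),
    # SRV rdata: priority, weight, port, target
    ("_sip._udp", "SRV", (10, 1, 5060, "sip")),
    ("_sip._udp", "SRV", (10, 1, 5060, "vmail")),
]


def fqdn(name):
    """Expand a zone-file owner or target name relative to $ORIGIN."""
    if name == "@":
        return ORIGIN
    return name if name.endswith(".") else f"{name}.{ORIGIN}"


def lookup(name, rtype, zone=ZONE):
    """Return the rdata of every record of type rtype owned by name."""
    want = fqdn(name).lower()
    return [rd for owner, t, rd in zone if t == rtype and fqdn(owner).lower() == want]


def order_srv(srvs, rng):
    """RFC 2782 ordering: ascending priority, weighted random within a priority."""
    ordered = []
    for prio in sorted({s[0] for s in srvs}):
        group = [s for s in srvs if s[0] == prio]
        while group:
            pick = rng.choices(group, weights=[s[1] for s in group])[0]
            group.remove(pick)
            ordered.append(pick)
    return ordered


def resolve_sip(domain, zone=ZONE, rng=random):
    """RFC 3263 chain: NAPTR (service SIP+D2U, flag "s") -> SRV -> A.
    Returns ("udp", [(ip, port), ...]) in the order a client should try."""
    naptrs = sorted(lookup(domain, "NAPTR", zone), key=lambda r: (r[0], r[1]))
    for _order, _pref, flags, service, _regexp, replacement in naptrs:
        if flags != "s" or service != "SIP+D2U":
            continue  # this zone only advertises SIP over UDP via an SRV set
        srvs = lookup(replacement, "SRV", zone)
        if not srvs:
            raise LookupError(f"NAPTR replacement {replacement} has no SRV records")
        addrs = [(ip, port) for _p, _w, port, target in order_srv(srvs, rng)
                 for ip in lookup(target, "A", zone)]
        return "udp", addrs
    raise LookupError(f"no usable NAPTR record for {domain}")


def dangling_naptr_targets(zone=ZONE):
    """Zone sanity check: NAPTR replacements that name no SRV record set."""
    return [rd[5] for _owner, t, rd in zone
            if t == "NAPTR" and not lookup(rd[5], "SRV", zone)]
```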
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
==Install and Configure Postgresql==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf to set the 'listen_addresses', and the 'log_destination' variables to show:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
== Install Kamailio ==<br />
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio<br />
<br />
=Install the B2BUA container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n b2bua -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.b2bua}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/b2bua/config, to reflect the network for the B2BUA container<br />
<br />
{{cat|/var/lib/lxc/b2bua/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.b2bua start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.b2bua}}<br />
<br />
== Enter the B2BUA container ==<br />
{{Cmd|lxc-console -n b2bua}}<br />
Login as root<br />
{{Note|To detach from the container console without stopping the container, press {{Key|Ctrl}}+{{Key|a}} followed by {{Key|q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%B2BUA_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
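The two sed one-liners above (repeated for every container in this document) only rewrite the exact stock line "#PasswordAuthentication yes": if the option was already uncommented, edited, or is missing from the file, nothing changes and password logins stay enabled. The POSIX sh helpers below are an added example, not part of the original page: they set an option whether it is commented, active or absent, and report the value sshd will actually use. The ChallengeResponseAuthentication setting and the sample file contents are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Alpine wiki page: idempotent sshd_config hardening.
# The page's "sed s/.PasswordAuthentication yes/.../" only rewrites the exact stock
# line "#PasswordAuthentication yes"; if the option was already uncommented, edited
# or is missing, nothing changes and password logins stay enabled. These helpers
# cover the commented, active and absent cases and report the effective value.

# sshd_set_option FILE KEY VALUE
# Rewrites every commented or active "KEY ..." line in place; if none exists the
# option is inserted at the top, before any Match block, so it applies globally.
sshd_set_option() {
    file=$1 key=$2 value=$3
    pattern="^[[:space:]]*#\{0,1\}[[:space:]]*$key[[:space:]]"
    tmp=$(mktemp)
    if grep -q "$pattern" "$file"; then
        sed "s|${pattern}.*|$key $value|" "$file" > "$tmp"
    else
        { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$tmp"
    fi
    cat "$tmp" > "$file"    # keep the original inode and permissions
    rm -f "$tmp"
}

# sshd_effective FILE KEY -> prints the value sshd will use: the first active
# (uncommented) occurrence wins, as in sshd itself. Match blocks are not modelled.
sshd_effective() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE: the two settings the page applies, plus
# ChallengeResponseAuthentication (an assumption of this example) so that
# keyboard-interactive password prompts are closed as well.
harden_sshd() {
    sshd_set_option "$1" PasswordAuthentication no
    sshd_set_option "$1" UseDNS no
    sshd_set_option "$1" ChallengeResponseAuthentication no
}

# Demo on a constructed file that resembles a stock sshd_config (not a real host's file):
f=$(mktemp)
printf '#PasswordAuthentication yes\nUseDNS yes\nPort 22\n' > "$f"
harden_sshd "$f"
for k in PasswordAuthentication UseDNS ChallengeResponseAuthentication Port; do
    echo "$k -> $(sshd_effective "$f" "$k")"
done
rm -f "$f"
```

On a real container run `harden_sshd /etc/ssh/sshd_config` and then `sshd -t` before restarting the service, so a typo cannot lock you out of the console-less container. Because the helper rewrites the option in place rather than appending it, a later Match block in the file cannot silently override the global setting.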
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip-track.json|<br />
{<br />
<br />
"description": "Phone system with SIP connection tracking",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Enable and activate firewall policies, and configure iptables to start at boot<br />
{{Cmd|awall enable base<br />
awall enable sip-track<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure Freeswitch ==<br />
Install package<br />
{{Cmd|apk add freeswitch}}<br />
<br />
Configure /etc/freeswitch/freeswitch.xml. Note that both the global settings and the profile set auth-calls to false, so this profile accepts calls from any host that can reach it on port 5060; it relies on the container firewall and on Kamailio to limit who that is.<br />
{{cat|/etc/freeswitch/freeswitch.xml|<br />
<pre><br />
<?xml version="1.0"?><br />
<document type="freeswitch/xml"><br />
<br />
<!-- Variables we need to set --><br />
<br />
<X-PRE-PROCESS cmd="set" data="b2bua=<%B2BUA_IP_ADDRESS%>"/><br />
<X-PRE-PROCESS cmd="set" data="domain=office.example.net"/><br />
<X-PRE-PROCESS cmd="set" data="siprouter=office.example.net"/><br />
<br />
<!-- Variables we don't need to set --><br />
<br />
<!-- External SIP Profile --><br />
<X-PRE-PROCESS cmd="set" data="external_sip_port=5060"/><br />
<!-- Global codecs --><br />
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/><br />
<!-- Outbound codecs --><br />
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/><br />
<br />
<section name="configuration" description="Various Configuration"><br />
<br />
<configuration name="modules.conf" description="Modules"><br />
<modules><br />
<load module="mod_commands"/><br />
<load module="mod_console"/><br />
<load module="mod_dptools"/><br />
<load module="mod_dialplan_xml"/><br />
<load module="mod_event_socket"/><br />
<load module="mod_logfile"/><br />
<load module="mod_sofia"/><br />
</modules><br />
</configuration><br />
<br />
<configuration name="console.conf" description="Console Logger"><br />
<mappings><br />
<map name="all" value="console,debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
<settings><br />
<param name="loglevel" value="info"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="logfile.conf" description="File Logging"><br />
<settings><br />
<param name="rotate-on-hup" value="true"/><br />
</settings><br />
<profiles><br />
<profile name="default"><br />
<settings><br />
<param name="rollover" value="10485760"/><br />
</settings><br />
<mappings><br />
<map name="all" value="debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
</profile><br />
</profiles><br />
</configuration><br />
<br />
<configuration name="sofia.conf" description="sofia Endpoint"><br />
<global_settings><br />
<param name="log-level" value="0"/><br />
<param name="debug-presence" value="0"/><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="log-auth-failures" value="false"/><br />
<param name="forward-unsolicited-mwi-notify" value="false"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="5060"/><br />
<param name="dialplan" value="XML"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="tls" value="false"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="auth-all-packets" value="false"/><br />
<param name="rtp-timeout-sec" value="300"/><br />
<param name="rtp-hold-timeout-sec" value="1800"/><br />
<param name="challenge-realm" value="auto_from"/><br />
</global_settings><br />
<br />
<profiles><br />
<profile name="$${domain}"><br />
<domains><br />
<domain name="all" alias="false" parse="true"/><br />
</domains><br />
<settings><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="$${external_sip_port}"/><br />
<param name="dialplan" value="XML"/><br />
<param name="context" value="default"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/><br />
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="local-network-acl" value="rfc1918.auto"/><br />
<param name="manage-presence" value="false"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="rtp-ip" value="$${b2bua}"/><br />
<param name="sip-ip" value="$${b2bua}"/><br />
<param name="tls" value="false"/><br />
</settings><br />
</profile> <br />
</profiles> <br />
<br />
</configuration><br />
<br />
<configuration name="switch.conf" description="Core Configuration"><br />
<br />
<cli-keybindings><br />
<key name="1" value="help"/><br />
<key name="2" value="status"/><br />
<key name="3" value="show channels"/><br />
<key name="4" value="show calls"/><br />
<key name="5" value="sofia status"/><br />
<key name="6" value="reloadxml"/><br />
</cli-keybindings><br />
<br />
<settings><br />
<param name="colorize-console" value="true"/><br />
<param name="max-sessions" value="1000"/><br />
<param name="sessions-per-second" value="30"/><br />
<param name="loglevel" value="debug"/><br />
<param name="dump-cores" value="yes"/><br />
<param name="rtp-enable-zrtp" value="false"/><br />
<param name="rtp-start-port" value="13000"/><br />
<param name="rtp-end-port" value="18000"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="post_load_modules.conf" description="Post-load modules"/><br />
<br />
</section><br />
<br />
<!-- Incoming Calls --><br />
<section name="dialplan" description="Regex/XML Dialplan"><br />
<context name="default"><br />
<extension name="b2b-in"><br />
<!-- numeric destinations only; \d+ rather than \d* so an empty destination does not match --><br />
<condition field="destination_number" expression="^(\d+)$"><br />
<action application="set" data="ringback=%(2000,4000,440.0,480.0)"/><br />
<action application="set" data="hangup_after_bridge=true"/><br />
<action application="set" data="continue_on_fail=true"/><br />
<action application="set" data="ignore_early_media=true"/> <br />
<action application="set" data="bypass_media=true"/> <br />
<action application="answer"/><br />
<action application="sleep" data="1000"/><br />
<action application="unset" data="sip_h_P-ARP"/><br />
<action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/><br />
</condition><br />
</extension><br />
</context> <br />
</section><br />
</document><br />
</pre><br />
}}<br />
Start FreeSWITCH and configure it to start at boot<br />
{{Cmd|/etc/init.d/freeswitch start<br />
rc-update add freeswitch}}<br />
= Install the wifi Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n wifi -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.wifi}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/wifi/config, to reflect the network for the wifi container<br />
<br />
{{cat|/var/lib/lxc/wifi/config|<br />
...<br />
lxc.network.link {{=}} bond0.701<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.wifi start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.wifi}}<br />
<br />
== Enter the wifi container ==<br />
{{Cmd|lxc-console -n wifi}}<br />
Login as root<br />
{{Note|To detach from the container console without stopping the container, press {{Key|Ctrl}}+{{Key|a}} followed by {{Key|q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WIFI_IP_ADDRESS%><br />
netmask <%VPNc_WIFI_NETMASK%><br />
<br />
auto eth1<br />
iface eth1 inet static<br />
address <%WIFI_TRANSIT_IP_ADDRESS%><br />
netmask <%WIFI_TRANSIT_NETMASK%><br />
gateway <%DMVPN_WIFI_TRANSIT_IP_ADDRESS%><br />
<br />
auto eth2<br />
iface eth2 inet static<br />
address <%WIFI_MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
{{Todo|Need to lock down firewall rules}}<br />
<br />
==Install and Configure the Recursive DNS Service ==<br />
Install unbound package<br />
{{Cmd|apk add unbound}}<br />
With your favorite editor configure /etc/unbound/unbound.conf<br />
{{cat|/etc/unbound/unbound.conf|<br />
server:<br />
verbosity: 1<br />
interface: 172.17.48.1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 172.17.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
do-not-query-localhost: no<br />
<br />
root-hints: "/etc/unbound/root.hints"<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
== Install and Configure the Proxy service ==<br />
Install the necessary packages<br />
{{Cmd|apk add squid squark lighttpd}}<br />
With your preferred editor configure /etc/squid/squid.conf<br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for BSNA<br />
<br />
# This port listens for client requests<br />
http_port 172.17.48.1:8080 transparent<br />
http_port 127.0.0.1:8081<br />
<br />
visible_hostname rbsna.resnet.local<br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
dns_nameservers 172.17.48.1<br />
<br />
# <br />
# Authentication<br />
#<br />
# Squark external acl<br />
#external_acl_type squark_snmp_auth_D children-max=1 ttl=4 grace=1 negative_ttl=0 concurrency=128 %SRC /usr/bin/squark-auth-snmp -c public -R <SWITCH_IP> -i <D_VLAN_IF> -v <D_VLAN_ID> -f "%N-%i=%I" -T /etc/squark/topology.conf<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst 172.17.48.1<br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
#acl SquarkAuth external squark_auth<br />
#acl SquarkSnmpAuthD external squark_snmp_auth_D<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones<br />
acl Zone_D src 172.17.48.0/24<br />
<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_D to access the entire Internet<br />
http_access allow Zone_D<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#Finally, permit access<br />
url_rewrite_access allow Zone_D<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
Configure lighttpd<br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
<br />
include "mime-types.conf"<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
<br />
<br />
server.follow-symlink = "enable"<br />
<br />
server.port = 81<br />
server.bind = "172.17.48.1"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("172.17.48.1" => "trust")<br />
</pre><br />
}}<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
<br />
# vim: set ft=conf foldmethod=marker et :<br />
</pre><br />
}}<br />
Link Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
Start lighttpd and configure the Web service to start at boot<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
Start Squid and configure it to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9820
Small Office Services
2014-01-23T16:08:25Z
<p>Cewebb: Finished configuring Web Proxy</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Enter'' '''none''' ''(the bond itself carries no address; the VLAN interfaces do)''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
bond-updelay 500<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
Writing to /proc only lasts until the next reboot, and this host is diskless and will be rebooted after the LXC install below. Make the setting persistent in /etc/sysctl.conf (which lbu saves), apply it now, and make sure the sysctl service runs at boot<br />
{{Cmd|echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf<br />
sysctl -p /etc/sysctl.conf<br />
rc-update add sysctl boot}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the base policy for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and configure iptables to start automatically at boot<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate -f<br />
rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|To detach from the container console without stopping the container, press {{Key|Ctrl}}+{{Key|a}} followed by {{Key|q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN awall policy to allow this proxy out to the internet<br />
{{Note|This is configured in the awall policy of the DMVPN box, not inside the container. The object below is one entry of that policy's "filter" list; $WEB_PROXY must be defined in the policy's "variable" section (or replaced with the proxy's address), and zones B and E are the ones defined on the DMVPN page.}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
}<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and configure iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access hosts listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
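The http_access block above is evaluated first-match, with every ACL on one line ANDed and a default of the opposite of the last line when nothing matches. The following Python model, added here as an example and not part of the page or of Squid, replays that evaluation over constructed stand-ins for the allowlist files and the <%LAN_SUBNET%> placeholder (the subnet 10.1.10.0/24, the hosts and domains listed, and the sample requests are all assumed), so you can see why a CONNECT to port 8443 is refused even for an allowed domain, and why a bare "alpinelinux.org" entry does not cover wiki.alpinelinux.org:<br />

```python
import ipaddress

# Constructed stand-ins for the allowlist files and the LAN subnet placeholder
# (added example, not the page's configuration).
LAN_SUBNET = "10.1.10.0/24"                                   # <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%>
ALLOWED_USER_DOMAINS = [".example.net", "alpinelinux.org"]    # /etc/squid/alloweduserdomains
ALLOWED_SERVICES_HOSTS = ["10.1.11.10"]                       # /etc/squid/allowedserviceshosts
ALLOWED_SERVICES_DOMAINS = [".pool.ntp.org"]                  # /etc/squid/allowedservicesdomains

SAFE_PORTS = {21, 70, 80, 81, 210, 280, 443, 563, 499, 591, 777, 1024, 1022} | set(range(1025, 65536))
SSL_PORTS = {443, 563, 8004, 9000}


def match_src(cidrs, req):
    """Squid 'src': client address inside any listed network."""
    ip = ipaddress.ip_address(req["src"])
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def match_dstdomain(patterns, req):
    """Squid 'dstdomain': a leading dot matches the domain and all of its
    subdomains; a bare name matches only itself."""
    host = req["host"].lower()
    for pat in (p.lower() for p in patterns):
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


ACLS = {
    "SSL_ports": lambda r: r["port"] in SSL_PORTS,
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "Zone_B": lambda r: match_src([LAN_SUBNET], r),
    "Zone_B_AllowedUserDomains": lambda r: match_dstdomain(ALLOWED_USER_DOMAINS, r),
    "Zone_B_AllowedServicesHosts": lambda r: match_src(ALLOWED_SERVICES_HOSTS, r),
    "Zone_B_AllowedServicesDomains": lambda r: match_dstdomain(ALLOWED_SERVICES_DOMAINS, r),
    "all": lambda r: True,
}

# The http_access lines of the LAN proxy, in order (manager/purge lines omitted).
HTTP_ACCESS = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["Zone_B", "Zone_B_AllowedUserDomains"]),
    ("allow", ["Zone_B_AllowedServicesHosts", "Zone_B_AllowedServicesDomains"]),
    ("deny", ["all"]),
]


def http_access(req, rules=HTTP_ACCESS):
    """First-match evaluation: ACLs on one line are ANDed ('!' negates one),
    lines are tried in order. With no match Squid applies the opposite of the
    last line's action, which is why the list ends in an explicit 'deny all'."""
    for action, terms in rules:
        if all(ACLS[t.lstrip("!")](req) != t.startswith("!") for t in terms):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"


def request(src, host, port=80, method="GET"):
    """Constructed request: client address, destination host, port and method."""
    return {"src": src, "host": host, "port": port, "method": method}


if __name__ == "__main__":
    for req in (request("10.1.10.5", "www.example.net"),
                request("10.1.10.5", "wiki.alpinelinux.org"),
                request("10.1.10.5", "www.example.net", 8443, "CONNECT")):
        print(req, "->", http_access(req))
```

Run it after editing the allowlists to check a change before reloading Squid: a request that should be allowed but returns "deny" usually means the dstdomain entry lacks its leading dot, or the client sits outside <%LAN_SUBNET%>.<br />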
<br />
Configure /etc/lighttpd/lighttpd.conf, replacing <%WEBPROXY_IP_ADDRESS%> with the proxy container's address; mod_extforward trusts the forwarded client address only when it comes from that source<br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks for the netserv container<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|To detach from the container console press {{Key|Ctrl}}+{{Key|a}} followed by {{Key|q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below. The interface names inside the container are the lxc.network.name values set in the container config above:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Voice VLAN<br />
auto eth_1101<br />
iface eth_1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
# secondary address on the voice VLAN, used by nsd (unbound listens on the primary)<br />
up ip address add <%NETSERV_VOICE_IP_ADDRESS2%>/25 dev eth_1101<br />
<br />
#Management VLAN<br />
auto eth_3<br />
iface eth_3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
<br />
#WiFi VLAN<br />
auto eth_701<br />
iface eth_701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration. Install your public key in /root/.ssh/authorized_keys before disabling password authentication, otherwise the next SSH login will be refused.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i 's/^#*PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config<br />
sed -i 's/^#*UseDNS .*/UseDNS no/' /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dhcp.json|<br />
{<br />
"description": "DHCP",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dhcp",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dns.json|<br />
{<br />
"description": "DNS",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dns",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable dhcp<br />
awall enable dns<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the DHCP server together with its ACF module<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package<br />
{{Cmd|apk add unbound }}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
With your favorite editor, create a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%NETSERV_VOICE_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
}}<br />
Start Unbound, and point the container's own resolver at it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%NETSERV_VOICE_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Configure the zone file for nsd (the file named by the zonefile directive above)<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name servers (nsd listens on the secondary voice address)<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS2%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record: the replacement must be the owner name of the SRV records below (RFC 3263)<br />
@ IN NAPTR 10 10 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Records<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
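A phone or the B2BUA locates the SIP service for office.example.net by following NAPTR to SRV to A records (RFC 3263), and the chain silently dead-ends if the NAPTR replacement names a label that has no SRV records (for instance _sip._udp.sip.office.example.net. instead of _sip._udp.office.example.net.). The following Python, added here as an example and not part of the page or of nsd, parses a constructed copy of the zone above (the <%...%> placeholders replaced by assumed 10.1.11.x addresses) and walks that chain, plus a small lint for dangling NAPTR replacements:<br />

```python
import re
from ipaddress import ip_address

# Constructed zone text (added example, not the page's file): the page's
# office.example.net records with its <%...%> placeholders replaced by
# assumed example addresses.
ZONE = """\
$ORIGIN office.example.net.
$TTL 86400
@ IN SOA ns1 admin ( 2013032200 28800 7200 864000 86400 )
@ NS ns1
ns1 IN A 10.1.11.3
;A Records for SIP Devices
sip IN A 10.1.11.10
vmail IN A 10.1.11.11
;NAPTR: replacement must be the owner name of the SRV records
@ IN NAPTR 10 10 "s" "SIP+D2U" "" _sip._udp.office.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""

# Same zone, but the NAPTR points at a label that has no SRV records.
BROKEN_ZONE = ZONE.replace('"" _sip._udp.office.example.net.',
                           '"" _sip._udp.sip.office.example.net.')


def qualify(name, origin):
    """Turn a relative owner or target into a fully qualified name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Minimal zone-file reader: returns ({(owner, type): [rdata tokens]}, origin).
    Handles $ORIGIN, an optional TTL, the IN class and ';' comments, which is
    enough for the single-line records used here."""
    origin, records = "", {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        toks = re.findall(r'"[^"]*"|\S+', line)
        owner, i = qualify(toks[0], origin), 1
        if toks[i].isdigit():          # optional per-record TTL
            i += 1
        if toks[i] == "IN":            # optional class
            i += 1
        records.setdefault((owner, toks[i]), []).append(toks[i + 1:])
    return records, origin


def resolve_sip(records, domain, service="SIP+D2U"):
    """RFC 3263 walk for `domain`: NAPTR (by order, preference) -> SRV (by
    priority, then weight) -> A. Returns [(host, ip, port), ...], or [] when a
    step finds nothing, which is what a phone sees when the NAPTR replacement
    names a label without SRV records."""
    naptrs = [r for r in records.get((domain, "NAPTR"), [])
              if r[3].strip('"') == service]
    if not naptrs:
        return []
    naptrs.sort(key=lambda r: (int(r[0]), int(r[1])))
    srv_owner = qualify(naptrs[0][5], domain)           # replacement field
    srvs = sorted(records.get((srv_owner, "SRV"), []),
                  key=lambda r: (int(r[0]), -int(r[1])))
    targets = []
    for _prio, _weight, port, target in srvs:
        host = qualify(target, domain)
        for (addr,) in records.get((host, "A"), []):
            targets.append((host, str(ip_address(addr)), int(port)))
    return targets


def dangling_naptrs(records):
    """Lint: NAPTR replacements that point at names with no SRV records."""
    return [qualify(r[5], owner) for (owner, rtype), rrs in records.items()
            if rtype == "NAPTR" for r in rrs
            if (qualify(r[5], owner), "SRV") not in records]


if __name__ == "__main__":
    recs, origin = parse_zone(ZONE)
    print(resolve_sip(recs, origin))
    print(dangling_naptrs(parse_zone(BROKEN_ZONE)[0]))
```

Paste your real zone into ZONE before reloading nsd: an empty result from resolve_sip or a non-empty list from dangling_naptrs means phones will fall back to a plain A lookup of the domain, if they fall back at all.<br />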
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|To detach from the container console press {{Key|Ctrl}}+{{Key|a}} followed by {{Key|q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration. Install your public key in /root/.ssh/authorized_keys before disabling password authentication, otherwise the next SSH login will be refused.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i 's/^#*PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config<br />
sed -i 's/^#*UseDNS .*/UseDNS no/' /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
==Install and Configure Postgresql==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf so that 'listen_addresses' and 'log_destination' read:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
== Install Kamailio ==<br />
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio<br />
<br />
=Install the B2BUA container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n b2bua -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.b2bua}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/b2bua/config, to reflect the network for the B2BUA container<br />
<br />
{{cat|/var/lib/lxc/b2bua/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.b2bua start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.b2bua}}<br />
<br />
== Enter the B2BUA container ==<br />
{{Cmd|lxc-console -n b2bua}}<br />
Login as root<br />
{{Note|To detach from the container console press {{Key|Ctrl}}+{{Key|a}} followed by {{Key|q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%B2BUA_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration. Install your public key in /root/.ssh/authorized_keys before disabling password authentication, otherwise the next SSH login will be refused.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i 's/^#*PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config<br />
sed -i 's/^#*UseDNS .*/UseDNS no/' /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip-track.json|<br />
{<br />
<br />
"description": "Phone system with SIP connection tracking",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Enable and activate firewall policies, and configure iptables to start at boot<br />
{{Cmd|awall enable base<br />
awall enable sip-track<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
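Each container in this document (netserv, sip, b2bua) gets a handful of awall policy files, and a single malformed file, such as a trailing comma after the last key, which is an easy slip in hand-written JSON and is rejected by a strict parser, stops awall activate for the whole host. The following Python, added here as an example and not part of the page or of awall, loads constructed copies of the SIP container's three policies (one of them carrying such a comma), reports which ones fail to parse, and summarises what the valid ones expose towards the host itself so the result can be compared with the role of the container:<br />

```python
import json

# Constructed copies of the three policy files from the SIP container
# section (added example, not the page's files). sip.json carries a trailing
# comma after "accept", the kind of slip a strict JSON parser rejects.
POLICY_FILES = {
    "base.json": """{
  "description": "Management",
  "policy": [ { "in": "_fw", "action": "accept" } ],
  "filter": [ { "out": "_fw", "service": [ "ssh", "https", "ping" ], "action": "accept" } ]
}""",
    "sip.json": """{
  "description": "Phone System",
  "filter": [ { "out": "_fw", "service": [ "sip", "sip-tls" ], "action": "accept", } ]
}""",
    "syslog.json": """{
  "description": "Syslog server",
  "filter": [ { "out": "_fw", "service": "syslog", "action": "accept" } ]
}""",
}


def load_policies(files):
    """Parse each policy; returns (parsed, errors) so a bad file is reported
    with its position instead of aborting the whole activation."""
    parsed, errors = {}, {}
    for name, text in files.items():
        try:
            parsed[name] = json.loads(text)
        except json.JSONDecodeError as exc:
            errors[name] = f"line {exc.lineno} col {exc.colno}: {exc.msg}"
    return parsed, errors


def as_list(value):
    """awall accepts a single service name or a list of them."""
    return [value] if isinstance(value, str) else list(value or [])


def inbound_services(parsed):
    """Services accepted towards the host itself ('out': '_fw'), and by which policy."""
    exposed = {}
    for name, policy in parsed.items():
        for rule in policy.get("filter", []):
            if rule.get("out") == "_fw" and rule.get("action", "accept") == "accept":
                for svc in as_list(rule.get("service")):
                    exposed.setdefault(svc, set()).add(name)
    return exposed


def open_egress(parsed):
    """Policies whose default 'policy' accepts all traffic originating from the host."""
    return sorted(name for name, policy in parsed.items()
                  for p in policy.get("policy", [])
                  if p.get("in") == "_fw" and p.get("action") == "accept")


def unexpected_services(parsed, allowed):
    """Anything exposed that is not on the expected list for this container's role."""
    return sorted(set(inbound_services(parsed)) - set(allowed))


if __name__ == "__main__":
    ok, bad = load_policies(POLICY_FILES)
    for name, msg in bad.items():
        print(f"{name}: {msg}")
    print(inbound_services(ok))
    print(open_egress(ok))
```

Point POLICY_FILES at the real contents of /etc/awall/optional before running awall activate -f; the expected-services list passed to unexpected_services is the place to encode what each container is supposed to answer on.<br />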
<br />
== Install and Configure Freeswitch ==<br />
Install the package<br />
{{Cmd|apk add freeswitch}}<br />
<br />
Configure /etc/freeswitch/freeswitch.xml<br />
{{cat|/etc/freeswitch/freeswitch.xml|<br />
<pre><br />
<?xml version="1.0"?><br />
<document type="freeswitch/xml"><br />
<br />
<!-- Variables we need to set --><br />
<br />
<X-PRE-PROCESS cmd="set" data="b2bua=<%B2BUA_IP_ADDRESS%>"/><br />
<X-PRE-PROCESS cmd="set" data="domain=office.example.net"/><br />
<X-PRE-PROCESS cmd="set" data="siprouter=office.example.net"/><br />
<br />
<!-- Variables we don't need to set --><br />
<br />
<!-- External SIP Profile --><br />
<X-PRE-PROCESS cmd="set" data="external_sip_port=5060"/><br />
<!-- Global codecs --><br />
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/><br />
<!-- Outbound codecs --><br />
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/><br />
<br />
<section name="configuration" description="Various Configuration"><br />
<br />
<configuration name="modules.conf" description="Modules"><br />
<modules><br />
<load module="mod_commands"/><br />
<load module="mod_console"/><br />
<load module="mod_dptools"/><br />
<load module="mod_dialplan_xml"/><br />
<load module="mod_event_socket"/><br />
<load module="mod_logfile"/><br />
<load module="mod_sofia"/><br />
</modules><br />
</configuration><br />
<br />
<configuration name="console.conf" description="Console Logger"><br />
<mappings><br />
<map name="all" value="console,debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
<settings><br />
<param name="loglevel" value="info"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="logfile.conf" description="File Logging"><br />
<settings><br />
<param name="rotate-on-hup" value="true"/><br />
</settings><br />
<profiles><br />
<profile name="default"><br />
<settings><br />
<param name="rollover" value="10485760"/><br />
</settings><br />
<mappings><br />
<map name="all" value="debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
</profile><br />
</profiles><br />
</configuration><br />
<br />
<configuration name="sofia.conf" description="sofia Endpoint"><br />
<global_settings><br />
<param name="log-level" value="0"/><br />
<param name="debug-presence" value="0"/><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="log-auth-failures" value="false"/><br />
<param name="forward-unsolicited-mwi-notify" value="false"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="5060"/><br />
<param name="dialplan" value="XML"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="tls" value="false"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="auth-all-packets" value="false"/><br />
<param name="rtp-timeout-sec" value="300"/><br />
<param name="rtp-hold-timeout-sec" value="1800"/><br />
<param name="challenge-realm" value="auto_from"/><br />
</global_settings><br />
<br />
<profiles><br />
<profile name="$${domain}"><br />
<domains><br />
<domain name="all" alias="false" parse="true"/><br />
</domains><br />
<settings><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="$${external_sip_port}"/><br />
<param name="dialplan" value="XML"/><br />
<param name="context" value="default"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/><br />
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="local-network-acl" value="rfc1918.auto"/><br />
<param name="manage-presence" value="false"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="rtp-ip" value="$${b2bua}"/><br />
<param name="sip-ip" value="$${b2bua}"/><br />
<param name="tls" value="false"/><br />
</settings><br />
</profile> <br />
</profiles> <br />
<br />
</configuration><br />
<br />
<configuration name="switch.conf" description="Core Configuration"><br />
<br />
<cli-keybindings><br />
<key name="1" value="help"/><br />
<key name="2" value="status"/><br />
<key name="3" value="show channels"/><br />
<key name="4" value="show calls"/><br />
<key name="5" value="sofia status"/><br />
<key name="6" value="reloadxml"/><br />
</cli-keybindings><br />
<br />
<settings><br />
<param name="colorize-console" value="true"/><br />
<param name="max-sessions" value="1000"/><br />
<param name="sessions-per-second" value="30"/><br />
<param name="loglevel" value="debug"/><br />
<param name="dump-cores" value="yes"/><br />
<param name="rtp-enable-zrtp" value="false"/><br />
<param name="rtp-start-port" value="13000"/><br />
<param name="rtp-end-port" value="18000"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="post_load_modules.conf" description="Post-load modules"/><br />
<br />
</section><br />
<br />
<!-- Incoming Calls --><br />
<section name="dialplan" description="Regex/XML Dialplan"><br />
<context name="default"><br />
<extension name="b2b-in"><br />
<condition field="destination_number" expression="^(\d*)$"><br />
<action application="set" data="ringback=%(2000,4000,440.0,480.0)"/><br />
<action application="set" data="hangup_after_bridge=true"/><br />
<action application="set" data="continue_on_fail=true"/><br />
<action application="set" data="ignore_early_media=true"/> <br />
<action application="set" data="bypass_media=true"/> <br />
<action application="answer"/><br />
<action application="sleep" data="1000"/><br />
<action application="unset" data="sip_h_P-ARP"/><br />
<action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/><br />
</condition><br />
</extension><br />
</context> <br />
</section><br />
</document><br />
</pre><br />
}}<br />
{{Note|This profile runs with auth-calls and tls set to false, so the B2BUA accepts any INVITE that reaches it on the voice VLAN and relies on the awall policy above to limit who can send SIP. mod_event_socket is loaded without an event_socket.conf section, so it starts with its built-in defaults, including the well-known password ClueCon; add a section that binds it to 127.0.0.1 with a unique password, or remove the module from modules.conf. The awall policies do not accept its port from outside, which limits the exposure but is no substitute for configuring it.}}<br />
Start Freeswitch and configure it to start at boot<br />
{{Cmd|/etc/init.d/freeswitch start<br />
rc-update add freeswitch}}<br />
= Install the wifi Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n wifi -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.wifi}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/wifi/config, to reflect the network for the wifi container<br />
<br />
{{cat|/var/lib/lxc/wifi/config|<br />
...<br />
lxc.network.link {{=}} bond0.701<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.wifi start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.wifi}}<br />
<br />
== Enter the wifi container ==<br />
{{Cmd|lxc-console -n wifi}}<br />
Login as root<br />
{{Note|To detach from the container console press {{Key|Ctrl}}+{{Key|a}} followed by {{Key|q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
auto eth1<br />
iface eth1 inet static<br />
address <%WIFI_TRANSIT_IP_ADDRESS%><br />
netmask <%WIFI_TRANSIT_NETMASK%><br />
gateway <%DMVPN_WIFI_TRANSIT_IP_ADDRESS%><br />
<br />
auto eth2<br />
iface eth2 inet static<br />
address <%WIFI_MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
<br />
Configure remote administration. Install your public key in /root/.ssh/authorized_keys before disabling password authentication, otherwise the next SSH login will be refused.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i 's/^#*PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config<br />
sed -i 's/^#*UseDNS .*/UseDNS no/' /etc/ssh/sshd_config}}<br />
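The same two sshd_config changes are made in every container of this document (netserv, sip, b2bua and wifi), each time with a one-line sed. Two things go wrong with that approach in practice: a pattern that relies on a leading character such as '#' before the directive silently skips a line that is already uncommented, and disabling PasswordAuthentication without an authorized key installed locks you out of the container. The following Python, added here as an example and not part of the page or of OpenSSH, rewrites a constructed sshd_config fragment (assumed, not Alpine's shipped file) idempotently, refuses to disable password logins when no key is present, and shows what the naive pattern misses:<br />

```python
import re

# Constructed sshd_config fragment (not from the page): one directive is
# already active at column 0, the others are still commented defaults.
SAMPLE_SSHD_CONFIG = """\
# Authentication:
#PermitRootLogin prohibit-password
PasswordAuthentication yes
#UseDNS yes
Subsystem sftp /usr/lib/ssh/sftp-server
"""


def set_option(text, key, value):
    """Set `key value` in the global section, rewriting the first commented or
    active occurrence of the directive, or appending it when absent.
    Assumes no Match block precedes the directive (a directive placed after a
    Match line applies only to that block)."""
    pattern = re.compile(rf"^[ \t]*#?[ \t]*{re.escape(key)}\b.*$",
                         re.MULTILINE | re.IGNORECASE)
    line = f"{key} {value}"
    new_text, count = pattern.subn(line, text, count=1)
    if count == 0:
        new_text = text.rstrip("\n") + f"\n{line}\n"
    return new_text


def naive_sed_equivalent(text):
    """Equivalent of a sed expression of the form
    s/.PasswordAuthentication yes/PasswordAuthentication no/ : the leading '.'
    needs one character before the directive, so it rewrites a commented
    default but leaves an already active 'yes' at column 0 untouched."""
    return re.sub(r".PasswordAuthentication yes", "PasswordAuthentication no", text)


def effective(text, key):
    """Value sshd would use for `key`: the first active occurrence wins."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            parts = stripped.split(None, 1)
            if parts[0].lower() == key.lower():
                return parts[1] if len(parts) > 1 else ""
    return None


def harden(text, have_authorized_key):
    """Apply the two settings used throughout this document, but only disable
    password logins when a key is already installed; otherwise report why not."""
    out = set_option(text, "UseDNS", "no")
    if not have_authorized_key:
        return out, "refusing to disable PasswordAuthentication: no authorized key installed"
    return set_option(out, "PasswordAuthentication", "no"), "ok"


if __name__ == "__main__":
    hardened, status = harden(SAMPLE_SSHD_CONFIG, have_authorized_key=True)
    print(status)
    print(hardened)
```

In a real run, `have_authorized_key` would be the result of checking that /root/.ssh/authorized_keys exists and is non-empty; run `sshd -t` on the rewritten file before restarting the daemon.<br />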
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
{{Todo|Need to lock down firewall rules}}<br />
<br />
==Install and Configure the Recursive DNS Service ==<br />
Install unbound package<br />
{{Cmd|apk add unbound}}<br />
With your favorite editor configure /etc/unbound/unbound.conf<br />
{{cat|/etc/unbound/unbound.conf|<br />
server:<br />
verbosity: 1<br />
interface: 172.17.48.1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 172.17.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
do-not-query-localhost: no<br />
<br />
root-hints: "/etc/unbound/root.hints"<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
== Install and Configure the Proxy service ==<br />
Install the necessary packages<br />
{{Cmd|apk add squid squark lighttpd}}<br />
With your preferred editor configure /etc/squid/squid.conf<br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for BSNA<br />
<br />
# This port listens for client requests<br />
http_port 172.17.48.1:8080 transparent<br />
http_port 127.0.0.1:8081<br />
<br />
visible_hostname rbsna.resnet.local<br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
dns_nameservers 172.17.48.1<br />
<br />
# <br />
# Authentication<br />
#<br />
# Squark external acl<br />
#external_acl_type squark_snmp_auth_D children-max=1 ttl=4 grace=1 negative_ttl=0 concurrency=128 %SRC /usr/bin/squark-auth-snmp -c public -R <SWITCH_IP> -i <D_VLAN_IF> -v <D_VLAN_ID> -f "%N-%i=%I" -T /etc/squark/topology.conf<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst 172.17.48.1<br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
#acl SquarkAuth external squark_auth<br />
#acl SquarkSnmpAuthD external squark_snmp_auth_D<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones<br />
acl Zone_D src 172.17.48.0/24<br />
<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_D to access the entire Internet<br />
http_access allow Zone_D<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#Finally, permit access<br />
url_rewrite_access allow Zone_D<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
Configure lighttpd<br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
<br />
include "mime-types.conf"<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
<br />
<br />
server.follow-symlink = "enable"<br />
<br />
server.port = 81<br />
server.bind = "172.17.48.1"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("172.17.48.1" => "trust")<br />
</pre><br />
}}<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
<br />
# vim: set ft=conf foldmethod=marker et :<br />
</pre><br />
}}<br />
Link Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
Make the 'squid' and 'lighttpd' users members of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
Start lighttpd and configure the Web service to start at boot<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
Start Squid and configure it to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9813
Small Office Services
2014-01-22T21:37:33Z
<p>Cewebb: /* Install and Configure the Proxy service */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing, the recommended minimum Alpine version for the host box running the containers is 2.7.3 (64-bit).}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming'' '''none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming'' '''UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|'''http://<%DMVPN_LAN_IP%>:8080'''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming'' '''openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming'' '''chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming'' '''usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming'' '''/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor, configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
bond-updelay 500<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the base policy for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate -f<br />
rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor, configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd|/etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN awall policy to allow this proxy out to the internet (shown as a fragment of that policy's filter list)<br />
{{Note|This is to be configured in the DMVPN awall config, not inside the container}}<br />
{{cat|/etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
},<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Set up ACF for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replacing <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%> with your own values<br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have a hard disk installed, comment out the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
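To see how the http_access lines above are evaluated, here is an added example (not from the wiki page or from Squid) that replays Squid's first-match rule over a copy of the config in which the placeholders are filled with assumed sample values (LAN 10.1.1.0/24, proxy 10.1.1.10) and the file-based domain lists are inlined:<br />

```python
"""First-match evaluator for the http_access lines in the squid.conf above.

Added example, not part of the wiki page or of Squid. It models the ACL
types the page uses (src, dst, port, method, dstdomain) and Squid's
first-matching-line semantics, so one can confirm that Zone_B clients reach
only allow-listed domains and that CONNECT to a non-SSL port is refused.
"""
import ipaddress

# Constructed excerpt of the page's config with the <%...%> placeholders filled
# with assumed sample values (LAN 10.1.1.0/24, proxy 10.1.1.10) and the
# domain lists that the page keeps in files inlined.
SAMPLE_CONF = """
acl localhost src 127.0.0.1/32
acl to_localhost dst 10.1.1.10
acl SSL_ports port 443 563 8004 9000
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
acl Zone_B src 10.1.1.0/24
acl Zone_B_AllowedUserDomains dstdomain .example.com .alpinelinux.org
acl Zone_B_AllowedServicesHosts src 10.1.1.50
acl Zone_B_AllowedServicesDomains dstdomain .ntp.org
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow Zone_B Zone_B_AllowedUserDomains
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains
http_access deny all
"""

def parse(conf):
    """Collect 'acl NAME TYPE ...' definitions and 'http_access' lines in order."""
    acls = {"all": ("src", ["0.0.0.0/0"])}      # Squid's built-in 'all'
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":                    # repeated names accumulate, as in Squid
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def _port_match(values, port):
    for v in values:                             # single port or "lo-hi" range
        lo, _, hi = v.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _domain_match(values, host):
    host = host.lower().rstrip(".")
    for v in values:
        v = v.lower()
        if v.startswith("."):                    # ".example.com" also covers subdomains
            if host == v[1:] or host.endswith(v):
                return True
        elif host == v:
            return True
    return False

def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req[kind])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        return _port_match(values, req["port"])
    if kind == "method":
        return req["method"].upper() in {v.upper() for v in values}
    if kind == "dstdomain":
        return _domain_match(values, req["host"])
    raise ValueError(f"unsupported acl type: {kind}")

def http_access(acls, rules, req):
    """Terms on one line are ANDed; the first line whose terms all match wins.
    With no match at all, Squid applies the opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!")
               for t in terms):
            return action
    return "allow" if rules and rules[-1][0] == "deny" else "deny"

def decide(src, method, host, port, dst="203.0.113.10"):
    """Verdict ('allow' or 'deny') for one request against SAMPLE_CONF."""
    acls, rules = parse(SAMPLE_CONF)
    req = {"src": src, "dst": dst, "host": host, "port": port, "method": method}
    return http_access(acls, rules, req)

if __name__ == "__main__":
    for args in [("10.1.1.20", "GET", "www.example.com", 80),
                 ("10.1.1.20", "CONNECT", "www.example.com", 8080),
                 ("10.1.1.50", "GET", "pool.ntp.org", 80),
                 ("10.1.1.20", "PURGE", "www.example.com", 80)]:
        print(args, "->", decide(*args))
```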
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make the 'squid' and 'lighttpd' users members of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure it to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks for the netserv container<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Voice VLAN<br />
auto eth0<br />
iface eth0 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
up ip address add <%NETSERV_VOICE_IP_ADDRESS2%>/25 dev eth0<br />
#Management VLAN<br />
auto eth1<br />
iface eth1 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
<br />
<br />
#WiFi VLAN<br />
auto eth2<br />
iface eth2 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
<br />
}}<br />
<br />
Start networking<br />
{{Cmd|/etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Set up ACF for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dhcp.json|<br />
{<br />
"description": "DHCP",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dhcp",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dns.json|<br />
{<br />
"description": "DNS",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dns",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable dhcp<br />
awall enable dns<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start the DHCP service and add it to the default runlevel<br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package<br />
{{Cmd|apk add unbound}}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%NETSERV_VOICE_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
}}<br />
Start Unbound and allow the container to use it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%NETSERV_VOICE_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Configure the zone file for nsd (its name must match the zonefile directive in nsd.conf)<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record: points SIP clients at the _sip._udp SRV records below<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Records<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
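nsd-checkconf validates nsd.conf, not the zone contents. The following added example (not part of the wiki page or of nsd) parses the small zone-file subset used above and reports dangling references, such as an SRV target or NAPTR replacement with no matching record; the placeholders are filled with assumed sample addresses in 10.1.3.0/24:<br />

```python
"""Consistency check for the nsd zone file above: does every name the zone
points at (SOA MNAME, NS, SRV target, NAPTR replacement) actually exist?

Added example, not part of the wiki page or of nsd. It parses only the
zone-file syntax the page uses ($ORIGIN, $TTL, a parenthesised SOA and one
record per line) and lists dangling references, the kind of slip that makes
SIP discovery fail while nsd itself still loads the zone.
"""


def _fqdn(name, origin):
    """Absolute name for a relative owner or target."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, [(owner, TYPE, rdata tokens), ...])."""
    origin, records, buf = "", [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        buf += " " + line
        if buf.count("(") > buf.count(")"):
            continue                                   # inside a multi-line record
        toks = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0] == "$TTL":
            continue
        owner, rest = _fqdn(toks[0], origin), toks[1:]
        if rest[0].upper() == "IN":                    # optional class
            rest = rest[1:]
        records.append((owner, rest[0].upper(), rest[1:]))
    return origin, records


def check_zone(text):
    """List every reference that points at a name with no matching record."""
    origin, records = parse_zone(text)
    has_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    has_srv = {o for o, t, _ in records if t == "SRV"}

    def in_zone(name):
        return name == origin or name.endswith("." + origin)

    problems = []
    for owner, rtype, rdata in records:
        if rtype in ("SOA", "NS"):                     # MNAME / nameserver needs an address
            target = _fqdn(rdata[0], origin)
            if in_zone(target) and target not in has_addr:
                problems.append(f"{rtype} at {owner} names {target}, which has no A record")
        elif rtype == "SRV":                           # rdata: prio weight port target
            target = _fqdn(rdata[3], origin)
            if in_zone(target) and target not in has_addr:
                problems.append(f"SRV at {owner} targets {target}, which has no A record")
        elif rtype == "NAPTR":                         # rdata: order pref flags service regexp replacement
            flags, replacement = rdata[2].strip('"').lower(), _fqdn(rdata[5], origin)
            if "s" in flags and replacement not in has_srv:
                problems.append(f"NAPTR at {owner} replaces with {replacement}, which has no SRV record")
    return problems


# Constructed zone: the page's file with the placeholders replaced by sample
# addresses (assumed voice VLAN 10.1.3.0/24).
GOOD_ZONE = """\
$ORIGIN office.example.net.
$TTL 86400

@ IN SOA ns1 admin (
    2013032200 ; Serial number [yyyymmddnn]
    28800      ; Refresh
    7200       ; Retry
    864000     ; Expire
    86400      ; Min TTL
)

@ NS ns1
ns1 IN A 10.1.3.2

sip IN A 10.1.3.10
vmail IN A 10.1.3.11

@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""

# The same zone with two typical slips: the voicemail A record is misnamed and
# the NAPTR replacement points at a name that carries no SRV records.
BROKEN_ZONE = (GOOD_ZONE.replace("vmail IN A", "map IN A")
                        .replace("_sip._udp.office.example.net.",
                                 "_sip._udp.sip.office.example.net."))

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("broken", BROKEN_ZONE)):
        print(label, check_zone(zone) or "no problems")
```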
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd|/etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Set up ACF for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
==Install and Configure Postgresql==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf so that the 'listen_addresses' and 'log_destination' variables read:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
== Install Kamailio ==<br />
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio<br />
<br />
=Install the B2BUA container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n b2bua -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.b2bua}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/b2bua/config, to reflect the network for the B2BUA container<br />
<br />
{{cat|/var/lib/lxc/b2bua/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.b2bua start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.b2bua}}<br />
<br />
== Enter the B2BUA container ==<br />
{{Cmd|lxc-console -n b2bua}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%B2BUA_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip-track.json|<br />
{<br />
<br />
"description": "Phone system with SIP connection tracking",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Enable and activate firewall policies, and configure iptables to start at boot<br />
{{Cmd|awall enable base<br />
awall enable sip-track<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure Freeswitch ==<br />
Install package<br />
{{Cmd|apk add freeswitch}}<br />
<br />
Configure /etc/freeswitch/freeswitch.xml<br />
{{cat|/etc/freeswitch/freeswitch.xml|<br />
<pre><br />
<?xml version="1.0"?><br />
<document type="freeswitch/xml"><br />
<br />
<!-- Variables we need to set --><br />
<br />
<X-PRE-PROCESS cmd="set" data="b2bua=<%B2BUA_IP_ADDRESS%>"/><br />
<X-PRE-PROCESS cmd="set" data="domain=office.example.net"/><br />
<X-PRE-PROCESS cmd="set" data="siprouter=office.example.net"/><br />
<br />
<!-- Variables we don't need to set --><br />
<br />
<!-- External SIP Profile --><br />
<X-PRE-PROCESS cmd="set" data="external_sip_port=5060"/><br />
<!-- Global codecs --><br />
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/><br />
<!-- Outbound codecs --><br />
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/><br />
<br />
<section name="configuration" description="Various Configuration"><br />
<br />
<configuration name="modules.conf" description="Modules"><br />
<modules><br />
<load module="mod_commands"/><br />
<load module="mod_console"/><br />
<load module="mod_dptools"/><br />
<load module="mod_dialplan_xml"/><br />
<load module="mod_event_socket"/><br />
<load module="mod_logfile"/><br />
<load module="mod_sofia"/><br />
</modules><br />
</configuration><br />
<br />
<configuration name="console.conf" description="Console Logger"><br />
<mappings><br />
<map name="all" value="console,debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
<settings><br />
<param name="loglevel" value="info"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="logfile.conf" description="File Logging"><br />
<settings><br />
<param name="rotate-on-hup" value="true"/><br />
</settings><br />
<profiles><br />
<profile name="default"><br />
<settings><br />
<param name="rollover" value="10485760"/><br />
</settings><br />
<mappings><br />
<map name="all" value="debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
</profile><br />
</profiles><br />
</configuration><br />
<br />
<configuration name="sofia.conf" description="sofia Endpoint"><br />
<global_settings><br />
<param name="log-level" value="0"/><br />
<param name="debug-presence" value="0"/><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="log-auth-failures" value="false"/><br />
<param name="forward-unsolicited-mwi-notify" value="false"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="5060"/><br />
<param name="dialplan" value="XML"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="tls" value="false"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="auth-all-packets" value="false"/><br />
<param name="rtp-timeout-sec" value="300"/><br />
<param name="rtp-hold-timeout-sec" value="1800"/><br />
<param name="challenge-realm" value="auto_from"/><br />
</global_settings><br />
<br />
<profiles><br />
<profile name="$${domain}"><br />
<domains><br />
<domain name="all" alias="false" parse="true"/><br />
</domains><br />
<settings><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="$${external_sip_port}"/><br />
<param name="dialplan" value="XML"/><br />
<param name="context" value="default"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/><br />
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="local-network-acl" value="rfc1918.auto"/><br />
<param name="manage-presence" value="false"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="rtp-ip" value="$${b2bua}"/><br />
<param name="sip-ip" value="$${b2bua}"/><br />
<param name="tls" value="false"/><br />
</settings><br />
</profile> <br />
</profiles> <br />
<br />
</configuration><br />
<br />
<configuration name="switch.conf" description="Core Configuration"><br />
<br />
<cli-keybindings><br />
<key name="1" value="help"/><br />
<key name="2" value="status"/><br />
<key name="3" value="show channels"/><br />
<key name="4" value="show calls"/><br />
<key name="5" value="sofia status"/><br />
<key name="6" value="reloadxml"/><br />
</cli-keybindings><br />
<br />
<settings><br />
<param name="colorize-console" value="true"/><br />
<param name="max-sessions" value="1000"/><br />
<param name="sessions-per-second" value="30"/><br />
<param name="loglevel" value="debug"/><br />
<param name="dump-cores" value="yes"/><br />
<param name="rtp-enable-zrtp" value="false"/><br />
<param name="rtp-start-port" value="13000"/><br />
<param name="rtp-end-port" value="18000"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="post_load_modules.conf" description="Post-load modules"/><br />
<br />
</section><br />
<br />
<!-- Incoming Calls --><br />
<section name="dialplan" description="Regex/XML Dialplan"><br />
<context name="default"><br />
<extension name="b2b-in"><br />
<condition field="destination_number" expression="^(\d*)$"><br />
<action application="set" data="ringback=%(2000,4000,440.0,480.0)"/><br />
<action application="set" data="hangup_after_bridge=true"/><br />
<action application="set" data="continue_on_fail=true"/><br />
<action application="set" data="ignore_early_media=true"/> <br />
<action application="set" data="bypass_media=true"/> <br />
<action application="answer"/><br />
<action application="sleep" data="1000"/><br />
<action application="unset" data="sip_h_P-ARP"/><br />
<action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/><br />
</condition><br />
</extension><br />
</context> <br />
</section><br />
</document><br />
</pre><br />
}}<br />
Start Freeswitch and configure to start at boot<br />
{{Cmd|/etc/init.d/freeswitch start<br />
rc-update add freeswitch}}<br />
= Install the wifi Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n wifi -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.wifi}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/wifi/config, to reflect the network for the wifi container<br />
<br />
{{cat|/var/lib/lxc/wifi/config|<br />
...<br />
lxc.network.link {{=}} bond0.701<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.wifi start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.wifi}}<br />
<br />
== Enter the wifi container ==<br />
{{Cmd|lxc-console -n wifi}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WIFI_IP_ADDRESS%><br />
netmask <%VPNc_WIFI_NETMASK%><br />
<br />
auto eth1<br />
iface eth1 inet static<br />
address <%WIFI_TRANSIT_IP_ADDRESS%><br />
netmask <%WIFI_TRANSIT_NETMASK%><br />
gateway <%DMVPN_WIFI_TRANSIT_IP_ADDRESS%><br />
<br />
auto eth2<br />
iface eth2 inet static<br />
address <%WIFI_MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
{{Todo|Need to lock down firewall rules}}<br />
<br />
==Install and Configure the Recursive DNS Service ==<br />
Install unbound package<br />
{{Cmd|apk add unbound}}<br />
With your favorite editor configure /etc/unbound/unbound.conf<br />
{{cat|/etc/unbound/unbound.conf|<br />
server:<br />
verbosity: 1<br />
interface: 172.17.48.1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 172.17.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
do-not-query-localhost: no<br />
<br />
root-hints: "/etc/unbound/root.hints"<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
== Install and Configure the Proxy service ==<br />
Install the necessary packages<br />
{{Cmd|apk add squid squark lighttpd}}<br />
With your preferred editor configure /etc/squid/squid.conf<br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for BSNA<br />
<br />
# This port listens for client requests<br />
http_port 172.17.48.1:8080 transparent<br />
http_port 127.0.0.1:8081<br />
<br />
visible_hostname rbsna.resnet.local<br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
dns_nameservers 172.17.48.1<br />
<br />
# <br />
# Authentication<br />
#<br />
# Squark external acl<br />
#external_acl_type squark_snmp_auth_D children-max=1 ttl=4 grace=1 negative_ttl=0 concurrency=128 %SRC /usr/bin/squark-auth-snmp -c public -R <SWITCH_IP> -i <D_VLAN_IF> -v <D_VLAN_ID> -f "%N-%i=%I" -T /etc/squark/topology.conf<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst 172.17.48.1<br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
#acl SquarkAuth external squark_auth<br />
#acl SquarkSnmpAuthD external squark_snmp_auth_D<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones<br />
acl Zone_D src 172.17.48.0/24<br />
<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_D to access the entire Internet<br />
http_access allow Zone_D<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#Finally, permit access<br />
url_rewrite_access allow Zone_D<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
Configure lighttpd<br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
<br />
include "mime-types.conf"<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
<br />
<br />
server.follow-symlink = "enable"<br />
<br />
server.port = 81<br />
server.bind = "172.17.48.1"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("172.17.48.1" => "trust")<br />
</pre><br />
}}<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
<br />
# vim: set ft=conf foldmethod=marker et :<br />
</pre><br />
}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9812
Small Office Services
2014-01-22T20:55:59Z
<p>Cewebb: /* Install the wifi Container */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
bond-updelay 500<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the base policy for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and configure iptables to start automatically at boot<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate -f<br />
rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add rule to DMVPN awall policy to allow this proxy out to the internet<br />
{{Note| this is to be configured on the DMVPN awall config}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
},<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and configure iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access hosts listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
<br />
Configure /etc/lighttpd/lighttpd.conf, replacing <%WEBPROXY_IP_ADDRESS%> with the proxy container's address<br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks for the netserv container (one macvlan interface per VLAN; lxc.network.name sets the interface name seen inside the container)<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below. The interface names are the lxc.network.name values from the container config above, not eth0/eth1/eth2:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Voice VLAN (bond0.1101)<br />
auto eth_1101<br />
iface eth_1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
# second address on the voice VLAN, used by nsd below<br />
up ip address add <%NETSERV_VOICE_IP_ADDRESS2%>/25 dev eth_1101<br />
<br />
#Management VLAN (bond0.3)<br />
auto eth_3<br />
iface eth_3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
<br />
#WiFi VLAN (bond0.701)<br />
auto eth_701<br />
iface eth_701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
<br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dhcp.json|<br />
{<br />
"description": "DHCP",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dhcp",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dns.json|<br />
{<br />
"description": "DNS",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dns",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable dhcp<br />
awall enable dns<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package (acf-dhcp pulls it in)<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (nsd is installed further down)<br />
{{Cmd|apk add unbound }}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%NETSERV_VOICE_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
}}<br />
Start Unbound and point the container's own resolver at it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%NETSERV_VOICE_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Create the zone file named in nsd.conf (zonesdir is /etc/nsd, so the file is /etc/nsd/office.example.net.zone)<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record: SIP over UDP, resolved through the _sip._udp SRV records below<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Records (same priority and weight: clients spread load over both)<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
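nsd-checkconf only validates nsd.conf; it says nothing about whether the records inside the zone agree with each other, and a SRV target or NAPTR replacement that points at a name with no record silently breaks SIP discovery. The script below is an added example and is not part of this page or of nsd. It assumes the zone file starts with the $ORIGIN line shown above, that every record names its owner, and that the serial follows the yyyymmddnn convention used in the SOA. zone_check_targets reports every NS or SRV target without an A record and every NAPTR replacement without an SRV record; zone_bump_serial raises the serial after an edit, which is what a secondary server would need before it transfers the new zone.<br />
<br />
```shell
#!/bin/sh
# Added example; not part of the wiki page. Helpers for the nsd zone file kept
# as /etc/nsd/office.example.net.zone (zonesdir /etc/nsd). Assumptions: the
# zone starts with a $ORIGIN line, every record carries its owner name, and the
# SOA serial is yyyymmddnn followed by a ";Serial" comment, as on the page.
#
#   zone_check_targets ZONEFILE      every NS and SRV target needs an A record
#                                    and every NAPTR replacement an SRV record
#                                    in this zone; prints each gap, returns count
#   zone_bump_serial ZONEFILE [DAY]  same day -> nn+1, new day -> DAY01; prints
#                                    the new serial (DAY defaults to today)

zone_check_targets() {
  awk '
    function fq(n) {                        # relative owner/target -> FQDN
      if (n == "@") return origin
      if (n ~ /\.$/) return n
      return n "." origin
    }
    /^[ \t]*(;|$)/ { next }                 # comment or blank line
    $1 == "$ORIGIN" { origin = $2; next }
    $1 == "$TTL"    { next }
    inparen { if ($0 ~ /\)/) inparen = 0; next }   # rest of a multi-line SOA
    {
      owner = fq($1)
      i = 2
      while ($i == "IN" || $i ~ /^[0-9]+$/) i++    # skip optional class / TTL
      type = $i
      if (type == "SOA")   { if ($0 !~ /\)/) inparen = 1; next }
      if (type == "A")     a[owner] = 1
      if (type == "NS")    ns[fq($NF)] = owner
      if (type == "SRV")   { srv[owner] = 1; srvt[fq($NF)] = owner }
      if (type == "NAPTR") naptr[fq($NF)] = owner
    }
    END {
      gaps = 0
      for (t in ns)   if (!(t in a)) { print "NS " ns[t] " -> " t ": no A record"; gaps++ }
      for (t in srvt) if (!(t in a)) { print "SRV " srvt[t] " -> " t ": no A record"; gaps++ }
      for (t in naptr) {
        if (t == ".") continue              # "." means no replacement
        if (!(t in srv)) { print "NAPTR " naptr[t] " -> " t ": no SRV record"; gaps++ }
      }
      exit gaps
    }' "$1"
}

zone_bump_serial() {
  file=$1
  day=${2:-$(date +%Y%m%d)}
  old=$(sed -n -E 's/^[[:space:]]*([0-9]{10})[[:space:]]*;[[:space:]]*[Ss]erial.*/\1/p' "$file" | head -n 1)
  [ -n "$old" ] || { echo "no yyyymmddnn serial with a ';Serial' comment in $file" >&2; return 1; }
  if [ "${old%??}" = "$day" ]; then
    new=$((old + 1))                        # nn rolls into the next day at 99, still increasing
  else
    new="${day}01"
  fi
  sed -i -E "s/^([[:space:]]*)$old([[:space:]]*;)/\1$new\2/" "$file"
  echo "$new"
}

zone_demo() {  # constructed zone with two deliberate mistakes for the check to find
  z=$(mktemp)
  cat > "$z" <<'EOF'
$ORIGIN office.example.net.
$TTL 86400
@ IN SOA ns1 admin (
        2013032200 ; Serial number [yyyymmddnn]
        28800 ; Refresh
        7200 ; Retry
        864000 ; Expire
        86400 ; Min TTL
        )
@ NS ns1
ns1 IN A 10.1.1.2
sip IN A 10.1.1.10
map IN A 10.1.1.11
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.sip.office.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
EOF
  zone_check_targets "$z" || echo "$? gap(s) found"
  echo "new serial: $(zone_bump_serial "$z" 20130322)"
  rm -f "$z"
}

if [ "${1:-}" = demo ]; then zone_demo; fi
```
<br />
Run it as <code>sh zone-tools.sh demo</code> to see it flag a NAPTR that points at a name without SRV records and an SRV target without an A record; run <code>zone_check_targets /etc/nsd/office.example.net.zone</code> before every nsd restart and <code>zone_bump_serial</code> after every edit.<br />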
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept",<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
==Install and Configure Postgresql==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf to set the 'listen_addresses', and the 'log_destination' variables to show:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
== Install Kamailio ==<br />
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio<br />
<br />
=Install the B2BUA container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n b2bua -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.b2bua}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/b2bua/config, to reflect the network for the B2BUA container<br />
<br />
{{cat|/var/lib/lxc/b2bua/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.b2bua start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.b2bua}}<br />
<br />
== Enter the B2BUA container ==<br />
{{Cmd|lxc-console -n b2bua}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%B2BUA_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip-track.json|<br />
{<br />
<br />
"description": "Phone system with SIP connection tracking",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Enable and activate firewall policies, and configure iptables to start at boot<br />
{{Cmd|awall enable base<br />
awall enable sip-track<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure Freeswitch ==<br />
Install package<br />
{{Cmd|apk add freeswitch}}<br />
<br />
Configure /etc/freeswitch/freeswitch.xml. The sofia profile below sets auth-calls and tls to false, so FreeSWITCH accepts unauthenticated, cleartext SIP from any host that can reach port 5060; the sip-track firewall policy above is the only thing limiting who that is.<br />
{{cat|/etc/freeswitch/freeswitch.xml|<br />
<pre><br />
<?xml version="1.0"?><br />
<document type="freeswitch/xml"><br />
<br />
<!-- Variables we need to set --><br />
<br />
<X-PRE-PROCESS cmd="set" data="b2bua=<%B2BUA_IP_ADDRESS%>"/><br />
<X-PRE-PROCESS cmd="set" data="domain=office.example.net"/><br />
<X-PRE-PROCESS cmd="set" data="siprouter=office.example.net"/><br />
<br />
<!-- Variables we don't need to set --><br />
<br />
<!-- External SIP Profile --><br />
<X-PRE-PROCESS cmd="set" data="external_sip_port=5060"/><br />
<!-- Global codecs --><br />
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/><br />
<!-- Outbound codecs --><br />
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/><br />
<br />
<section name="configuration" description="Various Configuration"><br />
<br />
<configuration name="modules.conf" description="Modules"><br />
<modules><br />
<load module="mod_commands"/><br />
<load module="mod_console"/><br />
<load module="mod_dptools"/><br />
<load module="mod_dialplan_xml"/><br />
<load module="mod_event_socket"/><br />
<load module="mod_logfile"/><br />
<load module="mod_sofia"/><br />
</modules><br />
</configuration><br />
<br />
<configuration name="console.conf" description="Console Logger"><br />
<mappings><br />
<map name="all" value="console,debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
<settings><br />
<param name="loglevel" value="info"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="logfile.conf" description="File Logging"><br />
<settings><br />
<param name="rotate-on-hup" value="true"/><br />
</settings><br />
<profiles><br />
<profile name="default"><br />
<settings><br />
<param name="rollover" value="10485760"/><br />
</settings><br />
<mappings><br />
<map name="all" value="debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
</profile><br />
</profiles><br />
</configuration><br />
<br />
<configuration name="sofia.conf" description="sofia Endpoint"><br />
<global_settings><br />
<param name="log-level" value="0"/><br />
<param name="debug-presence" value="0"/><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="log-auth-failures" value="false"/><br />
<param name="forward-unsolicited-mwi-notify" value="false"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="5060"/><br />
<param name="dialplan" value="XML"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="tls" value="false"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="auth-all-packets" value="false"/><br />
<param name="rtp-timeout-sec" value="300"/><br />
<param name="rtp-hold-timeout-sec" value="1800"/><br />
<param name="challenge-realm" value="auto_from"/><br />
</global_settings><br />
<br />
<profiles><br />
<profile name="$${domain}"><br />
<domains><br />
<domain name="all" alias="false" parse="true"/><br />
</domains><br />
<settings><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="$${external_sip_port}"/><br />
<param name="dialplan" value="XML"/><br />
<param name="context" value="default"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/><br />
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="local-network-acl" value="rfc1918.auto"/><br />
<param name="manage-presence" value="false"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="rtp-ip" value="$${b2bua}"/><br />
<param name="sip-ip" value="$${b2bua}"/><br />
<param name="tls" value="false"/><br />
</settings><br />
</profile> <br />
</profiles> <br />
<br />
</configuration><br />
<br />
<configuration name="switch.conf" description="Core Configuration"><br />
<br />
<cli-keybindings><br />
<key name="1" value="help"/><br />
<key name="2" value="status"/><br />
<key name="3" value="show channels"/><br />
<key name="4" value="show calls"/><br />
<key name="5" value="sofia status"/><br />
<key name="6" value="reloadxml"/><br />
</cli-keybindings><br />
<br />
<settings><br />
<param name="colorize-console" value="true"/><br />
<param name="max-sessions" value="1000"/><br />
<param name="sessions-per-second" value="30"/><br />
<param name="loglevel" value="debug"/><br />
<param name="dump-cores" value="yes"/><br />
<param name="rtp-enable-zrtp" value="false"/><br />
<param name="rtp-start-port" value="13000"/><br />
<param name="rtp-end-port" value="18000"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="post_load_modules.conf" description="Post-load modules"/><br />
<br />
</section><br />
<br />
<!-- Incoming Calls --><br />
<section name="dialplan" description="Regex/XML Dialplan"><br />
<context name="default"><br />
<extension name="b2b-in"><br />
<condition field="destination_number" expression="^(\d*)$"><br />
<action application="set" data="ringback=%(2000,4000,440.0,480.0)"/><br />
<action application="set" data="hangup_after_bridge=true"/><br />
<action application="set" data="continue_on_fail=true"/><br />
<action application="set" data="ignore_early_media=true"/> <br />
<action application="set" data="bypass_media=true"/> <br />
<action application="answer"/><br />
<action application="sleep" data="1000"/><br />
<action application="unset" data="sip_h_P-ARP"/><br />
<action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/><br />
</condition><br />
</extension><br />
</context> <br />
</section><br />
</document><br />
</pre><br />
}}<br />
Start Freeswitch and configure to start at boot<br />
{{Cmd|/etc/init.d/freeswitch start<br />
rc-update add freeswitch}}<br />
= Install the wifi Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n wifi -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.wifi}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/wifi/config, to reflect the network for the wifi container<br />
<br />
{{cat|/var/lib/lxc/wifi/config|<br />
...<br />
lxc.network.link {{=}} bond0.701<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.wifi start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.wifi}}<br />
<br />
== Enter the wifi container ==<br />
{{Cmd|lxc-console -n wifi}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
auto eth1<br />
iface eth1 inet static<br />
address <%WIFI_TRANSIT_IP_ADDRESS%><br />
netmask <%WIFI_TRANSIT_NETMASK%><br />
gateway <%DMVPN_WIFI_TRANSIT_IP_ADDRESS%><br />
<br />
auto eth2<br />
iface eth2 inet static<br />
address <%WIFI_MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
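The netserv, sip, b2bua and wifi containers above all harden sshd with the same two sed commands. As an added example that is not part of this page, the script below makes that edit robust: the pattern <code>.PasswordAuthentication yes</code> only matches a line with exactly one character (the <code>#</code>) in front of the keyword, so a file that already carries an active <code>PasswordAuthentication yes</code> at column 0 is left unchanged and password logins stay enabled. The helpers rewrite any active or commented spelling of the directive, append it when the file has none, and read back the value sshd will actually use (sshd takes the first active occurrence of a keyword). The function names and the sample sshd_config are assumptions made for the example. Put your public key in /root/.ssh/authorized_keys before turning password authentication off, or the only way back in is lxc-console.<br />
<br />
```shell
#!/bin/sh
# Added example; not part of the wiki page. Robust replacement for the page's
#   sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/"
# The function names are this example's own. Every occurrence of the keyword is
# rewritten, including ones inside Match blocks (acceptable for these two
# restrictive settings). Needs GNU or busybox sed for the case-insensitive flag.

# sshd_get Keyword FILE -> value sshd uses (first active occurrence), or "unset"
sshd_get() {
  awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || NF < 2 { next }          # comments and junk lines
    tolower($1) == k { print $2; found = 1; exit }
    END { if (!found) print "unset" }' "$2"
}

# sshd_set Keyword value FILE -> rewrite every active/commented occurrence,
# whatever its case or spacing, or append the directive if there is none
sshd_set() {
  key=$1 val=$2 file=$3
  if grep -i -q -E "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|=)" "$file"; then
    sed -i -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]]+|[[:space:]]*=[[:space:]]*).*/$key $val/I" "$file"
  else
    printf '%s %s\n' "$key" "$val" >> "$file"
  fi
}

# sshd_harden [FILE] -> apply the page's two settings and verify the result
sshd_harden() {
  f=${1:-/etc/ssh/sshd_config}
  sshd_set PasswordAuthentication no "$f"
  sshd_set UseDNS no "$f"
  [ "$(sshd_get PasswordAuthentication "$f")" = no ] &&
  [ "$(sshd_get UseDNS "$f")" = no ]
}

sshd_demo() {  # constructed sshd_config: the case the page's sed misses
  c=$(mktemp)
  cat > "$c" <<'EOF'
# constructed sample, not a real Alpine sshd_config
Port 22
PasswordAuthentication yes
#UseDNS yes
PermitRootLogin no
EOF
  echo "before: PasswordAuthentication=$(sshd_get PasswordAuthentication "$c") UseDNS=$(sshd_get UseDNS "$c")"
  sshd_harden "$c" && echo "after:  PasswordAuthentication=$(sshd_get PasswordAuthentication "$c") UseDNS=$(sshd_get UseDNS "$c")"
  rm -f "$c"
}

if [ "${1:-}" = demo ]; then sshd_demo; fi
```
<br />
Inside a container, <code>sshd_harden</code> (with no argument) edits /etc/ssh/sshd_config in place; follow it with <code>/etc/init.d/sshd restart</code>, and confirm with <code>sshd_get PasswordAuthentication /etc/ssh/sshd_config</code> from a second session before closing the first.<br />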
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
{{Todo|Need to lock down firewall rules}}<br />
<br />
==Install and Configure the Recursive DNS Service ==<br />
Install unbound package<br />
{{Cmd|apk add unbound}}<br />
With your favorite editor configure /etc/unbound/unbound.conf<br />
{{cat|/etc/unbound/unbound.conf|<br />
server:<br />
verbosity: 1<br />
interface: 172.17.48.1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 172.17.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
do-not-query-localhost: no<br />
<br />
root-hints: "/etc/unbound/root.hints"<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
== Install and Configure the Proxy service ==<br />
Install the necessary packages<br />
{{Cmd|apk add squid squark lighttpd}}<br />
With your preferred editor configure /etc/squid/squid.conf<br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for BSNA<br />
<br />
# This port listens for client requests<br />
http_port 172.17.48.1:8080 transparent<br />
http_port 127.0.0.1:8081<br />
<br />
visible_hostname rbsna.resnet.local<br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
dns_nameservers 172.17.48.1<br />
<br />
# <br />
# Authentication<br />
#<br />
# Squark external acl<br />
#external_acl_type squark_snmp_auth_D children-max=1 ttl=4 grace=1 negative_ttl=0 concurrency=128 %SRC /usr/bin/squark-auth-snmp -c public -R <SWITCH_IP> -i <D_VLAN_IF> -v <D_VLAN_ID> -f "%N-%i=%I" -T /etc/squark/topology.conf<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst 172.17.48.1<br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
#acl SquarkAuth external squark_auth<br />
#acl SquarkSnmpAuthD external squark_snmp_auth_D<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones<br />
acl Zone_D src 172.17.48.0/24<br />
<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_D to access the entire Internet<br />
http_access allow Zone_D<br />
<br />
# Deny all access not explicitly allowed above (Squid uses the first matching line)<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#Finally, permit access<br />
url_rewrite_access allow Zone_D<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
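Both squid.conf files on this page depend on the order of their http_access lines: Squid walks the list top to bottom and acts on the first line whose ACLs all match, does the opposite of the last line when nothing matches, and denies everything when there are no lines at all. The deny !Safe_ports and deny CONNECT !SSL_ports lines therefore have to sit in front of the zone allow lines, and deny all has to be last, or a later edit quietly opens the proxy. The script below is an added example, not part of this page or of Squid; it reads a squid.conf and reports every departure from that ordering. The rule positions it prints and the sample config in the demo are this example's own.<br />
<br />
```shell
#!/bin/sh
# Added example; not part of the wiki page. Lint for the http_access ordering
# both squid.conf files on the page rely on: first match wins, so the port
# restrictions must precede any zone allow and "deny all" must be last.
# squid_access_lint squid.conf prints each problem and returns their count.

squid_access_lint() {
  awk '
    /^[ \t]*http_access[ \t]/ {
      n++
      act[n] = $2
      rest = $3
      for (i = 4; i <= NF; i++) rest = rest " " $i
      rule[n] = rest
      # first allow that is not one of the localhost-only manager/purge rules
      if (act[n] == "allow" && !first_allow && rest !~ /localhost/) first_allow = n
      if (act[n] == "deny" && rest == "!Safe_ports")        safe = n
      if (act[n] == "deny" && rest == "CONNECT !SSL_ports") ssl = n
    }
    END {
      bad = 0
      if (n == 0) { print "no http_access lines: Squid denies every request"; exit 1 }
      if (act[n] != "deny" || rule[n] != "all") {
        print "last http_access is not \"deny all\" but \"" act[n] " " rule[n] "\""; bad++
      }
      if (!safe) { print "missing: http_access deny !Safe_ports"; bad++ }
      else if (first_allow && safe > first_allow) {
        print "deny !Safe_ports (rule " safe ") comes after allow (rule " first_allow ")"; bad++
      }
      if (!ssl) { print "missing: http_access deny CONNECT !SSL_ports"; bad++ }
      else if (first_allow && ssl > first_allow) {
        print "deny CONNECT !SSL_ports (rule " ssl ") comes after allow (rule " first_allow ")"; bad++
      }
      for (i = 1; i < n; i++)            # anything after an early deny all is dead
        if (act[i] == "deny" && rule[i] == "all") {
          print "deny all at rule " i " makes the later http_access lines unreachable"; bad++
          break
        }
      exit bad
    }' "$1"
}

squid_demo() {  # constructed squid.conf with the zone allow moved too early
  c=$(mktemp)
  cat > "$c" <<'EOF'
acl Zone_D src 172.17.48.0/24
http_access allow manager localhost
http_access deny manager
http_access allow Zone_D
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_access allow purge localhost
EOF
  squid_access_lint "$c" || echo "$? problem(s) found"
  rm -f "$c"
}

if [ "${1:-}" = demo ]; then squid_demo; fi
```
<br />
Run <code>squid_access_lint /etc/squid/squid.conf</code> after editing and before <code>squid -k reconfigure</code>; a zero return means the port denies come first, the zone allows follow and deny all closes the list, which is the shape both configs on this page use.<br />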
Configure /etc/lighttpd/lighttpd.conf<br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
<br />
include "mime-types.conf"<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
<br />
<br />
server.follow-symlink = "enable"<br />
<br />
server.port = 81<br />
server.bind = "172.17.48.1"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("172.17.48.1" => "trust")<br />
</pre><br />
}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9811
Small Office Services
2014-01-22T19:48:32Z
<p>Cewebb: Adding unbound to the wifi container to handle its own DNS resolution</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
bond-updelay 500<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the base policy for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate -f<br />
rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEBPROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add rule to DMVPN awall policy to allow this proxy out to the internet<br />
{{Note| this is to be configured on the DMVPN awall config}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
},<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access hosts listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Denying all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
<br />
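A model of the first-match evaluation Squid applies to the http_access lines above, added here as an example; it is not code from the wiki page or from Squid. The subnet, the ACL list-file contents and the sample clients are constructed stand-ins for the <%...%> placeholders, and only the ACL types the page uses (src, dstdomain, port, method, manager) are modelled.<br />

```python
"""First-match walk through the http_access lines of the squid.conf above."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the page's placeholders and ACL list files.
LAN_SUBNET = ipaddress.ip_network("10.1.0.0/24")           # <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%>
ALLOWED_USER_DOMAINS = {"example.net", "alpinelinux.org"}  # /etc/squid/alloweduserdomains
ALLOWED_SERVICES_HOSTS = {"10.1.0.50"}                     # /etc/squid/allowedserviceshosts
ALLOWED_SERVICES_DOMAINS = {"updates.example2.net"}        # /etc/squid/allowedservicesdomains
SSL_PORTS = {443, 563, 8004, 9000}
SAFE_PORTS = {21, 70, 80, 81, 210, 280, 443, 563, 499, 591, 777, 1024, 1022} | set(range(1025, 65536))


@dataclass(frozen=True)
class Request:
    src: str       # client address as Squid sees it
    method: str    # GET, CONNECT, PURGE ...
    scheme: str    # http, https, or cache_object (the cache manager interface)
    host: str      # destination host name or address
    port: int


def dstdomain(host, domains):
    """Squid dstdomain semantics: a listed domain matches itself and its subdomains."""
    return any(host == d or host.endswith("." + d) for d in domains)


# One predicate per acl line on the page.
ACLS = {
    "localhost": lambda r: r.src == "127.0.0.1",
    "manager": lambda r: r.scheme == "cache_object",
    "purge": lambda r: r.method == "PURGE",
    "CONNECT": lambda r: r.method == "CONNECT",
    "SSL_ports": lambda r: r.port in SSL_PORTS,
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "Zone_B": lambda r: ipaddress.ip_address(r.src) in LAN_SUBNET,
    "Zone_B_AllowedUserDomains": lambda r: dstdomain(r.host, ALLOWED_USER_DOMAINS),
    "Zone_B_AllowedServicesHosts": lambda r: r.src in ALLOWED_SERVICES_HOSTS,
    "Zone_B_AllowedServicesDomains": lambda r: dstdomain(r.host, ALLOWED_SERVICES_DOMAINS),
    "all": lambda r: True,
}

# The http_access lines from the page, in order. Terms on one line are ANDed
# and a leading '!' negates a term, exactly as in squid.conf.
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["Zone_B", "Zone_B_AllowedUserDomains"]),
    ("allow", ["Zone_B_AllowedServicesHosts", "Zone_B_AllowedServicesDomains"]),
    ("deny", ["all"]),
]


def term_matches(term, req):
    negate = term.startswith("!")
    result = ACLS[term.lstrip("!")](req)
    return not result if negate else result


def http_access(req, rules=HTTP_ACCESS):
    """Return (action, rule) for the first http_access line whose terms all match.

    When no line matches, Squid applies the opposite of the last line's action;
    the trailing 'deny all' on the page makes that branch unreachable.
    """
    for action, terms in rules:
        if all(term_matches(t, req) for t in terms):
            return action, f"http_access {action} {' '.join(terms)}"
    last = rules[-1][0]
    return ("allow" if last == "deny" else "deny"), "implicit (opposite of last line)"


# Constructed sample clients; one line per situation the rule order has to handle.
SAMPLE_REQUESTS = [
    Request("10.1.0.20", "GET", "http", "www.example.net", 80),         # LAN user, listed domain
    Request("10.1.0.20", "GET", "http", "www.example.org", 80),         # LAN user, unlisted domain
    Request("10.1.0.20", "CONNECT", "https", "www.example.net", 8443),  # tunnel to a non-SSL port
    Request("10.1.0.20", "GET", "http", "www.example.net", 25),         # SMTP is not a Safe_port
    Request("10.1.0.50", "GET", "http", "updates.example2.net", 80),    # services host, services domain
    Request("192.168.5.5", "GET", "http", "www.example.net", 80),       # client outside Zone_B
    Request("10.1.0.20", "PURGE", "http", "www.example.net", 80),       # PURGE from a client
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        action, rule = http_access(req)
        print(f"{req.src:12} {req.method:7} {req.host}:{req.port:<5} -> {action:5} ({rule})")
```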
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the three networks (management, WiFi and voice) the netserv container is attached to<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Voice VLAN<br />
auto eth0<br />
iface eth0 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
up ip address add <%NETSERV_VOICE_IP_ADDRESS2%>/25 dev eth0<br />
#Management VLAN<br />
auto eth1<br />
iface eth1 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
<br />
<br />
#WiFi VLAN<br />
auto eth2<br />
iface eth2 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
<br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dhcp.json|<br />
{<br />
"description": "DHCP",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dhcp",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dns.json|<br />
{<br />
"description": "DNS",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dns",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable dhcp<br />
awall enable dns<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package<br />
{{Cmd|apk add unbound }}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%NETSERV_VOICE_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
}}<br />
Start Unbound and allow the container to use it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
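A cross-check of the dhcpd.conf and unbound.conf above, added here as an example and not code from the wiki page or from either daemon: it verifies that every subnet dhcpd serves is covered by an unbound access-control allow and that the resolver address handed out in each subnet is one unbound actually listens on. Both configs below are constructed samples with the <%...%> placeholders filled in, and the WiFi subnet is deliberately placed outside the resolver's allow list to show the report.<br />

```python
"""Check that DHCP clients of the netserv container can actually reach its resolver."""
import ipaddress
import re

# Constructed sample mirroring the page's dhcpd.conf with placeholders filled in.
SAMPLE_DHCPD = """
## Voice
subnet 10.1.1.0 netmask 255.255.255.0
{
    range 10.1.1.100 10.1.1.200;
    option domain-name-servers 10.1.1.2;
    option routers 10.1.1.1;
    option domain-name "office.example.net";
}

## WiFi (constructed: deliberately outside the resolver's allow list)
subnet 192.168.7.0 netmask 255.255.255.0
{
    range 192.168.7.100 192.168.7.200;
    option routers 192.168.7.1;
    option domain-name-servers 192.168.7.2;
    option domain-name "wifi.example.net";
}
"""

# Constructed sample mirroring the page's unbound.conf server section.
SAMPLE_UNBOUND = """
server:
    interface: 10.1.1.2
    do-ip4: yes
    access-control: 10.1.0.0/16 allow
    access-control: 127.0.0.0/8 allow
    root-hints: "/etc/unbound/root.hints"   # comments are stripped by the parser
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
DNS_RE = re.compile(r"option\s+domain-name-servers\s+([^;]+);")


def parse_dhcpd_subnets(text):
    """Return [(network, [resolver addresses])] for every subnet block in dhcpd.conf."""
    subnets = []
    for net, mask, body in SUBNET_RE.findall(text):
        network = ipaddress.ip_network(f"{net}/{mask}")
        match = DNS_RE.search(body)
        servers = [s.strip() for s in match.group(1).split(",")] if match else []
        subnets.append((network, servers))
    return subnets


def parse_unbound(text):
    """Return (listen addresses, [networks granted by 'access-control: ... allow'])."""
    interfaces, allowed = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("interface:"):
            # 'interface: addr@port' is allowed by unbound; keep only the address
            interfaces.append(line.split(":", 1)[1].strip().split("@")[0])
        elif line.startswith("access-control:"):
            net, action = line.split(":", 1)[1].split()
            if action == "allow":
                allowed.append(ipaddress.ip_network(net))
    return interfaces, allowed


def check_resolver_reachability(dhcpd_text, unbound_text):
    """List every way a DHCP client would be unable to use the resolver it is given."""
    interfaces, allowed = parse_unbound(unbound_text)
    listens_everywhere = "0.0.0.0" in interfaces
    problems = []
    for network, servers in parse_dhcpd_subnets(dhcpd_text):
        if not any(network.subnet_of(a) for a in allowed):
            problems.append(f"{network}: no unbound access-control allow covers this subnet")
        if not servers:
            problems.append(f"{network}: no domain-name-servers option, clients get no resolver")
        for server in servers:
            if server not in interfaces and not listens_everywhere:
                problems.append(f"{network}: advertised resolver {server} is not an unbound interface")
    return problems


if __name__ == "__main__":
    for problem in check_resolver_reachability(SAMPLE_DHCPD, SAMPLE_UNBOUND):
        print("PROBLEM:", problem)
```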
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Create the nsd configuration<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%NETSERV_VOICE_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Configure Zone file for nsd<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; NS servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Records<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Record<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
<br />
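A consistency check for a zone like the one above, added here as an example and not code from the wiki page or from nsd: nsd-checkconf validates nsd.conf, but it does not report an SRV target or NAPTR replacement that the zone never defines, which is what leaves phones unable to locate the SIP service. The sample zone is constructed, with the placeholders filled in and one deliberate slip (an A record for 'map' where the SRV record says 'vmail').<br />

```python
"""Verify that every SOA/NS/SRV/NAPTR pointer in a zone names something the zone defines."""

# Constructed sample zone; 'map' is the deliberate mismatch the check should catch.
SAMPLE_ZONE = """\
$ORIGIN office.example.net.
$TTL 86400

@ IN SOA ns1 admin (
        2013032200 ; Serial number [yyyymmddnn]
        28800      ; Refresh
        7200       ; Retry
        864000     ; Expire
        86400      ; Min TTL
        )

@ NS ns1
; NS servers
ns1 IN A 10.1.1.2

;A Records for SIP Devices
sip IN A 10.1.1.10
map IN A 10.1.1.11

;NAPTR Record
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.

;SIP SRV Records
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""


def fqdn(name, origin):
    """Expand a zone-file name relative to $ORIGIN ('@' is the origin itself)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, [(owner fqdn, TYPE, [rdata tokens])]) for a master-file zone."""
    origin, records, logical, buf, depth = None, [], [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # strip comments (no quoted ';' in this zone)
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:                       # end of a (possibly parenthesised) record
            logical.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    last_owner = None
    for line in logical:
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        # An owner name is present only when the line does not start with whitespace.
        owner = last_owner if line[0].isspace() else tokens.pop(0)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                    # optional TTL and class
        records.append((fqdn(owner, origin), tokens[0].upper(), tokens[1:]))
        last_owner = owner
    return origin, records


def wanted_at_target(rtype, rdata):
    """Return (rdata index of the target name, record types that must exist there)."""
    if rtype in ("SOA", "NS"):
        return 0, {"A", "AAAA"}
    if rtype == "SRV":
        return 3, {"A", "AAAA"}
    if rtype == "NAPTR":
        # NAPTR flag 's' means the replacement is an SRV owner name, 'a' an address name.
        flag = rdata[2].strip('"').lower()
        return 5, ({"SRV"} if flag == "s" else {"A", "AAAA"})
    return None, None


def check_targets(origin, records):
    """Report every pointer record whose target the zone does not define."""
    types_at = {}
    for owner, rtype, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    problems = []
    for owner, rtype, rdata in records:
        index, wanted = wanted_at_target(rtype, rdata)
        if index is None:
            continue
        target = fqdn(rdata[index], origin)
        if not types_at.get(target, set()) & wanted:
            problems.append(f"{owner} {rtype} target {target} has no {'/'.join(sorted(wanted))} record")
    return problems


if __name__ == "__main__":
    for problem in check_targets(*parse_zone(SAMPLE_ZONE)):
        print("PROBLEM:", problem)
```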
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
==Install and Configure Postgresql==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf to set the 'listen_addresses', and the 'log_destination' variables to show:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
== Install Kamailio ==<br />
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio<br />
<br />
=Install the B2BUA container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n b2bua -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.b2bua}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/b2bua/config, to reflect the network for the B2BUA container<br />
<br />
{{cat|/var/lib/lxc/b2bua/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.b2bua}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.b2bua}}<br />
<br />
== Enter the B2BUA container ==<br />
{{Cmd|lxc-console -n b2bua}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%B2BUA_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Set up ACF for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip-track.json|<br />
{<br />
<br />
"description": "Phone system with SIP connection tracking",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Enable and activate firewall policies, and configure iptables to start at boot<br />
{{Cmd|awall enable base<br />
awall enable sip-track<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure Freeswitch ==<br />
Install package<br />
{{Cmd|apk add freeswitch}}<br />
<br />
Configure /etc/freeswitch/freeswitch.xml<br />
{{cat|/etc/freeswitch/freeswitch.xml|<br />
<pre><br />
<?xml version="1.0"?><br />
<document type="freeswitch/xml"><br />
<br />
<!-- Variables we need to set --><br />
<br />
<X-PRE-PROCESS cmd="set" data="b2bua=<%B2BUA_IP_ADDRESS%>"/><br />
<X-PRE-PROCESS cmd="set" data="domain=office.example.net"/><br />
<X-PRE-PROCESS cmd="set" data="siprouter=office.example.net"/><br />
<br />
<!-- Variables we don't need to set --><br />
<br />
<!-- External SIP Profile --><br />
<X-PRE-PROCESS cmd="set" data="external_sip_port=5060"/><br />
<!-- Global codecs --><br />
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/><br />
<!-- Outbound codecs --><br />
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/><br />
<br />
<section name="configuration" description="Various Configuration"><br />
<br />
<configuration name="modules.conf" description="Modules"><br />
<modules><br />
<load module="mod_commands"/><br />
<load module="mod_console"/><br />
<load module="mod_dptools"/><br />
<load module="mod_dialplan_xml"/><br />
<load module="mod_event_socket"/><br />
<load module="mod_logfile"/><br />
<load module="mod_sofia"/><br />
</modules><br />
</configuration><br />
<br />
<configuration name="console.conf" description="Console Logger"><br />
<mappings><br />
<map name="all" value="console,debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
<settings><br />
<param name="loglevel" value="info"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="logfile.conf" description="File Logging"><br />
<settings><br />
<param name="rotate-on-hup" value="true"/><br />
</settings><br />
<profiles><br />
<profile name="default"><br />
<settings><br />
<param name="rollover" value="10485760"/><br />
</settings><br />
<mappings><br />
<map name="all" value="debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
</profile><br />
</profiles><br />
</configuration><br />
<br />
<configuration name="sofia.conf" description="sofia Endpoint"><br />
<global_settings><br />
<param name="log-level" value="0"/><br />
<param name="debug-presence" value="0"/><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="log-auth-failures" value="false"/><br />
<param name="forward-unsolicited-mwi-notify" value="false"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="5060"/><br />
<param name="dialplan" value="XML"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="tls" value="false"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="auth-all-packets" value="false"/><br />
<param name="rtp-timeout-sec" value="300"/><br />
<param name="rtp-hold-timeout-sec" value="1800"/><br />
<param name="challenge-realm" value="auto_from"/><br />
</global_settings><br />
<br />
<profiles><br />
<profile name="$${domain}"><br />
<domains><br />
<domain name="all" alias="false" parse="true"/><br />
</domains><br />
<settings><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="$${external_sip_port}"/><br />
<param name="dialplan" value="XML"/><br />
<param name="context" value="default"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/><br />
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="local-network-acl" value="rfc1918.auto"/><br />
<param name="manage-presence" value="false"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="rtp-ip" value="$${b2bua}"/><br />
<param name="sip-ip" value="$${b2bua}"/><br />
<param name="tls" value="false"/><br />
</settings><br />
</profile> <br />
</profiles> <br />
<br />
</configuration><br />
<br />
<configuration name="switch.conf" description="Core Configuration"><br />
<br />
<cli-keybindings><br />
<key name="1" value="help"/><br />
<key name="2" value="status"/><br />
<key name="3" value="show channels"/><br />
<key name="4" value="show calls"/><br />
<key name="5" value="sofia status"/><br />
<key name="6" value="reloadxml"/><br />
</cli-keybindings><br />
<br />
<settings><br />
<param name="colorize-console" value="true"/><br />
<param name="max-sessions" value="1000"/><br />
<param name="sessions-per-second" value="30"/><br />
<param name="loglevel" value="debug"/><br />
<param name="dump-cores" value="yes"/><br />
<param name="rtp-enable-zrtp" value="false"/><br />
<param name="rtp-start-port" value="13000"/><br />
<param name="rtp-end-port" value="18000"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="post_load_modules.conf" description="Post-load modules"/><br />
<br />
</section><br />
<br />
<!-- Incoming Calls --><br />
<section name="dialplan" description="Regex/XML Dialplan"><br />
<context name="default"><br />
<extension name="b2b-in"><br />
<condition field="destination_number" expression="^(\d*)$"><br />
<action application="set" data="ringback=%(2000,4000,440.0,480.0)"/><br />
<action application="set" data="hangup_after_bridge=true"/><br />
<action application="set" data="continue_on_fail=true"/><br />
<action application="set" data="ignore_early_media=true"/> <br />
<action application="set" data="bypass_media=true"/> <br />
<action application="answer"/><br />
<action application="sleep" data="1000"/><br />
<action application="unset" data="sip_h_P-ARP"/><br />
<action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/><br />
</condition><br />
</extension><br />
</context> <br />
</section><br />
</document><br />
</pre><br />
}}<br />
Start Freeswitch and configure to start at boot<br />
{{Cmd|/etc/init.d/freeswitch start<br />
rc-update add freeswitch}}<br />
= Install the wifi Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n wifi -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.wifi}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/wifi/config, to reflect the network for the wifi container<br />
<br />
{{cat|/var/lib/lxc/wifi/config|<br />
...<br />
lxc.network.link {{=}} bond0.701<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.wifi start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.wifi}}<br />
<br />
== Enter the wifi container ==<br />
{{Cmd|lxc-console -n wifi}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WIFI_IP_ADDRESS%><br />
netmask <%VPNc_WIFI_NETMASK%><br />
<br />
auto eth1<br />
iface eth1 inet static<br />
address <%WIFI_TRANSIT_IP_ADDRESS%><br />
netmask <%WIFI_TRANSIT_NETMASK%><br />
gateway <%DMVPN_WIFI_TRANSIT_IP_ADDRESS%><br />
<br />
auto eth2<br />
iface eth2 inet static<br />
address <%WIFI_MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Set up ACF for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
{{Todo|Need to lock down firewall rules}}<br />
<br />
== Install and Configure the Recursive DNS Service ==<br />
Install unbound package<br />
{{Cmd|apk add unbound}}<br />
With your favorite editor configure /etc/unbound/unbound.conf<br />
{{cat|/etc/unbound/unbound.conf|<br />
server:<br />
verbosity: 1<br />
interface: 172.17.48.1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 172.17.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
do-not-query-localhost: no<br />
<br />
root-hints: "/etc/unbound/root.hints"<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9810
Small Office Services
2014-01-22T19:24:22Z
<p>Cewebb: /* Setup Firewall */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
bond-updelay 500<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
{{Note|Writing to /proc takes effect immediately but is not kept across a reboot.}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the base policy for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate -f<br />
rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
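The capability list in /etc/lxc/default.conf above is inherited by every container, but each container's /var/lib/lxc/&lt;name&gt;/config is then edited by hand to change lxc.network.link, and it is easy to lose a lxc.cap.drop line in that edit. The following audit script is an added example, not part of the wiki page or of LXC: it reads an LXC config, reports the VLAN link, and checks that every capability from the page's default.conf is still dropped. The function names and the sample config are constructed for the example.<br />

```shell
#!/bin/sh
# Added example, not from the wiki page: audit a container config after it has
# been edited by hand. Two things are worth checking once the per-container
# /var/lib/lxc/<name>/config has been changed: that lxc.network.link points at
# the VLAN the container is meant to sit on, and that none of the lxc.cap.drop
# lines inherited from /etc/lxc/default.conf were lost in the edit.

# Print the value(s) of an LXC config key, one per line, ignoring comments.
# $1 = config file, $2 = key (e.g. lxc.network.link)
lxc_config_values() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1"
}

# Print the capabilities a config drops, one per line, sorted and unique.
# Repeated lxc.cap.drop lines are merged, as LXC itself does.
lxc_dropped_caps() {
    lxc_config_values "$1" lxc.cap.drop | tr ' \t' '\n\n' | grep -v '^$' | sort -u
}

# Exit 0 when every capability in the space-separated list $2 is dropped by
# config $1; otherwise print the missing ones and exit 1.
lxc_caps_dropped() {
    have=$(lxc_dropped_caps "$1")
    missing=""
    for cap in $2; do
        printf '%s\n' "$have" | grep -qx "$cap" || missing="$missing $cap"
    done
    [ -z "$missing" ] || { printf 'missing cap drops:%s\n' "$missing"; return 1; }
}

# Capabilities dropped by the page's /etc/lxc/default.conf.
REQUIRED_CAPS="sys_admin audit_control audit_write fsetid ipc_lock
ipc_owner lease linux_immutable mac_admin mac_override
mknod setfcap setpcap sys_module sys_nice sys_pacct
sys_ptrace sys_rawio sys_tty_config sys_time"

# Constructed sample config (not a real file): the link was changed to the
# voice VLAN and the third lxc.cap.drop line was lost while editing.
demo_lxc_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
## Allow containers in the same VLAN to see each other
lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.link = bond0.1101
lxc.network.name = eth0

## Restrict capabilities of the containers
lxc.cap.drop = sys_admin audit_control audit_write fsetid ipc_lock
lxc.cap.drop = ipc_owner lease linux_immutable mac_admin mac_override
lxc.cap.drop = sys_ptrace sys_rawio sys_tty_config sys_time
EOF
    printf '%s\n' "$f"
}

# Usage on a real host (not run here): audit every container.
#   for c in /var/lib/lxc/*/config; do
#       echo "$c -> $(lxc_config_values "$c" lxc.network.link)"
#       lxc_caps_dropped "$c" "$REQUIRED_CAPS"
#   done
```

Run it against every /var/lib/lxc/*/config on the host after the container edits below; a non-zero exit from lxc_caps_dropped names the capabilities that are no longer dropped.<br />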
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN awall policy to allow this proxy out to the internet<br />
{{Note|This is to be configured in the DMVPN awall config}}<br />
{{cat|/etc/awall/optional/internet-host.json|<br />
{<br />
"filter": [<br />
{ "in": "B", "src": "$WEB_PROXY", "out": "E", "action": "accept" }<br />
]<br />
}<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Set up ACF for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access hosts listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make the 'squid' and 'lighttpd' users members of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks for the netserv container (it needs an interface on each VLAN it serves)<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Voice VLAN<br />
auto eth0<br />
iface eth0 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
up ip address add <%NETSERV_VOICE_IP_ADDRESS2%>/25 dev eth0<br />
#Management VLAN<br />
auto eth1<br />
iface eth1 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
<br />
<br />
#WiFi VLAN<br />
auto eth2<br />
iface eth2 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
<br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
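The same three-line sshd hardening is repeated for every container on this page. Its sed pattern <code>.PasswordAuthentication yes</code> needs one character (the <code>#</code>) in front of the keyword, so it rewrites the commented-out default shipped in Alpine's sshd_config but silently leaves an already active <code>PasswordAuthentication yes</code> line untouched. The script below is an added example, not part of the wiki page or of OpenSSH: it reads the effective value of a keyword the way sshd does (first non-comment occurrence wins), applies a pattern that matches the keyword whether commented or not, and gives a pass/fail check to run after the edit. The function names and the sample sshd_config are constructed for the example.<br />

```shell
#!/bin/sh
# Added example, not from the wiki page: verify that the sshd_config edits
# really took effect. The page's sed pattern ".PasswordAuthentication yes"
# needs one character (the "#") before the keyword, so it matches the
# commented-out default but silently leaves an already active
# "PasswordAuthentication yes" line alone.

# Print the effective value of an sshd_config keyword. Like sshd, the first
# non-comment occurrence wins; $3 is printed when the keyword is absent.
# $1 = config file, $2 = keyword, $3 = default
sshd_effective() {
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Disable password logins and reverse DNS lookups, matching the keyword whether
# it is still commented out ("#PasswordAuthentication yes") or already active.
harden_sshd_config() {
    sed -i -E \
        -e 's/^#?[[:space:]]*PasswordAuthentication[[:space:]]+yes/PasswordAuthentication no/' \
        -e 's/^#?[[:space:]]*UseDNS[[:space:]]+yes/UseDNS no/' "$1"
}

# Exit 0 only when password authentication and UseDNS are both off.
# (On a live host, "sshd -T" prints the same effective values.)
sshd_hardened() {
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = "no" ] &&
    [ "$(sshd_effective "$1" UseDNS no)" = "no" ]
}

# Constructed sample (not a real file): PasswordAuthentication is already
# uncommented, which the page's sed would not change.
demo_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# sshd_config (constructed sample)
Port 22
PasswordAuthentication yes
#UseDNS yes
EOF
    printf '%s\n' "$f"
}

# Usage inside a container (not run here):
#   harden_sshd_config /etc/ssh/sshd_config
#   sshd_hardened /etc/ssh/sshd_config && echo "password logins are off"
```

Run sshd_hardened after the sed commands in each container; it fails if either keyword is still effectively "yes", which is the case the page's pattern can miss.<br />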
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Set up ACF for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dhcp.json|<br />
{<br />
"description": "DHCP",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dhcp",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dns.json|<br />
{<br />
"description": "DNS",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dns",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable dhcp<br />
awall enable dns<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (nsd is installed in a later step)<br />
{{Cmd|apk add unbound }}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%NETSERV_VOICE_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
}}<br />
Start Unbound and allow the container to use it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Create the nsd configuration<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%NETSERV_VOICE_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Configure Zone file for nsd<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Records<br />
; The replacement field must name the SRV record below (RFC 3263)<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Record<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
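A consistency check for the zone file above, added here as an example and not part of the page or of nsd. nsd-checkconf validates only nsd.conf, so a SRV target without an address record, or a NAPTR replacement that names no SRV owner, is otherwise noticed only when phones fail to resolve the service. The sample zone and its addresses are constructed; the check runs with POSIX sh and awk and assumes every record carries an explicit owner name, as in the page's zone.<br />

```shell
#!/bin/sh
# Added example for this wiki page (not part of the page itself): report
# dangling references in a SIP zone file before loading it into nsd.

# Constructed sample reproducing two easy mistakes: the host record is named
# "map" while the SRV record points at "vmail", and the NAPTR replacement
# names "_sip._udp.sip...." although the SRV owner is "_sip._udp".
SAMPLE_ZONE='$ORIGIN office.example.net.
$TTL 86400

@ IN SOA ns admin (
2013032200 ; Serial
28800 ; Refresh
7200 ; Retry
864000 ; Expire
86400 ; Min TTL
)

@ NS ns1
ns1 IN A 10.1.1.2
sip IN A 10.1.1.10
map IN A 10.1.1.11
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.sip.office.example.net.
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.vmail.office.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail'

# The same zone with both mistakes corrected.
FIXED_ZONE='$ORIGIN office.example.net.
$TTL 86400
@ IN SOA ns admin ( 2013032201 28800 7200 864000 86400 )
@ NS ns1
ns1 IN A 10.1.1.2
sip IN A 10.1.1.10
vmail IN A 10.1.1.11
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail'

# zone_check: read a zone on stdin, print dangling references, exit 1 if any.
zone_check() {
    awk '
    function fq(n) {                     # absolute name for a record field
        if (n == "@") return origin
        if (n ~ /\.$/) return n
        return n "." origin
    }
    BEGIN { bad = 0 }
    { sub(/;.*/, "") }                   # strip comments
    NF == 0 { next }
    $1 == "$ORIGIN" { origin = $2; next }
    $1 == "$TTL" { next }
    /\(/ { inparen = 1 }                 # SOA body may span lines: skip it
    /\)/ { inparen = 0; next }
    inparen { next }
    {
        owner = fq($1); rrtype = ""
        for (i = 2; i <= NF; i++)        # class (IN) may be present or not
            if ($i ~ /^(A|AAAA|CNAME|NS|SRV|NAPTR)$/) { rrtype = $i; break }
        if (rrtype == "A" || rrtype == "AAAA" || rrtype == "CNAME")
            defined[owner] = 1
        else if (rrtype == "NS")
            need[fq($NF)] = "NS at " owner
        else if (rrtype == "SRV") {
            srv[owner] = 1               # SRV target is the last field
            need[fq($NF)] = "SRV at " owner
        } else if (rrtype == "NAPTR" && $NF != ".")
            naptr[fq($NF)] = owner       # "s" flag: replacement names an SRV
    }
    END {
        for (t in need)
            if (!(t in defined)) { print "no address record for " t " (" need[t] ")"; bad = 1 }
        for (r in naptr)
            if (!(r in srv)) { print "NAPTR at " naptr[r] " names " r " but no SRV record has that owner"; bad = 1 }
        exit bad
    }'
}

# Stand-alone run: the sample must be rejected, the corrected zone accepted.
printf '%s\n' "$SAMPLE_ZONE" | zone_check && echo "sample: no problems (unexpected)"
printf '%s\n' "$FIXED_ZONE" | zone_check && echo "fixed zone: no problems"
```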
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
==Install and Configure Postgresql==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf, setting the 'listen_addresses' and 'log_destination' variables as shown:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
== Install Kamailio ==<br />
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio<br />
<br />
=Install the B2BUA container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n b2bua -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.b2bua}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/b2bua/config, to reflect the network for the B2BUA container<br />
<br />
{{cat|/var/lib/lxc/b2bua/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.b2bua start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.b2bua}}<br />
<br />
== Enter the B2BUA container ==<br />
{{Cmd|lxc-console -n b2bua}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%B2BUA_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip-track.json|<br />
{<br />
<br />
"description": "Phone system with SIP connection tracking",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Enable and activate firewall policies, and configure iptables to start at boot<br />
{{Cmd|awall enable base<br />
awall enable sip-track<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure Freeswitch ==<br />
Install package<br />
{{Cmd|apk add freeswitch}}<br />
<br />
Configure /etc/freeswitch/freeswitch.xml<br />
{{cat|/etc/freeswitch/freeswitch.xml|<br />
<pre><br />
<?xml version="1.0"?><br />
<document type="freeswitch/xml"><br />
<br />
<!-- Variables we need to set --><br />
<br />
<X-PRE-PROCESS cmd="set" data="b2bua=<%B2BUA_IP_ADDRESS%>"/><br />
<X-PRE-PROCESS cmd="set" data="domain=office.example.net"/><br />
<X-PRE-PROCESS cmd="set" data="siprouter=office.example.net"/><br />
<br />
<!-- Variables we don't need to set --><br />
<br />
<!-- External SIP Profile --><br />
<X-PRE-PROCESS cmd="set" data="external_sip_port=5060"/><br />
<!-- Global codecs --><br />
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/><br />
<!-- Outbound codecs --><br />
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/><br />
<br />
<section name="configuration" description="Various Configuration"><br />
<br />
<configuration name="modules.conf" description="Modules"><br />
<modules><br />
<load module="mod_commands"/><br />
<load module="mod_console"/><br />
<load module="mod_dptools"/><br />
<load module="mod_dialplan_xml"/><br />
<load module="mod_event_socket"/><br />
<load module="mod_logfile"/><br />
<load module="mod_sofia"/><br />
</modules><br />
</configuration><br />
<br />
<configuration name="console.conf" description="Console Logger"><br />
<mappings><br />
<map name="all" value="console,debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
<settings><br />
<param name="loglevel" value="info"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="logfile.conf" description="File Logging"><br />
<settings><br />
<param name="rotate-on-hup" value="true"/><br />
</settings><br />
<profiles><br />
<profile name="default"><br />
<settings><br />
<param name="rollover" value="10485760"/><br />
</settings><br />
<mappings><br />
<map name="all" value="debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
</profile><br />
</profiles><br />
</configuration><br />
<br />
<configuration name="sofia.conf" description="sofia Endpoint"><br />
<global_settings><br />
<param name="log-level" value="0"/><br />
<param name="debug-presence" value="0"/><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="log-auth-failures" value="false"/><br />
<param name="forward-unsolicited-mwi-notify" value="false"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="5060"/><br />
<param name="dialplan" value="XML"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="tls" value="false"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="auth-all-packets" value="false"/><br />
<param name="rtp-timeout-sec" value="300"/><br />
<param name="rtp-hold-timeout-sec" value="1800"/><br />
<param name="challenge-realm" value="auto_from"/><br />
</global_settings><br />
<br />
<profiles><br />
<profile name="$${domain}"><br />
<domains><br />
<domain name="all" alias="false" parse="true"/><br />
</domains><br />
<settings><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="$${external_sip_port}"/><br />
<param name="dialplan" value="XML"/><br />
<param name="context" value="default"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/><br />
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="local-network-acl" value="rfc1918.auto"/><br />
<param name="manage-presence" value="false"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="rtp-ip" value="$${b2bua}"/><br />
<param name="sip-ip" value="$${b2bua}"/><br />
<param name="tls" value="false"/><br />
</settings><br />
</profile> <br />
</profiles> <br />
<br />
</configuration><br />
<br />
<configuration name="switch.conf" description="Core Configuration"><br />
<br />
<cli-keybindings><br />
<key name="1" value="help"/><br />
<key name="2" value="status"/><br />
<key name="3" value="show channels"/><br />
<key name="4" value="show calls"/><br />
<key name="5" value="sofia status"/><br />
<key name="6" value="reloadxml"/><br />
</cli-keybindings><br />
<br />
<settings><br />
<param name="colorize-console" value="true"/><br />
<param name="max-sessions" value="1000"/><br />
<param name="sessions-per-second" value="30"/><br />
<param name="loglevel" value="debug"/><br />
<param name="dump-cores" value="yes"/><br />
<param name="rtp-enable-zrtp" value="false"/><br />
<param name="rtp-start-port" value="13000"/><br />
<param name="rtp-end-port" value="18000"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="post_load_modules.conf" description="Post-load modules"/><br />
<br />
</section><br />
<br />
<!-- Incoming Calls --><br />
<section name="dialplan" description="Regex/XML Dialplan"><br />
<context name="default"><br />
<extension name="b2b-in"><br />
<condition field="destination_number" expression="^(\d*)$"><br />
<action application="set" data="ringback=%(2000,4000,440.0,480.0)"/><br />
<action application="set" data="hangup_after_bridge=true"/><br />
<action application="set" data="continue_on_fail=true"/><br />
<action application="set" data="ignore_early_media=true"/> <br />
<action application="set" data="bypass_media=true"/> <br />
<action application="answer"/><br />
<action application="sleep" data="1000"/><br />
<action application="unset" data="sip_h_P-ARP"/><br />
<action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/><br />
</condition><br />
</extension><br />
</context> <br />
</section><br />
</document><br />
</pre><br />
}}<br />
Start Freeswitch and configure to start at boot<br />
{{Cmd|/etc/init.d/freeswitch start<br />
rc-update add freeswitch}}<br />
= Install the wifi Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n wifi -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.wifi}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/wifi/config, to reflect the network for the wifi container<br />
<br />
{{cat|/var/lib/lxc/wifi/config|<br />
...<br />
lxc.network.link {{=}} bond0.701<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.wifi start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.wifi}}<br />
<br />
== Enter the wifi container ==<br />
{{Cmd|lxc-console -n wifi}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WIFI_IP_ADDRESS%><br />
netmask <%VPNc_WIFI_NETMASK%><br />
<br />
auto eth1<br />
iface eth1 inet static<br />
address <%WIFI_TRANSIT_IP_ADDRESS%><br />
netmask <%WIFI_TRANSIT_NETMASK%><br />
gateway <%DMVPN_WIFI_TRANSIT_IP_ADDRESS%><br />
<br />
auto eth2<br />
iface eth2 inet static<br />
address <%WIFI_MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
{{Todo|Need to lock down firewall rules}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9809
Small Office Services
2014-01-22T16:51:25Z
<p>Cewebb: Configure DNS to utilize second VOICE IP</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
bond-updelay 500<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the base policy for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate -f<br />
rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add rule to DMVPN awall policy to allow this proxy out to the internet<br />
{{Note| this is to be configured on the DMVPN awall config}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
},<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
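The sed substitution above matches only when some character (normally the leading "#") precedes PasswordAuthentication, so a directive that is already uncommented at column 1 is left unchanged and password logins stay enabled. As an added example, not from the page, the POSIX shell helpers below set a directive whether or not it is commented out and read back the value sshd will actually use; they work on a constructed sshd_config in a temp file, and the same check applies to the identical step in the other containers.<br />

```shell
#!/bin/sh
# Added example for this wiki page (not part of it): verify the sshd
# hardening step instead of assuming the sed one-liner matched.

# Constructed sample config written to a temp file (never touches /etc/ssh).
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
# constructed sample sshd_config
Port 22
PasswordAuthentication yes
#UseDNS yes
#PermitRootLogin prohibit-password
EOF

# sshd_effective FILE KEY: value sshd uses for KEY (first uncommented
# occurrence wins; Match blocks are not considered). Prints nothing if absent.
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# sshd_set FILE KEY VALUE: rewrite every KEY line, commented or not, to
# "KEY VALUE"; append the directive when the file has no such line.
# KEY and VALUE are assumed free of sed metacharacters (true for sshd keywords).
sshd_set() {
    file=$1 key=$2 value=$3
    pat="^[[:space:]]*#?[[:space:]]*$key"
    if grep -Eq "$pat"'([[:space:]]|$)' "$file"; then
        sed -i -E "s/$pat"'([[:space:]].*)?$/'"$key $value/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# page_sed FILE: apply the page's original substitution to a copy and report
# the resulting PasswordAuthentication value, for comparison.
page_sed() {
    copy=$(mktemp) && cp "$1" "$copy"
    sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" "$copy"
    sshd_effective "$copy" PasswordAuthentication
    rm -f "$copy"
}

# Demonstration on a working copy; on a real host follow this with
# "sshd -t" to syntax-check the file before restarting the daemon.
WORK=$(mktemp) && cp "$CFG" "$WORK"
sshd_set "$WORK" PasswordAuthentication no
sshd_set "$WORK" UseDNS no
echo "page's sed : PasswordAuthentication $(page_sed "$CFG")"
echo "sshd_set   : PasswordAuthentication $(sshd_effective "$WORK" PasswordAuthentication)"
echo "sshd_set   : UseDNS $(sshd_effective "$WORK" UseDNS)"
```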
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replacing <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
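Added example, not from the wiki page: a miniature evaluator of the http_access chain above, so the decision for a given client, method, host and port can be checked before the ruleset goes live. Squid semantics modelled: rules are tried top to bottom, a rule matches only when every ACL on its line matches ('!' negates one), and the first match decides. The LAN subnet, the domain and host lists and the manager host name are constructed stand-ins for the page's placeholders and list files.<br />

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src: str      # client IP address
    method: str   # HTTP method: GET, CONNECT, PURGE, ...
    host: str     # destination host name
    port: int     # destination TCP port


# Constructed sample data standing in for the page's placeholders and for
# the file-backed lists (/etc/squid/alloweduserdomains and friends).
LAN_SUBNET = ipaddress.ip_network("10.1.2.0/24")   # <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%>
ALLOWED_USER_DOMAINS = {".example.net", "wiki.alpinelinux.org"}
ALLOWED_SERVICE_HOSTS = {"10.1.2.50"}
ALLOWED_SERVICE_DOMAINS = {"update.service.test"}
SAFE_PORTS = {21, 70, 80, 81, 210, 280, 443, 563, 499, 591, 777, 1024, 1022}
SSL_PORTS = {443, 563, 8004, 9000}
MANAGER_HOST = "squid-internal-mgr"   # stand-in for Squid's built-in manager ACL


def dstdomain(host, patterns):
    """Squid dstdomain semantics: '.example.net' matches the domain and
    every subdomain; a bare 'wiki.alpinelinux.org' matches only itself."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


ACLS = {
    "manager": lambda r: r.host == MANAGER_HOST,
    "localhost": lambda r: r.src == "127.0.0.1",
    "purge": lambda r: r.method == "PURGE",
    "CONNECT": lambda r: r.method == "CONNECT",
    "Safe_ports": lambda r: r.port in SAFE_PORTS or 1025 <= r.port <= 65535,
    "SSL_ports": lambda r: r.port in SSL_PORTS,
    "Zone_B": lambda r: ipaddress.ip_address(r.src) in LAN_SUBNET,
    "Zone_B_AllowedUserDomains": lambda r: dstdomain(r.host, ALLOWED_USER_DOMAINS),
    "Zone_B_AllowedServicesHosts": lambda r: r.src in ALLOWED_SERVICE_HOSTS,
    "Zone_B_AllowedServicesDomains": lambda r: dstdomain(r.host, ALLOWED_SERVICE_DOMAINS),
    "all": lambda r: True,
}

# The http_access lines of the squid.conf above, in file order.
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["Zone_B", "Zone_B_AllowedUserDomains"]),
    ("allow", ["Zone_B_AllowedServicesHosts", "Zone_B_AllowedServicesDomains"]),
    ("deny", ["all"]),
]


def acl_matches(name, req):
    """Evaluate one ACL reference; a leading '!' negates it."""
    negate = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negate


def http_access(req):
    """Return (decision, rule number) of the first rule whose ACLs all match.
    If nothing matches, Squid applies the opposite of the last rule's action;
    the closing 'deny all' makes that fallback unreachable."""
    for number, (action, acls) in enumerate(HTTP_ACCESS, start=1):
        if all(acl_matches(name, req) for name in acls):
            return action, number
    return ("allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"), None


if __name__ == "__main__":
    samples = [
        Request("10.1.2.10", "GET", "www.example.net", 80),        # LAN host, listed domain
        Request("10.1.2.10", "CONNECT", "www.example.net", 443),   # CONNECT to an SSL port
        Request("10.1.2.10", "CONNECT", "www.example.net", 8080),  # CONNECT to a non-SSL port
        Request("10.1.2.10", "CONNECT", "mail.example.net", 25),   # port outside Safe_ports
        Request("10.1.2.10", "GET", "alpinelinux.org", 80),        # exact entry, other host
        Request("10.1.2.50", "GET", "update.service.test", 80),    # service host, service domain
        Request("192.168.9.9", "GET", "www.example.net", 80),      # host outside every zone
    ]
    for req in samples:
        print(f"{req.method:8}{req.host}:{req.port} from {req.src} -> {http_access(req)}")
```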
<br />
Configure /etc/lighttpd/lighttpd.conf, replacing <%WEBPROXY_IP_ADDRESS%> with the address of the web proxy container<br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make the 'squid' and 'lighttpd' users members of the squark group<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure it to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks for the netserv container<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Voice VLAN<br />
auto eth0<br />
iface eth0 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
up ip address add <%NETSERV_VOICE_IP_ADDRESS2%>/25 dev eth0<br />
#Management VLAN<br />
auto eth1<br />
iface eth1 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
<br />
<br />
#WiFi VLAN<br />
auto eth2<br />
iface eth2 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
<br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
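The sed pattern above matches only a line with exactly one character (the leading #) in front of 'PasswordAuthentication yes', so a directive that is already uncommented, set to a different value, or present twice is left as it was. Added example, not from the wiki page: a Python function that puts the directive in force idempotently in the global section of sshd_config, plus a check of the value sshd would actually use; the sample config is constructed.<br />

```python
import re

# Constructed sample sshd_config (not from the page): one commented
# directive, one already-active directive, and a Match block at the end.
SAMPLE_SSHD_CONFIG = """\
Port 22
#PasswordAuthentication yes
UseDNS yes

Match User backup
    PasswordAuthentication yes
"""

MATCH_RE = re.compile(r"^\s*Match\b", re.IGNORECASE)


def set_sshd_directive(config, key, value):
    """Return config with 'key value' in force once in the global section.

    The first active or commented line for key above any Match block is
    rewritten in place; later active copies are commented out, because
    sshd keeps only the first value it reads; an absent directive is
    inserted just above the first Match block rather than appended, since
    everything below 'Match' is conditional.
    """
    lines = config.splitlines()
    match_at = next((i for i, l in enumerate(lines) if MATCH_RE.match(l)), len(lines))
    directive = re.compile(rf"^\s*(#\s*)?{re.escape(key)}(\s|=)", re.IGNORECASE)
    done = False
    for i in range(match_at):
        if not directive.match(lines[i]):
            continue
        if not done:
            lines[i] = f"{key} {value}"
            done = True
        elif not lines[i].lstrip().startswith("#"):
            lines[i] = "#" + lines[i]
    if not done:
        lines.insert(match_at, f"{key} {value}")
    return "\n".join(lines) + "\n"


def effective_value(config, key):
    """Value sshd would use for key in the global section, or None."""
    for line in config.splitlines():
        if MATCH_RE.match(line):
            break
        m = re.match(rf"^\s*{re.escape(key)}[\s=]+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def harden(config):
    """Apply the two settings the page sets with sed."""
    config = set_sshd_directive(config, "PasswordAuthentication", "no")
    return set_sshd_directive(config, "UseDNS", "no")


if __name__ == "__main__":
    hardened = harden(SAMPLE_SSHD_CONFIG)
    print(hardened)
    for key in ("PasswordAuthentication", "UseDNS"):
        print(key, "=", effective_value(hardened, key))
```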
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dhcp.json|<br />
{<br />
"description": "DHCP",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dhcp",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dns.json|<br />
{<br />
"description": "DNS",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dns",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable dhcp<br />
awall enable dns<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start the DHCP service and add it to the default runlevel<br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package<br />
{{Cmd|apk add unbound }}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
With your favorite editor, create a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%NETSERV_VOICE_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
}}<br />
Start Unbound and allow the container to use it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Create the nsd configuration<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%NETSERV_VOICE_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Create the zone file for nsd (the file named by zonefile in nsd.conf, inside zonesdir)<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Records<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.sip.office.example.net.<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.vmail.office.example.net.<br />
<br />
;SIP SRV Record<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
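Added example, not part of the wiki page: a small zone-file consistency check of the kind worth running alongside nsd-checkconf, since a zone can be syntactically valid while its SOA, NS or SRV targets name hosts that have no address record, or a NAPTR 's' record points at an SRV owner that does not exist. It parses a constructed copy of the zone above (placeholders replaced by sample addresses, three such mismatches left in on purpose) and reports each one.<br />

```python
import shlex

# Constructed zone (not from the page) that copies the shape of the
# office.example.net zone above, with placeholders replaced by sample
# addresses and three name mismatches left in for the checker to find.
ZONE_TEXT = """\
$ORIGIN office.example.net.
$TTL 86400

@ IN SOA ns admin (
        2013032200 ; Serial number [yyyymmddnn]
        28800      ; Refresh
        7200       ; Retry
        864000     ; Expire
        86400      ; Min TTL
        )

@ NS ns1
ns1 IN A 10.1.2.2

; A records for SIP devices
sip IN A 10.1.2.20
map IN A 10.1.2.21

; NAPTR and SRV records
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.sip.office.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""

RRTYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT", "PTR", "SRV", "NAPTR"}
CLASSES = {"IN", "CH", "HS"}


def logical_lines(text):
    """Yield one record per item: comments stripped, parenthesised
    continuation lines joined.  Assumes ';' never appears inside quotes."""
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if depth == 0 and not line.strip():
            continue
        buf = f"{buf} {line.strip()}" if depth else line.rstrip()
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield buf.replace("(", " ").replace(")", " ")
            buf = ""


def fqdn(name, origin):
    """Absolute form of an owner or target name relative to origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Minimal master-file parser: returns (origin, [(owner, type, rdata)])."""
    origin, owner, records = ".", "@", []
    for line in logical_lines(text):
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        toks = shlex.split(line)
        if not line[0].isspace():           # a leading blank means "same owner as before"
            owner = toks.pop(0)
        while toks and toks[0].isdigit():   # optional TTL
            toks.pop(0)
        if toks and toks[0].upper() in CLASSES:
            toks.pop(0)
        rtype = toks.pop(0).upper()
        if rtype not in RRTYPES:
            raise ValueError(f"unsupported record type {rtype!r}: {line}")
        records.append((fqdn(owner, origin), rtype, toks))
    return origin, records


def check_zone(text):
    """Report SOA/NS/SRV targets without an address record and NAPTR 's'
    replacements that name no SRV record, for names inside the zone."""
    origin, records = parse_zone(text)
    has_address = {o for o, t, _ in records if t in ("A", "AAAA")}
    srv_owners = {o for o, t, _ in records if t == "SRV"}

    def in_zone(name):
        return name == origin or name.endswith("." + origin)

    problems = []
    for owner, rtype, rdata in records:
        if rtype in ("SOA", "NS"):
            target = fqdn(rdata[0], origin)      # MNAME / NSDNAME
        elif rtype == "SRV":
            target = fqdn(rdata[3], origin)      # priority weight port target
        elif rtype == "NAPTR" and "s" in rdata[2].lower():
            repl = fqdn(rdata[5], origin)        # order pref flags service regexp replacement
            if in_zone(repl) and repl not in srv_owners:
                problems.append(f"NAPTR at {owner}: replacement {repl} has no SRV record")
            continue
        else:
            continue
        if in_zone(target) and target not in has_address:
            problems.append(f"{rtype} at {owner}: target {target} has no A/AAAA record")
    return problems


if __name__ == "__main__":
    for problem in check_zone(ZONE_TEXT):
        print(problem)
```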
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
==Install and Configure Postgresql==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf to set the 'listen_addresses' and 'log_destination' variables as follows:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}}'syslog'<br />
}}<br />
Start the database and configure postgresql to start at boot<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
== Install Kamailio ==<br />
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio<br />
<br />
=Install the B2BUA container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n b2bua -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.b2bua}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/b2bua/config, to reflect the network for the B2BUA container<br />
<br />
{{cat|/var/lib/lxc/b2bua/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.b2bua start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.b2bua}}<br />
<br />
== Enter the B2BUA container ==<br />
{{Cmd|lxc-console -n b2bua}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%B2BUA_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip-track.json|<br />
{<br />
<br />
"description": "Phone system with SIP connection tracking",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Enable and activate firewall policies, and configure iptables to start at boot<br />
{{Cmd|awall enable base<br />
awall enable sip-track<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure Freeswitch ==<br />
Install package<br />
{{Cmd|Install Freeswitch Package}}<br />
<br />
Configure /etc/freeswitch/freeswitch.xml<br />
{{cat|/etc/freeswitch/freeswitch.xml|<br />
<pre><br />
<?xml version="1.0"?><br />
<document type="freeswitch/xml"><br />
<br />
<!-- Variables we need to set --><br />
<br />
<X-PRE-PROCESS cmd="set" data="b2bua=<%B2BUA_IP_ADDRESS%>"/><br />
<X-PRE-PROCESS cmd="set" data="domain=office.example.net"/><br />
<X-PRE-PROCESS cmd="set" data="siprouter=office.example.net"/><br />
<br />
<!-- Variables we don't need to set --><br />
<br />
<!-- External SIP Profile --><br />
<X-PRE-PROCESS cmd="set" data="external_sip_port=5060"/><br />
<!-- Global codecs --><br />
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/><br />
<!-- Outbound codecs --><br />
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/><br />
<br />
<section name="configuration" description="Various Configuration"><br />
<br />
<configuration name="modules.conf" description="Modules"><br />
<modules><br />
<load module="mod_commands"/><br />
<load module="mod_console"/><br />
<load module="mod_dptools"/><br />
<load module="mod_dialplan_xml"/><br />
<load module="mod_event_socket"/><br />
<load module="mod_logfile"/><br />
<load module="mod_sofia"/><br />
</modules><br />
</configuration><br />
<br />
<configuration name="console.conf" description="Console Logger"><br />
<mappings><br />
<map name="all" value="console,debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
<settings><br />
<param name="loglevel" value="info"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="logfile.conf" description="File Logging"><br />
<settings><br />
<param name="rotate-on-hup" value="true"/><br />
</settings><br />
<profiles><br />
<profile name="default"><br />
<settings><br />
<param name="rollover" value="10485760"/><br />
</settings><br />
<mappings><br />
<map name="all" value="debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
</profile><br />
</profiles><br />
</configuration><br />
<br />
<configuration name="sofia.conf" description="sofia Endpoint"><br />
<global_settings><br />
<param name="log-level" value="0"/><br />
<param name="debug-presence" value="0"/><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="log-auth-failures" value="false"/><br />
<param name="forward-unsolicited-mwi-notify" value="false"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="5060"/><br />
<param name="dialplan" value="XML"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="tls" value="false"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="auth-all-packets" value="false"/><br />
<param name="rtp-timeout-sec" value="300"/><br />
<param name="rtp-hold-timeout-sec" value="1800"/><br />
<param name="challenge-realm" value="auto_from"/><br />
</global_settings><br />
<br />
<profiles><br />
<profile name="$${domain}"><br />
<domains><br />
<domain name="all" alias="false" parse="true"/><br />
</domains><br />
<settings><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="$${external_sip_port}"/><br />
<param name="dialplan" value="XML"/><br />
<param name="context" value="default"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/><br />
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="local-network-acl" value="rfc1918.auto"/><br />
<param name="manage-presence" value="false"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="rtp-ip" value="$${b2bua}"/><br />
<param name="sip-ip" value="$${b2bua}"/><br />
<param name="tls" value="false"/><br />
</settings><br />
</profile> <br />
</profiles> <br />
<br />
</configuration><br />
<br />
<configuration name="switch.conf" description="Core Configuration"><br />
<br />
<cli-keybindings><br />
<key name="1" value="help"/><br />
<key name="2" value="status"/><br />
<key name="3" value="show channels"/><br />
<key name="4" value="show calls"/><br />
<key name="5" value="sofia status"/><br />
<key name="6" value="reloadxml"/><br />
</cli-keybindings><br />
<br />
<settings><br />
<param name="colorize-console" value="true"/><br />
<param name="max-sessions" value="1000"/><br />
<param name="sessions-per-second" value="30"/><br />
<param name="loglevel" value="debug"/><br />
<param name="dump-cores" value="yes"/><br />
<param name="rtp-enable-zrtp" value="false"/><br />
<param name="rtp-start-port" value="13000"/><br />
<param name="rtp-end-port" value="18000"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="post_load_modules.conf" description="Post-load modules"/><br />
<br />
</section><br />
<br />
<!-- Incoming Calls --><br />
<section name="dialplan" description="Regex/XML Dialplan"><br />
<context name="default"><br />
<extension name="b2b-in"><br />
<condition field="destination_number" expression="^(\d*)$"><br />
<action application="set" data="ringback=%(2000,4000,440.0,480.0)"/><br />
<action application="set" data="hangup_after_bridge=true"/><br />
<action application="set" data="continue_on_fail=true"/><br />
<action application="set" data="ignore_early_media=true"/> <br />
<action application="set" data="bypass_media=true"/> <br />
<action application="answer"/><br />
<action application="sleep" data="1000"/><br />
<action application="unset" data="sip_h_P-ARP"/><br />
<action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/><br />
</condition><br />
</extension><br />
</context> <br />
</section><br />
</document><br />
</pre><br />
}}<br />
Start Freeswitch and configure to start at boot<br />
{{Cmd|/etc/init.d/freeswitch start<br />
rc-update add freeswitch}}<br />
= Install the wifi Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n wifi -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.wifi}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/wifi/config, to reflect the network for the wifi container<br />
<br />
{{cat|/var/lib/lxc/wifi/config|<br />
...<br />
lxc.network.link {{=}} bond0.701<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.wifi start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.wifi}}<br />
<br />
== Enter the wifi container ==<br />
{{Cmd|lxc-console -n wifi}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WIFI_IP_ADDRESS%><br />
netmask <%VPNc_WIFI_NETMASK%><br />
<br />
auto eth1<br />
iface eth1 inet static<br />
address <%WIFI_TRANSIT_IP_ADDRESS%><br />
netmask <%WIFI_TRANSIT_NETMASK%><br />
gateway <%DMVPN_WIFI_TRANSIT_IP_ADDRESS%><br />
<br />
auto eth2<br />
iface eth2 inet static<br />
address <%WIFI_MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{Todo|Need to add proxy settings and also confirm where this container should look for packages}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9808
Small Office Services
2014-01-22T16:49:37Z
<p>Cewebb: /* Enter the netserv container */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
bond-updelay 500<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
Writing to /proc takes effect immediately but is lost at the next reboot (and this host is rebooted a few steps further on). Set it in /etc/sysctl.conf as well and enable the sysctl service so it is re-applied at boot.<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward<br />
echo "net.ipv4.ip_forward {{=}} 1" >> /etc/sysctl.conf<br />
rc-update add sysctl}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the base policy for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate -f<br />
rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|To leave the console without stopping the container press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEBPROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a policy to the DMVPN firewall so that this proxy, and only this proxy, may reach the Internet. Zone B (the LAN, the same zone the Squid ACLs below call Zone_B), zone E (the Internet side) and the variable $WEB_PROXY are the ones defined in the DMVPN awall configuration; nothing here is configured in the container.<br />
{{Note|This policy is created and enabled on the DMVPN router with awall, exactly like the policies on the containers}}<br />
{{cat|/etc/awall/optional/internet-host.json|<br />
{<br />
"description": "Web proxy may reach the Internet",<br />
<br />
"filter": [<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
<br />
Configure remote administration. setup-sshd installs, enables and starts OpenSSH, so the daemon must be restarted after the configuration is edited. Password logins are switched off here, so copy your public key into /root/.ssh/authorized_keys before you rely on SSH; until then the container is reachable only through lxc-console.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Restart ssh so the new configuration takes effect<br />
{{Cmd|/etc/init.d/sshd restart}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
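The same three steps (setup-sshd, two sed edits, start) are repeated for every container on this page. The script below is an added example written for this page; it is not part of the wiki, of Alpine's setup-sshd or of any container here. It does the same job idempotently (the page's pattern <code>s/.PasswordAuthentication yes/</code> only matches the commented-out default and silently does nothing on a file that already says <code>PasswordAuthentication yes</code>), also closes the keyboard-interactive password path, installs the root key the page never mentions, and validates the file with <code>sshd -t</code> before restarting. The variables APPLY_SSHD_HARDENING and ROOT_PUBKEY and the function names are this example's own.<br />

```shell
#!/bin/sh
# Added example, not part of the wiki page: harden a container's sshd the way
# the page's sed one-liners intend, but idempotently and without locking the
# administrator out. Assumes OpenSSH as installed by "setup-sshd -c openssh"
# and that root logs in with an SSH key (the page never installs one).
set -u

# set_sshd_option FILE KEY VALUE
# Rewrites every "KEY ..." line, whether commented out or set to another value,
# to "KEY VALUE"; appends the directive if the file does not mention it at all.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$|$key $value|" "$file" > "$file.tmp" &&
            cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE: the settings the page wants, plus two it relies on
harden_sshd_config() {
    file=$1
    set_sshd_option "$file" PasswordAuthentication no
    # keyboard-interactive is a second password path; close it as well
    set_sshd_option "$file" ChallengeResponseAuthentication no
    # root stays reachable, but only with a key
    set_sshd_option "$file" PermitRootLogin without-password
    set_sshd_option "$file" UseDNS no
}

# install_authorized_key HOMEDIR PUBKEY
# Adds PUBKEY once to HOMEDIR/.ssh/authorized_keys with the permissions
# sshd's StrictModes requires.
install_authorized_key() {
    home=$1 pubkey=$2
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    grep -qxF "$pubkey" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
}

# Only touch the running container when asked to, and refuse to restart sshd
# if the rewritten file does not parse (that would cut off every SSH session).
# Usage inside a container: APPLY_SSHD_HARDENING=1 ROOT_PUBKEY="ssh-ed25519 ..." sh harden-sshd.sh
if [ "${APPLY_SSHD_HARDENING:-0}" = 1 ]; then
    [ -n "${ROOT_PUBKEY:-}" ] || { echo "set ROOT_PUBKEY to your public key first" >&2; exit 1; }
    install_authorized_key /root "$ROOT_PUBKEY"
    harden_sshd_config /etc/ssh/sshd_config
    /usr/sbin/sshd -t && /etc/init.d/sshd restart
fi
```

The key is installed before password authentication is disabled, and the restart only happens once <code>sshd -t</code> has accepted the file, so a typo in the configuration cannot leave the container reachable only through lxc-console.<br />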
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replacing <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access hosts listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_alias",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to give the netserv container one interface in each of the management, WiFi and voice VLANs. The lxc.network.name values set the interface names seen inside the container.<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|To leave the console without stopping the container press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Voice VLAN (eth_1101 in the container config)<br />
auto eth_1101<br />
iface eth_1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
# second address on the voice VLAN, reserved for nsd so that it and unbound can both bind port 53<br />
up ip address add <%NETSERV_VOICE_IP_ADDRESS2%>/<%VOICE_SLASH_NOTATION%> dev $IFACE<br />
<br />
#Management VLAN (eth_3 in the container config)<br />
auto eth_3<br />
iface eth_3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
<br />
#WiFi VLAN (eth_701 in the container config)<br />
auto eth_701<br />
iface eth_701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration. setup-sshd installs, enables and starts OpenSSH, so the daemon must be restarted after the configuration is edited. Password logins are switched off here, so copy your public key into /root/.ssh/authorized_keys before you rely on SSH; until then the container is reachable only through lxc-console.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Restart ssh so the new configuration takes effect<br />
{{Cmd|/etc/init.d/sshd restart}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dhcp.json|<br />
{<br />
"description": "DHCP",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dhcp",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dns.json|<br />
{<br />
"description": "DNS",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dns",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable dhcp<br />
awall enable dns<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start the DHCP service and add it to the default runlevel. dhcpd answers on every interface that has a matching subnet declaration; since none is declared for the management VLAN it stays silent there, but you can pin it explicitly to the voice and WiFi interfaces with DHCPD_IFACE in /etc/conf.d/dhcpd.<br />
{{Cmd|rc-service dhcpd start<br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (the recursive resolver; the authoritative server nsd is installed further down)<br />
{{Cmd|apk add unbound}}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
# dhcpd hands WiFi clients <%NETSERV_WIFI_IP_ADDRESS%> as their resolver, so listen there as well<br />
interface: <%NETSERV_WIFI_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
# who may recurse: replace 10.1.0.0/16 with your voice and WiFi subnets; everything else is refused<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%NETSERV_VOICE_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
}}<br />
Check the configuration, start Unbound and point the container's own resolver at it<br />
{{Cmd|unbound-checkconf<br />
/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd configuration<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%NETSERV_VOICE_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Create the zone file for nsd (nsd.conf above looks for it in /etc/nsd)<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn], increase it on every change<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record: with the "s" flag the replacement field is the owner name of the SRV records below<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Records, one per SIP host; every target must have an A record above<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|To leave the console without stopping the container press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration. setup-sshd installs, enables and starts OpenSSH, so the daemon must be restarted after the configuration is edited. Password logins are switched off here, so copy your public key into /root/.ssh/authorized_keys before you rely on SSH; until then the container is reachable only through lxc-console.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Restart ssh so the new configuration takes effect<br />
{{Cmd|/etc/init.d/sshd restart}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
==Install and Configure Postgresql==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf so that 'listen_addresses' and 'log_destination' read:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Binding to the voice VLAN address makes the database reachable from that network. The awall policies above do not open port 5432, so nothing outside the container reaches it unless you add a rule; which users may connect, and from where, is decided by pg_hba.conf, so keep that limited to the clients that need it.<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
== Install Kamailio ==<br />
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio<br />
<br />
=Install the B2BUA container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n b2bua -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.b2bua}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/b2bua/config, to reflect the network for the B2BUA container<br />
<br />
{{cat|/var/lib/lxc/b2bua/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.b2bua start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.b2bua}}<br />
<br />
== Enter the B2BUA container ==<br />
{{Cmd|lxc-console -n b2bua}}<br />
Login as root<br />
{{Note|To leave the console without stopping the container press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%B2BUA_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration. setup-sshd installs, enables and starts OpenSSH, so the daemon must be restarted after the configuration is edited. Password logins are switched off here, so copy your public key into /root/.ssh/authorized_keys before you rely on SSH; until then the container is reachable only through lxc-console.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Restart ssh so the new configuration takes effect<br />
{{Cmd|/etc/init.d/sshd restart}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip-track.json|<br />
{<br />
<br />
"description": "Phone system with SIP connection tracking",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Enable and activate firewall policies, and configure iptables to start at boot<br />
{{Cmd|awall enable base<br />
awall enable sip-track<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure Freeswitch ==<br />
Install package<br />
{{Cmd|apk add freeswitch}}<br />
<br />
Configure /etc/freeswitch/freeswitch.xml. Note that both 'auth-calls' and 'tls' are set to false in the profile below: FreeSWITCH accepts any INVITE that reaches port 5060 on the voice VLAN without challenging it, so it relies on Kamailio in front of it and on the awall policy above to decide who may talk to it, and signalling to this B2BUA is not encrypted on the wire.<br />
{{cat|/etc/freeswitch/freeswitch.xml|<br />
<pre><br />
<?xml version="1.0"?><br />
<document type="freeswitch/xml"><br />
<br />
<!-- Variables we need to set --><br />
<br />
<X-PRE-PROCESS cmd="set" data="b2bua=<%B2BUA_IP_ADDRESS%>"/><br />
<X-PRE-PROCESS cmd="set" data="domain=office.example.net"/><br />
<X-PRE-PROCESS cmd="set" data="siprouter=office.example.net"/><br />
<br />
<!-- Variables we don't need to set --><br />
<br />
<!-- External SIP Profile --><br />
<X-PRE-PROCESS cmd="set" data="external_sip_port=5060"/><br />
<!-- Global codecs --><br />
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/><br />
<!-- Outbound codecs --><br />
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/><br />
<br />
<section name="configuration" description="Various Configuration"><br />
<br />
<configuration name="modules.conf" description="Modules"><br />
<modules><br />
<load module="mod_commands"/><br />
<load module="mod_console"/><br />
<load module="mod_dptools"/><br />
<load module="mod_dialplan_xml"/><br />
<load module="mod_event_socket"/><br />
<load module="mod_logfile"/><br />
<load module="mod_sofia"/><br />
</modules><br />
</configuration><br />
<br />
<configuration name="console.conf" description="Console Logger"><br />
<mappings><br />
<map name="all" value="console,debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
<settings><br />
<param name="loglevel" value="info"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="logfile.conf" description="File Logging"><br />
<settings><br />
<param name="rotate-on-hup" value="true"/><br />
</settings><br />
<profiles><br />
<profile name="default"><br />
<settings><br />
<param name="rollover" value="10485760"/><br />
</settings><br />
<mappings><br />
<map name="all" value="debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
</profile><br />
</profiles><br />
</configuration><br />
<br />
<configuration name="sofia.conf" description="sofia Endpoint"><br />
<global_settings><br />
<param name="log-level" value="0"/><br />
<param name="debug-presence" value="0"/><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="log-auth-failures" value="false"/><br />
<param name="forward-unsolicited-mwi-notify" value="false"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="5060"/><br />
<param name="dialplan" value="XML"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="tls" value="false"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="auth-all-packets" value="false"/><br />
<param name="rtp-timeout-sec" value="300"/><br />
<param name="rtp-hold-timeout-sec" value="1800"/><br />
<param name="challenge-realm" value="auto_from"/><br />
</global_settings><br />
<br />
<profiles><br />
<profile name="$${domain}"><br />
<domains><br />
<domain name="all" alias="false" parse="true"/><br />
</domains><br />
<settings><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="$${external_sip_port}"/><br />
<param name="dialplan" value="XML"/><br />
<param name="context" value="default"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/><br />
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="local-network-acl" value="rfc1918.auto"/><br />
<param name="manage-presence" value="false"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="rtp-ip" value="$${b2bua}"/><br />
<param name="sip-ip" value="$${b2bua}"/><br />
<param name="tls" value="false"/><br />
</settings><br />
</profile> <br />
</profiles> <br />
<br />
</configuration><br />
<br />
<configuration name="switch.conf" description="Core Configuration"><br />
<br />
<cli-keybindings><br />
<key name="1" value="help"/><br />
<key name="2" value="status"/><br />
<key name="3" value="show channels"/><br />
<key name="4" value="show calls"/><br />
<key name="5" value="sofia status"/><br />
<key name="6" value="reloadxml"/><br />
</cli-keybindings><br />
<br />
<settings><br />
<param name="colorize-console" value="true"/><br />
<param name="max-sessions" value="1000"/><br />
<param name="sessions-per-second" value="30"/><br />
<param name="loglevel" value="debug"/><br />
<param name="dump-cores" value="yes"/><br />
<param name="rtp-enable-zrtp" value="false"/><br />
<param name="rtp-start-port" value="13000"/><br />
<param name="rtp-end-port" value="18000"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="post_load_modules.conf" description="Post-load modules"/><br />
<br />
</section><br />
<br />
<!-- Incoming Calls --><br />
<section name="dialplan" description="Regex/XML Dialplan"><br />
<context name="default"><br />
<extension name="b2b-in"><br />
<condition field="destination_number" expression="^(\d*)$"><br />
<action application="set" data="ringback=%(2000,4000,440.0,480.0)"/><br />
<action application="set" data="hangup_after_bridge=true"/><br />
<action application="set" data="continue_on_fail=true"/><br />
<action application="set" data="ignore_early_media=true"/> <br />
<action application="set" data="bypass_media=true"/> <br />
<action application="answer"/><br />
<action application="sleep" data="1000"/><br />
<action application="unset" data="sip_h_P-ARP"/><br />
<action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/><br />
</condition><br />
</extension><br />
</context> <br />
</section><br />
</document><br />
</pre><br />
}}<br />
Start Freeswitch and configure to start at boot<br />
{{Cmd|/etc/init.d/freeswitch start<br />
rc-update add freeswitch}}<br />
= Install the wifi Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n wifi -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.wifi}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/wifi/config, to reflect the network for the wifi container<br />
<br />
{{cat|/var/lib/lxc/wifi/config|<br />
...<br />
lxc.network.link {{=}} bond0.701<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.wifi start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.wifi}}<br />
<br />
== Enter the wifi container ==<br />
{{Cmd|lxc-console -n wifi}}<br />
Log in as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WIFI_IP_ADDRESS%><br />
netmask <%VPNc_WIFI_NETMASK%><br />
<br />
auto eth1<br />
iface eth1 inet static<br />
address <%WIFI_TRANSIT_IP_ADDRESS%><br />
netmask <%WIFI_TRANSIT_NETMASK%><br />
gateway <%DMVPN_WIFI_TRANSIT_IP_ADDRESS%><br />
<br />
auto eth2<br />
iface eth2 inet static<br />
address <%WIFI_MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set a password for the container's root account<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{Todo|Need to add proxy settings and also confirm where this container should look for packages}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9807
Small Office Services
2014-01-22T14:39:24Z
<p>Cewebb: Change Default GW to DMVPN VOICE</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
bond-updelay 500<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the base policy for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate -f<br />
rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
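The lxc.cap.drop lines above accumulate: LXC merges every occurrence, so a container whose per-container config has lost one of them silently keeps the capabilities on that line. The following checker is an added example, not part of this page or of LXC; it collects all lxc.cap.drop lines of a config file and reports which of the capabilities listed above (the required list is copied from the default.conf above) are still granted.<br />

```sh
#!/bin/sh
# Added example (not from the Alpine wiki page or LXC): check that a container
# config drops the capabilities the page's /etc/lxc/default.conf drops.
# LXC merges every lxc.cap.drop line it finds, so all of them must be
# collected before comparing against the required list.

# Capabilities dropped by the page's default.conf (copied from it).
REQUIRED_DROPS="sys_admin audit_control audit_write fsetid ipc_lock
ipc_owner lease linux_immutable mac_admin mac_override
mknod setfcap setpcap sys_module sys_nice sys_pacct
sys_ptrace sys_rawio sys_tty_config sys_time"

# lxc_dropped_caps CONFIG: print, one per line and deduplicated, every
# capability named on an lxc.cap.drop line of CONFIG (comments ignored).
lxc_dropped_caps() {
    awk -F= '
        { sub(/#.*/, "") }
        $1 ~ /^[ \t]*lxc\.cap\.drop[ \t]*$/ {
            n = split($2, c, " ")
            for (i = 1; i <= n; i++) print c[i]
        }
    ' "$1" | sort -u
}

# lxc_missing_drops CONFIG: print the required capabilities that CONFIG does
# not drop (space separated); return 0 if none are missing, 1 otherwise.
lxc_missing_drops() {
    dropped=$(lxc_dropped_caps "$1")
    missing=""
    for cap in $REQUIRED_DROPS; do
        printf '%s\n' "$dropped" | grep -qx "$cap" || missing="$missing $cap"
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "${missing# }"
    return 1
}

# Demonstration on a constructed container config: the page's default.conf
# with its last lxc.cap.drop line missing (e.g. lost while editing
# /var/lib/lxc/<name>/config).
demo=$(mktemp)
cat > "$demo" <<'EOF'
lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.link = bond0.3
lxc.network.name = eth0

## Restrict capabilities of the containers
lxc.cap.drop = sys_admin audit_control audit_write fsetid ipc_lock
lxc.cap.drop = ipc_owner lease linux_immutable mac_admin mac_override
lxc.cap.drop = mknod setfcap setpcap sys_module sys_nice sys_pacct
EOF
if lxc_missing_drops "$demo"; then
    echo "all required capabilities are dropped"
else
    echo "^ these capabilities are still granted to the container"
fi
rm -f "$demo"
```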
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Log in as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add the following rule to the DMVPN host's awall policy to allow this proxy out to the internet<br />
{{Note| this is to be configured on the DMVPN awall config, not inside this container}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
}<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set a password for the container's root account<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have a hard disk installed, comment out the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make the 'squid' and 'lighttpd' users members of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks for the netserv container<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Log in as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Voice VLAN<br />
auto eth0<br />
iface eth0 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
<br />
#Management VLAN<br />
auto eth1<br />
iface eth1 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
up ip address add <%MANAGEMENT_IP_ADDRESS2%>/26 dev $IFACE<br />
<br />
#WiFi VLAN<br />
auto eth2<br />
iface eth2 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
<br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set a password for the container's root account<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dhcp.json|<br />
{<br />
"description": "DHCP",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dhcp",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dns.json|<br />
{<br />
"description": "DNS",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dns",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable dhcp<br />
awall enable dns<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
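awall reads the files in /etc/awall/optional as JSON, so a comma left directly before a closing brace or bracket (easy to leave behind when a rule object such as the internet-host.json one in the web proxy section is pasted into an existing "filter" list) makes the whole policy unusable at activation time. The lint below is an added example, not part of this page or of awall; it flags such commas in every policy file of a directory before 'awall activate' is run.<br />

```sh
#!/bin/sh
# Added example (not from the Alpine wiki page or awall): lint awall policy
# files for trailing commas before "awall activate".  awall parses the files
# as JSON, where a comma directly before "}" or "]" is a syntax error that
# takes the whole policy down; it is easy to leave one behind when pasting
# a rule object into an existing "filter" list.

# awall_trailing_commas FILE: print FILE:LINE for every line ending in a comma
# whose next non-blank line starts with "}" or "]"; return 1 if any were found.
awall_trailing_commas() {
    awk '
        /^[ \t]*$/ { next }
        /^[ \t]*[]}]/ && pending { print FILENAME ":" pendline; found = 1 }
        { pending = ($0 ~ /,[ \t]*$/); pendline = NR }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# awall_lint_dir DIR: lint every *.json in DIR; return 1 if any file fails.
awall_lint_dir() {
    rc=0
    for f in "$1"/*.json; do
        [ -e "$f" ] || continue
        awall_trailing_commas "$f" || rc=1
    done
    return $rc
}

# Demonstration on a constructed policy directory: base.json as on this page
# and a web proxy rule pasted with two trailing commas.
dir=$(mktemp -d)
cat > "$dir/base.json" <<'EOF'
{
"description": "Management",
"policy": [
{ "in": "_fw", "action": "accept" }
],
"filter": [
{
"out": "_fw",
"service": [ "ssh", "https", "ping" ],
"action": "accept"
}
]
}
EOF
cat > "$dir/internet-host.json" <<'EOF'
{
"description": "Web proxy to the internet",
"filter": [
{
"in": "B",
"src": "$WEB_PROXY",
"out": "E",
"action": "accept",
},
]
}
EOF
if awall_lint_dir "$dir"; then
    echo "policies are clean"
else
    echo "^ fix these before running awall activate"
fi
rm -rf "$dir"
```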
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (nsd is installed further below)<br />
{{Cmd|apk add unbound }}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
With your favorite editor, create a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
}}<br />
Start Unbound and allow the container to use it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Configure Zone file for nsd<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR record: SIP over UDP, resolved through the _sip._udp SRV records below<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Record<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
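awall reads these files as JSON and a single stray trailing comma stops the policy from loading, while a filter that accepts into the container without a service list opens every port. The linter below is added example code, not part of awall or of the wiki page; its sample files are constructed copies of the base and sip policies plus one deliberately over-permissive file, and it assumes awall treats a filter rule with no "action" as accept.<br />

```python
"""Lint awall policy files of the form used on this page (added example, not awall code).

Checks: (1) the file is strict JSON, because a trailing comma makes `awall activate`
reject the policy; (2) no rule accepts traffic into the firewall host ("out": "_fw")
without a "service" or "src" restriction. SAMPLE_POLICIES are constructed."""
import json

SAMPLE_POLICIES = {
    "base.json": """{
  "description": "Management",
  "policy": [ { "in": "_fw", "action": "accept" } ],
  "filter": [
    { "out": "_fw", "service": [ "ssh", "https", "ping" ], "action": "accept" }
  ]
}""",
    # the trailing comma after "accept" is the defect an earlier revision of sip.json carried
    "sip.json": """{
  "description": "Phone System",
  "filter": [
    { "out": "_fw", "service": [ "sip", "sip-tls" ], "action": "accept", }
  ]
}""",
    "wide-open.json": """{
  "description": "constructed: lets every zone reach every port on the host",
  "policy": [ { "out": "_fw", "action": "accept" } ],
  "filter": [ { "out": "_fw" } ]
}""",
}


def lint_policy(name, text):
    """Return a list of findings for one policy file; an empty list means it passed."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"{name}: not valid JSON (line {exc.lineno}, col {exc.colno}): {exc.msg}"]
    findings = []
    for rule in policy.get("policy", []):
        # a zone policy has no service granularity: accept from anything but the host itself
        # means every port is reachable from that zone
        if rule.get("action") == "accept" and rule.get("in") != "_fw":
            findings.append(f"{name}: zone policy accepts everything from "
                            f"{rule.get('in', 'any zone')} to {rule.get('out', 'any zone')}")
    for rule in policy.get("filter", []):
        # assumption: awall filter rules default to "accept" when "action" is absent
        if rule.get("action", "accept") != "accept" or rule.get("out") != "_fw":
            continue
        if not rule.get("service") and not rule.get("src"):
            findings.append(f"{name}: filter accepts all traffic into the host "
                            "(no \"service\" or \"src\")")
    return findings


def lint_all(policies=SAMPLE_POLICIES):
    """Lint every file; returns {name: findings} for the files that have findings."""
    report = {}
    for name, text in policies.items():
        findings = lint_policy(name, text)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in lint_all().items():
        print("\n".join(findings))
```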
<br />
==Install and Configure Postgresql==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf to set the 'listen_addresses', and the 'log_destination' variables to show:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}}'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
== Install Kamailio ==<br />
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio<br />
<br />
=Install the B2BUA container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n b2bua -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.b2bua}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/b2bua/config, to reflect the network for the B2BUA container<br />
<br />
{{cat|/var/lib/lxc/b2bua/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.b2bua start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.b2bua}}<br />
<br />
== Enter the B2BUA container ==<br />
{{Cmd|lxc-console -n b2bua}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%B2BUA_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip-track.json|<br />
{<br />
<br />
"description": "Phone system with SIP connection tracking",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Enable and activate firewall policies, and configure iptables to start at boot<br />
{{Cmd|awall enable base<br />
awall enable sip-track<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure Freeswitch ==<br />
Install package<br />
{{Cmd|apk add freeswitch}}<br />
<br />
Configure /etc/freeswitch/freeswitch.xml<br />
{{cat|/etc/freeswitch/freeswitch.xml|<br />
<pre><br />
<?xml version="1.0"?><br />
<document type="freeswitch/xml"><br />
<br />
<!-- Variables we need to set --><br />
<br />
<X-PRE-PROCESS cmd="set" data="b2bua=<%B2BUA_IP_ADDRESS%>"/><br />
<X-PRE-PROCESS cmd="set" data="domain=office.example.net"/><br />
<X-PRE-PROCESS cmd="set" data="siprouter=office.example.net"/><br />
<br />
<!-- Variables we don't need to set --><br />
<br />
<!-- External SIP Profile --><br />
<X-PRE-PROCESS cmd="set" data="external_sip_port=5060"/><br />
<!-- Global codecs --><br />
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/><br />
<!-- Outbound codecs --><br />
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/><br />
<br />
<section name="configuration" description="Various Configuration"><br />
<br />
<configuration name="modules.conf" description="Modules"><br />
<modules><br />
<load module="mod_commands"/><br />
<load module="mod_console"/><br />
<load module="mod_dptools"/><br />
<load module="mod_dialplan_xml"/><br />
<load module="mod_event_socket"/><br />
<load module="mod_logfile"/><br />
<load module="mod_sofia"/><br />
</modules><br />
</configuration><br />
<br />
<configuration name="console.conf" description="Console Logger"><br />
<mappings><br />
<map name="all" value="console,debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
<settings><br />
<param name="loglevel" value="info"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="logfile.conf" description="File Logging"><br />
<settings><br />
<param name="rotate-on-hup" value="true"/><br />
</settings><br />
<profiles><br />
<profile name="default"><br />
<settings><br />
<param name="rollover" value="10485760"/><br />
</settings><br />
<mappings><br />
<map name="all" value="debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
</profile><br />
</profiles><br />
</configuration><br />
<br />
<configuration name="sofia.conf" description="sofia Endpoint"><br />
<global_settings><br />
<param name="log-level" value="0"/><br />
<param name="debug-presence" value="0"/><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="log-auth-failures" value="false"/><br />
<param name="forward-unsolicited-mwi-notify" value="false"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="5060"/><br />
<param name="dialplan" value="XML"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="tls" value="false"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="auth-all-packets" value="false"/><br />
<param name="rtp-timeout-sec" value="300"/><br />
<param name="rtp-hold-timeout-sec" value="1800"/><br />
<param name="challenge-realm" value="auto_from"/><br />
</global_settings><br />
<br />
<profiles><br />
<profile name="$${domain}"><br />
<domains><br />
<domain name="all" alias="false" parse="true"/><br />
</domains><br />
<settings><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="$${external_sip_port}"/><br />
<param name="dialplan" value="XML"/><br />
<param name="context" value="default"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/><br />
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="local-network-acl" value="rfc1918.auto"/><br />
<param name="manage-presence" value="false"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="rtp-ip" value="$${b2bua}"/><br />
<param name="sip-ip" value="$${b2bua}"/><br />
<param name="tls" value="false"/><br />
</settings><br />
</profile> <br />
</profiles> <br />
<br />
</configuration><br />
<br />
<configuration name="switch.conf" description="Core Configuration"><br />
<br />
<cli-keybindings><br />
<key name="1" value="help"/><br />
<key name="2" value="status"/><br />
<key name="3" value="show channels"/><br />
<key name="4" value="show calls"/><br />
<key name="5" value="sofia status"/><br />
<key name="6" value="reloadxml"/><br />
</cli-keybindings><br />
<br />
<settings><br />
<param name="colorize-console" value="true"/><br />
<param name="max-sessions" value="1000"/><br />
<param name="sessions-per-second" value="30"/><br />
<param name="loglevel" value="debug"/><br />
<param name="dump-cores" value="yes"/><br />
<param name="rtp-enable-zrtp" value="false"/><br />
<param name="rtp-start-port" value="13000"/><br />
<param name="rtp-end-port" value="18000"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="post_load_modules.conf" description="Post-load modules"/><br />
<br />
</section><br />
<br />
<!-- Incoming Calls --><br />
<section name="dialplan" description="Regex/XML Dialplan"><br />
<context name="default"><br />
<extension name="b2b-in"><br />
<condition field="destination_number" expression="^(\d*)$"><br />
<action application="set" data="ringback=%(2000,4000,440.0,480.0)"/><br />
<action application="set" data="hangup_after_bridge=true"/><br />
<action application="set" data="continue_on_fail=true"/><br />
<action application="set" data="ignore_early_media=true"/> <br />
<action application="set" data="bypass_media=true"/> <br />
<action application="answer"/><br />
<action application="sleep" data="1000"/><br />
<action application="unset" data="sip_h_P-ARP"/><br />
<action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/><br />
</condition><br />
</extension><br />
</context> <br />
</section><br />
</document><br />
</pre><br />
}}<br />
Start Freeswitch and configure to start at boot<br />
{{Cmd|/etc/init.d/freeswitch start<br />
rc-update add freeswitch}}<br />
= Install the wifi Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n wifi -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.wifi}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/wifi/config, to reflect the network for the wifi container<br />
<br />
{{cat|/var/lib/lxc/wifi/config|<br />
...<br />
lxc.network.link {{=}} bond0.701<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.wifi start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.wifi}}<br />
<br />
== Enter the wifi container ==<br />
{{Cmd|lxc-console -n wifi}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WIFI_IP_ADDRESS%><br />
netmask <%VPNc_WIFI_NETMASK%><br />
<br />
auto eth1<br />
iface eth1 inet static<br />
address <%WIFI_TRANSIT_IP_ADDRESS%><br />
netmask <%WIFI_TRANSIT_NETMASK%><br />
gateway <%DMVPN_WIFI_TRANSIT_IP_ADDRESS%><br />
<br />
auto eth2<br />
iface eth2 inet static<br />
address <%WIFI_MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{Todo|Need to add proxy settings and also confirm where this container should look for packages}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9806
Small Office Services
2014-01-22T14:26:15Z
<p>Cewebb: Remove WiFi interface from Unbound</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
bond-updelay 500<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the base policy for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate -f<br />
rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add rule to DMVPN awall policy to allow this proxy out to the internet<br />
{{Note| this is to be configured on the DMVPN awall config}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
},<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access hosts listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
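The http_access section above only works because of its order: Squid takes the first line on which every ACL term matches, and when no line matches it applies the opposite of the last line's action, which is why the list ends with deny all. The model below is added example code, not part of Squid or of the wiki page; it assumes <%LAN_SUBNET%> is 10.10.0.0/24 and replaces the /etc/squid list files with small constructed sets.<br />

```python
"""Model of Squid's http_access evaluation for the policy above (added example, not Squid).

First matching line wins; no match means the inverse of the last line's action.
The ACL definitions mirror the page's squid.conf; the sets are constructed stand-ins."""
import ipaddress

SAFE_PORTS = {21, 70, 80, 81, 210, 280, 443, 563, 499, 591, 777, 1024, 1022} | set(range(1025, 65536))
SSL_PORTS = {443, 563, 8004, 9000}
ZONE_B = ipaddress.ip_network("10.10.0.0/24")                    # assumed <%LAN_SUBNET%>
ALLOWED_USER_DOMAINS = {"alpinelinux.org", "example.com"}         # /etc/squid/alloweduserdomains
SERVICE_HOSTS = {ipaddress.ip_address("10.10.0.50")}             # /etc/squid/allowedserviceshosts
SERVICE_DOMAINS = {"mirror.example.org"}                         # /etc/squid/allowedservicesdomains


def dstdomain(req, domains):
    """Squid dstdomain semantics: the host is the listed domain or a subdomain of it."""
    return any(req["host"] == d or req["host"].endswith("." + d) for d in domains)


# ACL name -> predicate over a request, one per `acl` line used by http_access
ACLS = {
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
    "SSL_ports": lambda r: r["port"] in SSL_PORTS,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "Zone_B": lambda r: ipaddress.ip_address(r["src"]) in ZONE_B,
    "Zone_B_AllowedUserDomains": lambda r: dstdomain(r, ALLOWED_USER_DOMAINS),
    "Zone_B_AllowedServicesHosts": lambda r: ipaddress.ip_address(r["src"]) in SERVICE_HOSTS,
    "Zone_B_AllowedServicesDomains": lambda r: dstdomain(r, SERVICE_DOMAINS),
    "all": lambda r: True,
}

# The page's http_access lines in order (manager/purge lines omitted: localhost only)
HTTP_ACCESS = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["Zone_B", "Zone_B_AllowedUserDomains"]),
    ("allow", ["Zone_B_AllowedServicesHosts", "Zone_B_AllowedServicesDomains"]),
    ("deny", ["all"]),
]


def request(src, method, host, port):
    """Build a constructed proxy request."""
    return {"src": src, "method": method, "host": host, "port": port}


def term_matches(term, req):
    """A leading '!' negates the ACL, as in Squid."""
    negate = term.startswith("!")
    return ACLS[term.lstrip("!")](req) != negate


def http_access(req, rules=HTTP_ACCESS):
    """Return (decision, index of the matching line or None when the default applied)."""
    for index, (action, terms) in enumerate(rules):
        if all(term_matches(term, req) for term in terms):
            return action, index
    last_action = rules[-1][0]              # no match: Squid inverts the last line's action
    return ("deny" if last_action == "allow" else "allow"), None


if __name__ == "__main__":
    for req in (request("10.10.0.7", "GET", "www.alpinelinux.org", 80),
                request("10.10.0.7", "CONNECT", "www.alpinelinux.org", 8080),
                request("10.20.0.5", "GET", "www.alpinelinux.org", 80)):
        print(req, "->", http_access(req))
```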
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make the 'squid' and 'lighttpd' users members of the squark group<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure it to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks for the netserv container<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto eth0<br />
iface eth0 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
up ip address add <%MANAGEMENT_IP_ADDRESS2%>/26 dev eth0<br />
<br />
#WiFi VLAN<br />
auto eth1<br />
iface eth1 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
#Voice VLAN<br />
auto eth2<br />
iface eth2 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
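The two sed substitutions above are repeated for every container in this document. The following is an added example, not code from the wiki page or from OpenSSH: it replays those substitutions on two constructed sshd_config snippets and then reads the result the way sshd does (first occurrence of a keyword wins, anything after a "Match" line is conditional). It shows why the leading `.` in the pattern matters: it consumes the `#` of a commented-out default, but it does not match a directive that is already active at the start of the line, so a file that already says `PasswordAuthentication yes` is left unchanged.

```python
"""Check what the sshd_config edits in this document actually achieve.

Added example, not from the wiki page or from OpenSSH.  It replays the
two sed substitutions from the step above on constructed sshd_config
snippets, then reports the effective value of each keyword the way sshd
does: the first occurrence of a keyword wins, and everything after the
first "Match" line is conditional, so it is not considered here.
"""
import re

# Constructed sample 1: the stock file ships the defaults commented out.
SAMPLE_COMMENTED = """\
# This is the sshd server system-wide configuration file.
#Port 22
#PasswordAuthentication yes
#UseDNS yes
Subsystem sftp /usr/lib/ssh/sftp-server
"""

# Constructed sample 2: someone already enabled password logins explicitly.
SAMPLE_ACTIVE = """\
PasswordAuthentication yes
UseDNS no
"""

# The sed expressions from the document, as (pattern, replacement).  The
# leading '.' matches the '#' of a commented-out default, which is what
# turns the comment into a live directive.
SED_RULES = [
    (r".PasswordAuthentication yes", "PasswordAuthentication no"),
    (r".UseDNS yes", "UseDNS no"),
]


def harden(config_text):
    """Apply the document's sed rules line by line (first match per line)."""
    out = []
    for line in config_text.splitlines():
        for pattern, repl in SED_RULES:
            line = re.sub(pattern, repl, line, count=1)
        out.append(line)
    return "\n".join(out) + "\n"


def effective_settings(config_text):
    """Return {keyword_lowercase: value} for the global section of sshd_config."""
    settings = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # conditional section starts; global values are settled
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def password_auth_disabled(config_text):
    """True only if the hardened file really ends up with password logins off.

    A missing keyword means sshd's default (PasswordAuthentication yes),
    so absence counts as "not disabled".
    """
    return effective_settings(harden(config_text)).get("passwordauthentication") == "no"


if __name__ == "__main__":
    for name, sample in (("commented", SAMPLE_COMMENTED), ("active", SAMPLE_ACTIVE)):
        print(name, "password auth disabled:", password_auth_disabled(sample))
```

On the real container the authoritative check is `sshd -T`, which prints the effective configuration after all parsing; grep it for PasswordAuthentication rather than trusting that the sed matched.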
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set a root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Set up ACF for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dhcp.json|<br />
{<br />
"description": "DHCP",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dhcp",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dns.json|<br />
{<br />
"description": "DNS",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dns",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and configure iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable dhcp<br />
awall enable dns<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start the DHCP service and add it to the default runlevel<br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package<br />
{{Cmd|apk add unbound }}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
}}<br />
Start Unbound and allow the container to use it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Create the nsd configuration<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Configure Zone file for nsd<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; NS servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Records<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.sip.office.example.net.<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.vmail.office.example.net.<br />
<br />
;SIP SRV Record<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
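nsd-checkconf (and nsd-checkzone) will tell you whether the zone file parses, not whether its records fit together. The following is an added example, not part of the wiki page or of nsd: a small parser for the zone format used above that reports NS and SRV targets without an A record, and NAPTR records with the "s" flag whose replacement is not the owner name of any SRV record. The sample zone is constructed, with RFC 5737 documentation addresses in place of the page's <%...%> placeholders, and deliberately keeps an A record named "map" while the SRV record points at "vmail", so the check has something to find.

```python
"""Consistency check for an nsd zone file in the format used above.

Added example, not part of the wiki page or of nsd.  It parses the zone
and reports NS/SRV targets with no A record and NAPTR "s" replacements
that are not the owner name of any SRV record.
"""

# Constructed sample zone (documentation addresses, not the page's values).
SAMPLE_ZONE = """\
$ORIGIN office.example.net.
$TTL 86400

@ IN SOA ns1 admin (
        2013032200 ; Serial number [yyyymmddnn]
        28800      ; Refresh
        7200       ; Retry
        864000     ; Expire
        86400      ; Min TTL
        )

@ NS ns1
ns1 IN A 192.0.2.53

;A Records for SIP devices (the SRV below wants "vmail", not "map")
sip IN A 192.0.2.10
map IN A 192.0.2.11

;NAPTR records
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.sip.office.example.net.
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.vmail.office.example.net.

;SIP SRV records
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""


def fqdn(name, origin):
    """Turn a zone-file owner or target into a fully qualified name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." + origin


def parse_zone(text):
    """Return (origin, [(owner_fqdn, rtype, rdata_tokens), ...]).

    Handles $ORIGIN/$TTL, ';' comments, an optional IN class and TTL, and
    parenthesised multi-line rdata.  Assumes every record names its owner
    and that quoted rdata contains no spaces or ';' (true for this zone).
    """
    origin, records, buf = ".", [], ""
    for raw in text.splitlines():
        buf += " " + raw.split(";", 1)[0]
        if buf.count("(") > buf.count(")"):
            continue                      # still inside ( ... )
        tokens = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):
            continue                      # $TTL and friends
        owner, rest = tokens[0], tokens[1:]
        while rest and (rest[0] == "IN" or rest[0].isdigit()):
            rest = rest[1:]               # drop class and/or TTL
        records.append((fqdn(owner, origin), rest[0], rest[1:]))
    return origin, records


def dangling_targets(text):
    """List human-readable problems; an empty list means the zone is coherent."""
    origin, records = parse_zone(text)
    has_address = {o for o, t, _ in records if t in ("A", "AAAA")}
    srv_owners = {o for o, t, _ in records if t == "SRV"}
    problems = []
    for owner, rtype, rdata in records:
        if rtype in ("NS", "SRV"):
            target = fqdn(rdata[-1], origin)
            if target not in has_address:
                problems.append("%s %s target %s has no A record" % (owner, rtype, target))
        elif rtype == "NAPTR" and rdata[2] == '"s"':
            replacement = fqdn(rdata[-1], origin)
            if replacement not in srv_owners:
                problems.append("%s NAPTR replacement %s is not an SRV name" % (owner, replacement))
    return problems


if __name__ == "__main__":
    for problem in dangling_targets(SAMPLE_ZONE) or ["zone is coherent"]:
        print(problem)
```

On the constructed sample the check reports three problems: the SRV target vmail has no A record, and both NAPTR replacements name `_sip._udp.<host>.office.example.net.` while the SRV records are owned by `_sip._udp.office.example.net.`, so an RFC 3263 client following the NAPTR would not find them.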
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set a root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Set up ACF for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and configure iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
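The awall policies in this document are hand-written JSON, and a single stray comma makes the whole policy unloadable. The following is an added example, not code from the wiki page or from awall: it runs each policy through a strict JSON parser before anything is activated and, for the ones that parse, lists which services the policy accepts towards the firewall host itself (`"out": "_fw"`), which is the line to review on every container. The sample policies are constructed in the shape used on this page; the second one carries a trailing comma on purpose.

```python
"""Sanity-check awall policy files before `awall activate`.

Added example, not part of the wiki page or of awall.  Strict JSON does
not allow a trailing comma, so loading each policy with json.loads
catches the most common editing slip; the summary of services accepted
towards "_fw" is what a reviewer wants to see per container.
"""
import json

# Constructed sample policies in the shape used on this page.  The second
# one carries a trailing comma after "accept".
SAMPLE_POLICIES = {
    "base.json": """{
  "description": "Management",
  "policy": [ { "in": "_fw", "action": "accept" } ],
  "filter": [
    { "out": "_fw", "service": [ "ssh", "https", "ping" ], "action": "accept" }
  ]
}""",
    "sip.json": """{
  "description": "Phone System",
  "filter": [
    { "out": "_fw", "service": [ "sip", "sip-tls" ], "action": "accept", }
  ]
}""",
}


def check_policy(name, text):
    """Return (ok, detail): detail is the sorted list of services the policy
    accepts towards the firewall host, or the parse error location."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return False, "%s: line %d col %d: %s" % (name, exc.lineno, exc.colno, exc.msg)
    opened = []
    for rule in policy.get("filter", []):
        if rule.get("out") != "_fw" or rule.get("action") != "accept":
            continue
        service = rule.get("service", [])
        if isinstance(service, str):      # awall accepts a bare string too
            service = [service]
        opened.extend(service)
    return True, sorted(opened)


def check_all(policies):
    """Map policy file name -> (ok, detail) for every policy."""
    return {name: check_policy(name, text) for name, text in policies.items()}


if __name__ == "__main__":
    for name, (ok, detail) in check_all(SAMPLE_POLICIES).items():
        print("%-10s %s %s" % (name, "OK " if ok else "ERR", detail))
```

To run this against a container, read the files from /etc/awall/optional/ into the dictionary instead of the constructed samples; `awall activate -f` on a broken policy is the thing you want to avoid, since the firewall is what stands between the container and the VLAN.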
<br />
==Install and Configure Postgresql==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf so that the 'listen_addresses' and 'log_destination' variables read:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
== Install Kamailio ==<br />
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio<br />
<br />
=Install the B2BUA container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n b2bua -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.b2bua}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/b2bua/config, to reflect the network for the B2BUA container<br />
<br />
{{cat|/var/lib/lxc/b2bua/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.b2bua start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.b2bua}}<br />
<br />
== Enter the B2BUA container ==<br />
{{Cmd|lxc-console -n b2bua}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%B2BUA_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set a root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Set up ACF for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip-track.json|<br />
{<br />
<br />
"description": "Phone system with SIP connection tracking",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Enable and activate firewall policies, and configure iptables to start at boot<br />
{{Cmd|awall enable base<br />
awall enable sip-track<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure Freeswitch ==<br />
Install package<br />
{{Cmd|apk add freeswitch}}<br />
<br />
Configure /etc/freeswitch/freeswitch.xml<br />
{{cat|/etc/freeswitch/freeswitch.xml|<br />
<pre><br />
<?xml version="1.0"?><br />
<document type="freeswitch/xml"><br />
<br />
<!-- Variables we need to set --><br />
<br />
<X-PRE-PROCESS cmd="set" data="b2bua=<%B2BUA_IP_ADDRESS%>"/><br />
<X-PRE-PROCESS cmd="set" data="domain=office.example.net"/><br />
<X-PRE-PROCESS cmd="set" data="siprouter=office.example.net"/><br />
<br />
<!-- Variables we don't need to set --><br />
<br />
<!-- External SIP Profile --><br />
<X-PRE-PROCESS cmd="set" data="external_sip_port=5060"/><br />
<!-- Global codecs --><br />
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/><br />
<!-- Outbound codecs --><br />
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/><br />
<br />
<section name="configuration" description="Various Configuration"><br />
<br />
<configuration name="modules.conf" description="Modules"><br />
<modules><br />
<load module="mod_commands"/><br />
<load module="mod_console"/><br />
<load module="mod_dptools"/><br />
<load module="mod_dialplan_xml"/><br />
<load module="mod_event_socket"/><br />
<load module="mod_logfile"/><br />
<load module="mod_sofia"/><br />
</modules><br />
</configuration><br />
<br />
<configuration name="console.conf" description="Console Logger"><br />
<mappings><br />
<map name="all" value="console,debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
<settings><br />
<param name="loglevel" value="info"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="logfile.conf" description="File Logging"><br />
<settings><br />
<param name="rotate-on-hup" value="true"/><br />
</settings><br />
<profiles><br />
<profile name="default"><br />
<settings><br />
<param name="rollover" value="10485760"/><br />
</settings><br />
<mappings><br />
<map name="all" value="debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
</profile><br />
</profiles><br />
</configuration><br />
<br />
<configuration name="sofia.conf" description="sofia Endpoint"><br />
<global_settings><br />
<param name="log-level" value="0"/><br />
<param name="debug-presence" value="0"/><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="log-auth-failures" value="false"/><br />
<param name="forward-unsolicited-mwi-notify" value="false"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="5060"/><br />
<param name="dialplan" value="XML"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="tls" value="false"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="auth-all-packets" value="false"/><br />
<param name="rtp-timeout-sec" value="300"/><br />
<param name="rtp-hold-timeout-sec" value="1800"/><br />
<param name="challenge-realm" value="auto_from"/><br />
</global_settings><br />
<br />
<profiles><br />
<profile name="$${domain}"><br />
<domains><br />
<domain name="all" alias="false" parse="true"/><br />
</domains><br />
<settings><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="$${external_sip_port}"/><br />
<param name="dialplan" value="XML"/><br />
<param name="context" value="default"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/><br />
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="local-network-acl" value="rfc1918.auto"/><br />
<param name="manage-presence" value="false"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="rtp-ip" value="$${b2bua}"/><br />
<param name="sip-ip" value="$${b2bua}"/><br />
<param name="tls" value="false"/><br />
</settings><br />
</profile> <br />
</profiles> <br />
<br />
</configuration><br />
<br />
<configuration name="switch.conf" description="Core Configuration"><br />
<br />
<cli-keybindings><br />
<key name="1" value="help"/><br />
<key name="2" value="status"/><br />
<key name="3" value="show channels"/><br />
<key name="4" value="show calls"/><br />
<key name="5" value="sofia status"/><br />
<key name="6" value="reloadxml"/><br />
</cli-keybindings><br />
<br />
<settings><br />
<param name="colorize-console" value="true"/><br />
<param name="max-sessions" value="1000"/><br />
<param name="sessions-per-second" value="30"/><br />
<param name="loglevel" value="debug"/><br />
<param name="dump-cores" value="yes"/><br />
<param name="rtp-enable-zrtp" value="false"/><br />
<param name="rtp-start-port" value="13000"/><br />
<param name="rtp-end-port" value="18000"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="post_load_modules.conf" description="Post-load modules"/><br />
<br />
</section><br />
<br />
<!-- Incoming Calls --><br />
<section name="dialplan" description="Regex/XML Dialplan"><br />
<context name="default"><br />
<extension name="b2b-in"><br />
<condition field="destination_number" expression="^(\d*)$"><br />
<action application="set" data="ringback=%(2000,4000,440.0,480.0)"/><br />
<action application="set" data="hangup_after_bridge=true"/><br />
<action application="set" data="continue_on_fail=true"/><br />
<action application="set" data="ignore_early_media=true"/> <br />
<action application="set" data="bypass_media=true"/> <br />
<action application="answer"/><br />
<action application="sleep" data="1000"/><br />
<action application="unset" data="sip_h_P-ARP"/><br />
<action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/><br />
</condition><br />
</extension><br />
</context> <br />
</section><br />
</document><br />
</pre><br />
}}<br />
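The freeswitch.xml above wires everything together through `X-PRE-PROCESS cmd="set"` variables that are later referenced as `$${name}`; a reference to a name that was never set is not a parse error, it just expands to nothing and the profile silently binds or bridges to the wrong place. The following is an added example, not code from the wiki page or from FreeSWITCH: it parses a constructed, shortened configuration of the same shape, collects the variables set by X-PRE-PROCESS, finds every `$${...}` reference in attribute values, and reports names that are referenced but never set (and the reverse). The sample omits the definition of `siprouter` and `outbound_codec_prefs` on purpose.

```python
"""Cross-check $${var} references against X-PRE-PROCESS definitions.

Added example, not part of the wiki page or of FreeSWITCH.  FreeSWITCH
expands $${name} at pre-process time; an undefined name expands to an
empty string rather than failing, so this check is worth running before
the first start.
"""
import re
import xml.etree.ElementTree as ET

# Constructed, shortened configuration in the shape of the page's file.
# "siprouter" and "outbound_codec_prefs" are referenced but never set.
SAMPLE_FREESWITCH_XML = r"""<?xml version="1.0"?>
<document type="freeswitch/xml">
  <!-- Variables we need to set -->
  <X-PRE-PROCESS cmd="set" data="b2bua=192.0.2.20"/>
  <X-PRE-PROCESS cmd="set" data="domain=office.example.net"/>
  <X-PRE-PROCESS cmd="set" data="external_sip_port=5060"/>
  <X-PRE-PROCESS cmd="set" data="global_codec_prefs=G722,PCMU,PCMA"/>
  <section name="configuration">
    <configuration name="sofia.conf">
      <profiles>
        <profile name="$${domain}">
          <settings>
            <param name="sip-port" value="$${external_sip_port}"/>
            <param name="inbound-codec-prefs" value="$${global_codec_prefs}"/>
            <param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/>
            <param name="rtp-ip" value="$${b2bua}"/>
            <param name="sip-ip" value="$${b2bua}"/>
          </settings>
        </profile>
      </profiles>
    </configuration>
  </section>
  <section name="dialplan">
    <context name="default">
      <extension name="b2b-in">
        <condition field="destination_number" expression="^(\d*)$">
          <action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/>
        </condition>
      </extension>
    </context>
  </section>
</document>
"""

# $${name} is a pre-process variable; a bare $1 is a regex backreference.
VAR_REF = re.compile(r"\$\$\{([A-Za-z0-9_]+)\}")


def preprocess_vars(root):
    """Names defined by <X-PRE-PROCESS cmd="set" data="name=value"/>."""
    defined = {}
    for el in root.iter("X-PRE-PROCESS"):
        data = el.get("data") or ""
        if el.get("cmd") == "set" and "=" in data:
            name, value = data.split("=", 1)
            defined[name.strip()] = value
    return defined


def referenced_vars(root):
    """Map variable name -> list of 'tag@attribute' places that reference it."""
    refs = {}
    for el in root.iter():
        for attr, value in el.attrib.items():
            for name in VAR_REF.findall(value):
                refs.setdefault(name, []).append("%s@%s" % (el.tag, attr))
    return refs


def check_variables(xml_text):
    """Return (undefined_names, unused_names), both sorted."""
    root = ET.fromstring(xml_text)
    defined = preprocess_vars(root)
    refs = referenced_vars(root)
    undefined = sorted(n for n in refs if n not in defined)
    unused = sorted(n for n in defined if n not in refs)
    return undefined, unused


if __name__ == "__main__":
    undefined, unused = check_variables(SAMPLE_FREESWITCH_XML)
    print("referenced but never set:", undefined)
    print("set but never referenced:", unused)
```

Point it at /etc/freeswitch/freeswitch.xml on the b2bua container by reading the file instead of the sample; a non-empty "referenced but never set" list means a bridge target or a bound address is going to be empty at runtime.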
Start Freeswitch and configure to start at boot<br />
{{Cmd|/etc/init.d/freeswitch start<br />
rc-update add freeswitch}}<br />
= Install the wifi Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n wifi -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.wifi}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/wifi/config, to reflect the network for the wifi container<br />
<br />
{{cat|/var/lib/lxc/wifi/config|<br />
...<br />
lxc.network.link {{=}} bond0.701<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.wifi start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.wifi}}<br />
<br />
== Enter the wifi container ==<br />
{{Cmd|lxc-console -n wifi}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WIFI_IP_ADDRESS%><br />
netmask <%VPNc_WIFI_NETMASK%><br />
<br />
auto eth1<br />
iface eth1 inet static<br />
address <%WIFI_TRANSIT_IP_ADDRESS%><br />
netmask <%WIFI_TRANSIT_NETMASK%><br />
gateway <%DMVPN_WIFI_TRANSIT_IP_ADDRESS%><br />
<br />
auto eth2<br />
iface eth2 inet static<br />
address <%WIFI_MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set a root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Set up ACF for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{Todo|Need to add proxy settings and also and confirm where this container should look for packages}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9805
Small Office Services
2014-01-22T14:05:45Z
<p>Cewebb: Removing use of Web Proxy container</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing, the recommended minimum Alpine version for the host box running the containers is 2.7.3 (64-bit).}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
bond-updelay 500<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the base policy for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and configure iptables to start automatically at boot<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate -f<br />
rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|To leave the container console press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN's awall policy so that the proxy can reach the Internet<br />
{{Note|This file is created on the DMVPN host, not inside the container. The zones <code>B</code> and <code>E</code> and the variable <code>$WEB_PROXY</code> are the ones defined in the DMVPN's awall configuration.}}<br />
{{cat|/etc/awall/optional/internet-host.json|<br />
{<br />
"description": "Web proxy to Internet",<br />
<br />
"filter": [<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Enable it on the DMVPN host and reload the firewall<br />
{{Cmd|awall enable internet-host<br />
awall activate}}<br />
<br />
Configure remote administration. Password logins are disabled below, so put your public key in /root/.ssh/authorized_keys before relying on SSH to reach the container.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replacing <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full URI, including the query terms.<br />
# Query strings can carry session tokens and passwords, so restrict<br />
# access to /var/log/squid accordingly<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# User authentication is done by Squark (see url_rewrite_access below);<br />
# this ACL simply matches every client<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
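With Squark doing the filtering, the access log is where policy violations show up. The parser below is an added example for the <code>squark</code> logformat defined above; it is not part of Squid, Squark or this page. It splits each line into the fields of that format, counts TCP_DENIED responses per client, tallies requests per user and lists CONNECT requests to ports outside the SSL_ports ACL, which is what a tunnelling attempt through the proxy looks like in the log. It assumes Squid's habit of writing <code>-</code> for empty fields and that the final <code>%rG</code> column is a single token; the log lines embedded in it are constructed, not recorded traffic.<br />

```python
"""Parse Squid access.log lines in the 'squark' logformat from this page and
report what a proxy operator wants to see: denied requests per client, requests
per user, and CONNECT attempts to ports outside the SSL_ports ACL.

Added example, not part of the Alpine wiki page or of Squid/Squark.  Assumes
Squid's default of logging '-' for empty fields, one request per line.  The
sample lines below are constructed, not real traffic."""

from collections import Counter, namedtuple

# Field order of:
# logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG
LogEntry = namedtuple(
    "LogEntry",
    "time elapsed_ms client squid_status http_status size method url user "
    "hierarchy server_ip mime_type extra",
)

# Same list as 'acl SSL_ports' in squid.conf on this page.
SSL_PORTS = {443, 563, 8004, 9000}


def parse_line(line):
    """Split one squark-format log line into a LogEntry, or None if it does not fit."""
    fields = line.split()
    if len(fields) != 11:
        return None
    ts, tr, client, status, size, method, url, user, hier, mime, extra = fields
    squid_status, _, http_status = status.partition("/")
    hierarchy, _, server_ip = hier.partition("/")
    return LogEntry(
        time=float(ts),
        elapsed_ms=int(tr),
        client=client,
        squid_status=squid_status,
        http_status=int(http_status),
        size=int(size),
        method=method,
        url=url,
        user=None if user == "-" else user,
        hierarchy=hierarchy,
        server_ip=None if server_ip == "-" else server_ip,
        mime_type=None if mime == "-" else mime,
        extra=extra,
    )


def connect_port(url):
    """For a CONNECT request the 'URL' is host:port; return the port or None."""
    host, sep, port = url.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def summarize(lines):
    """Per-client denial counts, per-user request counts and CONNECT attempts to
    ports not in SSL_PORTS (what 'http_access deny CONNECT !SSL_ports' blocks)."""
    denied, by_user, odd_connects = Counter(), Counter(), []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        by_user[entry.user or "(anonymous)"] += 1
        if entry.squid_status.startswith("TCP_DENIED"):
            denied[entry.client] += 1
        if entry.method == "CONNECT" and connect_port(entry.url) not in SSL_PORTS:
            odd_connects.append((entry.client, entry.url, entry.squid_status))
    return {"denied": denied, "by_user": by_user, "odd_connects": odd_connects}


# Constructed sample log lines (not real traffic) in the squark format.
SAMPLE_LOG = """\
1391170800.123    245 10.1.2.50 TCP_MISS/200 5120 GET http://www.example.net/index.html alice HIER_DIRECT/93.184.216.34 text/html -
1391170801.456      0 10.1.2.51 TCP_DENIED/403 3500 GET http://blocked.example.com/ - HIER_NONE/- text/html -
1391170802.789     12 10.1.2.51 TCP_DENIED/403 3500 CONNECT 10.1.2.1:22 - HIER_NONE/- text/html -
1391170803.001    980 10.1.2.50 TCP_TUNNEL/200 8800 CONNECT mail.example.net:443 alice HIER_DIRECT/93.184.216.35 - -
this line is garbage and is skipped
"""

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    report = summarize(source)
    for client, n in report["denied"].most_common():
        print("denied %4d  %s" % (n, client))
    for client, url, status in report["odd_connects"]:
        print("CONNECT to non-SSL port: %s -> %s (%s)" % (client, url, status))
```

Run it as <code>python3 squark-log.py /var/log/squid/access.log</code>; a client that keeps appearing under both headings is probing for a way out through the proxy rather than browsing.<br />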
<br />
Create the list files referenced by the ACLs (/etc/squid/alloweduserdomains, /etc/squid/allowedserviceshosts, /etc/squid/allowedservicesdomains, /etc/squid/anonbrowserlist, /etc/squid/anoniplist and /etc/squid/anondomainlist), one entry per line; Squid refuses to start when a file named in an ACL is missing.<br />
<br />
Configure /etc/lighttpd/lighttpd.conf, replacing <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
# mod_alias is needed for the /cgi-bin/ alias defined in mod_cgi.conf<br />
server.modules = (<br />
"mod_access",<br />
"mod_alias",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to give the netserv container an interface on each of the management, WiFi and voice VLANs<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
# The interface names must match /etc/network/interfaces inside the container<br />
# (eth0 = management, eth1 = WiFi, eth2 = voice)<br />
<br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth0<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth1<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth2<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|To leave the container console press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto eth0<br />
iface eth0 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
up ip address add <%MANAGEMENT_IP_ADDRESS2%>/26 dev eth0<br />
<br />
#WiFi VLAN<br />
auto eth1<br />
iface eth1 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
#Voice VLAN<br />
auto eth2<br />
iface eth2 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dhcp.json|<br />
{<br />
"description": "DHCP",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dhcp",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/dns.json|<br />
{<br />
"description": "DNS",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "dns",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable dhcp<br />
awall enable dns<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
# default gateway for WiFi clients: the wifi container's address on this VLAN<br />
option routers <%WIFI_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (nsd is installed further below)<br />
{{Cmd|apk add unbound}}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound. Unbound is the recursive resolver for the WiFi and Voice networks: it answers only clients from the listed ranges (everything else is refused) and forwards the internal zones to their authoritative servers, office.example.net going to the nsd instance configured below.<br />
{{cat|/etc/unbound/unbound.conf|<br />
<pre><br />
# Recursive DNS configuration<br />
<br />
server:<br />
    # Listen on the WiFi and Voice addresses only; the second management<br />
    # address is left to nsd<br />
    interface: <%NETSERV_WIFI_IP_ADDRESS%><br />
    interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
    do-not-query-localhost: no<br />
    verbosity: 1<br />
    do-ip4: yes<br />
    do-ip6: no<br />
    do-udp: yes<br />
    do-tcp: yes<br />
    do-daemonize: yes<br />
    # Only the office networks may query (adjust to your addressing plan)<br />
    access-control: 10.1.0.0/16 allow<br />
    access-control: 127.0.0.0/8 allow<br />
<br />
    # use the root.hints file to determine where to send DNS queries outside of network<br />
    root-hints: "/etc/unbound/root.hints"<br />
<br />
# Local zone, served by the nsd instance configured below<br />
stub-zone:<br />
    name: "office.example.net"<br />
    stub-addr: <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
<br />
# Other internal zones and their authoritative servers<br />
stub-zone:<br />
    name: "example.net"<br />
    stub-addr: 172.16.255.1<br />
    stub-addr: 172.16.255.2<br />
    stub-addr: 172.16.255.3<br />
    stub-addr: 172.16.255.4<br />
    stub-addr: 172.16.255.5<br />
    stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
    name: "example2.net"<br />
    stub-addr: 172.16.255.1<br />
    stub-addr: 172.16.255.2<br />
    stub-addr: 172.16.255.3<br />
    stub-addr: 172.16.255.4<br />
    stub-addr: 172.16.255.5<br />
    stub-addr: 172.16.255.7<br />
</pre><br />
}}<br />
Start Unbound, add it to the default runlevel, and point the container's own resolver at it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd to serve the office zone on the second management address<br />
{{cat|/etc/nsd/nsd.conf|<br />
<pre><br />
server:<br />
    ip-address: <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
    port: 53<br />
    server-count: 1<br />
    ip4-only: yes<br />
    # do not reveal software version or identity to version.bind queries<br />
    hide-version: yes<br />
    identity: ""<br />
    zonesdir: "/etc/nsd"<br />
<br />
zone:<br />
    name: office.example.net<br />
    zonefile: office.example.net.zone<br />
</pre><br />
}}<br />
<br />
Create the zone file referenced by nsd.conf<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn], increase on every change<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
; Name servers: ns1 is this container's nsd instance<br />
@ NS ns1<br />
ns1 IN A <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
<br />
; A records for SIP devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
; NAPTR record: SIP over UDP, resolved through the SRV record below<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
; SIP SRV records: every target must have an A record above<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
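Because the SIP phones find their registrar through the NAPTR and SRV records, a dangling target (an SRV pointing at a host without an A record, or a NAPTR replacement that names no SRV) silently breaks registration, and nsd-checkconf only validates the daemon configuration, not the zone's internal consistency. The following checker is an added example, not part of NSD or of this page: it parses a zone like the one above, qualifies relative names against $ORIGIN, and reports NS, SRV and NAPTR targets that do not resolve within the zone, plus an SOA serial that is not in yyyymmddnn form. It handles only the record types used here; the embedded sample zone is constructed, with example addresses in place of the placeholders.<br />

```python
"""Consistency check for a small nsd zone file.

Added example, not part of NSD or of the Alpine wiki page.  Understands
$ORIGIN/$TTL and the SOA, NS, A, SRV and NAPTR records used by the
office.example.net zone; reports SOA/NS/SRV targets with no address record
in the zone, NAPTR "s" replacements that name no SRV record, and an SOA
serial that is not yyyymmddnn.  The sample zone is constructed, with example
addresses in place of the page's placeholders."""

import re


def qualify(name, origin):
    """Make a relative owner or target name absolute."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text):
    """Return (origin, [(owner, rtype, rdata_tokens), ...]).
    Strips ';' comments and joins parenthesised multi-line RDATA (the SOA)."""
    origin, records, buf, depth, last_owner = ".", [], [], 0, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth > 0:
            continue                      # still inside ( ... )
        logical, buf = " ".join(buf), []
        if logical.startswith("$ORIGIN"):
            origin = logical.split()[1]
            continue
        if logical.startswith("$TTL"):
            continue
        tokens = re.findall(r'"[^"]*"|\S+', logical)
        if logical[0].isspace():          # owner omitted: reuse the previous one
            owner = last_owner
        else:
            owner = last_owner = qualify(tokens.pop(0), origin)
        if tokens and tokens[0] == "IN":
            tokens.pop(0)
        records.append((owner, tokens[0], tokens[1:]))
    return origin, records


def check_zone(text):
    """Return a list of problems; an empty list means the zone is consistent."""
    origin, records = parse_zone(text)
    has_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    srv_names = {o for o, t, _ in records if t == "SRV"}
    problems = []
    for owner, rtype, rdata in records:
        if rtype == "SOA":
            if not re.fullmatch(r"20\d{8}", rdata[2]):
                problems.append("SOA serial %s is not yyyymmddnn" % rdata[2])
            if qualify(rdata[0], origin) not in has_addr:
                problems.append("SOA primary %s has no A record" % rdata[0])
        elif rtype == "NS" and qualify(rdata[0], origin) not in has_addr:
            problems.append("NS target %s has no A record" % rdata[0])
        elif rtype == "SRV" and qualify(rdata[3], origin) not in has_addr:
            problems.append("SRV %s target %s has no A record" % (owner, rdata[3]))
        elif rtype == "NAPTR" and rdata[2] == '"s"':
            if qualify(rdata[5], origin) not in srv_names:
                problems.append("NAPTR replacement %s has no SRV record" % rdata[5])
    return problems


# Constructed sample: the zone from this page with example addresses filled in.
SAMPLE_ZONE = """\
$ORIGIN office.example.net.
$TTL 86400

@ IN SOA ns1 admin (
2013032200 ; Serial number [yyyymmddnn]
28800 ; Refresh
7200 ; Retry
864000 ; Expire
86400 ; Min TTL
)

@ NS ns1
ns1 IN A 10.1.3.66

sip IN A 10.1.11.10
vmail IN A 10.1.11.11

@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    print("\n".join(check_zone(text) or ["zone is consistent"]))
```

Run <code>python3 zonecheck.py /etc/nsd/office.example.net.zone</code> after every edit, before bumping the serial and reloading nsd.<br />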
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|To leave the container console press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
==Install and Configure Postgresql==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf so that PostgreSQL listens only on the SIP container's address and logs through syslog. The firewall policies above do not open port 5432, so the database remains reachable from this container only.<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
== Install Kamailio ==<br />
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio<br />
<br />
= Install the B2BUA container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n b2bua -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.b2bua}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/b2bua/config, to reflect the network for the B2BUA container<br />
<br />
{{cat|/var/lib/lxc/b2bua/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.b2bua start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.b2bua}}<br />
<br />
== Enter the B2BUA container ==<br />
{{Cmd|lxc-console -n b2bua}}<br />
Login as root<br />
{{Note|To leave the container console press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%B2BUA_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip-track.json|<br />
{<br />
<br />
"description": "Phone system with SIP connection tracking",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Enable and activate firewall policies, and configure iptables to start at boot<br />
{{Cmd|awall enable base<br />
awall enable sip-track<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure Freeswitch ==<br />
Install the package<br />
{{Cmd|apk add freeswitch}}<br />
<br />
Configure /etc/freeswitch/freeswitch.xml<br />
{{cat|/etc/freeswitch/freeswitch.xml|<br />
<pre><br />
<?xml version="1.0"?><br />
<document type="freeswitch/xml"><br />
<br />
<!-- Variables we need to set --><br />
<br />
<X-PRE-PROCESS cmd="set" data="b2bua=<%B2BUA_IP_ADDRESS%>"/><br />
<X-PRE-PROCESS cmd="set" data="domain=office.example.net"/><br />
<X-PRE-PROCESS cmd="set" data="siprouter=office.example.net"/><br />
<br />
<!-- Variables we don't need to set --><br />
<br />
<!-- External SIP Profile --><br />
<X-PRE-PROCESS cmd="set" data="external_sip_port=5060"/><br />
<!-- Global codecs --><br />
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/><br />
<!-- Outbound codecs --><br />
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/><br />
<br />
<section name="configuration" description="Various Configuration"><br />
<br />
<configuration name="modules.conf" description="Modules"><br />
<modules><br />
<load module="mod_commands"/><br />
<load module="mod_console"/><br />
<load module="mod_dptools"/><br />
<load module="mod_dialplan_xml"/><br />
<load module="mod_event_socket"/><br />
<load module="mod_logfile"/><br />
<load module="mod_sofia"/><br />
</modules><br />
</configuration><br />
<br />
<configuration name="console.conf" description="Console Logger"><br />
<mappings><br />
<map name="all" value="console,debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
<settings><br />
<param name="loglevel" value="info"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="logfile.conf" description="File Logging"><br />
<settings><br />
<param name="rotate-on-hup" value="true"/><br />
</settings><br />
<profiles><br />
<profile name="default"><br />
<settings><br />
<param name="rollover" value="10485760"/><br />
</settings><br />
<mappings><br />
<map name="all" value="debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
</profile><br />
</profiles><br />
</configuration><br />
<br />
<configuration name="sofia.conf" description="sofia Endpoint"><br />
<global_settings><br />
<param name="log-level" value="0"/><br />
<param name="debug-presence" value="0"/><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="log-auth-failures" value="false"/><br />
<param name="forward-unsolicited-mwi-notify" value="false"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="5060"/><br />
<param name="dialplan" value="XML"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="tls" value="false"/><br />
<param name="nonce-ttl" value="60"/><br />
<!-- No SIP authentication is performed here: anything that can reach port 5060 on the voice VLAN<br />
can place calls through this B2BUA, so the VLAN separation and the awall policy above are the<br />
only access controls --><br />
<param name="auth-calls" value="false"/><br />
<param name="auth-all-packets" value="false"/><br />
<param name="rtp-timeout-sec" value="300"/><br />
<param name="rtp-hold-timeout-sec" value="1800"/><br />
<param name="challenge-realm" value="auto_from"/><br />
</global_settings><br />
<br />
<profiles><br />
<profile name="$${domain}"><br />
<domains><br />
<domain name="all" alias="false" parse="true"/><br />
</domains><br />
<settings><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="$${external_sip_port}"/><br />
<param name="dialplan" value="XML"/><br />
<param name="context" value="default"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/><br />
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="local-network-acl" value="rfc1918.auto"/><br />
<param name="manage-presence" value="false"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="rtp-ip" value="$${b2bua}"/><br />
<param name="sip-ip" value="$${b2bua}"/><br />
<param name="tls" value="false"/><br />
</settings><br />
</profile> <br />
</profiles> <br />
<br />
</configuration><br />
<br />
<configuration name="switch.conf" description="Core Configuration"><br />
<br />
<cli-keybindings><br />
<key name="1" value="help"/><br />
<key name="2" value="status"/><br />
<key name="3" value="show channels"/><br />
<key name="4" value="show calls"/><br />
<key name="5" value="sofia status"/><br />
<key name="6" value="reloadxml"/><br />
</cli-keybindings><br />
<br />
<settings><br />
<param name="colorize-console" value="true"/><br />
<param name="max-sessions" value="1000"/><br />
<param name="sessions-per-second" value="30"/><br />
<param name="loglevel" value="debug"/><br />
<param name="dump-cores" value="yes"/><br />
<param name="rtp-enable-zrtp" value="false"/><br />
<param name="rtp-start-port" value="13000"/><br />
<param name="rtp-end-port" value="18000"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="post_load_modules.conf" description="Post-load modules"/><br />
<br />
</section><br />
<br />
<!-- Incoming Calls --><br />
<section name="dialplan" description="Regex/XML Dialplan"><br />
<context name="default"><br />
<extension name="b2b-in"><br />
<condition field="destination_number" expression="^(\d*)$"><br />
<action application="set" data="ringback=%(2000,4000,440.0,480.0)"/><br />
<action application="set" data="hangup_after_bridge=true"/><br />
<action application="set" data="continue_on_fail=true"/><br />
<action application="set" data="ignore_early_media=true"/> <br />
<action application="set" data="bypass_media=true"/> <br />
<action application="answer"/><br />
<action application="sleep" data="1000"/><br />
<action application="unset" data="sip_h_P-ARP"/><br />
<action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/><br />
</condition><br />
</extension><br />
</context> <br />
</section><br />
</document><br />
</pre><br />
}}<br />
Start FreeSWITCH and configure it to start at boot<br />
{{Cmd|/etc/init.d/freeswitch start<br />
rc-update add freeswitch}}<br />
= Install the wifi Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n wifi -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.wifi}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/wifi/config, to reflect the network for the wifi container<br />
<br />
{{cat|/var/lib/lxc/wifi/config|<br />
...<br />
lxc.network.link {{=}} bond0.701<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.wifi start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.wifi}}<br />
<br />
== Enter the wifi container ==<br />
{{Cmd|lxc-console -n wifi}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WIFI_IP_ADDRESS%><br />
netmask <%VPNc_WIFI_NETMASK%><br />
<br />
auto eth1<br />
iface eth1 inet static<br />
address <%WIFI_TRANSIT_IP_ADDRESS%><br />
netmask <%WIFI_TRANSIT_NETMASK%><br />
gateway <%DMVPN_WIFI_TRANSIT_IP_ADDRESS%><br />
<br />
auto eth2<br />
iface eth2 inet static<br />
address <%WIFI_MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set a root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Set up ACF for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{Todo|Need to add proxy settings and also confirm where this container should look for packages}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9798
Small Office Services
2014-01-21T21:19:55Z
<p>Cewebb: </p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming'' '''none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming'' '''UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|'''http://<%DMVPN_LAN_IP%>:8080'''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming'' '''openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming'' '''chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming'' '''usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming'' '''/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
bond-updelay 500<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
Writing to /proc/sys takes effect immediately but does not survive a reboot; to keep forwarding enabled, also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf, which is applied at boot and saved by lbu commit.<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure the firewall to start automatically when the host boots<br />
{{Cmd| rc-update add awall}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN awall policy to allow this proxy out to the internet<br />
{{Note| this is to be configured on the DMVPN awall config}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
},<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set a root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Set up ACF for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access hosts listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make the 'squid' and 'lighttpd' users members of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks for the netserv container<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto eth0<br />
iface eth0 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
up ip address add <%MANAGEMENT_IP_ADDRESS2%>/26 dev eth0<br />
<br />
#WiFi VLAN<br />
auto eth1<br />
iface eth1 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
#Voice VLAN<br />
auto eth2<br />
iface eth2 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set a root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Set up ACF for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Todo|Need to setup Firewall rules}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package<br />
{{Cmd|apk add unbound}}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
With your favorite editor, create a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_WIFI_IP_ADDRESS%><br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
}}<br />
Start Unbound and allow the container to use it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Create the nsd configuration<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Create the zone file referenced by nsd.conf (the SOA primary and SRV targets must resolve, so ns1 and vmail each get an A record)<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record pointing at the SIP SRV records below<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Records<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set a root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Set up ACF for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure PostgreSQL ==<br />
Install the PostgreSQL package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Edit /var/lib/postgresql/9.3/data/postgresql.conf so that the 'listen_addresses' and 'log_destination' variables read:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
== Install Kamailio ==<br />
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio<br />
<br />
= Install the B2BUA Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n b2bua -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.b2bua}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/b2bua/config, to reflect the network for the B2BUA container<br />
<br />
{{cat|/var/lib/lxc/b2bua/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.b2bua start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.b2bua}}<br />
<br />
== Enter the B2BUA container ==<br />
{{Cmd|lxc-console -n b2bua}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%B2BUA_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Set up ACF for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
Create the policies for the firewall <br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip-track.json|<br />
{<br />
<br />
"description": "Phone system with SIP connection tracking",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Enable and activate firewall policies, and configure iptables to start at boot<br />
{{Cmd|awall enable base<br />
awall enable sip-track<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure Freeswitch ==<br />
Install package<br />
{{Cmd|Install Freeswitch Package}}<br />
<br />
Configure /etc/freeswitch/freeswitch.xml<br />
{{cat|/etc/freeswitch/freeswitch.xml|<br />
<pre><br />
<?xml version="1.0"?><br />
<document type="freeswitch/xml"><br />
<br />
<!-- Variables we need to set --><br />
<br />
<X-PRE-PROCESS cmd="set" data="b2bua=<%B2BUA_IP_ADDRESS%>"/><br />
<X-PRE-PROCESS cmd="set" data="domain=office.example.net"/><br />
<X-PRE-PROCESS cmd="set" data="siprouter=office.example.net"/><br />
<br />
<!-- Variables we don't need to set --><br />
<br />
<!-- External SIP Profile --><br />
<X-PRE-PROCESS cmd="set" data="external_sip_port=5060"/><br />
<!-- Global codecs --><br />
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/><br />
<!-- Outbound codecs --><br />
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/><br />
<br />
<section name="configuration" description="Various Configuration"><br />
<br />
<configuration name="modules.conf" description="Modules"><br />
<modules><br />
<load module="mod_commands"/><br />
<load module="mod_console"/><br />
<load module="mod_dptools"/><br />
<load module="mod_dialplan_xml"/><br />
<load module="mod_event_socket"/><br />
<load module="mod_logfile"/><br />
<load module="mod_sofia"/><br />
</modules><br />
</configuration><br />
<br />
<configuration name="console.conf" description="Console Logger"><br />
<mappings><br />
<map name="all" value="console,debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
<settings><br />
<param name="loglevel" value="info"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="logfile.conf" description="File Logging"><br />
<settings><br />
<param name="rotate-on-hup" value="true"/><br />
</settings><br />
<profiles><br />
<profile name="default"><br />
<settings><br />
<param name="rollover" value="10485760"/><br />
</settings><br />
<mappings><br />
<map name="all" value="debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
</profile><br />
</profiles><br />
</configuration><br />
<br />
<configuration name="sofia.conf" description="sofia Endpoint"><br />
<global_settings><br />
<param name="log-level" value="0"/><br />
<param name="debug-presence" value="0"/><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="log-auth-failures" value="false"/><br />
<param name="forward-unsolicited-mwi-notify" value="false"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="5060"/><br />
<param name="dialplan" value="XML"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="tls" value="false"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="auth-all-packets" value="false"/><br />
<param name="rtp-timeout-sec" value="300"/><br />
<param name="rtp-hold-timeout-sec" value="1800"/><br />
<param name="challenge-realm" value="auto_from"/><br />
</global_settings><br />
<br />
<profiles><br />
<profile name="$${domain}"><br />
<domains><br />
<domain name="all" alias="false" parse="true"/><br />
</domains><br />
<settings><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="$${external_sip_port}"/><br />
<param name="dialplan" value="XML"/><br />
<param name="context" value="default"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/><br />
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="local-network-acl" value="rfc1918.auto"/><br />
<param name="manage-presence" value="false"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="rtp-ip" value="$${b2bua}"/><br />
<param name="sip-ip" value="$${b2bua}"/><br />
<param name="tls" value="false"/><br />
</settings><br />
</profile> <br />
</profiles> <br />
<br />
</configuration><br />
<br />
<configuration name="switch.conf" description="Core Configuration"><br />
<br />
<cli-keybindings><br />
<key name="1" value="help"/><br />
<key name="2" value="status"/><br />
<key name="3" value="show channels"/><br />
<key name="4" value="show calls"/><br />
<key name="5" value="sofia status"/><br />
<key name="6" value="reloadxml"/><br />
</cli-keybindings><br />
<br />
<settings><br />
<param name="colorize-console" value="true"/><br />
<param name="max-sessions" value="1000"/><br />
<param name="sessions-per-second" value="30"/><br />
<param name="loglevel" value="debug"/><br />
<param name="dump-cores" value="yes"/><br />
<param name="rtp-enable-zrtp" value="false"/><br />
<param name="rtp-start-port" value="13000"/><br />
<param name="rtp-end-port" value="18000"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="post_load_modules.conf" description="Post-load modules"/><br />
<br />
</section><br />
<br />
<!-- Incoming Calls --><br />
<section name="dialplan" description="Regex/XML Dialplan"><br />
<context name="default"><br />
<extension name="b2b-in"><br />
<condition field="destination_number" expression="^(\d*)$"><br />
<action application="set" data="ringback=%(2000,4000,440.0,480.0)"/><br />
<action application="set" data="hangup_after_bridge=true"/><br />
<action application="set" data="continue_on_fail=true"/><br />
<action application="set" data="ignore_early_media=true"/> <br />
<action application="set" data="bypass_media=true"/> <br />
<action application="answer"/><br />
<action application="sleep" data="1000"/><br />
<action application="unset" data="sip_h_P-ARP"/><br />
<action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/><br />
</condition><br />
</extension><br />
</context> <br />
</section><br />
</document><br />
</pre><br />
}}<br />
Start FreeSWITCH and configure it to start at boot<br />
{{Cmd|/etc/init.d/freeswitch start<br />
rc-update add freeswitch}}<br />
= Install the wifi Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n wifi -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.wifi}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/wifi/config, to reflect the network for the wifi container<br />
<br />
{{cat|/var/lib/lxc/wifi/config|<br />
...<br />
lxc.network.link {{=}} bond0.701<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.wifi start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.wifi}}<br />
<br />
== Enter the wifi container ==<br />
{{Cmd|lxc-console -n wifi}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WIFI_IP_ADDRESS%><br />
netmask <%VPNc_WIFI_NETMASK%><br />
<br />
auto eth1<br />
iface eth1 inet static<br />
address <%WIFI_TRANSIT_IP_ADDRESS%><br />
netmask <%WIFI_TRANSIT_NETMASK%><br />
gateway <%DMVPN_WIFI_TRANSIT_IP_ADDRESS%><br />
<br />
auto eth2<br />
iface eth2 inet static<br />
address <%WIFI_MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Set up ACF for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
==Setup Firewall==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{Todo|Need to add proxy settings and also confirm where this container should look for packages}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9796
Small Office Services
2014-01-21T13:28:41Z
<p>Cewebb: /* Install and Configure DHCP and DNS services */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Enter'' '''none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
bond-updelay 500<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure the firewall to be activated automatically when the host boots<br />
{{Cmd| rc-update add awall}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
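The lxc.cap.drop lines above are the host-side capability baseline every container should inherit; a container whose config was edited by hand can silently lose one. The following POSIX sh script is an added example, not code from the wiki page or from the LXC project: it reads a container config, collects the capabilities named on its lxc.cap.drop lines, and reports any entry from the baseline in default.conf that is not dropped. The sample container config it checks is constructed inline, with the last lxc.cap.drop line deliberately left out.<br />

```shell
#!/bin/sh
# Added example (not from the wiki page or the LXC project): audit a
# container config against the capability drop list in default.conf above.

# Baseline: the lxc.cap.drop entries from the page's /etc/lxc/default.conf.
BASELINE_CAPS="sys_admin audit_control audit_write fsetid ipc_lock
ipc_owner lease linux_immutable mac_admin mac_override
mknod setfcap setpcap sys_module sys_nice sys_pacct
sys_ptrace sys_rawio sys_tty_config sys_time"

# Print every capability named on an lxc.cap.drop line of config $1,
# one per line, deduplicated. Comment lines never match the pattern.
dropped_caps() {
    sed -n 's/^[[:space:]]*lxc\.cap\.drop[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ' ' '\n' | grep -v '^$' | sort -u
}

# Print the baseline capabilities that config $1 does not drop, one per
# line, in baseline order. Returns 0 when nothing is missing, 1 otherwise.
missing_caps() {
    have=$(dropped_caps "$1")
    missing=""
    for cap in $BASELINE_CAPS; do
        if ! printf '%s\n' "$have" | grep -qx "$cap"; then
            missing="$missing $cap"
        fi
    done
    if [ -n "$missing" ]; then
        printf '%s\n' $missing
        return 1
    fi
    return 0
}

# Constructed sample: a container config (lxc.network lines as on the page)
# whose last lxc.cap.drop line was left out, so four capabilities remain.
write_sample_config() {
    cat > "$1" <<'EOF'
lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.link = bond0.101
lxc.network.name = eth0

## Restrict capabilities of the containers
lxc.cap.drop = sys_admin audit_control audit_write fsetid ipc_lock
lxc.cap.drop = ipc_owner lease linux_immutable mac_admin mac_override
lxc.cap.drop = mknod setfcap setpcap sys_module sys_nice sys_pacct
EOF
}

# Usage on the host: sh lxc-cap-audit.sh /var/lib/lxc/webproxy/config
# Exit status 1 plus a list of names means the container keeps a
# capability the baseline says it should not have.
if [ $# -eq 1 ]; then
    missing_caps "$1" && echo "ok: all baseline capabilities dropped"
fi
```

Run it against each /var/lib/lxc/<name>/config after editing; an empty result with exit status 0 means the container matches the baseline.<br />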
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add rule to DMVPN awall policy to allow this proxy out to the internet<br />
{{Note| this is to be configured on the DMVPN awall config}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
},<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Set up ACF for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access hosts listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
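Squid evaluates http_access lines top to bottom and stops at the first match, so the order in the file above is what makes it safe: the deny !Safe_ports and deny CONNECT !SSL_ports guards must precede the zone allows, and deny all must be the last http_access line. The POSIX sh script below is an added check, not code from the wiki page or from the Squid project. It extracts the http_access lines from a squid.conf and flags a missing guard, an allow placed above the guards, or a line left below deny all. Allows that name the localhost ACL (the page's manager and purge rules) are treated as administrative exceptions; that exemption is this script's assumption, not a Squid rule. Both sample configurations are constructed inline.<br />

```shell
#!/bin/sh
# Added example (not from the wiki page or the Squid project): lint the
# order of http_access lines in a squid.conf. Squid stops at the first
# matching http_access line, so order decides what gets through.

# Print the http_access directives of $1 in file order, comments stripped
# and the leading keyword removed, e.g. "deny CONNECT !SSL_ports".
http_access_rules() {
    sed -e 's/#.*//' "$1" \
        | awk '$1 == "http_access" { $1 = ""; sub(/^ +/, ""); print }'
}

# Checks, printing one finding per line and returning 1 if any fired:
#  - "deny !Safe_ports" and "deny CONNECT !SSL_ports" are present
#  - "deny all" is present and is the last http_access line
#  - no allow line precedes the two port guards, except rules naming the
#    localhost ACL (assumed here to be administrative exceptions)
lint_http_access() {
    http_access_rules "$1" | awk '
        {
            n++; rule[n] = $0; verb[n] = $1; loc[n] = 0
            for (j = 2; j <= NF; j++) if ($j == "localhost") loc[n] = 1
            if ($1 == "deny" && $2 == "!Safe_ports") safe = n
            if ($1 == "deny" && $2 == "CONNECT" && $3 == "!SSL_ports") conn = n
            if ($1 == "deny" && $2 == "all") denyall = n
        }
        END {
            if (!safe)    { print "missing: deny !Safe_ports"; bad++ }
            if (!conn)    { print "missing: deny CONNECT !SSL_ports"; bad++ }
            if (!denyall) { print "missing: deny all"; bad++ }
            else if (denyall != n) { print "unreachable: http_access lines after deny all"; bad++ }
            for (i = 1; i <= n; i++) {
                if (verb[i] != "allow" || loc[i]) continue
                if ((safe && i < safe) || (conn && i < conn)) {
                    print "allow before port guards: " rule[i]; bad++
                }
            }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample with the page's ordering (only the http_access lines
# matter to the lint; the acl definitions are omitted).
write_page_order_config() {
    cat > "$1" <<'EOF'
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow Zone_B Zone_B_AllowedUserDomains
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains
http_access deny all
http_reply_access allow all
EOF
}

# Constructed sample with two ordering mistakes: a zone allow moved above
# the port guards, and a second allow left below deny all.
write_misordered_config() {
    cat > "$1" <<'EOF'
http_access allow manager localhost
http_access deny manager
http_access allow Zone_B Zone_B_AllowedUserDomains
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains
EOF
}

# Usage: sh squid-access-lint.sh /etc/squid/squid.conf
if [ $# -eq 1 ]; then
    lint_http_access "$1" && echo "ok: http_access ordering looks sane"
fi
```

Run it before every squid reload; a non-zero exit with a printed finding means a request can reach a port or destination that the intended rule set would have blocked, or that a rule can never match.<br />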
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make the 'squid' and 'lighttpd' users members of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks for the netserv container<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto eth0<br />
iface eth0 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
up ip address add <%MANAGEMENT_IP_ADDRESS2%>/26 dev eth0<br />
<br />
#WiFi VLAN<br />
auto eth1<br />
iface eth1 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
#Voice VLAN<br />
auto eth2<br />
iface eth2 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
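The two sed commands above (used for every container on this page) only rewrite a commented-out line such as "#PasswordAuthentication yes": the leading "." must match one character before the keyword, so a directive that is already active at the start of a line is left untouched. The POSIX sh script below is an added example, not code from the wiki page or from OpenSSH. It applies the same rewrite to a constructed sshd_config and then reads back the value sshd would actually use (sshd takes the first uncommented occurrence of a keyword), so a container where the rewrite did not take effect is caught before ssh is started.<br />

```shell
#!/bin/sh
# Added example (not from the wiki page or OpenSSH): apply the page's
# sshd_config rewrite to a file and verify what sshd would actually use.

# The two rewrites from the {{Cmd}} above, applied to the file given as $1.
harden_sshd_config() {
    sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" "$1"
    sed -i "s/.UseDNS yes/UseDNS no/" "$1"
}

# Print the value of keyword $2 that sshd will use from config $1.
# sshd keeps the first uncommented occurrence of a keyword (keywords are
# case-insensitive), so later duplicates do not override it. Prints nothing
# when the keyword is absent; sshd then falls back to its built-in default,
# which for PasswordAuthentication is "yes".
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Returns 0 only if password logins and reverse-DNS lookups are both off.
check_sshd_hardened() {
    [ "$(effective_value "$1" PasswordAuthentication)" = "no" ] || return 1
    [ "$(effective_value "$1" UseDNS)" = "no" ] || return 1
    return 0
}

# Constructed sample shaped like a stock file: both keywords commented out
# with their defaults. This is the case the page's sed is written for.
write_stock_config() {
    cat > "$1" <<'EOF'
Port 22
#PasswordAuthentication yes
#PermitEmptyPasswords no
#UseDNS yes
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
}

# Constructed sample where someone already enabled the directives without a
# leading '#'. The page's pattern needs one character before the keyword,
# so it leaves these lines alone and password logins stay enabled.
write_explicit_yes_config() {
    cat > "$1" <<'EOF'
Port 22
PasswordAuthentication yes
UseDNS yes
EOF
}

# Usage inside a container, after the sed commands above:
#   sh sshd-check.sh /etc/ssh/sshd_config
if [ $# -eq 1 ]; then
    if check_sshd_hardened "$1"; then
        echo "ok: password logins and UseDNS are off"
    else
        echo "NOT hardened: check PasswordAuthentication/UseDNS in $1" >&2
        exit 1
    fi
fi
```

If the check fails, set the two directives explicitly rather than relying on the pattern; on a live container `sshd -T | grep -i passwordauthentication` shows the same effective value from sshd itself.<br />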
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Set up ACF for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Todo|Need to setup Firewall rules}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start the DHCP service and add it to the default runlevel<br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package<br />
{{Cmd|apk add unbound }}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
With your favorite editor, create a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_WIFI_IP_ADDRESS%><br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
}}<br />
Start Unbound and allow the container to use it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Create the nsd configuration<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Create the zone file for nsd (the path matches the zonesdir and zonefile set in nsd.conf above)<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ IN NS ns1<br />
; NS Servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record: points clients at the _sip._udp SRV record set below<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Records<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
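nsd-checkconf only validates nsd.conf; it does not tell you whether the zone's targets line up (the SOA mname and NS host need address records, each SRV target needs one, and a NAPTR with the "s" flag must name an SRV set that exists), and a broken chain shows up only as failed phone lookups. The following is an added example, not part of this page or of nsd, that parses a zone file and reports such dangling targets; the sample zone and its 10.1.70.x addresses are constructed.<br />

```python
"""Dangling-target check for a BIND-style zone such as the nsd zone above.

Added example, not part of the wiki page or of nsd. It parses a zone (one
record per line, a parenthesised SOA may span lines, $ORIGIN/$TTL honoured,
relative names qualified) and reports SOA mname, NS and SRV targets without an
address record and NAPTR "s" replacements without an SRV record set.
"""
import re

CLASSES = ("IN", "CH", "HS")


def qualify(name, origin):
    """Turn a possibly relative owner or target name into an absolute one."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return a list of (owner, type, rdata tokens, origin in effect)."""
    origin, last_owner, buf, leading_ws, records = ".", ".", "", False, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # comments cut at ';' (fine here)
        if not line.strip():
            continue
        if not buf:                      # first physical line of a record
            leading_ws = line[0].isspace()
        buf += " " + line
        if buf.count("(") > buf.count(")"):
            continue                     # still inside a multi-line record
        line, buf = buf.replace("(", " ").replace(")", " ").strip(), ""
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        tokens = re.findall(r'"[^"]*"|\S+', line)
        owner = last_owner if leading_ws else qualify(tokens.pop(0), origin)
        last_owner = owner
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)                # optional TTL and class before the type
        records.append((owner, tokens.pop(0).upper(), tokens, origin))
    return records


def check_zone(text):
    """Return human-readable problems; an empty list means the zone is consistent."""
    records = parse_zone(text)
    types_at = {}
    for owner, rtype, _, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    problems = []

    def need(target, wanted, why):
        if not types_at.get(target, set()) & set(wanted):
            problems.append(f"{why} -> {target}: no {'/'.join(wanted)} record")

    for owner, rtype, rdata, origin in records:
        if rtype == "SOA":
            need(qualify(rdata[0], origin), ("A", "AAAA"), f"SOA mname of {owner}")
        elif rtype == "NS":
            need(qualify(rdata[0], origin), ("A", "AAAA"), f"NS of {owner}")
        elif rtype == "SRV":
            need(qualify(rdata[3], origin), ("A", "AAAA"), f"SRV {owner} target")
        elif rtype == "NAPTR" and rdata[2].strip('"').lower() == "s":
            need(qualify(rdata[5], origin), ("SRV",), f"NAPTR {owner} replacement")
    return problems


# Constructed sample: a first draft of the zone, 10.1.70.x standing in for the
# placeholders. SOA names "ns", vmail is called "map", NAPTR targets do not exist.
ZONE_AS_DRAFTED = """\
$ORIGIN office.example.net.
$TTL 86400
@ IN SOA ns admin (
        2013032200 ; Serial number [yyyymmddnn]
        28800 7200 864000 86400 )
@ NS ns1
ns1 IN A 10.1.70.2
sip IN A 10.1.70.10
map IN A 10.1.70.11
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.sip.office.example.net.
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.vmail.office.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""

# The same zone with every target pointing at a record that exists.
ZONE_FIXED = """\
$ORIGIN office.example.net.
@ IN SOA ns1 admin ( 2013032201 28800 7200 864000 86400 )
@ IN NS ns1
ns1 IN A 10.1.70.2
sip IN A 10.1.70.10
vmail IN A 10.1.70.11
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""
```

Calling check_zone(ZONE_AS_DRAFTED) lists the four dangling targets of the draft, while check_zone(ZONE_FIXED) returns an empty list.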
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure Postgresql ==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Edit /var/lib/postgresql/9.3/data/postgresql.conf and set the 'listen_addresses' and 'log_destination' variables as shown:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
== Install Kamailio ==<br />
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio<br />
<br />
= Install the B2BUA container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n b2bua -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.b2bua}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/b2bua/config, to reflect the network for the B2BUA container<br />
<br />
{{cat|/var/lib/lxc/b2bua/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.b2bua start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.b2bua}}<br />
<br />
== Enter the B2BUA container ==<br />
{{Cmd|lxc-console -n b2bua}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%B2BUA_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
Create the policies for the firewall <br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip-track.json|<br />
{<br />
<br />
"description": "Phone system with SIP connection tracking",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Enable and activate firewall policies, and configure iptables to start at boot<br />
{{Cmd|awall enable base<br />
awall enable sip-track<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure Freeswitch ==<br />
Install the freeswitch package<br />
{{Cmd|apk add freeswitch}}<br />
<br />
Configure /etc/freeswitch/freeswitch.xml<br />
{{cat|/etc/freeswitch/freeswitch.xml|<br />
<pre><br />
<?xml version="1.0"?><br />
<document type="freeswitch/xml"><br />
<br />
<!-- Variables we need to set --><br />
<br />
<X-PRE-PROCESS cmd="set" data="b2bua=<%B2BUA_IP_ADDRESS%>"/><br />
<X-PRE-PROCESS cmd="set" data="domain=office.example.net"/><br />
<X-PRE-PROCESS cmd="set" data="siprouter=office.example.net"/><br />
<br />
<!-- Variables we don't need to set --><br />
<br />
<!-- External SIP Profile --><br />
<X-PRE-PROCESS cmd="set" data="external_sip_port=5060"/><br />
<!-- Global codecs --><br />
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/><br />
<!-- Outbound codecs --><br />
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/><br />
<br />
<section name="configuration" description="Various Configuration"><br />
<br />
<configuration name="modules.conf" description="Modules"><br />
<modules><br />
<load module="mod_commands"/><br />
<load module="mod_console"/><br />
<load module="mod_dptools"/><br />
<load module="mod_dialplan_xml"/><br />
<load module="mod_event_socket"/><br />
<load module="mod_logfile"/><br />
<load module="mod_sofia"/><br />
</modules><br />
</configuration><br />
<br />
<configuration name="console.conf" description="Console Logger"><br />
<mappings><br />
<map name="all" value="console,debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
<settings><br />
<param name="loglevel" value="info"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="logfile.conf" description="File Logging"><br />
<settings><br />
<param name="rotate-on-hup" value="true"/><br />
</settings><br />
<profiles><br />
<profile name="default"><br />
<settings><br />
<param name="rollover" value="10485760"/><br />
</settings><br />
<mappings><br />
<map name="all" value="debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
</profile><br />
</profiles><br />
</configuration><br />
<br />
<configuration name="sofia.conf" description="sofia Endpoint"><br />
<global_settings><br />
<param name="log-level" value="0"/><br />
<param name="debug-presence" value="0"/><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="log-auth-failures" value="false"/><br />
<param name="forward-unsolicited-mwi-notify" value="false"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="5060"/><br />
<param name="dialplan" value="XML"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="tls" value="false"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="auth-all-packets" value="false"/><br />
<param name="rtp-timeout-sec" value="300"/><br />
<param name="rtp-hold-timeout-sec" value="1800"/><br />
<param name="challenge-realm" value="auto_from"/><br />
</global_settings><br />
<br />
<profiles><br />
<profile name="$${domain}"><br />
<domains><br />
<domain name="all" alias="false" parse="true"/><br />
</domains><br />
<settings><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="$${external_sip_port}"/><br />
<param name="dialplan" value="XML"/><br />
<param name="context" value="default"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/><br />
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="local-network-acl" value="rfc1918.auto"/><br />
<param name="manage-presence" value="false"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="rtp-ip" value="$${b2bua}"/><br />
<param name="sip-ip" value="$${b2bua}"/><br />
<param name="tls" value="false"/><br />
</settings><br />
</profile> <br />
</profiles> <br />
<br />
</configuration><br />
<br />
<configuration name="switch.conf" description="Core Configuration"><br />
<br />
<cli-keybindings><br />
<key name="1" value="help"/><br />
<key name="2" value="status"/><br />
<key name="3" value="show channels"/><br />
<key name="4" value="show calls"/><br />
<key name="5" value="sofia status"/><br />
<key name="6" value="reloadxml"/><br />
</cli-keybindings><br />
<br />
<settings><br />
<param name="colorize-console" value="true"/><br />
<param name="max-sessions" value="1000"/><br />
<param name="sessions-per-second" value="30"/><br />
<param name="loglevel" value="debug"/><br />
<param name="dump-cores" value="yes"/><br />
<param name="rtp-enable-zrtp" value="false"/><br />
<param name="rtp-start-port" value="13000"/><br />
<param name="rtp-end-port" value="18000"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="post_load_modules.conf" description="Post-load modules"/><br />
<br />
</section><br />
<br />
<!-- Incoming Calls --><br />
<section name="dialplan" description="Regex/XML Dialplan"><br />
<context name="default"><br />
<extension name="b2b-in"><br />
<condition field="destination_number" expression="^(\d*)$"><br />
<action application="set" data="ringback=%(2000,4000,440.0,480.0)"/><br />
<action application="set" data="hangup_after_bridge=true"/><br />
<action application="set" data="continue_on_fail=true"/><br />
<action application="set" data="ignore_early_media=true"/> <br />
<action application="set" data="bypass_media=true"/> <br />
<action application="answer"/><br />
<action application="sleep" data="1000"/><br />
<action application="unset" data="sip_h_P-ARP"/><br />
<action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/><br />
</condition><br />
</extension><br />
</context> <br />
</section><br />
</document><br />
</pre><br />
}}<br />
Start Freeswitch and configure to start at boot<br />
{{Cmd|/etc/init.d/freeswitch start<br />
rc-update add freeswitch}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9794
Small Office Services
2014-01-21T13:15:23Z
<p>Cewebb: /* Install and Configure DHCP and DNS services */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Enter'' '''none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
bond-updelay 500<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure the firewall to start automatically when the host boots<br />
{{Cmd| rc-update add awall}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN awall policy to allow this proxy out to the internet<br />
{{Note| this is to be configured on the DMVPN awall config}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
},<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
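Squid evaluates the http_access lines above top to bottom and stops at the first line whose ACLs all match, so the order decides whether a request is denied by !Safe_ports, denied as a CONNECT to a non-SSL port, allowed by one of the zone rules, or caught by the closing deny all. The following is an added example, not part of this page or of Squid, that replays that evaluation for sample requests; the 10.1.1.0/24 zone and the allowed-domain and allowed-host entries are constructed stand-ins for the placeholders and list files.<br />

```python
"""First-match simulation of the http_access list in the squid.conf above.

Added example, not part of the wiki page or of Squid. It models only the ACL
kinds that configuration uses (port, method, src, dstdomain and the built-in
localhost/manager) and replaces the list files under /etc/squid with
constructed entries; 10.1.1.0/24 stands in for the <%LAN_SUBNET%> placeholder.
"""
import ipaddress
from urllib.parse import urlsplit


def ports(spec):
    """Expand a Squid port list such as '80 443 1025-65535' into a set."""
    out = set()
    for item in spec.split():
        lo, _, hi = item.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


ACLS = {
    "SSL_ports": ("port", ports("443 563 8004 9000")),
    "Safe_ports": ("port", ports(
        "21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535")),
    "CONNECT": ("method", {"CONNECT"}),
    "purge": ("method", {"PURGE"}),
    "localhost": ("src", [ipaddress.ip_network("127.0.0.0/8")]),
    "manager": ("urlpath_prefix", "/squid-internal-mgr/"),  # built in since Squid 3.2
    "Zone_B": ("src", [ipaddress.ip_network("10.1.1.0/24")]),
    # constructed contents of the /etc/squid/allowed* list files
    "Zone_B_AllowedUserDomains": ("dstdomain", {".example.net"}),
    "Zone_B_AllowedServicesHosts": ("src", [ipaddress.ip_network("10.1.1.200/32")]),
    "Zone_B_AllowedServicesDomains": ("dstdomain", {"updates.example.org"}),
}

# The http_access lines from the page, in file order.
HTTP_ACCESS = [
    ("allow", "manager localhost"),
    ("deny", "manager"),
    ("allow", "purge localhost"),
    ("deny", "purge"),
    ("deny", "!Safe_ports"),
    ("deny", "CONNECT !SSL_ports"),
    ("allow", "Zone_B Zone_B_AllowedUserDomains"),
    ("allow", "Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains"),
    ("deny", "all"),
]


def request(method, url, client):
    """Build a request; CONNECT takes 'host:port', other methods a full URL."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return {"method": method, "host": host.lower(), "port": int(port),
                "path": "", "client": client}
    u = urlsplit(url)
    return {"method": method, "host": u.hostname,
            "port": u.port or (443 if u.scheme == "https" else 80),
            "path": u.path, "client": client}


def acl_matches(name, req):
    """Evaluate one named ACL against a request."""
    if name == "all":
        return True
    kind, value = ACLS[name]
    if kind == "port":
        return req["port"] in value
    if kind == "method":
        return req["method"] in value
    if kind == "src":
        return any(ipaddress.ip_address(req["client"]) in net for net in value)
    if kind == "dstdomain":
        # a leading dot matches the domain and every subdomain, no dot is exact
        host = req["host"]
        return any(host == d or (d.startswith(".") and
                                 (host == d[1:] or host.endswith(d))) for d in value)
    if kind == "urlpath_prefix":
        return req["path"].startswith(value)
    raise ValueError(f"unknown ACL kind {kind}")


def http_access(req):
    """Return (decision, rule) using Squid's first-match semantics."""
    for action, acl_names in HTTP_ACCESS:
        for token in acl_names.split():
            negated = token.startswith("!")
            if acl_matches(token.lstrip("!"), req) == negated:
                break                    # one ACL on this line did not match
        else:
            return action, f"http_access {action} {acl_names}"
    # with no matching line Squid applies the opposite of the last line's action
    return ("allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"), "implicit default"


if __name__ == "__main__":
    for m, u, c in (("GET", "http://intranet.example.net/", "10.1.1.50"),
                    ("CONNECT", "mail.example.net:8443", "10.1.1.50"),
                    ("GET", "http://www.example.org/", "10.1.1.50")):
        print(m, u, c, "->", http_access(request(m, u, c)))
```

Note that a CONNECT to port 8443 passes Safe_ports (it is within 1025-65535) but is still denied, because 8443 is not in SSL_ports; that is the line to extend if a TLS service on another port is needed.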
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the three networks the netserv container serves<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|To leave the container console press {{Key|Ctrl}}+{{Key|a}} followed by {{Key|q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto eth0<br />
iface eth0 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
up ip address add <%MANAGEMENT_IP_ADDRESS2%>/26 dev eth0<br />
<br />
#WiFi VLAN<br />
auto eth1<br />
iface eth1 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
#Voice VLAN<br />
auto eth2<br />
iface eth2 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration. Password logins are disabled below, so place your public key in /root/.ssh/authorized_keys (or keep using lxc-console) before relying on ssh<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Todo|Need to setup Firewall rules}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (nsd is installed further down)<br />
{{Cmd|apk add unbound}}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound. The root-hints file it references must exist, otherwise unbound refuses to start<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_WIFI_IP_ADDRESS%><br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
python:<br />
remote-control:<br />
control-enable: yes<br />
}}<br />
Start Unbound and point the container's own resolver at it. Because the remote-control section above sets control-enable to yes, the control keys must exist first; unbound-control-setup generates them and unbound refuses to start without them<br />
{{Cmd|unbound-control-setup<br />
/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Create the zone file for nsd; its name must match the zonefile entry in nsd.conf, relative to zonesdir<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin ( ; MNAME must be a name server that exists below<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record: with the "s" flag the replacement is the owner name of the<br />
;SRV records below, so it must be _sip._udp under the zone origin<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Record<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
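A phone provisioned from this zone locates its SIP service by the RFC 3263 chain: the NAPTR replacement field names the owner of the SRV records, and every SRV target needs an A record, so a slip at any step (an NAPTR that points at an SRV name that does not exist, an SRV target without an A record, an SOA MNAME that names no host) silently breaks registration while the zone still loads. The Python checker below is an added example, not part of the page or of nsd. It walks that chain over constructed zone text that mirrors the one above, with RFC 5737 documentation addresses in place of the placeholders and the SOA collapsed onto one line for the small parser, and reports the dangling references in both the slipped and the corrected version.<br />

```python
"""Walk the SIP service-location chain (RFC 3263: NAPTR -> SRV -> A) over a
set of zone records and flag dangling references.

Added example for the office.example.net zone; the records are constructed
to mirror it, with RFC 5737 addresses in place of the <%...%> placeholders.
"""
from collections import defaultdict


def fqdn(name, origin):
    """Make a zone-file name absolute and lower-case relative to `origin`."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Minimal parser for the subset of zone syntax used here: $ORIGIN/$TTL,
    one-line records, optional IN class, relative or absolute names.
    Returns {(owner_fqdn, rtype): [rdata_tuple, ...]}."""
    recs = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, *parts = line.split()
        if parts and parts[0] == "IN":
            parts = parts[1:]
        rtype, rdata = parts[0], parts[1:]
        recs[(fqdn(owner, origin), rtype)].append(tuple(rdata))
    return recs


def resolve_sip(recs, domain):
    """Follow NAPTR -> SRV -> A for `domain`.  Returns the (host, port, ip)
    triples a phone would end up with, and the problems met on the way."""
    targets, problems = [], []
    for order, pref, flags, service, regexp, replacement in recs.get((domain, "NAPTR"), []):
        if flags.strip('"').lower() != "s":       # only the 's' flag is used on this page
            problems.append(f"NAPTR flag {flags} not handled")
            continue
        srv_owner = fqdn(replacement, domain)
        srvs = recs.get((srv_owner, "SRV"), [])
        if not srvs:
            problems.append(f"NAPTR -> {srv_owner}: no SRV record")
            continue
        for prio, weight, port, target in srvs:
            host = fqdn(target, domain)
            ips = recs.get((host, "A"), [])
            if not ips:
                problems.append(f"SRV -> {host}: no A record")
            for (ip,) in ips:
                targets.append((host, int(port), ip))
    return targets, problems


def check_targets(recs, origin):
    """Every name a record points at (SOA MNAME, NS, SRV target) needs an A record."""
    problems = []
    for (owner, rtype), rdatas in recs.items():
        refs = []
        if rtype == "SOA":
            refs = [("SOA MNAME", rdatas[0][0])]
        elif rtype == "NS":
            refs = [("NS", r[0]) for r in rdatas]
        elif rtype == "SRV":
            refs = [("SRV target", r[3]) for r in rdatas]
        for label, name in refs:
            host = fqdn(name, origin)
            if not recs.get((host, "A")):
                problems.append(f"{label} {host}: no A record")
    return problems


ORIGIN = "office.example.net."

# Constructed: the zone with the slips (SOA MNAME 'ns', A record named 'map',
# NAPTRs pointing at SRV names that do not exist).
BROKEN = """\
$ORIGIN office.example.net.
$TTL 86400
@ IN SOA ns admin 2013032200 28800 7200 864000 86400
@ NS ns1
ns1 IN A 192.0.2.2
sip IN A 192.0.2.10
map IN A 192.0.2.11
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.sip.office.example.net.
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.vmail.office.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""

# Constructed: the same zone with the references made consistent.
FIXED = """\
$ORIGIN office.example.net.
$TTL 86400
@ IN SOA ns1 admin 2013032200 28800 7200 864000 86400
@ NS ns1
ns1 IN A 192.0.2.2
sip IN A 192.0.2.10
vmail IN A 192.0.2.11
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        recs = parse_zone(text, ORIGIN)
        print(label, resolve_sip(recs, ORIGIN), check_targets(recs, ORIGIN))
```

Run against the real zone after substituting the placeholders; an empty problem list from both functions, and two (host, 5060, address) triples from resolve_sip, is what a phone on the voice VLAN needs to find the SIP proxy and the voicemail host.<br />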
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
nsd-control-setup<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|To leave the container console press {{Key|Ctrl}}+{{Key|a}} followed by {{Key|q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration. Password logins are disabled below, so place your public key in /root/.ssh/authorized_keys (or keep using lxc-console) before relying on ssh<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
==Setup Firewall==<br />
Create the policies for the firewall (the awall package, acf-awall as installed on the host, must be present in the container as well)<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
==Install and Configure Postgresql==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf to set the 'listen_addresses', and the 'log_destination' variables to show:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}}'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
== Install Kamailio ==<br />
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio<br />
<br />
=Install the B2BUA container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n b2bua -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.b2bua}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/b2bua/config, to reflect the network for the B2BUA container<br />
<br />
{{cat|/var/lib/lxc/b2bua/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.b2bua start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.b2bua}}<br />
<br />
== Enter the B2BUA container ==<br />
{{Cmd|lxc-console -n b2bua}}<br />
Login as root<br />
{{Note|To leave the container console press {{Key|Ctrl}}+{{Key|a}} followed by {{Key|q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%B2BUA_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration. Password logins are disabled below, so place your public key in /root/.ssh/authorized_keys (or keep using lxc-console) before relying on ssh<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
Create the policies for the firewall <br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip-track.json|<br />
{<br />
<br />
"description": "Phone system with SIP connection tracking",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Enable and activate firewall policies, and configure iptables to start at boot<br />
{{Cmd|awall enable base<br />
awall enable sip-track<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure Freeswitch ==<br />
Install package<br />
{{Cmd|apk add freeswitch}}<br />
<br />
Configure /etc/freeswitch/freeswitch.xml. Note that auth-calls is false in both the global settings and the profile, so Freeswitch bridges any INVITE that reaches port 5060 without a digest challenge; this relies on the voice VLAN and the awall policy to limit who can reach the B2BUA and must not be used on a profile that faces untrusted networks<br />
{{cat|/etc/freeswitch/freeswitch.xml|<br />
<pre><br />
<?xml version="1.0"?><br />
<document type="freeswitch/xml"><br />
<br />
<!-- Variables we need to set --><br />
<br />
<X-PRE-PROCESS cmd="set" data="b2bua=<%B2BUA_IP_ADDRESS%>"/><br />
<X-PRE-PROCESS cmd="set" data="domain=office.example.net"/><br />
<X-PRE-PROCESS cmd="set" data="siprouter=office.example.net"/><br />
<br />
<!-- Variables we don't need to set --><br />
<br />
<!-- External SIP Profile --><br />
<X-PRE-PROCESS cmd="set" data="external_sip_port=5060"/><br />
<!-- Global codecs --><br />
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/><br />
<!-- Outbound codecs --><br />
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/><br />
<br />
<section name="configuration" description="Various Configuration"><br />
<br />
<configuration name="modules.conf" description="Modules"><br />
<modules><br />
<load module="mod_commands"/><br />
<load module="mod_console"/><br />
<load module="mod_dptools"/><br />
<load module="mod_dialplan_xml"/><br />
<load module="mod_event_socket"/><br />
<load module="mod_logfile"/><br />
<load module="mod_sofia"/><br />
</modules><br />
</configuration><br />
<br />
<configuration name="console.conf" description="Console Logger"><br />
<mappings><br />
<map name="all" value="console,debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
<settings><br />
<param name="loglevel" value="info"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="logfile.conf" description="File Logging"><br />
<settings><br />
<param name="rotate-on-hup" value="true"/><br />
</settings><br />
<profiles><br />
<profile name="default"><br />
<settings><br />
<param name="rollover" value="10485760"/><br />
</settings><br />
<mappings><br />
<map name="all" value="debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
</profile><br />
</profiles><br />
</configuration><br />
<br />
<configuration name="sofia.conf" description="sofia Endpoint"><br />
<global_settings><br />
<param name="log-level" value="0"/><br />
<param name="debug-presence" value="0"/><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="log-auth-failures" value="false"/><br />
<param name="forward-unsolicited-mwi-notify" value="false"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="5060"/><br />
<param name="dialplan" value="XML"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="tls" value="false"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="auth-all-packets" value="false"/><br />
<param name="rtp-timeout-sec" value="300"/><br />
<param name="rtp-hold-timeout-sec" value="1800"/><br />
<param name="challenge-realm" value="auto_from"/><br />
</global_settings><br />
<br />
<profiles><br />
<profile name="$${domain}"><br />
<domains><br />
<domain name="all" alias="false" parse="true"/><br />
</domains><br />
<settings><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="$${external_sip_port}"/><br />
<param name="dialplan" value="XML"/><br />
<param name="context" value="default"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/><br />
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="local-network-acl" value="rfc1918.auto"/><br />
<param name="manage-presence" value="false"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="rtp-ip" value="$${b2bua}"/><br />
<param name="sip-ip" value="$${b2bua}"/><br />
<param name="tls" value="false"/><br />
</settings><br />
</profile> <br />
</profiles> <br />
<br />
</configuration><br />
<br />
<configuration name="switch.conf" description="Core Configuration"><br />
<br />
<cli-keybindings><br />
<key name="1" value="help"/><br />
<key name="2" value="status"/><br />
<key name="3" value="show channels"/><br />
<key name="4" value="show calls"/><br />
<key name="5" value="sofia status"/><br />
<key name="6" value="reloadxml"/><br />
</cli-keybindings><br />
<br />
<settings><br />
<param name="colorize-console" value="true"/><br />
<param name="max-sessions" value="1000"/><br />
<param name="sessions-per-second" value="30"/><br />
<param name="loglevel" value="debug"/><br />
<param name="dump-cores" value="yes"/><br />
<param name="rtp-enable-zrtp" value="false"/><br />
<param name="rtp-start-port" value="13000"/><br />
<param name="rtp-end-port" value="18000"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="post_load_modules.conf" description="Post-load modules"/><br />
<br />
</section><br />
<br />
<!-- Incoming Calls --><br />
<section name="dialplan" description="Regex/XML Dialplan"><br />
<context name="default"><br />
<extension name="b2b-in"><br />
<condition field="destination_number" expression="^(\d*)$"><br />
<action application="set" data="ringback=%(2000,4000,440.0,480.0)"/><br />
<action application="set" data="hangup_after_bridge=true"/><br />
<action application="set" data="continue_on_fail=true"/><br />
<action application="set" data="ignore_early_media=true"/> <br />
<action application="set" data="bypass_media=true"/> <br />
<action application="answer"/><br />
<action application="sleep" data="1000"/><br />
<action application="unset" data="sip_h_P-ARP"/><br />
<action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/><br />
</condition><br />
</extension><br />
</context> <br />
</section><br />
</document><br />
</pre><br />
}}<br />
Start Freeswitch and configure to start at boot<br />
{{Cmd|/etc/init.d/freeswitch start<br />
rc-update add freeswitch}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9792
Small Office Services
2014-01-20T19:52:47Z
<p>Cewebb: /* Install and Configure Freeswitch */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Type'' '''none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
This takes effect immediately but is lost at reboot; to make it persistent also set net.ipv4.ip_forward to 1 in /etc/sysctl.conf<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for a wall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure the firewall rules to be loaded automatically when the host boots<br />
{{Cmd| rc-update add awall}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf. Note that macvlan in bridge mode lets containers on the same parent interface talk to each other, but not to the host's own address on that interface, so manage the containers from another host on the VLAN or through lxc-console<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|To leave the container console press {{Key|Ctrl}}+{{Key|a}} followed by {{Key|q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN awall policy to allow this proxy out to the internet<br />
{{Note| this is to be configured on the DMVPN awall config}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
},<br />
}}<br />
<br />
Configure remote administration. Password logins are disabled below, so place your public key in /root/.ssh/authorized_keys (or keep using lxc-console) before relying on ssh<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
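The two sed expressions in this remote-administration step, repeated for every container on this page, require one arbitrary character in front of the keyword, so they rewrite the commented default '#PasswordAuthentication yes' but leave an already active 'PasswordAuthentication yes' line (or any other value) untouched, and sshd honours only the first active occurrence of a keyword in any case. The Python below is an added example, not from the page or from OpenSSH: it reproduces the sed behaviour on two constructed sshd_config samples, shows the miss, and implements an idempotent rewrite plus an audit of the effective values; the assumed defaults are those of the OpenSSH 6.x releases of the time.<br />

```python
"""Check and harden sshd_config keys (added example for the
'Configure remote administration' steps on this page).

The page's  sed "s/.PasswordAuthentication yes/PasswordAuthentication no/"
needs exactly one character before the keyword, so it rewrites the
commented default '#PasswordAuthentication yes' but silently skips an
active 'PasswordAuthentication yes' line.  set_option() removes every
definition of a key, commented or not, and puts the wanted one first,
where sshd's first-match rule makes it win.  Samples are constructed.
"""
import re

# Assumed upstream defaults of the era (OpenSSH 6.x); sshd -T shows the real ones.
DEFAULTS = {"PasswordAuthentication": "yes", "UseDNS": "yes"}
WANTED = {"PasswordAuthentication": "no", "UseDNS": "no"}

# Constructed samples: the commented-out package default, and a config where
# the options are already active (e.g. after an earlier edit).
COMMENTED_DEFAULT = "#Port 22\n#PasswordAuthentication yes\n#UseDNS yes\n"
ACTIVE_YES = "Port 22\nPasswordAuthentication yes\nUseDNS yes\n"


def sed_style(text):
    """Literal equivalent of the page's two sed expressions, for comparison.
    '.' matches any one character except newline, exactly as in sed."""
    text = re.sub(r".PasswordAuthentication yes", "PasswordAuthentication no", text)
    text = re.sub(r".UseDNS yes", "UseDNS no", text)
    return text


def parse_active(text):
    """Yield (keyword_lower, value) for active lines before any Match block.
    Anything after 'Match' is conditional and out of scope here."""
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)$", s)   # 'Key value' or 'Key=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        yield key, value


def effective(text, key, default):
    """sshd_config semantics: the first active occurrence of a keyword wins."""
    for k, v in parse_active(text):
        if k == key.lower():
            return v
    return default


def set_option(text, key, value):
    """Drop every definition of `key` (active or commented) before any Match
    block, then put the wanted definition at the top so it is the first match."""
    lines, kept, tail = text.splitlines(), [], []
    for i, line in enumerate(lines):
        bare = line.strip().lstrip("#").strip()
        if re.match(r"(?i)match\b", bare) and not line.strip().startswith("#"):
            tail = lines[i:]
            break
        if re.match(rf"(?i){re.escape(key)}\b", bare):
            continue
        kept.append(line)
    return "\n".join([f"{key} {value}", *kept, *tail]) + "\n"


def harden(text, wanted=WANTED):
    for key, value in wanted.items():
        text = set_option(text, key, value)
    return text


def audit(text, wanted=WANTED, defaults=DEFAULTS):
    """Return {key: effective_value} for every key that is not at its wanted value."""
    return {k: effective(text, k, defaults.get(k))
            for k, v in wanted.items() if effective(text, k, defaults.get(k)) != v}


if __name__ == "__main__":
    print("sed on commented default:", audit(sed_style(COMMENTED_DEFAULT)))
    print("sed on active yes:       ", audit(sed_style(ACTIVE_YES)))
    print("hardened active yes:     ", audit(harden(ACTIVE_YES)))
```

After changing the file, sshd -t validates the syntax and sshd -T prints the effective configuration; the value reported there, not the text of the file, is what to check before trusting that password logins are off.<br />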
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access hosts listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
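The http_access list above is evaluated first match wins, so rule order decides what a LAN client can reach. The following Python simulator is an added example, not part of this wiki page or of Squid: it replays those rules over constructed requests, with the subnet, client addresses and list-file contents standing in for the <%LAN_SUBNET%> placeholder and the /etc/squid/* list files.<br />

```python
"""Added example (not from the wiki page): first-match simulator for the
http_access rules in the squid.conf above, so the ACL ordering can be
checked against sample requests before the proxy goes live.  The LAN subnet,
list-file contents and client addresses are constructed stand-ins."""
import ipaddress
from dataclasses import dataclass

LAN_SUBNET = ipaddress.ip_network("10.1.0.0/24")            # <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%>
ALLOWED_USER_DOMAINS = {"example.net", "alpinelinux.org"}  # /etc/squid/alloweduserdomains
ALLOWED_SERVICE_HOSTS = {"10.1.0.50"}                       # /etc/squid/allowedserviceshosts
ALLOWED_SERVICE_DOMAINS = {"updates.example2.net"}          # /etc/squid/allowedservicesdomains
SSL_PORTS = {443, 563, 8004, 9000}
SAFE_PORTS = {21, 70, 80, 81, 210, 280, 443, 563, 499, 591, 777, 1024, 1022}


@dataclass
class Request:
    src: str              # client address as seen by Squid
    method: str           # GET, CONNECT, PURGE, ...
    host: str             # destination host from the URL
    port: int             # destination port
    scheme: str = "http"  # "cache_object" models a cache-manager request


def dstdomain(domains, host):
    """Squid dstdomain semantics: an entry matches itself and any subdomain."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


# ACL name -> predicate, one per 'acl' line on the page (plus Squid's built-ins)
ACLS = {
    "all": lambda r: True,
    "localhost": lambda r: r.src == "127.0.0.1",
    "manager": lambda r: r.scheme == "cache_object",
    "purge": lambda r: r.method == "PURGE",
    "CONNECT": lambda r: r.method == "CONNECT",
    "SSL_ports": lambda r: r.port in SSL_PORTS,
    "Safe_ports": lambda r: r.port in SAFE_PORTS or 1025 <= r.port <= 65535,
    "Zone_B": lambda r: ipaddress.ip_address(r.src) in LAN_SUBNET,
    "Zone_B_AllowedUserDomains": lambda r: dstdomain(ALLOWED_USER_DOMAINS, r.host),
    "Zone_B_AllowedServicesHosts": lambda r: r.src in ALLOWED_SERVICE_HOSTS,
    "Zone_B_AllowedServicesDomains": lambda r: dstdomain(ALLOWED_SERVICE_DOMAINS, r.host),
}

# The http_access lines in page order; a leading '!' negates an ACL as in squid.conf
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["Zone_B", "Zone_B_AllowedUserDomains"]),
    ("allow", ["Zone_B_AllowedServicesHosts", "Zone_B_AllowedServicesDomains"]),
    ("deny", ["all"]),
]


def acl_matches(name, req):
    negate = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negate


def http_access(req):
    """The first line whose ACLs all match decides.  If no line matches, Squid
    applies the opposite of the last line, which is why 'deny all' comes last."""
    for action, acls in HTTP_ACCESS:
        if all(acl_matches(a, req) for a in acls):
            return action
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    samples = [
        Request("10.1.0.10", "GET", "www.example.net", 80),       # LAN host, allowed domain
        Request("10.1.0.10", "CONNECT", "www.example.net", 80),   # CONNECT to a non-SSL port
        Request("10.1.0.10", "CONNECT", "www.example.net", 443),
        Request("10.1.0.10", "GET", "updates.example2.net", 80),  # service domain, unlisted host
        Request("10.1.0.50", "GET", "updates.example2.net", 80),  # listed service host
        Request("192.168.5.5", "GET", "www.example.net", 80),     # outside Zone_B
        Request("10.1.0.10", "PURGE", "www.example.net", 80),
    ]
    for s in samples:
        print(f"{s.src:12} {s.method:8} {s.host}:{s.port} -> {http_access(s)}")
```

Note that CONNECT to port 80 is refused by the "deny CONNECT !SSL_ports" line even for an allowed domain, because that line is evaluated before the zone rules.<br />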
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container is booted<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks for the netserv container<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto eth0<br />
iface eth0 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
up ip address add <%MANAGEMENT_IP_ADDRESS2%>/26 dev eth0<br />
<br />
#WiFi VLAN<br />
auto eth1<br />
iface eth1 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
#Voice VLAN<br />
auto eth2<br />
iface eth2 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Todo|Need to setup Firewall rules}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package<br />
{{Cmd|apk add unbound }}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_WIFI_IP_ADDRESS%><br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
Start Unbound, add it to the default runlevel and point the container's own resolver at it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd configuration<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Configure the zone file for nsd (the zonefile name given in nsd.conf, relative to zonesdir)<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; NS Servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record: points SIP clients at the _sip._udp SRV set below<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Records<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
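A SIP phone locates the proxy for office.example.net through the NAPTR record, then the SRV set it names, then the A records of the SRV targets (RFC 3263), so every link in that chain has to exist in the zone. The Python below is an added example, not part of this page or of nsd: it parses a constructed copy of the zone above (TEST-NET addresses stand in for the placeholders), walks the chain, and reports dangling targets such as an NAPTR replacement that no SRV record answers.<br />

```python
"""Added example (not from the wiki page): parse the office.example.net zone
and walk NAPTR -> SRV -> A the way a SIP client does.  Addresses are
constructed stand-ins for the <%...%> placeholders."""
import shlex

# Constructed copy of the zone file above with placeholders replaced
ZONE_TEXT = """\
$ORIGIN office.example.net.
$TTL 86400
@ IN SOA ns1 admin (
    2013032200 ; Serial
    28800 7200 864000 86400 )
@ NS ns1
ns1 IN A 192.0.2.2
sip IN A 192.0.2.10
vmail IN A 192.0.2.11
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""


def absolute(name, origin):
    """Make a zone-file owner or target absolute: '@' is the origin, a name
    without a trailing dot is relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return {owner: {rtype: [rdata tokens]}} with all names made absolute.
    Handles $ORIGIN, $TTL, ';' comments and a parenthesised multi-line SOA."""
    records, origin, depth = {}, ".", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if depth:  # still inside the SOA parentheses: only track them
            depth += line.count("(") - line.count(")")
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        toks = shlex.split(line)  # keeps "SIP+D2U" and "" as single tokens
        owner = absolute(toks.pop(0), origin)
        if toks[0] == "IN":
            toks.pop(0)
        rtype, rdata = toks[0], toks[1:]
        if rtype == "SOA":
            depth += line.count("(") - line.count(")")
            continue
        if rtype in ("NAPTR", "SRV", "NS"):  # last field is a domain name
            rdata[-1] = absolute(rdata[-1], origin)
        records.setdefault(owner, {}).setdefault(rtype, []).append(rdata)
    return records


def resolve_sip(records, domain, service="SIP+D2U"):
    """NAPTR records for `service` with flag 's' (lowest order, then
    preference) -> their SRV sets (priority, then higher weight first)
    -> A records.  Returns [(ip, port, transport)] in contact order."""
    naptrs = [r for r in records.get(domain, {}).get("NAPTR", [])
              if r[3] == service and r[2].lower() == "s"]
    naptrs.sort(key=lambda r: (int(r[0]), int(r[1])))
    targets = []
    for *_, srv_name in naptrs:
        srvs = sorted(records.get(srv_name, {}).get("SRV", []),
                      key=lambda r: (int(r[0]), -int(r[1])))
        transport = srv_name.split(".")[1].lstrip("_")  # _udp -> udp
        for _prio, _weight, port, target in srvs:
            for ip in records.get(target, {}).get("A", []):
                targets.append((ip[0], int(port), transport))
    return targets


def dangling_targets(records):
    """Names referenced by NAPTR/SRV/NS rdata that own no records: catches
    typos such as an NAPTR replacement that no SRV record answers."""
    missing = []
    for owner, rrs in records.items():
        for rtype in ("NAPTR", "SRV", "NS"):
            for rdata in rrs.get(rtype, []):
                if rdata[-1] not in records:
                    missing.append((owner, rtype, rdata[-1]))
    return missing


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    print("contacts:", resolve_sip(zone, "office.example.net."))
    print("dangling:", dangling_targets(zone))
```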
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
nsd-control-setup<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure Postgresql ==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf to set the 'listen_addresses', and the 'log_destination' variables to show:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
== Install Kamailio ==<br />
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio<br />
<br />
= Install the B2BUA container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n b2bua -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.b2bua}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/b2bua/config, to reflect the network for the B2BUA container<br />
<br />
{{cat|/var/lib/lxc/b2bua/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.b2bua}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.b2bua}}<br />
<br />
== Enter the B2BUA container ==<br />
{{Cmd|lxc-console -n b2bua}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%B2BUA_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
Create the policies for the firewall <br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip-track.json|<br />
{<br />
<br />
"description": "Phone system with SIP connection tracking",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Enable and activate firewall policies, and configure iptables to start at boot<br />
{{Cmd|awall enable base<br />
awall enable sip-track<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure Freeswitch ==<br />
Install the freeswitch package<br />
{{Cmd|apk add freeswitch}}<br />
<br />
Configure /etc/freeswitch/freeswitch.xml<br />
{{cat|/etc/freeswitch/freeswitch.xml|<br />
<pre><br />
<?xml version="1.0"?><br />
<document type="freeswitch/xml"><br />
<br />
<!-- Variables we need to set --><br />
<br />
<X-PRE-PROCESS cmd="set" data="b2bua=<%B2BUA_IP_ADDRESS%>"/><br />
<X-PRE-PROCESS cmd="set" data="domain=office.example.net"/><br />
<X-PRE-PROCESS cmd="set" data="siprouter=office.example.net"/><br />
<br />
&lt;!-- Variables we don't need to set --&gt;<br />
<br />
<!-- External SIP Profile --><br />
<X-PRE-PROCESS cmd="set" data="external_sip_port=5060"/><br />
&lt;!-- Global codecs --&gt;<br />
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/><br />
<!-- Outbound codecs --><br />
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/><br />
<br />
<section name="configuration" description="Various Configuration"><br />
<br />
<configuration name="modules.conf" description="Modules"><br />
<modules><br />
<load module="mod_commands"/><br />
<load module="mod_console"/><br />
<load module="mod_dptools"/><br />
<load module="mod_dialplan_xml"/><br />
<load module="mod_event_socket"/><br />
<load module="mod_logfile"/><br />
<load module="mod_sofia"/><br />
</modules><br />
</configuration><br />
<br />
<configuration name="console.conf" description="Console Logger"><br />
<mappings><br />
<map name="all" value="console,debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
<settings><br />
<param name="loglevel" value="info"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="logfile.conf" description="File Logging"><br />
<settings><br />
<param name="rotate-on-hup" value="true"/><br />
</settings><br />
<profiles><br />
<profile name="default"><br />
<settings><br />
<param name="rollover" value="10485760"/><br />
</settings><br />
<mappings><br />
<map name="all" value="debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
</profile><br />
</profiles><br />
</configuration><br />
<br />
<configuration name="sofia.conf" description="sofia Endpoint"><br />
<global_settings><br />
<param name="log-level" value="0"/><br />
<param name="debug-presence" value="0"/><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="log-auth-failures" value="false"/><br />
<param name="forward-unsolicited-mwi-notify" value="false"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="5060"/><br />
<param name="dialplan" value="XML"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="tls" value="false"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="auth-all-packets" value="false"/><br />
<param name="rtp-timeout-sec" value="300"/><br />
<param name="rtp-hold-timeout-sec" value="1800"/><br />
<param name="challenge-realm" value="auto_from"/><br />
</global_settings><br />
<br />
<profiles><br />
<profile name="$${domain}"><br />
<domains><br />
<domain name="all" alias="false" parse="true"/><br />
</domains><br />
<settings><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="$${external_sip_port}"/><br />
<param name="dialplan" value="XML"/><br />
<param name="context" value="default"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/><br />
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="local-network-acl" value="rfc1918.auto"/><br />
<param name="manage-presence" value="false"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="rtp-ip" value="$${b2bua}"/><br />
<param name="sip-ip" value="$${b2bua}"/><br />
<param name="tls" value="false"/><br />
</settings><br />
</profile> <br />
</profiles> <br />
<br />
</configuration><br />
<br />
<configuration name="switch.conf" description="Core Configuration"><br />
<br />
<cli-keybindings><br />
<key name="1" value="help"/><br />
<key name="2" value="status"/><br />
<key name="3" value="show channels"/><br />
<key name="4" value="show calls"/><br />
<key name="5" value="sofia status"/><br />
<key name="6" value="reloadxml"/><br />
</cli-keybindings><br />
<br />
<settings><br />
<param name="colorize-console" value="true"/><br />
<param name="max-sessions" value="1000"/><br />
<param name="sessions-per-second" value="30"/><br />
<param name="loglevel" value="debug"/><br />
<param name="dump-cores" value="yes"/><br />
<param name="rtp-enable-zrtp" value="false"/><br />
<param name="rtp-start-port" value="13000"/><br />
<param name="rtp-end-port" value="18000"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="post_load_modules.conf" description="Post-load modules"/><br />
<br />
</section><br />
<br />
&lt;!-- Incoming Calls --&gt;<br />
<section name="dialplan" description="Regex/XML Dialplan"><br />
<context name="default"><br />
<extension name="b2b-in"><br />
<condition field="destination_number" expression="^(\d*)$"><br />
<action application="set" data="ringback=%(2000,4000,440.0,480.0)"/><br />
<action application="set" data="hangup_after_bridge=true"/><br />
<action application="set" data="continue_on_fail=true"/><br />
<action application="set" data="ignore_early_media=true"/> <br />
<action application="set" data="bypass_media=true"/> <br />
<action application="answer"/><br />
<action application="sleep" data="1000"/><br />
<action application="unset" data="sip_h_P-ARP"/><br />
<action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/><br />
</condition><br />
</extension><br />
</context> <br />
</section><br />
</document><br />
</pre><br />
}}<br />
Start Freeswitch and configure to start at boot<br />
{{Cmd|/etc/init.d/freeswitch start<br />
rc-update add freeswitch}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9791
Small Office Services
2014-01-20T19:51:21Z
<p>Cewebb: </p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
up ip link set $IFACE up<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
This takes effect immediately but does not survive a reboot; to make it persistent also set <code>net.ipv4.ip_forward = 1</code> in /etc/sysctl.conf.<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure iptables to start automatically when the host boots<br />
{{Cmd| rc-update add awall}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN awall policy to allow this proxy out to the internet (a policy file must be a complete JSON object, so the rule is wrapped in its own filter list)<br />
{{Note| this is to be configured on the DMVPN awall config}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"description": "Web proxy internet access",<br />
<br />
"filter": [<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
<br />
Configure remote administration. The first sed turns off password logins, so an authorized SSH key for root must be in place before relying on SSH to reach the container.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replacing <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access hosts listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_alias",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the three networks the netserv container attaches to<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN (interface names match lxc.network.name in the container config)<br />
auto eth_3<br />
iface eth_3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
up ip address add <%MANAGEMENT_IP_ADDRESS2%>/26 dev eth_3<br />
<br />
#WiFi VLAN<br />
auto eth_701<br />
iface eth_701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
#Voice VLAN<br />
auto eth_1101<br />
iface eth_1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Todo|Need to setup Firewall rules}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (nsd is installed further below)<br />
{{Cmd|apk add unbound }}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_WIFI_IP_ADDRESS%><br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
Start Unbound and allow the container to use it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd configuration<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Configure the zone file for nsd (the file named by ''zonefile'' above, inside ''zonesdir'')<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record pointing at the SIP SRV records below<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Record<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
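The zone above only works if its pointers line up: the SOA primary and NS target need A records, every SRV target needs an A record, and a NAPTR with the "s" flag must name an SRV owner that exists. The following checker is an added example written for this page, not part of the wiki or of nsd; it parses only the syntax this zone uses, and the IP addresses in its samples are constructed.<br />

```python
"""Cross-reference check for a small nsd SIP zone (added example, not part of the wiki).

The parser covers just the syntax the page's zone uses: $ORIGIN, $TTL, a
parenthesised SOA, ';' comments, relative and absolute owner names.
"""
from collections import defaultdict


def absolute(name, origin):
    """Expand a zone-file name to a fully qualified, dot-terminated name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, {(owner, type): [rdata token lists]}) for a simple zone."""
    origin, records = "", defaultdict(list)
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        buf = f"{buf} {line}" if buf else line
        if buf.count("(") > buf.count(")"):        # SOA continues on the next line
            continue
        logical.append(buf.replace("(", " ").replace(")", " "))
        buf = ""
    for line in logical:
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):              # $TTL and friends
            continue
        owner = absolute(tokens.pop(0), origin)
        while tokens and (tokens[0] == "IN" or tokens[0].isdigit()):
            tokens.pop(0)                          # optional class and TTL
        records[(owner, tokens[0])].append(tokens[1:])
    return origin, records


def check_zone(text):
    """Return a list of dangling references; an empty list means the zone is consistent."""
    origin, records = parse_zone(text)
    has_addr = {owner for (owner, rtype) in records if rtype in ("A", "AAAA")}
    srv_owners = {owner for (owner, rtype) in records if rtype == "SRV"}
    problems = []
    for (owner, rtype), rrs in records.items():
        for rdata in rrs:
            if rtype in ("SOA", "NS"):
                target = absolute(rdata[0], origin)
                if target not in has_addr:
                    problems.append(f"{rtype} {owner} names {target}, which has no A record")
            elif rtype == "SRV":                   # priority weight port target
                target = absolute(rdata[3], origin)
                if target not in has_addr:
                    problems.append(f"SRV {owner} target {target} has no A record")
            elif rtype == "NAPTR":                 # order pref flags service regexp replacement
                flags = rdata[2].strip('"').lower()
                replacement = absolute(rdata[5], origin)
                if "s" in flags and replacement not in srv_owners:
                    problems.append(f"NAPTR {owner} replacement {replacement} has no SRV record")
    return problems


# Constructed sample with the dangling pointers of the zone as originally posted:
# SOA names "ns" (no A record), "map" instead of "vmail", NAPTR replacement that
# is not an SRV owner. Addresses are RFC 5737 documentation values.
ZONE_AS_POSTED = """\
$ORIGIN office.example.net.
$TTL 86400
@ IN SOA ns admin (
        2013032200 ; Serial
        28800 7200 864000 86400 )
@ NS ns1
ns1 IN A 192.0.2.10
sip IN A 192.0.2.20
map IN A 192.0.2.21
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.sip.office.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""

# The same zone with the pointers repaired, as in the zone file above.
ZONE_FIXED = ZONE_AS_POSTED.replace("SOA ns admin", "SOA ns1 admin") \
    .replace("map IN A", "vmail IN A") \
    .replace("_sip._udp.sip.office.example.net.", "_sip._udp.office.example.net.")

if __name__ == "__main__":
    for label, zone in (("as posted", ZONE_AS_POSTED), ("fixed", ZONE_FIXED)):
        print(label, check_zone(zone) or "OK")
```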
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
nsd-control-setup<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
==Setup Firewall==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
==Install and Configure Postgresql==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf so that the 'listen_addresses' and 'log_destination' variables read:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
== Install Kamailio ==<br />
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio<br />
<br />
= Install the B2BUA Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n b2bua -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.b2bua}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/b2bua/config, to reflect the network for the B2BUA container<br />
<br />
{{cat|/var/lib/lxc/b2bua/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.b2bua start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.b2bua}}<br />
<br />
== Enter the B2BUA container ==<br />
{{Cmd|lxc-console -n b2bua}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%B2BUA_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
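The sed used in the "Configure remote administration" step of every container (webproxy, netserv, sip and this one) needs one character in front of the keyword, so it rewrites the commented default but leaves an uncommented "PasswordAuthentication yes" at column 0 in place, and sshd honours the first uncommented occurrence. The following helpers are an added example written for this page, not part of the wiki or of Alpine's setup scripts; they set a directive whatever its current form and report the value sshd would actually use, and the sample file is constructed.<br />

```python
"""Set sshd_config directives idempotently (added example, not from the wiki page)."""
import re
from pathlib import Path
from typing import Optional


def set_directive(config_text: str, key: str, value: str) -> str:
    """Return config_text with `key value` present exactly once.

    Every occurrence of the directive, commented or not, is replaced: the first
    in place, later duplicates dropped. If it does not occur it is appended.
    Keywords are matched case-insensitively, as sshd does.
    """
    pattern = re.compile(r"^\s*#?\s*" + re.escape(key) + r"\s+\S.*$", re.IGNORECASE)
    out, done = [], False
    for line in config_text.splitlines():
        if pattern.match(line):
            if not done:
                out.append(f"{key} {value}")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


def effective_value(config_text: str, key: str) -> Optional[str]:
    """Return the value sshd would use for key: its first uncommented occurrence."""
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s+(\S+)", re.IGNORECASE)
    for line in config_text.splitlines():
        match = pattern.match(line)
        if match:
            return match.group(1)
    return None


def page_sed(config_text: str) -> str:
    """Reproduce the page's sed substitution, for comparison."""
    return re.sub(r".PasswordAuthentication yes", "PasswordAuthentication no", config_text)


def harden(config_text: str) -> str:
    """Apply the two settings the page sets in every container."""
    for key, value in (("PasswordAuthentication", "no"), ("UseDNS", "no")):
        config_text = set_directive(config_text, key, value)
    return config_text


def harden_file(path: str) -> None:
    """Rewrite an sshd_config on disk; restart sshd afterwards for it to apply."""
    config = Path(path)
    config.write_text(harden(config.read_text()))


# Constructed sample: an uncommented "yes" ahead of the commented default.
SAMPLE = """# sshd_config (constructed sample)
Port 22
PasswordAuthentication yes
#UseDNS no
#PasswordAuthentication yes
"""

if __name__ == "__main__":
    print("after the page's sed:", effective_value(page_sed(SAMPLE), "PasswordAuthentication"))
    print("after harden():      ", effective_value(harden(SAMPLE), "PasswordAuthentication"))
```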
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
Create the policies for the firewall <br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip-track.json|<br />
{<br />
<br />
"description": "Phone system with SIP connection tracking",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Enable and activate firewall policies, and configure iptables to start at boot<br />
{{Cmd|awall enable base<br />
awall enable sip-track<br />
awall activate -f<br />
rc-update add iptables<br />
}}<br />
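awall policies are JSON, so a stray trailing comma (the sip.json of the SIP container had one after "accept") makes awall reject the file. The following linter is an added example written for this page, not part of the wiki or of awall itself; it parses each policy, flags structural mistakes and summarises which services each policy admits into the firewall host, and the policy texts it carries are constructed samples modelled on the files above.<br />

```python
"""Lint awall policy files and summarise host exposure (added example, not part of the wiki)."""
import json


def lint_policy(name, text):
    """Return a list of problem strings for one policy file's JSON text."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"{name}: not valid JSON ({exc.msg} at line {exc.lineno}); check for trailing commas"]
    if not isinstance(policy, dict):
        return [f"{name}: top level must be an object"]
    problems = []
    for idx, rule in enumerate(policy.get("filter", [])):
        service = rule.get("service")
        if "action" not in rule:
            problems.append(f"{name}: filter[{idx}] has no action")
        if service is not None and not isinstance(service, (str, list)):
            problems.append(f"{name}: filter[{idx}] service must be a string or a list")
        if rule.get("action") == "accept" and rule.get("out") == "_fw" and service is None:
            problems.append(f"{name}: filter[{idx}] accepts every service into the host")
    for idx, rule in enumerate(policy.get("policy", [])):
        if "action" not in rule:
            problems.append(f"{name}: policy[{idx}] has no action")
        if rule.get("action") == "accept" and rule.get("out") == "_fw":
            problems.append(f"{name}: policy[{idx}] default-accepts everything into the host")
    return problems


def lint_all(policies):
    """Lint a {filename: json text} mapping; each value is a list of problems (empty = clean)."""
    return {name: lint_policy(name, text) for name, text in policies.items()}


def host_exposure(policies):
    """Map each parseable policy to the services it accepts towards the firewall host."""
    exposed = {}
    for name, text in policies.items():
        try:
            policy = json.loads(text)
        except json.JSONDecodeError:
            continue                       # reported by lint_policy, nothing to summarise
        services = []
        for rule in policy.get("filter", []):
            if rule.get("out") == "_fw" and rule.get("action") == "accept":
                service = rule.get("service", "any")
                services.extend(service if isinstance(service, list) else [service])
        exposed[name] = services
    return exposed


# Constructed samples: base.json as on the page, sip.json with a trailing comma
# after "accept", and syslog.json with a single string service.
POLICIES = {
    "base.json": """{
  "description": "Management",
  "policy": [ { "in": "_fw", "action": "accept" } ],
  "filter": [
    { "out": "_fw", "service": [ "ssh", "https", "ping" ], "action": "accept" }
  ]
}""",
    "sip.json": """{
  "description": "Phone System",
  "filter": [
    { "out": "_fw", "service": [ "sip", "sip-tls" ], "action": "accept", }
  ]
}""",
    "syslog.json": """{
  "description": "Syslog server",
  "filter": [ { "out": "_fw", "service": "syslog", "action": "accept" } ]
}""",
}

if __name__ == "__main__":
    for name, problems in lint_all(POLICIES).items():
        print(name, problems or "OK")
    print(host_exposure(POLICIES))
```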
<br />
== Install and Configure Freeswitch ==<br />
Install package<br />
{{Cmd|apk add freeswitch}}<br />
<br />
Configure /etc/freeswitch/freeswitch.xml<br />
{{cat|/etc/freeswitch/freeswitch.xml|<br />
<pre><br />
<?xml version="1.0"?><br />
<document type="freeswitch/xml"><br />
<br />
<!-- Variables we need to set --><br />
<br />
<X-PRE-PROCESS cmd="set" data="b2bua=<%B2BUA_IP_ADDRESS%>"/><br />
<X-PRE-PROCESS cmd="set" data="domain=office.example.net"/><br />
<X-PRE-PROCESS cmd="set" data="siprouter=office.example.net"/><br />
<br />
<!-- Variables we don't need to set --><br />
<br />
<!-- External SIP Profile --><br />
<X-PRE-PROCESS cmd="set" data="external_sip_port=5060"/><br />
<!-- Global codecs --><br />
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/><br />
<!-- Outbound codecs --><br />
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/><br />
<br />
<section name="configuration" description="Various Configuration"><br />
<br />
<configuration name="modules.conf" description="Modules"><br />
<modules><br />
<load module="mod_commands"/><br />
<load module="mod_console"/><br />
<load module="mod_dptools"/><br />
<load module="mod_dialplan_xml"/><br />
<load module="mod_event_socket"/><br />
<load module="mod_logfile"/><br />
<load module="mod_sofia"/><br />
</modules><br />
</configuration><br />
<br />
<configuration name="console.conf" description="Console Logger"><br />
<mappings><br />
<map name="all" value="console,debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
<settings><br />
<param name="loglevel" value="info"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="logfile.conf" description="File Logging"><br />
<settings><br />
<param name="rotate-on-hup" value="true"/><br />
</settings><br />
<profiles><br />
<profile name="default"><br />
<settings><br />
<param name="rollover" value="10485760"/><br />
</settings><br />
<mappings><br />
<map name="all" value="debug,info,notice,warning,err,crit,alert"/><br />
</mappings><br />
</profile><br />
</profiles><br />
</configuration><br />
<br />
<configuration name="sofia.conf" description="sofia Endpoint"><br />
<global_settings><br />
<param name="log-level" value="0"/><br />
<param name="debug-presence" value="0"/><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="log-auth-failures" value="false"/><br />
<param name="forward-unsolicited-mwi-notify" value="false"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="5060"/><br />
<param name="dialplan" value="XML"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="tls" value="false"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="auth-all-packets" value="false"/><br />
<param name="rtp-timeout-sec" value="300"/><br />
<param name="rtp-hold-timeout-sec" value="1800"/><br />
<param name="challenge-realm" value="auto_from"/><br />
</global_settings><br />
<br />
<profiles><br />
<profile name="$${domain}"><br />
<domains><br />
<domain name="all" alias="false" parse="true"/><br />
</domains><br />
<settings><br />
<param name="debug" value="0"/><br />
<param name="sip-trace" value="no"/><br />
<param name="rfc2833-pt" value="101"/><br />
<param name="sip-port" value="$${external_sip_port}"/><br />
<param name="dialplan" value="XML"/><br />
<param name="context" value="default"/><br />
<param name="dtmf-duration" value="2000"/><br />
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/><br />
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/><br />
<param name="rtp-timer-name" value="soft"/><br />
<param name="local-network-acl" value="rfc1918.auto"/><br />
<param name="manage-presence" value="false"/><br />
<param name="inbound-codec-negotiation" value="generous"/><br />
<param name="nonce-ttl" value="60"/><br />
<param name="auth-calls" value="false"/><br />
<param name="rtp-ip" value="$${b2bua}"/><br />
<param name="sip-ip" value="$${b2bua}"/><br />
<param name="tls" value="false"/><br />
</settings><br />
</profile> <br />
</profiles> <br />
<br />
</configuration><br />
<br />
<configuration name="switch.conf" description="Core Configuration"><br />
<br />
<cli-keybindings><br />
<key name="1" value="help"/><br />
<key name="2" value="status"/><br />
<key name="3" value="show channels"/><br />
<key name="4" value="show calls"/><br />
<key name="5" value="sofia status"/><br />
<key name="6" value="reloadxml"/><br />
</cli-keybindings><br />
<br />
<settings><br />
<param name="colorize-console" value="true"/><br />
<param name="max-sessions" value="1000"/><br />
<param name="sessions-per-second" value="30"/><br />
<param name="loglevel" value="debug"/><br />
<param name="dump-cores" value="yes"/><br />
<param name="rtp-enable-zrtp" value="false"/><br />
<param name="rtp-start-port" value="13000"/><br />
<param name="rtp-end-port" value="18000"/><br />
</settings><br />
</configuration><br />
<br />
<configuration name="post_load_modules.conf" description="Post-load modules"/><br />
<br />
</section><br />
<br />
<!-- Incoming Calls --><br />
<section name="dialplan" description="Regex/XML Dialplan"><br />
<context name="default"><br />
<extension name="b2b-in"><br />
<condition field="destination_number" expression="^(\d*)$"><br />
<action application="set" data="ringback=%(2000,4000,440.0,480.0)"/><br />
<action application="set" data="hangup_after_bridge=true"/><br />
<action application="set" data="continue_on_fail=true"/><br />
<action application="set" data="ignore_early_media=true"/> <br />
<action application="set" data="bypass_media=true"/> <br />
<action application="answer"/><br />
<action application="sleep" data="1000"/><br />
<action application="unset" data="sip_h_P-ARP"/><br />
<action application="bridge" data="sofia/$${domain}/$1@$${siprouter}"/><br />
</condition><br />
</extension><br />
</context> <br />
</section><br />
</document><br />
</pre><br />
}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9790
Small Office Services
2014-01-20T14:47:16Z
<p>Cewebb: /* Install and Configure Postgresql */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' or 'done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''none''' ''(the default is dhcp; the bond itself carries no address, only its VLAN sub-interfaces do)''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_IP%>''' ''(the DMVPN router's address on the management VLAN, the same value used as gateway in /etc/network/interfaces below)''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
This takes effect immediately but is lost at reboot: to make it persistent set ''net.ipv4.ip_forward = 1'' in /etc/sysctl.conf, which the sysctl boot service applies, and include that file in the next ''lbu commit''.<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure iptables to start automatically when the host boots (the rules written by ''awall activate'' are restored by the iptables service)<br />
{{Cmd| rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf. With macvlan in bridge mode the containers on one VLAN can reach each other and the rest of the VLAN, but not the host's own address on that VLAN, so administer them over lxc-console or from another host on the VLAN.<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
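The host's /etc/network/interfaces and each container config have to agree on the VLAN links, and the capability drop list is easy to lose when a container config is edited by hand. The script below is an added example, not code from this page or from Alpine: it lints a container config against the host configuration. Both inputs are constructed copies modelled on the files above (the addresses, the missing bond0.701 VLAN and the shortened capability list are made up for the demonstration); the list of capabilities that must be dropped is whatever the caller passes. Against the real files run it as ''undeclared_links "$(cat /etc/network/interfaces)" "$(cat /var/lib/lxc/netserv/config)"''.<br />

```sh
#!/bin/sh
# Added example: lint an LXC container config against the host before starting it.
# Both inputs below are constructed for the demonstration (not the page's files).

# Host /etc/network/interfaces: it carries bond0.3, bond0.101 and bond0.1101
# but NOT bond0.701.
HOST_INTERFACES='auto lo
iface lo inet loopback

auto bond0
iface bond0 inet manual
bond-slaves eth0 eth1
bond-mode balance-tlb
bond-miimon 100

auto bond0.3
iface bond0.3 inet static
address 10.1.3.10
netmask 255.255.255.0

auto bond0.101
iface bond0.101 inet manual

auto bond0.1101
iface bond0.1101 inet manual'

# Container config that references the missing VLAN and drops fewer
# capabilities than the page's default.conf (sys_admin and mknod are absent).
CONTAINER_CONFIG='lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.link = bond0.3
lxc.network.name = eth_3

lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.link = bond0.701
lxc.network.name = eth_701

lxc.cap.drop = audit_control audit_write fsetid ipc_lock
lxc.cap.drop = sys_module sys_ptrace sys_rawio sys_time'

# undeclared_links HOST_TEXT CONTAINER_TEXT
# Prints every lxc.network.link value that has no matching "iface <name>" stanza
# on the host, one per line (empty output means all links exist).
undeclared_links() {
    printf '%s\n' "$2" |
    awk -F'=' '$1 ~ /^lxc\.network\.link[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); print $2 }' |
    while read -r link; do
        printf '%s\n' "$1" |
        awk -v l="$link" '$1 == "iface" && $2 == l { found = 1 } END { exit (found ? 0 : 1) }' ||
        echo "$link"
    done
}

# caps_not_dropped CONTAINER_TEXT "cap1 cap2 ..."
# Prints each capability from the required list that no lxc.cap.drop line covers.
caps_not_dropped() {
    dropped=$(printf '%s\n' "$1" |
        awk -F'=' '$1 ~ /^lxc\.cap\.drop[[:space:]]*$/ { print $2 }' |
        tr -s ' \t\n' '\n')
    for cap in $2; do
        printf '%s\n' "$dropped" | grep -qx "$cap" || echo "$cap"
    done
}

# Stand-alone run: report both problems for the constructed input.
echo "links missing on host:"
undeclared_links "$HOST_INTERFACES" "$CONTAINER_CONFIG"
echo "capabilities not dropped:"
caps_not_dropped "$CONTAINER_CONFIG" "sys_admin mknod sys_module sys_ptrace sys_rawio"
```

Run it before ''rc-update add lxc.<name>'': a link that does not exist on the host makes the container fail to start, while a missing capability drop starts fine and is only noticed when the container is already compromised.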
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|To leave the console without stopping the container press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}} (the lxc-console escape sequence)}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN awall policy to allow this proxy out to the internet<br />
{{Note| this is to be configured on the DMVPN awall config, where the variable $WEB_PROXY must be defined as the proxy container's address}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"description": "Web proxy to Internet",<br />
<br />
"filter": [<br />
{ "in": "B", "src": "$WEB_PROXY", "out": "E", "action": "accept" }<br />
]<br />
}<br />
}}<br />
<br />
Configure remote administration (password logins are disabled below, so place your public key in /root/.ssh/authorized_keys before relying on SSH instead of the console)<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replacing <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%> and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Catch-all source ACL (no Squid authentication is configured; users are identified by Squark)<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
# mod_alias must be loaded (before mod_cgi) or the alias.url below is ignored<br />
server.modules += ("mod_alias", "mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start on when container is booted<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
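The squark logformat above keeps the client address, the Squid result code and the full URL, which is what an auditor needs to review denied requests. The shell functions below are an added example, not part of this page or of Squark: they run over a few constructed access.log lines in that format. One reports clients that accumulate denials, the other lists CONNECT requests to ports outside the SSL_ports ACL of the squid.conf above, which is how a client probing for a tunnel shows up. Field positions follow the logformat line; the last field (%rG) is treated as opaque.<br />

```sh
#!/bin/sh
# Added example: triage Squid access.log lines written with the page's "squark"
# logformat (%ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG).
# Whitespace-separated fields: 1 time, 2 duration, 3 client, 4 result/status,
# 5 bytes, 6 method, 7 URL, 8 user, 9 hierarchy/peer, 10 mime, 11 %rG (ignored).

# Constructed sample log lines (not real traffic).
SAMPLE_LOG='1390230000.123    120 10.1.2.10 TCP_MISS/200 5123 GET http://intranet.example.net/index.html - DIRECT/172.16.1.5 text/html -
1390230001.456      2 10.1.2.11 TCP_DENIED/403 3520 GET http://badsite.example.org/ - NONE/- text/html -
1390230002.789     45 10.1.2.11 TCP_DENIED/403 3520 CONNECT evil.example.org:8443 - NONE/- - -
1390230003.001    300 10.1.2.12 TCP_MISS/200 9001 CONNECT mail.example.net:443 - DIRECT/172.16.1.9 - -
1390230004.500     10 10.1.2.11 TCP_DENIED/403 3520 GET http://badsite.example.org/login - NONE/- text/html -'

# denied_clients [THRESHOLD]  (log on stdin)
# Prints "client count" for each client with at least THRESHOLD (default 2)
# TCP_DENIED entries.
denied_clients() {
    awk -v t="${1:-2}" '
        $4 ~ /^TCP_DENIED\// { n[$3]++ }
        END { for (ip in n) if (n[ip] >= t) printf "%s %d\n", ip, n[ip] }' | sort
}

# connect_nonssl  (log on stdin)
# Prints "client host:port result" for CONNECT requests whose port is not in
# the SSL_ports ACL of the page (443 563 8004 9000). Squid denies these, so a
# client generating them is probing for an open tunnel.
connect_nonssl() {
    awk '
        $6 == "CONNECT" {
            k = split($7, h, ":"); p = h[k]
            if (p != 443 && p != 563 && p != 8004 && p != 9000) print $3, $7, $4
        }'
}

# Stand-alone run over the sample.
printf '%s\n' "$SAMPLE_LOG" | denied_clients 2
printf '%s\n' "$SAMPLE_LOG" | connect_nonssl
```

On the proxy itself feed the real log with ''denied_clients 5 < /var/log/squid/access.log''; because the log is rotated every 7 days (logfile_rotate 7) anything older has to come from the rotated copies.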
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to attach the netserv container to the management, WiFi and voice VLANs<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|To leave the console without stopping the container press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}} (the lxc-console escape sequence)}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN (lxc.network.name eth_3 in the container config)<br />
auto eth_3<br />
iface eth_3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
up ip address add <%MANAGEMENT_IP_ADDRESS2%>/26 dev eth_3<br />
<br />
#WiFi VLAN (eth_701)<br />
auto eth_701<br />
iface eth_701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
#Voice VLAN (eth_1101)<br />
auto eth_1101<br />
iface eth_1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings (the web proxy only forwards for hosts listed in /etc/squid/allowedserviceshosts to domains listed in /etc/squid/allowedservicesdomains, so add this container's address and your apk mirror there first or ''apk update'' will be denied)<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration (password logins are disabled below, so place your public key in /root/.ssh/authorized_keys before relying on SSH instead of the console)<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Todo|Need to setup Firewall rules}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (the recursive resolver; nsd, the authoritative server, is installed further down)<br />
{{Cmd|apk add unbound }}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_WIFI_IP_ADDRESS%><br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
Start Unbound, enable it at boot and point the container's own resolver at it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd configuration<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Configure the zone file for nsd (the file name must match the ''zonefile'' entry in nsd.conf)<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name server: the address nsd listens on (ip-address in nsd.conf)<br />
ns1 IN A <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record: the replacement must be the owner name of the SRV set below (RFC 3263)<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Records: every target needs an A record above<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
nsd-control-setup<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
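nsd-checkconf validates nsd.conf, not the zone data: an SOA MNAME, NS or SRV target without an A record, or a NAPTR whose replacement is not the owner of an SRV set (RFC 3263 requires that it is), loads without complaint and only fails when a phone tries to find the SIP server. The script below is an added example, not part of this page, Alpine or NSD; it reads a zone on stdin and reports those dangling names. The sample zone is constructed (the addresses are made up) and deliberately contains all three mistakes so the output is visible. It assumes the style used above: one record per line, owners and targets relative to $ORIGIN or absolute with a trailing dot.<br />

```sh
#!/bin/sh
# Added example: consistency checks for a zone file in the style shown above.
# Constructed sample zone with deliberate mistakes: the SOA MNAME "ns" and the
# SRV target "vmail" have no A record, and the NAPTR replacement is not the
# owner name of the SRV record set (it should be _sip._udp.office.example.net.).
SAMPLE_ZONE='$ORIGIN office.example.net.
$TTL 86400
@ IN SOA ns admin ( 2013032200 28800 7200 864000 86400 )
@ NS ns1
; name server and SIP hosts
ns1 IN A 10.1.3.66
sip IN A 10.1.11.10
map IN A 10.1.11.11
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.sip.office.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail'

# Shared awk prologue: skip comments, blank lines and directives other than
# $ORIGIN, and normalise absolute names (trailing dot) to names relative to it.
AWK_COMMON='
function rel(n) {
    if (n == origin) return "@"
    if (origin != "" && length(n) > length(origin) &&
        substr(n, length(n) - length(origin) + 1) == origin)
        return substr(n, 1, length(n) - length(origin) - 1)
    return n
}
/^[[:space:]]*;/ || NF == 0 { next }
$1 == "$ORIGIN" { origin = $2; next }
$1 ~ /^\$/ { next }
'

# dangling_a_targets  (zone on stdin)
# Names used as SOA MNAME, NS target or SRV target that have no A record.
dangling_a_targets() {
    awk "$AWK_COMMON"'
    { for (i = 2; i <= NF; i++) {
        if ($i == "A")   a[$1] = 1
        if ($i == "SOA") want[rel($(i + 1))] = 1
        if ($i == "NS" || $i == "SRV") want[rel($NF)] = 1
      } }
    END { for (n in want) if (!(n in a)) print n }' | sort
}

# dangling_naptr_replacements  (zone on stdin)
# NAPTR replacements that are not the owner of an SRV record set.
dangling_naptr_replacements() {
    awk "$AWK_COMMON"'
    { for (i = 2; i <= NF; i++) {
        if ($i == "SRV")   srv[$1] = 1
        if ($i == "NAPTR") naptr[rel($NF)] = 1
      } }
    END { for (n in naptr) if (!(n in srv)) print n }' | sort
}

# Stand-alone run over the sample zone.
echo "targets without an A record:"
printf '%s\n' "$SAMPLE_ZONE" | dangling_a_targets
echo "NAPTR replacements without an SRV set:"
printf '%s\n' "$SAMPLE_ZONE" | dangling_naptr_replacements
```

Run both functions on the real file (''dangling_a_targets < /etc/nsd/office.example.net.zone'') before each serial bump; empty output from both means every name the SIP discovery chain walks through resolves inside the zone.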
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|To leave the console without stopping the container press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}} (the lxc-console escape sequence)}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings (the web proxy only forwards for hosts listed in /etc/squid/allowedserviceshosts to domains listed in /etc/squid/allowedservicesdomains, so add this container's address and your apk mirror there first or ''apk update'' will be denied)<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration (password logins are disabled below, so place your public key in /root/.ssh/authorized_keys before relying on SSH instead of the console)<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
==Setup Firewall==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
==Install and Configure Postgresql==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf to set the 'listen_addresses' and 'log_destination' variables as shown. Kamailio is installed in this same container, so 'localhost' is sufficient unless another host must reach the database; the awall policy above does not open the PostgreSQL port in any case.<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
== Install Kamailio ==<br />
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9788
Small Office Services
2014-01-20T14:08:35Z
<p>Cewebb: /* Install and Configure DHCP and DNS services */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
up ip link set $IFACE up<br />
up bond-mode balance-tlb<br />
up bond-miimon 100<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
This takes effect immediately but does not survive a reboot; to have it re-applied at boot, also set <code>net.ipv4.ip_forward = 1</code> in /etc/sysctl.conf (which lbu commit saves along with the rest of /etc).<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure the firewall rules to be restored automatically when the host boots<br />
{{Cmd| rc-update add awall}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN awall policy to allow this proxy out to the internet<br />
{{Note|This is configured in the awall setup of the DMVPN box, not inside the container. The object below is one entry in that file's "filter" list; $WEB_PROXY is an awall variable that must be defined in the same configuration}}<br />
{{cat|/etc/awall/optional/internet-host.json|<br />
...<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
}<br />
...<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access hosts listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
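The http_access lines above are evaluated top to bottom: every ACL on a line must match, the first matching line decides, and when no line matches Squid applies the opposite of the last line. That is why a CONNECT to a non-SSL port from an allowed subnet is still refused by the earlier deny line. The following Python script is an added example (not part of this page or of Squid) that simulates that first-match evaluation for the page's ACL names; the subnet and the three allow-list files are constructed stand-ins for the <%...%> placeholders.<br />

```python
"""Simulate Squid's first-match evaluation of the page's http_access lines.

Added example, not from the wiki page or from Squid.  ACL names follow the
page's squid.conf; the subnet and list-file contents are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%> and the three
# list files.  In a dstdomain entry a leading dot matches the domain and all
# its subdomains; without the dot Squid matches the exact name only.
ZONE_B = ipaddress.ip_network("10.1.3.0/24")
ALLOWED_USER_DOMAINS = [".example.net", "www.vendor.example.com"]
ALLOWED_SERVICE_HOSTS = [ipaddress.ip_network("10.1.3.10/32")]
ALLOWED_SERVICE_DOMAINS = [".repo.example.com"]

# Port lists copied from the acl lines above.
SAFE_PORTS = {21, 70, 80, 81, 210, 280, 443, 563, 499, 591, 777,
              1024, 1022} | set(range(1025, 65536))
SSL_PORTS = {443, 563, 8004, 9000}


@dataclass(frozen=True)
class Request:
    src: str      # client IP address
    method: str   # GET, POST, CONNECT, ...
    host: str     # destination host name
    port: int     # destination port


def dstdomain(entries):
    """Build a matcher with Squid's dstdomain semantics."""
    def match(req):
        for entry in entries:
            if entry.startswith("."):
                if req.host == entry[1:] or req.host.endswith(entry):
                    return True
            elif req.host == entry:
                return True
        return False
    return match


def src(networks):
    """Build a matcher for a src ACL given a list of networks."""
    return lambda req: any(ipaddress.ip_address(req.src) in n for n in networks)


ACLS = {
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "SSL_ports": lambda r: r.port in SSL_PORTS,
    "CONNECT": lambda r: r.method == "CONNECT",
    "Zone_B": src([ZONE_B]),
    "Zone_B_AllowedUserDomains": dstdomain(ALLOWED_USER_DOMAINS),
    "Zone_B_AllowedServicesHosts": src(ALLOWED_SERVICE_HOSTS),
    "Zone_B_AllowedServicesDomains": dstdomain(ALLOWED_SERVICE_DOMAINS),
    "all": lambda r: True,
}

# The client-facing http_access lines from the page, in order.  The manager
# and purge lines are left out: they only concern requests from localhost.
HTTP_ACCESS = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["Zone_B", "Zone_B_AllowedUserDomains"]),
    ("allow", ["Zone_B_AllowedServicesHosts", "Zone_B_AllowedServicesDomains"]),
    ("deny", ["all"]),
]


def acl_matches(name, req):
    """Evaluate one ACL reference, honouring a leading '!' (negation)."""
    negated = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negated


def http_access(req):
    """Return (action, line_number) for a request.

    All ACLs on one line must match (AND); the first matching line wins.  If
    nothing matches, Squid applies the opposite of the last line's action,
    reported here as line number 0.
    """
    for number, (action, names) in enumerate(HTTP_ACCESS, start=1):
        if all(acl_matches(n, req) for n in names):
            return action, number
    return ("allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"), 0


if __name__ == "__main__":
    for req in [
        Request("10.1.3.25", "GET", "www.example.net", 80),
        Request("10.1.3.25", "CONNECT", "www.example.net", 8443),
        Request("10.1.3.25", "GET", "www.example.org", 80),
        Request("10.1.3.10", "GET", "mirror.repo.example.com", 80),
        Request("192.168.9.5", "GET", "www.example.net", 80),
    ]:
        print(req, "->", http_access(req))
```

Run it directly to see the decision and the deciding line number for a handful of constructed requests: the Zone_B allow line only fires for destinations in alloweduserdomains, and everything else falls through to the final deny all.<br />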
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make the 'squid' and 'lighttpd' users members of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks for the netserv container<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto eth0<br />
iface eth0 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
up ip address add <%MANAGEMENT_IP_ADDRESS2%>/26 dev eth0<br />
<br />
#WiFi VLAN<br />
auto eth1<br />
iface eth1 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
#Voice VLAN<br />
auto eth2<br />
iface eth2 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Todo|Need to setup Firewall rules}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
option domain-name "office.example.net";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package<br />
{{Cmd|apk add unbound}}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
With your favorite editor, create a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_WIFI_IP_ADDRESS%><br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
Start Unbound and allow the container to use it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%NETSERV_MANAGEMENT_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Configure the zone file for nsd (the file named by 'zonefile' above, relative to 'zonesdir')<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Records<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.sip.office.example.net.<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.vmail.office.example.net.<br />
<br />
;SIP SRV Record<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
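Before starting nsd it is worth checking that every NS and SRV target in the zone actually has an address record, because nsd-checkconf only validates nsd.conf, not the zone contents, and a SRV record pointing at a name without an A record silently breaks phone registration. The Python script below is an added example (not part of this page or of NSD): it parses a constructed copy of the zone above, with 10.0.0.x addresses standing in for the placeholders and the vmail address record deliberately left out, and reports in-zone targets that have no A or AAAA record.<br />

```python
"""Check that every NS and SRV target inside a zone has an address record.

Added example; not from the wiki page or from NSD.  ZONE is a constructed copy
of the page's zone: 10.0.0.x addresses replace the placeholders and the A
record for 'vmail' is deliberately missing so the check has something to find.
"""

ZONE = """\
$ORIGIN office.example.net.
$TTL 86400

@ IN SOA ns admin (
    2013032200 ; Serial number [yyyymmddnn]
    28800      ; Refresh
    7200       ; Retry
    864000     ; Expire
    86400      ; Min TTL
)

@ NS ns1
; Name server
ns1 IN A 10.0.0.53

; SIP devices (vmail's A record deliberately left out: constructed defect)
sip IN A 10.0.0.10

; SIP SRV records
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""

RRTYPES = {"SOA", "NS", "A", "AAAA", "SRV", "NAPTR", "CNAME", "MX", "TXT"}


def parse_zone(text):
    """Return (origin, records); each record is (owner, type, rdata_tokens).

    Handles ';' comments, $ORIGIN/$TTL directives, an optional 'IN' class, an
    optional leading TTL and parenthesised multi-line records such as the SOA.
    """
    origin, records = None, []
    joined, buf, depth = [], [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0]            # strip comments first
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:                          # record complete
            joined.append(" ".join(buf))
            buf = []
    for line in joined:
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        owner, rest = tokens[0], [t for t in tokens[1:] if t != "IN"]
        if rest and rest[0].isdigit():          # optional per-record TTL
            rest = rest[1:]
        if not rest or rest[0] not in RRTYPES:
            raise ValueError(f"cannot parse record: {line.strip()!r}")
        records.append((owner, rest[0], rest[1:]))
    if origin is None:
        raise ValueError("zone has no $ORIGIN")
    return origin, records


def fqdn(name, origin):
    """Expand '@' and relative names against the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def check_targets(text):
    """List NS/SRV targets inside the zone that have no A/AAAA record."""
    origin, records = parse_zone(text)
    addresses = {fqdn(owner, origin)
                 for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    problems = []
    for owner, rtype, rdata in records:
        if rtype not in ("NS", "SRV"):
            continue
        target = fqdn(rdata[-1], origin)        # target is the last rdata field
        in_zone = target == origin or target.endswith("." + origin)
        if in_zone and target not in addresses:
            problems.append(f"{rtype} {fqdn(owner, origin)} -> {target}: no A/AAAA record")
    return problems


if __name__ == "__main__":
    for problem in check_targets(ZONE) or ["zone targets all resolve"]:
        print(problem)
```

Targets outside the zone (absolute names under another origin) are skipped, since only this zone's own records can be checked offline; adding the missing vmail A record makes the report empty.<br />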
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
nsd-control-setup<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
==Setup Firewall==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
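Each awall policy file used on this page (the host's base.json, the web proxy's webproxy.json, and the sip container's sip.json and syslog.json) is plain JSON, and a stray trailing comma, a common slip when editing these by hand, is not valid JSON. The Python script below is an added example (not from this page or from awall) that parses a policy strictly, points at a trailing comma when that is the reason for a parse failure, flags filter rules with no action or no match criteria, and lists the services that an "out": "_fw" accept rule opens on the container itself; the two sample documents are constructed from the shapes used above.<br />

```python
"""Lint awall policy files before running `awall enable` / `awall activate`.

Added example; not part of the wiki page or of awall.  Strict JSON parsing,
a structural check of each filter rule, and a summary of which services an
'out: _fw' accept rule opens on the host.  Sample documents are constructed.
"""
import json
import re
import sys

# A trailing comma before '}' or ']' is the usual reason a hand-written policy
# fails to parse; the regex only produces a hint, strict parsing decides.
TRAILING_COMMA = re.compile(r",\s*[}\]]")

GOOD_POLICY = """{
  "description": "Phone System",
  "filter": [
    { "out": "_fw", "service": [ "sip", "sip-tls" ], "action": "accept" }
  ]
}"""

BAD_POLICY = """{
  "description": "Phone System",
  "filter": [
    { "out": "_fw", "service": [ "sip", "sip-tls" ], "action": "accept", }
  ]
}"""

MATCH_KEYS = {"in", "out", "src", "dest", "service"}


def as_list(value):
    """awall accepts either a string or a list for 'service'."""
    return value if isinstance(value, list) else [value]


def lint_policy(text):
    """Return {'problems': [...], 'exposed': [...]} for one policy document."""
    result = {"problems": [], "exposed": []}
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        message = f"invalid JSON at line {exc.lineno}: {exc.msg}"
        if TRAILING_COMMA.search(text):
            message += " (trailing comma before '}' or ']')"
        result["problems"].append(message)
        return result
    if not isinstance(doc, dict):
        result["problems"].append("top level must be a JSON object")
        return result

    exposed = set()
    for idx, rule in enumerate(doc.get("filter", [])):
        where = f"filter[{idx}]"
        if not isinstance(rule, dict):
            result["problems"].append(f"{where}: rule is not an object")
            continue
        if "action" not in rule:
            result["problems"].append(f"{where}: missing 'action'")
        if not MATCH_KEYS.intersection(rule):
            result["problems"].append(f"{where}: no match criteria, rule applies to all traffic")
        # '_fw' is the firewall host itself; 'out: _fw' + accept opens a service on it.
        if rule.get("out") == "_fw" and rule.get("action") == "accept":
            exposed.update(as_list(rule.get("service", "<any service>")))

    # A policy entry accepting everything *to* the host would bypass the filters.
    for idx, rule in enumerate(doc.get("policy", [])):
        if isinstance(rule, dict) and rule.get("out") == "_fw" and rule.get("action") == "accept":
            result["problems"].append(f"policy[{idx}]: accepts all traffic to the firewall host")

    result["exposed"] = sorted(exposed)
    return result


if __name__ == "__main__":
    # Usage: python lint_awall.py /etc/awall/optional/*.json
    for path in sys.argv[1:]:
        with open(path) as fh:
            report = lint_policy(fh.read())
        print(path, "exposed:", report["exposed"])
        for problem in report["problems"]:
            print("  !", problem)
```

Run it over /etc/awall/optional/*.json inside each container before activating; the "exposed" list is a quick way to confirm that only the services the container is meant to serve (ssh, https and ping from base.json plus the container's own service) are reachable from the other zones.<br />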
<br />
==Install and Configure Postgresql==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf to set the 'listen_addresses', and the 'log_destination' variables to show:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
{{Todo|Configure Kamailio}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9787
Small Office Services
2014-01-20T14:00:56Z
<p>Cewebb: /* Setup Networking */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing, the recommended Alpine version for the host box running the containers is at least 2.7.3, 64-bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
up ip link set $IFACE up<br />
up bond-mode balance-tlb<br />
up bond-miimon 100<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
This takes effect immediately but does not survive a reboot; set net.ipv4.ip_forward to 1 in /etc/sysctl.conf as well (and make sure the sysctl boot service is enabled), then commit the change with lbu.<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Load the saved rules at boot (awall activate writes them to /etc/iptables/rules-save, which the iptables service restores)<br />
{{Cmd|rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf. The containers attach to the VLAN sub-interfaces as macvlan devices in bridge mode: containers on the same parent interface can talk to each other and to the rest of the VLAN, but the host itself cannot reach them through that parent interface (use lxc-console, or another host on the VLAN, to manage them).<br />
{{cat|/etc/lxc/default.conf|<br />
## macvlan in bridge mode: containers on the same VLAN can see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEBPROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN router's awall policy so that only this proxy may reach the Internet directly; the other LAN hosts go through it.<br />
{{Note| This is configured on the DMVPN router, not in the container. Zones B and E and the variable $WEB_PROXY must already be defined in that awall configuration.}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"description": "Allow the web proxy out to the Internet",<br />
<br />
"filter": [<br />
{ "in": "B", "out": "E", "src": "$WEB_PROXY", "action": "accept" }<br />
]<br />
}<br />
}}<br />
<br />
Configure remote administration. Put your public key in /root/.ssh/authorized_keys first: once password authentication is off, a key is the only way in over SSH (lxc-console from the host still works).<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# No proxy authentication is configured; 'userlist' matches every client<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
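Because http_access is evaluated top to bottom and the first matching line decides, the order of the lines above is the policy: the port and CONNECT checks must come before the zone allows, and the final deny all must stay last. The following added example (not from this page or from Squid) reimplements that first-match semantics for the ACL types the config uses (src, dstdomain, port, method) so the intended behaviour can be checked against sample requests before the proxy is exposed. The LAN subnet, the list-file contents and the client addresses are constructed values standing in for the page's placeholders.<br />

```python
"""Squid http_access evaluation for the squid.conf above (added example)."""
import ipaddress
from urllib.parse import urlsplit


class Request:
    """One proxied request: client address, method and absolute URL
    (for CONNECT the URL is just host:port, as Squid receives it)."""

    def __init__(self, src, method, url):
        self.src = ipaddress.ip_address(src)
        self.method = method.upper()
        if self.method == "CONNECT":
            host, _, port = url.rpartition(":")
            self.host, self.port, self.path = host.lower(), int(port), ""
        else:
            u = urlsplit(url)
            self.host = (u.hostname or "").lower()
            self.port = u.port or {"http": 80, "https": 443, "ftp": 21}.get(u.scheme, 80)
            self.path = u.path


def src_acl(*cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(r.src in n for n in nets)


def dstdomain_acl(*domains):
    """Squid dstdomain: 'example.net' matches that name only,
    '.example.net' matches it and every subdomain."""
    def match(r):
        for d in domains:
            if d.startswith(".") and (r.host == d[1:] or r.host.endswith(d)):
                return True
            if r.host == d:
                return True
        return False
    return match


def port_acl(*ports):
    allowed = set()
    for p in ports:
        lo, hi = p if isinstance(p, tuple) else (p, p)
        allowed.update(range(lo, hi + 1))
    return lambda r: r.port in allowed


def method_acl(name):
    return lambda r: r.method == name


# ACL names as in the page's squid.conf; the subnet and the list-file
# contents are constructed sample values (assumptions, not from the page).
ACLS = {
    "all": lambda r: True,
    "localhost": src_acl("127.0.0.1/32"),
    "manager": lambda r: r.path.startswith("/squid-internal-mgr/"),
    "purge": method_acl("PURGE"),
    "CONNECT": method_acl("CONNECT"),
    "SSL_ports": port_acl(443, 563, 8004, 9000),
    "Safe_ports": port_acl(21, 70, 80, 81, 210, 280, 443, 563, 499, 591, 777,
                           1024, 1022, (1025, 65535)),
    "Zone_B": src_acl("10.1.1.0/24"),                        # assumed LAN_SUBNET
    "Zone_B_AllowedUserDomains": dstdomain_acl(".alpinelinux.org"),
    "Zone_B_AllowedServicesHosts": src_acl("10.1.1.50/32"),  # e.g. a package mirror
    "Zone_B_AllowedServicesDomains": dstdomain_acl(".example.net"),
}

# http_access lines in the order they appear in the page's squid.conf.
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["Zone_B", "Zone_B_AllowedUserDomains"]),
    ("allow", ["Zone_B_AllowedServicesHosts", "Zone_B_AllowedServicesDomains"]),
    ("deny", ["all"]),
]


def http_access(req, rules=HTTP_ACCESS, acls=ACLS):
    """First matching line wins; a line matches when every ACL on it matches
    ('!' negates). If no line matches, Squid applies the opposite of the
    last line's action, which is why the list must end with 'deny all'."""
    action = "deny"
    for action, terms in rules:
        if all(acls[t.lstrip("!")](req) != t.startswith("!") for t in terms):
            return action
    return "deny" if action == "allow" else "allow"


if __name__ == "__main__":
    for args in [("10.1.1.20", "GET", "http://wiki.alpinelinux.org/"),
                 ("10.1.1.20", "CONNECT", "wiki.alpinelinux.org:8080"),
                 ("10.1.2.9", "GET", "http://wiki.alpinelinux.org/")]:
        print(args, "->", http_access(Request(*args)))
```

Running it shows, for instance, that a LAN client may CONNECT to an allowed domain on 443 but not on 8080, and that a request from outside Zone_B is denied even for an allowed domain. If the closing deny all were dropped, a request matching no line would be decided by the opposite of the last line's action; http_access() reproduces that rule so the effect of such an edit can be seen before it reaches the proxy.<br />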
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_alias",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config. This container sits on three VLANs, so it gets three macvlan interfaces; the lxc.network.name values are the names the interfaces file inside the container will use, so keep the two in step (eth0 management, eth1 WiFi, eth2 voice):<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth0<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth1<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth2<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto eth0<br />
iface eth0 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
up ip address add <%MANAGEMENT_IP_ADDRESS2%>/26 dev eth0<br />
<br />
#WiFi VLAN<br />
auto eth1<br />
iface eth1 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
#Voice VLAN<br />
auto eth2<br />
iface eth2 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Todo|Need to setup Firewall rules}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the DHCP server package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option domain-name-servers <%DMVPN_LAN_IP_ADDRESS%>;<br />
option domain-name "office.example.net";<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (the recursive resolver for the WiFi and Voice VLANs; nsd, the authoritative server, is installed further below)<br />
{{Cmd|apk add unbound }}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_WIFI_IP_ADDRESS%><br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%MANAGEMENT_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
Start Unbound, enable it at boot, and point the container's own resolver at it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd configuration<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%MANAGEMENT_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Configure the zone file for nsd. The SOA MNAME and the NS record name the same server, whose A record is the address nsd listens on, and the NAPTR replacement is the owner name of the _sip._udp SRV set below, as RFC 3263 requires.<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name server: the address nsd listens on<br />
ns1 IN A <%MANAGEMENT_IP_ADDRESS2%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record pointing SIP clients at the _sip._udp SRV set<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Records<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
nsd-control-setup<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
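nsd-checkconf validates nsd.conf, not the zone's internal consistency. Before loading a zone it pays to check that every name the records point at actually exists: SRV targets need address records, and the NAPTR replacement must be the owner of the _sip._udp SRV set (RFC 3263), otherwise a phone following NAPTR then SRV fails quietly. The following added example (not from this page or from nsd) parses the small master-file subset the zone above uses and lists such dangling targets. The addresses are constructed stand-ins for the placeholders, and the first sample zone carries two deliberate defects (a host entered as map where the SRV says vmail, and a NAPTR replacement that owns no SRV set) for the check to find.<br />

```python
"""Dangling-target check for a small nsd zone file (added example)."""

# Constructed sample: the page's zone with two deliberate defects.
ZONE_BROKEN = """\
$ORIGIN office.example.net.
$TTL 86400

@ IN SOA ns1 admin (
        2013032200 ; Serial number [yyyymmddnn]
        28800      ; Refresh
        7200       ; Retry
        864000     ; Expire
        86400      ; Min TTL
        )

@ NS ns1
ns1 IN A 10.1.3.66
sip IN A 10.1.11.10
map IN A 10.1.11.11
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.sip.office.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""

# Same zone with both defects corrected.
ZONE_FIXED = (ZONE_BROKEN
              .replace("map IN A", "vmail IN A")
              .replace("_sip._udp.sip.office.example.net.", "_sip._udp.office.example.net."))


def fqdn(name, origin):
    """Absolute, lower-cased name; '@' is the origin, relative names get it appended."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text):
    """Return (origin, [(owner, rtype, rdata_tokens), ...]). Handles ';'
    comments, $ORIGIN/$TTL, optional TTL and class fields, a record
    continued across lines inside ( ), and an omitted owner (reuses the
    previous one), which is all the page's zone needs."""
    origin, records, buf, depth, prev = ".", [], [], 0, "."
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()            # drop comments
        if not buf:
            if not line.strip():
                continue
            first = line
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth > 0:                                    # still inside ( ... )
            continue
        tokens, buf = " ".join(buf).split(), []
        if tokens[0].startswith("$"):                    # $ORIGIN / $TTL
            if tokens[0].upper() == "$ORIGIN":
                origin = tokens[1].lower()
            continue
        owner = prev if first[0].isspace() else fqdn(tokens.pop(0), origin)
        prev = owner
        if tokens and tokens[0].isdigit():               # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):  # optional class
            tokens.pop(0)
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return origin, records


def dangling_targets(text):
    """Sorted (rtype, owner, target) for in-zone targets lacking the record
    type they need: A/AAAA for NS, SOA MNAME and SRV; SRV for an 's' NAPTR."""
    origin, records = parse_zone(text)
    have = {(owner, rtype) for owner, rtype, _ in records}

    def in_zone(name):
        return name == origin or name.endswith("." + origin)

    def has(name, *types):
        return any((name, t) in have for t in types)

    problems = []
    for owner, rtype, rdata in records:
        if rtype in ("NS", "SOA"):
            target, needed = fqdn(rdata[0], origin), ("A", "AAAA")
        elif rtype == "SRV" and rdata[3] != ".":
            target, needed = fqdn(rdata[3], origin), ("A", "AAAA")
        elif rtype == "NAPTR" and rdata[5] != "." and rdata[2].strip('"').lower() == "s":
            target, needed = fqdn(rdata[5], origin), ("SRV",)
        else:
            continue
        if in_zone(target) and not has(target, *needed):
            problems.append((rtype, owner, target))
    return sorted(problems)


if __name__ == "__main__":
    for problem in dangling_targets(ZONE_BROKEN):
        print("dangling %s at %s -> %s" % problem)
    print("fixed zone problems:", dangling_targets(ZONE_FIXED))
```

Only names inside the zone are checked; an NS or SRV target in another zone is left to that zone's operator. The check is deliberately narrow (it does not validate serial format, TTLs or rdata syntax), so run it alongside nsd's own tools rather than instead of them.<br />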
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
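The webproxy, netserv and sip containers all disable password logins with the same two sed substitutions. Each substitution only matches a line that has exactly one character (the leading #) in front of the keyword, so a config in which PasswordAuthentication yes is already uncommented is silently left alone and password logins stay enabled. The following added example (not from this page or from OpenSSH) shows an idempotent way to set the directives and a check of the value sshd will actually use; the sample sshd_config text is constructed. On the container itself the equivalent check is sshd -T, which prints the effective configuration.<br />

```python
"""Idempotent sshd_config edits and a check of the effective value (added example)."""
import re

# Constructed stand-in for a stock sshd_config (defaults commented out).
STOCK = """\
# This is the sshd server system-wide configuration file.
#Port 22
#PasswordAuthentication yes
#PermitEmptyPasswords no
#UseDNS yes
Subsystem sftp /usr/lib/ssh/sftp-server
"""

# Same file after someone has already turned password logins on explicitly.
UNCOMMENTED = STOCK.replace("#PasswordAuthentication yes", "PasswordAuthentication yes")


def page_sed(text, key, old, new):
    """Python equivalent of the page's sed 's/.KEY old/KEY new/' (no 'g' flag,
    one substitution per line; '.' does not cross a newline in sed either)."""
    return re.sub(rf".{re.escape(key)} {re.escape(old)}", f"{key} {new}", text)


def set_directive(text, key, value):
    """Return text with exactly one active '<key> <value>' line: the first
    active or commented occurrence of key is replaced in place, later
    occurrences are dropped, and the line is appended if key never appears."""
    occurrence = re.compile(rf"^\s*#?\s*{re.escape(key)}\b", re.IGNORECASE)
    out, done = [], False
    for line in text.splitlines():
        if occurrence.match(line):
            if not done:
                out.append(f"{key} {value}")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


def effective_value(text, key):
    """Value sshd will use for key (first non-comment line wins, keywords are
    case-insensitive), or None when the directive is absent and the
    compiled-in default applies."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if parts[0].lower() == key.lower():
            return parts[1].strip() if len(parts) > 1 else ""
    return None


def harden(text):
    """The two settings the page applies to every container."""
    text = set_directive(text, "PasswordAuthentication", "no")
    return set_directive(text, "UseDNS", "no")


if __name__ == "__main__":
    for label, sample in (("stock", STOCK), ("uncommented", UNCOMMENTED)):
        via_sed = page_sed(sample, "PasswordAuthentication", "yes", "no")
        print(label, "sed ->", effective_value(via_sed, "PasswordAuthentication"),
              "| set_directive ->", effective_value(harden(sample), "PasswordAuthentication"))
```

On the stock file both approaches give PasswordAuthentication no; on the already-uncommented file the sed leaves yes in place while set_directive() still produces no. Whichever way the file is edited, check the outcome rather than the edit: effective_value() here, sshd -T on the container.<br />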
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure PostgreSQL ==<br />
Install the PostgreSQL package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf so that the server listens only on the SIP container's address and logs through syslog (if Kamailio will run in this same container, 'localhost' is enough and exposes less):<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
{{Todo| configure Kamailio}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9786
Small Office Services
2014-01-20T13:56:47Z
<p>Cewebb: /* Enter the sip container */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
up ip link set $IFACE up<br />
up bond-mode balance-tlb<br />
up bond-miimon 100<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.601 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for a wall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure ip_tables to start automatically when host is booted up<br />
{{Cmd| rc-update add awall}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/iniit.d/lxc.webproxy}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN router's awall policy so that this proxy, and only this proxy, can reach the Internet. The file below is a complete optional policy for the DMVPN box; zones B and E and the $WEB_PROXY variable (holding <%WEBPROXY_IP_ADDRESS%>) are assumed to be defined in the DMVPN policies. awall policy files are JSON, so a hand-typed rule must not carry trailing commas.<br />
{{Note| this is configured on the DMVPN awall config, not inside the container}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"description": "Web proxy to Internet",<br />
<br />
"filter": [<br />
{ "in": "B", "out": "E", "src": "$WEB_PROXY", "action": "accept" }<br />
]<br />
}<br />
}}<br />
<br />
Configure remote administration. Put your SSH public key in /root/.ssh/authorized_keys before running this: once PasswordAuthentication is off, a container without a key can only be reached through lxc-console on the host. The sed patterns below match the directive whether or not it is commented out; check afterwards with grep that both lines are present.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS.*/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Squid's own authentication is not configured (the section above is empty);<br />
# user login is handled by the Squark rewriter below. This ACL matches every<br />
# client and is not referenced by any http_access line.<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed above<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
# ICP is not enabled (no icp_port is set); deny it rather than leaving it open<br />
icp_access deny all<br />
</pre><br />
}}<br />
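To see what the http_access section above does with a given request, here is an added example (it is not part of this page or of Squid): a small Python model of Squid's evaluation order over the page's own rules. The LAN network, the service host and the two domain lists are constructed values standing in for the <%...%> placeholders and the /etc/squid/*domains files. It shows that a line matches only when all of its ACLs match, that the first matching line decides, that a dstdomain entry with a leading dot also covers subdomains, and why a CONNECT to a non-SSL port is refused even for an allowed domain.<br />

```python
"""Added example, not part of the wiki page: a small model of how Squid walks
the http_access lines in the squid.conf above.

  * every ACL named on one http_access line must match (AND); a leading '!'
    negates that single ACL;
  * lines are tried top to bottom and the FIRST fully matching line decides;
  * a dstdomain entry with a leading dot matches the domain and all of its
    subdomains, one without matches that exact name only;
  * src matches the client address against CIDR networks, port the
    destination port, method the request method.
The network, host and domain lists are constructed values standing in for the
page's <%...%> placeholders and the /etc/squid/*domains files.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src: str      # client IP address
    method: str   # GET, CONNECT, ...
    host: str     # destination host name
    port: int     # destination port


# ACL name -> (type, values), following the acl lines in squid.conf.
ACLS = {
    "Safe_ports": ("port", {21, 70, 80, 81, 210, 280, 443, 563, 499, 591,
                            777, 1024, 1022, *range(1025, 65536)}),
    "SSL_ports": ("port", {443, 563, 8004, 9000}),
    "CONNECT": ("method", {"CONNECT"}),
    "Zone_B": ("src", ["192.0.2.0/24"]),                        # constructed LAN
    "Zone_B_AllowedUserDomains": ("dstdomain", [".example.net"]),
    "Zone_B_AllowedServicesHosts": ("src", ["192.0.2.10/32"]),   # constructed host
    "Zone_B_AllowedServicesDomains": ("dstdomain", ["updates.example.com"]),
}

# http_access lines in squid.conf order (the manager/purge lines are omitted).
HTTP_ACCESS = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["Zone_B", "Zone_B_AllowedUserDomains"]),
    ("allow", ["Zone_B_AllowedServicesHosts", "Zone_B_AllowedServicesDomains"]),
    ("deny", ["all"]),
]


def acl_matches(name: str, req: Request) -> bool:
    """Evaluate one named ACL against the request."""
    if name == "all":
        return True
    kind, values = ACLS[name]
    if kind == "port":
        return req.port in values
    if kind == "method":
        return req.method.upper() in values
    if kind == "src":
        client = ipaddress.ip_address(req.src)
        return any(client in ipaddress.ip_network(net) for net in values)
    if kind == "dstdomain":
        host = req.host.lower().rstrip(".")
        for entry in values:
            entry = entry.lower()
            if entry.startswith("."):
                if host == entry[1:] or host.endswith(entry):
                    return True
            elif host == entry:
                return True
        return False
    raise ValueError(f"unsupported acl type {kind}")


def line_matches(acls: list, req: Request) -> bool:
    """All ACLs on one http_access line must match, honouring '!' negation."""
    for acl in acls:
        negated = acl.startswith("!")
        if acl_matches(acl.lstrip("!"), req) == negated:
            return False
    return True


def http_access(req: Request) -> tuple:
    """Return (decision, index of the deciding line). Index -1 means no line
    matched; Squid then applies the opposite of the last line's action."""
    for index, (action, acls) in enumerate(HTTP_ACCESS):
        if line_matches(acls, req):
            return action, index
    return ("allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"), -1


if __name__ == "__main__":
    for req in (Request("192.0.2.5", "GET", "www.example.net", 80),
                Request("192.0.2.5", "CONNECT", "www.example.net", 8443),
                Request("198.51.100.7", "GET", "www.example.net", 80)):
        print(req, "->", http_access(req))
```

Because Safe_ports contains 1025-65535, a CONNECT to port 8443 passes the first deny line and is stopped only by the CONNECT/!SSL_ports line; a client outside Zone_B falls through to the final deny all no matter what it asks for.<br />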
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start on when container is booted<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config so that it has one macvlan interface per VLAN this container serves (management, WiFi and voice). The lxc.network.name values are the interface names seen inside the container.<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|To leave the container console, press {{Key|Ctrl}}+{{Key|a}} followed by {{Key|q}} (the lxc-console escape sequence)}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Interface names follow lxc.network.name in the container config<br />
#Management VLAN<br />
auto eth_3<br />
iface eth_3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
#second management address, used by nsd<br />
up ip address add <%MANAGEMENT_IP_ADDRESS2%>/26 dev eth_3<br />
<br />
#WiFi VLAN<br />
auto eth_701<br />
iface eth_701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
#Voice VLAN<br />
auto eth_1101<br />
iface eth_1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration. Install your SSH public key in /root/.ssh/authorized_keys first, since password logins are disabled below and lxc-console on the host is otherwise the only way in.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS.*/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Todo|Need to setup Firewall rules}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option domain-name-servers <%DMVPN_LAN_IP_ADDRESS%>;<br />
option domain-name "office.example.net";<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (the recursive resolver for the WiFi and Voice networks; nsd, the authoritative server for the local zone, is installed further down)<br />
{{Cmd|apk add unbound }}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_WIFI_IP_ADDRESS%><br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
#only the WiFi and Voice subnets served by this resolver should be allowed (example supernet)<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
#local zone served authoritatively by nsd on this container<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: <%MANAGEMENT_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
Start Unbound, enable it at boot and point the container's own resolver at it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd configuration<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%MANAGEMENT_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Create the zone file named in nsd.conf. Every name the zone points at must exist in the zone: the SOA MNAME and the NS record use ns1, which has an A record; the SRV targets sip and vmail both have A records; and the NAPTR with the "s" flag names the owner of the SRV records, _sip._udp.office.example.net., not a host beneath sip or vmail.<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
; Name servers: nsd listens on this address (see ip-address in nsd.conf)<br />
@ IN NS ns1<br />
ns1 IN A <%MANAGEMENT_IP_ADDRESS2%><br />
<br />
; A records for SIP devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
; NAPTR record: with the "s" flag the replacement is the SRV owner name<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
; SIP SRV records (priority 10, weight 1, port 5060)<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
nsd-control-setup<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|To leave the container console, press {{Key|Ctrl}}+{{Key|a}} followed by {{Key|q}} (the lxc-console escape sequence)}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration. Install your SSH public key in /root/.ssh/authorized_keys first, since password logins are disabled below and lxc-console on the host is otherwise the only way in.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS.*/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
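Editing sshd_config with sed, as done for the webproxy, netserv and sip containers above, works on the stock file, but a pattern that anticipates one form of the line does nothing when the directive is already uncommented, sits inside a Match block, or is missing altogether. The following is an added example, not from this page or from OpenSSH: a Python helper that sets the two directives in the global section whatever their current form, appends them if absent, leaves Match blocks alone, and a pre-flight check that authorized_keys already holds a key, because turning password logins off before that leaves only lxc-console. The sshd_config fragments and the key line are constructed samples.<br />

```python
"""Added example, not from the wiki page: a robust replacement for the sed
one-liners that lock down sshd in each container, plus the pre-flight check
that should gate them. harden_sshd_config() sets each wanted directive once in
the global section whatever its current form (commented default, uncommented,
or absent) and does not touch a Match block, because a directive inside one
applies only to that block. ready_for_key_only_login() answers whether
authorized_keys already holds a public key; disabling passwords before that
locks every remote admin out (lxc-console on the host still works).
The sshd_config fragments and the key line below are constructed samples.
"""
import re

HARDENING = {"PasswordAuthentication": "no", "UseDNS": "no"}


def harden_sshd_config(text: str, wanted: dict = HARDENING) -> str:
    """Return sshd_config text with the wanted directives set once, globally."""
    lookup = {k.lower(): (k, v) for k, v in wanted.items()}
    out, done, in_match = [], set(), False
    for line in text.splitlines():
        m = re.match(r"^\s*#?\s*([A-Za-z]+)", line)
        key = m.group(1).lower() if m else ""
        if key == "match" and not in_match:
            # The global section ends here: emit anything still missing first.
            out.extend(_missing(lookup, done))
            done.update(lookup)
            in_match = True
        if key in lookup and not in_match:
            name, value = lookup[key]
            if key not in done:
                out.append(f"{name} {value}")
                done.add(key)
            continue  # drops the commented default and any duplicate
        out.append(line)
    out.extend(_missing(lookup, done))
    return "\n".join(out) + "\n"


def _missing(lookup: dict, done: set) -> list:
    return [f"{name} {value}" for key, (name, value) in lookup.items() if key not in done]


KEY_LINE = r"^(ssh-(ed25519|rsa|dss)|ecdsa-sha2-nistp(256|384|521)|sk-\S+)\s+[A-Za-z0-9+/=]+"


def ready_for_key_only_login(authorized_keys: str) -> bool:
    """True when at least one public key line is present."""
    return any(re.match(KEY_LINE, line.strip()) for line in authorized_keys.splitlines())


# Constructed sample resembling a stock sshd_config with commented defaults.
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
#PasswordAuthentication yes
#UseDNS no
Subsystem sftp /usr/lib/ssh/sftp-server
"""

# Constructed sample with a Match block: the global section must still get
# both directives, and the per-user override must survive untouched.
SAMPLE_WITH_MATCH = """\
Port 22
Match User backup
    PasswordAuthentication yes
"""

SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialOnly000000 admin@example.net"
```

From the host, the container's files are under its rootfs (typically /var/lib/lxc/<name>/rootfs): read etc/ssh/sshd_config, and write back harden_sshd_config() of it only when ready_for_key_only_login() holds for root/.ssh/authorized_keys.<br />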
<br />
==Setup Firewall==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
==Install and Configure Postgresql==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Edit /var/lib/postgresql/9.3/data/postgresql.conf so that 'listen_addresses' and 'log_destination' read:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
{{Note|Listening on <%SIP_IP_ADDRESS%> exposes PostgreSQL to the voice VLAN. The awall policies above do not open port 5432, so keep it closed unless another host needs the database, and restrict pg_hba.conf to the database user Kamailio will use. If only the SIP server in this container needs it, 'localhost' is the safer value.}}<br />
Start up the database and configure PostgreSQL to start at boot<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
{{Todo| configure Kamailio}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9785
Small Office Services
2014-01-20T13:55:26Z
<p>Cewebb: /* Install and Configure DHCP and DNS services */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Type'' '''none''' ''(bond0 itself carries no address; the VLAN sub-interfaces do)''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
up ip link set $IFACE up<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
Enable it now and make it persistent: writing to /proc is lost at reboot, while the sysctl service applies /etc/sysctl.conf at boot (and lbu saves the file)<br />
{{Cmd|echo 1 > /proc/sys/net/ipv4/ip_forward<br />
echo "net.ipv4.ip_forward {{=}} 1" >> /etc/sysctl.conf}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for a wall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure the rules saved by awall activate to be restored automatically when the host boots<br />
{{Cmd| rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|To leave the container console, press {{Key|Ctrl}}+{{Key|a}} followed by {{Key|q}} (the lxc-console escape sequence)}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEBPROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN router's awall policy so that this proxy, and only this proxy, can reach the Internet. The file below is a complete optional policy for the DMVPN box; zones B and E and the $WEB_PROXY variable (holding <%WEBPROXY_IP_ADDRESS%>) are assumed to be defined in the DMVPN policies. awall policy files are JSON, so a hand-typed rule must not carry trailing commas.<br />
{{Note| this is configured on the DMVPN awall config, not inside the container}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"description": "Web proxy to Internet",<br />
<br />
"filter": [<br />
{ "in": "B", "out": "E", "src": "$WEB_PROXY", "action": "accept" }<br />
]<br />
}<br />
}}<br />
<br />
Configure remote administration. Put your SSH public key in /root/.ssh/authorized_keys before running this: once PasswordAuthentication is off, a container without a key can only be reached through lxc-console on the host. The sed patterns below match the directive whether or not it is commented out; check afterwards with grep that both lines are present.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS.*/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
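The security of this squid.conf rests on the order of its http_access lines: Squid tries them top to bottom, a line matches only when every ACL on it matches, and the first matching line decides; when nothing matches, Squid applies the opposite of the last line, which is why the explicit "deny all" must stay last. The following model of that evaluation is an added example, not Squid code and not part of this page: ACL matching is simplified (CIDR membership for src, suffix match for dstdomain, exact port and method), the 10.1.0.0/24 subnet and the domain and host sets are constructed stand-ins for the <%LAN_SUBNET%> placeholder and the /etc/squid/alloweduserdomains, allowedserviceshosts and allowedservicesdomains files.<br />

```python
"""Model of Squid's http_access evaluation for the ACLs and rule order in the
squid.conf above. Added illustration, not Squid code: ACL matching is simplified
and the subnet, domains and hosts below are constructed sample values."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for <%LAN_SUBNET%> and the three /etc/squid list files.
LAN_SUBNET = ipaddress.ip_network("10.1.0.0/24")
ALLOWED_USER_DOMAINS = {"example.net", "alpinelinux.org"}      # alloweduserdomains
ALLOWED_SERVICE_HOSTS = {ipaddress.ip_address("10.1.0.50")}    # allowedserviceshosts
ALLOWED_SERVICE_DOMAINS = {"updates.example.org"}              # allowedservicesdomains


@dataclass(frozen=True)
class Request:
    src: str        # client address (%>a)
    method: str     # GET, CONNECT, PURGE, ...
    host: str       # destination host of the URL
    port: int       # destination port
    scheme: str = "http"


def _dstdomain(host, domains):
    """Squid dstdomain semantics: the listed domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# One predicate per "acl" line of squid.conf, plus Squid's built-in
# 'all', 'localhost' and 'manager'.
ACLS = {
    "all": lambda r: True,
    "localhost": lambda r: ipaddress.ip_address(r.src).is_loopback,
    "manager": lambda r: r.scheme == "cache_object",
    "purge": lambda r: r.method == "PURGE",
    "CONNECT": lambda r: r.method == "CONNECT",
    "SSL_ports": lambda r: r.port in {443, 563, 8004, 9000},
    "Safe_ports": lambda r: r.port in {21, 70, 80, 81, 210, 280, 443, 563, 499,
                                       591, 777, 1024, 1022} or 1025 <= r.port <= 65535,
    "Zone_B": lambda r: ipaddress.ip_address(r.src) in LAN_SUBNET,
    "Zone_B_AllowedUserDomains": lambda r: _dstdomain(r.host, ALLOWED_USER_DOMAINS),
    "Zone_B_AllowedServicesHosts": lambda r: ipaddress.ip_address(r.src) in ALLOWED_SERVICE_HOSTS,
    "Zone_B_AllowedServicesDomains": lambda r: _dstdomain(r.host, ALLOWED_SERVICE_DOMAINS),
}

# The http_access lines from squid.conf, in file order.
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["Zone_B", "Zone_B_AllowedUserDomains"]),
    ("allow", ["Zone_B_AllowedServicesHosts", "Zone_B_AllowedServicesDomains"]),
    ("deny", ["all"]),
]


def acl_matches(name, req):
    """A leading '!' negates the ACL, as in squid.conf."""
    negated = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negated


def http_access(req, rules=HTTP_ACCESS):
    """Return 'allow' or 'deny' the way Squid does: lines are tried in order, a
    line matches only when every ACL on it matches, the first match wins, and
    when no line matches the opposite of the last line's action applies."""
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for req in (Request("10.1.0.10", "GET", "www.example.net", 80),
                Request("10.1.0.10", "CONNECT", "www.example.net", 443),
                Request("10.1.0.10", "CONNECT", "www.example.net", 8080),
                Request("10.1.0.10", "CONNECT", "mail.example.net", 25),
                Request("192.168.5.5", "GET", "www.example.net", 80)):
        print(http_access(req), req)
```

Running the block shows the effect of each rule: a LAN client reaches an allowed domain over port 80 or 443, but a CONNECT to port 25 is stopped by the Safe_ports line and a CONNECT to 8080 by the SSL_ports line before any allow rule is reached, and a client outside Zone_B is caught by the final deny.<br />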
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make the 'squid' and 'lighttpd' users members of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container is booted<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
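Once Squid is running, /var/log/squid/access.log is written in the custom "squark" logformat defined in squid.conf above (%ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG). The parser below is an added example, not part of this page, Squid or Squark: it reads that format and pulls out the denied requests, which is what to look at first when a client reports blocked sites or when a host on the LAN is hitting the proxy with tunnels it should not open. The log lines are constructed and the addresses are documentation ranges.<br />

```python
"""Parser for Squid access.log lines in the 'squark' logformat from squid.conf:
    %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG
Added example, not from the page or from Squid/Squark; sample lines are constructed."""
from collections import Counter

# Field names in the order the squark logformat emits them.
FIELDS = ("timestamp", "elapsed_ms", "client", "result", "bytes", "method",
          "url", "user", "hierarchy", "mime", "group")

# Constructed sample log (documentation addresses, no real traffic).
SAMPLE_LOG = """\
1390000000.123     45 10.1.0.10 TCP_MISS/200 5123 GET http://www.example.net/ - DIRECT/192.0.2.10 text/html -
1390000000.456      1 10.1.0.10 TCP_DENIED/403 1429 CONNECT mail.example.net:25 - HIER_NONE/- text/html -
1390000001.001     12 10.1.0.10 TCP_MISS/200 980 CONNECT www.example.net:443 - DIRECT/192.0.2.10 - -
1390000002.777      1 192.168.5.5 TCP_DENIED/403 1429 GET http://www.example.net/ - HIER_NONE/- text/html -
1390000003.200      3 10.1.0.10 TCP_DENIED/403 1429 CONNECT www.example.net:8080 - HIER_NONE/- text/html -
"""


def parse_line(line):
    """Split one log line into a dict. %6tr pads with spaces, but none of the
    fields contain spaces, so a plain whitespace split is sufficient."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["timestamp"] = float(rec["timestamp"])
    rec["elapsed_ms"] = int(rec["elapsed_ms"])
    rec["bytes"] = int(rec["bytes"])
    # %Ss/%03>Hs is "TCP_DENIED/403": split it into the two status values.
    squid_status, http_status = rec.pop("result").split("/", 1)
    rec["squid_status"] = squid_status
    rec["http_status"] = int(http_status)
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def denied_by_client(text):
    """Number of TCP_DENIED results per client address."""
    return dict(Counter(r["client"] for r in parse_log(text)
                        if r["squid_status"] == "TCP_DENIED"))


def denied_connects(text):
    """Refused CONNECT requests, i.e. tunnels to ports outside SSL_ports or to
    hosts outside the allowed domain lists."""
    return [(r["client"], r["url"]) for r in parse_log(text)
            if r["method"] == "CONNECT" and r["squid_status"] == "TCP_DENIED"]


if __name__ == "__main__":
    print(denied_by_client(SAMPLE_LOG))
    print(denied_connects(SAMPLE_LOG))
```

The same split-by-field approach works for the real file: feed the contents of /var/log/squid/access.log to parse_log and the counters show which client is being refused and which CONNECT destinations the SSL_ports rule is blocking.<br />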
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks for the netserv container<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto eth0<br />
iface eth0 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
up ip address add <%MANAGEMENT_IP_ADDRESS2%>/26 dev eth0<br />
<br />
#WiFi VLAN<br />
auto eth1<br />
iface eth1 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
#Voice VLAN<br />
auto eth2<br />
iface eth2 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Todo|Need to setup Firewall rules}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option domain-name-servers <%DMVPN_LAN_IP_ADDRESS%>;<br />
option domain-name "location.example.net";<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package<br />
{{Cmd|apk add unbound}}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_WIFI_IP_ADDRESS%><br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "location1.example.net"<br />
stub-addr: <%MANAGEMENT_IP_ADDRESS2%><br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
Start Unbound and allow the container to use it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_VOICE_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: <%MANAGEMENT_IP_ADDRESS2%><br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Configure the zone file for nsd (the zonefile named in nsd.conf)<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; NS servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Records<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.sip.office.example.net.<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.vmail.office.example.net.<br />
<br />
;SIP SRV Record<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
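A hand-written zone like the one above is easy to get subtly wrong: an SRV or NS record that points at a name with no A record passes nsd-checkconf (which only checks nsd.conf, not the zone data) but leaves the phones with a target that does not resolve. The checker below is an added example, not part of this page or of nsd: it parses the subset of master-file syntax used in this zone ($ORIGIN, $TTL, a parenthesised SOA, explicit owners with optional TTL and class) and lists every NS and SRV target that has no address record. The zone text is constructed, with sample 10.1.11.0/24 addresses in place of the <%...%> placeholders.<br />

```python
"""Sanity check for a hand-written nsd zone: every NS and SRV target must have an
A/AAAA record in the zone. Added example, not part of the page or of nsd; the
zone below is constructed with sample addresses."""

SAMPLE_ZONE = """\
$ORIGIN office.example.net.
$TTL 86400

@ IN SOA ns1 admin (
        2013032200 ; Serial number [yyyymmddnn]
        28800      ; Refresh
        7200       ; Retry
        864000     ; Expire
        86400 )    ; Min TTL

@       NS  ns1
ns1     IN  A   10.1.11.2

; A records for SIP devices
sip     IN  A   10.1.11.10
vmail   IN  A   10.1.11.11

; SIP SRV records
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""

RECORD_TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "SRV", "NAPTR", "TXT", "MX"}


def _logical_lines(text):
    """Yield one record per string, joining parenthesised multi-line rdata
    (the SOA) and dropping ';' comments."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line.strip())
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf)
            buf = []


def _fqdn(name, origin):
    """Resolve '@' and relative names against the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return a list of (owner, type, rdata_tokens); owner and any NS/CNAME/SRV
    target are made fully qualified so they can be compared directly."""
    origin, records = ".", []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):       # $TTL and other directives
            continue
        owner = _fqdn(tokens[0], origin)
        rest = tokens[1:]
        while rest and (rest[0] in ("IN", "CH") or rest[0].isdigit()):
            rest.pop(0)                      # optional TTL and class
        rtype, rdata = rest[0], rest[1:]
        if rtype not in RECORD_TYPES:
            raise ValueError(f"unsupported record: {line!r}")
        if rtype in ("NS", "CNAME"):
            rdata[0] = _fqdn(rdata[0], origin)
        elif rtype == "SRV":                 # priority weight port target
            rdata[3] = _fqdn(rdata[3], origin)
        records.append((owner, rtype, rdata))
    return records


def dangling_targets(text):
    """Names used as NS or SRV targets that have no A/AAAA record in the zone."""
    records = parse_zone(text)
    addressed = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    missing = set()
    for _, rtype, rdata in records:
        target = rdata[0] if rtype == "NS" else rdata[3] if rtype == "SRV" else None
        if target is not None and target not in addressed:
            missing.add(target)
    return sorted(missing)


if __name__ == "__main__":
    print(dangling_targets(SAMPLE_ZONE))
    # Mislabel the voicemail A record and the SRV target becomes dangling.
    print(dangling_targets(SAMPLE_ZONE.replace("\nvmail ", "\nmap ")))
```

Run it against the real file with dangling_targets(open("/etc/nsd/office.example.net.zone").read()) before starting nsd; an empty list means every SRV and NS target in the zone resolves inside the zone.<br />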
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
nsd-control-setup<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
<br />
= Install the SIP Container =<br />
<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%SIP_NETMASK%><br />
gateway <%DMVPN_SIP_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
==Setup Firewall==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
==Install and Configure Postgresql==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf to set the 'listen_addresses', and the 'log_destination' variables to show:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
{{Todo| configure Kamailio}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9783
Small Office Services
2014-01-20T13:47:35Z
<p>Cewebb: /* Enter the netserv container */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
up ip link set $IFACE up<br />
up bond-mode balance-tlb<br />
up bond-miimon 100<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for a wall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure iptables to restore the saved rules automatically when the host is booted<br />
{{Cmd|rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add rule to DMVPN awall policy to allow this proxy out to the internet<br />
{{Note| this is to be configured on the DMVPN awall config}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
},<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make the 'squid' and 'lighttpd' users members of the squark group<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks the netserv container is attached to<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN (interface names match lxc.network.name in the container config)<br />
auto eth_3<br />
iface eth_3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
up ip address add <%MANAGEMENT_IP_ADDRESS2%>/26 dev eth_3<br />
<br />
#WiFi VLAN<br />
auto eth_701<br />
iface eth_701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
<br />
#Voice VLAN<br />
auto eth_1101<br />
iface eth_1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%VOICE_NETMASK%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set a root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Todo|Need to setup Firewall rules}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option domain-name-servers <%DMVPN_LAN_IP_ADDRESS%>;<br />
option domain-name "location.example.net";<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start the DHCP service and add it to the default runlevel<br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (nsd is installed further below)<br />
{{Cmd|apk add unbound }}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
With your favorite editor, create a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_WIFI_IP_ADDRESS%><br />
interface: <%NETSERV_LAN_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "location1.example.net"<br />
stub-addr: 127.0.0.1<br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
Start Unbound, enable it at boot, and point the container's own resolver at it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_LAN_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd configuration<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: 127.0.0.1<br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Create the zone file for nsd (the zonefile named in nsd.conf, relative to zonesdir)<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
; Name servers<br />
@ NS ns1<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record: flag "s" points clients at the SRV record set below<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Records<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
nsdc rebuild<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
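<br />
nsd-checkconf only validates nsd.conf, and nsd will happily serve a zone whose SRV or NAPTR records point at names that have no records, so it pays to check the zone data itself before starting the service. The script below is an added example, not code from this page or from nsd: it parses a zone file in the layout used above ($ORIGIN, $TTL, a parenthesised SOA, relative and absolute names, quoted NAPTR fields) and lists every SOA, NS, CNAME, MX, SRV or NAPTR target inside the zone that has no records of its own. The sample zone is constructed, uses RFC 5737 documentation addresses in place of the <%...%> placeholders, and deliberately contains three dangling targets (an SOA MNAME that does not exist, a NAPTR replacement that does not match the SRV owner name, and an SRV target with no A record).<br />

```python
import shlex

# Which rdata field (0-based) holds a domain name that should exist somewhere.
TARGET_FIELD = {"SOA": 0, "NS": 0, "CNAME": 0, "MX": 1, "SRV": 3, "NAPTR": 5}
CLASSES = {"IN", "CH", "HS"}

# Constructed zone in the layout of the office.example.net zone above, with
# RFC 5737 documentation addresses in place of the <%...%> placeholders.
SAMPLE_ZONE = """\
$ORIGIN office.example.net.
$TTL 86400

@ IN SOA ns admin (
        2013032200 ; Serial number [yyyymmddnn]
        28800      ; Refresh
        7200       ; Retry
        864000     ; Expire
        86400      ; Min TTL
        )

@ NS ns1
ns1 IN A 192.0.2.53

; A records for SIP devices
sip   IN A 192.0.2.60
map   IN A 192.0.2.61

; NAPTR record: flag "s" means the replacement field names an SRV record set
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.sip.office.example.net.

; SIP SRV records
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""


def _strip_comment(line):
    """Drop a ';' comment unless the ';' sits inside a quoted string."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def _logical_lines(text):
    """Yield (owner_omitted, tokens) with '(' ... ')' continuations joined.
    Parentheses inside quoted strings are not handled (not needed for this zone)."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield buf[0][:1].isspace(), shlex.split(" ".join(buf))
            buf = []


def qualify(name, origin):
    """Turn a zone-file name into an absolute name under origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return [(owner, type, rdata_tokens, origin)] for every record in the zone."""
    origin, owner, records = ".", None, []
    for owner_omitted, toks in _logical_lines(text):
        if not toks:
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0].startswith("$"):          # $TTL and other directives carry no records
            continue
        if owner_omitted:
            rest = toks                       # leading blank: owner repeats from previous record
        else:
            owner, rest = qualify(toks[0], origin), toks[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
            rest = rest[1:]                   # skip optional TTL and class before the type
        if rest:
            records.append((owner, rest[0].upper(), rest[1:], origin))
    return records


def dangling_targets(text):
    """List (owner, type, target) for in-zone targets that have no records of their own."""
    records = parse_zone(text)
    owners = {r[0] for r in records}
    apex = next((r[0] for r in records if r[1] == "SOA"), None)
    problems = []
    for owner, rtype, rdata, origin in records:
        idx = TARGET_FIELD.get(rtype)
        if idx is None or idx >= len(rdata):
            continue
        target = qualify(rdata[idx], origin)
        # names outside this zone are somebody else's problem; only check in-zone targets
        in_zone = apex is not None and (target == apex or target.endswith("." + apex))
        if in_zone and target not in owners:
            problems.append((owner, rtype, target))
    return problems


if __name__ == "__main__":
    for owner, rtype, target in dangling_targets(SAMPLE_ZONE):
        print(f"{owner} {rtype} -> {target}: no records in zone")
```

To check the real file, call dangling_targets(open("/etc/nsd/office.example.net.zone").read()) instead of the sample; an empty list means every in-zone target has records.<br />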
<br />
= Install the SIP Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%SIP_NETMASK%><br />
gateway <%DMVPN_SIP_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set a root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure PostgreSQL ==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf so that the 'listen_addresses' and 'log_destination' settings read:<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
{{Todo| configure Kamailio}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9782
Small Office Services
2014-01-20T13:43:33Z
<p>Cewebb: /* Create and Configure the container */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''none''' ''(bond0 itself carries no address, only its VLAN sub-interfaces do)''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
up ip link set $IFACE up<br />
up bond-mode balance-tlb<br />
up bond-miimon 100<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
This setting is lost at reboot; to keep it, also add <code>net.ipv4.ip_forward = 1</code> to /etc/sysctl.conf.<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure the iptables service to start automatically when the host boots (awall activate saves the rules, the iptables service restores them at boot)<br />
{{Cmd|rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add rule to DMVPN awall policy to allow this proxy out to the internet<br />
{{Note| this is to be configured on the DMVPN awall config}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
},<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set a root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
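<br />
The awall policies on this page (the host's base policy, and the base, webproxy, sip and syslog policies inside the containers) all follow the same shape: an optional "policy" array giving a default action per zone, and a "filter" array of rules keyed by in/out zone, service and action, where "_fw" is the firewall host itself. Hand-edited JSON is easy to break with a stray comma, and a filter rule toward _fw that forgets "service" matches every port. The script below is an added example, not code from this page or from awall: it loads policy files, reports JSON that awall would refuse, and summarises which services each policy accepts toward the host. The three sample policies are constructed inline and the second one deliberately carries a trailing comma after its last value.<br />

```python
import json
from pathlib import Path

# Constructed policy files, modelled on the layout used on this page.
BASE_JSON = """\
{
  "description": "Management",
  "policy": [ { "in": "_fw", "action": "accept" } ],
  "filter": [
    { "out": "_fw", "service": [ "ssh", "https", "ping" ], "action": "accept" }
  ]
}
"""

# A stray comma after the last value: awall's JSON parser will refuse this file.
SIP_JSON_BROKEN = """\
{
  "description": "Phone System",
  "filter": [
    { "out": "_fw", "service": [ "sip", "sip-tls" ], "action": "accept", }
  ]
}
"""

SYSLOG_JSON = """\
{
  "description": "Syslog server",
  "filter": [ { "out": "_fw", "service": "syslog", "action": "accept" } ]
}
"""


def audit_policy(text):
    """Summarise one awall policy: what it accepts toward the firewall host (_fw)
    and anything that looks wrong. Errors are collected rather than raised so a
    whole directory can be reviewed in one pass."""
    report = {"description": None, "fw_inbound": [], "fw_egress_policy": None, "errors": []}
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        report["errors"].append(f"invalid JSON, awall will refuse it: {exc.msg} (line {exc.lineno})")
        return report
    report["description"] = policy.get("description")
    for rule in policy.get("policy", []):
        if rule.get("in") == "_fw":            # default for traffic the host itself originates
            report["fw_egress_policy"] = rule.get("action")
    for rule in policy.get("filter", []):
        if rule.get("out") != "_fw":
            continue
        if "service" not in rule:
            report["errors"].append("filter rule toward _fw has no 'service': it matches every port")
            continue
        services = rule["service"]
        if isinstance(services, str):         # awall accepts a single name or a list
            services = [services]
        if rule.get("action") == "accept":
            report["fw_inbound"].extend(services)
    return report


def audit_directory(path="/etc/awall/optional"):
    """Run audit_policy over every policy file in a directory (default: awall's optional dir)."""
    return {p.name: audit_policy(p.read_text()) for p in sorted(Path(path).glob("*.json"))}


if __name__ == "__main__":
    samples = (("base.json", BASE_JSON), ("sip.json", SIP_JSON_BROKEN), ("syslog.json", SYSLOG_JSON))
    for name, text in samples:
        print(name, audit_policy(text))
```

On a container, audit_directory() reads /etc/awall/optional directly; run it before awall enable so that a rejected file is caught before the old rule set is replaced.<br />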
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed above<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
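<br />
The logformat line in the configuration above defines the squark format that Squid writes to /var/log/squid/access.log. The script below is an added example, not code from this page or from Squark: it parses lines in that exact field order and reports the two things worth watching on this proxy, namely which clients are accumulating TCP_DENIED results, and any CONNECT that was answered with 200 to a port outside the SSL_ports ACL (443 563 8004 9000), which would mean the CONNECT restriction is no longer in effect. The SSL_PORTS set is copied from that ACL; the log lines are constructed for the example and use documentation addresses.<br />

```python
from collections import Counter

# Ports that the squid.conf above lets CONNECT through (acl SSL_ports).
SSL_PORTS = {443, 563, 8004, 9000}

# Field order of the "squark" logformat from squid.conf:
# %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG
FIELDS = ("ts", "duration_ms", "client", "result", "size",
          "method", "url", "user", "hier", "mime", "rg")

# Constructed sample lines (not real traffic); peers use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
1390000000.123    245 10.1.2.34 TCP_MISS/200 5123 GET http://www.example.net/index.html - HIER_DIRECT/198.51.100.7 text/html HTTP/1.1
1390000001.456      3 10.1.2.34 TCP_DENIED/403 3521 GET http://blocked.example.org/ - HIER_NONE/- text/html HTTP/1.1
1390000002.789     12 10.1.2.57 TCP_MISS/200 0 CONNECT mail.example.net:993 - HIER_DIRECT/192.0.2.10 - HTTP/1.1
1390000003.001     20 10.1.2.57 TCP_DENIED/403 3400 CONNECT 203.0.113.5:22 - HIER_NONE/- text/html HTTP/1.1
1390000004.500    100 10.1.2.99 TCP_HIT/200 8000 GET http://intranet.office.example.net/ jdoe HIER_NONE/- text/html HTTP/1.1
"""


def parse_line(line):
    """Split one squark-format line into a dict, or return None if it does not fit."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["code"], _, rec["http_status"] = rec["result"].partition("/")   # TCP_MISS / 200
    rec["peer"] = rec["hier"].partition("/")[2]                          # server Squid contacted
    return rec


def connect_port(url):
    """CONNECT requests log 'host:port' instead of a URL; return the port or None."""
    _, sep, port = url.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def summarize(log_text):
    """Count denied requests per client and collect CONNECTs that succeeded to non-SSL ports."""
    denied = Counter()
    odd_connects = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["code"].startswith("TCP_DENIED"):
            denied[rec["client"]] += 1
        if rec["method"] == "CONNECT" and rec["http_status"] == "200":
            if connect_port(rec["url"]) not in SSL_PORTS:
                odd_connects.append((rec["client"], rec["url"]))
    return {"denied_per_client": dict(denied),
            "connect_outside_ssl_ports": odd_connects}


if __name__ == "__main__":
    import sys
    # Pass the path to access.log as the only argument; without one the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in summarize(text).items():
        print(f"{key}: {value}")
```

If the logformat line is ever changed, FIELDS must be changed with it; a mismatch shows up as every line being skipped, so an empty summary on a busy proxy is itself a signal.<br />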
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_alias",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make the 'squid' and 'lighttpd' users members of the squark group<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks the netserv container is attached to<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
<br />
#LAN Network Config (eth_101 is configured in the container's /etc/network/interfaces)<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.101<br />
lxc.network.name = eth_101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key|Ctrl}}+{{Key|a}} and then {{Key|q}} (the default lxc-console escape sequence)}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto eth_3<br />
iface eth_3 inet static<br />
address <%NETSERV_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
<br />
#Voice VLAN<br />
auto eth_1101<br />
iface eth_1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%DMVPN_VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
<br />
#LAN VLAN<br />
auto eth_101<br />
iface eth_101 inet static<br />
address <%NETSERV_LAN_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
<br />
#WiFi VLAN<br />
auto eth_701<br />
iface eth_701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%VPNC_WIFI_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
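The Python script below is an added example; it is not part of this page, of Alpine or of LXC. It cross-checks the three files that must agree for a container's networking to come up: the host's /etc/network/interfaces (every bond0.NNN that a container links to must have an iface stanza), the container's /var/lib/lxc/NAME/config (every lxc.network.link must be a host interface) and the container's own /etc/network/interfaces (every interface it configures must have an lxc.network.name entry, and vice versa). The three configuration texts are constructed samples that mirror this page's host and netserv configs; the mismatches they contain are the kind that otherwise only show up as a silent "networking start" failure.<br />

```python
"""Cross-check host VLAN interfaces, an LXC container's network config and the
container's /etc/network/interfaces.  Added example, not from the wiki page;
the three texts below are constructed samples."""
import re

# Constructed sample: host /etc/network/interfaces (note the bond0.601 typo)
HOST_INTERFACES = """\
auto bond0.3
iface bond0.3 inet static
auto bond0.101
iface bond0.101 inet manual
auto bond0.1101
iface bond0.1101 inet manual
auto bond0.701
iface bond0.601 inet manual
"""

# Constructed sample: /var/lib/lxc/netserv/config (LAN entry missing)
LXC_CONFIG = """\
lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.link = bond0.3
lxc.network.name = eth_3

lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.link = bond0.701
lxc.network.name = eth_701

lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.link = bond0.1101
lxc.network.name = eth_1101
"""

# Constructed sample: the container's /etc/network/interfaces
CONTAINER_INTERFACES = """\
auto lo
iface lo inet loopback
auto eth_3
iface eth_3 inet static
auto eth_1101
iface eth_1101 inet static
auto eth_101
iface eth_101 inet static
auto eth_701
iface eth_701 inet static
"""


def ifaces_defined(text):
    """Interfaces that have an 'iface' stanza."""
    return set(re.findall(r'^\s*iface\s+(\S+)', text, re.M))


def ifaces_auto(text):
    """Interfaces listed under 'auto'."""
    names = set()
    for m in re.finditer(r'^\s*auto\s+(.+)$', text, re.M):
        names.update(m.group(1).split())
    return names


def lxc_nics(text):
    """Return (link, name) pairs, one per lxc.network.type block."""
    nics, cur = [], {}
    for line in text.splitlines():
        m = re.match(r'\s*lxc\.network\.(\S+)\s*=\s*(\S+)', line)
        if not m:
            continue
        key, val = m.groups()
        if key == 'type':            # a new 'type' line starts a new NIC
            if cur:
                nics.append(cur)
            cur = {}
        cur[key] = val
    if cur:
        nics.append(cur)
    return [(n.get('link'), n.get('name')) for n in nics]


def check(host_text, lxc_text, container_text):
    """Sorted list of human-readable problems; empty means the three files agree."""
    problems = []
    host_def = ifaces_defined(host_text)
    for name in ifaces_auto(host_text) - host_def:
        problems.append('host: auto %s has no iface stanza' % name)
    nics = lxc_nics(lxc_text)
    for link, name in nics:
        if link not in host_def:
            problems.append('lxc: link %s not defined on host' % link)
    lxc_names = {name for _, name in nics}
    cont_def = ifaces_defined(container_text) - {'lo'}
    for name in cont_def - lxc_names:
        problems.append('container: iface %s has no lxc.network entry' % name)
    for name in lxc_names - cont_def:
        problems.append('container: lxc nic %s is never configured' % name)
    return sorted(problems)


if __name__ == '__main__':
    for p in check(HOST_INTERFACES, LXC_CONFIG, CONTAINER_INTERFACES):
        print(p)
```

Run it on the real files (read them in place of the three sample strings) before the first "lxc-console"; an empty result means every interface the container will try to bring up actually exists on the host side.<br />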
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration. Put the administrator's SSH public key in /root/.ssh/authorized_keys before disabling password authentication, otherwise the only way back in is lxc-console. The sed patterns match the directive whether or not it is still commented out in the shipped sshd_config<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS.*/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
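The Python script below is an added example, not part of this page or of OpenSSH, showing why the sshd_config edit has to be verified rather than trusted. sshd uses the first uncommented occurrence of a directive in the global section, so a sed that only rewrites the commented default ("#PasswordAuthentication yes") leaves an earlier, uncommented "PasswordAuthentication yes" in force. The sample sshd_config is constructed; set_directive() rewrites the first occurrence (commented or not), drops duplicates and appends the line if the key is missing, and effective() reports what sshd will actually use.<br />

```python
"""Set sshd_config directives robustly and verify what sshd will actually use.
Added example, not part of the wiki page.  page_sed() reproduces the effect of
  sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/"
which requires one character before the key, i.e. only a commented line."""
import re

# Directives the page sets; sshd honours the FIRST uncommented occurrence
HARDENING = {'PasswordAuthentication': 'no', 'UseDNS': 'no'}

# Constructed sample sshd_config with an active line AND a commented default
SAMPLE = """\
# constructed sample sshd_config
Port 22
PasswordAuthentication yes
#PasswordAuthentication yes
#UseDNS yes
Subsystem sftp /usr/lib/ssh/sftp-server
"""

MATCH = re.compile(r'\s*Match\b', re.I)   # everything after a Match block is conditional


def page_sed(text):
    """What the page's original sed does: only a line with a character before the key changes."""
    return '\n'.join(re.sub(r'.PasswordAuthentication yes',
                            'PasswordAuthentication no', line)
                     for line in text.splitlines()) + '\n'


def effective(text, key):
    """Value sshd will use for key in the global section: first uncommented line, else None
    (None means OpenSSH's compiled-in default applies, which for PasswordAuthentication is yes)."""
    for line in text.splitlines():
        if MATCH.match(line):
            break
        m = re.match(r'\s*%s\s+(\S+)' % re.escape(key), line, re.I)
        if m:
            return m.group(1)
    return None


def set_directive(text, key, value):
    """Return text with exactly one 'key value' line in the global section: the first
    occurrence (commented or not) is rewritten, later copies dropped, and the line is
    inserted before any Match block if the key never appeared."""
    pat = re.compile(r'\s*#?\s*%s\b' % re.escape(key), re.I)
    out, done, in_match = [], False, False
    for line in text.splitlines():
        if MATCH.match(line):
            in_match = True
        if not in_match and pat.match(line):
            if not done:
                out.append('%s %s' % (key, value))
                done = True
            continue                      # drop duplicate / commented copies
        out.append(line)
    if not done:
        idx = next((i for i, l in enumerate(out) if MATCH.match(l)), len(out))
        out.insert(idx, '%s %s' % (key, value))
    return '\n'.join(out) + '\n'


def harden(text, settings=HARDENING):
    """Apply every directive in settings; idempotent."""
    for key, value in settings.items():
        text = set_directive(text, key, value)
    return text


if __name__ == '__main__':
    print('after page sed :', effective(page_sed(SAMPLE), 'PasswordAuthentication'))
    print('after harden   :', effective(harden(SAMPLE), 'PasswordAuthentication'))
```

On a real box the equivalent check is "sshd -T | grep -i passwordauthentication", which prints the effective value after sshd has parsed the file; run it before "passwd" and before trusting the container from the network.<br />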
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Todo|Need to setup Firewall rules}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package (acf-dhcp pulls in the ISC dhcp server)<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option domain-name-servers <%DMVPN_LAN_IP_ADDRESS%>;<br />
option domain-name "office.example.net";<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (nsd, the authoritative server, is installed further down)<br />
{{Cmd|apk add unbound}}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_WIFI_IP_ADDRESS%><br />
interface: <%NETSERV_LAN_IP_ADDRESS%><br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: 127.0.0.1<br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
Start Unbound and point the container's own resolver at it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_LAN_IP_ADDRESS%> > /etc/resolv.conf}}<br />
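The DHCP and unbound configurations above have to agree: every address dhcpd hands out as domain-name-servers must be an address unbound binds with "interface:", and every DHCP subnet must fall under an "access-control: ... allow" entry, otherwise clients get a resolver that never answers (unbound refuses queries from networks it has no allow for, and silently ignores queries to addresses it is not listening on). The Python script below is an added example, not part of this page or of unbound, that checks this by parsing both files. The two configuration texts are constructed samples with the page's placeholders filled in with made-up 10.1.x.x addresses; the sample unbound.conf deliberately lists only the WiFi and LAN addresses, so the voice subnet's resolver is caught.<br />

```python
"""Cross-check what dhcpd hands out against what unbound actually serves.
Added example, not part of the wiki page; all addresses are constructed."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample mirroring the page's dhcpd.conf with placeholders filled in
DHCPD_CONF = """\
option domain-name-servers 10.1.1.1;
subnet 10.1.11.0 netmask 255.255.255.0
{
range 10.1.11.100 10.1.11.200;
option domain-name-servers 10.1.11.2;
option routers 10.1.11.1;
}
subnet 10.1.7.0 netmask 255.255.255.0
{
range 10.1.7.100 10.1.7.200;
option routers 10.1.7.1;
option domain-name-servers 10.1.7.2;
}
"""

# Constructed sample mirroring the page's unbound.conf (no voice interface)
UNBOUND_CONF = """\
server:
interface: 10.1.7.2
interface: 10.1.1.2
access-control: 10.1.0.0/16 allow
access-control: 127.0.0.0/8 allow
"""


def parse_dhcpd(text):
    """Return {network: [dns servers]} per declared subnet, falling back to the global option."""
    global_dns, subnets, current = [], {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        m = re.match(r'subnet\s+(\S+)\s+netmask\s+(\S+)', line)
        if m:
            current = ip_network('%s/%s' % m.groups())
            subnets[current] = None
            continue
        if line.startswith('}'):
            current = None
            continue
        m = re.match(r'option\s+domain-name-servers\s+(.+?);', line)
        if m:
            servers = [ip_address(s.strip()) for s in m.group(1).split(',')]
            if current is None:
                global_dns = servers
            else:
                subnets[current] = servers
    return {net: (dns if dns is not None else global_dns) for net, dns in subnets.items()}


def parse_unbound(text):
    """Return (set of listening addresses, [(network, action)] in file order)."""
    listen, acl = set(), []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        m = re.match(r'interface:\s*(\S+)', line)
        if m:
            listen.add(ip_address(m.group(1).split('@')[0]))   # strip an optional @port
        m = re.match(r'access-control:\s*(\S+)\s+(\S+)', line)
        if m:
            acl.append((ip_network(m.group(1)), m.group(2)))
    return listen, acl


def check(dhcpd_text, unbound_text):
    """Sorted problems; an empty list means every handed-out resolver will answer."""
    listen, acl = parse_unbound(unbound_text)
    wildcard = ip_address('0.0.0.0') in listen
    problems = []
    for net, servers in parse_dhcpd(dhcpd_text).items():
        # unbound applies the most specific access-control netblock that matches;
        # only 'allow' / 'allow_snoop' answer recursive queries from that client
        matching = [(n, a) for n, a in acl if net.subnet_of(n)]
        if not matching or max(matching, key=lambda x: x[0].prefixlen)[1] not in ('allow', 'allow_snoop'):
            problems.append('%s: not allowed by unbound access-control' % net)
        for s in servers:
            if not wildcard and s not in listen:
                problems.append('%s: dns %s is not an unbound interface' % (net, s))
    return sorted(problems)


if __name__ == '__main__':
    for p in check(DHCPD_CONF, UNBOUND_CONF):
        print(p)
```

Feed it the real /etc/dhcp/dhcpd.conf and /etc/unbound/unbound.conf after editing them; "unbound-checkconf" validates syntax but cannot see what dhcpd promises clients, which is exactly the gap this check closes.<br />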
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Create the nsd configuration (nsd only listens on loopback; unbound forwards queries for the local zone to it)<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: 127.0.0.1<br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Create the zone file for nsd (the file name must match the zonefile entry in nsd.conf)<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record: with the "s" flag the replacement field must be the name of the SRV record set<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Record<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
nsdc rebuild<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
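A zone file loads fine in nsd even when its records point at names that do not exist, and a phone following the NAPTR to an SRV name that has no SRV set, or an SRV target with no A record, simply fails to register. The Python script below is an added example, not part of this page or of nsd, that parses a zone file (handling $ORIGIN, comments and the parenthesised multi-line SOA) and reports every SOA mname, NS, SRV target and NAPTR "s" replacement that has no matching record. The zone text is constructed: it is this page's zone with the placeholders filled in with made-up addresses, written the way the zone looked before its SOA mname, vmail A record and NAPTR replacement were corrected, so the three dangling references are reported.<br />

```python
"""Check that every name an nsd zone's SOA, NS, SRV and NAPTR records point at
exists in the zone.  Added example, not part of the wiki page; the zone below
is constructed (page placeholders filled with made-up 10.1.11.x addresses)."""

# Constructed zone reproducing three dangling references
ZONE = """\
$ORIGIN office.example.net.
$TTL 86400

@ IN SOA ns admin (
2013032200 ; Serial number [yyyymmddnn]
28800 ; Refresh
7200 ; Retry
864000 ; Expire
86400 ; Min TTL
)

@ NS ns1
ns1 IN A 10.1.11.2
sip IN A 10.1.11.10
map IN A 10.1.11.11
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.sip.office.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""

CLASSES = {'IN', 'CH', 'HS'}
# rdata positions that hold domain names and must be made absolute
NAME_FIELDS = {'SOA': (0, 1), 'NS': (0,), 'CNAME': (0,), 'SRV': (3,), 'NAPTR': (5,)}


def parse_zone(text):
    """Return [(owner, rtype, rdata tokens)]; owners and name-valued rdata are absolute
    without the trailing dot.  Every record line must carry its owner (no blank-owner
    continuation), which is how the page's zone is written."""
    origin, records, buf, depth = '', [], [], 0

    def absolute(name):
        if name == '@':
            return origin
        return name[:-1] if name.endswith('.') else name + '.' + origin

    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith('$ORIGIN'):
            origin = line.split()[1].rstrip('.')
            continue
        if line.startswith('$'):                # $TTL and friends carry no records
            continue
        buf.append(line)
        depth += line.count('(') - line.count(')')
        if depth > 0:
            continue                            # inside parenthesised multi-line rdata
        tokens = ' '.join(buf).replace('(', ' ').replace(')', ' ').split()
        buf = []
        owner, rest = absolute(tokens[0]), tokens[1:]
        while rest[0].isdigit() or rest[0] in CLASSES:   # optional TTL and class
            rest.pop(0)
        rtype, rdata = rest[0].upper(), rest[1:]
        fields = NAME_FIELDS.get(rtype, ())
        rdata = [absolute(t) if i in fields else t for i, t in enumerate(rdata)]
        records.append((owner, rtype, rdata))
    return records


def check_zone(text):
    """Sorted list of dangling references; empty means the zone is internally consistent."""
    records = parse_zone(text)
    addresses = {o for o, t, _ in records if t in ('A', 'AAAA')}
    srv_owners = {o for o, t, _ in records if t == 'SRV'}
    problems = []
    for owner, rtype, rdata in records:
        if rtype == 'SOA' and rdata[0] not in addresses:
            problems.append('SOA mname %s has no address record' % rdata[0])
        elif rtype == 'NS' and rdata[0] not in addresses:
            problems.append('NS %s has no address record' % rdata[0])
        elif rtype == 'SRV' and rdata[3] not in addresses:
            problems.append('SRV %s target %s has no address record' % (owner, rdata[3]))
        elif rtype == 'NAPTR' and rdata[2].strip('"').lower() == 's' and rdata[5] not in srv_owners:
            problems.append('NAPTR replacement %s has no SRV record' % rdata[5])
    return sorted(problems)


if __name__ == '__main__':
    for p in check_zone(ZONE):
        print(p)
```

Run it against /etc/nsd/office.example.net.zone after every edit and before "nsdc rebuild"; nsd-checkconf only validates nsd.conf, not the zone's internal consistency.<br />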
<br />
= Install the SIP Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key|Ctrl}}+{{Key|a}} and then {{Key|q}} (the default lxc-console escape sequence)}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%DMVPN_VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration. Put the administrator's SSH public key in /root/.ssh/authorized_keys before disabling password authentication, otherwise the only way back in is lxc-console. The sed patterns match the directive whether or not it is still commented out in the shipped sshd_config<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS.*/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
==Setup Firewall==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
==Install and Configure Postgresql==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf to set 'listen_addresses' and 'log_destination' as shown. Binding to the container's address only makes the port reachable; which clients may then connect, and how they authenticate, is still governed by pg_hba.conf in the same directory<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
{{Todo|Configure Kamailio}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9779
Small Office Services
2014-01-17T15:21:46Z
<p>Cewebb: /* Install and Configure Postgresql */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Type'' '''none''' ''(bond0 itself carries no address; the VLAN sub-interfaces do)''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP_ADDRESS%>''':8080'' (the DMVPN router's proxy; the webproxy container does not exist yet)<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
The first command takes effect immediately; the second makes the setting survive a reboot, since /proc is not saved by lbu<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward<br />
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json. It accepts everything the host itself originates and, inbound, only ssh, https (ACF) and ping<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure the iptables service to restore the rule set that awall activate saved, so the firewall is up when the host boots<br />
{{Cmd|rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key|Ctrl}}+{{Key|a}} and then {{Key|q}} (the default lxc-console escape sequence)}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN router's awall policy so that this proxy, and only this proxy, is allowed out to the Internet<br />
{{Note|This file is created on the DMVPN router, not in the container. Zones B and E and the $WEB_PROXY variable are the ones declared in the DMVPN awall configuration: B is the LAN zone (the same subnet Squid below calls Zone_B) and E is the zone the proxy has to reach}}<br />
{{cat|/etc/awall/optional/internet-host.json|<br />
{<br />
"description": "Web proxy to Internet",<br />
<br />
"filter": [<br />
{ "in": "B", "src": "$WEB_PROXY", "out": "E", "action": "accept" }<br />
]<br />
}<br />
}}<br />
<br />
Configure remote administration. Put the administrator's SSH public key in /root/.ssh/authorized_keys before disabling password authentication, otherwise the only way back in is lxc-console. The sed patterns match the directive whether or not it is still commented out in the shipped sshd_config<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS.*/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access hosts listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Denying all access not explictly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_alias",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make the 'squid' and 'lighttpd' users members of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks for the netserv container: one macvlan interface per VLAN the container serves (management, LAN, WiFi and voice), each named after its VLAN id<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
## Allow containers in the same VLAN to see each other (macvlan bridge mode)<br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#LAN Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.101<br />
lxc.network.name = eth_101<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key|Ctrl}}+{{Key|a}} and then {{Key|q}} (the default lxc-console escape sequence)}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto eth_3<br />
iface eth_3 inet static<br />
address <%NETSERV_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
<br />
#Voice VLAN<br />
auto eth_1101<br />
iface eth_1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%DMVPN_VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
<br />
#LAN VLAN<br />
auto eth_101<br />
iface eth_101 inet static<br />
address <%NETSERV_LAN_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
<br />
#WiFi VLAN<br />
auto eth_701<br />
iface eth_701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%VPNC_WIFI_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration. Put the administrator's SSH public key in /root/.ssh/authorized_keys before disabling password authentication, otherwise the only way back in is lxc-console. The sed patterns match the directive whether or not it is still commented out in the shipped sshd_config<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS.*/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Todo|Need to setup Firewall rules}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package (acf-dhcp pulls in the ISC dhcp server)<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option domain-name-servers <%DMVPN_LAN_IP_ADDRESS%>;<br />
option domain-name "office.example.net";<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (nsd, the authoritative server for the local zone, is installed further down)<br />
{{Cmd|apk add unbound}}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound. Unbound is the recursive resolver that dhcpd points every LAN, WiFi and Voice client at: the local zone is handed to nsd on the loopback through a stub zone, the company zones to their own name servers, and everything else is resolved from the root hints<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
# listen on every address that dhcpd hands out as a name server, the Voice one included<br />
interface: <%NETSERV_WIFI_IP_ADDRESS%><br />
interface: <%NETSERV_LAN_IP_ADDRESS%><br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
# needed because the local stub zone below lives on 127.0.0.1 (nsd)<br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
# only the site's own address space may query, every other source is refused; adjust to your subnets<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
#(unbound refuses to start if the file is missing; drop the line to fall back to its built-in hints)<br />
root-hints: "/etc/unbound/root.hints"<br />
<br />
# local zone served by nsd on the loopback; the name must match the zone in nsd.conf<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: 127.0.0.1<br />
<br />
# company zones, sent to the corporate name servers at 172.16.255.x<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
Start Unbound, enable it at boot and point the container's own resolver at it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_LAN_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd. It listens on the loopback only, so its sole client is unbound in the same container, and it reveals neither version nor identity to CHAOS-class queries<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
# loopback only: queries reach nsd through the unbound stub zone<br />
ip-address: 127.0.0.1<br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
# do not answer version.bind / id.server<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Configure the zone file for nsd (its path is zonesdir plus zonefile from nsd.conf)<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
; MNAME must be a name server that exists in the zone (ns1 below); admin is the contact mailbox admin@office.example.net<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn], bump it on every change before nsdc rebuild<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record (RFC 3263): the replacement is the owner name of the SRV records below<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Records; equal priority and weight, so clients pick either host<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
nsdc rebuild<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
<br />
= Install the SIP Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to leave the container console press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%SIP_NETMASK%><br />
gateway <%DMVPN_SIP_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration. Put your SSH public key in /root/.ssh/authorized_keys before disabling password logins, otherwise the only way back in is lxc-console from the host. The sed patterns below match the setting whether or not it is still commented out in the default sshd_config.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS.*/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Restart ssh so that the edited sshd_config takes effect (setup-sshd has already started the service)<br />
{{Cmd|/etc/init.d/sshd restart}}<br />
<br />
Set the root password for the container (it is only used on the console, since SSH password logins are disabled)<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
==Setup Firewall==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
==Install and Configure Postgresql==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Configure /var/lib/postgresql/9.3/data/postgresql.conf so that 'listen_addresses' and 'log_destination' read as below. The awall policies above accept no postgresql traffic, so even with this listener the database stays reachable from inside the container only; keep it that way unless Kamailio runs elsewhere, and restrict clients in pg_hba.conf before opening the port<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
Start up the database and configure postgresql to start at boot up<br />
{{Cmd|/etc/init.d/postgresql start<br />
rc-update add postgresql}}<br />
{{Todo|Configure Kamailio}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9778
Small Office Services
2014-01-16T21:35:17Z
<p>Cewebb: </p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' or 'done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Type'' '''none''' ''(the bond itself carries no address; the VLAN sub-interfaces do)''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces. bond-mode and bond-miimon are interface options read by the bonding hook, not commands, so they go on their own lines; each VLAN sub-interface is brought up without an address because the containers attach to it with macvlan<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
# Management VLAN<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
# LAN VLAN<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
# Voice VLAN<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
# WiFi VLAN (the name must match the lxc.network.link of the netserv container)<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
Writing to /proc only lasts until the next reboot, so also record the setting in /etc/sysctl.conf, which the sysctl service applies at boot. awall drops forwarded packets that no rule accepts, so this does not by itself turn the host into a router between the VLANs<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward<br />
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for a wall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure the iptables service to restore the rules saved by awall activate when the host boots<br />
{{Cmd|rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf. macvlan in bridge mode lets containers on the same VLAN reach each other, but the host cannot talk to its own containers through the parent interface; reach them from another host on the VLAN or through lxc-console<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers (every lxc.cap.drop line adds to the list)<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
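Dropping capabilities in default.conf only helps if the container really starts without them. The POSIX sh snippet below is an added example, not part of the wiki page or of LXC: it decodes the CapBnd bitmask that /proc/&lt;pid&gt;/status reports (run it inside a container against PID 1) and lists which entries of the drop list above are still in the bounding set. The capability numbers are the kernel's; the two masks it checks by default are constructed values, not captured from a container.<br />

```shell
#!/bin/sh
# Added example, not from the wiki page or LXC: decode a CapBnd mask from
# /proc/<pid>/status and report which capabilities from an lxc.cap.drop list
# are still present. Capability numbers follow the kernel's capability.h
# (up to audit_read = 37; newer kernels add a few more bits above that).

# cap_number NAME -> bit position of the capability in CapBnd
cap_number() {
    case "$1" in
        chown) echo 0 ;;            dac_override) echo 1 ;;      dac_read_search) echo 2 ;;
        fowner) echo 3 ;;           fsetid) echo 4 ;;            kill) echo 5 ;;
        setgid) echo 6 ;;           setuid) echo 7 ;;            setpcap) echo 8 ;;
        linux_immutable) echo 9 ;;  net_bind_service) echo 10 ;; net_broadcast) echo 11 ;;
        net_admin) echo 12 ;;       net_raw) echo 13 ;;          ipc_lock) echo 14 ;;
        ipc_owner) echo 15 ;;       sys_module) echo 16 ;;       sys_rawio) echo 17 ;;
        sys_chroot) echo 18 ;;      sys_ptrace) echo 19 ;;       sys_pacct) echo 20 ;;
        sys_admin) echo 21 ;;       sys_boot) echo 22 ;;         sys_nice) echo 23 ;;
        sys_resource) echo 24 ;;    sys_time) echo 25 ;;         sys_tty_config) echo 26 ;;
        mknod) echo 27 ;;           lease) echo 28 ;;            audit_write) echo 29 ;;
        audit_control) echo 30 ;;   setfcap) echo 31 ;;          mac_override) echo 32 ;;
        mac_admin) echo 33 ;;       syslog) echo 34 ;;           wake_alarm) echo 35 ;;
        block_suspend) echo 36 ;;   audit_read) echo 37 ;;
        *) return 1 ;;
    esac
}

# cap_in_mask HEXMASK NAME -> true when that capability bit is set
cap_in_mask() {
    bit=$(cap_number "$2") || { echo "unknown capability: $2" >&2; return 2; }
    [ $(( (0x$1 >> bit) & 1 )) -eq 1 ]
}

# mask_without HEXMASK "NAME ..." -> the mask with those bits cleared (what a correct drop yields)
mask_without() {
    m=$(( 0x$1 ))
    for c in $2; do
        bit=$(cap_number "$c") || return 2
        m=$(( m & ~(1 << bit) ))
    done
    printf '%016x\n' "$m"
}

# leaked_caps HEXMASK "NAME ..." -> prints the names still present; exit status 1 if any
leaked_caps() {
    leaked=""
    for c in $2; do
        if cap_in_mask "$1" "$c"; then leaked="$leaked $c"; fi
    done
    echo "${leaked# }"
    [ -z "$leaked" ]
}

# The drop list from /etc/lxc/default.conf above.
LXC_DROPPED="sys_admin audit_control audit_write fsetid ipc_lock ipc_owner lease linux_immutable mac_admin mac_override mknod setfcap setpcap sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_tty_config sys_time"

# Constructed masks (not captured from a container): an unrestricted bounding
# set, and what it should look like once the drop list has been applied.
FULL_MASK=0000003fffffffff
RESTRICTED_MASK=$(mask_without "$FULL_MASK" "$LXC_DROPPED")   # 0000003c01443cef

# Inside the container, check the real thing with:
#   leaked_caps "$(awk '/^CapBnd:/ { print $2 }' /proc/1/status)" "$LXC_DROPPED"
for mask in "$FULL_MASK" "$RESTRICTED_MASK"; do
    if present=$(leaked_caps "$mask" "$LXC_DROPPED"); then
        echo "$mask: drop list fully applied"
    else
        echo "$mask: still present: $present"
    fi
done
```

A non-empty result from leaked_caps against PID 1 of a running container means the lxc.cap.drop lines were not applied (a typo in a capability name is the usual cause), which is worth checking after every change to default.conf.<br />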
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to leave the container console press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEBPROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a policy to the DMVPN router's awall configuration that lets this proxy, and only this proxy, out to the internet<br />
{{Note| this is to be configured on the DMVPN awall config, where the zones B and E and the variable $WEB_PROXY are defined; enable it there with awall enable internet-host followed by awall activate}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"description": "Web proxy to the internet",<br />
<br />
"filter": [<br />
{ "in": "B", "src": "$WEB_PROXY", "out": "E", "action": "accept" }<br />
]<br />
}<br />
}}<br />
<br />
Configure remote administration. Put your SSH public key in /root/.ssh/authorized_keys before disabling password logins, otherwise the only way back in is lxc-console from the host. The sed patterns below match the setting whether or not it is still commented out in the default sshd_config.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS.*/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Restart ssh so that the edited sshd_config takes effect (setup-sshd has already started the service)<br />
{{Cmd|/etc/init.d/sshd restart}}<br />
<br />
Set the root password for the container (it is only used on the console, since SSH password logins are disabled)<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# No proxy authentication is configured in this setup; userlist matches every client and is not referenced below<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Denying all access not explictly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
# mod_alias is required by the cgi-bin alias in mod_cgi.conf<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_alias",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start on when container is booted<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks of the netserv container: replace the single network block that lxc-create copied from default.conf with one macvlan interface per VLAN, so that no unconfigured eth0 is left dangling on the management VLAN<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
## One macvlan interface per VLAN; containers in the same VLAN can see each other<br />
<br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#LAN Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.101<br />
lxc.network.name = eth_101<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
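The host's /etc/network/interfaces and the lxc.network.link lines of every container have to agree on the VLAN sub-interface names; an auto bond0.701 stanza whose iface line reads bond0.601 leaves the netserv container attached to a parent interface that is never brought up, and nothing warns you. The POSIX sh/awk check below is an added example, not part of the wiki page or of LXC; the two files it embeds are constructed samples that reproduce that mismatch, and it assumes the one-name-per-auto-line ifupdown syntax and the key = value LXC syntax used on this page.<br />

```shell
#!/bin/sh
# Added example, not from the wiki page or LXC: cross-check the parent
# interfaces named by lxc.network.link against the host's
# /etc/network/interfaces. Assumes the ifupdown syntax used on this page
# ("auto NAME" plus "iface NAME ...") and "key = value" LXC config lines.

# host_ifaces FILE -> interfaces that have both an "auto" and an "iface" stanza
host_ifaces() {
    awk '$1 == "auto"  { auto[$2] = 1 }
         $1 == "iface" { iface[$2] = 1 }
         END { for (i in auto) if (i in iface) print i }' "$1"
}

# iface_mismatch FILE -> names present in only one of "auto" / "iface" (typos show up here)
iface_mismatch() {
    awk '$1 == "auto"  { auto[$2] = 1 }
         $1 == "iface" { iface[$2] = 1 }
         END { for (i in auto)  if (!(i in iface)) print "auto without iface: " i
               for (i in iface) if (!(i in auto))  print "iface without auto: " i }' "$1"
}

# container_links FILE -> every interface named by lxc.network.link
container_links() {
    awk -F'=' '$1 ~ /^[ \t]*lxc\.network\.link[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2 }' "$1"
}

# check_links INTERFACES_FILE CONFIG_FILE -> prints links the host never brings up; exit 1 if any
check_links() {
    known=$(host_ifaces "$1")
    missing=""
    for l in $(container_links "$2"); do
        printf '%s\n' "$known" | grep -qxF "$l" || missing="$missing $l"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Constructed samples reproducing the host interfaces and netserv config on this page.
sample_interfaces() {
    cat > "$1" <<'EOF'
auto lo
iface lo inet loopback

auto bond0
iface bond0 inet manual
bond-slaves eth0 eth1

auto bond0.3
iface bond0.3 inet static
address 10.1.3.2
netmask 255.255.255.0

auto bond0.101
iface bond0.101 inet manual

auto bond0.1101
iface bond0.1101 inet manual

auto bond0.701
iface bond0.601 inet manual
EOF
}
sample_config() {
    cat > "$1" <<'EOF'
lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.link = bond0.3
lxc.network.name = eth_3
lxc.network.type = macvlan
lxc.network.link = bond0.101
lxc.network.name = eth_101
lxc.network.type = macvlan
lxc.network.link = bond0.701
lxc.network.name = eth_701
lxc.network.type = macvlan
lxc.network.link = bond0.1101
lxc.network.name = eth_1101
EOF
}

# On the host: check_links /etc/network/interfaces /var/lib/lxc/netserv/config
d=$(mktemp -d "${TMPDIR:-/tmp}/lxcchk.XXXXXX")
sample_interfaces "$d/interfaces"; sample_config "$d/config"
iface_mismatch "$d/interfaces"
if links=$(check_links "$d/interfaces" "$d/config"); then
    echo "all container links are configured on the host"
else
    echo "container links the host never brings up: $links"
fi
rm -rf "$d"
```

Run it for each container config before lxc-start; iface_mismatch pinpoints the typo on the host side, check_links tells you which container would come up with a dead interface.<br />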
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to leave the container console press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto eth_3<br />
iface eth_3 inet static<br />
address <%NETSERV_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
<br />
#Voice VLAN (carries the default route)<br />
auto eth_1101<br />
iface eth_1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%DMVPN_VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
<br />
#LAN VLAN (unbound listens here and the container's own resolv.conf points at it)<br />
auto eth_101<br />
iface eth_101 inet static<br />
address <%NETSERV_LAN_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
<br />
#WiFi VLAN<br />
auto eth_701<br />
iface eth_701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%DMVPN_WIFI_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration. Put your SSH public key in /root/.ssh/authorized_keys before disabling password logins, otherwise the only way back in is lxc-console from the host. The sed patterns below match the setting whether or not it is still commented out in the default sshd_config.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS.*/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Restart ssh so that the edited sshd_config takes effect (setup-sshd has already started the service)<br />
{{Cmd|/etc/init.d/sshd restart}}<br />
<br />
Set the root password for the container (it is only used on the console, since SSH password logins are disabled)<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Todo|Need to setup Firewall rules}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the ISC dhcpd package together with its ACF module<br />
{{Cmd|apk add dhcp acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option domain-name-servers <%DMVPN_LAN_IP_ADDRESS%>;<br />
# Must match the zone served by nsd below, so that short names resolve through the unbound stub zone<br />
option domain-name "office.example.net";<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (nsd, the authoritative server for the local zone, is installed further down)<br />
{{Cmd|apk add unbound}}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound. Unbound is the recursive resolver that dhcpd points every LAN, WiFi and Voice client at: the local zone is handed to nsd on the loopback through a stub zone, the company zones to their own name servers, and everything else is resolved from the root hints<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
# listen on every address that dhcpd hands out as a name server, the Voice one included<br />
interface: <%NETSERV_WIFI_IP_ADDRESS%><br />
interface: <%NETSERV_LAN_IP_ADDRESS%><br />
interface: <%NETSERV_VOICE_IP_ADDRESS%><br />
# needed because the local stub zone below lives on 127.0.0.1 (nsd)<br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
# only the site's own address space may query, every other source is refused; adjust to your subnets<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
#(unbound refuses to start if the file is missing; drop the line to fall back to its built-in hints)<br />
root-hints: "/etc/unbound/root.hints"<br />
<br />
# local zone served by nsd on the loopback; the name must match the zone in nsd.conf<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: 127.0.0.1<br />
<br />
# company zones, sent to the corporate name servers at 172.16.255.x<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
Start Unbound, enable it at boot and point the container's own resolver at it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_LAN_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd. It listens on the loopback only, so its sole client is unbound in the same container, and it reveals neither version nor identity to CHAOS-class queries<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
# loopback only: queries reach nsd through the unbound stub zone<br />
ip-address: 127.0.0.1<br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
# do not answer version.bind / id.server<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Configure the zone file for nsd (its path is zonesdir plus zonefile from nsd.conf)<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
; MNAME must be a name server that exists in the zone (ns1 below); admin is the contact mailbox admin@office.example.net<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn], bump it on every change before nsdc rebuild<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record (RFC 3263): the replacement is the owner name of the SRV records below<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Records; equal priority and weight, so clients pick either host<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
nsdc rebuild<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}<br />
<br />
= Install the SIP Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n sip -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.sip}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container<br />
<br />
{{cat|/var/lib/lxc/sip/config|<br />
...<br />
lxc.network.link {{=}} bond0.1101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.sip start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.sip}}<br />
<br />
== Enter the sip container ==<br />
{{Cmd|lxc-console -n sip}}<br />
Login as root<br />
{{Note|If the need arises to leave the container console press {{Key| Ctrl}}+{{Key| a}} then {{Key| q}} (lxc-console's default escape sequence)}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%SIP_IP_ADDRESS%><br />
netmask <%SIP_NETMASK%><br />
gateway <%DMVPN_SIP_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration. Put your administrator's public key in /root/.ssh/authorized_keys before disabling password authentication, otherwise the container is reachable only through lxc-console afterwards. The patterns below match the directive whether it is still commented out or already active.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/^#*PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
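One-line sed edits of sshd_config are easy to get subtly wrong. With a pattern such as <code>s/.PasswordAuthentication yes/PasswordAuthentication no/</code> the leading dot must consume one character, so the stock commented <code>#PasswordAuthentication yes</code> is rewritten, an already active directive in column 0 is left untouched, and an indented one inside a Match block is changed. The Python snippet below is an added example, not part of this page or of OpenSSH: it reproduces that sed on a constructed sshd_config (the Match block in it is assumed; the page's containers have none) and shows a setter that edits only the global section and is safe to re-run.<br />

```python
import re

# Constructed sample: an sshd_config whose PasswordAuthentication line is already
# active, plus an assumed Match block for a backup account.
SAMPLE_SSHD_CONFIG = """\
#Port 22
PasswordAuthentication yes
#UseDNS yes
Match User backup
    PasswordAuthentication yes
"""


def sed_style(config):
    """Mimic s/.PasswordAuthentication yes/PasswordAuthentication no/ on every line.

    The '.' must consume a character, so a directive starting in column 0 is
    skipped while an indented one inside a Match block is rewritten.
    """
    return "\n".join(
        re.sub(r".PasswordAuthentication yes", "PasswordAuthentication no", line, count=1)
        for line in config.splitlines()
    ) + "\n"


def set_sshd_option(config, key, value):
    """Set `key value` exactly once in the global section (before any Match block).

    The first commented or active occurrence is replaced, later global
    duplicates are commented out (sshd honours only the first), and the
    directive is appended if absent. Lines inside Match blocks are left alone.
    """
    lines = config.splitlines()
    split = next((i for i, l in enumerate(lines) if re.match(r"\s*match\b", l, re.I)),
                 len(lines))
    head, tail = lines[:split], lines[split:]
    directive = re.compile(r"^\s*#?\s*" + re.escape(key) + r"(\s|=|$)", re.I)
    out, done = [], False
    for line in head:
        if directive.match(line):
            out.append(f"{key} {value}" if not done else "#" + line.lstrip())
            done = True
        else:
            out.append(line)
    if not done:
        out.append(f"{key} {value}")
    return "\n".join(out + tail) + "\n"


def effective_option(config, key):
    """Value sshd applies globally for `key`: first active occurrence before any Match."""
    for line in config.splitlines():
        if re.match(r"\s*match\b", line, re.I):
            break
        m = re.match(r"\s*" + re.escape(key) + r"[\s=]+(\S+)", line, re.I)
        if m:
            return m.group(1)
    return None


def harden(config):
    """Apply the two settings this page wants; running it twice changes nothing."""
    for key, value in (("PasswordAuthentication", "no"), ("UseDNS", "no")):
        config = set_sshd_option(config, key, value)
    return config


if __name__ == "__main__":
    print("sed-style result leaves global auth =",
          effective_option(sed_style(SAMPLE_SSHD_CONFIG), "PasswordAuthentication"))
    print(harden(SAMPLE_SSHD_CONFIG))
```

After editing, <code>sshd -t</code> validates the file and <code>sshd -T</code> prints the effective settings, which is the check to run before closing the password door.<br />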
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
==Setup Firewall==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/sip.json|<br />
{<br />
"description": "Phone System",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "sip", "sip-tls" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/syslog.json|<br />
{<br />
<br />
"description": "Syslog server",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": "syslog",<br />
"action": "accept"<br />
}<br />
]<br />
<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable sip<br />
awall enable syslog<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
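awall reads every enabled policy as JSON, and a single syntax slip, such as a trailing comma after the last member of a rule object, is enough for awall activate to reject the policy set, while a rule that accepts into _fw without an "in" zone quietly applies to traffic from every interface. The following Python script is an added example, not part of this page or of awall: it parses constructed copies of the three policy files above (sip.json with a trailing comma left in on purpose), reports a parse error with its line, and lists which services each file accepts into the firewall host itself.<br />

```python
import json

# Constructed copies of the policy files created above; sip.json keeps a
# trailing comma after "action": "accept" to show how the check reports it.
POLICY_FILES = {
    "base.json": """{
  "description": "Management",
  "policy": [ { "in": "_fw", "action": "accept" } ],
  "filter": [
    { "out": "_fw", "service": [ "ssh", "https", "ping" ], "action": "accept" }
  ]
}""",
    "sip.json": """{
  "description": "Phone System",
  "filter": [
    {
      "out": "_fw",
      "service": [ "sip", "sip-tls" ],
      "action": "accept",
    }
  ]
}""",
    "syslog.json": """{
  "description": "Syslog server",
  "filter": [ { "out": "_fw", "service": "syslog", "action": "accept" } ]
}""",
}


def load_policy(text):
    """Parse one awall policy; return (policy, None) or (None, error with position)."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"line {exc.lineno}, column {exc.colno}: {exc.msg}"


def exposed_services(policy):
    """(source zone, services) pairs accepted into the firewall host ("out": "_fw").

    awall defaults a filter rule's action to accept and, without "in", applies
    the rule to traffic arriving from every zone.
    """
    exposed = []
    for rule in policy.get("filter", []):
        if rule.get("out") != "_fw" or rule.get("action", "accept") != "accept":
            continue
        services = rule.get("service", "<any>")
        if isinstance(services, str):
            services = [services]
        exposed.append((rule.get("in", "<any zone>"), tuple(services)))
    return exposed


def audit_policies(files):
    """Map file name -> {'error': message or None, 'exposed': [...]} for a policy set."""
    report = {}
    for name, text in files.items():
        policy, error = load_policy(text)
        report[name] = {"error": error,
                        "exposed": exposed_services(policy) if policy else []}
    return report


if __name__ == "__main__":
    for name, result in audit_policies(POLICY_FILES).items():
        print(name, result)
```

To audit the live directory, build the dictionary from the files under /etc/awall/optional and run audit_policies on it before awall activate; anything reported under "error" must be fixed first, and the "exposed" lists are what an attacker on the voice VLAN can reach on this container.<br />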
<br />
==Install and Configure Postgresql==<br />
Install postgresql package<br />
{{Cmd|apk update<br />
apk add acf-postgresql}}<br />
Prepare the database<br />
{{Cmd|/etc/init.d/postgresql setup}}<br />
Edit /var/lib/postgresql/9.3/data/postgresql.conf so that 'listen_addresses' and 'log_destination' read as follows. The awall policies above do not open port 5432, so the listener stays reachable only from the container itself until a rule is added; restrict the allowed clients in pg_hba.conf as well.<br />
{{cat|/var/lib/postgresql/9.3/data/postgresql.conf|<br />
..<br />
listen_addresses {{=}} '<%SIP_IP_ADDRESS%>'<br />
..<br />
log_destination {{=}} 'syslog'<br />
}}<br />
{{Todo|Finish up database items, and configure Kamailio}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9777
Small Office Services
2014-01-16T14:28:56Z
<p>Cewebb: /* Install the DHCP and DNS server (netserv) Container */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' or 'done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Type'' '''none''' ''(bond0 itself carries no address; the VLAN sub-interfaces do)''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_IP%>''' ''(the DMVPN router's address on the management VLAN)''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
up ip link set $IFACE up<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
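Mistakes in /etc/network/interfaces only surface when ifup runs, which on a remote host means a box that comes back without its management VLAN. The script below is an added example, not part of this page or of ifupdown: it parses the stanza format used above and flags an <code>auto</code> line without a matching <code>iface</code> (or the reverse), a VLAN sub-interface whose parent has no stanza, a bond slave that also carries a static address, and bond-* settings written as <code>up</code> commands, which ifup would try to execute as programs instead of handing to the bonding hook. The sample file in it is constructed from this page with assumed addresses.<br />

```python
# Constructed sample: the host /etc/network/interfaces with two defects
# (bond options under "up", and an auto/iface name mismatch) and its corrected form.
INTERFACES_BROKEN = """\
auto lo
iface lo inet loopback

auto bond0
iface bond0 inet manual
    bond-slaves eth0 eth1
    up ip link set $IFACE up
    up bond-mode balance-tlb
    up bond-miimon 100
    down ip link set $IFACE down

auto bond0.3
iface bond0.3 inet static
    address 10.1.3.10
    netmask 255.255.255.0
    gateway 10.1.3.1

auto bond0.701
iface bond0.601 inet manual
    up ip link set $IFACE up
    down ip link set $IFACE down
"""

INTERFACES_FIXED = (INTERFACES_BROKEN.replace("up bond-", "bond-")
                                     .replace("bond0.601", "bond0.701"))

HOOKS = {"pre-up", "up", "post-up", "pre-down", "down", "post-down"}


def parse_interfaces(text):
    """Return (set of auto names, {iface: {'method': str, 'options': [[token, ...]]}})."""
    auto, ifaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        toks = line.split()
        if toks[0] == "auto":
            auto.update(toks[1:])
            current = None
        elif toks[0] == "iface" and len(toks) >= 4:
            current = toks[1]
            ifaces[current] = {"method": toks[3], "options": []}
        elif current is not None:
            ifaces[current]["options"].append(toks)
    return auto, ifaces


def check_interfaces(text):
    """List configuration mistakes that ifup would otherwise reveal only at boot."""
    auto, ifaces = parse_interfaces(text)
    known = set(ifaces)
    issues = []
    for name in sorted(auto - known):
        issues.append(f"'auto {name}' has no matching iface stanza")
    for name in sorted(known - auto):
        issues.append(f"iface {name} is never brought up: no 'auto {name}'")
    for name, cfg in ifaces.items():
        parent = name.rsplit(".", 1)[0] if "." in name else None
        if parent and parent not in known:
            issues.append(f"VLAN interface {name} has no stanza for parent {parent}")
        for opt in cfg["options"]:
            if opt[0] in HOOKS and len(opt) > 1 and opt[1].startswith("bond-"):
                issues.append(f"{name}: '{' '.join(opt)}' would run {opt[1]} as a command; "
                              f"write '{' '.join(opt[1:])}' as a stanza option")
            if opt[0] == "bond-slaves":
                for slave in opt[1:]:
                    if ifaces.get(slave, {}).get("method") == "static":
                        issues.append(f"{name}: slave {slave} also has a static address")
    return issues


if __name__ == "__main__":
    print(check_interfaces(INTERFACES_BROKEN) or "ok")
    print(check_interfaces(INTERFACES_FIXED) or "ok")
```

Run <code>check_interfaces(open("/etc/network/interfaces").read())</code> before the networking restart below; an empty list is the expected result.<br />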
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
This takes effect immediately but is not kept across a reboot: add the line <code>net.ipv4.ip_forward = 1</code> to /etc/sysctl.conf, which the sysctl boot service applies, and include the file in your next lbu commit.<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for a wall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure iptables to restore the rules saved by awall activate when the host boots<br />
{{Cmd| rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to leave the container console press {{Key| Ctrl}}+{{Key| a}} then {{Key| q}} (lxc-console's default escape sequence)}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN router's awall policy so this proxy can reach the internet. "$WEB_PROXY" is an awall variable that must be defined with the proxy's address in that policy's "variable" section, and the rule object goes inside its "filter" list (without a trailing comma after the last member, which JSON does not allow)<br />
{{Note| this is to be configured on the DMVPN awall config}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
}<br />
}}<br />
<br />
Configure remote administration. Put your administrator's public key in /root/.ssh/authorized_keys before disabling password authentication, otherwise the container is reachable only through lxc-console afterwards. The patterns below match the directive whether it is still commented out or already active.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/^#*PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed above<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
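The http_access list above is evaluated top to bottom: the first line whose ACLs all match decides, and when no line matches Squid applies the opposite of the last line's action. Reasoning about such a list by hand is error-prone, so the following Python model is an added example, not part of this page or of Squid: it implements that evaluation for the src, dstdomain, port and method ACL types used here (the manager ACL is omitted because it keys on the cache-manager URL) over a constructed ACL set in which Zone_B is assumed to be 10.1.101.0/24 and the domain lists stand in for the files under /etc/squid.<br />

```python
import ipaddress

# Constructed ACLs mirroring the squid.conf above. Zone_B is an assumed LAN
# subnet and the domain lists stand in for the /etc/squid/*domains files.
ACLS = {
    "localhost": ("src", ["127.0.0.0/8"]),
    "all": ("src", ["0.0.0.0/0"]),
    "SSL_ports": ("port", ["443", "563", "8004", "9000"]),
    "Safe_ports": ("port", ["21", "70", "80", "81", "210", "280", "443", "563", "499",
                            "591", "777", "1024", "1022", "1025-65535"]),
    "purge": ("method", ["PURGE"]),
    "CONNECT": ("method", ["CONNECT"]),
    "Zone_B": ("src", ["10.1.101.0/24"]),
    "Zone_B_AllowedUserDomains": ("dstdomain", [".example.net", "www.alpinelinux.org"]),
    "Zone_B_AllowedServicesHosts": ("src", ["10.1.101.50"]),
    "Zone_B_AllowedServicesDomains": ("dstdomain", [".dl-cdn.alpinelinux.org"]),
}

# http_access lines in file order; a leading '!' negates an ACL.
HTTP_ACCESS = [
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["Zone_B", "Zone_B_AllowedUserDomains"]),
    ("allow", ["Zone_B_AllowedServicesHosts", "Zone_B_AllowedServicesDomains"]),
    ("deny", ["all"]),
]


def acl_matches(name, req):
    """Does the named ACL match the request dict (src, host, port, method)?"""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        for v in values:
            low, _, high = v.partition("-")
            if int(low) <= req["port"] <= int(high or low):
                return True
        return False
    if kind == "method":
        return req["method"].upper() in values
    if kind == "dstdomain":
        host = req["host"].lower().rstrip(".")
        for v in values:
            v = v.lower()
            if v.startswith("."):            # the domain itself and every subdomain
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:                  # exact name only
                return True
        return False
    raise ValueError(f"unsupported acl type {kind}")


def http_access(req):
    """Squid's decision: first line whose ACLs all match wins; otherwise the
    opposite of the last line's action."""
    for action, terms in HTTP_ACCESS:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if HTTP_ACCESS[-1][0] == "allow" else "allow"


def request(src, host, port=80, method="GET"):
    return {"src": src, "host": host, "port": port, "method": method}


if __name__ == "__main__":
    for r in (request("10.1.101.20", "www.example.net"),
              request("10.1.101.20", "mail.example.net", 8080, "CONNECT"),
              request("10.1.102.7", "www.example.net")):
        print(http_access(r), r)
```

The two things the model makes visible are that a CONNECT to a non-SSL port is refused before any allow line is consulted, and that a client outside Zone_B falls through every allow line to the final deny, so adding a new allow line after "deny all" would never take effect.<br />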
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start on when container is booted<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi network's behavior}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, replacing the single eth0 definition inherited from /etc/lxc/default.conf with one macvlan interface per VLAN that the netserv container serves<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth0<br />
<br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#LAN Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.101<br />
lxc.network.name = eth_101<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to leave the container console press {{Key| Ctrl}}+{{Key| a}} then {{Key| q}} (lxc-console's default escape sequence)}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto eth_3<br />
iface eth_3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
<br />
#Voice VLAN<br />
auto eth_1101<br />
iface eth_1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%DMVPN_VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
<br />
#LAN VLAN<br />
auto eth_101<br />
iface eth_101 inet static<br />
address <%NETSERV_LAN_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
<br />
#WiFi VLAN<br />
auto eth_701<br />
iface eth_701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%VPNC_WIFI_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration. Put your administrator's public key in /root/.ssh/authorized_keys before disabling password authentication, otherwise the container is reachable only through lxc-console afterwards. The patterns below match the directive whether it is still commented out or already active.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/^#*PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Todo|Need to setup Firewall rules}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option domain-name-servers <%DMVPN_LAN_IP_ADDRESS%>;<br />
option domain-name "location.example.net";<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (the recursive resolver; nsd, the authoritative server, is installed further down)<br />
{{Cmd|apk add unbound }}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_WIFI_IP_ADDRESS%><br />
interface: <%NETSERV_LAN_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
# Local authoritative zone, served by nsd on 127.0.0.1 in this container (do-not-query-localhost: no above allows this)<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: 127.0.0.1<br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
Start Unbound, enable it at boot and point the container's own resolver at it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_LAN_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd configuration<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: 127.0.0.1<br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Create the zone file referenced by nsd.conf. The SOA MNAME and the NS record must name a host that has an A record, and a NAPTR with the "s" flag must point at a name that owns SRV records, which in this zone is _sip._udp.office.example.net.<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Negative caching TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record: clients resolve the domain, learn "SIP over UDP" and follow the SRV records below<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Records<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
nsdc rebuild<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9759
Small Office Services
2014-01-15T20:39:07Z
<p>Cewebb: /* Install and Configure DHCP and DNS services */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' or 'done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Type'' '''none''' ''(bond0 itself carries no address; the VLAN sub-interfaces do)''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_IP%>''' ''(the DMVPN router's address on the management VLAN)''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
up ip link set $IFACE up<br />
# bonding options are iface options read by the bonding hook, not shell commands to run
bond-mode balance-tlb<br />
bond-miimon 100<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
{{Note|This takes effect immediately but is lost at reboot; to keep forwarding enabled on a diskless install, also put net.ipv4.ip_forward {{=}} 1 in /etc/sysctl.conf and include that change in your next lbu commit}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure the firewall to be activated automatically when the host boots<br />
{{Cmd|rc-update add awall}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN awall policy that allows this proxy out to the internet<br />
{{Note|This file belongs in the awall configuration of the DMVPN box, not in the container; it refers to the zones B and E and the variable $WEB_PROXY of that configuration}}<br />
{{cat|/etc/awall/optional/internet-host.json|<br />
{<br />
"description": "Allow the web proxy out to the internet",<br />
<br />
"filter": [<br />
{ "in": "B", "src": "$WEB_PROXY", "out": "E", "action": "accept" }<br />
]<br />
}<br />
}}<br />
<br />
Configure remote administration. The sed lines below disable password logins, so install your public key in /root/.ssh/authorized_keys before relying on SSH; lxc-console remains available as a fallback<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and make iptables start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replacing <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, <%DOMAIN%> and the <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%> placeholders<br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access hosts listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
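To see how the http_access chain above actually decides a request, here is a small Python model of it, added as an example (it is not part of the page and not Squid code): it applies the same ACLs in the same order to constructed requests, with a constructed LAN subnet and constructed list-file contents standing in for the page's placeholders.<br />

```python
"""Model of the http_access chain in the squid.conf above (added example, not Squid code).
Squid evaluates http_access lines top to bottom; the first line whose ACLs ALL match wins."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the page's placeholders and list files.
LAN_SUBNET = ip_network("10.1.101.0/24")                        # <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%>
ALLOWED_USER_DOMAINS = {".example.net", "www.alpinelinux.org"}  # /etc/squid/alloweduserdomains
ALLOWED_SERVICES_HOSTS = {ip_address("10.1.101.20")}            # /etc/squid/allowedserviceshosts
ALLOWED_SERVICES_DOMAINS = {"dl-cdn.alpinelinux.org"}           # /etc/squid/allowedservicesdomains
# Port lists copied from the acl lines above.
SAFE_PORTS = {21, 70, 80, 81, 210, 280, 443, 563, 499, 591, 777, 1024, 1022} | set(range(1025, 65536))
SSL_PORTS = {443, 563, 8004, 9000}


@dataclass
class Request:
    src: str              # client IP address
    method: str           # GET, CONNECT, PURGE, ...
    host: str             # destination host name
    port: int             # destination port
    manager: bool = False # cache-manager request (Squid's built-in 'manager' ACL)


def dstdomain(domains, host):
    """Squid dstdomain semantics: '.example.net' matches the domain and all its
    subdomains; a bare name matches exactly."""
    host = host.lower().rstrip(".")
    for d in domains:
        if d.startswith("."):
            if host == d[1:] or host.endswith(d):
                return True
        elif host == d:
            return True
    return False


# Every ACL named in the http_access lines, as a predicate over a Request.
ACLS = {
    "manager": lambda r: r.manager,
    "localhost": lambda r: ip_address(r.src).is_loopback,
    "purge": lambda r: r.method == "PURGE",
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "SSL_ports": lambda r: r.port in SSL_PORTS,
    "CONNECT": lambda r: r.method == "CONNECT",
    "Zone_B": lambda r: ip_address(r.src) in LAN_SUBNET,
    "Zone_B_AllowedUserDomains": lambda r: dstdomain(ALLOWED_USER_DOMAINS, r.host),
    "Zone_B_AllowedServicesHosts": lambda r: ip_address(r.src) in ALLOWED_SERVICES_HOSTS,
    "Zone_B_AllowedServicesDomains": lambda r: dstdomain(ALLOWED_SERVICES_DOMAINS, r.host),
    "all": lambda r: True,
}

# The page's http_access lines, in order (a leading '!' negates an ACL).
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["Zone_B", "Zone_B_AllowedUserDomains"]),
    ("allow", ["Zone_B_AllowedServicesHosts", "Zone_B_AllowedServicesDomains"]),
    ("deny", ["all"]),
]


def acl_matches(name, req):
    negate = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negate


def http_access(req):
    """Return (action, line_number) of the first http_access line whose ACLs all match.
    If no line matches, Squid applies the opposite of the last line's action (line 0 here)."""
    for line_no, (action, acls) in enumerate(HTTP_ACCESS, 1):
        if all(acl_matches(a, req) for a in acls):
            return action, line_no
    return ("deny" if HTTP_ACCESS[-1][0] == "allow" else "allow"), 0


if __name__ == "__main__":
    for s in (Request("10.1.101.50", "GET", "www.example.net", 80),         # allowed user domain
              Request("10.1.101.50", "CONNECT", "mail.example.net", 8080),  # CONNECT to a non-SSL port
              Request("10.1.101.20", "GET", "dl-cdn.alpinelinux.org", 80),  # service host -> service domain
              Request("10.1.7.5", "GET", "www.example.net", 80)):           # outside Zone_B
        print(s.method, s.host, s.port, "from", s.src, "->", http_access(s))
```

Note that a CONNECT to an allowed domain on port 8080 is still denied at line 6, because the port check comes before the zone and domain lines.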
<br />
Configure /etc/lighttpd/lighttpd.conf, replacing <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
# mod_alias is required by the /cgi-bin/ alias in mod_cgi.conf<br />
"mod_alias",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make the 'squid' and 'lighttpd' users members of the squark group<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi networks role}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks for the netserv container<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth0<br />
<br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#LAN Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.101<br />
lxc.network.name = eth_101<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto eth_3<br />
iface eth_3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
<br />
#Voice VLAN<br />
auto eth_1101<br />
iface eth_1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%DMVPN_VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
<br />
#LAN VLAN<br />
auto eth_101<br />
iface eth_101 inet static<br />
address <%LAN_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
<br />
#WiFi VLAN<br />
auto eth_701<br />
iface eth_701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%VPNC_WIFI_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Todo|Need to setup Firewall rules}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option domain-name-servers <%DMVPN_LAN_IP_ADDRESS%>;<br />
option domain-name "location.example.net";<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (nsd is installed further below)<br />
{{Cmd|apk add unbound}}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
With your favorite editor, create a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_WIFI_IP_ADDRESS%><br />
interface: <%NETSERV_LAN_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "location1.example.net"<br />
stub-addr: 127.0.0.1<br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
Start Unbound and allow the container to use it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_LAN_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: 127.0.0.1<br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Configure Zone file for nsd<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN office.example.net.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ IN NS ns1<br />
; Name servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record ("s" flag: the replacement is the owner of the SIP SRV records below)<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.<br />
<br />
;SIP SRV Records<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
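Before running nsd-checkconf and nsdc rebuild it is worth confirming that the records refer to each other consistently. The Python checker below is an added example (not part of the page or of NSD): it parses a zone in the format above, using constructed 192.0.2.x addresses in place of the placeholders, and reports in-zone NS, SOA MNAME and SRV targets that lack an A record, as well as NAPTR records with the "s" flag whose replacement is not the owner of any SRV record; a deliberately inconsistent variant shows what it flags.<br />

```python
"""Consistency check for an nsd zone like the one above (added example, not NSD code).
Flags in-zone NS, SOA MNAME and SRV targets without an A record, and NAPTR "s" records
whose replacement is not the owner of any SRV record."""
import re

# Constructed zone mirroring the records above; 192.0.2.x (documentation range) stands in
# for <%NETSERV_VOICE_IP_ADDRESS%>, <%SIP_IP_ADDRESS%> and <%VMAIL_IP_ADDRESS%>.
ZONE = """\
$ORIGIN office.example.net.
$TTL 86400
@ IN SOA ns1 admin (
    2013032200 ; Serial number [yyyymmddnn]
    28800 7200 864000 86400 ; Refresh Retry Expire Min TTL
)
@ IN NS ns1
ns1 IN A 192.0.2.1
sip IN A 192.0.2.10
vmail IN A 192.0.2.11
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.office.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""

# Constructed variant with three defects: SOA MNAME without an A record, SRV target
# 'vmail' without an A record, and a NAPTR replacement that owns no SRV records.
BROKEN_ZONE = (ZONE.replace("SOA ns1 ", "SOA ns ")
               .replace("vmail IN A", "map IN A")
               .replace("_sip._udp.office.example.net.", "_sip._udp.sip.office.example.net."))


def tokenize(line):
    """Fields of one zone line: quoted strings kept whole (quotes stripped), ';' comments dropped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|[^\s"]+', line.split(";", 1)[0])]


def absolute(name, origin):
    """Resolve '@' and relative names against the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return [(owner, rtype, rdata_fields)] with absolute owner names; handles $ORIGIN,
    $TTL, multi-line ( ... ) records and omitted owner names."""
    origin, owner, records = ".", ".", []
    fields, depth, continued = [], 0, False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(";"):
            continue
        if depth == 0:                        # a new logical record starts on this line
            fields, continued = [], raw[0].isspace()
        for tok in tokenize(raw):
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                fields.append(tok)
        if depth > 0:                         # still inside ( ... ), keep accumulating
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            continue
        if not continued:                     # owner present; otherwise reuse the previous one
            owner = absolute(fields.pop(0), origin)
        while fields[0].isdigit() or fields[0] in ("IN", "CH", "HS"):
            fields.pop(0)                     # optional TTL and class
        records.append((owner, fields[0], fields[1:]))
    return records


def check_zone(text):
    """Return a list of problems; an empty list means the zone is internally consistent."""
    records = parse_zone(text)
    apex = next(o for o, t, _ in records if t == "SOA")   # assumes $ORIGIN is the zone apex
    a_names = {o for o, t, _ in records if t == "A"}
    srv_owners = {o for o, t, _ in records if t == "SRV"}
    problems = []
    for owner, rtype, rdata in records:
        if rtype == "NAPTR":
            if rdata[2].lower() == "s":                    # flags field
                rep = absolute(rdata[5], apex)             # replacement field
                if rep not in srv_owners:
                    problems.append(f"NAPTR on {owner} points at {rep}, which owns no SRV records")
            continue
        targets = {"SOA": (0, "SOA MNAME"), "NS": (0, f"NS of {owner}"),
                   "SRV": (3, f"SRV target of {owner}")}
        if rtype not in targets:
            continue
        idx, what = targets[rtype]
        target = absolute(rdata[idx], apex)
        in_zone = target == apex or target.endswith("." + apex)
        if in_zone and target not in a_names:
            problems.append(f"{what}: {target} has no A record in this zone")
    return problems
```

Running check_zone(BROKEN_ZONE) lists the three defects; check_zone(ZONE) returns an empty list.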
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
nsdc rebuild<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9758
Small Office Services
2014-01-15T20:34:48Z
<p>Cewebb: /* Install the DHCP and DNS server (netserv) Container */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|}<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replacing <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, <%DOMAIN%> and the <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%> placeholders<br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full URI, including the query terms.<br />
# Query strings can carry session tokens and credentials, so restrict<br />
# read access to access.log accordingly<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# No authentication is configured in this setup; userlist simply matches every client<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed above (first match wins, so this must stay last)<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
# Only one proxy and no cache_peer, so no ICP queries are expected; the<br />
# firewall policy above only admits http and http-alt, so ICP (udp/3130) is<br />
# unreachable anyway. Use "icp_access deny all" if ICP is never wanted<br />
icp_access allow all<br />
</pre><br />
}}<br />
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container is booted<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFi networks role}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks the netserv container must reach<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth0<br />
<br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#LAN Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.101<br />
lxc.network.name = eth_101<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}}, the lxc-console escape sequence}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto eth_3<br />
iface eth_3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
<br />
#Voice VLAN<br />
auto eth_1101<br />
iface eth_1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%DMVPN_VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
<br />
#LAN VLAN<br />
auto eth_101<br />
iface eth_101 inet static<br />
address <%NETSERV_LAN_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
<br />
#WiFi VLAN<br />
auto eth_701<br />
iface eth_701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%WIFI_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration. Install your SSH public key in /root/.ssh/authorized_keys before disabling password authentication, otherwise the container is only reachable through lxc-console<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/^#*PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Todo|Need to setup Firewall rules}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
install the dhcpd package<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option domain-name-servers <%DMVPN_LAN_IP_ADDRESS%>;<br />
option domain-name "location.example.net";<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (the recursive resolver; nsd, the authoritative server, is installed below)<br />
{{Cmd|apk add unbound }}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_WIFI_IP_ADDRESS%><br />
interface: <%NETSERV_LAN_IP_ADDRESS%><br />
# Required: the stub zone below points at nsd listening on 127.0.0.1<br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
# Local zone served by nsd on 127.0.0.1; the name must match the zone<br />
# declared in nsd.conf below<br />
stub-zone:<br />
name: "office.example.net"<br />
stub-addr: 127.0.0.1<br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
Start Unbound and allow the container to use it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_LAN_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd configuration<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: 127.0.0.1<br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Configure the zone file for nsd. Replace <%VOICE_DOMAIN%> with the zone name declared in nsd.conf (office.example.net above); the file name must match the zonefile entry<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN <%VOICE_DOMAIN%>.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name servers (an in-zone NS target needs an A record)<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP devices (the SRV targets below)<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR record: with the "s" flag the replacement is the name of the SRV<br />
;record set (RFC 3263), so it must point at _sip._udp under the zone<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.<%VOICE_DOMAIN%>.<br />
<br />
;SIP SRV records, both targets at the same priority and weight<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
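Added example (not the page's own tooling): a Python check that the names in the zone file point at records that exist before nsd loads it. nsd-checkconf only validates nsd.conf; it does not tell you that an SRV target, an NS name or a NAPTR replacement has no record. The domain voice.example.net and the addresses in the two sample zones are assumed values, and the first sample deliberately contains three mistakes that are easy to make in a file like this: an SOA MNAME with no A record, an A record named map where the SRV target is vmail, and NAPTR replacements that name no SRV owner.<br />

```python
"""Added example: referential-integrity check for a small nsd zone file.

Parses $ORIGIN/$TTL, ';' comments, parenthesised multi-line rdata and the
record types used on this page (SOA, NS, A, NAPTR, SRV), then verifies that
every name the zone points at actually exists in the zone.
"""


def fqdn(name, origin):
    """Expand a zone-file name: '@' is the origin, a trailing dot is absolute."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1]
    return f"{name}.{origin}"


def parse_zone(text):
    """Return [(owner_fqdn, TYPE, [rdata tokens])] for a zone file string."""
    records, buf, origin, last_owner, inherit = [], "", None, None, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not buf:                                     # first line of a record
            inherit = line[0].isspace()                 # blank owner => previous owner
        buf += " " + line
        if buf.count("(") > buf.count(")"):
            continue                                    # rdata continues on the next line
        toks = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        if toks[0] == "$ORIGIN":
            origin = toks[1].rstrip(".")
            continue
        if toks[0] == "$TTL":
            continue
        owner = last_owner if inherit else toks.pop(0)
        last_owner = owner
        if toks and toks[0].isdigit():                  # optional TTL
            toks.pop(0)
        if toks and toks[0].upper() in ("IN", "CH", "HS"):  # optional class
            toks.pop(0)
        records.append((fqdn(owner, origin), toks[0].upper(), toks[1:]))
    return records


def check_zone(records):
    """Return human-readable problems: dangling SOA/NS/SRV targets and NAPTR
    's' replacements that name no SRV record set."""
    have = {(name, rtype) for name, rtype, _ in records}
    origin = next(name for name, rtype, _ in records if rtype == "SOA")
    problems = []

    def need(target, rtype, why):
        if (target, rtype) not in have:
            problems.append(f"{why}: no {rtype} record for {target}")

    for name, rtype, rd in records:
        if rtype == "SOA":
            need(fqdn(rd[0], origin), "A", f"SOA MNAME {rd[0]}")
        elif rtype == "NS" and fqdn(rd[0], origin).endswith(origin):
            need(fqdn(rd[0], origin), "A", f"NS {name}")   # in-zone NS needs an address
        elif rtype == "SRV":
            need(fqdn(rd[3], origin), "A", f"SRV {name}")
        elif rtype == "NAPTR" and "s" in rd[2].strip('"').lower() and rd[5] != ".":
            need(fqdn(rd[5], origin), "SRV", f"NAPTR {name} replacement")
    return problems


# Constructed sample zones; voice.example.net and the 10.1.11.x addresses are assumptions.
BAD_ZONE = """$ORIGIN voice.example.net.
$TTL 86400
@ IN SOA ns admin (
        2013032200 ; Serial
        28800 ; Refresh
        7200 ; Retry
        864000 ; Expire
        86400 ; Min TTL
        )
@ NS ns1
ns1 IN A 10.1.11.2
sip IN A 10.1.11.10
map IN A 10.1.11.11
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.sip.voice.example.net.
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.vmail.voice.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""

GOOD_ZONE = BAD_ZONE.replace("SOA ns admin", "SOA ns1 admin") \
    .replace("map IN A", "vmail IN A") \
    .replace("_sip._udp.sip.voice.example.net.", "_sip._udp.voice.example.net.") \
    .replace('@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.vmail.voice.example.net.\n', "")

if __name__ == "__main__":
    for label, zone in (("with-mistakes", BAD_ZONE), ("corrected", GOOD_ZONE)):
        print(label, check_zone(parse_zone(zone)) or "ok")
```

Run it before nsdc rebuild; every problem it prints is a name that will resolve to NXDOMAIN for the SIP phones even though nsd loads the zone without complaint.<br />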
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
nsdc rebuild<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9757
Small Office Services
2014-01-15T20:34:23Z
<p>Cewebb: </p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' or 'done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Enter'' '''none''' (bond0 itself carries no address, only its VLAN sub-interfaces do)<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP_ADDRESS%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
{{Note|Writing to /proc only lasts until the next reboot. To make it persistent, add <code>net.ipv4.ip_forward = 1</code> to /etc/sysctl.conf, which the sysctl service applies at boot.}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for a wall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure iptables to restore the rules saved by awall activate when the host boots<br />
{{Cmd| rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}}, the lxc-console escape sequence}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN router's awall policy to allow this proxy out to the internet<br />
{{Note| this is configured on the DMVPN router's awall config, not inside the container. $WEB_PROXY must be defined in a "variable" section of that configuration and B and E are the zone names used there; enable the policy with awall enable internet-host followed by awall activate}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"description": "Web proxy internet access",<br />
<br />
"filter": [<br />
{ "in": "B", "src": "$WEB_PROXY", "out": "E", "action": "accept" }<br />
]<br />
}<br />
}}<br />
<br />
Configure remote administration. Install your SSH public key in /root/.ssh/authorized_keys before disabling password authentication, otherwise the container is only reachable through lxc-console<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/^#*PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and have iptables restore the saved rules automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
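Added example (not part of the page or of awall itself): a small Python lint to run over the optional policy files before awall activate. It rejects JSON that a strict parser will not accept (a trailing comma after the last member of a rule is the usual mistake), checks that rules sit in a policy or filter list with a valid action, and flags $VARIABLE references that no "variable" section defines. The sample policy texts and the 10.1.101.10 address are constructed.<br />

```python
"""Added example: lint awall optional policy files before 'awall activate'.

Assumes the files are plain JSON objects as awall expects, with rules in
"policy" or "filter" lists and $NAME references resolved from "variable".
"""
import json
import re

ACTIONS = {"accept", "drop", "reject"}   # actions used by the policies on this page
SECTIONS = ("policy", "filter")


def lint_policy(name, text, variables=None):
    """Return a list of problems found in one policy file (empty if clean).

    `variables` lets you pass definitions from other enabled policies, since
    awall resolves $NAME across all of them."""
    try:
        doc = json.loads(text)                 # strict: a trailing comma is a parse error
    except json.JSONDecodeError as exc:
        return [f"{name}: invalid JSON ({exc.msg} at line {exc.lineno})"]
    if not isinstance(doc, dict):
        return [f"{name}: top level must be a JSON object"]

    problems = []
    known = dict(variables or {})
    known.update(doc.get("variable", {}))

    rules = [(sec, rule) for sec in SECTIONS for rule in doc.get(sec, [])]
    if not rules:
        problems.append(f"{name}: no 'policy' or 'filter' list; a bare rule object is not a policy")

    for sec, rule in rules:
        where = f"{name}:{sec}"
        if not isinstance(rule, dict):
            problems.append(f"{where}: rule is not an object")
            continue
        if rule.get("action") not in ACTIONS:
            problems.append(f"{where}: action must be one of {sorted(ACTIONS)}")
        for key in ("src", "dest"):
            for ref in re.findall(r"\$(\w+)", json.dumps(rule.get(key, ""))):
                if ref not in known:
                    problems.append(f"{where}: ${ref} is not defined in a 'variable' section")
    return problems


# Constructed samples (assumed address 10.1.101.10 for the proxy).
BARE_RULE = """{
"in": "B",
"src": "$WEB_PROXY",
"out": "E",
"action": "accept",
}
"""

FIXED_NO_VAR = """{
"description": "Web proxy internet access",
"filter": [ { "in": "B", "src": "$WEB_PROXY", "out": "E", "action": "accept" } ]
}"""

FIXED_WITH_VAR = """{
"description": "Web proxy internet access",
"variable": { "WEB_PROXY": "10.1.101.10" },
"filter": [ { "in": "B", "src": "$WEB_PROXY", "out": "E", "action": "accept" } ]
}"""

if __name__ == "__main__":
    for label, text in (("bare-rule", BARE_RULE), ("fixed-no-var", FIXED_NO_VAR),
                        ("fixed-with-var", FIXED_WITH_VAR)):
        print(label, lint_policy(label, text) or "ok")
```

The third sample passes, and the second passes too once the variable is supplied from another policy file, which is how the DMVPN router's configuration would normally define $WEB_PROXY.<br />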
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replacing <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, <%DOMAIN%> and the <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%> of the LAN zone<br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full URI, including the query terms.<br />
# Query strings can carry session tokens and credentials, so restrict<br />
# read access to access.log accordingly<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# No authentication is configured in this setup; userlist simply matches every client<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed above (first match wins, so this must stay last)<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
# Only one proxy and no cache_peer, so no ICP queries are expected; the<br />
# firewall policy above only admits http and http-alt, so ICP (udp/3130) is<br />
# unreachable anyway. Use "icp_access deny all" if ICP is never wanted<br />
icp_access allow all<br />
</pre><br />
}}<br />
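Added example (not part of the page): a Python simulation of how Squid evaluates the http_access lines above. Squid walks the lines top to bottom, a line matches when every ACL on it matches (a leading ! negates one ACL), and the first matching line decides, so the order of the deny and allow lines is the policy. The LAN subnet and the contents of the /etc/squid/ list files are constructed assumptions; the port lists are copied from the configuration.<br />

```python
"""Added example: first-match simulation of the http_access rules on this page.

Squid evaluates http_access lines top to bottom; a line matches when every
ACL on it matches ('!' negates one ACL) and the first matching line decides.
Subnet and list contents below are constructed stand-ins for the page's
<%LAN_SUBNET%> placeholder and /etc/squid/* list files.
"""
import ipaddress
from dataclasses import dataclass

# acl Safe_ports / SSL_ports exactly as in the page's squid.conf
SAFE_PORTS = {21, 70, 80, 81, 210, 280, 443, 563, 499, 591, 777, 1024, 1022} | set(range(1025, 65536))
SSL_PORTS = {443, 563, 8004, 9000}

# Constructed values (assumptions, not from the page)
LAN_SUBNET = [ipaddress.ip_network("10.1.101.0/24")]                 # Zone_B
ALLOWED_USER_DOMAINS = [".alpinelinux.org"]                          # /etc/squid/alloweduserdomains
ALLOWED_SERVICES_HOSTS = [ipaddress.ip_network("10.1.101.50/32")]    # /etc/squid/allowedserviceshosts
ALLOWED_SERVICES_DOMAINS = [".example.net"]                          # /etc/squid/allowedservicesdomains


@dataclass(frozen=True)
class Request:
    src: str      # client IP
    method: str   # GET, CONNECT, ...
    host: str     # destination host name
    port: int     # destination port


def dstdomain(entries, host):
    """Squid dstdomain: '.example.com' matches the domain and its subdomains,
    'example.com' matches exactly."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def src_in(networks, src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks)


ACLS = {
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "SSL_ports": lambda r: r.port in SSL_PORTS,
    "CONNECT": lambda r: r.method == "CONNECT",
    "Zone_B": lambda r: src_in(LAN_SUBNET, r.src),
    "Zone_B_AllowedUserDomains": lambda r: dstdomain(ALLOWED_USER_DOMAINS, r.host),
    "Zone_B_AllowedServicesHosts": lambda r: src_in(ALLOWED_SERVICES_HOSTS, r.src),
    "Zone_B_AllowedServicesDomains": lambda r: dstdomain(ALLOWED_SERVICES_DOMAINS, r.host),
    "all": lambda r: True,
}

# The page's http_access lines, in order (manager/purge lines omitted)
HTTP_ACCESS = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["Zone_B", "Zone_B_AllowedUserDomains"]),
    ("allow", ["Zone_B_AllowedServicesHosts", "Zone_B_AllowedServicesDomains"]),
    ("deny", ["all"]),
]


def acl_matches(name, req):
    if name.startswith("!"):
        return not ACLS[name[1:]](req)
    return ACLS[name](req)


def http_access(req):
    """Return (action, index of the deciding line). If no line matches, Squid
    applies the opposite of the last line's action (index -1)."""
    for idx, (action, acls) in enumerate(HTTP_ACCESS):
        if all(acl_matches(a, req) for a in acls):
            return action, idx
    last = HTTP_ACCESS[-1][0]
    return ("allow" if last == "deny" else "deny"), -1


if __name__ == "__main__":
    samples = [
        Request("10.1.101.20", "GET", "wiki.alpinelinux.org", 80),       # LAN user, allowed domain
        Request("10.1.101.20", "CONNECT", "wiki.alpinelinux.org", 8443),  # CONNECT to a non-SSL port
        Request("10.1.101.20", "GET", "example.org", 80),                # LAN user, unlisted domain
        Request("10.1.101.50", "GET", "updates.example.net", 80),        # service host, service domain
        Request("10.1.101.50", "GET", "updates.example.net", 22),        # unsafe port is refused first
        Request("10.1.200.5", "GET", "wiki.alpinelinux.org", 80),        # outside Zone_B
    ]
    for req in samples:
        action, idx = http_access(req)
        print(f"{req.src:12} {req.method:7} {req.host}:{req.port} -> {action} (line {idx})")
```

Two of the sample results are worth noting when you change the rule order: a CONNECT to port 8443 is refused by the SSL_ports line even though the destination is in alloweduserdomains, and a request from a host outside Zone_B is refused by the final deny all regardless of destination.<br />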
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
{{Todo|Needs revisit to restructure WiFI networks role}}<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, so that it attaches the netserv container to the management, LAN, WiFi and voice VLANs<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth0<br />
<br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth_3<br />
<br />
#LAN Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.101<br />
lxc.network.name = eth_101<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = eth_701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = eth_1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto eth_3<br />
iface eth_3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
<br />
#Voice VLAN<br />
auto eth_1101<br />
iface eth_1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%DMVPN_VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
<br />
#LAN VLAN (the address unbound listens on and the one written to resolv.conf below)<br />
auto eth_101<br />
iface eth_101 inet static<br />
address <%NETSERV_LAN_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
<br />
#WiFi VLAN<br />
auto eth_701<br />
iface eth_701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%VPNC_WIFI_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration. Put your SSH public key in /root/.ssh/authorized_keys first: the sed below disables password logins, so without a key the container is reachable only through lxc-console<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Todo|Need to setup Firewall rules}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the DHCP server (the acf-dhcp ACF module pulls in the dhcp package)<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option domain-name-servers <%DMVPN_LAN_IP_ADDRESS%>;<br />
option domain-name "location.example.net";<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (nsd is installed further down)<br />
{{Cmd|apk add unbound }}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_WIFI_IP_ADDRESS%><br />
interface: <%NETSERV_LAN_IP_ADDRESS%><br />
#needed: the stub-zone below forwards to nsd on 127.0.0.1, which unbound otherwise refuses to query<br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
#only these networks may query; must cover every subnet dhcpd hands out, or those clients get REFUSED<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
#the zone nsd serves on 127.0.0.1; the name must match "name:" in nsd.conf<br />
name: "office.example.net"<br />
stub-addr: 127.0.0.1<br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
Start Unbound, enable it at boot, and point the container's own resolver at it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_LAN_IP_ADDRESS%> > /etc/resolv.conf}}<br />
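<br />
Before handing the two configurations above to clients, it is worth checking that each DHCP pool and router address sit inside their subnet, and that every subnet dhcpd serves falls within the networks unbound's access-control allows: a client outside 10.1.0.0/16 would get its lease and then REFUSED answers from the resolver. The script below is an added example, not part of this page or of ISC dhcpd or unbound; the dhcpd.conf fragments and the 10.1.x.x addresses are constructed stand-ins for the placeholders.<br />

```python
"""Sanity checks for dhcpd.conf subnet blocks against the resolver ACL.

Added example, not part of the page or of ISC dhcpd: it parses the subnet
blocks, checks each dynamic range and router against its subnet, and
confirms every served subnet lies inside the networks unbound's
access-control allows.  Sample configs below are constructed; the
addresses are assumed values standing in for the page's placeholders.
"""
import ipaddress
import re

SUBNET_RE = re.compile(r"subnet\s+([\d.]+)\s+netmask\s+([\d.]+)\s*\{(.*?)\}", re.S)
RANGE_RE = re.compile(r"\brange\s+([\d.]+)(?:\s+([\d.]+))?\s*;")
ROUTER_RE = re.compile(r"option\s+routers\s+([\d.]+)\s*;")

# Constructed: the page's two subnet blocks with assumed addresses.
SAMPLE_OK = """
subnet 10.1.11.0 netmask 255.255.255.0
{
  range 10.1.11.100 10.1.11.200;
  option domain-name-servers 10.1.11.2;
  option routers 10.1.11.1;
}
subnet 10.1.7.0 netmask 255.255.255.0
{
  range 10.1.7.50 10.1.7.250;
  option routers 10.1.7.1;
}
"""

# Constructed: two common slips, a pool that swallows the router and a
# subnet the resolver will refuse, with a range that runs past it.
SAMPLE_BAD = """
subnet 10.1.7.0 netmask 255.255.255.0
{
  range 10.1.7.1 10.1.7.254;
  option routers 10.1.7.1;
}
subnet 192.168.50.0 netmask 255.255.255.0
{
  range 192.168.50.10 192.168.51.20;
  option routers 192.168.50.1;
}
"""

# The networks from the unbound access-control lines on this page.
RESOLVER_ALLOWED = ["10.1.0.0/16", "127.0.0.0/8"]


def parse_subnets(conf):
    """Return [(network, [(range_lo, range_hi)], [router])] per subnet block.
    ip_network() is strict, so a subnet with host bits set raises, as dhcpd
    itself would reject it."""
    subnets = []
    for addr, mask, body in SUBNET_RE.findall(conf):
        net = ipaddress.ip_network(f"{addr}/{mask}")
        ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo))
                  for lo, hi in RANGE_RE.findall(body)]
        routers = [ipaddress.ip_address(r) for r in ROUTER_RE.findall(body)]
        subnets.append((net, ranges, routers))
    return subnets


def check_dhcpd(conf, resolver_allowed):
    """Return a list of human-readable problems; empty means consistent."""
    allowed = [ipaddress.ip_network(n) for n in resolver_allowed]
    subnets = parse_subnets(conf)
    problems = []
    for net, ranges, routers in subnets:
        for lo, hi in ranges:
            if lo > hi:
                problems.append(f"{net}: range {lo}-{hi} is reversed")
            elif lo not in net or hi not in net:
                problems.append(f"{net}: range {lo}-{hi} leaves the subnet")
            elif lo == net.network_address or hi == net.broadcast_address:
                problems.append(f"{net}: range {lo}-{hi} includes the network or broadcast address")
            for r in routers:
                if lo <= r <= hi:
                    problems.append(f"{net}: router {r} sits inside dynamic range {lo}-{hi}")
        for r in routers:
            if r not in net:
                problems.append(f"{net}: router {r} is not on this subnet")
        if not any(net.subnet_of(a) for a in allowed):
            problems.append(f"{net}: not covered by resolver access-control {resolver_allowed}")
    # Two subnet blocks covering the same addresses make lease assignment ambiguous.
    for i, (a, _, _) in enumerate(subnets):
        for b, _, _ in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    for label, conf in (("page layout", SAMPLE_OK), ("with slips", SAMPLE_BAD)):
        print(label, check_dhcpd(conf, RESOLVER_ALLOWED) or "OK")
```

Run it against the real /etc/dhcp/dhcpd.conf by reading the file into check_dhcpd together with the networks from your unbound.conf; an empty list means the pools, routers and resolver ACL agree.<br />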
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Configure nsd to serve the local zone on the loopback address only; unbound forwards queries for it via the stub-zone above<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: 127.0.0.1<br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Create the zone file named by zonefile: in nsd.conf. Its $ORIGIN must match the name: entry there, so <%VOICE_DOMAIN%> here has to be the same zone name, office.example.net<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN <%VOICE_DOMAIN%>.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name servers<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices (every SRV target below needs one)<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record: with the "s" flag the replacement must be the SRV name itself<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.<%VOICE_DOMAIN%>.<br />
<br />
;SIP SRV Records<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}<br />
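<br />
nsd-checkconf validates syntax only; it will not report that the SOA MNAME or an SRV target has no A record, or that a NAPTR with the "s" flag points at a name that is not an SRV set, and those are exactly the slips that keep SIP phones from finding the server. The checker below is an added example, not part of this page or of nsd. Its two sample zones are constructed, with RFC 5737 documentation addresses where the page has placeholders: one as the zone above, one with the dangling names a first draft tends to contain.<br />

```python
"""Consistency checks for a small authoritative zone file (nsd/BIND syntax).

Added example, not part of the page or of nsd: it catches dangling
references a syntax check does not (NS, SOA MNAME or SRV target without
an A record, NAPTR 's' replacement that is not an SRV owner).  The two
sample zones are constructed; 192.0.2.x are documentation addresses
standing in for the page's placeholders.
"""

# Constructed: the voice zone as it appears on the page.
ZONE_OK = """
$ORIGIN voice.example.net.
$TTL 86400

@ IN SOA ns1 admin (
  2013032200 ; Serial
  28800      ; Refresh
  7200       ; Retry
  864000     ; Expire
  86400      ; Min TTL
)

@ NS ns1
ns1 IN A 192.0.2.53

sip   IN A 192.0.2.10
vmail IN A 192.0.2.11

@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.voice.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""

# Constructed: MNAME 'ns' without an A record, 'map' where 'vmail' is
# meant, and NAPTR replacements that are host names rather than SRV names.
ZONE_BAD = """
$ORIGIN voice.example.net.
$TTL 86400
@ IN SOA ns admin (
  2013032200
  28800
  7200
  864000
  86400
)
@ NS ns1
ns1 IN A 192.0.2.53
sip IN A 192.0.2.10
map IN A 192.0.2.11
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.sip.voice.example.net.
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.vmail.voice.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""


def fqdn(name, origin):
    """Qualify a zone-file name: '@' is the origin, a trailing dot is absolute."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def in_zone(name, origin):
    return name == origin or name.endswith("." + origin)


def parse_zone(text):
    """Return (origin, [(owner_fqdn, type, rdata_tokens)]).
    Handles $ORIGIN/$TTL, ';' comments, '@', relative owners, optional
    TTL/class fields and parenthesised multi-line records (the SOA).
    Every record must carry an explicit owner (no blank-owner lines)."""
    origin, records, buf, depth = None, [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth > 0:
            continue                      # still inside ( ... )
        tokens, buf = " ".join(buf).split(), []
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):     # $TTL and other directives
            continue
        owner, rest = tokens[0], tokens[1:]
        while rest and (rest[0] == "IN" or rest[0].isdigit()):
            rest = rest[1:]               # strip optional class / TTL
        records.append((fqdn(owner, origin), rest[0], rest[1:]))
    return origin, records


def check_zone(text):
    """Return a list of human-readable problems; empty means consistent."""
    origin, records = parse_zone(text)
    have_a = {o for o, t, _ in records if t in ("A", "AAAA")}
    srv_owners = {o for o, t, _ in records if t == "SRV"}
    problems = []

    def need_a(name, what):
        target = fqdn(name, origin)
        if in_zone(target, origin) and target not in have_a:
            problems.append(f"{what} {target} has no A/AAAA record in the zone")

    for owner, rtype, rdata in records:
        if rtype == "SOA":
            need_a(rdata[0], "SOA MNAME")
        elif rtype == "NS":
            need_a(rdata[0], "NS target")
        elif rtype == "SRV":
            need_a(rdata[3], "SRV target")
        elif rtype == "NAPTR":
            flags = rdata[2].strip('"').lower()
            repl = fqdn(rdata[5], origin)
            if flags == "s" and repl not in srv_owners:
                problems.append(f"NAPTR 's' replacement {repl} is not an SRV owner in the zone")
    return problems


if __name__ == "__main__":
    for label, zone in (("as above", ZONE_OK), ("first draft", ZONE_BAD)):
        print(label, check_zone(zone) or "OK")
```

Feed the real zone file to check_zone before nsd-checkconf; an empty list means every name the zone refers to is defined in it.<br />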
<br />
Check nsd configuration and start service<br />
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf<br />
nsdc rebuild<br />
/etc/init.d/nsd start<br />
rc-update add nsd}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9756
Small Office Services
2014-01-15T20:27:08Z
<p>Cewebb: </p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Type'' '''none''' ''(the default is dhcp; bond0 itself carries no address, only its VLAN sub-interfaces do)''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
Enable it now and make it persistent across reboots (the sysctl service applies /etc/sysctl.conf from the boot runlevel, and lbu saves the file)<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward<br />
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure the iptables service to restore the awall-generated rules when the host boots (awall activate writes them to /etc/iptables/rules-save)<br />
{{Cmd|rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN router's awall policy so that this proxy, and only this proxy, can reach the internet directly<br />
{{Note| this is configured on the DMVPN box, not in the container; zones B and E and the variable $WEB_PROXY are defined in that box's awall configuration}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"description": "Allow the web proxy out to the internet",<br />
<br />
"filter": [<br />
{ "in": "B", "src": "$WEB_PROXY", "out": "E", "action": "accept" }<br />
]<br />
}<br />
}}<br />
Enable it there with<br />
{{Cmd|awall enable internet-host<br />
awall activate}}<br />
<br />
Configure remote administration. Put your SSH public key in /root/.ssh/authorized_keys first: the sed below disables password logins, so without a key the container is reachable only through lxc-console<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Catch-all source ACL; no proxy authentication is configured in this setup<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Denying all access not explictly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
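<br />
Squid evaluates http_access lines in order and stops at the first line whose ACLs all match, so the deny lines for unsafe ports and for CONNECT to non-SSL ports only protect the LAN while they stay above the allow lines. The following is an added example, not code from this page or from Squid: a small simulator of that first-match logic over the ACL types the configuration uses (src, port, method, dstdomain), run over a few constructed requests. The Zone_B subnet, the allowed-domain lists and the client addresses are assumed stand-ins for the placeholders and the /etc/squid/* list files; the manager and purge lines are left out.<br />

```python
"""First-match simulation of the http_access rules in the squid.conf above.

Added example, not Squid's code: it models only the ACL types the page uses
(src, port, method, dstdomain) to show why rule order matters.  The Zone_B
subnet, the domain lists and the client addresses are constructed
stand-ins for the page's placeholders and /etc/squid/* list files.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str      # client IP
    method: str   # GET, CONNECT, ...
    host: str     # destination host
    port: int     # destination port


# acl name -> (type, values); "all" is Squid's built-in match-everything ACL
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "SSL_ports": ("port", ["443", "563", "8004", "9000"]),
    "Safe_ports": ("port", ["21", "70", "80", "81", "210", "280", "443", "563",
                            "499", "591", "777", "1024", "1022", "1025-65535"]),
    "CONNECT": ("method", ["CONNECT"]),
    "Zone_B": ("src", ["10.1.1.0/24"]),                               # assumed LAN subnet
    "Zone_B_AllowedUserDomains": ("dstdomain", [".example.com"]),      # assumed list
    "Zone_B_AllowedServicesHosts": ("src", ["10.1.1.10"]),             # assumed host
    "Zone_B_AllowedServicesDomains": ("dstdomain", [".alpinelinux.org"]),
}

# The page's http_access lines, in order (manager/purge lines omitted).
PAGE_RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["Zone_B", "Zone_B_AllowedUserDomains"]),
    ("allow", ["Zone_B_AllowedServicesHosts", "Zone_B_AllowedServicesDomains"]),
    ("deny", ["all"]),
]

# Same lines with the CONNECT check moved below the allows: a common mistake.
MISORDERED_RULES = [PAGE_RULES[0], PAGE_RULES[2], PAGE_RULES[3], PAGE_RULES[1], PAGE_RULES[4]]


def port_in(port, spec):
    """spec is a single port or an inclusive 'lo-hi' range."""
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return port == int(spec)


def domain_matches(host, pattern):
    """dstdomain semantics: '.example.com' matches the domain and all its
    subdomains; a pattern without a leading dot matches that name only."""
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(acl, req):
    kind, values = acl
    if kind == "src":
        return any(ipaddress.ip_address(req.src) in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(port_in(req.port, v) for v in values)
    if kind == "method":
        return req.method.upper() in {v.upper() for v in values}
    if kind == "dstdomain":
        return any(domain_matches(req.host, v) for v in values)
    raise ValueError(f"unsupported acl type {kind}")


def evaluate(rules, acls, req):
    """Squid http_access semantics: a line matches when every ACL on it
    matches ('!' negates); the first matching line decides.  If no line
    matches, the result is the opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    # A LAN client asking the proxy to tunnel to port 8080 on an allowed domain.
    tunnel = Request("10.1.1.50", "CONNECT", "www.example.com", 8080)
    print("page order:", evaluate(PAGE_RULES, ACLS, tunnel))        # deny
    print("misordered:", evaluate(MISORDERED_RULES, ACLS, tunnel))  # allow
```

With the page's ordering the CONNECT to port 8080 is refused because 8080 is a Safe_port but not an SSL_port; once the allow lines come first, any LAN client can tunnel arbitrary TCP to any allowed domain through the proxy.<br />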
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_alias",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, so that it attaches the netserv container to the management, LAN, WiFi and voice VLANs<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth0<br />
<br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = man3<br />
<br />
#LAN Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.101<br />
lxc.network.name = lan101<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = wifi701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = voice1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto man3<br />
iface man3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
<br />
#Voice VLAN<br />
auto voice1101<br />
iface voice1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%DMVPN_VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
<br />
#LAN VLAN (interface names match lxc.network.name in the container config)<br />
auto lan101<br />
iface lan101 inet static<br />
address <%NETSERV_LAN_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
<br />
#WiFi VLAN<br />
auto wifi701<br />
iface wifi701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%VPNC_WIFI_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Configure and enable proxy settings<br />
{{Cmd|setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080<br />
. /etc/profile.d/proxy.sh}}<br />
<br />
Configure remote administration. Put your SSH public key in /root/.ssh/authorized_keys first: the sed below disables password logins, so without a key the container is reachable only through lxc-console<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
{{Todo|Need to setup Firewall rules}}<br />
<br />
== Install and Configure DHCP and DNS services ==<br />
Install the DHCP server (the acf-dhcp ACF module pulls in the dhcp package)<br />
{{Cmd|apk add acf-dhcp}}<br />
Create a new dhcpd.conf file<br />
{{cat|/etc/dhcp/dhcpd.conf|<br />
<pre><br />
## Common settings<br />
default-lease-time 302400;<br />
max-lease-time 604800;<br />
ddns-update-style none;<br />
log-facility local7;<br />
authoritative;<br />
<br />
## Common options<br />
option domain-name-servers <%DMVPN_LAN_IP_ADDRESS%>;<br />
option domain-name "location.example.net";<br />
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server code 66 = string;<br />
<br />
## Voice<br />
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%><br />
{<br />
range <%VOICE_DHCP_RANGE%>;<br />
option domain-name-servers <%NETSERV_VOICE_IP_ADDRESS%>;<br />
option routers <%DMVPN_VOICE_IP_ADDRESS%>;<br />
option boot-server "http://<%SIP_IP_ADDRESS%>";<br />
}<br />
<br />
## WiFi<br />
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%><br />
{<br />
range <%WIFI_DHCP_RANGE%>;<br />
option routers <%WIFI_PROXY_IP_ADDRESS%>;<br />
option domain-name-servers <%NETSERV_WIFI_IP_ADDRESS%>; <br />
option domain-name "<%WIFI_DOMAIN%>";<br />
}<br />
</pre><br />
}}<br />
Start DHCP service and add to runlevel default <br />
{{Cmd|rc-service dhcpd start <br />
rc-update add dhcpd}}<br />
<br />
Install the unbound package (nsd is installed further down)<br />
{{Cmd|apk add unbound }}<br />
<br />
Remove unbound.conf<br />
{{Cmd|rm /etc/unbound/unbound.conf}}<br />
<br />
Create with your favorite editor a new configuration for unbound<br />
{{cat|/etc/unbound/unbound.conf|<br />
#Recursive DNS configuration<br />
<br />
server:<br />
interface: <%NETSERV_WIFI_IP_ADDRESS%><br />
interface: <%NETSERV_LAN_IP_ADDRESS%><br />
do-not-query-localhost: no<br />
verbosity: 1<br />
do-ip4: yes<br />
do-ip6: no<br />
do-udp: yes<br />
do-tcp: yes<br />
do-daemonize: yes<br />
access-control: 10.1.0.0/16 allow<br />
access-control: 127.0.0.0/8 allow<br />
<br />
#use the root.hints file to determine where to send DNS queries outside of network<br />
root-hints: "/etc/unbound/root.hints" <br />
<br />
stub-zone:<br />
name: "location1.example.net"<br />
stub-addr: 127.0.0.1<br />
<br />
stub-zone:<br />
name: "example.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
stub-zone:<br />
name: "example2.net"<br />
stub-addr: 172.16.255.1<br />
stub-addr: 172.16.255.2<br />
stub-addr: 172.16.255.3<br />
stub-addr: 172.16.255.4<br />
stub-addr: 172.16.255.5<br />
stub-addr: 172.16.255.7<br />
<br />
python:<br />
remote-control:<br />
control-enable: no<br />
}}<br />
Start Unbound, add it to the default runlevel and point the container's resolver at it<br />
{{Cmd|/etc/init.d/unbound start<br />
rc-update add unbound<br />
echo nameserver <%NETSERV_LAN_IP_ADDRESS%> > /etc/resolv.conf}}<br />
<br />
Install nsd<br />
{{Cmd|apk add nsd}}<br />
Create the nsd configuration<br />
{{cat|/etc/nsd/nsd.conf|<br />
server:<br />
ip-address: 127.0.0.1<br />
port: 53<br />
server-count: 1<br />
ip4-only: yes<br />
hide-version: yes<br />
identity: ""<br />
zonesdir: "/etc/nsd"<br />
zone:<br />
name: office.example.net<br />
zonefile: office.example.net.zone<br />
}}<br />
<br />
Create the zone file for nsd (the file named by ''zonefile'' in nsd.conf above)<br />
{{cat|/etc/nsd/office.example.net.zone|<br />
$ORIGIN <%VOICE_DOMAIN%>.<br />
$TTL 86400<br />
<br />
@ IN SOA ns1 admin (<br />
2013032200 ; Serial number [yyyymmddnn]<br />
28800 ; Refresh<br />
7200 ; Retry<br />
864000 ; Expire<br />
86400 ; Min TTL<br />
)<br />
<br />
@ NS ns1<br />
; Name server<br />
ns1 IN A <%NETSERV_VOICE_IP_ADDRESS%><br />
<br />
;A Records for SIP Devices<br />
sip IN A <%SIP_IP_ADDRESS%><br />
vmail IN A <%VMAIL_IP_ADDRESS%><br />
<br />
;NAPTR Record (the "s" flag points at the SRV record set below)<br />
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.<%VOICE_DOMAIN%>.<br />
<br />
;SIP SRV Records<br />
_sip._udp IN SRV 10 1 5060 sip<br />
_sip._udp IN SRV 10 1 5060 vmail<br />
}}</div>
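A zone like the one above is easy to get subtly wrong: an SRV target or NAPTR replacement that has no matching record resolves to nothing, and phones silently fail to register. The following checker is an added example, not part of the wiki page or of nsd; it parses a small constructed zone (hypothetical addresses under voice.example.net, with two dangling targets left in on purpose) and reports every SOA, NS, SRV and NAPTR target inside the zone that no record backs.<br />
<br />
```python
# Constructed sample zone in the same shape as the page's nsd zone, with the
# placeholders replaced by hypothetical values and two dangling targets left in
# on purpose so the checker has something to report.
SAMPLE_ZONE = """\
$ORIGIN voice.example.net.
$TTL 86400

@ IN SOA ns admin (
    2013032200 ; Serial number [yyyymmddnn]
    28800 ; Refresh
    7200 ; Retry
    864000 ; Expire
    86400 ; Min TTL
)

@ NS ns1
ns1 IN A 10.1.11.2
sip IN A 10.1.11.10
map IN A 10.1.11.11
@ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.sip.voice.example.net.
_sip._udp IN SRV 10 1 5060 sip
_sip._udp IN SRV 10 1 5060 vmail
"""

def qualify(name, origin):
    """Turn a zone-file owner or target into a fully qualified lower-case name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()

def parse_zone(text):
    """Minimal zone parser: $ORIGIN and $TTL, ';' comments, '(' ')' line
    continuation, optional TTL and class. Returns (owner, type, rdata) tuples."""
    origin, records, buf, depth, last_owner = ".", [], [], 0, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth > 0:
            continue                      # still inside a parenthesised record
        logical, buf = " ".join(buf), []
        tokens = logical.split()
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if tokens[0] == "$TTL":
            continue
        if logical[0].isspace() and last_owner is not None:
            owner = last_owner            # leading blank: owner repeats
        else:
            owner = last_owner = qualify(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                 # optional TTL and class
        records.append((owner, tokens.pop(0).upper(), tokens))
    return records

def check_zone(text):
    """Report SOA, NS, SRV and NAPTR targets inside the zone that no record backs."""
    records = parse_zone(text)
    have = {}
    for owner, rtype, _ in records:
        have.setdefault(owner, set()).add(rtype)
    origin = next((o for o, t, _ in records if t == "SOA"), None)
    problems = []

    def need(name, rtypes, why):
        in_zone = origin is not None and (name == origin or name.endswith("." + origin))
        if in_zone and not have.get(name, set()) & set(rtypes):
            problems.append(f"{why}: {name} has no {'/'.join(rtypes)} record")

    for owner, rtype, rdata in records:
        if rtype == "SOA":
            need(qualify(rdata[0], origin), ("A", "AAAA"), "SOA MNAME")
        elif rtype == "NS":
            need(qualify(rdata[0], origin), ("A", "AAAA"), f"NS target of {owner}")
        elif rtype == "SRV":
            need(qualify(rdata[3], origin), ("A", "AAAA"), f"SRV target of {owner}")
        elif rtype == "NAPTR":
            # Flag "s" means the replacement must be an SRV name, "a" an address record
            wanted = ("SRV",) if rdata[2].strip('"').lower() == "s" else ("A", "AAAA")
            need(qualify(rdata[5], origin), wanted, f"NAPTR replacement of {owner}")
    return problems

if __name__ == "__main__":
    for p in check_zone(SAMPLE_ZONE):
        print(p)
```
<br />
On the sample this reports three findings: the SOA MNAME "ns" has no address record, the NAPTR replacement has no SRV record, and the SRV target "vmail" has no A record. Run it on the real file with check_zone(open("/etc/nsd/office.example.net.zone").read()); nsd's own syntax check does not catch dangling targets, which is what this complements.<br />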
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9754
Small Office Services
2014-01-15T13:08:09Z
<p>Cewebb: </p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
up ip link set $IFACE up<br />
up bond-mode balance-tlb<br />
up bond-miimon 100<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure the firewall to start automatically when the host boots<br />
{{Cmd| rc-update add awall}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add rule to DMVPN awall policy to allow this proxy out to the internet<br />
{{Note| this is to be configured on the DMVPN awall config}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
}<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/^#*PasswordAuthentication .*/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS .*/UseDNS no/" /etc/ssh/sshd_config}}<br />
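The two sed lines only rewrite a line that already exists, so a directive that is absent from sshd_config, or present uncommented with a different value, is left as it was and password logins stay enabled. The following is an added example (not code from the wiki page or from OpenSSH) of doing the same edit robustly: it takes a constructed sshd_config in the shape of the stock default file, sets each directive whether it is commented out, set to another value or missing, and leaves Match blocks untouched because sshd applies those conditionally.<br />
<br />
```python
import re

# Constructed sample in the shape of the default OpenSSH sshd_config: most
# directives are present but commented out with their default values.
SAMPLE_SSHD_CONFIG = """\
# This is the sshd server system-wide configuration file.
Port 22
#PasswordAuthentication yes
#PermitEmptyPasswords no
#UseDNS no
Subsystem sftp /usr/lib/ssh/sftp-server
Match User backup
    PasswordAuthentication yes
"""

# Directive name, optionally commented out, followed by its value.
DIRECTIVE_RE = re.compile(r"^\s*#?\s*([A-Za-z]+)\s+(.*?)\s*$")

def set_directive(config_text, name, value):
    """Return config_text with the global `name` directive set to `value`.

    Unlike the page's sed one-liners this handles all three states: the
    directive is commented out, it is uncommented with another value, or it
    is missing. Lines inside a Match block are left alone, because sshd
    applies those conditionally and they must stay after the global section.
    """
    out, done, in_match = [], False, False
    for line in config_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        key = m.group(1).lower() if m else None
        if key == "match":
            in_match = True
        if not in_match and key == name.lower():
            if not done:
                out.append(f"{name} {value}")
                done = True
            continue  # drop repeated global copies; sshd only honours the first one
        out.append(line)
    if not done:
        # Missing: insert before the first Match block so it stays global.
        idx = next((i for i, l in enumerate(out) if l.strip().lower().startswith("match ")), len(out))
        out.insert(idx, f"{name} {value}")
    return "\n".join(out) + "\n"

def effective_global(config_text, name):
    """The global value as sshd reads it: first uncommented occurrence before any Match."""
    for line in config_text.splitlines():
        if line.strip().lower().startswith("match "):
            break
        m = re.match(r"^\s*([A-Za-z]+)\s+(.*?)\s*$", line)
        if m and m.group(1).lower() == name.lower():
            return m.group(2)
    return None

# The page's two changes plus two common companions (assumed policy, not from the page).
HARDENING = (
    ("PasswordAuthentication", "no"),
    ("UseDNS", "no"),
    ("PermitEmptyPasswords", "no"),
    ("PermitRootLogin", "prohibit-password"),
)

def harden(config_text):
    """Apply every HARDENING directive; safe to run repeatedly."""
    for name, value in HARDENING:
        config_text = set_directive(config_text, name, value)
    return config_text

if __name__ == "__main__":
    print(harden(SAMPLE_SSHD_CONFIG))
```
<br />
Write the result back to /etc/ssh/sshd_config and run sshd -t before restarting, so a typo cannot lock you out of the container; effective_global() is the same check you would otherwise do by eye, since sshd uses the first uncommented occurrence of a keyword.<br />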
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access hosts listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
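Squid evaluates http_access lines top to bottom, ANDs the ACLs on one line, stops at the first line that matches, and applies the opposite of the last line's action when nothing matches, which is why the list above ends in deny all. The following is an added example, not code from the wiki page or from Squid: it models the ACLs and http_access lines of the configuration above with constructed stand-ins for the placeholders and list files (a hypothetical 10.1.101.0/24 LAN, a few allowed domains) so that the effect of the rule order on sample requests can be checked without a running proxy.<br />
<br />
```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Request:
    src: str            # client IP address
    method: str         # GET, CONNECT, PURGE, ...
    host: str           # destination host name
    port: int           # destination port
    path: str = "/"     # request path (only the cache manager rules look at it)

# Constructed stand-ins for the page's placeholders and external list files
# (hypothetical values, not from the original configuration).
LAN_SUBNET = ipaddress.ip_network("10.1.101.0/24")             # <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%>
ALLOWED_USER_DOMAINS = {".example.net", ".alpinelinux.org"}    # /etc/squid/alloweduserdomains
ALLOWED_SERVICE_HOSTS = ipaddress.ip_network("10.1.101.10/32")  # /etc/squid/allowedserviceshosts
ALLOWED_SERVICE_DOMAINS = {".update.example.com"}              # /etc/squid/allowedservicesdomains
SSL_PORTS = {443, 563, 8004, 9000}
# Same port list as the page's Safe_ports ACL, odd entries included
SAFE_PORTS = {21, 70, 80, 81, 210, 280, 443, 563, 499, 591, 777, 1024, 1022} | set(range(1025, 65536))

def dstdomain(domains, host):
    """Squid dstdomain semantics: a leading dot matches the domain and all its subdomains."""
    host = host.lower().rstrip(".")
    for d in domains:
        if d.startswith("."):
            if host == d[1:] or host.endswith(d):
                return True
        elif host == d:
            return True
    return False

# The ACLs declared in the page's squid.conf, as predicates on a Request.
ACLS = {
    "all": lambda r: True,
    "localhost": lambda r: ipaddress.ip_address(r.src).is_loopback,
    "manager": lambda r: r.path.startswith("/squid-internal-mgr/"),
    "purge": lambda r: r.method == "PURGE",
    "CONNECT": lambda r: r.method == "CONNECT",
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "SSL_ports": lambda r: r.port in SSL_PORTS,
    "Zone_B": lambda r: ipaddress.ip_address(r.src) in LAN_SUBNET,
    "Zone_B_AllowedUserDomains": lambda r: dstdomain(ALLOWED_USER_DOMAINS, r.host),
    "Zone_B_AllowedServicesHosts": lambda r: ipaddress.ip_address(r.src) in ALLOWED_SERVICE_HOSTS,
    "Zone_B_AllowedServicesDomains": lambda r: dstdomain(ALLOWED_SERVICE_DOMAINS, r.host),
}

# The page's http_access lines, in the order they appear; the order matters.
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny",  ["purge"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["Zone_B", "Zone_B_AllowedUserDomains"]),
    ("allow", ["Zone_B_AllowedServicesHosts", "Zone_B_AllowedServicesDomains"]),
    ("deny",  ["all"]),
]

def match_acl(name, request):
    """Evaluate one ACL reference, honouring a leading '!' as negation."""
    negated = name.startswith("!")
    result = ACLS[name.lstrip("!")](request)
    return (not result) if negated else result

def evaluate(request, rules=HTTP_ACCESS):
    """Squid semantics: ACLs on one line are ANDed, the first matching line decides,
    and if no line matches the opposite of the last line's action applies."""
    for action, acls in rules:
        if all(match_acl(a, request) for a in acls):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

if __name__ == "__main__":
    for r in (Request("10.1.101.50", "GET", "www.example.net", 80),
              Request("10.1.101.50", "CONNECT", "mail.example.net", 8443),
              Request("10.1.101.50", "GET", "www.example.net", 1023),
              Request("10.1.101.50", "GET", "evil.example.org", 80)):
        print(f"{r.method} {r.host}:{r.port} from {r.src} -> {evaluate(r)}")
```
<br />
Two results worth noticing: a CONNECT to port 8443 from the LAN is refused even though 8443 is a "safe" port, because the CONNECT line only permits the SSL_ports set; and a request from the proxy host itself is refused, because localhost is not in Zone_B. squid -k parse checks the syntax of squid.conf, but a model like this is what shows whether the rule order expresses the policy you intended.<br />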
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_alias",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks for the netserv container<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth0<br />
<br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = man3<br />
<br />
#LAN Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.101<br />
lxc.network.name = lan101<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = wifi701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = voice1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto man3<br />
iface man3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
<br />
#Voice VLAN<br />
auto voice1101<br />
iface voice1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%DMVPN_VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
<br />
#LAN VLAN<br />
auto lan101<br />
iface lan101 inet static<br />
address <%LAN_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
<br />
#WiFi VLAN<br />
auto wifi701<br />
iface wifi701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%VPNC_WIFI_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
{{Todo|Need to setup DHCP server and DNS server}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9753
Small Office Services
2014-01-15T13:06:53Z
<p>Cewebb: </p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
up ip link set $IFACE up<br />
up bond-mode balance-tlb<br />
up bond-miimon 100<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure the firewall to start automatically when the host boots<br />
{{Cmd| rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add rule to DMVPN awall policy to allow this proxy out to the internet<br />
{{Note| this is to be configured on the DMVPN awall config}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
}<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/^#*PasswordAuthentication .*/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS .*/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replacing <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, <%DOMAIN%> and the <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%> zone definition. The allow-list files referenced by the ACLs (/etc/squid/alloweduserdomains and the others) must exist, one entry per line, before Squid is started; check cache.log for errors on the first start.<br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Catch-all client ACL; no proxy authentication is configured in this setup<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny everything not explicitly allowed above<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config. This container serves all VLANs, so replace the eth0 stanza copied from default.conf with one macvlan interface per VLAN. The lxc.network.name values must match the iface names used in the container's /etc/network/interfaces, and each VLAN should be attached only once.<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
## macvlan in bridge mode lets containers on the same VLAN see each other<br />
<br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = man3<br />
<br />
#LAN Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.101<br />
lxc.network.name = lan101<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = wifi701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = voice1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|To leave the console without stopping the container press {{Key|Ctrl}}+{{Key|a}} followed by {{Key|q}}, the default lxc-console escape sequence}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below. The interface names are the lxc.network.name values from the container config; only the voice VLAN carries a gateway line, since the container can have a single default route.<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto man3<br />
iface man3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
<br />
#Voice VLAN<br />
auto voice1101<br />
iface voice1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%DMVPN_VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
<br />
#LAN VLAN<br />
auto lan101<br />
iface lan101 inet static<br />
address <%LAN_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
<br />
#WiFi VLAN<br />
auto wifi701<br />
iface wifi701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%VPNC_WIFI_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
{{Todo|Need to setup DHCP server and DNS server}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9752
Small Office Services
2014-01-14T20:21:12Z
<p>Cewebb: /* Install and Configure the Squid Web Proxy Service */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Type'' '''none''' ''(the default is dhcp; bond0 itself carries no address, the VLAN sub-interface does)''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
Enable forwarding now and make it persistent: the echo into /proc is lost at the next reboot, whereas /etc/sysctl.conf is applied by the sysctl service at boot and is saved by lbu commit<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward<br />
echo "net.ipv4.ip_forward {{=}} 1" >> /etc/sysctl.conf}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for a wall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure the iptables service to start automatically when the host boots, so that the rules awall saved are restored<br />
{{Cmd|rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|To leave the console without stopping the container press {{Key|Ctrl}}+{{Key|a}} followed by {{Key|q}}, the default lxc-console escape sequence}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN box's awall policy so that this proxy can reach the internet. Only the proxy gets this exception, so every other host in the LAN zone has to go through it to get out.<br />
{{Note|This is configured on the DMVPN box, not inside the container. Zones B and E and the variable $WEB_PROXY come from the DMVPN awall configuration. A file under /etc/awall/optional must be a complete policy, so the rule is wrapped in a filter list; a trailing comma after the last element is not valid JSON and awall will reject it.}}<br />
{{cat|/etc/awall/optional/internet-host.json|<br />
{<br />
"description": "Allow the web proxy out to the internet",<br />
<br />
"filter": [<br />
{ "in": "B", "out": "E", "src": "$WEB_PROXY", "action": "accept" }<br />
]<br />
}<br />
}}<br />
Enable and activate it on the DMVPN box<br />
{{Cmd|awall enable internet-host<br />
awall activate}}<br />
<br />
Configure remote administration. Turning password logins off is the right thing to do, but do it only after an SSH public key has been put in /root/.ssh/authorized_keys, otherwise the only way into the container is lxc-console on the host. The sed expressions only rewrite the commented-out defaults shipped in sshd_config (the leading "." matches the "#"); if such a line is absent they silently change nothing, so verify the result with grep.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config<br />
grep -e "^PasswordAuthentication" -e "^UseDNS" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
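<br />
The two sed commands in the Configure remote administration step above (the same step appears in the earlier revision of this page) only rewrite a line that already reads #PasswordAuthentication yes; if the directive is absent they change nothing and sshd keeps password logins enabled, and running them before a key is installed locks you out of SSH. The POSIX sh helpers below are an added example, not part of the wiki page nor of Alpine's setup-sshd: they set a directive idempotently whether it is commented out, active or missing, refuse to disable passwords while authorized_keys holds no key, and (going beyond the page) restrict root to key-based login. The sshd_config and the key in the demo are constructed.<br />
<br />
```sh
#!/bin/sh
# Added example (not from the wiki page): idempotent sshd_config hardening with a
# lock-out guard. The page's sed one-liners only rewrite a line that already reads
# "#PasswordAuthentication yes"; when the directive is missing or spelled
# differently they do nothing and sshd falls back to its compiled-in default,
# which is password authentication ENABLED. These helpers cover all three cases.
# Paths and file contents used in the demo are constructed; nothing on the real
# system is touched.

# set_sshd_option FILE KEY VALUE
# Rewrite every commented-out or active "KEY ..." line as "KEY VALUE", or append
# the directive if the file has none. Assumes a flat sshd_config without Match
# blocks (sshd honours the first matching directive; Match sections are special).
set_sshd_option() {
    _file=$1 _key=$2 _value=$3
    if grep -qE "^[[:space:]]*#?[[:space:]]*${_key}([[:space:]]|\$)" "$_file"; then
        sed -i -r "s|^[[:space:]]*#?[[:space:]]*${_key}([[:space:]].*)?\$|${_key} ${_value}|" "$_file"
    else
        printf '%s %s\n' "$_key" "$_value" >> "$_file"
    fi
}

# sshd_effective FILE KEY
# Print the value sshd will use: the first active (uncommented) directive.
# Prints nothing when the directive is absent, i.e. the compiled-in default applies.
sshd_effective() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# harden_sshd SSHD_CONFIG AUTHORIZED_KEYS
# Refuse to turn passwords off unless at least one public key is installed:
# otherwise the only way back into the container is lxc-console on the host.
harden_sshd() {
    _cfg=$1 _keys=$2
    if ! grep -qE '^(ssh-|ecdsa-)' "$_keys" 2>/dev/null; then
        echo "refusing to disable password login: no public key in $_keys" >&2
        return 1
    fi
    set_sshd_option "$_cfg" PasswordAuthentication no
    set_sshd_option "$_cfg" UseDNS no
    # Not on the page, but worth it since this box is administered as root:
    # "without-password" is accepted by old and current OpenSSH releases alike
    # (newer ones spell it prohibit-password).
    set_sshd_option "$_cfg" PermitRootLogin without-password
}

# --- demo on a constructed sshd_config --------------------------------------
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
# constructed sample: stock file, directives commented out => defaults apply
#PasswordAuthentication yes
#UseDNS yes
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
: > "$demo_dir/authorized_keys"
harden_sshd "$demo_dir/sshd_config" "$demo_dir/authorized_keys" || echo "blocked: install a key first"
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyForTheDemoOnly admin@office" > "$demo_dir/authorized_keys"
harden_sshd "$demo_dir/sshd_config" "$demo_dir/authorized_keys" && cat "$demo_dir/sshd_config"
rm -rf "$demo_dir"
```
<br />
On the container, run harden_sshd against /etc/ssh/sshd_config and /root/.ssh/authorized_keys and then /etc/init.d/sshd restart; keep the lxc-console session open until a key login has been confirmed. The helper assumes the flat sshd_config Alpine ships; if you use Match blocks, place the directives before the first one.<br />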
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replacing <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, <%DOMAIN%> and the <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%> zone definition. The allow-list files referenced by the ACLs (/etc/squid/alloweduserdomains and the others) must exist, one entry per line, before Squid is started; check cache.log for errors on the first start.<br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Catch-all client ACL; no proxy authentication is configured in this setup<br />
acl userlist src all<br />
<br />
# Definition of zones <br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny everything not explicitly allowed above<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
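<br />
Added example, not part of the wiki page: a few POSIX sh and awk functions that run detection over the access log produced by the squark logformat above. Because the policy ends in http_access deny all, every request outside the allow-lists is logged as TCP_DENIED/403, so denials per client, refused CONNECTs and the destinations being tried are the first things worth watching. The log lines are constructed for the demo (documentation IP ranges, invented hostnames), and the parser assumes the trailing %rG field is a single token, as it is in the sample.<br />
<br />
```sh
#!/bin/sh
# Added example (not from the wiki page): detection over Squid access logs written
# with the "squark" logformat defined in squid.conf above:
#   %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG
# Split on whitespace that gives: 1 time, 2 response ms, 3 client IP,
# 4 squid-status/http-status, 5 bytes, 6 method, 7 URL, 8 user,
# 9 hierarchy/peer, 10 mime type, 11 %rG (assumed to be one token).
# With "http_access deny all" at the end of the policy every request outside the
# allow-lists shows up as TCP_DENIED/403; a burst of those from one host is either
# a user hunting for a way around the filter or malware looking for an egress path.
# The log lines in the demo are constructed (documentation IP ranges, made-up names).

# denied_by_client LOG THRESHOLD
# "client count" for every client with at least THRESHOLD denied requests, most first.
denied_by_client() {
    awk -v min="$2" '
        $4 ~ /^TCP_DENIED/ { n[$3]++ }
        END { for (c in n) if (n[c] >= min) printf "%s %d\n", c, n[c] }
    ' "$1" | sort -k2,2nr -k1,1
}

# denied_connects LOG
# CONNECT requests Squid refused. With "http_access deny CONNECT !SSL_ports" these
# are attempts to tunnel ssh, smtp, IRC and the like through the proxy.
denied_connects() {
    awk '$6 == "CONNECT" && $4 ~ /^TCP_DENIED/ { print $3, $7 }' "$1" | sort -u
}

# denied_destinations LOG
# "host count" of denied destinations: what the blocked clients were trying to reach.
# Handles both "scheme://host/path" URLs and the bare "host:port" of a CONNECT.
denied_destinations() {
    awk '
        $4 ~ /^TCP_DENIED/ {
            host = $7
            if (index(host, "://") > 0) { split(host, p, "/"); host = p[3] }
            sub(/:[0-9]+$/, "", host)
            n[host]++
        }
        END { for (h in n) printf "%s %d\n", h, n[h] }
    ' "$1" | sort -k2,2nr -k1,1
}

# --- demo on a constructed log ------------------------------------------------
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
1389730001.123    12 10.1.101.20 TCP_MISS/200 5321 GET http://updates.example.net/pkg.apk - HIER_DIRECT/203.0.113.10 application/octet-stream -
1389730002.456     1 10.1.101.55 TCP_DENIED/403 3580 GET http://evil.example.org/gate.php - HIER_NONE/- text/html -
1389730003.001     1 10.1.101.55 TCP_DENIED/403 3580 GET http://evil.example.org/gate.php?id=2 - HIER_NONE/- text/html -
1389730004.789     0 10.1.101.55 TCP_DENIED/403 3580 CONNECT 203.0.113.5:22 - HIER_NONE/- text/html -
1389730005.002     1 10.1.101.55 TCP_DENIED/403 3580 GET http://cdn.example.org/x.js - HIER_NONE/- text/html -
1389730006.333     2 10.1.101.20 TCP_DENIED/403 3580 GET http://cdn.example.org/y.js - HIER_NONE/- text/html -
1389730007.500   230 10.1.101.31 TCP_HIT/200 1200 GET http://intranet.example.net/ - HIER_NONE/- text/html -
EOF
echo "clients with 3+ denials:"; denied_by_client "$demo_log" 3
echo "refused CONNECT tunnels:";  denied_connects "$demo_log"
echo "denied destinations:";      denied_destinations "$demo_log"
rm -f "$demo_log"
```
<br />
Point the functions at /var/log/squid/access.log on the container (or at the rotated copies that logfile_rotate keeps). A client that keeps showing up in denied_by_client while its denied_destinations are hosts nobody typed into a browser is the case to pull the machine off the LAN for.<br />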
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container boots<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
<br />
= Install the DHCP and DNS server (netserv) Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config. This container serves all VLANs, so replace the eth0 stanza copied from default.conf with one macvlan interface per VLAN. The lxc.network.name values must match the iface names used in the container's /etc/network/interfaces, and each VLAN should be attached only once.<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
## macvlan in bridge mode lets containers on the same VLAN see each other<br />
<br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = man3<br />
<br />
#LAN Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.101<br />
lxc.network.name = lan101<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = wifi701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = voice1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|To leave the console without stopping the container press {{Key|Ctrl}}+{{Key|a}} followed by {{Key|q}}, the default lxc-console escape sequence}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below. The interface names are the lxc.network.name values from the container config; only the voice VLAN carries a gateway line, since the container can have a single default route.<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto man3<br />
iface man3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
<br />
#Voice VLAN<br />
auto voice1101<br />
iface voice1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%DMVPN_VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
<br />
#LAN VLAN<br />
auto lan101<br />
iface lan101 inet static<br />
address <%LAN_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
<br />
#WiFi VLAN<br />
auto wifi701<br />
iface wifi701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%VPNC_WIFI_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
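<br />
The netserv container is the first on this page with more than one interface, and a mismatch between the lxc.network.name values in the LXC config and the iface stanzas in /etc/network/interfaces is easy to make: the VLAN is attached but never configured, or ifup fails on a name that does not exist. Added example, not part of the wiki page: a POSIX sh check that compares the two files and also flags a VLAN attached twice, which is what a leftover eth0 stanza from default.conf causes. The config and interfaces contents in the demo are constructed and deliberately reproduce such a mismatch.<br />
<br />
```sh
#!/bin/sh
# Added example (not from the wiki page): cross-check a container's LXC network
# stanzas against its /etc/network/interfaces. Every lxc.network.name must have an
# iface stanza of the same name (or the VLAN is attached but never configured),
# every iface (lo aside) must be created by the LXC config (or ifup fails on an
# interface that does not exist), and no link should be attached twice, which is
# what happens when the eth0 stanza inherited from default.conf is left in place
# next to a hand-written one. The file contents in the demo are constructed.

# lxc_names CONFIG : the lxc.network.name values, sorted, one per line
lxc_names() {
    awk -F= '{ gsub(/[[:space:]]/, "", $1) }
             $1 == "lxc.network.name" { gsub(/[[:space:]]/, "", $2); print $2 }' "$1" | sort -u
}

# lxc_duplicate_links CONFIG : links attached more than once, with the names using them
# (relies on lxc.network.link preceding lxc.network.name inside each stanza, as on the page)
lxc_duplicate_links() {
    awk -F= '{ gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
             $1 == "lxc.network.link" { link = $2 }
             $1 == "lxc.network.name" { seen[link] = seen[link] " " $2; count[link]++ }
             END { for (l in count) if (count[l] > 1)
                       printf "%s attached %d times:%s\n", l, count[l], seen[l] }' "$1"
}

# check_lxc_ifaces CONFIG INTERFACES : print each mismatch, return 1 if there is any
check_lxc_ifaces() {
    _want=$(lxc_names "$1" | tr '\n' ' ')
    _have=$(awk '$1 == "iface" { print $2 }' "$2" | sort -u | tr '\n' ' ')
    _rc=0
    for n in $_want; do
        case " $_have " in
            *" $n "*) ;;
            *) echo "$n: created by the LXC config but not configured in interfaces"; _rc=1 ;;
        esac
    done
    for n in $_have; do
        [ "$n" = lo ] && continue
        case " $_want " in
            *" $n "*) ;;
            *) echo "$n: configured in interfaces but no lxc.network.name creates it"; _rc=1 ;;
        esac
    done
    _dups=$(lxc_duplicate_links "$1")
    [ -z "$_dups" ] || { echo "$_dups"; _rc=1; }
    return $_rc
}

# --- demo: a config/interfaces pair with all three kinds of mismatch ----------
d=$(mktemp -d)
cat > "$d/config" <<'EOF'
lxc.network.type = macvlan
lxc.network.link = bond0.3
lxc.network.name = eth0
lxc.network.type = macvlan
lxc.network.link = bond0.3
lxc.network.name = man3
lxc.network.type = macvlan
lxc.network.link = bond0.101
lxc.network.name = lan101
lxc.network.type = macvlan
lxc.network.link = bond0.1101
lxc.network.name = voice1101
EOF
cat > "$d/interfaces" <<'EOF'
auto lo
iface lo inet loopback
auto man3
iface man3 inet static
auto usr101
iface usr101 inet static
auto voice1001
iface voice1001 inet static
EOF
check_lxc_ifaces "$d/config" "$d/interfaces" || echo "fix the names before starting the container"
rm -rf "$d"
```
<br />
On the host, run check_lxc_ifaces /var/lib/lxc/netserv/config against the container's interfaces file (by default under /var/lib/lxc/netserv/rootfs/etc/network/interfaces) before starting the container; a clean run prints nothing and returns 0.<br />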
<br />
{{Todo|Need to setup DHCP server and DNS server}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9751
Small Office Services
2014-01-14T20:19:59Z
<p>Cewebb: /* Setup Firewall */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Type'' '''none''' ''(the default shown in brackets is dhcp, so just pressing Enter would not do)''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_IP%>''' ''(the DMVPN router's management address, the same value used as gateway in /etc/network/interfaces below)''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
{{Note|Writing to /proc takes effect immediately but is not saved by lbu and is lost on reboot. To keep forwarding enabled, set net.ipv4.ip_forward {{=}} 1 in /etc/sysctl.conf (or in a file under /etc/sysctl.d/) and make sure the sysctl service is enabled with rc-update}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure iptables to restore the rules saved by awall activate when the host boots<br />
{{Cmd|rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN router's awall policy so that the proxy, and only the proxy, may reach the Internet<br />
{{Note| This goes into the awall configuration of the DMVPN router, not into the container. Zones B (LAN) and E (Internet) are the ones defined in the DMVPN document. The rule needs a "filter" section and a "variable" definition to be a valid policy file; enable it on the router with awall enable internet-host followed by awall activate}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"description": "Web proxy may reach the Internet",<br />
<br />
"variable": { "WEB_PROXY": "<%WEB_PROXY_IP_ADDRESS%>" },<br />
<br />
"filter": [<br />
{ "in": "B", "src": "$WEB_PROXY", "out": "E", "action": "accept" }<br />
]<br />
}<br />
}}<br />
<br />
Configure remote administration. Put your SSH public key into /root/.ssh/authorized_keys before disabling password authentication, otherwise the only way back in is lxc-console from the host. The substitutions below match the keyword whether or not it is still commented out in the stock sshd_config<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS.*/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
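The sshd_config edits above only have to hit the commented-out stock lines of a fresh install. A substitution that anchors on one arbitrary character before the keyword, such as s/.PasswordAuthentication yes/PasswordAuthentication no/, misses a line that is already active at column 0, and password logins then silently stay enabled. The POSIX shell script below is an added example, not part of this wiki page or of OpenSSH: it sets a keyword so that exactly one active definition remains whatever the starting state, reads back the effective value the way sshd does (first active occurrence wins), and shows the miss of the one-character-prefix pattern side by side. The sample configs are constructed for the demo; sshd_set, sshd_get and naive_sed_get are the example's own names.

```shell
#!/bin/sh
# Added example, not from the wiki page: idempotent sshd_config edits.
# Sample files are constructed below; on the container the real file is
# /etc/ssh/sshd_config. Function names are this example's own.

# sshd_set FILE KEYWORD VALUE
# Removes every active or commented-out line for KEYWORD (sshd keywords are
# case-insensitive) and appends "KEYWORD VALUE", so exactly one definition
# remains regardless of the file's starting state.
sshd_set() {
    ss_tmp="$1.tmp.$$"
    awk -v k="$2" '
        {
            l = $0
            sub(/^[ \t]*#?[ \t]*/, "", l)           # strip indent and comment marker
            split(l, t, /[ \t=]+/)                  # t[1] is the keyword, if any
            if (tolower(t[1]) == tolower(k)) next   # drop the old definition
            print
        }' "$1" > "$ss_tmp" &&
    printf '%s %s\n' "$2" "$3" >> "$ss_tmp" &&
    mv "$ss_tmp" "$1"
}

# sshd_get FILE KEYWORD
# Prints the effective value: sshd honours the first active occurrence.
sshd_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# naive_sed_get FILE KEYWORD
# Effective value after the one-character-prefix substitution
# s/.KEYWORD yes/KEYWORD no/ (applied to a copy), to show where it misses.
naive_sed_get() {
    nsg_tmp=$(mktemp)
    sed "s/.$2 yes/$2 no/" "$1" > "$nsg_tmp"
    sshd_get "$nsg_tmp" "$2"
    rm -f "$nsg_tmp"
}

# ---- constructed sample configs ----
DEMO_STOCK=$(mktemp)    # keywords still commented out, as in a fresh install
DEMO_ACTIVE=$(mktemp)   # keywords already active at column 0
cat > "$DEMO_STOCK" <<'EOF'
# Authentication:
#PasswordAuthentication yes
#UseDNS yes
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
cat > "$DEMO_ACTIVE" <<'EOF'
PasswordAuthentication yes
UseDNS yes
Subsystem sftp /usr/lib/ssh/sftp-server
EOF

# The naive pattern works on the stock file but misses the active line.
NAIVE_ON_STOCK=$(naive_sed_get "$DEMO_STOCK" PasswordAuthentication)    # no
NAIVE_ON_ACTIVE=$(naive_sed_get "$DEMO_ACTIVE" PasswordAuthentication)  # yes

# sshd_set gives the same result from either starting state, and also adds
# a keyword that was not present at all.
for f in "$DEMO_STOCK" "$DEMO_ACTIVE"; do
    sshd_set "$f" PasswordAuthentication no
    sshd_set "$f" UseDNS no
    sshd_set "$f" MaxAuthTries 3
done

echo "naive sed, stock file:  $NAIVE_ON_STOCK"
echo "naive sed, active file: $NAIVE_ON_ACTIVE"
echo "sshd_set, active file:  $(sshd_get "$DEMO_ACTIVE" PasswordAuthentication)"
```

After running sshd_set on the real file, restart sshd and confirm from another host that a password login is refused before you close the lxc-console session.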
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot. The container cannot load kernel modules itself (sys_module is dropped in default.conf), so the netfilter modules the policy needs must already be loaded on the host; they are once the host's own awall policy has been activated<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replacing <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, <%DOMAIN%> and the subnet placeholders in the zone ACLs<br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Catch-all source ACL; no authentication helper is configured in this setup,<br />
# so access is decided purely by the source and destination ACLs below<br />
acl userlist src all<br />
<br />
# Definition of zones (replace the subnet placeholders with your branch's networks)<br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
# mod_alias is required by the /cgi-bin/ alias in mod_cgi.conf<br />
server.modules = (<br />
"mod_access",<br />
"mod_alias",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start on when container is booted<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
= Install the DHCP and DNS server (netserv) Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks for the netserv container. Replace the single eth0 stanza that lxc-create copied from default.conf with one macvlan interface per VLAN this container serves (it has to sit on every VLAN it will answer DHCP and DNS on), and keep the lxc.cap.drop lines as they are<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
## Allow containers in the same VLAN to see each other<br />
<br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = man3<br />
<br />
#LAN Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.101<br />
lxc.network.name = lan101<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = wifi701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = voice1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below. The interface names must match the lxc.network.name values in the container's config (man3, lan101, wifi701, voice1101): ifup fails for a stanza whose name does not exist inside the container, and that VLAN gets no address. Replace the <%...%> placeholders with your own addresses<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN (lxc.network.name man3)<br />
auto man3<br />
iface man3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
<br />
#Voice VLAN (lxc.network.name voice1101)<br />
auto voice1101<br />
iface voice1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%DMVPN_VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
<br />
#LAN VLAN (lxc.network.name lan101)<br />
auto lan101<br />
iface lan101 inet static<br />
address <%LAN_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
<br />
#WiFi VLAN (lxc.network.name wifi701)<br />
auto wifi701<br />
iface wifi701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%DMVPN_WIFI_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
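Two things on this page are easy to get out of step: the interface names in the container's /etc/network/interfaces have to agree with the lxc.network.name values in /var/lib/lxc/netserv/config, and the lxc.cap.drop list from the Install LXC section has to survive into each container's config. The POSIX shell script below is an added example, not part of this wiki page or of Alpine's LXC tooling: it extracts both lists from an LXC config and checks them against an interfaces(5) file and against a required set of dropped capabilities. The sample files it writes under mktemp are constructed to mirror the netserv layout above, together with a deliberately mismatched interfaces file (voice1001, usr101, res601); the function names and the required-capability list are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the wiki page: audit an LXC container config against
# the container's /etc/network/interfaces and against a capability drop list.
# Sample files are constructed below; on a real host point the functions at
# /var/lib/lxc/<name>/config and at the interfaces file in the container rootfs.

# lxc_net_names LXC_CONFIG: print the lxc.network.name values, one per line.
lxc_net_names() {
    sed -n 's/^[[:space:]]*lxc\.network\.name[[:space:]]*=[[:space:]]*//p' "$1"
}

# iface_names INTERFACES_FILE: print the names that have an "iface" stanza, excluding lo.
iface_names() {
    awk '$1 == "iface" && $2 != "lo" { print $2 }' "$1"
}

# check_iface_names LXC_CONFIG INTERFACES_FILE
# Reports every name present on only one side; returns 1 if anything mismatches.
# A stanza whose name is not an LXC interface cannot come up, so the container
# ends up without an address on that VLAN.
check_iface_names() {
    cin_rc=0
    for n in $(lxc_net_names "$1"); do
        iface_names "$2" | grep -qx "$n" ||
            { echo "LXC interface '$n' has no iface stanza"; cin_rc=1; }
    done
    for n in $(iface_names "$2"); do
        lxc_net_names "$1" | grep -qx "$n" ||
            { echo "iface '$n' is not defined by the LXC config"; cin_rc=1; }
    done
    return $cin_rc
}

# check_cap_drop LXC_CONFIG CAP...
# Returns 1 unless every listed capability appears on some lxc.cap.drop line.
check_cap_drop() {
    ccd_cfg=$1; shift; ccd_rc=0
    ccd_dropped=$(sed -n 's/^[[:space:]]*lxc\.cap\.drop[[:space:]]*=[[:space:]]*//p' "$ccd_cfg" | tr ' ' '\n')
    for c in "$@"; do
        echo "$ccd_dropped" | grep -qx "$c" ||
            { echo "capability '$c' is not dropped"; ccd_rc=1; }
    done
    return $ccd_rc
}

# ---- constructed sample data, mirroring the netserv layout on the page ----
DEMO_DIR=$(mktemp -d)
DEMO_CFG="$DEMO_DIR/config"
DEMO_IF_BAD="$DEMO_DIR/interfaces.bad"
DEMO_IF_GOOD="$DEMO_DIR/interfaces.good"

cat > "$DEMO_CFG" <<'EOF'
lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.link = bond0.3
lxc.network.name = man3
lxc.network.type = macvlan
lxc.network.link = bond0.101
lxc.network.name = lan101
lxc.network.type = macvlan
lxc.network.link = bond0.701
lxc.network.name = wifi701
lxc.network.type = macvlan
lxc.network.link = bond0.1101
lxc.network.name = voice1101
lxc.cap.drop = sys_admin audit_control audit_write fsetid ipc_lock
lxc.cap.drop = mknod setfcap setpcap sys_module sys_nice sys_pacct
EOF

# Deliberately mismatched names: only man3 agrees with the config.
cat > "$DEMO_IF_BAD" <<'EOF'
auto lo
iface lo inet loopback
auto man3
iface man3 inet static
auto voice1001
iface voice1001 inet static
auto usr101
iface usr101 inet static
auto res601
iface res601 inet static
EOF

sed 's/voice1001/voice1101/; s/usr101/lan101/; s/res601/wifi701/' "$DEMO_IF_BAD" > "$DEMO_IF_GOOD"

# Stand-alone run: the first check fails, the other two pass.
check_iface_names "$DEMO_CFG" "$DEMO_IF_BAD" || echo "mismatch detected (expected)"
check_iface_names "$DEMO_CFG" "$DEMO_IF_GOOD" && echo "interface names consistent"
check_cap_drop "$DEMO_CFG" sys_admin sys_module mknod && echo "required capabilities dropped"
```

For a real container run, on the host, check_iface_names /var/lib/lxc/netserv/config /var/lib/lxc/netserv/rootfs/etc/network/interfaces and check_cap_drop with the capabilities you require dropped; a non-zero exit from either is the signal to fix the config before starting the container.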
<br />
{{Todo|Need to setup DHCP server and DNS server}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9750
Small Office Services
2014-01-14T20:03:46Z
<p>Cewebb: /* Enter the network_services container */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Type'' '''none''' ''(the default shown in brackets is dhcp, so just pressing Enter would not do)''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_IP%>''' ''(the DMVPN router's management address, the same value used as gateway in /etc/network/interfaces below)''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
{{Note|Writing to /proc takes effect immediately but is not saved by lbu and is lost on reboot. To keep forwarding enabled, set net.ipv4.ip_forward {{=}} 1 in /etc/sysctl.conf (or in a file under /etc/sysctl.d/) and make sure the sysctl service is enabled with rc-update}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure iptables to restore the rules saved by awall activate when the host boots<br />
{{Cmd|rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN router's awall policy so that the proxy, and only the proxy, may reach the Internet<br />
{{Note| This goes into the awall configuration of the DMVPN router, not into the container. Zones B (LAN) and E (Internet) are the ones defined in the DMVPN document. The rule needs a "filter" section and a "variable" definition to be a valid policy file; enable it on the router with awall enable internet-host followed by awall activate}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"description": "Web proxy may reach the Internet",<br />
<br />
"variable": { "WEB_PROXY": "<%WEB_PROXY_IP_ADDRESS%>" },<br />
<br />
"filter": [<br />
{ "in": "B", "src": "$WEB_PROXY", "out": "E", "action": "accept" }<br />
]<br />
}<br />
}}<br />
<br />
Configure remote administration. Put your SSH public key into /root/.ssh/authorized_keys before disabling password authentication, otherwise the only way back in is lxc-console from the host. The substitutions below match the keyword whether or not it is still commented out in the stock sshd_config<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS.*/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "BSN Appliance Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "BSN Appliance Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot. The container cannot load kernel modules itself (sys_module is dropped in default.conf), so the netfilter modules the policy needs must already be loaded on the host; they are once the host's own awall policy has been activated<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replacing <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, <%DOMAIN%> and the subnet placeholders in the zone ACLs<br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Catch-all source ACL; no authentication helper is configured in this setup,<br />
# so access is decided purely by the source and destination ACLs below<br />
acl userlist src all<br />
<br />
# Definition of zones (replace the subnet placeholders with your branch's LAN subnet)<br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make the 'squid' and 'lighttpd' users members of the squark group<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container is booted<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
= Install the DHCP and DNS server (netserv) Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks the netserv container must reach<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth0<br />
<br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = man3<br />
<br />
#LAN Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.101<br />
lxc.network.name = lan101<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = wifi701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = voice1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto man3<br />
iface man3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
<br />
#Voice VLAN (interface name as defined in the container config)<br />
auto voice1101<br />
iface voice1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%DMVPN_VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
<br />
#LAN VLAN<br />
auto lan101<br />
iface lan101 inet static<br />
address <%LAN_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
<br />
#WiFi VLAN<br />
auto wifi701<br />
iface wifi701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%VPNC_WIFI_NETMASK%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
{{Todo|Need to set up the DHCP server and DNS server}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9749
Small Office Services
2014-01-14T20:03:05Z
<p>Cewebb: /* Create and Configure the container */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
up ip link set $IFACE up<br />
up bond-mode balance-tlb<br />
up bond-miimon 100<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure iptables to restore the awall-generated rules automatically when the host boots<br />
{{Cmd|rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add rule to DMVPN awall policy to allow this proxy out to the internet<br />
{{Note| this is to be configured on the DMVPN awall config}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$WEB_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
},<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set a root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Set up ACF for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "BSN Appliance Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "BSN Appliance Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones (replace the subnet placeholders with your branch's LAN subnet)<br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make the 'squid' and 'lighttpd' users members of the squark group<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container is booted<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
= Install the DHCP and DNS server (netserv) Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks the netserv container must reach<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth0<br />
<br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = man3<br />
<br />
#LAN Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.101<br />
lxc.network.name = lan101<br />
<br />
#WiFi Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = wifi701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = voice1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto man3<br />
iface man3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
<br />
#Voice VLAN (interface name as defined in the container config)<br />
auto voice1101<br />
iface voice1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%DMVPN_VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
<br />
#User VLAN<br />
auto lan101<br />
iface lan101 inet static<br />
address <%LAN_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
<br />
#ResNet VLAN<br />
auto wifi701<br />
iface wifi701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%VPNC_WIFI_NETMASK%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
{{Todo|Need to set up the DHCP server and DNS server}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9748
Small Office Services
2014-01-14T19:59:12Z
<p>Cewebb: </p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_LAN_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
up ip link set $IFACE up<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
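Before restarting networking it is worth checking that every <code>auto</code> line in /etc/network/interfaces has a matching <code>iface</code> stanza: ifupdown does not complain loudly when the two disagree, it simply brings up an interface with no configuration and leaves the misnamed stanza unused. The script below is an added example, not part of the wiki page; the sample stanza it writes is a constructed copy of the host listing above, with the VLAN sub-interface name supplied as a parameter so the mismatch case can be shown.<br />

```sh
#!/bin/sh
# Added example (not from the wiki page): lint an ifupdown-style
# /etc/network/interfaces so that every "auto NAME" has a matching
# "iface NAME ..." stanza and each VLAN sub-interface has a configured parent.
# With "auto bond0.701" but "iface bond0.601", ifupdown tries to bring up
# bond0.701 without a stanza and never touches VLAN 601, so a container
# expecting VLAN 701 on the host gets nothing.

# check_ifaces FILE: print one line per finding; return 0 if clean, 1 otherwise
check_ifaces() {
    file=$1
    rc=0
    auto_names=$(awk '$1 == "auto" { for (i = 2; i <= NF; i++) print $i }' "$file" | sort -u)
    iface_names=$(awk '$1 == "iface" { print $2 }' "$file" | sort -u)
    for n in $auto_names; do
        echo "$iface_names" | grep -qxF "$n" || { echo "auto $n: no iface stanza"; rc=1; }
    done
    for n in $iface_names; do
        echo "$auto_names" | grep -qxF "$n" || { echo "iface $n: never brought up (no auto line)"; rc=1; }
        case $n in
        *.*)
            parent=${n%.*}
            echo "$iface_names" | grep -qxF "$parent" || { echo "iface $n: parent $parent is not configured"; rc=1; }
            ;;
        esac
    done
    return $rc
}

# write_sample FILE SUBIFACE: constructed copy of the page's host stanza; the
# name in the VLAN "iface" line is taken from SUBIFACE so both cases can be shown
write_sample() {
    cat >"$1" <<EOF
auto lo
iface lo inet loopback

auto bond0
iface bond0 inet manual
	bond-slaves eth0 eth1
	bond-mode balance-tlb
	bond-miimon 100

auto bond0.701
iface $2 inet manual
	up ip link set \$IFACE up
	down ip link set \$IFACE down
EOF
}

# Demonstration: the mismatch as it appeared on the page
bad=$(mktemp)
write_sample "$bad" bond0.601
check_ifaces "$bad" || echo "-> fix the interfaces file before restarting networking"
rm -f "$bad"
```

Run it as <code>check_ifaces /etc/network/interfaces</code> on the host; a non-zero exit means the file should be corrected before <code>/etc/init.d/networking restart</code>.<br />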
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
This takes effect immediately but is lost at reboot: on a diskless install add <code>net.ipv4.ip_forward = 1</code> to /etc/sysctl.conf, which lbu saves and the sysctl boot service applies at startup.<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for a wall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Have the rules saved by <code>awall activate</code> restored automatically at boot by the iptables service (awall itself has no service to add)<br />
{{Cmd|rc-update add iptables}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|To detach from the console and return to the host press {{Key| Ctrl}}+{{Key| a}} followed by {{Key| q}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
gateway <%DMVPN_LAN_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the DMVPN router's awall policy so that this proxy can reach the Internet directly (the zones B and E and the variable $WEB_PROXY are defined in that router's awall configuration, not in the container)<br />
{{Note| this is to be configured on the DMVPN awall config}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"filter": [<br />
{ "in": "B", "src": "$WEB_PROXY", "out": "E", "action": "accept" }<br />
]<br />
}<br />
}}<br />
<br />
Configure remote administration. Password logins are disabled here, so install your public key in /root/.ssh/authorized_keys before relying on SSH access to the container. The patterns below rewrite the directive whether or not it is still commented out in the stock sshd_config.<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/^#* *PasswordAuthentication .*/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#* *UseDNS .*/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
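Editing sshd_config with a one-off sed is fragile: a pattern anchored on the commented stock line does nothing when the directive is absent, already set, or spelled with different spacing, and the hardening then fails silently. The following setter is an added example, not part of the wiki page; it rewrites a directive idempotently (commented, uncommented, duplicated or missing) and reads back the effective value the way sshd resolves it, first match wins. The sample sshd_config it edits is constructed for the demonstration.<br />

```sh
#!/bin/sh
# Added example, not part of the wiki page: set an sshd_config directive
# idempotently, then verify the effective value.

# set_sshd_opt FILE KEY VALUE
# Rewrites the first KEY line (commented or not) to "KEY VALUE", drops any
# further duplicates, or appends the directive if it is missing entirely.
# Directives inside Match blocks are out of scope for this helper.
set_sshd_opt() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        BEGIN { seen = 0 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # strip a leading comment marker
            n = split(line, f, /[ \t=]+/)
            if (n >= 1 && tolower(f[1]) == tolower(key)) {
                if (!seen) { print key " " value; seen = 1 }
                next                                # swallow duplicates
            }
            print
        }
        END { if (!seen) print key " " value }
    ' "$file" >"$tmp" && cat "$tmp" >"$file"       # cat keeps the file mode
    rm -f "$tmp"
}

# get_sshd_opt FILE KEY: print the effective (uncommented) value; sshd uses
# the first occurrence, so this does too.
get_sshd_opt() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Demonstration on a constructed sshd_config
cfg=$(mktemp)
printf '%s\n' '# constructed sample of a stock sshd_config' \
    '#PasswordAuthentication yes' 'UseDNS yes' \
    'Subsystem sftp /usr/lib/ssh/sftp-server' >"$cfg"
set_sshd_opt "$cfg" PasswordAuthentication no
set_sshd_opt "$cfg" UseDNS no
echo "PasswordAuthentication is now: $(get_sshd_opt "$cfg" PasswordAuthentication)"
cat "$cfg"
rm -f "$cfg"
```

Apply it to the real file with <code>set_sshd_opt /etc/ssh/sshd_config PasswordAuthentication no</code> and check the result with <code>sshd -t</code> before restarting the daemon, so a typo cannot lock you out of the container.<br />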
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "BSN Appliance Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "BSN Appliance Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to startup automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replacing <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full URI, including the query terms. This also<br />
# logs any session tokens or credentials sent in query strings, so restrict<br />
# who can read /var/log/squid/access.log.<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Catch-all source ACL; user authentication is handled by the Squark rewriter below, not by Squid<br />
acl userlist src all<br />
<br />
# Definition of zones (replace the subnet and prefix-length placeholders with your branch's networks)<br />
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%><br />
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
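Squid evaluates <code>http_access</code> lines top to bottom and stops at the first match, so the port and CONNECT guards in the configuration above only protect anything if they sit above every allow rule for clients, and the list must end in <code>deny all</code> (when no rule matches, Squid applies the opposite of the last rule). The audit below is an added example, not part of the wiki page; the rule sets it writes are constructed, abbreviated copies of the page's ordering, one correct and one with the client allow hoisted above the guards and the final deny dropped.<br />

```sh
#!/bin/sh
# Added example, not part of the wiki page: audit the ordering of http_access
# rules in a squid.conf against three invariants: the list ends in "deny all",
# and "deny !Safe_ports", "deny CONNECT !SSL_ports" and "deny manager" all
# precede the first allow rule that is not restricted to localhost.

# http_access_rules FILE: the http_access lines in order, comments stripped
http_access_rules() {
    awk '/^[ \t]*http_access[ \t]/ { sub(/[ \t]*#.*$/, ""); sub(/[ \t]+$/, ""); print }' "$1"
}

# audit_squid_access FILE: print findings; return 0 if the invariants hold, else 1
audit_squid_access() {
    rules=$(http_access_rules "$1")
    rc=0
    last=$(printf '%s\n' "$rules" | tail -n 1)
    [ "$last" = "http_access deny all" ] || { echo "last http_access rule is not 'deny all' but: $last"; rc=1; }
    # first allow that is not a localhost-only admin rule (manager/purge)
    first_allow=$(printf '%s\n' "$rules" | grep -n '^http_access allow' | grep -v localhost | head -n 1 | cut -d: -f1)
    for guard in 'deny !Safe_ports' 'deny CONNECT !SSL_ports' 'deny manager'; do
        pos=$(printf '%s\n' "$rules" | grep -n "^http_access $guard" | head -n 1 | cut -d: -f1)
        if [ -z "$pos" ]; then
            echo "missing guard: http_access $guard"; rc=1
        elif [ -n "$first_allow" ] && [ "$pos" -gt "$first_allow" ]; then
            echo "guard 'http_access $guard' (rule $pos) is below the first client allow (rule $first_allow)"; rc=1
        fi
    done
    if grep -q '^[ \t]*strip_query_terms[ \t]*off' "$1"; then
        echo "note: strip_query_terms off records full query strings (session tokens included) in access.log"
    fi
    return $rc
}

# write_rules FILE ORDER: constructed sample; ORDER "page" follows the page's
# ordering, "broken" hoists the client allow above the guards and drops "deny all"
write_rules() {
    {
        echo 'acl SSL_ports port 443 563'
        echo 'acl Safe_ports port 21 80 443 1025-65535'
        echo 'acl CONNECT method CONNECT'
        echo 'acl Zone_B src 10.10.0.0/24'
        echo 'strip_query_terms off'
        echo 'http_access allow manager localhost'
        echo 'http_access deny manager'
        echo 'http_access allow purge localhost'
        echo 'http_access deny purge'
        if [ "$2" = broken ]; then
            echo 'http_access allow Zone_B'
            echo 'http_access deny !Safe_ports'
            echo 'http_access deny CONNECT !SSL_ports'
        else
            echo 'http_access deny !Safe_ports'
            echo 'http_access deny CONNECT !SSL_ports'
            echo 'http_access allow Zone_B'
            echo 'http_access deny all   # everything not explicitly allowed'
        fi
    } >"$1"
}

# Demonstration: audit both orderings
for order in page broken; do
    f=$(mktemp)
    write_rules "$f" "$order"
    echo "== $order ordering =="
    audit_squid_access "$f" && echo "ok"
    rm -f "$f"
done
```

Run <code>audit_squid_access /etc/squid/squid.conf</code> after every edit; because the check works on the rule order only, it is cheap enough to put in front of <code>squid -k reconfigure</code>.<br />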
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start on when container is booted<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
= Install the DHCP and DNS server (netserv) Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file, /var/lib/lxc/netserv/config, so that its network section lists one macvlan interface per VLAN the netserv container serves. The single eth0 stanza inherited from /etc/lxc/default.conf is replaced by the four below, and the names chosen here (man3, lan101, wifi701, voice1101) are the ones the container's own /etc/network/interfaces must use<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
## One macvlan interface per VLAN; bridge mode lets containers on the same VLAN see each other.<br />
## These stanzas replace the single eth0 stanza inherited from /etc/lxc/default.conf<br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = man3<br />
<br />
#Usernet Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.101<br />
lxc.network.name = lan101<br />
<br />
#ResNet Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = wifi701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = voice1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below; the interface names are the lxc.network.name values from the container's config file:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto man3<br />
iface man3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
<br />
#Voice VLAN<br />
auto voice1101<br />
iface voice1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%DMVPN_VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
<br />
#User VLAN<br />
auto lan101<br />
iface lan101 inet static<br />
address <%LAN_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
<br />
#ResNet VLAN<br />
auto wifi701<br />
iface wifi701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%DMVPN_WIFI_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
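The container config and the interfaces file inside the container have to agree on every interface name, and a multi-homed container should carry exactly one default gateway. The generator below is an added example, not part of the wiki page: it derives both files from a single VLAN table and checks those two properties. The addresses, netmasks and gateway in the table are constructed placeholders, to be replaced by the values of your own management, user, WiFi and voice networks.<br />

```sh
#!/bin/sh
# Added example, not part of the wiki page: generate the netserv container's
# lxc network stanzas and its in-container /etc/network/interfaces from one
# table, so the interface names cannot drift apart, then check the result.
# Addresses below are constructed placeholders (documentation prefixes).

# NAME HOST_LINK ADDRESS NETMASK [GATEWAY], one VLAN per line
VLANS='man3      bond0.3    192.0.2.10     255.255.255.0
lan101    bond0.101  198.51.100.10  255.255.255.0
wifi701   bond0.701  203.0.113.10   255.255.255.0
voice1101 bond0.1101 192.0.2.138    255.255.255.128 192.0.2.129'

# lxc_net_config: one macvlan (bridge mode) stanza per VLAN, as in the page's config
lxc_net_config() {
    printf '%s\n' "$VLANS" | while read -r name link addr mask gw; do
        [ -n "$name" ] || continue
        printf '# %s\nlxc.network.type = macvlan\nlxc.network.macvlan.mode = bridge\n' "$name"
        printf 'lxc.network.link = %s\nlxc.network.name = %s\n\n' "$link" "$name"
    done
}

# container_interfaces: the matching /etc/network/interfaces for inside the container
container_interfaces() {
    printf 'auto lo\niface lo inet loopback\n\n'
    printf '%s\n' "$VLANS" | while read -r name link addr mask gw; do
        [ -n "$name" ] || continue
        printf 'auto %s\niface %s inet static\n\taddress %s\n\tnetmask %s\n' "$name" "$name" "$addr" "$mask"
        if [ -n "$gw" ]; then printf '\tgateway %s\n' "$gw"; fi
        printf '\n'
    done
}

# names_consistent: 0 if both outputs name exactly the same interfaces, else 1
names_consistent() {
    a=$(lxc_net_config | awk '$1 == "lxc.network.name" { print $3 }' | sort)
    b=$(container_interfaces | awk '$1 == "iface" && $2 != "lo" { print $2 }' | sort)
    [ "$a" = "$b" ]
}

# gateway_count: ifupdown installs one default route per "gateway" line; keep this at 1
gateway_count() {
    container_interfaces | grep -c '^[[:space:]]*gateway '
}

# Demonstration
echo "# network section for /var/lib/lxc/netserv/config"
lxc_net_config
echo "# /etc/network/interfaces inside the container"
container_interfaces
names_consistent && echo "interface names agree; default gateways: $(gateway_count)"
```

Redirect the two outputs into /var/lib/lxc/netserv/config (network section) and /var/lib/lxc/netserv/rootfs/etc/network/interfaces. One macvlan caveat worth knowing when the gateway lives on the host: containers attached in bridge mode can reach each other and the rest of the VLAN, but not the host's own address on the parent bond0.x interface, so the host itself is not a usable gateway or DNS resolver for them.<br />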
<br />
{{Todo|Need to setup DHCP server and DNS server}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9747
Small Office Services
2014-01-14T19:16:30Z
<p>Cewebb: </p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container is booted<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
Download the latest version of the Squark filter database, which contains the most current list of websites that should be filtered.<br />
{{Cmd|mkdir -p /var/lib/squark/<br />
wget http://squark.core.wtbts.net/squark.db -O /var/lib/squark/squark.db}}<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}<br />
= Install the DHCP and DNS server (netserv) Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n netserv -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.netserv}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/netserv/config, to reflect the networks for the netserv container<br />
<br />
{{cat|/var/lib/lxc/netserv/config|<br />
<pre><br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = eth0<br />
<br />
#Management Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.3<br />
lxc.network.name = man3<br />
<br />
#Usernet Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.101<br />
lxc.network.name = lan101<br />
<br />
#ResNet Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.701<br />
lxc.network.name = wifi701<br />
<br />
#Voice Network Config<br />
lxc.network.type = macvlan<br />
lxc.network.macvlan.mode = bridge<br />
lxc.network.link = bond0.1101<br />
lxc.network.name = voice1101<br />
</pre><br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.netserv start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.netserv}}<br />
<br />
== Enter the netserv container ==<br />
{{Cmd|lxc-console -n netserv}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
#Management VLAN<br />
auto man3<br />
iface man3 inet static<br />
address <%MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
<br />
#Voice VLAN (interface name as set by lxc.network.name in the container config)<br />
auto voice1101<br />
iface voice1101 inet static<br />
address <%NETSERV_VOICE_IP_ADDRESS%><br />
netmask <%DMVPN_VOICE_NETMASK%><br />
gateway <%DMVPN_VOICE_IP_ADDRESS%><br />
<br />
#User VLAN<br />
auto lan101<br />
iface lan101 inet static<br />
address <%LAN_IP_ADDRESS%><br />
netmask <%DMVPN_LAN_NETMASK%><br />
<br />
#ResNet VLAN<br />
auto wifi701<br />
iface wifi701 inet static<br />
address <%NETSERV_WIFI_IP_ADDRESS%><br />
netmask <%VPNC_WIFI_NETMASK%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
{{Todo|Need to setup DHCP server and DNS server}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9746
Small Office Services
2014-01-14T18:02:23Z
<p>Cewebb: </p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Enter'' '''none''' ''(the default is dhcp)''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|'''http://<%DMVPN_USR_NET_IP%>:8080'''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
This takes effect immediately but is lost at reboot; to make it permanent also set <code>net.ipv4.ip_forward = 1</code> in /etc/sysctl.conf.<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure the firewall to start automatically when the host is booted<br />
{{Cmd| rc-update add awall}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
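A way to verify that the drop list above actually took effect inside a container, as an added example that is not part of the wiki page or of LXC: decode the CapBnd mask from /proc/self/status and list every capability from the drop list that is still present. The capability bit numbers are the kernel's own from &lt;linux/capability.h&gt;; the sample masks are constructed.<br />

```python
"""Compare a Linux CapBnd mask with the lxc.cap.drop list from the page.

Added example (not from the wiki page or LXC). Inside a container,
/proc/self/status has a "CapBnd:" line whose hex mask is the capability
bounding set; any capability named in lxc.cap.drop must be absent there.
"""
import re

# Capability bit numbers from <linux/capability.h> (index == bit number).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]

# The drop list from /etc/lxc/default.conf on this page.
LXC_CAP_DROP = """
sys_admin audit_control audit_write fsetid ipc_lock
ipc_owner lease linux_immutable mac_admin mac_override
mknod setfcap setpcap sys_module sys_nice sys_pacct
sys_ptrace sys_rawio sys_tty_config sys_time
""".split()


def decode_capmask(hex_mask):
    """Return the set of capability names whose bit is set in hex_mask."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def parse_capbnd(status_text):
    """Extract the hex CapBnd value from the text of /proc/<pid>/status."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapBnd line found")
    return m.group(1)


def leaked_capabilities(hex_mask, drop_list=LXC_CAP_DROP):
    """Capabilities from drop_list that are still in the bounding set."""
    present = decode_capmask(hex_mask)
    return sorted(c for c in drop_list if c in present)


def check_self():
    """Read this process's own bounding set (run inside the container)."""
    with open("/proc/self/status") as f:
        return leaked_capabilities(parse_capbnd(f.read()))


def mask_from_names(names):
    """Build a 64-bit hex mask from capability names (test helper)."""
    return format(sum(1 << CAP_NAMES.index(n) for n in names), "016x")


# Constructed samples: a full root bounding set on a 3.x kernel (bits 0..36),
# and the same set after the page's drop list has been applied.
FULL_MASK_3X = "0000001fffffffff"
EXPECTED_AFTER_DROP = mask_from_names(set(CAP_NAMES[:37]) - set(LXC_CAP_DROP))

if __name__ == "__main__":
    leaked = check_self()
    print("still present:", leaked if leaked else "none")
```

Run it inside a started container (python3 must be installed there), or paste a CapBnd value copied from the container's /proc/self/status into leaked_capabilities().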
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and Configure the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_USR_NET_NETMASK%><br />
gateway <%DMVPN_USR_NET_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add rule to DMVPN awall policy to allow this proxy out to the internet<br />
{{Note| this is to be configured on the DMVPN awall config}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$I2D_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
},<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Configure a passwd for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "BSN Appliance Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "BSN Appliance Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall, and allow iptables to start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If you don't have an HD installed comment the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones (replace the <%...%> placeholders with your branch subnet)<br />
acl Zone_B src <%USERNET_SUBNET%>/<%USERNET_SLASH_NOTATION%><br />
#acl Zone_D src <%DZONE_SUBNET%>/<%DZONE_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed above<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
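The http_access lines above are evaluated top-down: a line matches only when every ACL on it matches (a leading "!" negates one ACL), the first matching line decides, and the final "deny all" catches everything else. The following is an added example, not part of the wiki page or of Squid: a small model of that evaluation, with the page's ACLs and rules, used to check what the rule order really permits. The subnet, host and domain values are constructed stand-ins for the <%...%> placeholders and the /etc/squid/* list files.<br />

```python
"""Model of Squid's http_access evaluation for the rule set on this page.

Added example, not part of the wiki page or of Squid.  Squid walks the
http_access lines top-down; a line matches only when every ACL on it
matches (a leading "!" negates one ACL) and the first matching line wins.
The subnet, host and domain values are constructed stand-ins for the
<%...%> placeholders and the /etc/squid/* list files.
"""
import ipaddress

# Constructed config: the page's ACLs and http_access lines, with the
# file-based lists inlined so it runs offline.  `manager` and `all` are
# Squid built-ins and are handled in acl_matches().
SQUID_CONF = """
acl localhost src 127.0.0.1/32
acl SSL_ports port 443 563 8004 9000
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
acl Zone_B src 10.101.0.0/24
acl Zone_B_AllowedUserDomains dstdomain .example.net intranet.example.com
acl Zone_B_AllowedServicesHosts src 10.101.0.50
acl Zone_B_AllowedServicesDomains dstdomain updates.example.org
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow Zone_B Zone_B_AllowedUserDomains
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains
http_access deny all
"""


def parse_conf(text):
    """Collect `acl` definitions and `http_access` lines, keeping rule order."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            acls[name] = (kind, acls.get(name, (kind, []))[1] + values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(name, acls, req):
    """True when the ACL called `name` matches request `req` (a dict)."""
    if name == "all":
        return True
    if name == "manager":                 # cache manager requests
        return req.get("manager", False)
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":                    # single port or "lo-hi" range
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req["method"].upper() in {v.upper() for v in values}
    if kind == "dstdomain":               # ".example.net" also matches subdomains
        host = req["host"].lower()
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in (x.lower() for x in values))
    raise ValueError("unsupported acl type: " + kind)


def http_access(acls, rules, req):
    """Return 'allow' or 'deny' for req; the first matching line wins."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), acls, req) != t.startswith("!")
               for t in terms):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


ACLS, RULES = parse_conf(SQUID_CONF)


def decide(src, method, host, port, manager=False):
    """Build the request dict and evaluate it against the page's rules."""
    req = {"src": src, "method": method, "host": host, "port": port,
           "manager": manager}
    return http_access(ACLS, RULES, req)


if __name__ == "__main__":
    for case in [("10.101.0.7", "GET", "www.example.net", 80),
                 ("10.101.0.7", "CONNECT", "www.example.net", 8080),
                 ("10.101.0.7", "CONNECT", "www.example.net", 443),
                 ("10.101.0.7", "GET", "www.example.net", 22),
                 ("10.101.0.50", "GET", "updates.example.org", 80),
                 ("10.101.0.51", "GET", "updates.example.org", 80)]:
        print(case, "->", decide(*case))
```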
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}<br />
<br />
Link the Squark web pages to the Web server home directory<br />
{{Cmd|ln -s /usr/share/squark/www/ /var/www/localhost/squark}}<br />
<br />
Create a Squark group<br />
{{Cmd|addgroup squark}}<br />
<br />
Make 'squid' and 'lighttpd' users member of the group squark<br />
{{Cmd|addgroup squid squark<br />
addgroup lighttpd squark}}<br />
<br />
Start lighttpd, and configure the service to start when the container is booted<br />
{{Cmd|/etc/init.d/lighttpd start<br />
rc-update add lighttpd}}<br />
<br />
Download the latest version of the Squark filter database, which contains the most current list of websites that should be filtered.<br />
{{Cmd|mkdir -p /var/lib/squark/<br />
wget http://squark.core.wtbts.net/squark.db -O /var/lib/squark/squark.db}}<br />
<br />
Start Squid, and configure to start at boot<br />
{{Cmd|/etc/init.d/squid start<br />
rc-update add squid}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9745
Small Office Services
2014-01-14T15:54:34Z
<p>Cewebb: /* Configure Firewall */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_USR_NET_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
up ip link set $IFACE up<br />
up bond-mode balance-tlb<br />
up bond-miimon 100<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.601 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for a wall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure ip_tables to start automatically when host is booted up<br />
{{Cmd| rc-update add awall}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create and the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/iniit.d/lxc.webproxy}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_USR_NET_NETMASK%><br />
gateway <%DMVPN_USR_NET_IP_ADDRESS%><br />
}}<br />
<br />
Startup networking <br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add rule to DMVPN awall policy to allow this proxy out to the internet<br />
{{Note| this is to be configured on the DMVPN awall config}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$I2D_PROXY",<br />
"out": "E",<br />
"action": "accept",<br />
},<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Setup Firewall ==<br />
Create the policies for the firewall<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "BSN Appliance Management",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
{{cat|/etc/awall/optional/webproxy.json|<br />
{<br />
"description": "BSN Appliance Web Proxy",<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "http", "http-alt" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the firewall and have iptables start automatically at boot<br />
{{Cmd|awall enable base<br />
awall enable webproxy<br />
awall activate<br />
rc-update add iptables<br />
}}<br />
<br />
== Install and Configure the Squid Web Proxy Service ==<br />
Install the required packages <br />
{{Cmd|apk add acf-squid squark acf-lighttpd}}<br />
<br />
Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%><br />
{{cat|/etc/squid/squid.conf|<br />
<pre><br />
#Squid config for webproxy<br />
<br />
# This port listens for client requests<br />
http_port 8080<br />
<br />
visible_hostname <%HOSTNAME%>.<%DOMAIN%><br />
cache_mem 8 MB<br />
# If no hard disk is installed, comment out the "cache_dir" line below<br />
cache_dir aufs /var/cache/squid 900 16 256<br />
<br />
# Even though we only use one proxy, this line is recommended<br />
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html<br />
hierarchy_stoplist cgi-bin ?<br />
<br />
# Keep 7 days of access logs<br />
logfile_rotate 7<br />
<br />
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG<br />
access_log /var/log/squid/access.log squark<br />
cache_store_log none<br />
pid_filename /var/run/squid.pid<br />
<br />
# Make sure client IP is passed to Squark<br />
log_uses_indirect_client on<br />
acl_uses_indirect_client on<br />
<br />
# Fix for problems with branch file transfer application<br />
# ignore_expect_100 on (deprecated)<br />
<br />
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections<br />
# for more info<br />
# Keep 7 days of cache log<br />
debug_options rotate=7<br />
<br />
# Web auditors want to see the full uri, even with the query terms<br />
strip_query_terms off<br />
<br />
refresh_pattern ^ftp: 1440 20% 10080<br />
refresh_pattern ^gopher: 1440 0% 1440<br />
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br />
refresh_pattern . 0 20% 4320<br />
<br />
coredump_dir /var/cache/squid<br />
<br />
# <br />
# Authentication<br />
#<br />
<br />
<br />
#<br />
# Access Control Lists (ACL's)<br />
#<br />
<br />
# Standard ACL settings<br />
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp<br />
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%><br />
acl SSL_ports port 443 563 8004 9000<br />
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535<br />
acl purge method PURGE<br />
acl CONNECT method CONNECT<br />
<br />
# Squark filter<br />
url_rewrite_program /usr/bin/squark-filter<br />
url_rewrite_children 1 concurrency=128<br />
<br />
# Require authentication<br />
acl userlist src all<br />
<br />
# Definition of zones (replace <%BRN%> with your branch number)<br />
acl Zone_B src <%USERNET_SUBNET%>/<%USERNET_SLASH_NOTATION%><br />
#acl Zone_D src <%DZONE_SUBNET%>/<%DZONE_SLASH_NOTATION%><br />
<br />
# Settings migrated from smn<br />
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"<br />
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"<br />
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"<br />
<br />
# Settings migrated from services<br />
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"<br />
acl AnonIPAddrs src "/etc/squid/anoniplist"<br />
acl AnonDomain url_regex "/etc/squid/anondomainlist"<br />
<br />
#<br />
# Access restrictions<br />
#<br />
<br />
cache deny QUERY<br />
<br />
# Only allow cachemgr access from localhost<br />
http_access allow manager localhost<br />
http_access deny manager<br />
<br />
# Only allow purge requests from localhost<br />
http_access allow purge localhost<br />
http_access deny purge<br />
<br />
# Deny requests to unknown ports<br />
http_access deny !Safe_ports<br />
<br />
# Deny CONNECT to other than SSL ports<br />
http_access deny CONNECT !SSL_ports<br />
<br />
# Allow hosts in Zone_B to access the domains listed in<br />
# /etc/squid/alloweduserdomains<br />
http_access allow Zone_B Zone_B_AllowedUserDomains<br />
<br />
# Allow hosts listed in /etc/squid/allowedserviceshosts to<br />
# access domains listed in /etc/squid/allowedservicesdomains<br />
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains<br />
<br />
<br />
# Deny all access not explicitly allowed above<br />
http_access deny all<br />
<br />
##Squark URL rewriter<br />
#Prevent squark from filtering itself<br />
url_rewrite_access deny manager<br />
url_rewrite_access deny to_localhost<br />
<br />
#We do not want authentication for these sites:<br />
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains<br />
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains<br />
<br />
http_reply_access allow all<br />
icp_access allow all<br />
</pre><br />
}}<br />
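To check that the http_access ordering above expresses the intended policy before deploying it, here is an added example (not part of the wiki page) that evaluates sample requests with Squid's first-match semantics; the Zone_B subnet, the domain list contents and the client addresses are constructed stand-ins for the page's placeholders and list files.<br />

```python
"""Added example, not from the wiki page: first-match evaluator for the
http_access lines in the squid.conf above. Squid reads them top to bottom; a line
matches when every ACL on it matches ("!" negates one ACL) and the first match
decides; with no match the default is the opposite of the last line's action.
The manager lines are omitted (the built-in manager ACL keys on URL scheme).
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample values standing in for the page's placeholders and list files.
ZONE_B_NET = ipaddress.ip_network("10.1.0.0/24")      # <%USERNET_SUBNET%>/<%USERNET_SLASH_NOTATION%>
ALLOWED_USER_DOMAINS = [".example.net"]               # /etc/squid/alloweduserdomains
ALLOWED_SERVICES_HOSTS = [ipaddress.ip_network("10.1.0.50/32")]  # /etc/squid/allowedserviceshosts
ALLOWED_SERVICES_DOMAINS = ["updates.example.org"]    # /etc/squid/allowedservicesdomains
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "gopher": 70}

@dataclass
class Request:
    src: str      # client IP address
    method: str   # GET, CONNECT, PURGE, ...
    url: str      # absolute URL, or "host:port" for CONNECT

def hostport(req):
    """Destination host and port as Squid sees them (CONNECT carries host:port)."""
    if req.method.upper() == "CONNECT":
        host, _, port = req.url.rpartition(":")
        return host.lower(), int(port)
    u = urlsplit(req.url)
    return (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme, 80)

def src_acl(nets):
    return lambda r: any(ipaddress.ip_address(r.src) in n for n in nets)

def port_acl(spec):
    """'80 443 1025-65535' -> matcher on the destination port."""
    ranges = []
    for tok in spec.split():
        lo, _, hi = tok.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return lambda r: any(lo <= hostport(r)[1] <= hi for lo, hi in ranges)

def dstdomain_acl(domains):
    """Squid semantics: 'host.tld' matches exactly; '.tld' also matches subdomains."""
    def match(r):
        host = hostport(r)[0]
        for d in (x.lower() for x in domains):
            if d.startswith("."):
                if host == d[1:] or host.endswith(d):
                    return True
            elif host == d:
                return True
        return False
    return match

def method_acl(name):
    return lambda r: r.method.upper() == name

# The ACLs defined in squid.conf, with the page's port lists verbatim.
ACLS = {
    "localhost": src_acl([ipaddress.ip_network("127.0.0.0/8")]),
    "SSL_ports": port_acl("443 563 8004 9000"),
    "Safe_ports": port_acl("21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535"),
    "purge": method_acl("PURGE"),
    "CONNECT": method_acl("CONNECT"),
    "Zone_B": src_acl([ZONE_B_NET]),
    "Zone_B_AllowedUserDomains": dstdomain_acl(ALLOWED_USER_DOMAINS),
    "Zone_B_AllowedServicesHosts": src_acl(ALLOWED_SERVICES_HOSTS),
    "Zone_B_AllowedServicesDomains": dstdomain_acl(ALLOWED_SERVICES_DOMAINS),
    "all": lambda r: True,
}

# The http_access lines of squid.conf, in order (manager lines omitted, see above).
HTTP_ACCESS = [
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["Zone_B", "Zone_B_AllowedUserDomains"]),
    ("allow", ["Zone_B_AllowedServicesHosts", "Zone_B_AllowedServicesDomains"]),
    ("deny", ["all"]),
]

def acl_matches(token, req):
    negate = token.startswith("!")
    return ACLS[token.lstrip("!")](req) != negate

def http_access(req, rules=HTTP_ACCESS):
    """Return (decision, index of the deciding line); index -1 means the implicit default."""
    for i, (action, tokens) in enumerate(rules):
        if all(acl_matches(t, req) for t in tokens):
            return action, i
    last = rules[-1][0]
    return ("deny" if last == "allow" else "allow"), -1

if __name__ == "__main__":
    req = Request("10.1.0.10", "CONNECT", "mail.example.net:8080")  # constructed request
    print(req, "->", http_access(req))
```

The returned line index tells you which http_access line decided, which is the quickest way to see why a request that should have been allowed fell through to the final deny.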
<br />
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%><br />
{{cat|/etc/lighttpd/lighttpd.conf|<br />
<pre><br />
##############################################################################<br />
# Default lighttpd.conf for Gentoo.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $<br />
###############################################################################<br />
var.basedir = "/var/www/localhost"<br />
var.logdir = "/var/log/lighttpd"<br />
var.statedir = "/var/lib/lighttpd"<br />
<br />
server.modules = (<br />
"mod_access",<br />
"mod_accesslog",<br />
# mod_alias is required by the cgi-bin alias in mod_cgi.conf<br />
"mod_alias",<br />
"mod_extforward"<br />
)<br />
include "mime-types.conf" <br />
<br />
include "mod_cgi.conf"<br />
<br />
server.username = "lighttpd"<br />
<br />
server.groupname = "lighttpd"<br />
<br />
server.document-root = var.basedir + "/squark"<br />
<br />
server.pid-file = "/var/run/lighttpd.pid"<br />
<br />
server.errorlog = var.logdir + "/error.log"<br />
<br />
server.indexfiles = ("index.php", "index.html",<br />
"index.htm", "default.htm")<br />
server.follow-symlink = "enable"<br />
<br />
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")<br />
<br />
accesslog.filename = var.logdir + "/access.log"<br />
<br />
url.access-deny = ("~", ".inc")<br />
<br />
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")<br />
<br />
</pre><br />
}}<br />
<br />
Configure mod_cgi.conf<br />
{{cat|/etc/lighttpd/mod_cgi.conf|<br />
<pre><br />
###############################################################################<br />
# mod_cgi.conf<br />
# include'd by lighttpd.conf.<br />
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $<br />
###############################################################################<br />
<br />
#<br />
# see cgi.txt for more information on using mod_cgi<br />
#<br />
<br />
server.modules += ("mod_cgi")<br />
<br />
# NOTE: this requires mod_alias<br />
alias.url = (<br />
"/cgi-bin/" => var.basedir + "/cgi-bin/"<br />
)<br />
<br />
#<br />
# Note that you'll also want to enable the<br />
# cgi-bin alias via mod_alias (above).<br />
#<br />
<br />
$HTTP["url"] =~ "^/cgi-bin/" {<br />
# disable directory listings<br />
dir-listing.activate = "disable"<br />
# only allow cgi's in this directory<br />
cgi.assign = (<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/haserl"<br />
)<br />
}<br />
</pre><br />
}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9744
Small Office Services
2014-01-14T13:26:51Z
<p>Cewebb: </p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_USR_NET_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
up ip link set $IFACE up<br />
up bond-mode balance-tlb<br />
up bond-miimon 100<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.601 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
This takes effect immediately but is not persistent; add <code>net.ipv4.ip_forward = 1</code> to /etc/sysctl.conf so it is applied again at boot.<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure the firewall to start automatically when the host boots<br />
{{Cmd| rc-update add awall}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}<br />
= Install the Web Proxy Container =<br />
== Create the container ==<br />
{{Cmd|lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine}}<br />
Create the startup Script<br />
{{Cmd|ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy}}<br />
<br />
Edit the container's config file, /var/lib/lxc/webproxy/config, so that the container's interface is attached to the web proxy network (bond0.101) instead of the management VLAN set in /etc/lxc/default.conf<br />
<br />
{{cat|/var/lib/lxc/webproxy/config|<br />
...<br />
lxc.network.link {{=}} bond0.101<br />
...<br />
}}<br />
<br />
Start the container<br />
{{Cmd|/etc/init.d/lxc.webproxy start}}<br />
<br />
Configure the container to automatically start<br />
{{Cmd|rc-update add lxc.webproxy}}<br />
<br />
== Enter the webproxy container ==<br />
{{Cmd|lxc-console -n webproxy}}<br />
Login as root<br />
{{Note|If the need arises to exit the container press {{Key| Ctrl}}+{{Key| a}} + {{Key| k}}}}<br />
Remove obsolete /etc/network/interfaces<br />
{{Cmd|rm /etc/network/interfaces}}<br />
Create and configure the new /etc/network/interfaces as shown below:<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
iface eth0 inet static<br />
address <%WEB_PROXY_IP_ADDRESS%><br />
netmask <%DMVPN_USR_NET_NETMASK%><br />
gateway <%DMVPN_USR_NET_IP_ADDRESS%><br />
}}<br />
<br />
Start networking<br />
{{Cmd| /etc/init.d/networking start}}<br />
<br />
Add a rule to the "filter" list of the DMVPN awall policy that allows this proxy out to the Internet<br />
{{Note| this is to be configured on the DMVPN awall config, not inside the container}}<br />
{{cat| /etc/awall/optional/internet-host.json|<br />
{<br />
"in": "B",<br />
"src": "$I2D_PROXY",<br />
"out": "E",<br />
"action": "accept"<br />
},<br />
}}<br />
<br />
Configure remote administration<br />
{{Cmd|apk update<br />
setup-sshd -c openssh<br />
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}<br />
<br />
Start ssh<br />
{{Cmd|/etc/init.d/sshd start}}<br />
<br />
Set the root password for the container<br />
{{Cmd|passwd}}<br />
<br />
Setup acf for web administration<br />
{{Cmd|setup-acf}}<br />
<br />
== Configure Firewall ==</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9741
Small Office Services
2014-01-13T16:30:20Z
<p>Cewebb: /* Setup Host Box */</p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_USR_NET_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
up ip link set $IFACE up<br />
up bond-mode balance-tlb<br />
up bond-miimon 100<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.601 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
This takes effect immediately but is not persistent; add <code>net.ipv4.ip_forward = 1</code> to /etc/sysctl.conf so it is applied again at boot.<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure the firewall to start automatically when the host boots<br />
{{Cmd| rc-update add awall}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9740
Small Office Services
2014-01-13T16:23:45Z
<p>Cewebb: </p>
<hr />
<div>{{Draft}}<br />
'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_USR_NET_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
up ip link set $IFACE up<br />
up bond-mode balance-tlb<br />
up bond-miimon 100<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.601 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
This takes effect immediately but is not persistent; add <code>net.ipv4.ip_forward = 1</code> to /etc/sysctl.conf so it is applied again at boot.<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure the firewall to start automatically when the host boots<br />
{{Cmd| rc-update add awall}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9739
Small Office Services
2014-01-13T16:17:11Z
<p>Cewebb: /* Setup Host Box */</p>
<hr />
<div>'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.}}<br />
<br />
= Hardware =<br />
= Setup LXC Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_USR_NET_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
up ip link set $IFACE up<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Setup SSH ==<br />
Disable password authentication and reverse DNS lookups in sshd, then restart the service:<br />
<br />
{{Cmd|sed -i "s/^#*PasswordAuthentication .*/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS .*/UseDNS no/" /etc/ssh/sshd_config<br />
/etc/init.d/sshd restart}}<br />
<br />
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
This takes effect immediately but does not survive a reboot; to keep forwarding enabled permanently, set net.ipv4.ip_forward=1 in /etc/sysctl.conf and save it with lbu commit.<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure awall to start automatically when the host boots up<br />
{{Cmd|rc-update add awall}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}</div>
Cewebb
https://wiki.alpinelinux.org/w/index.php?title=Small_Office_Services&diff=9738
Small Office Services
2014-01-13T16:15:34Z
<p>Cewebb: added SSH information</p>
<hr />
<div>'''Abstract''': This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).<br />
<br />
{{Tip|At the time of writing this document the recommended Alpine version for building the host box for the containers is at minimum 2.7.3, 64-bit.}}<br />
<br />
= Hardware =<br />
= Setup Host Box =<br />
<br />
== Boot Alpine USB == <br />
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.<br />
<br />
== Alpine Setup ==<br />
{{Cmd|setup-alpine}}<br />
<br />
{|class="wikitable"<br />
!'''You will be prompted something like this...'''<br />
!'''Suggestion on what you could enter...'''<br />
|-<br />
|<code>Select keyboard layout [none]:</code><br />
|''Type an appropriate layout for you''<br />
|-<br />
|<code>Select variant:</code><br />
|''Type an appropriate layout for you (if prompted)''<br />
|-<br />
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
|''Enter the hostname, e.g.'' '''lxc-host'''<br />
|-<br />
|<code>Available interfaces are: eth0<br>Enter '?' for help on bridges, bonding and vlans.<br>Which one do you want to initialize? (or '?' done')</code><br />
|''Enter'' '''bond0.3'''<br />
|-<br />
|<code>Available bond slaves are: eth0 eth1<br>Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code><br />
|'''eth0 eth1'''<br />
|-<br />
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|''Press Enter confirming 'none'''<br />
|-<br />
|<code>IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:</code><br />
|'''<%LXCHOST_MANAGEMENT_IP_ADDRESS%>'''<br />
|-<br />
|<code>Netmask? [255.255.255.0]:</code><br />
|'''<%DMVPN_MANAGEMENT_NETMASK%>'''<br />
|-<br />
|<code>Gateway? (or 'none') [none]:</code><br />
|'''<%DMVPN_MANAGEMENT_NET_IP%>'''<br />
|-<br />
|<code>Do you want to do any manual network configuration? [no]</code><br />
|'''no'''<br />
|-<br />
|<code>DNS domain name? (e.g. 'bar.com') []:</code><br />
|''Enter the domain name of your intranet, e.g.,'' '''office.example.net'''<br />
|-<br />
|<code>DNS nameservers(s)? []:</code><br />
|'''8.8.8.8 8.8.4.4''' (we will change them later)<br />
|-<br />
|<code>Changing password for root<br>New password:</code><br />
|''Enter a secure password for the console''<br />
|-<br />
|<code>Retype password:</code><br />
|''Retype the above password''<br />
|-<br />
|<code>Which timezone are you in? ('?' for list) [UTC]:</code><br />
|''Press Enter confirming 'UTC'''<br />
|-<br />
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
|''http://'''<%DMVPN_USR_NET_IP%>''':8080''<br />
|-<br />
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code><br />
|''Select a mirror close to you and press Enter''<br />
|-<br />
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code><br />
|''Press Enter confirming 'openssh'''<br />
|-<br />
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code><br />
|''Press Enter confirming 'chrony'''<br />
|-<br />
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code><br />
|'''sda sdb'''<br />
|-<br />
|<code>How would you like to use them? ('sys', 'data' or '?' for help):</code><br />
|'''data'''<br />
|-<br />
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code><br />
|''Press Enter confirming 'usb'''<br />
|-<br />
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code><br />
|''Press Enter confirming '/media/usb/cache'''<br />
|}<br />
<br />
Upgrade packages<br />
{{Cmd|apk update<br />
apk upgrade}}<br />
<br />
Save Changes <br />
{{Cmd|lbu commit}}<br />
<br />
Finish Setup with a reboot<br />
{{Cmd|reboot}}<br />
<br />
== Setup Networking ==<br />
With your favorite editor configure /etc/network/interfaces<br />
{{cat|/etc/network/interfaces|<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto bond0<br />
iface bond0 inet manual<br />
bond-slaves eth0 eth1<br />
up ip link set $IFACE up<br />
bond-mode balance-tlb<br />
bond-miimon 100<br />
down ip link set $IFACE down<br />
<br />
auto bond0.3<br />
iface bond0.3 inet static<br />
address <%LXCHOST_MANAGEMENT_IP_ADDRESS%><br />
netmask <%DMVPN_MANAGEMENT_NETMASK%><br />
gateway <%DMVPN_MANAGEMENT_IP%><br />
<br />
auto bond0.101<br />
iface bond0.101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.1101<br />
iface bond0.1101 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
auto bond0.701<br />
iface bond0.701 inet manual<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
}}<br />
<br />
Apply changes by restarting networking<br />
{{Cmd|/etc/init.d/networking restart}}<br />
<br />
== Setup SSH ==<br />
Disable password authentication and reverse DNS lookups in sshd, then restart the service:<br />
<br />
{{Cmd|sed -i "s/^#*PasswordAuthentication .*/PasswordAuthentication no/" /etc/ssh/sshd_config<br />
sed -i "s/^#*UseDNS .*/UseDNS no/" /etc/ssh/sshd_config<br />
/etc/init.d/sshd restart}}<br />
<br />
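A sed substitution keyed on the commented default only rewrites a line that still carries the leading comment character; an already active <code>PasswordAuthentication yes</code> (for example in a config restored from an older USB key) slips through, and sshd honours the first active occurrence of a keyword. The POSIX shell helper below is an added example for this wiki page, not part of the original article: it rewrites commented and active lines alike, appends the directive when the file does not mention it, and reads back the value sshd will actually use. The sshd_config fragment inside <code>demo_harden</code> is a constructed sample, not an Alpine default file.<br />

```shell
# set_sshd_option FILE KEY VALUE
# Make "KEY VALUE" the effective setting in an sshd_config: rewrite every
# active or commented-out ("#KEY ...") line for KEY, or append the directive
# when the file does not mention KEY at all. Matching is case-sensitive, so
# use the canonical spelling (PasswordAuthentication, UseDNS, ...). Lines
# inside a "Match" block are rewritten too, so review those by hand.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$/$key $value/" "$file" > "$tmp"
    else
        { cat "$file"; printf '%s %s\n' "$key" "$value"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# sshd_option FILE KEY
# Print the value sshd will use: the first non-comment occurrence wins and
# later duplicates are ignored, which is why set_sshd_option must catch every
# active line rather than only the first one.
sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# demo_harden
# Constructed sample covering the three cases: a commented default, an
# already active "yes" that a comment-only substitution would miss, and a
# directive (UseDNS) that is absent and has to be appended. Prints the two
# effective values separated by a space.
demo_harden() {
    f=$(mktemp) || return 1
    printf '%s\n' \
        '# constructed sample sshd_config fragment (not an Alpine default file)' \
        '#PasswordAuthentication yes' \
        'PasswordAuthentication yes' \
        'Port 22' > "$f"
    set_sshd_option "$f" PasswordAuthentication no
    set_sshd_option "$f" UseDNS no   # absent in the sample: gets appended
    printf '%s %s\n' "$(sshd_option "$f" PasswordAuthentication)" "$(sshd_option "$f" UseDNS)"
    rm -f "$f"
}

# On the host the calls would be:
#   set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no
#   set_sshd_option /etc/ssh/sshd_config UseDNS no
#   sshd -t && /etc/init.d/sshd restart
demo_harden
```

Run <code>sshd -t</code> before restarting so a bad edit cannot lock you out of the management VLAN, and remember that the change is only kept across reboots once <code>lbu commit</code> has been run.<br />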
<br />
== Enable IP Forwarding ==<br />
{{Cmd|echo "1" > /proc/sys/net/ipv4/ip_forward}}<br />
This takes effect immediately but does not survive a reboot; to keep forwarding enabled permanently, set net.ipv4.ip_forward=1 in /etc/sysctl.conf and save it with lbu commit.<br />
<br />
== Setup Firewall ==<br />
{{Cmd|apk add acf-awall}}<br />
<br />
With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json<br />
{{cat|/etc/awall/optional/base.json|<br />
{<br />
"description": "Base Policy",<br />
<br />
"policy": [<br />
{ "in": "_fw", "action": "accept" }<br />
],<br />
<br />
"filter": [<br />
{<br />
"out": "_fw",<br />
"service": [ "ssh", "https", "ping" ],<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
}}<br />
Activate the Firewall<br />
{{Cmd|modprobe ip_tables<br />
awall enable base<br />
awall activate<br />
}}<br />
Configure awall to start automatically when the host boots up<br />
{{Cmd|rc-update add awall}}<br />
<br />
== Install LXC ==<br />
Install the LXC and Bridge packages<br />
{{Cmd|apk add lxc bridge}}<br />
With your favorite editor configure /etc/lxc/default.conf<br />
{{cat|/etc/lxc/default.conf|<br />
## Allow containers in the same VLAN to see each other<br />
lxc.network.type {{=}} macvlan<br />
lxc.network.macvlan.mode {{=}} bridge<br />
lxc.network.link {{=}} bond0.3<br />
lxc.network.name {{=}} eth0<br />
<br />
## Restrict capabilities of the containers<br />
lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock<br />
lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override<br />
lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct<br />
lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time<br />
}}<br />
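To confirm that the <code>lxc.cap.drop</code> lines actually took effect, read the bounding set of a process inside the container (the <code>CapBnd</code> line of <code>/proc/self/status</code>) and check that none of the dropped capabilities is still set. The shell helper below is an added example and not part of the original page; the capability bit numbers are those of the Linux kernel's capability.h, and the masks used in the checks are constructed values (the full root bounding set, and the same set with the page's drop list removed).<br />

```shell
# cap_bit NAME: print the kernel bit number of a capability (as in
# include/uapi/linux/capability.h), or 255 for an unknown name.
cap_bit() {
    case "$1" in
        chown) echo 0;; dac_override) echo 1;; dac_read_search) echo 2;;
        fowner) echo 3;; fsetid) echo 4;; kill) echo 5;; setgid) echo 6;;
        setuid) echo 7;; setpcap) echo 8;; linux_immutable) echo 9;;
        net_bind_service) echo 10;; net_broadcast) echo 11;; net_admin) echo 12;;
        net_raw) echo 13;; ipc_lock) echo 14;; ipc_owner) echo 15;;
        sys_module) echo 16;; sys_rawio) echo 17;; sys_chroot) echo 18;;
        sys_ptrace) echo 19;; sys_pacct) echo 20;; sys_admin) echo 21;;
        sys_boot) echo 22;; sys_nice) echo 23;; sys_resource) echo 24;;
        sys_time) echo 25;; sys_tty_config) echo 26;; mknod) echo 27;;
        lease) echo 28;; audit_write) echo 29;; audit_control) echo 30;;
        setfcap) echo 31;; mac_override) echo 32;; mac_admin) echo 33;;
        syslog) echo 34;; wake_alarm) echo 35;; block_suspend) echo 36;;
        audit_read) echo 37;;
        *) echo 255;;
    esac
}

# has_cap MASK NAME: succeed when capability NAME is set in MASK, a hex
# string exactly as printed after "CapBnd:" in /proc/<pid>/status.
# Unknown names are reported as not set.
has_cap() {
    bit=$(cap_bit "$2")
    [ "$bit" != 255 ] && [ $(( (0x$1 >> bit) & 1 )) -eq 1 ]
}

# caps_still_present MASK NAME...: print the names that should have been
# dropped but are still in MASK; exit status 0 only when none remain.
caps_still_present() {
    mask=$1; shift
    found=""
    for c in "$@"; do
        if has_cap "$mask" "$c"; then found="$found$c "; fi
    done
    printf '%s' "${found% }"
    [ -z "$found" ]
}

# The capabilities dropped by the /etc/lxc/default.conf on this page.
DROPPED_CAPS="sys_admin audit_control audit_write fsetid ipc_lock \
ipc_owner lease linux_immutable mac_admin mac_override \
mknod setfcap setpcap sys_module sys_nice sys_pacct \
sys_ptrace sys_rawio sys_tty_config sys_time"

# check_bounding_set MASK: exit status 0 when every entry of DROPPED_CAPS is
# absent from MASK; otherwise prints the leftovers and fails.
check_bounding_set() {
    caps_still_present "$1" $DROPPED_CAPS
}

# Inside a container the live check is:
#   check_bounding_set "$(awk '/^CapBnd:/ { print $2 }' /proc/self/status)"
# Constructed masks for a dry run: an unrestricted root bounding set, and the
# same set with the page's drop list cleared.
check_bounding_set 0000003fffffffff && echo "FULL: all dropped (unexpected)" || echo " <- still present in full mask"
check_bounding_set 0000003c01443cef && echo "RESTRICTED: all dropped"
```

Run the live check as root inside a started container (for example with <code>lxc-attach</code>); a non-empty list means the container was started with a config that does not include the drop lines, or that a per-container config overrides the default.<br />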
Finish Installation<br />
{{Cmd|lbu ci<br />
reboot}}</div>
Cewebb