Small Office Services: Difference between revisions

Changes between the two revisions (edit summary of the later one: "add in features"); only the regions that differ are listed.

Around line 130 (the bond0 VLAN stanzas): a bond0.620 sub-interface is added between bond0 and bond0.1101:
    down ip link set $IFACE down
    auto bond0.620
    iface bond0.620 inet manual
        up ip link set $IFACE up
        down ip link set $IFACE down
    auto bond0.1101
    iface bond0.1101 inet manual

Around line 966 (970 in the new revision): after "rc-update add postgresql" a new section "Install ACF-Provisioning" is inserted ahead of "Install Kamailio"; its body is still marked TO POPULATE.

Around line 984 (993 in the new revision): the media container section is retitled "Install the SIP Media container" and the container is named "media" throughout (lxc-create -n media, /etc/init.d/lxc.media, /var/lib/lxc/media/config, lxc-console -n media); its interface address placeholder becomes <%SIP_MEDIA_IP_ADDRESS%>.

Around line 1,079 (1,088 in the new revision): the contents of /etc/freeswitch/freeswitch.xml are replaced by TO POPULATE (the old revision was at line 1,240 at the next context point, the new one at 1,094).
Revision as of 20:08, 20 July 2014
Abstract: This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC). It is designed to be a complement to the DMVPN spoke node.
The following services will be available in addition to the encrypted communications between offices provided by the DMVPN network:
- Internet browsing proxy server with domain filtering (wired clients on protected internal network)
- Separate proxy for wifi clients
- SIP phone system including web based provisioning and basic voicemail services
Hardware
For an office that will serve under 20 people, the following containers can easily run on low-power hardware such as a Via Nano 1.6 GHz Jetway board with 8 GB RAM and dual 500 GB SATA hard drives running in software RAID 1.
Setup LXC Host Box
Boot Alpine USB
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.
Alpine Setup
setup-alpine
You will be prompted something like this... | Suggestion on what you could enter...
---|---
Select keyboard layout [none]: | Type an appropriate layout for you
Select variant: | Type an appropriate layout for you (if prompted)
Enter system hostname (short form, e.g. 'foo') [localhost]: | Enter the hostname, e.g. lxc-host
Available interfaces are: eth0 | Enter bond0.3
Available bond slaves are: eth0 eth1 | eth0 eth1
IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]: | Type none (the default shown is dhcp; bond0 itself carries no address, only its VLAN sub-interfaces do)
IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]: | <%LXCHOST_MANAGEMENT_IP_ADDRESS%>
Netmask? [255.255.255.0]: | <%DMVPN_MANAGEMENT_NETMASK%>
Gateway? (or 'none') [none]: | <%DMVPN_MANAGEMENT_NET_IP%>
Do you want to do any manual network configuration? [no] | no
DNS domain name? (e.g. 'bar.com') []: | Enter the domain name of your intranet, e.g. office.example.net
DNS nameserver(s)? []: | 8.8.8.8 8.8.4.4 (we will change them later)
Changing password for root | Enter a secure password for the console
Retype password: | Retype the above password
Which timezone are you in? ('?' for list) [UTC]: | Press Enter confirming 'UTC'
HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none] | http://<%DMVPN_LAN_IP%>:8080
Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]: | Select a mirror close to you and press Enter
Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]: | Press Enter confirming 'openssh'
Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]: | Press Enter confirming 'chrony'
Which disk(s) would you like to use? (or '?' for help or 'none') [none]: | sda sdb
How would you like to use them? ('sys', 'data' or '?' for help): | data
Enter where to store configs ('floppy', 'usb' or 'none') [usb]: | Press Enter confirming 'usb'
Enter apk cache directory (or '?' or 'none') [/media/usb/cache]: | Press Enter confirming '/media/usb/cache'
Upgrade packages
apk update
apk upgrade
Save Changes
lbu commit
Finish Setup with a reboot
reboot
Setup Networking
With your favorite editor configure /etc/network/interfaces
Contents of /etc/network/interfaces
Apply changes by restarting networking
/etc/init.d/networking restart
Enable IP Forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
This takes effect immediately but is lost at reboot. To make it persistent, add net.ipv4.ip_forward = 1 to /etc/sysctl.conf so the boot-time sysctl service re-applies it, and include that file in the next lbu commit.
Setup Firewall
apk add acf-awall
With your favorite editor, create the base policy for the firewall
Contents of /etc/awall/optional/base.json
Activate the firewall, and allow iptables to startup automatically at boot
modprobe ip_tables
awall enable base
awall activate -f
rc-update add iptables
Install LXC
Install the LXC and Bridge packages
apk add lxc bridge
With your favorite editor configure /etc/lxc/default.conf
Contents of /etc/lxc/default.conf
Finish Installation
lbu ci
reboot
Install the Web Proxy Container
Create and Configure the container
lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine
Create the startup Script
ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy
Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container
Contents of /var/lib/lxc/webproxy/config
Start the container
/etc/init.d/lxc.webproxy start
Configure the container to automatically start
rc-update add lxc.webproxy
Enter the webproxy container
lxc-console -n webproxy
Login as root
Remove obsolete /etc/network/interfaces
rm /etc/network/interfaces
Create and configure the new /etc/network/interfaces as shown below:
Contents of /etc/network/interfaces
Startup networking
/etc/init.d/networking start
Add rule to DMVPN awall policy to allow this proxy out to the internet
Contents of /etc/awall/optional/internet-host.json
Configure remote administration
Install your public key in /root/.ssh/authorized_keys before disabling password authentication, otherwise SSH access to the container is lost (lxc-console from the host still works).
apk update
setup-sshd -c openssh
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config
Start ssh
/etc/init.d/sshd start
Configure a passwd for the container
passwd
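The two sed commands in the remote-administration step only rewrite the commented defaults (#PasswordAuthentication yes, #UseDNS yes); an option that is already active at column 0 is left as it is, and nothing stops you from turning password logins off before any key is installed. The script below is an added example, not part of the wiki page or of Alpine's setup-sshd: it sets an sshd_config option idempotently whatever form the existing line takes, and refuses to disable password logins until an authorized key is present. The sample sshd_config and key line it writes are constructed for the demonstration; the sshd_config and authorized_keys paths are parameters, not the page's.

```shell
#!/bin/sh
# Added example (not from the wiki page or Alpine's setup-sshd): set sshd_config
# options idempotently and refuse to lock yourself out.
# The page's `sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/"`
# only rewrites the commented default "#PasswordAuthentication yes"; an option
# already active at column 0 is left unchanged. Here every existing form of the
# keyword (commented or not, any case) is dropped and the wanted value appended once.
set -e

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    # sshd keywords are case-insensitive, hence grep -i; the trailing
    # [[:space:]] keeps "PasswordAuthentication" from matching a longer keyword.
    grep -v -i "^[[:space:]]*#\{0,1\}[[:space:]]*$2[[:space:]]" "$1" > "$1.tmp" || true
    printf '%s %s\n' "$2" "$3" >> "$1.tmp"
    mv "$1.tmp" "$1"
}

# get_sshd_option FILE KEY: the value sshd would use (first active match, as sshd does)
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd SSHD_CONFIG AUTHORIZED_KEYS
# Applies the page's two settings, but only once a public key is installed:
# with PasswordAuthentication off and no key, the only way back into the
# container is lxc-console on the host.
harden_sshd() {
    if [ ! -s "$2" ]; then
        echo "refusing: no public key in $2; install one before disabling password logins" >&2
        return 1
    fi
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" UseDNS no
}

# Constructed sshd_config for the demonstration (not a file from the page):
# both the commented default and an already-active line are present.
write_demo_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
#PasswordAuthentication yes
PasswordAuthentication yes
#UseDNS yes
EOF
}
```

Run harden_sshd against /etc/ssh/sshd_config and /root/.ssh/authorized_keys inside each container in place of the two sed lines, then restart sshd; the same helper can set any other keyword, for example PermitRootLogin.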
Setup acf for web administration
setup-acf
Setup Firewall
apk add acf-awall
With your favorite editor, create the policies for the firewall
Contents of /etc/awall/optional/base.json
Contents of /etc/awall/optional/webproxy.json
Activate the firewall, and allow iptables to startup automatically at boot
awall enable base
awall enable webproxy
awall activate -f
rc-update add iptables
Install and Configure the Squid Web Proxy Service
Install the required packages
apk add acf-squid squark acf-lighttpd
Configure /etc/squid/squid.conf, replacing <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%>
Contents of /etc/squid/squid.conf
#Squid config for webproxy
# This port listens for client requests
http_port 8080
visible_hostname <%HOSTNAME%>.<%DOMAIN%>
cache_mem 8 MB
# If you don't have an HD installed comment the "cache_dir" line below
cache_dir aufs /var/cache/squid 900 16 256
# Even though we only use one proxy, this line is recommended
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html
hierarchy_stoplist cgi-bin ?
# Keep 7 days of access logs
logfile_rotate 7
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG
access_log /var/log/squid/access.log squark
cache_store_log none
pid_filename /var/run/squid.pid
# Make sure client IP is passed to Squark
log_uses_indirect_client on
acl_uses_indirect_client on
# Fix for problems with branch file transfer application
# ignore_expect_100 on (deprecated)
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections
# for more info
# Keep 7 days of cache log
debug_options rotate=7
# Web auditors want to see the full uri, even with the query terms
strip_query_terms off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
coredump_dir /var/cache/squid
#
# Authentication
#
#
# Access Control Lists (ACL's)
#
# Standard ACL settings
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%>
acl SSL_ports port 443 563 8004 9000
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
# Squark filter
url_rewrite_program /usr/bin/squark-filter
url_rewrite_children 1 concurrency=128
# No proxy authentication is configured; userlist simply matches every client
acl userlist src all
# Definition of zones
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%>
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%>
# Settings migrated from smn
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"
acl Zone_B_AllowedServicesHosts src "/etc/squid/allowedserviceshosts"
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"
# Settings migrated from services
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"
acl AnonIPAddrs src "/etc/squid/anoniplist"
acl AnonDomain url_regex "/etc/squid/anondomainlist"
#
# Access restrictions (evaluated top down, first match wins)
#
cache deny QUERY
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# Allow hosts in Zone_B and Zone_C to access hosts listed in
# /etc/squid/alloweduserdomains
http_access allow Zone_B Zone_B_AllowedUserDomains
# Allow hosts listed in /etc/squid/allowedserviceshosts to
# access domains listed in /etc/squid/allowedservicesdomains
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains
# Denying all access not explicitly allowed
http_access deny all
##Squark URL rewriter
#Prevent squark from filtering itself
url_rewrite_access deny manager
url_rewrite_access deny to_localhost
#We do not want authentication for these sites:
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains
http_reply_access allow all
icp_access allow all
Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%>
Contents of /etc/lighttpd/lighttpd.conf
##############################################################################
# Default lighttpd.conf for Gentoo.
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $
###############################################################################
var.basedir  = "/var/www/localhost"
var.logdir   = "/var/log/lighttpd"
var.statedir = "/var/lib/lighttpd"
server.modules = (
    "mod_access",
    "mod_accesslog",
    "mod_extforward"
)
include "mime-types.conf"
include "mod_cgi.conf"
server.username  = "lighttpd"
server.groupname = "lighttpd"
server.document-root = var.basedir + "/squark"
server.pid-file      = "/var/run/lighttpd.pid"
server.errorlog      = var.logdir + "/error.log"
server.indexfiles    = ("index.php", "index.html", "index.htm", "default.htm")
server.follow-symlink = "enable"
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")
accesslog.filename = var.logdir + "/access.log"
url.access-deny = ("~", ".inc")
# Trust X-Forwarded-For only when the request comes from the Squid proxy itself
extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")
Configure mod_cgi.conf
The alias.url directive below needs mod_alias loaded; if lighttpd rejects the configuration, add "mod_alias" to server.modules in lighttpd.conf.
Contents of /etc/lighttpd/mod_cgi.conf
###############################################################################
# mod_cgi.conf
# include'd by lighttpd.conf.
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $
###############################################################################
#
# see cgi.txt for more information on using mod_cgi
#
server.modules += ("mod_cgi")

# NOTE: this requires mod_alias
alias.url = (
    "/cgi-bin/" => var.basedir + "/cgi-bin/"
)
#
# Note that you'll also want to enable the
# cgi-bin alias via mod_alias (above).
#
$HTTP["url"] =~ "^/cgi-bin/" {
    # disable directory listings
    dir-listing.activate = "disable"
    # only allow cgi's in this directory
    cgi.assign = (
        ".pl"  => "/usr/bin/perl",
        ".cgi" => "/usr/bin/haserl"
    )
}
Link the Squark web pages to the Web server home directory
ln -s /usr/share/squark/www/ /var/www/localhost/squark
Create a Squark group
addgroup squark
Make 'squid' and 'lighttpd' users member of the group squark
addgroup squid squark
addgroup lighttpd squark
Start lighttpd, and configure the service to start on when container is booted
/etc/init.d/lighttpd start
rc-update add lighttpd
Start Squid, and configure to start at boot
/etc/init.d/squid start
rc-update add squid
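Squid evaluates http_access lines top down and stops at the first match, so the order in the squid.conf above is the policy: the port checks must come before the zone allows, "deny all" must be last, and every file-backed acl must exist or Squid refuses to start. The script below is an added example (not from the page, Squid or Squark) that lints those invariants with awk before a reconfigure. It runs here against two constructed configs, one copying the page's rule order and one with the mistakes swapped in; the acl name Zone_C and the 10.10.0.0/24 subnet are made up for the demonstration, and the optional BASEDIR argument is a convenience for linting a staging copy of /etc/squid.

```shell
#!/bin/sh
# Added example (not from the wiki page, Squid or Squark): lint the ordering
# of http_access rules in a squid.conf before `squid -k reconfigure`.
# Checks: (1) the last http_access line is "deny all"; (2) "deny !Safe_ports"
# and "deny CONNECT !SSL_ports" precede the first real allow; (3) every acl
# named in an http_access line is defined (Squid 3.2+ predefines all, manager,
# localhost and to_localhost); (4) file-backed acls exist under BASEDIR.
set -e

# squid_policy_lint CONF [BASEDIR]
# Prints one finding per line; exit status 0 when the policy is clean.
squid_policy_lint() {
    awk -v base="${2:-}" '
    BEGIN { builtin["all"] = builtin["manager"] = builtin["localhost"] = builtin["to_localhost"] = 1 }
    /^[[:space:]]*#/ || NF == 0 { next }
    $1 == "acl" {
        defined[$2] = 1
        for (i = 4; i <= NF; i++)       # a quoted absolute path => file-backed acl
            if ($i ~ /^"\//) { p = $i; gsub(/"/, "", p); files[p] = 1 }
        next
    }
    $1 == "http_access" {
        n++; rule[n] = $0
        for (i = 3; i <= NF; i++) { a = $i; sub(/^!/, "", a); used[a] = 1 }
        if ($2 == "allow" && $3 !~ /^(manager|purge)$/ && !first_allow) first_allow = n
        if ($2 == "deny" && $3 == "!Safe_ports") safe = n
        if ($2 == "deny" && $3 == "CONNECT" && $4 == "!SSL_ports") ssl = n
        if ($2 == "deny" && $3 == "all" && NF == 3) deny_all = n
        next
    }
    END {
        if (n == 0) { print "no http_access rules at all"; bad++ }
        else if (deny_all != n) { print "last http_access rule is not \"deny all\": " rule[n]; bad++ }
        if (first_allow && (!safe || safe > first_allow)) { print "deny !Safe_ports missing or after the first allow"; bad++ }
        if (first_allow && (!ssl || ssl > first_allow)) { print "deny CONNECT !SSL_ports missing or after the first allow"; bad++ }
        for (a in used) if (!(a in defined) && !(a in builtin)) { print "undefined acl: " a; bad++ }
        for (p in files) if (base != "" && system("test -r \"" base p "\"") != 0) { print "missing acl file: " base p; bad++ }
        if (bad) exit 1
    }' "$1"
}

# Constructed sample: the page's webproxy http_access order, abbreviated,
# with a made-up 10.10.0.0/24 LAN in place of the placeholders.
write_good_squid_conf() {
    cat > "$1" <<'EOF'
acl SSL_ports port 443 563
acl Safe_ports port 21 70 80 443 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
acl Zone_B src 10.10.0.0/24
acl Zone_B_AllowedUserDomains dstdomain "/etc/squid/alloweduserdomains"
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow Zone_B Zone_B_AllowedUserDomains
http_access deny all
EOF
}

# Constructed broken variant: the zone allow precedes the port checks, the
# default deny is missing and the last rule names an undefined acl (Zone_C).
write_bad_squid_conf() {
    cat > "$1" <<'EOF'
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl Zone_B src 10.10.0.0/24
http_access allow Zone_B
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow Zone_C
EOF
}
```

Run squid_policy_lint /etc/squid/squid.conf inside the container before every reconfigure; it complements rather than replaces squid -k parse, which checks syntax but not rule order.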
Install the DHCP and DNS server Container
Create and Configure the container
lxc-create -n dhcpdns -f /etc/lxc/default.conf -t alpine
Create the startup Script
ln -s /etc/init.d/lxc /etc/init.d/lxc.dhcpdns
Edit the container's config file found at /var/lib/lxc/dhcpdns/config, to reflect the networks for the DHCP and DNS container. Note that with macvlan in bridge mode the container can reach the other hosts on each VLAN but not the LXC host itself through the same parent interface; use lxc-console for host-side access.
Contents of /var/lib/lxc/dhcpdns/config
#Management Network Config
lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.link = bond0.3
lxc.network.name = eth_3
#WiFi Network Config
lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.link = bond0.701
lxc.network.name = eth_701
#Voice Network Config
lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.link = bond0.1101
lxc.network.name = eth_1101
Start the container
/etc/init.d/lxc.dhcpdns start
Configure the container to automatically start
rc-update add lxc.dhcpdns
Enter the dhcpdns container
lxc-console -n dhcpdns
Login as root
Remove obsolete /etc/network/interfaces
rm /etc/network/interfaces
Create and configure the new /etc/network/interfaces as shown below:
Contents of /etc/network/interfaces
Startup networking
/etc/init.d/networking start
Configure and enable proxy settings
setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080
. /etc/profile.d/proxy.sh
Configure remote administration
apk update
setup-sshd -c openssh
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config
Start ssh
/etc/init.d/sshd start
Configure a passwd for the container
passwd
Setup acf for web administration
setup-acf
Setup Firewall
apk add acf-awall
With your favorite editor, create the policies for the firewall
Contents of /etc/awall/optional/base.json
Contents of /etc/awall/optional/dhcp.json
Contents of /etc/awall/optional/dns.json
Activate the firewall, and allow iptables to startup automatically at boot
awall enable base
awall enable dhcp
awall enable dns
awall activate -f
rc-update add iptables
Install and Configure DHCP and DNS services
install the dhcpd package
apk add acf-dhcp
Create a new dhcpd.conf file
Contents of /etc/dhcp/dhcpd.conf
## Common settings
default-lease-time 302400;
max-lease-time 604800;
ddns-update-style none;
log-facility local7;
authoritative;
## Common options
option time-servers <%DMVPN_VOICE_IP_ADDRESS%>;
option boot-server code 66 = string;
## Voice
subnet <%VOICE_SUBNET%> netmask <%VOICE_NETMASK%> {
    range <%VOICE_DHCP_RANGE%>;
    option domain-name-servers <%DHCPDNS_VOICE_IP_ADDRESS%>;
    option routers <%DMVPN_VOICE_IP_ADDRESS%>;
    option boot-server "http://<%SIP_IP_ADDRESS%>";
    option domain-name "office.example.net";
}
## WiFi
subnet <%WIFI_SUBNET%> netmask <%WIFI_NETMASK%> {
    range <%WIFI_DHCP_RANGE%>;
    option routers <%WIFI_PROXY_IP_ADDRESS%>;
    option domain-name-servers <%DHCPDNS_WIFI_IP_ADDRESS%>;
    option domain-name "<%WIFI_DOMAIN%>";
}
Start DHCP service and add to runlevel default
rc-service dhcpd start
rc-update add dhcpd
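dhcpd refuses to start when a range or routers option lies outside its subnet declaration, and a router address that sits inside the dynamic range is one dhcpd may try to lease out; with the placeholders in the file above substituted by hand, both mistakes are easy to make. The script below is an added example, not from the page or from ISC dhcpd: it extracts each subnet block with awk and checks the range endpoints and router against the subnet mask in plain sh arithmetic. The dhcpd.conf fragments it checks use constructed 10.20.0.0/24 and 10.30.0.0/24 addresses and are not the page's configuration.

```shell
#!/bin/sh
# Added example (not from the wiki page or ISC dhcpd): check that every
# "range" and "option routers" in a dhcpd.conf lies inside its subnet
# declaration, and that the router is not inside the dynamic range.
set -e

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET MASK -> exit 0 when ADDR & MASK == NET & MASK
in_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# dhcp_check_ranges CONF: prints one finding per line, exit 1 if any.
# awk flattens each "subnet ... { ... }" block to "net mask lo hi router",
# writing "-" for a missing range or router; the shell does the arithmetic.
dhcp_check_ranges() {
    findings=$(awk '
        /^[[:space:]]*#/ { next }
        $1 == "subnet" { net = $2; mask = $4; lo = hi = gw = "" }
        $1 == "range"  { lo = $2; hi = (NF >= 3) ? $3 : $2; gsub(/;/, "", lo); gsub(/;/, "", hi) }
        $1 == "option" && $2 == "routers" { gw = $3; gsub(/;/, "", gw) }
        /^[[:space:]]*}/ && net != "" {
            print net, mask, (lo == "" ? "-" : lo), (hi == "" ? "-" : hi), (gw == "" ? "-" : gw)
            net = ""
        }
    ' "$1" | while read -r net mask lo hi gw; do
        for a in $lo $hi $gw; do
            [ "$a" = "-" ] && continue
            in_subnet "$a" "$net" "$mask" || echo "$a is outside subnet $net netmask $mask"
        done
        if [ "$gw" != "-" ] && [ "$lo" != "-" ] &&
           [ "$(ip2int "$gw")" -ge "$(ip2int "$lo")" ] &&
           [ "$(ip2int "$gw")" -le "$(ip2int "$hi")" ]; then
            echo "router $gw lies inside the dynamic range $lo-$hi"
        fi
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed dhcpd.conf in the page's layout with concrete private
# addresses (10.20.0.0/24 and 10.30.0.0/24), not the page's placeholders.
write_good_dhcpd() {
    cat > "$1" <<'EOF'
authoritative;
subnet 10.20.0.0 netmask 255.255.255.0 {
    range 10.20.0.100 10.20.0.200;
    option routers 10.20.0.1;
    option domain-name-servers 10.20.0.2;
}
subnet 10.30.0.0 netmask 255.255.255.0 {
    range 10.30.0.50 10.30.0.99;
    option routers 10.30.0.1;
}
EOF
}

# Constructed broken variant: the first range spills past its /24 and the
# router sits inside it; the second subnet names a router from another net.
write_bad_dhcpd() {
    cat > "$1" <<'EOF'
authoritative;
subnet 10.20.0.0 netmask 255.255.255.0 {
    range 10.20.0.100 10.20.1.200;
    option routers 10.20.0.150;
}
subnet 10.30.0.0 netmask 255.255.255.0 {
    range 10.30.0.50 10.30.0.99;
    option routers 10.31.0.1;
}
EOF
}
```

Run dhcp_check_ranges /etc/dhcp/dhcpd.conf after substituting the placeholders and before rc-service dhcpd start; a clean run exits 0 and prints nothing.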
Install the unbound package (nsd is installed below)
apk add unbound
Remove unbound.conf
rm /etc/unbound/unbound.conf
Create with your favorite editor a new configuration for unbound
Contents of /etc/unbound/unbound.conf
Start Unbound, configure it to start at boot, and point the container's own resolver at it
/etc/init.d/unbound start
rc-update add unbound
echo nameserver <%DHCPDNS_VOICE_IP_ADDRESS%> > /etc/resolv.conf
Install nsd
apk add nsd
Configure nsd configuration
Contents of /etc/nsd/nsd.conf
Configure Zone file for nsd
Contents of the zone file referenced from /etc/nsd/nsd.conf
Check nsd configuration and start service
nsd-checkconf /etc/nsd/nsd.conf
/etc/init.d/nsd start
rc-update add nsd
Install the SIP Container
Create and Configure the container
lxc-create -n sip -f /etc/lxc/default.conf -t alpine
Create the startup Script
ln -s /etc/init.d/lxc /etc/init.d/lxc.sip
Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container
Contents of /var/lib/lxc/sip/config
Start the container
/etc/init.d/lxc.sip start
Configure the container to automatically start
rc-update add lxc.sip
Enter the sip container
lxc-console -n sip
Login as root
Remove obsolete /etc/network/interfaces
rm /etc/network/interfaces
Create and configure the new /etc/network/interfaces as shown below:
Contents of /etc/network/interfaces
Startup networking
/etc/init.d/networking start
Configure and enable proxy settings
setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080
. /etc/profile.d/proxy.sh
Configure remote administration
apk update
setup-sshd -c openssh
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config
Start ssh
/etc/init.d/sshd start
Configure a passwd for the container
passwd
Setup acf for web administration
setup-acf
Setup Firewall
apk add acf-awall
With your favorite editor, create the policies for the firewall
Contents of /etc/awall/optional/base.json
Contents of /etc/awall/optional/sip.json
Contents of /etc/awall/optional/syslog.json
Activate the firewall, and allow iptables to startup automatically at boot
awall enable base
awall enable sip
awall enable syslog
awall activate -f
rc-update add iptables
Install and Configure Postgresql
Install postgresql package
apk update
apk add acf-postgresql
Prepare the database
/etc/init.d/postgresql setup
Configure /var/lib/postgresql/9.3/data/postgresql.conf, setting the 'listen_addresses' and 'log_destination' variables as shown:
Contents of /var/lib/postgresql/9.3/data/postgresql.conf
Start up the database and configure postgresql to start at boot up
/etc/init.d/postgresql start
rc-update add postgresql
Install ACF-Provisioning
TO POPULATE
Install Kamailio
Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio
Install the SIP Media container
Create and Configure the container
lxc-create -n media -f /etc/lxc/default.conf -t alpine
Create the startup Script
ln -s /etc/init.d/lxc /etc/init.d/lxc.media
Edit the container's config file found at /var/lib/lxc/media/config, to reflect the network for the SIP Media container
Contents of /var/lib/lxc/media/config
Start the container
/etc/init.d/lxc.media start
Configure the container to automatically start
rc-update add lxc.media
Enter the SIP Media container
lxc-console -n media
Login as root
Remove obsolete /etc/network/interfaces
rm /etc/network/interfaces
Create and configure the new /etc/network/interfaces as shown below:
Contents of /etc/network/interfaces
Startup networking
/etc/init.d/networking start
Configure and enable proxy settings
setup-proxy http://<%WEBPROXY_IP_ADDRESS%>:8080
. /etc/profile.d/proxy.sh
Configure remote administration
apk update
setup-sshd -c openssh
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config
Start ssh
/etc/init.d/sshd start
Configure a passwd for the container
passwd
Setup acf for web administration
setup-acf
Setup Firewall
apk add acf-awall
With your favorite editor, create the policies for the firewall
Contents of /etc/awall/optional/base.json
Contents of /etc/awall/optional/sip-track.json
Enable and activate firewall policies, and configure iptables to start at boot
awall enable base
awall enable sip-track
awall activate -f
rc-update add iptables
Install and Configure Freeswitch
Install package
Install Freeswitch Package
Configure /etc/freeswitch/freeswitch.xml
Contents of /etc/freeswitch/freeswitch.xml
TO POPULATE
Start Freeswitch and configure to start at boot
/etc/init.d/freeswitch start
rc-update add freeswitch
Install the wifi Container
Create and Configure the container
lxc-create -n wifi -f /etc/lxc/default.conf -t alpine
Create the startup Script
ln -s /etc/init.d/lxc /etc/init.d/lxc.wifi
Edit the container's config file found at /var/lib/lxc/wifi/config, to reflect the network for the wifi container
Contents of /var/lib/lxc/wifi/config
Start the container
/etc/init.d/lxc.wifi start
Configure the container to automatically start
rc-update add lxc.wifi
Enter the wifi container
lxc-console -n wifi
Login as root
Remove obsolete /etc/network/interfaces
rm /etc/network/interfaces
Create and configure the new /etc/network/interfaces as shown below:
Contents of /etc/network/interfaces
Startup networking
/etc/init.d/networking start
Configure remote administration
apk update
setup-sshd -c openssh
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config
Start ssh
/etc/init.d/sshd start
Configure a passwd for the container
passwd
Setup acf for web administration
setup-acf
Setup Firewall
apk add acf-awall
Install and Configure the Recursive DNS Service
Install unbound package
apk add unbound
With your favorite editor configure /etc/unbound/unbound.conf
Contents of /etc/unbound/unbound.conf
Install and Configure the Proxy service
Install the necessary packages
apk add squid squark lighttpd
With your preferred editor configure /etc/squid/squid.conf
Contents of /etc/squid/squid.conf
#Squid config
# This port listens for client requests
http_port 172.17.48.1:8080 transparent
http_port 127.0.0.1:8081
visible_hostname wifi.local
cache_mem 8 MB
# If you don't have an HD installed comment the "cache_dir" line below
cache_dir aufs /var/cache/squid 900 16 256
# Even though we only use one proxy, this line is recommended
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html
hierarchy_stoplist cgi-bin ?
# Keep 7 days of access logs
logfile_rotate 7
logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG
access_log /var/log/squid/access.log squark
cache_store_log none
pid_filename /var/run/squid.pid
# Make sure client IP is passed to Squark
log_uses_indirect_client on
acl_uses_indirect_client on
# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections
# for more info
# Keep 7 days of cache log
debug_options rotate=7
# Web auditors want to see the full uri, even with the query terms
strip_query_terms off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
coredump_dir /var/cache/squid
dns_nameservers 172.17.48.1
#
# Authentication
#
# Squark external acl
#external_acl_type squark_snmp_auth_D children-max=1 ttl=4 grace=1 negative_ttl=0 concurrency=128 %SRC /usr/bin/squark-auth-snmp -c public -R <SWITCH_IP> -i <D_VLAN_IF> -v <D_VLAN_ID> -f "%N-%i=%I" -T /etc/squark/topology.conf
#
# Access Control Lists (ACL's)
#
# Standard ACL settings
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp
acl to_localhost dst 172.17.48.1
acl SSL_ports port 443 563 8004 9000
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
#acl SquarkAuth external squark_auth
#acl SquarkSnmpAuthD external squark_snmp_auth_D
# Squark filter
url_rewrite_program /usr/bin/squark-filter
url_rewrite_children 1 concurrency=128
# No proxy authentication is configured; userlist simply matches every client
acl userlist src all
# Definition of zones
acl Zone_D src 172.17.48.0/24
#
# Access restrictions (evaluated top down, first match wins)
#
cache deny QUERY
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# Allow hosts in Zone_D to access the entire Internet
http_access allow Zone_D
# Denying all access not explicitly allowed
http_access deny all
##Squark URL rewriter
#Prevent squark from filtering itself
url_rewrite_access deny manager
url_rewrite_access deny to_localhost
#Finally, permit access
url_rewrite_access allow Zone_D
http_reply_access allow all
icp_access allow all
Configure lighttpd
Contents of /etc/lighttpd/lighttpd.conf
var.basedir  = "/var/www/localhost"
var.logdir   = "/var/log/lighttpd"
var.statedir = "/var/lib/lighttpd"
server.modules = (
    "mod_access",
    "mod_accesslog",
    "mod_extforward"
)
include "mime-types.conf"
include "mod_cgi.conf"
server.username  = "lighttpd"
server.groupname = "lighttpd"
server.document-root = var.basedir + "/squark"
server.pid-file      = "/var/run/lighttpd.pid"
server.errorlog      = var.logdir + "/error.log"
server.indexfiles    = ("index.php", "index.html", "index.htm", "default.htm")
server.follow-symlink = "enable"
# Listen only on the wifi-side address, on a port Squid does not use
server.port = 81
server.bind = "172.17.48.1"
static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")
accesslog.filename = var.logdir + "/access.log"
url.access-deny = ("~", ".inc")
# Trust X-Forwarded-For only when the request comes from the Squid proxy itself
extforward.forwarder = ("172.17.48.1" => "trust")
Contents of /etc/lighttpd/mod_cgi.conf
###############################################################################
# mod_cgi.conf
# include'd by lighttpd.conf.
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $
###############################################################################
#
# see cgi.txt for more information on using mod_cgi
#
server.modules += ("mod_cgi")

# NOTE: this requires mod_alias
alias.url = (
    "/cgi-bin/" => var.basedir + "/cgi-bin/"
)
#
# Note that you'll also want to enable the
# cgi-bin alias via mod_alias (above).
#
$HTTP["url"] =~ "^/cgi-bin/" {
    # disable directory listings
    dir-listing.activate = "disable"
    # only allow cgi's in this directory
    cgi.assign = (
        ".pl"  => "/usr/bin/perl",
        ".cgi" => "/usr/bin/haserl"
    )
}
# vim: set ft=conf foldmethod=marker et :
Link Squark web pages to the Web server home directory
ln -s /usr/share/squark/www/ /var/www/localhost/squark
Create the squark group, then make the 'squid' and 'lighttpd' users members of it
addgroup squark
addgroup squid squark
addgroup lighttpd squark
Start lighttpd and configure the Web service to start at boot
/etc/init.d/lighttpd start
rc-update add lighttpd
Start Squid and configure it to start at boot
/etc/init.d/squid start
rc-update add squid