This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Cewebb on 14 Jan 2014.)

Abstract: This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).

Tip: At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.

Hardware

Setup LXC Host Box

Boot Alpine USB

Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.

Alpine Setup

setup-alpine

You will be prompted something like this...	Suggestion on what you could enter...
`Select keyboard layout [none]:`	Type an appropriate layout for you
`Select variant:`	Type an appropriate layout for you (if prompted)
`Enter system hostname (short form, e.g. 'foo') [localhost]:`	Enter the hostname, e.g. lxc-host
`Available interfaces are: eth0 Enter '?' for help on bridges, bonding and vlans. Which one do you want to initialize? (or '?' done')`	Enter bond0.3
`Available bond slaves are: eth0 eth1 Which slave(s) do you want to add to bond0? (or 'done') [eth0]`	eth0 eth1
`IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:`	Press Enter confirming 'none'
`IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:`	<%LXCHOST_MANAGEMENT_IP_ADDRESS%>
`Netmask? [255.255.255.0]:`	<%DMVPN_MANAGEMENT_NETMASK%>
`Gateway? (or 'none') [none]:`	<%DMVPN_MANAGEMENT_NET_IP%>
`Do you want to do any manual network configuration? [no]`	no
`DNS domain name? (e.g. 'bar.com') []:`	Enter the domain name of your intranet, e.g., office.example.net
`DNS nameservers(s)? []:`	8.8.8.8 8.8.4.4 (we will change them later)
`Changing password for root New password:`	Enter a secure password for the console
`Retype password:`	Retype the above password
`Which timezone are you in? ('?' for list) [UTC]:`	Press Enter confirming 'UTC'
`HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]`	http://<%DMVPN_USR_NET_IP%>:8080
`Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:`	Select a mirror close to you and press Enter
`Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:`	Press Enter confirming 'openssh'
`Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:`	Press Enter confirming 'chrony'
`Which disk(s) would you like to use? (or '?' for help or 'none') [none]:`	sda sdb
`How would you like to use them? ('sys', 'data' or '?' for help):`	data
`Enter where to store configs ('floppy', 'usb' or 'none') [usb]:`	Press Enter confirming 'usb'
`Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:`	Press Enter confirming '/media/usb/cache'

Upgrade packages

apk update apk upgrade

Save Changes

lbu commit

Finish Setup with a reboot

reboot

Setup Networking

With your favorite editor configure /etc/network/interfaces

Contents of /etc/network/interfaces

auto lo
iface lo inet loopback

auto bond0
iface bond0 inet manual
        bond-slaves eth0 eth1
        up ip link set $IFACE up
        up bond-mode balance-tlb
        up bond-miimon 100
        down ip link set $IFACE down

auto bond0.3
iface bond0.3 inet static
	address <%LXCHOST_MANAGEMENT_IP_ADDRESS%>
	netmask <%DMVPN_MANAGEMENT_NETMASK%>
	gateway <%DMVPN_MANAGEMENT_IP%>

auto bond0.101
iface bond0.101 inet manual
	up ip link set $IFACE up
	down ip link set $IFACE down

auto bond0.1101
iface bond0.1101 inet manual
	up ip link set $IFACE up
	down ip link set $IFACE down

auto bond0.701
iface bond0.601 inet manual
	up ip link set $IFACE up
	down ip link set $IFACE down

Apply changes by restarting networking

/etc/init.d/networking restart

Enable IP Forwarding

echo "1" > /proc/sys/net/ipv4/ip_forward

Setup Firewall

apk add acf-awall

With your favorite editor, create a base policy file for a wall, /etc/awall/optional/base.json

Contents of /etc/awall/optional/base.json

{
  "description": "Base Policy",

  "policy": [
    { "in": "_fw", "action": "accept" }
  ],

  "filter": [
    {
      "out": "_fw",
      "service": [ "ssh", "https", "ping" ],
      "action": "accept"
    }
  ]
}

Activate the Firewall

modprobe ip_tables awall enable base awall activate

Configure ip_tables to start automatically when host is booted up

rc-update add awall

Install LXC

Install the LXC and Bridge packages

apk add lxc bridge

With your favorite editor configure /etc/lxc/default.conf

Contents of /etc/lxc/default.conf

## Allow containers in the same VLAN to see each other
lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.link = bond0.3
lxc.network.name = eth0

## Restrict capabilities of the containers
lxc.cap.drop = sys_admin audit_control audit_write fsetid ipc_lock
lxc.cap.drop = ipc_owner lease linux_immutable mac_admin mac_override
lxc.cap.drop = mknod setfcap setpcap sys_module sys_nice sys_pacct
lxc.cap.drop = sys_ptrace sys_rawio sys_tty_config sys_time

Finish Installation

lbu ci reboot

Install the Web Proxy Container

Create and the container

lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine

Create the startup Script

ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy

Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container

Contents of /var/lib/lxc/webproxy/config

...
lxc.network.link = bond0.101
...

Start the container

/etc/iniit.d/lxc.webproxy

Configure the container to automatically start

rc-update add lxc.webproxy

Enter the webproxy container

lxc-console -n webproxy

Login as root

Note: If the need arises to exit the container press Ctrl+ a + k

Remove obsolete /etc/network/interfaces

rm /etc/network/interfaces

Create and configure the new /etc/network/interfaces as shown below:

Contents of /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
	address <%WEB_PROXY_IP_ADDRESS%>
	netmask <%DMVPN_USR_NET_NETMASK%>
	gateway <%DMVPN_USR_NET_IP_ADDRESS%>

Startup networking

/etc/init.d/networking start

Add rule to DMVPN awall policy to allow this proxy out to the internet

Note: this is to be configured on the DMVPN awall config

Contents of /etc/awall/optional/internet-host.json

{
     "in": "B",
      "src": "$I2D_PROXY",
      "out": "E",
      "action": "accept",
},

Configure remote administration

apk update setup-sshd -c openssh sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config

Start ssh

/etc/init.d/sshd start

Configure a passwd for the container

passwd

Setup acf for web administration

setup-acf

Setup Firewall

Create the policies for the firewall

Contents of /etc/awall/optional/base.json

{
  "description": "BSN Appliance Management",

  "policy": [
    { "in": "_fw", "action": "accept" }
  ],

  "filter": [
    {
      "out": "_fw",
      "service": [ "ssh", "https", "ping" ],
      "action": "accept"
    }
  ]
}

Contents of /etc/awall/optional/webproxy.json

{
     "description": "BSN Appliance Web Proxy",
 
     "filter": [
       {
         "out": "_fw",
         "service": [ "http", "http-alt" ],
         "action": "accept"
       }
    ]
}

Activate the firewall, and allow iptables to startup automatically at boot

awall enable base awall enable webproxy awall activate rc-update add iptables

Install and Configure the Squid Web Proxy Service

Install the required packages

apk add acf-squid squark acf-lighttpd

Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%>

Contents of /etc/init.d/squid/squid.conf

#Squid config for webproxy

# This port listens for client requests
http_port 8080

visible_hostname <%HOSTNAME%>.<%DOMAIN%>
cache_mem 8 MB
# If you don't have an HD installed comment the "cache_dir" line below
cache_dir aufs /var/cache/squid 900 16 256

# Even though we only use one proxy, this line is recommended
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html
hierarchy_stoplist cgi-bin ?

# Keep 7 days of access logs
logfile_rotate 7

logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG
access_log /var/log/squid/access.log squark
cache_store_log none
pid_filename /var/run/squid.pid

# Make sure client IP is passed to Squark
log_uses_indirect_client on
acl_uses_indirect_client on

# Fix for problems with branch file transfer application
# ignore_expect_100 on (deprecated)

# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections
# for more info
# Keep 7 days of cache log
debug_options rotate=7

# Web auditors want to see the full uri, even with the query terms
strip_query_terms off

refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

coredump_dir /var/cache/squid

# 
# Authentication
#


#
# Access Control Lists (ACL's)
#

# Standard ACL settings
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%>
acl SSL_ports port 443 563 8004 9000
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT

# Squark filter
url_rewrite_program /usr/bin/squark-filter
url_rewrite_children 1 concurrency=128

# Require authentication
acl userlist  src all

# Definition of zones (replace <%BRN%> with your branch number)
acl Zone_B src <%USERNET_SUBNET%>/<%USERNET_SLASH_NOTATION%>
#acl Zone_D src <%DZONE_SUBNET%>/<%DZONE_SLASH_NOTATION%>

# Settings migrated from smn
acl Zone_B_AllowedUserDomains     dstdomain "/etc/squid/alloweduserdomains"
acl Zone_B_AllowedServicesHosts   src "/etc/squid/allowedserviceshosts"
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"

# Settings migrated from services
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"
acl AnonIPAddrs src "/etc/squid/anoniplist"
acl AnonDomain url_regex "/etc/squid/anondomainlist"

#
# Access restrictions
#

cache deny QUERY

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# Allow hosts in Zone_B and Zone_C to access hosts listed in
# /etc/squid/alloweduserdomains
http_access allow Zone_B Zone_B_AllowedUserDomains

# Allow hosts listed in /etc/squid/allowedserviceshosts to
# access domains listed in /etc/squid/allowedservicesdomains
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains


# Denying all access not explictly allowed
http_access deny all

##Squark URL rewriter
#Prevent squark from filtering itself
url_rewrite_access deny manager
url_rewrite_access deny to_localhost

#We do not want authentication for these sites:
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains

http_reply_access allow all
icp_access allow all

Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%>

Contents of /etc/lighttpd/lighttpd.conf

##############################################################################
# Default lighttpd.conf for Gentoo.
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $
###############################################################################
var.basedir  = "/var/www/localhost"
var.logdir   = "/var/log/lighttpd"
var.statedir = "/var/lib/lighttpd"

server.modules = (
    "mod_access",
    "mod_accesslog",
    "mod_extforward"
)
include "mime-types.conf" 

include "mod_cgi.conf"

server.username      = "lighttpd"

server.groupname     = "lighttpd"

server.document-root = var.basedir + "/squark"

server.pid-file      = "/var/run/lighttpd.pid"
    
server.errorlog      = var.logdir  + "/error.log"

server.indexfiles    = ("index.php", "index.html",
                                                "index.htm", "default.htm")
server.follow-symlink = "enable"

static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")

accesslog.filename   = var.logdir + "/access.log"

url.access-deny = ("~", ".inc")

extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")

Configure mod_cgi.conf

Contents of /etc/lighttpd/mod_cgi.conf

###############################################################################
# mod_cgi.conf
# include'd by lighttpd.conf.
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $
###############################################################################

#
# see cgi.txt for more information on using mod_cgi
#

server.modules += ("mod_cgi")

# NOTE: this requires mod_alias
alias.url = (
     "/cgi-bin/"	    =>	    var.basedir + "/cgi-bin/"
)

#
# Note that you'll also want to enable the
# cgi-bin alias via mod_alias (above).
#

$HTTP["url"] =~ "^/cgi-bin/" {
    # disable directory listings
    dir-listing.activate = "disable"
    # only allow cgi's in this directory
    cgi.assign = (
		".pl"	=>	"/usr/bin/perl",
		".cgi"	=>	"/usr/bin/haserl"
	)
}