Small Office Services: Difference between revisions

From Alpine Linux
Line 1,156: Line 1,156:
auto eth0
auto eth0
iface eth0 inet static
iface eth0 inet static
address <%WIFI_IP_ADDRESS%>
address 172.17.48.1
netmask <%VPNc_WIFI_NETMASK%>
netmask 255.255.255.0


auto eth1
auto eth1
iface eth1 inet static
iface eth1 inet static
address <%WIFI_TRANSIT_IP_ADDRESS%>
address 10.1.0.254
netmask <%WIFI_TRANSIT_NETMASK%>
netmask 255.255.255.252
gateway <%DMVPN_WIFI_TRANSIT_IP_ADDRESS%>
gateway 10.1.0.253


auto eth2
auto eth2
iface eth2 inet static
iface eth2 inet static
address <%WIFI_MANAGEMENT_IP_ADDRESS%>
address 10.1.0.131
netmask <%MANAGEMENT_NETMASK%>
netmask 255.255.255.192
}}
}}



Revision as of 20:27, 20 July 2014

Abstract: This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC). It is designed to be a complement to the DMVPN spoke node.

The following services will be available in addition to the encrypted communications between offices provided by the DMVPN network:

  • Internet browsing proxy server with domain filtering (wired clients on protected internal network)
  • Separate proxy for wifi clients
  • SIP phone system including web based provisioning and basic voicemail services

The assumption is made that the following VLANs and subnets are used as the DMVPN document did:

Interface Description Subnet
bond0.3 Management 10.1.0.129/26
bond0.101 LAN 10.1.0.0/25
bond0.256 Internet from ISP1 Allocated from ISP
bond0.257 Internet from ISP2 Allocated from ISP
bond0.620 Transit between wifi proxy and dmvpn spoke node 10.1.0.252/30
bond0.701 WiFi clients (no access to DMVPN network) 172.17.48.0/24
bond0.1101 Voice 10.2.0.0/24


Tip: At the time of writing, the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.9 64 bit.

Hardware

For an office that will serve under 20 people, the following containers can easily run on low-power hardware such as a Via Nano 1.6Ghz Jetway board with 8GB RAM with dual 500GB SATA hard drives running in RAID 1 (software).

Setup LXC Host Box

Boot Alpine USB

Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.

Alpine Setup

setup-alpine

You will be prompted something like this... Suggestion on what you could enter...
Select keyboard layout [none]: Type an appropriate layout for you
Select variant: Type an appropriate layout for you (if prompted)
Enter system hostname (short form, e.g. 'foo') [localhost]: Enter the hostname, e.g. lxc-host
Available interfaces are: eth0
Enter '?' for help on bridges, bonding and vlans.
Which one do you want to initialize? (or '?' done')
Enter bond0.3
Available bond slaves are: eth0 eth1
Which slave(s) do you want to add to bond0? (or 'done') [eth0]
eth0 eth1
IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]: Press Enter confirming 'none'
IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]: <%LXCHOST_MANAGEMENT_IP_ADDRESS%>
Netmask? [255.255.255.0]: <%DMVPN_MANAGEMENT_NETMASK%>
Gateway? (or 'none') [none]: <%DMVPN_MANAGEMENT_NET_IP%>
Do you want to do any manual network configuration? [no] no
DNS domain name? (e.g. 'bar.com') []: Enter the domain name of your intranet, e.g., office.example.net
DNS nameservers(s)? []: 8.8.8.8 8.8.4.4 (we will change them later)
Changing password for root
New password:
Enter a secure password for the console
Retype password: Retype the above password
Which timezone are you in? ('?' for list) [UTC]: Press Enter confirming 'UTC'
HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none] http://<%DMVPN_LAN_IP%>:8080
Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]: Select a mirror close to you and press Enter
Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]: Press Enter confirming 'openssh'
Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]: Press Enter confirming 'chrony'
Which disk(s) would you like to use? (or '?' for help or 'none') [none]: sda sdb
How would you like to use them? ('sys', 'data' or '?' for help): data
Enter where to store configs ('floppy', 'usb' or 'none') [usb]: Press Enter confirming 'usb'
Enter apk cache directory (or '?' or 'none') [/media/usb/cache]: Press Enter confirming '/media/usb/cache'

Upgrade packages

apk update apk upgrade

Save Changes

lbu commit

Finish Setup with a reboot

reboot

Setup Networking

With your favorite editor configure /etc/network/interfaces

Contents of /etc/network/interfaces

auto lo iface lo inet loopback auto bond0 iface bond0 inet manual bond-slaves eth0 eth1 bond-mode balance-tlb bond-miimon 100 bond-updelay 500 up ip link set $IFACE up down ip link set $IFACE down auto bond0.3 iface bond0.3 inet static address <%LXCHOST_MANAGEMENT_IP_ADDRESS%> netmask <%DMVPN_MANAGEMENT_NETMASK%> gateway <%DMVPN_MANAGEMENT_IP%> auto bond0.101 iface bond0.101 inet manual up ip link set $IFACE up down ip link set $IFACE down auto bond0.1101 iface bond0.1101 inet manual up ip link set $IFACE up down ip link set $IFACE down auto bond0.701 iface bond0.701 inet manual up ip link set $IFACE up down ip link set $IFACE down

Apply changes by restarting networking

/etc/init.d/networking restart

Enable IP Forwarding

echo "1" > /proc/sys/net/ipv4/ip_forward

Setup Firewall

apk add acf-awall

With your favorite editor, create the base policy for the firewall

Contents of /etc/awall/optional/base.json

{ "description": "Management", "policy": [ { "in": "_fw", "action": "accept" } ], "filter": [ { "out": "_fw", "service": [ "ssh", "https", "ping" ], "action": "accept" } ] }

Activate the firewall, and allow iptables to startup automatically at boot

modprobe ip_tables awall enable base awall activate -f rc-update add iptables

Install LXC

Install the LXC and Bridge packages

apk add lxc bridge

With your favorite editor configure /etc/lxc/default.conf

Contents of /etc/lxc/default.conf

## Allow containers in the same VLAN to see each other lxc.network.type = macvlan lxc.network.macvlan.mode = bridge lxc.network.link = bond0.3 lxc.network.name = eth0 ## Restrict capabilities of the containers lxc.cap.drop = sys_admin audit_control audit_write fsetid ipc_lock lxc.cap.drop = ipc_owner lease linux_immutable mac_admin mac_override lxc.cap.drop = mknod setfcap setpcap sys_module sys_nice sys_pacct lxc.cap.drop = sys_ptrace sys_rawio sys_tty_config sys_time

Finish Installation

lbu ci reboot

Install the Web Proxy Container

Create and Configure the container

lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine

Create the startup Script

ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy

Edit the container's config file found at /var/lib/lxc/webproxy/config, to reflect the network for the web proxy container

Contents of /var/lib/lxc/webproxy/config

... lxc.network.link = bond0.101 ...

Start the container

/etc/iniit.d/lxc.webproxy

Configure the container to automatically start

rc-update add lxc.webproxy

Enter the webproxy container

lxc-console -n webproxy

Login as root

Note: If the need arises to exit the container press Ctrl+ a + q

Remove obsolete /etc/network/interfaces

rm /etc/network/interfaces

Create and configure the new /etc/network/interfaces as shown below:

Contents of /etc/network/interfaces

auto lo iface lo inet loopback auto eth0 iface eth0 inet static address 10.1.0.2 netmask 255.255.255.192 gateway 10.1.0.1

Startup networking

/etc/init.d/networking start

Add rule to DMVPN awall policy to allow this proxy out to the internet

Note: this is to be configured on the DMVPN awall config

Contents of /etc/awall/optional/internet-host.json

{ "in": "B", "src": "$10.1.0.2", "out": "E", "action": "accept", },

Configure remote administration

apk update setup-sshd -c openssh sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config

Start ssh

/etc/init.d/sshd start

Configure a passwd for the container

passwd

Setup acf for web administration

setup-acf

Setup Firewall

apk add acf-awall

With your favorite editor, create the policies for the firewall

Contents of /etc/awall/optional/base.json

{ "description": "Management", "policy": [ { "in": "_fw", "action": "accept" } ], "filter": [ { "out": "_fw", "service": [ "ssh", "https", "ping" ], "action": "accept" } ] }

Contents of /etc/awall/optional/webproxy.json

{ "description": "Web Proxy", "filter": [ { "out": "_fw", "service": [ "http", "http-alt" ], "action": "accept" } ] }

Activate the firewall, and allow iptables to startup automatically at boot

awall enable base awall enable webproxy awall activate -f rc-update add iptables

Install and Configure the Squid Web Proxy Service

Install the required packages

apk add acf-squid squark acf-lighttpd

Configure /etc/squid/squid.conf, replace <%WEBPROXY_IP_ADDRESS%>, <%HOSTNAME%>, and <%DOMAIN%>

Contents of /etc/init.d/squid/squid.conf

#Squid config for webproxy

# This port listens for client requests
http_port 8080

visible_hostname <%HOSTNAME%>.<%DOMAIN%>
cache_mem 8 MB
# If you don't have an HD installed comment the "cache_dir" line below
cache_dir aufs /var/cache/squid 900 16 256

# Even though we only use one proxy, this line is recommended
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html
hierarchy_stoplist cgi-bin ?

# Keep 7 days of access logs
logfile_rotate 7

logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG
access_log /var/log/squid/access.log squark
cache_store_log none
pid_filename /var/run/squid.pid

# Make sure client IP is passed to Squark
log_uses_indirect_client on
acl_uses_indirect_client on

# Fix for problems with branch file transfer application
# ignore_expect_100 on (deprecated)

# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections
# for more info
# Keep 7 days of cache log
debug_options rotate=7

# Web auditors want to see the full uri, even with the query terms
strip_query_terms off

refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

coredump_dir /var/cache/squid

# 
# Authentication
#


#
# Access Control Lists (ACL's)
#

# Standard ACL settings
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp
acl to_localhost dst <%WEBPROXY_IP_ADDRESS%>
acl SSL_ports port 443 563 8004 9000
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT

# Squark filter
url_rewrite_program /usr/bin/squark-filter
url_rewrite_children 1 concurrency=128

# Require authentication
acl userlist  src all

# Definition of zones 
acl Zone_B src <%LAN_SUBNET%>/<%LAN_SLASH_NOTATION%>
#acl Zone_D src <%WiFi_SUBNET%>/<%WiFi_SLASH_NOTATION%>

# Settings migrated from smn
acl Zone_B_AllowedUserDomains     dstdomain "/etc/squid/alloweduserdomains"
acl Zone_B_AllowedServicesHosts   src "/etc/squid/allowedserviceshosts"
acl Zone_B_AllowedServicesDomains dstdomain "/etc/squid/allowedservicesdomains"

# Settings migrated from services
acl AnonBrowsers browser "/etc/squid/anonbrowserlist"
acl AnonIPAddrs src "/etc/squid/anoniplist"
acl AnonDomain url_regex "/etc/squid/anondomainlist"

#
# Access restrictions
#

cache deny QUERY

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# Allow hosts in Zone_B and Zone_C to access hosts listed in
# /etc/squid/alloweduserdomains
http_access allow Zone_B Zone_B_AllowedUserDomains

# Allow hosts listed in /etc/squid/allowedserviceshosts to
# access domains listed in /etc/squid/allowedservicesdomains
http_access allow Zone_B_AllowedServicesHosts Zone_B_AllowedServicesDomains


# Denying all access not explictly allowed
http_access deny all

##Squark URL rewriter
#Prevent squark from filtering itself
url_rewrite_access deny manager
url_rewrite_access deny to_localhost

#We do not want authentication for these sites:
url_rewrite_access deny Zone_B Zone_B_AllowedUserDomains
url_rewrite_access deny Zone_B Zone_B_AllowedServicesDomains

http_reply_access allow all
icp_access allow all

Configure /etc/lighttpd/lighttpd.conf, replace <%WEBPROXY_IP_ADDRESS%>

Contents of /etc/lighttpd/lighttpd.conf

##############################################################################
# Default lighttpd.conf for Gentoo.
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $
###############################################################################
var.basedir  = "/var/www/localhost"
var.logdir   = "/var/log/lighttpd"
var.statedir = "/var/lib/lighttpd"

server.modules = (
    "mod_access",
    "mod_accesslog",
    "mod_extforward"
)
include "mime-types.conf" 

include "mod_cgi.conf"

server.username      = "lighttpd"

server.groupname     = "lighttpd"

server.document-root = var.basedir + "/squark"

server.pid-file      = "/var/run/lighttpd.pid"
    
server.errorlog      = var.logdir  + "/error.log"

server.indexfiles    = ("index.php", "index.html",
                                                "index.htm", "default.htm")
server.follow-symlink = "enable"

static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")

accesslog.filename   = var.logdir + "/access.log"

url.access-deny = ("~", ".inc")

extforward.forwarder = ("<%WEBPROXY_IP_ADDRESS%>" => "trust")

Configure mod_cgi.conf

Contents of /etc/lighttpd/mod_cgi.conf

###############################################################################
# mod_cgi.conf
# include'd by lighttpd.conf.
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $
###############################################################################

#
# see cgi.txt for more information on using mod_cgi
#

server.modules += ("mod_cgi")

# NOTE: this requires mod_alias
alias.url = (
     "/cgi-bin/"	    =>	    var.basedir + "/cgi-bin/"
)

#
# Note that you'll also want to enable the
# cgi-bin alias via mod_alias (above).
#

$HTTP["url"] =~ "^/cgi-bin/" {
    # disable directory listings
    dir-listing.activate = "disable"
    # only allow cgi's in this directory
    cgi.assign = (
		".pl"	=>	"/usr/bin/perl",
		".cgi"	=>	"/usr/bin/haserl"
	)
}

Link the Squark web pages to the Web server home directory

ln -s /usr/share/squark/www/ /var/www/localhost/squark

Create a Squark group

addgroup squark

Make 'squid' and 'lighttpd' users member of the group squark

addgroup squid squark addgroup lighttpd squark

Start lighttpd, and configure the service to start on when container is booted

/etc/init.d/lighttpd start rc-update add lighttpd


Start Squid, and configure to start at boot

/etc/init.d/squid start rc-update add squid

Install the DHCP and DNS server Container

Create and Configure the container

lxc-create -n dhcpdns -f /etc/lxc/default.conf -t alpine

Create the startup Script

ln -s /etc/init.d/lxc /etc/init.d/lxc.dhcpdns

Edit the container's config file found at /var/lib/lxc/dhcpdns/config, to reflect the network for the web proxy container

Contents of /var/lib/lxc/dhcpdns/config

#Management Network Config
lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.link = bond0.3
lxc.network.name = eth0

#WiFi Network Config
lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.link = bond0.701
lxc.network.name = eth1

#Voice Network Config
lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.link = bond0.1101
lxc.network.name = eth2

Start the container

/etc/init.d/lxc.dhcpdns

Configure the container to automatically start

rc-update add lxc.dhcpdns

Enter the dhcpdns container

lxc-console -n dhcpdns

Login as root

Note: If the need arises to exit the container press Ctrl+ a + q

Remove obsolete /etc/network/interfaces

rm /etc/network/interfaces

Create and configure the new /etc/network/interfaces as shown below:

Contents of /etc/network/interfaces

auto lo iface lo inet loopback #Management VLAN auto eth0 iface eth0 inet static address 10.1.0.130 netmask 255.255.255.192 #WiFi VLAN auto eth1 iface eth1 inet static address 172.16.48.2 netmask 255.255.255.0 #Voice VLAN auto eth2 iface eth2 inet static address 10.2.0.2 netmask 255.255.255.0 gateway 10.2.0.1 up ip address add 10.2.0.3/24 dev eth0

Startup networking

/etc/init.d/networking start

Configure and enable proxy settings

setup-proxy http://10.1.0.2:8080 . /etc/profile.d/proxy.sh

Configure remote administration

apk update setup-sshd -c openssh sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config

Start ssh

/etc/init.d/sshd start

Configure a passwd for the container

passwd

Setup acf for web administration

setup-acf

Setup Firewall

apk add acf-awall

With your favorite editor, create the policies for the firewall

Contents of /etc/awall/optional/base.json

{ "description": "Management", "policy": [ { "in": "_fw", "action": "accept" } ], "filter": [ { "out": "_fw", "service": [ "ssh", "https", "ping" ], "action": "accept" } ] }

Contents of /etc/awall/optional/dhcp.json

{ "description": "DHCP", "filter": [ { "out": "_fw", "service": "dhcp", "action": "accept" } ] }

Contents of /etc/awall/optional/dns.json

{ "description": "DNS", "filter": [ { "out": "_fw", "service": "dns", "action": "accept" } ] }

Activate the firewall, and allow iptables to startup automatically at boot

awall enable base awall enable dhcp awall enable dns awall activate -f rc-update add iptables

Install and Configure DHCP and DNS services

install the dhcpd package

apk add acf-dhcp

Create a new dhcpd.conf file

Contents of /etc/dhcp/dhcpd.conf

## Common settings
default-lease-time 302400;
max-lease-time 604800;
ddns-update-style none;
log-facility local7;
authoritative;

## Common options
option time-servers 10.2.0.1;
option boot-server code 66 = string;

## Voice
subnet 10.2.0.0 netmask 255.255.255.0
{
   range "10.2.0.20 10.2.0.250";
   option domain-name-servers 10.2.0.2;
   option routers 10.2.0.1;
   option boot-server "http://10.2.0.4";
   option domain-name "office.example.net";
}

## WiFi
subnet 172.17.48.0 netmask 255.255.255.0
{
  range "172.17.48.10 172.17.48.250";
  option routers 172.17.48.1;
  option domain-name-servers 172.17.48.1;  
}

Start DHCP service and add to runlevel default

rc-service dhcpd start rc-update add dhcpd

Install nsd and unbound packages

apk add unbound

Remove unbound.conf

rm /etc/unbound/unbound.conf

Create with your favorite editor a new configuration for unbound

Contents of /etc/unbound/unbound.conf

#Recursive DNS configuration server: interface: 10.2.0.2 do-not-query-localhost: no verbosity: 1 do-ip4: yes do-ip6: no do-udp: yes do-tcp: yes do-daemonize: yes access-control: 10.1.0.0/16 allow access-control: 127.0.0.0/8 allow #use the root.hints file to determine where to send DNS queries outside of network root-hints: "/etc/unbound/root.hints" stub-zone: name: "office.example.net" stub-addr: 10.2.0.3 stub-zone: name: "example.net" stub-addr: 172.16.255.1 stub-addr: 172.16.255.2 stub-addr: 172.16.255.3 stub-addr: 172.16.255.4 stub-addr: 172.16.255.5 stub-addr: 172.16.255.7 stub-zone: name: "example2.net" stub-addr: 172.16.255.1 stub-addr: 172.16.255.2 stub-addr: 172.16.255.3 stub-addr: 172.16.255.4 stub-addr: 172.16.255.5 stub-addr: 172.16.255.7

Start Unbound and allow the container to use it {{Cmd|/etc/init.d/unbound start rc-update add unbound echo nameserver 10.2.0.2 > /etc/resolv.conf

Install nsd

apk add nsd

Configure nsd configuration

Contents of /etc/nsd/nsd.conf

server: ip-address: 10.2.0.3 port: 53 server-count: 1 ip4-only: yes hide-version: yes identity: "" zonesdir: "/etc/nsd" zone: name: office.example.net zonefile: office.example.net.zone

Configure Zone file for nsd

Contents of /etc/nsd/nsd.conf

$ORIGIN office.example.net. $TTL 86400 @ IN SOA ns admin ( 2013032200 ; Serial number [yyyymmddnn] 28800 ; Refresh 7200 ; Retry 864000 ; Expire 86400 ; Min TTL ) @ NS ns1 ; NSA Servers ns1 IN A 10.2.0.3 ;A Records for SIP Devices sip IN A 10.2.0.4 media IN A 10.2.0.5 ;NAPTR Records @ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.sip.office.example.net. @ IN NAPTR 10 1 "s" "SIP+D2U" "" _sip._udp.media.office.example.net. ;SIP SRV Record _sip._udp.sip IN SRV 10 1 5060 sip _sip._udp.media IN SRV 10 1 5060 media

Check nsd configuration and start service

nsd-checkconf /etc/nsd/nsd.conf /etc/init.d/nsd start rc-update add nsd

Install the SIP Container

Create and Configure the container

lxc-create -n sip -f /etc/lxc/default.conf -t alpine

Create the startup Script

ln -s /etc/init.d/lxc /etc/init.d/lxc.sip

Edit the container's config file found at /var/lib/lxc/sip/config, to reflect the network for the sip container

Contents of /var/lib/lxc/sip/config

... lxc.network.link = bond0.1101 ...

Start the container

/etc/iniit.d/lxc.sip

Configure the container to automatically start

rc-update add lxc.sip

Enter the sip container

lxc-console -n sip

Login as root

Note: If the need arises to exit the container press Ctrl+ a + q

Remove obsolete /etc/network/interfaces

rm /etc/network/interfaces

Create and configure the new /etc/network/interfaces as shown below:

Contents of /etc/network/interfaces

auto lo iface lo inet loopback auto eth0 iface eth0 inet static address 10.2.0.4 netmask 255.255.255.0 gateway 10.2.0.1

Startup networking

/etc/init.d/networking start

Configure and enable proxy settings

setup-proxy http://10.1.0.2:8080 . /etc/profile.d/proxy.sh

Configure remote administration

apk update setup-sshd -c openssh sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config

Start ssh

/etc/init.d/sshd start

Configure a passwd for the container

passwd

Setup acf for web administration

setup-acf

Setup Firewall

apk add acf-awall

With your favorite editor, create the policies for the firewall

Contents of /etc/awall/optional/base.json

{ "description": "Management", "policy": [ { "in": "_fw", "action": "accept" } ], "filter": [ { "out": "_fw", "service": [ "ssh", "https", "ping" ], "action": "accept" } ] }

Contents of /etc/awall/optional/sip.json

{ "description": "Phone System", "filter": [ { "out": "_fw", "service": [ "sip", "sip-tls" ], "action": "accept", } ] }

Contents of /etc/awall/optional/syslog.json

{ "description": "Syslog server", "filter": [ { "out": "_fw", "service": "syslog", "action": "accept" } ] }

Activate the firewall, and allow iptables to startup automatically at boot

awall enable base awall enable sip awall enable syslog awall activate -f rc-update add iptables

Install and Configure Postgresql

Install postgresql package

apk update apk add acf-postgresql

Prepare the database

/etc/init.d/postgresql setup

Configure /var/lib/postgresql/9.3/data/postgresql.conf to set the 'log_destination' variable to show:

Contents of /var/lib/postgresql/9.3/data/postresql.conf

.. log_destination ='syslog'

Start up the database and configure postgresql to start at boot up

/etc/init.d/postgresql start rc-update add postgresql

Install acf-provisioning

TO POPULATE

Install Kamailio

Follow the instructions found here: http://wiki.alpinelinux.org/wiki/Kamailio to install and configure Kamailio

Install the SIP Media container

Create and Configure the container

lxc-create -n sipmedia -f /etc/lxc/default.conf -t alpine

Create the startup Script

ln -s /etc/init.d/lxc /etc/init.d/lxc.sipmedia

Edit the container's config file found at /var/lib/lxc/sipmedia/config, to reflect the network for the SIP Media container

Contents of /var/lib/lxc/sipmedia/config

... lxc.network.link = bond0.1101 ...

Start the container

/etc/init.d/lxc.sipmedia

Configure the container to automatically start

rc-update add lxc.sipmedia

Enter the SIP Media container

lxc-console -n sipmedia

Login as root

Note: If the need arises to exit the container press Ctrl+ a + q

Remove obsolete /etc/network/interfaces

rm /etc/network/interfaces

Create and configure the new /etc/network/interfaces as shown below:

Contents of /etc/network/interfaces

auto lo iface lo inet loopback auto eth0 iface eth0 inet static address 10.2.0.5 netmask 255.255.255.0 gateway 10.2.0.1

Startup networking

/etc/init.d/networking start

Configure and enable proxy settings

setup-proxy http://10.1.0.2:8080 . /etc/profile.d/proxy.sh

Configure remote administration

apk update setup-sshd -c openssh sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config

Start ssh

/etc/init.d/sshd start

Configure a passwd for the container

passwd

Setup acf for web administration

setup-acf

Setup Firewall

apk add acf-awall

With your favorite editor, create the policies for the firewall

Contents of /etc/awall/optional/base.json

{ "description": "Management", "policy": [ { "in": "_fw", "action": "accept" } ], "filter": [ { "out": "_fw", "service": [ "ssh", "https", "ping" ], "action": "accept" } ] }

Contents of /etc/awall/optional/sip-track.json

{ "description": "Phone system with SIP connection tracking", "filter": [ { "out": "_fw", "service": [ "sip", "sip-tls" ], "action": "accept" } ] }

Enable and activate firewall policies, and configure iptables to start at boot

awall enable base awall enable sip-track awall activate -f rc-update add iptables

Install and Configure Freeswitch

Install package

Install Freeswitch Package

Configure /etc/freeswitch/freeswitch.xml

Contents of /etc/freeswitch/freeswitch.xml

TO POPULATE

Start Freeswitch and configure to start at boot

/etc/init.d/freeswitch start rc-update add freeswitch

Install the WiFi Web Proxy Container

Create and Configure the container

lxc-create -n wifi -f /etc/lxc/default.conf -t alpine

Create the startup Script

ln -s /etc/init.d/lxc /etc/init.d/lxc.wifi

Edit the container's config file found at /var/lib/lxc/wifi/config, to reflect the network for the wifi container

Contents of /var/lib/lxc/wifi/config

... lxc.network.link = bond0.701 ...

Start the container

/etc/iniit.d/lxc.wifi

Configure the container to automatically start

rc-update add lxc.wifi

Enter the wifi container

lxc-console -n wifi

Login as root

Note: If the need arises to exit the container press Ctrl+ a + q

Remove obsolete /etc/network/interfaces

rm /etc/network/interfaces

Create and configure the new /etc/network/interfaces as shown below:

Contents of /etc/network/interfaces

auto lo iface lo inet loopback auto eth0 iface eth0 inet static address 172.17.48.1 netmask 255.255.255.0 auto eth1 iface eth1 inet static address 10.1.0.254 netmask 255.255.255.252 gateway 10.1.0.253 auto eth2 iface eth2 inet static address 10.1.0.131 netmask 255.255.255.192

Startup networking

/etc/init.d/networking start


Configure remote administration

apk update setup-sshd -c openssh sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config

Start ssh

/etc/init.d/sshd start

Configure a passwd for the container

passwd

Setup acf for web administration

setup-acf

Setup Firewall

apk add acf-awall

Todo: Need to lock down firewall rules


Install and Configure the Recursive DNS Service

Install unbound package

apk add unbound

With your favorite editor configure /etc/unbound/unbound.conf

Contents of /etc/unbound/unobund.conf

server: verbosity: 1 interface: 172.17.48.1 do-ip4: yes do-ip6: no do-udp: yes do-tcp: yes do-daemonize: yes access-control: 172.17.0.0/16 allow access-control: 127.0.0.0/8 allow do-not-query-localhost: no root-hints: "/etc/unbound/root.hints" python: remote-control: control-enable: no

Install and Configure the Proxy service

Install the necessary packages

apk add squid squark lighttpd

With your preferred editor configure /etc/squid/squid.conf

Contents of /etc/squid/squid.conf

#Squid config 

# This port listens for client requests
http_port 172.17.48.1:8080 transparent
http_port 127.0.0.1:8081

visible_hostname wifi.local
cache_mem 8 MB
# If you don't have an HD installed comment the "cache_dir" line below
cache_dir aufs /var/cache/squid 900 16 256

# Even though we only use one proxy, this line is recommended
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html
hierarchy_stoplist cgi-bin ?

# Keep 7 days of access logs
logfile_rotate 7

logformat squark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %rG
access_log /var/log/squid/access.log squark
cache_store_log none
pid_filename /var/run/squid.pid

# Make sure client IP is passed to Squark
log_uses_indirect_client on
acl_uses_indirect_client on

# Debugging Squid, see http://wiki.squid-cache.org/KnowledgeBase/DebugSections
# for more info
# Keep 7 days of cache log
debug_options rotate=7

# Web auditors want to see the full uri, even with the query terms
strip_query_terms off

refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

coredump_dir /var/cache/squid

dns_nameservers 172.17.48.1

# 
# Authentication
#
# Squark external acl
#external_acl_type squark_snmp_auth_D children-max=1 ttl=4 grace=1 negative_ttl=0 concurrency=128 %SRC /usr/bin/squark-auth-snmp -c public -R <SWITCH_IP> -i <D_VLAN_IF> -v <D_VLAN_ID> -f "%N-%i=%I" -T /etc/squark/topology.conf

#
# Access Control Lists (ACL's)
#

# Standard ACL settings
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp
acl to_localhost dst 172.17.48.1
acl SSL_ports port 443 563 8004 9000
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT

#acl SquarkAuth external squark_auth
#acl SquarkSnmpAuthD external squark_snmp_auth_D

# Squark filter
url_rewrite_program /usr/bin/squark-filter
url_rewrite_children 1 concurrency=128

# Require authentication
acl userlist  src all

# Definition of zones
acl Zone_D src 172.17.48.0/24


#
# Access restrictions
#

cache deny QUERY

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# Allow hosts in Zone_D to access the entire Internet
http_access allow Zone_D

# Denying all access not explictly allowed
http_access deny all

##Squark URL rewriter
#Prevent squark from filtering itself
url_rewrite_access deny manager
url_rewrite_access deny to_localhost

#Finally, permit access
url_rewrite_access allow Zone_D

http_reply_access allow all
icp_access allow all

Configure lighttpd

Contents of /etc/lighttpd/lighttpd.conf

var.basedir  = "/var/www/localhost"
var.logdir   = "/var/log/lighttpd"
var.statedir = "/var/lib/lighttpd"

server.modules = (
    "mod_access",
    "mod_accesslog",
    "mod_extforward"
)

include "mime-types.conf"
include "mod_cgi.conf"

server.username      = "lighttpd"
server.groupname     = "lighttpd"

server.document-root = var.basedir + "/squark"
server.pid-file      = "/var/run/lighttpd.pid"

server.errorlog      = var.logdir  + "/error.log"

server.indexfiles    = ("index.php", "index.html",
						"index.htm", "default.htm")


server.follow-symlink = "enable"

server.port          = 81
server.bind          = "172.17.48.1"

static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")

accesslog.filename   = var.logdir + "/access.log"

url.access-deny = ("~", ".inc")

extforward.forwarder = ("172.17.48.1" => "trust")

Contents of /etc/lighttpd/mod_cgi.conf

###############################################################################
# mod_cgi.conf
# include'd by lighttpd.conf.
# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $
###############################################################################

#
# see cgi.txt for more information on using mod_cgi
#

server.modules += ("mod_cgi")

# NOTE: this requires mod_alias
alias.url = (
     "/cgi-bin/"	    =>	    var.basedir + "/cgi-bin/"
)

#
# Note that you'll also want to enable the
# cgi-bin alias via mod_alias (above).
#

$HTTP["url"] =~ "^/cgi-bin/" {
    # disable directory listings
    dir-listing.activate = "disable"
    # only allow cgi's in this directory
    cgi.assign = (
		".pl"	=>	"/usr/bin/perl",
		".cgi"	=>	"/usr/bin/haserl"
	)
}

# vim: set ft=conf foldmethod=marker et :

Link Squark web pages to the Web server home directory

ln -s /usr/share/squark/www/ /var/www/localhost/squark

Make 'squid' and 'lighttpd' users member of the group squark

addgroup squid squark addgroup lighttpd squark

Start lighttpd and configure the Web service to start at boot

/etc/init.d/lighttpd start rc-update add lighttpd

Start Squid and configure it to start at boot

/etc/init.d/squid start rc-update add squid