Merge Request #17
From fix_external_firewall into master
Fix external firewall
The goal of this MR is to use the integration machine as the SSH gateway (instead of reverseproxy).
Commits (16)
- SSH connections going through reverseproxy -> integration -> <final host>
  Signed-off-by: Sergio Oliveira <sergio@tracy.com.br>
  Signed-off-by: Antonio Terceiro <terceiro@softwarelivre.org>
- Signed-off-by: Sergio Oliveira <sergio@tracy.com.br>
  Signed-off-by: Antonio Terceiro <terceiro@softwarelivre.org>
8 of 16 commits displayed.
Showing 11 changed files
Rakefile
| @@ -114,13 +114,14 @@ $ALT_SSH_PORT = config.fetch('alt_ssh_port', 2222) | @@ -114,13 +114,14 @@ $ALT_SSH_PORT = config.fetch('alt_ssh_port', 2222) | ||
| 114 | $nodes.find { |n| n.hostname == 'reverseproxy' }.data['ssh_port'] = $ALT_SSH_PORT | 114 | $nodes.find { |n| n.hostname == 'reverseproxy' }.data['ssh_port'] = $ALT_SSH_PORT |
| 115 | desc 'Makes configurations needed before the bootstrap phase' | 115 | desc 'Makes configurations needed before the bootstrap phase' |
| 116 | task :preconfig => ssh_config_file do | 116 | task :preconfig => ssh_config_file do |
| 117 | + sh 'mkdir', '-p', 'tmp/' | ||
| 117 | preconfig_file = "tmp/preconfig.#{$SPB_ENV}.stamp" | 118 | preconfig_file = "tmp/preconfig.#{$SPB_ENV}.stamp" |
| 118 | if File.exist?(preconfig_file) | 119 | if File.exist?(preconfig_file) |
| 119 | puts "I: preconfig already done." | 120 | puts "I: preconfig already done." |
| 120 | puts "I: delete #{preconfig_file} to force running again" | 121 | puts "I: delete #{preconfig_file} to force running again" |
| 121 | else | 122 | else |
| 122 | sh 'scp', '-F', ssh_config_file, 'utils/reverseproxy_ssh_setup', 'reverseproxy.unconfigured:/tmp' | 123 | sh 'scp', '-F', ssh_config_file, 'utils/reverseproxy_ssh_setup', 'reverseproxy.unconfigured:/tmp' |
| 123 | - sh 'ssh', '-F', ssh_config_file, 'reverseproxy.unconfigured', 'sudo', '/tmp/reverseproxy_ssh_setup', $ALT_SSH_PORT.to_s | 124 | + sh 'ssh', '-F', ssh_config_file, 'reverseproxy.unconfigured', 'sudo', '/tmp/reverseproxy_ssh_setup', $ALT_SSH_PORT.to_s, ips['reverseproxy'], ips['integration'] |
| 124 | 125 | ||
| 125 | File.open(preconfig_file, 'w') do |f| | 126 | File.open(preconfig_file, 'w') do |f| |
| 126 | f.puts($ALT_SSH_PORT) | 127 | f.puts($ALT_SSH_PORT) |
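Review bot: ips is used on the new ssh line (ips['reverseproxy'], ips['integration']) but nothing in this hunk defines it; confirm it is in scope inside the :preconfig task rather than only inside another task. A second point: the stamp file written at the end records only $ALT_SSH_PORT, yet the setup script now also depends on the two addresses, so changing either address later will not re-run preconfig. Either write the addresses into the stamp and compare them, or say in the "delete ... to force running again" message that this is required after an address change. Passing the values as separate array elements to sh (rather than one interpolated command string) is right, since it keeps them out of shell interpretation.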
config/dev/ssh_config
| 1 | Host * | 1 | Host * |
| 2 | ForwardAgent yes | 2 | ForwardAgent yes |
| 3 | 3 | ||
| 4 | -Host reverseproxy | 4 | +Host reverseproxy.unconfigured |
| 5 | Hostname 189.9.151.16 | 5 | Hostname 189.9.151.16 |
| 6 | User spb | 6 | User spb |
| 7 | 7 | ||
| 8 | +Host reverseproxy | ||
| 9 | + Hostname 10.18.0.15 | ||
| 10 | + User spb | ||
| 11 | + Port 5555 | ||
| 12 | + ProxyCommand ssh spb@189.9.151.16 -p 22 nc %h 5555 | ||
| 13 | + | ||
| 8 | Host database | 14 | Host database |
| 9 | Hostname 10.18.0.16 | 15 | Hostname 10.18.0.16 |
| 10 | User spb | 16 | User spb |
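Review bot: the new reverseproxy entry repeats the alternative port (Port 5555 and nc %h 5555); write the ProxyCommand as ssh spb@189.9.151.16 -p 22 nc %h %p so the port has one source of truth. The Rakefile defaults alt_ssh_port to 2222 and no dev config.yaml change appears in this MR, so confirm the dev environment really sets alt_ssh_port: 5555, otherwise this entry points at a port nothing listens on. Also, ForwardAgent yes under Host * applies to the inner ssh in the ProxyCommand as well, so the agent is forwarded to the jump host (integration after this MR) on every connection, where it is not needed; move ForwardAgent to the entries that actually need it.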
| @@ -24,7 +30,6 @@ Host email | @@ -24,7 +30,6 @@ Host email | ||
| 24 | ProxyCommand ssh spb@189.9.151.16 nc %h %p | 30 | ProxyCommand ssh spb@189.9.151.16 nc %h %p |
| 25 | 31 | ||
| 26 | Host integration | 32 | Host integration |
| 27 | - Hostname 10.18.0.19 | 33 | + Hostname 189.9.151.16 |
| 28 | User spb | 34 | User spb |
| 29 | - # connect via reverseproxy host | ||
| 30 | - ProxyCommand ssh spb@189.9.151.16 nc %h %p | 35 | + # Porta 22 de 189.9.151.16 cai aqui entao nao precisa de ProxyCommand |
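Review bot: the new comment is in Portuguese ("Port 22 of 189.9.151.16 lands here, so no ProxyCommand is needed") in an otherwise English file; keep one language. More importantly, integration and reverseproxy.unconfigured now both mean 189.9.151.16 on port 22, and ssh keys known_hosts on that address: before preconfig it answers with reverseproxy's host key, after preconfig (DNAT in place) with integration's, so the first connection after bootstrap raises a host-key-changed warning that people will learn to click through. Give the two entries different HostKeyAlias values so each key is stored under its own name. The email entry's ProxyCommand in the context above now also jumps through integration rather than reverseproxy; it keeps working because every host accepts SSH from integration, but it deserves a comment.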
config/homologa/config.yaml
| @@ -3,6 +3,7 @@ admins: | @@ -3,6 +3,7 @@ admins: | ||
| 3 | - ["Marisa Souza dos Santos", "marisa.santos@planejamento.gov.br"] | 3 | - ["Marisa Souza dos Santos", "marisa.santos@planejamento.gov.br"] |
| 4 | external_hostname: homologa.softwarepublico.gov.br | 4 | external_hostname: homologa.softwarepublico.gov.br |
| 5 | external_ip: 189.9.151.65 | 5 | external_ip: 189.9.151.65 |
| 6 | +alt_ssh_port: 55555 | ||
| 6 | site_url: https://homologa.softwarepublico.gov.br | 7 | site_url: https://homologa.softwarepublico.gov.br |
| 7 | colab_from_address: '"Portal do Software Publico (homologação)" <noreply@homologa.softwarepublico.gov.br>' | 8 | colab_from_address: '"Portal do Software Publico (homologação)" <noreply@homologa.softwarepublico.gov.br>' |
| 8 | server_email: '"Portal do Software Publico (homologação)" <noreply@homologa.softwarepublico.gov.br>' | 9 | server_email: '"Portal do Software Publico (homologação)" <noreply@homologa.softwarepublico.gov.br>' |
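Review bot: this value must match the Port 55555 and nc %h 55555 hardcoded in config/homologa/ssh_config, and nothing enforces that; add a comment here saying so, or derive the ssh_config from it. config/production/ssh_config also assumes 55555, but no config/production/config.yaml change is in this diff, so confirm alt_ssh_port is already set there.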
config/homologa/ssh_config
| @@ -8,8 +8,9 @@ Host reverseproxy.unconfigured | @@ -8,8 +8,9 @@ Host reverseproxy.unconfigured | ||
| 8 | Host reverseproxy | 8 | Host reverseproxy |
| 9 | Hostname 10.0.13.2 | 9 | Hostname 10.0.13.2 |
| 10 | User spb | 10 | User spb |
| 11 | + Port 55555 | ||
| 11 | # connect via reverseproxy host | 12 | # connect via reverseproxy host |
| 12 | - ProxyCommand ssh spb@189.9.151.65 nc %h %p | 13 | + ProxyCommand ssh spb@189.9.151.65 -p 22 nc %h 55555 |
| 13 | 14 | ||
| 14 | Host database | 15 | Host database |
| 15 | Hostname 10.0.13.6 | 16 | Hostname 10.0.13.6 |
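Review bot: the "connect via reverseproxy host" comment is now wrong: the jump target 189.9.151.65 port 22 is DNATed to integration by this MR, so the hop is via integration and reverseproxy is the destination. Update the comment, and use nc %h %p instead of repeating 55555 now that Port 55555 is set on the entry.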
| @@ -30,6 +31,6 @@ Host email | @@ -30,6 +31,6 @@ Host email | ||
| 30 | ProxyCommand ssh spb@189.9.151.65 nc %h %p | 31 | ProxyCommand ssh spb@189.9.151.65 nc %h %p |
| 31 | 32 | ||
| 32 | Host integration | 33 | Host integration |
| 33 | - Hostname 10.0.13.7 | 34 | + Hostname 189.9.151.65 |
| 34 | User spb | 35 | User spb |
| 35 | # Porta 22 de 189.9.151.65 cai aqui entao nao precisa de ProxyCommand | 36 | # Porta 22 de 189.9.151.65 cai aqui entao nao precisa de ProxyCommand |
config/local/iptables-filter-rules
| 1 | 1 | ||
| 2 | # Accept SSH connection from virtualbox host | 2 | # Accept SSH connection from virtualbox host |
| 3 | +-A INPUT -s 10.10.10.1 -p tcp -m state --state NEW --dport 5555 -j ACCEPT | ||
| 3 | -A INPUT -s 10.10.10.1 -p tcp -m state --state NEW --dport 22 -j ACCEPT | 4 | -A INPUT -s 10.10.10.1 -p tcp -m state --state NEW --dport 22 -j ACCEPT |
| 4 | -A INPUT -s 10.0.2.2 -p tcp -m state --state NEW --dport 22 -j ACCEPT | 5 | -A INPUT -s 10.0.2.2 -p tcp -m state --state NEW --dport 22 -j ACCEPT |
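Review bot: port 5555 is opened only from 10.10.10.1, while port 22 stays open from both 10.10.10.1 and 10.0.2.2 on the lines below; if the box is also reached through the 10.0.2.2 NAT path, the alternative port needs the same second rule. If 10.0.2.2 access is intentionally limited to port 22 (which after preconfig is redirected to integration), say so in the comment.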
config/production/ssh_config
| @@ -2,32 +2,27 @@ Host * | @@ -2,32 +2,27 @@ Host * | ||
| 2 | ForwardAgent yes | 2 | ForwardAgent yes |
| 3 | 3 | ||
| 4 | Host reverseproxy | 4 | Host reverseproxy |
| 5 | - Hostname 164.41.9.49 | 5 | + Hostname 10.10.40.49 |
| 6 | Port 55555 | 6 | Port 55555 |
| 7 | + ProxyCommand ssh 164.41.9.49 -p 22 nc %h 55555 | ||
| 7 | 8 | ||
| 8 | Host reverseproxy.unconfigured | 9 | Host reverseproxy.unconfigured |
| 9 | Hostname 164.41.9.49 | 10 | Hostname 164.41.9.49 |
| 10 | 11 | ||
| 12 | +Host integration | ||
| 13 | + Hostname 164.41.9.49 | ||
| 14 | + | ||
| 11 | Host database | 15 | Host database |
| 12 | Hostname 10.10.40.47 | 16 | Hostname 10.10.40.47 |
| 13 | - Port 55555 | ||
| 14 | # connect via reverseproxy host | 17 | # connect via reverseproxy host |
| 15 | ProxyCommand ssh 164.41.9.49 -p %p nc %h 22 | 18 | ProxyCommand ssh 164.41.9.49 -p %p nc %h 22 |
| 16 | 19 | ||
| 17 | Host social | 20 | Host social |
| 18 | Hostname 10.10.40.46 | 21 | Hostname 10.10.40.46 |
| 19 | - Port 55555 | ||
| 20 | # connect via reverseproxy host | 22 | # connect via reverseproxy host |
| 21 | ProxyCommand ssh 164.41.9.49 -p %p nc %h 22 | 23 | ProxyCommand ssh 164.41.9.49 -p %p nc %h 22 |
| 22 | 24 | ||
| 23 | Host email | 25 | Host email |
| 24 | Hostname 10.10.40.48 | 26 | Hostname 10.10.40.48 |
| 25 | - Port 55555 | ||
| 26 | - # connect via reverseproxy host | ||
| 27 | - ProxyCommand ssh 164.41.9.49 -p %p nc %h 22 | ||
| 28 | - | ||
| 29 | -Host integration | ||
| 30 | - Hostname 10.10.40.45 | ||
| 31 | - Port 55555 | ||
| 32 | # connect via reverseproxy host | 27 | # connect via reverseproxy host |
| 33 | ProxyCommand ssh 164.41.9.49 -p %p nc %h 22 | 28 | ProxyCommand ssh 164.41.9.49 -p %p nc %h 22 |
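Review bot: dropping Port 55555 from database, social and email while leaving ProxyCommand ssh 164.41.9.49 -p %p nc %h 22 means the jump now works only because %p falls back to 22, which the DNAT sends to integration; the command still encodes the old scheme (jump port taken from %p, target port fixed at 22). Rewrite these as ProxyCommand ssh 164.41.9.49 nc %h %p so the entry's Port applies to the target and a future Port line cannot silently move the jump. The three "connect via reverseproxy host" comments are stale for the same reason (the hop is integration now), and the new reverseproxy entry should use nc %h %p rather than repeating 55555.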
cookbooks/basics/recipes/default.rb
| @@ -73,7 +73,17 @@ if node['platform'] == 'centos' | @@ -73,7 +73,17 @@ if node['platform'] == 'centos' | ||
| 73 | end | 73 | end |
| 74 | end | 74 | end |
| 75 | 75 | ||
| 76 | +# reload node[:fqdn] to make sure it reflects the contents of /etc/hosts | ||
| 77 | +# without that the variable :fqdn would not be available on first run | ||
| 78 | +ruby_block 'fqdn:update' do | ||
| 79 | + block do | ||
| 80 | + node.default[:fqdn] = `hostname --fqdn`.strip | ||
| 81 | + end | ||
| 82 | + action :nothing | ||
| 83 | +end | ||
| 84 | + | ||
| 76 | template '/etc/hosts' do | 85 | template '/etc/hosts' do |
| 77 | owner 'root' | 86 | owner 'root' |
| 78 | mode 0644 | 87 | mode 0644 |
| 88 | + notifies :run, 'ruby_block[fqdn:update]', :immediately | ||
| 79 | end | 89 | end |
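Review bot: the backtick-quoted hostname --fqdn swallows failure: if the name cannot be resolved (the exact first-run case this block exists for, should /etc/hosts be rendered wrong) the command prints nothing, the block sets node.default[:fqdn] to an empty string, and the run continues with a bad fqdn. Check $?.success? after the backticks and raise, or use shell_out!('hostname --fqdn').stdout.strip, which raises on failure. Also, only resources whose attributes are evaluated after this block runs (lazy attributes, or resources compiled later in the run) see the new value; anything that interpolated node[:fqdn] at compile time keeps the old one, so the comment should say which consumers this is meant to fix.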
cookbooks/firewall/templates/default/iptables.erb
| @@ -18,8 +18,8 @@ | @@ -18,8 +18,8 @@ | ||
| 18 | 18 | ||
| 19 | -A INPUT -i lo -j ACCEPT | 19 | -A INPUT -i lo -j ACCEPT |
| 20 | 20 | ||
| 21 | -# Everybody need to accept SSH from reverseproxy | ||
| 22 | --A INPUT -s <%= node['peers']['reverseproxy'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT | 21 | +# Everybody need to accept SSH from integration |
| 22 | +-A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT | ||
| 23 | 23 | ||
| 24 | <%= node['firewall'] %> | 24 | <%= node['firewall'] %> |
| 25 | <%= render 'iptables-filter.erb' %> | 25 | <%= render 'iptables-filter.erb' %> |
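Review bot: after this change every host, reverseproxy included (whose real sshd port is likewise limited to integration in host-reverseproxy/iptables-filter.erb), accepts SSH only from integration, so integration becomes the single point of failure for administrative access: if it is down, renumbered, or its firewall misrendered, no other host can be reached over SSH without console access. That is an acceptable trade for a single gateway, but it belongs in the firewall docs, together with the note that node['peers']['integration'] must be populated on every host rendering this template, including integration itself.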
cookbooks/firewall/templates/host-integration/iptables-filter.erb
| 1 | 1 | ||
| 2 | +# Allow SMTP connections | ||
| 3 | +-A INPUT -s <%= node['peers']['email'] %> -p tcp -m state --state NEW --dport 25 -j ACCEPT | ||
| 4 | + | ||
| 2 | # Allow HTTP access | 5 | # Allow HTTP access |
| 3 | -A INPUT -s <%= node['peers']['reverseproxy'] %> -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT | 6 | -A INPUT -s <%= node['peers']['reverseproxy'] %> -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT |
| 7 | + | ||
| 8 | +# Allow SSH connections redirected from integration | ||
| 9 | +-A INPUT -s <%= node['peers']['reverseproxy'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT |
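Review bot: the comment "Allow SSH connections redirected from integration" has the direction reversed: these are connections redirected to integration by reverseproxy's DNAT, and the matching SNAT in utils/reverseproxy_ssh_setup rewrites their source to reverseproxy's address, which is why the rule matches -s node['peers']['reverseproxy']. Reword it. The side effect should be documented: every external SSH login on integration will appear to originate from reverseproxy, so sshd logs, last/lastlog, and any per-source rate limiting on integration lose the real client address. The SMTP rule from the email host is unrelated to the MR's stated goal; a sentence in the description on why integration now listens on port 25 would help.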
cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb
| @@ -6,4 +6,8 @@ | @@ -6,4 +6,8 @@ | ||
| 6 | -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT | 6 | -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT |
| 7 | 7 | ||
| 8 | # Real SSH connection | 8 | # Real SSH connection |
| 9 | --A INPUT -p tcp -m state --state NEW --dport <%= node['config']['alt_ssh_port'] %> -j ACCEPT | 9 | +-A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW --dport <%= node['config']['alt_ssh_port'] %> -j ACCEPT |
| 10 | + | ||
| 11 | +# Allow forwarding to integration on port 22 | ||
| 12 | +-A FORWARD -p tcp -d <%= node['peers']['integration'] %> --dport 22 -j ACCEPT | ||
| 13 | +-A FORWARD -s <%= node['peers']['integration'] %> -p tcp --sport 22 -j ACCEPT |
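Review bot: the two FORWARD rules only restrict anything if the FORWARD chain's policy is DROP, which is not visible in this template; if it is ACCEPT (the kernel default), the net.ipv4.ip_forward=1 set by reverseproxy_ssh_setup turns reverseproxy into a router for all traffic between its interfaces, not just the SSH redirect. Please confirm the policy. The return rule -A FORWARD -s integration -p tcp --sport 22 -j ACCEPT also admits any packet from integration with source port 22 to any destination; the reply direction should be matched with -m state --state ESTABLISHED,RELATED instead. Limiting the real sshd port to -s integration is the right hardening: from now on that port is not reachable from the Internet at all.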
utils/reverseproxy_ssh_setup
| 1 | #!/bin/sh | 1 | #!/bin/sh |
| 2 | 2 | ||
| 3 | set -e | 3 | set -e |
| 4 | +set -x | ||
| 4 | 5 | ||
| 5 | port="$1" | 6 | port="$1" |
| 7 | +reverseproxy_ip="$2" | ||
| 8 | +integration_ip="$3" | ||
| 6 | 9 | ||
| 7 | # switch SSH to port $port | 10 | # switch SSH to port $port |
| 8 | sed -i -e 's/^#\?\s*Port\s*[0-9]\+\s*$/Port '$port'/g' /etc/ssh/sshd_config | 11 | sed -i -e 's/^#\?\s*Port\s*[0-9]\+\s*$/Port '$port'/g' /etc/ssh/sshd_config |
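Review bot: $2 and $3 are consumed without validation. With set -e a missing argument does not fail here; it fails at the iptables lines at the end, after systemctl restart sshd has already moved sshd off port 22 and with no DNAT in place, which leaves the host reachable only on the alternative port. Validate all three arguments at the top ([ $# -eq 3 ] || { echo "usage: $0 port reverseproxy_ip integration_ip" >&2; exit 2; }) before anything is modified. set -x will echo every command, addresses included, into the Rake output; fine for a bootstrap script, as long as it is deliberate.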
| @@ -23,3 +26,8 @@ fi | @@ -23,3 +26,8 @@ fi | ||
| 23 | 26 | ||
| 24 | # Restart SSH | 27 | # Restart SSH |
| 25 | systemctl restart sshd | 28 | systemctl restart sshd |
| 29 | + | ||
| 30 | +# Setup port redirect | ||
| 31 | +iptables -t nat -A PREROUTING -d $reverseproxy_ip/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination $integration_ip:22 | ||
| 32 | +iptables -t nat -A POSTROUTING -d $integration_ip/32 -p tcp -m tcp --dport 22 -j SNAT --to-source $reverseproxy_ip | ||
| 33 | +sysctl -w net.ipv4.ip_forward=1 |
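Review bot: three problems with the NAT block. It is not idempotent: -A appends a fresh copy of each rule on every run (the Rakefile stamp prevents repeats, but removing the stamp to force preconfig again duplicates them); guard each rule with iptables -t nat -C ... || iptables -t nat -A .... Nothing persists it: the firewall cookbook renders the filter table, and unless it also carries these PREROUTING/POSTROUTING rules and the sysctl, a reboot of reverseproxy silently drops the gateway while every ssh_config still points at port 22. And the DNAT matches only -d $reverseproxy_ip/32: the ssh_config files connect to the external address (189.9.151.65, 164.41.9.49) while Host reverseproxy uses an internal one (10.0.13.2, 10.10.40.49), so confirm ips['reverseproxy'] is the address the packets actually arrive with, or the rule never fires. Finally, the SNAT hides the client's address from integration; if integration's default route already goes back through reverseproxy, the SNAT can be dropped and integration keeps real source IPs in its logs.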
- Added 31 new commits:
- 81f6188b - Fixed ssh proxy command for reverseproxy on prod environment
- a17fd863 - Merge remote-tracking branch 'origin' into fix_external_firewall
- 28a8fdc6 - DNS doc: don't include any header, just the tables
- ca349857 - checkpoint + Data for the staging environment
- 12282a24 - Fix DNS tests
- 0d471dbc - Adjustments
- 84b6e8d2 - add iptables filter rules for homologa
- 0cf50427 - Preprocess all documentation
- 779c4822 - docs/firewall.rst.in: reformat tables
- 2ffd92c7 - docs: change version
- 0f03ffa4 - Documentation v1
- 484e08a2 - Add DNS tests and documentation generator
- dee504c4 - Include DNS information in the documentation
- 2ee1cfc0 - Add task to build docs from the top level
- b7ed4bec - Using rst instead of markdown for dns tables
- 5f9c8637 - remove broken link
- e027d93b - Basic structure of the Operations Manual
- f7aa2bc2 - architecture: placeholder image
- 11ad1650 - split intro into its own file
- b7d9fecb - Added firewall docs
- 01b52992 - Initial documentation to backup/restore
- c4b4aa28 - Merge remote-tracking branch 'origin/doc' into doc
- dbb4efb7 - minor wording change
- 6f79024c - Add task to view PDF documentation
- d9cc7a19 - Merge branch 'doc'
- 840fee00 - add pdfupload task to upload the PDF to the git repository
- df29bbe2 - pdfupload: push only the tag that was just created
- ad506c07 - docs: move all autogenerated files to _build/
- 5cd1d036 - Using box from vagrant cloud.
- c8fcf6d2 - Merge branch 'vagrant-box' into 'master'
- ee211922 - Merge remote-tracking branch 'origin' into fix_external_firewall
- We also need to validate/update the files config/dev/ssh_config and config/homologa/ssh_config.
- Added 23 new commits:
- a7b28c0c - Merge branch 'master' into fix_external_firewall
- a0ec6a64 - homologa: insert SSH configuration
- 0190f0ad - Complete config for development environment
- 91a1d114 - relay: support an external outgoing relay
- ff7b3a78 - tests: hit the externally available locations
- c3f96231 - Rename development environment
- 4dd0ec80 - pdf: include $SPB_ENV in filename
- 548fd9e6 - doc: put $SPB_ENV in tag names
- c574e691 - DNS tests/doc: include SPF data
- 57ea5789 - Support using lxc containers
- ff4a882e - Activate the plugins used for noosfero
- a83978ef - Fix wrong plugin name with double " ie "Plugin""
- f3b84d8f - Fix activate plugins. Now it uses a rake task to activate all plugins that are enabled
- 039e2ae8 - Merge branch 'activate_plugins' into 'master'
- eaad492b - Enabled memcached service on social
- c3cfe258 - Install and start memcached for colab
- 5ee6094d - Merge branch 'enable_memcached' into 'master'
- bf4e46ee - lxc: cache sudo credentials before bringing boxes up
- fb9fc3fc - fix plugin enablement
- 10387ca5 - avoid running rake task before it exists
- 03e701e0 - Merge remote-tracking branch 'origin' into fix_external_firewall
- 14fcbd84 - Added alternative ssh port
- b518a8a4 - Updated ssh proxy commands
- mentioned in commit da04baca47b7c5f431116a0c0e0051e002203b71