azcrumpty's Site

IPv6 Home Network DMZ: Ubuntu Tier 1 Server

10/6/2012

 
The tier one Internet-facing server is an Ubuntu 12.04 server that runs the Squid caching proxy in reverse proxy (accelerator) mode. That is overkill for this site, but this series of articles is just a demo, so anything else can be dropped into its place.

The server's real host name, tier1, is different from its vanity name, azcrumpty.dyndns.org.

The configuration consists of static resolv.conf files and static interface definitions.  The proxy address and port are added to /etc/environment so services that speak HTTP or FTP can reach the web through the router's proxy.  The resolvconf base file points name service at the same router address the proxy listens on, since the router provides both services to this host.  The /etc/network/interfaces file holds the static assignments that bring networking up.

Application configuration comes next.  Postfix is told to accept mail for the vanity domain azcrumpty.dyndns.org, and the apt package manager is told to use the proxy.  Squid is configured to listen on port 80 (plaintext HTTP) as an accelerator and to forward to its peer on tier 2.  The ACLs are what keep that Internet-facing listener from being an open proxy: only requests for azcrumpty.dyndns.org are allowed, and only those are handed to the peer.  Note that the http_access allow line has to sit above the stock http_access deny all near the end of squid.conf, because Squid takes the first matching rule.

/etc/environment

azcrumpty@tier1:~$ cat /etc/environment
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"
http_proxy="http://[2001:470:f379:31::1]:3128"
https_proxy="http://[2001:470:f379:31::1]:3128"
ftp_proxy="http://[2001:470:f379:31::1]:3128"

/etc/resolvconf/resolv.conf.d/base (source of /etc/resolv.conf)

azcrumpty@tier1:~$ cat /etc/resolvconf/resolv.conf.d/base
nameserver 2001:470:f379:31::1
domain chickenkiller.com
search chickenkiller.com

/etc/network/interfaces

azcrumpty@tier1:~$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#iface eth0 inet dhcp
# This is a statically configured IPv6 interface
auto eth0
iface eth0 inet6 static
     address 2001:470:f379:31::10
     netmask 64
     gateway 2001:470:f379:31::1

/etc/postfix/main.cf

azcrumpty@tier1:~$ grep mydest /etc/postfix/main.cf
mydestination = tier1.CHICKENKILLER.COM, tier1, azcrumpty.dyndns.org, localhost.localdomain, localhost

Apt Proxy Configuration

azcrumpty@tier1:~$ cat /etc/apt/apt.conf.d/00Proxy
Acquire::http::Proxy "http://[2001:470:f379:31::1]:3128";

/etc/squid3/squid.conf

# This file is large; only the changes are shown

...
http_port 80 accel defaultsite=azcrumpty.dyndns.org
...
cache_peer fd01:470:f379:32::20 parent 80 0 no-query originserver name=myAccel
...
acl our_sites dstdomain azcrumpty.dyndns.org
http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
...
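Those four ACL lines are the difference between an accelerator and an open proxy, and both ways of getting them wrong (pasting the allow below the stock http_access deny all, or leaving out cache_peer_access myAccel deny all) fail silently: Squid starts, the site works or it doesn't, and nothing says why.  Here is an added shell check, written for this article and not part of the original configuration, that reads a squid.conf and reports those mistakes.  The ACL and peer names default to the ones used above; the two sample configs at the bottom are constructed for the demo.

```shell
#!/bin/sh
# squid_accel_lint: static check of a Squid accelerator (reverse proxy) config
# for the mistakes that quietly turn it into an open proxy.  Added example for
# this article; not the article's own configuration.  Reads squid.conf on
# stdin, prints one FAIL line per problem and returns non-zero if any was found.
# $1 is the site ACL name and $2 the cache_peer name; defaults are the names
# used in the article.
squid_accel_lint() {
    acl="${1:-our_sites}"
    peer="${2:-myAccel}"
    # Number every line first (so reported numbers are real file lines), then
    # drop comments and lines that became empty.  Order matters because Squid
    # applies http_access rules first match wins.
    body=$(awk '{ print NR ": " $0 }' | sed -e 's/#.*//' -e '/^[0-9]*:[[:space:]]*$/d')
    rc=0

    # 1. http_port must carry 'accel'; a bare 'http_port 80' is a forward proxy
    #    listening on the Internet-facing port.
    printf '%s\n' "$body" | grep -Eq 'http_port[[:space:]].*[[:space:]]accel' \
        || { echo "FAIL: http_port is not an accelerator (no accel option)"; rc=1; }

    # 2. The allow for our site must sit above the final 'deny all': below it
    #    nothing reaches the origin, and without the deny all everything does.
    allow=$(printf '%s\n' "$body" \
        | grep -E "http_access[[:space:]]+allow[[:space:]]+$acl([[:space:]]|\$)" \
        | head -n 1 | cut -d: -f1)
    deny=$(printf '%s\n' "$body" \
        | grep -E 'http_access[[:space:]]+deny[[:space:]]+all([[:space:]]|$)' \
        | tail -n 1 | cut -d: -f1)
    if [ -z "$allow" ]; then
        echo "FAIL: no 'http_access allow $acl' rule"; rc=1
    elif [ -z "$deny" ]; then
        echo "FAIL: no final 'http_access deny all' (open proxy)"; rc=1
    elif [ "$allow" -gt "$deny" ]; then
        echo "FAIL: 'http_access allow $acl' (line $allow) comes after 'deny all' (line $deny)"; rc=1
    fi

    # 3. 'http_access allow all' anywhere makes the listener an open proxy.
    printf '%s\n' "$body" | grep -Eq 'http_access[[:space:]]+allow[[:space:]]+all([[:space:]]|$)' \
        && { echo "FAIL: 'http_access allow all' present"; rc=1; }

    # 4. The origin peer may only be handed requests for our site.
    printf '%s\n' "$body" \
        | grep -Eq "cache_peer_access[[:space:]]+$peer[[:space:]]+deny[[:space:]]+all([[:space:]]|\$)" \
        || { echo "FAIL: 'cache_peer_access $peer deny all' missing"; rc=1; }

    return $rc
}

# Constructed sample: the article's accelerator lines in the right order, with
# the stock 'deny all' last.
good_conf() {
    cat <<'EOF'
# accelerator for azcrumpty.dyndns.org
http_port 80 accel defaultsite=azcrumpty.dyndns.org
cache_peer fd01:470:f379:32::20 parent 80 0 no-query originserver name=myAccel
acl our_sites dstdomain azcrumpty.dyndns.org
http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
http_access deny all
EOF
}

# Constructed sample: accel forgotten, the allow pasted below 'deny all',
# and no 'cache_peer_access myAccel deny all'.
bad_conf() {
    cat <<'EOF'
http_port 80
cache_peer fd01:470:f379:32::20 parent 80 0 no-query originserver name=myAccel
acl our_sites dstdomain azcrumpty.dyndns.org
http_access deny all
http_access allow our_sites
cache_peer_access myAccel allow our_sites
EOF
}
```

On the real host run it as `squid_accel_lint < /etc/squid3/squid.conf`; a clean run prints nothing and exits 0.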
Previous: Firewall Rules
Next: Tier 2 Web Application

IPv6 Home Network DMZ: Ubuntu Tier 2 Server

10/6/2012

 
The tier two server runs the application logic, WordPress 3.4.2.  The LAMP option was chosen on the Ubuntu Server installer's software selection page, and this server uses static configuration files for name service and network configuration like the other nodes.

Note that the environment file uses the tier 2 router address, unlike the tier 1 server.  I could have opened the firewall ports so that every tier reached these services on one interface, and then the environment files would use the same values.

WordPress was installed into /var/www and configured to talk to the MySQL database in tier three.  You can see that the WordPress config has the tier3 host name in DB_HOST and that all of the WordPress files sit directly in /var/www.  One thing to notice in the listing: wp-config.php, which holds the database password, is mode 0444, so every local account on tier 2 can read it; restricting it to its owner and the web server's group is a cheap improvement.

/etc/environment

# Add proxies to environment file
#
azcrumpty@tier2:~$ cat /etc/environment
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"
http_proxy="http://[fd01:470:f379:32::1]:3128"
https_proxy="http://[fd01:470:f379:32::1]:3128"
ftp_proxy="http://[fd01:470:f379:32::1]:3128"

/etc/resolvconf/resolv.conf.d/base (source of /etc/resolv.conf)

# set domain name server and domain in resolv conf base

azcrumpty@tier2:~$ cat /etc/resolvconf/resolv.conf.d/base
nameserver fd01:470:f379:32::1
domain chickenkiller.com
search chickenkiller.com

/etc/network/interfaces

azcrumpty@tier2:~$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#iface eth0 inet dhcp
# This is a statically configured IPv6 interface
auto eth2
iface eth2 inet6 static
     address fd01:470:f379:32::20
     netmask 64
     gateway fd01:470:f379:32::1

wp-config.php

azcrumpty@tier2:~$ grep tier3 /var/www/wp-config.php
define('DB_HOST', 'tier3.chickenkiller.com');

/var/www

# Note WordPress is installed into /var/www without being in a subdir

azcrumpty@tier2:~$ ls -ltr /var/www
total 172
-rw-r--r-- 1 wpwriter wpwriter 1997 Oct 23 2010 wp-links-opml.php
-rw-r--r-- 1 wpwriter wpwriter 3177 Nov 1 2010 wp-config-sample.php
-rw-r--r-- 1 wpwriter wpwriter 4264 Dec 13 2011 wp-activate.php
-rw-r--r-- 1 wpwriter wpwriter 3700 Jan 8 2012 wp-trackback.php
-rw-r--r-- 1 wpwriter wpwriter 271 Jan 8 2012 wp-blog-header.php
-rw-r--r-- 1 wpwriter wpwriter 395 Jan 8 2012 index.php
-rw-r--r-- 1 wpwriter wpwriter 2726 Jan 9 2012 wp-cron.php
-rw-r--r-- 1 wpwriter wpwriter 2788 Feb 16 2012 xmlrpc.php
-rw-r--r-- 1 wpwriter wpwriter 3522 Apr 10 11:21 wp-comments-post.php
-rw-r--r-- 1 wpwriter wpwriter 18299 Apr 21 00:40 wp-signup.php
-rw-r--r-- 1 wpwriter wpwriter 9916 Apr 26 22:54 wp-settings.php
-rw-r--r-- 1 wpwriter wpwriter 7712 May 2 07:32 wp-mail.php
-rw-r--r-- 1 wpwriter wpwriter 19929 May 6 01:28 license.txt
-rw-r--r-- 1 wpwriter wpwriter 1354 May 13 15:41 wp-app.php
-rw-r--r-- 1 wpwriter wpwriter 29084 Jun 26 12:53 wp-login.php
-rw-r--r-- 1 wpwriter wpwriter 9177 Sep 3 17:23 readme.html
-rw-r--r-- 1 wpwriter wpwriter 2395 Sep 4 14:31 wp-load.php
drwxr-xr-x 8 wpwriter wpwriter 4096 Sep 6 13:43 wp-includes
drwxr-xr-x 4 wpwriter wpwriter 4096 Sep 6 13:43 wp-content
drwxr-xr-x 9 wpwriter wpwriter 4096 Sep 6 13:43 wp-admin
-r--r--r-- 1 wpwriter wpwriter 3670 Sep 29 20:38 wp-config.php
-rw-r--r-- 1 wpwriter wpwriter 1150 Sep 29 23:46 favicon.ico
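The listing shows the shape you want: the tree is owned by wpwriter rather than the web server account, so a compromised PHP process cannot rewrite the code.  The weak spot is wp-config.php at 0444, because it carries the tier 3 database password.  The following audit is an added example for this article, not part of the original setup; it walks a document root and reports world-writable entries, files owned by the web server user (assumed to be www-data, Ubuntu's Apache account), and a wp-config.php readable by other accounts.  The demo tree it builds in a temp directory is constructed to show the failures.

```shell
#!/bin/sh
# wp_perm_audit: check a WordPress document root for the file-permission
# problems that matter most in a DMZ.  Added example for this article, not part
# of the original setup.  Usage: wp_perm_audit /var/www www-data
# Prints one FAIL line per finding and returns non-zero if there was any.
wp_perm_audit() {
    root="$1"
    webuser="${2:-www-data}"   # Ubuntu's Apache account (assumption for these hosts)
    rc=0

    # 1. Anything writable by everyone: a local account or a compromised PHP
    #    process could drop a web shell next to index.php.
    ww=$(find "$root" -perm -002 ! -type l)
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/^/FAIL: world-writable: /'
        rc=1
    fi

    # 2. Code owned by the web server account is code the web server can
    #    rewrite.  wp-content/uploads legitimately belongs to it, so skip that.
    #    (The article's tree is owned by wpwriter, which is the right shape.)
    owned=$(find "$root" -path "$root/wp-content/uploads" -prune -o \
                 -user "$webuser" ! -type l -print 2>/dev/null | grep -c '' || true)
    if [ "$owned" -ne 0 ]; then
        echo "FAIL: $owned entries under $root are owned by $webuser"
        rc=1
    fi

    # 3. wp-config.php carries DB_PASSWORD; 'other' must not be able to read it.
    cfg="$root/wp-config.php"
    if [ -f "$cfg" ] && [ -n "$(find "$cfg" -perm -004)" ]; then
        echo "FAIL: $cfg is readable by everyone (contains the database password)"
        rc=1
    fi

    return $rc
}

# Constructed demo tree in a temp directory, shaped like the article's listing
# but with two deliberate mistakes: a world-writable plugin file and the
# world-readable wp-config.php from the listing.  Prints the directory.
make_demo_root() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/plugins" "$d/wp-content/uploads" "$d/wp-admin"
    printf '<?php\n' > "$d/index.php"
    printf "<?php define('DB_HOST', 'tier3.chickenkiller.com');\n" > "$d/wp-config.php"
    printf '<?php\n' > "$d/wp-content/plugins/hello.php"
    find "$d" -type d -exec chmod 755 {} +
    chmod 644 "$d/index.php"
    chmod 444 "$d/wp-config.php"                   # as in the listing above
    chmod 666 "$d/wp-content/plugins/hello.php"    # the mistake to catch
    echo "$d"
}

# The fix for finding 3: the owner keeps the file, the web server reads it
# through its group (chgrp www-data on the real host), nobody else can.
fix_wp_config() {
    chmod 640 "$1/wp-config.php"
}
```

On tier 2 the call is `wp_perm_audit /var/www www-data`; the only expected complaint on the article's tree is the wp-config.php one.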
Previous: Tier 1 Reverse Proxy
Next: Tier 3 MySQL Database

IPv6 Home Network DMZ: Ubuntu Tier 3 Server

10/6/2012

 
This tier three server is configured with MySQL, Apache, and phpMyAdmin.  The MySQL option was chosen on the Ubuntu Server installer's software selection page.  phpMyAdmin can only be reached internally, because the firewall rules limit who can get to it and the tier 2 and tier 3 addresses are unique local (fd01:...) addresses that are not routed on the Internet.

Like tier 2, /etc/environment and the apt configuration point at the proxy on this tier's router interface, fd01:470:f379:33::1, the same address that serves as name server and gateway below; only the name service and interface files are shown here.

/etc/resolvconf/resolv.conf.d/base (source of /etc/resolv.conf)

azcrumpty@tier3:~$ cat /etc/resolvconf/resolv.conf.d/base
nameserver fd01:470:f379:33::1
domain chickenkiller.com
search chickenkiller.com

/etc/network/interfaces

azcrumpty@tier3:~$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#iface eth0 inet dhcp
# This is a statically configured IPv6 interface
auto eth2
iface eth2 inet6 static
     address fd01:470:f379:33::30
     netmask 64
     gateway fd01:470:f379:33::1
[Image: phpMyAdmin managing the WordPress database]
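Relying on the firewall alone means a single bad rule exposes MySQL and phpMyAdmin, so it is worth confirming that neither service listens on every address of the tier 3 host.  Ubuntu's stock my.cnf binds MySQL to 127.0.0.1; making it reachable from tier 2 means bind-address was changed, and the safe value is the host's own fd01:470:f379:33::30, not the wildcard.  The check below is an added example, not part of the original article: it reads the output of ss -ltn (or netstat -ltn) and flags any of the audited ports bound to *, 0.0.0.0 or ::.  The sample output it ships with is constructed.

```shell
#!/bin/sh
# wildcard_listeners: read 'ss -ltn' or 'netstat -ltn' output on stdin and flag
# any of the given TCP ports that is bound to every address instead of the
# tier's own address.  Added example for this article, not part of it.
# $1 is a comma-separated port list (default 80 for phpMyAdmin, 3306 for MySQL).
# Prints one FAIL line per finding and returns non-zero if anything was flagged.
wildcard_listeners() {
    ports="${1:-80,3306}"
    awk -v ports="$ports" '
    BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
        # Scan every field for something ending in :port; the local-address
        # column sits in different places in ss and netstat output.
        for (i = 1; i <= NF; i++) {
            f = $i
            if (match(f, /:[0-9]+$/)) {
                port = substr(f, RSTART + 1)
                host = substr(f, 1, RSTART - 1)
                if ((port in want) &&
                    (host == "*" || host == "0.0.0.0" || host == "::" || host == "[::]")) {
                    print "FAIL: port " port " listens on all addresses (" f ")"
                    bad = 1
                }
            }
        }
    }
    END { if (bad) exit 1; exit 0 }'
}

# Constructed sample in the shape of 'ss -ltn' on the tier 3 host: MySQL on the
# wildcard (the mistake), Apache bound to the tier 3 address, sshd on the
# wildcard but outside the default audited port list.
sample_ss() {
    cat <<'EOF'
State      Recv-Q Send-Q Local Address:Port          Peer Address:Port
LISTEN     0      50     *:3306                     *:*
LISTEN     0      128    [fd01:470:f379:33::30]:80  [::]:*
LISTEN     0      128    [::]:22                    [::]:*
EOF
}
```

On the host itself: `ss -ltn | wildcard_listeners` (or `netstat -ltn | wildcard_listeners` on 12.04).  A MySQL line of the form fd01:470:f379:33::30:3306 passes, *:3306 does not.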
Previous: Tier 2 Web Application
Next: IPv6 External Testing Network

Easy Home DMZ Using Guest LAN

7/22/2012

 
[Image: home DMZ using the guest network]
My previous article on my home network with its DMZ is one of my more popular articles, but the design is very complex and might put off people looking for a simple, quick solution.  If you have a newer router, it may come with a guest LAN feature that can be used as a DMZ.  My guests either have a smartphone or can go without the Internet during their visits, leaving my guest LAN unused for most of its life.

The guest LAN's network is 192.168.2.0/24, and the firewall rules deny that network from reaching the main 192.168.1.0/24 network and the cable modem.  Traffic from 192.168.1.0/24 is allowed to reach all hosts on 192.168.2.0/24, which makes managing servers on that network easy.  Keep in mind that the guest LAN is then one flat segment: any visitor who does join it sits right next to your public server, so the server has to be hardened as if it were on the open Internet, which it is.

I have long since erased the default Linksys firmware and replaced it with DD-WRT, so I can't demo how to do it with the software you probably already have.  I will guess that there is no reason you can't set forwarding to the guest LAN on your router using the stock management software.  So, a simple DMZ setup involves joining your server to the guest LAN with a static address and telling your router to forward requests to that host.

This should be a quick and simple solution for you since your guest LAN is already prohibited from connecting to your main network.  I hope this home hosting howto works for you.
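The article does not show the rules because the author's router runs DD-WRT rather than the stock firmware, so here is what the policy described above looks like as a DD-WRT firewall script (Administration, Commands, Save Firewall).  It is an added example, not the author's configuration, and it assumes br0 is the main LAN bridge, br1 the guest LAN bridge, vlan2 the WAN, 192.168.2.10 the DMZ server and 192.168.100.1 the cable modem's management address; change those for your router.  Setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# guest_lan_dmz_rules: DD-WRT style firewall script for the guest-LAN-as-DMZ
# layout in the article.  Added example, not the article's own configuration.
# Assumptions: br0 = main LAN bridge, br1 = guest LAN bridge, vlan2 = WAN,
# DMZ server 192.168.2.10, cable modem management address 192.168.100.1.
# Set IPT=echo to print the rules instead of loading them.
guest_lan_dmz_rules() {
    IPT="${IPT:-iptables}"
    LAN_IF="${LAN_IF:-br0}"
    GUEST_IF="${GUEST_IF:-br1}"
    WAN_IF="${WAN_IF:-vlan2}"
    LAN_NET=192.168.1.0/24
    GUEST_NET=192.168.2.0/24
    DMZ_HOST="${DMZ_HOST:-192.168.2.10}"
    MODEM="${MODEM:-192.168.100.1}"

    # Rules are inserted at fixed positions at the top of FORWARD so they are
    # evaluated before whatever DD-WRT's own firewall script already put there.
    # 1. Replies to connections the main LAN opened into the guest LAN.
    $IPT -I FORWARD 1 -i "$GUEST_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. Everything else from the guest LAN to the main LAN is dropped.
    $IPT -I FORWARD 2 -i "$GUEST_IF" -d "$LAN_NET" -j DROP
    # 3. Guest hosts may not talk to the modem's management address either.
    $IPT -I FORWARD 3 -i "$GUEST_IF" -d "$MODEM" -j DROP
    # 4. The main LAN may open connections into the guest LAN (management).
    $IPT -I FORWARD 4 -i "$LAN_IF" -o "$GUEST_IF" -s "$LAN_NET" -d "$GUEST_NET" -j ACCEPT
    # 5. The guest LAN keeps its Internet access.
    $IPT -I FORWARD 5 -i "$GUEST_IF" -o "$WAN_IF" -j ACCEPT
    # 6. The published service: port 80 from the WAN to the DMZ host only.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$DMZ_HOST:80"
    $IPT -I FORWARD 6 -i "$WAN_IF" -o "$GUEST_IF" -p tcp -d "$DMZ_HOST" --dport 80 -j ACCEPT

    # The router itself: guests get DHCP and DNS from it and nothing else
    # (no admin web page, no ssh) from the guest side.
    $IPT -I INPUT 1 -i "$GUEST_IF" -p udp -m multiport --dports 53,67 -j ACCEPT
    $IPT -I INPUT 2 -i "$GUEST_IF" -p tcp --dport 53 -j ACCEPT
    $IPT -I INPUT 3 -i "$GUEST_IF" -j DROP
}

# On the router, save this file as the firewall script and run it with "apply";
# without the argument it only defines the function.
case "${1:-}" in
    apply) guest_lan_dmz_rules ;;
esac
```

Rule 1 before rule 2 is what makes the "main LAN may reach guests, guests may not reach the main LAN" asymmetry work: only connections opened from 192.168.1.0/24 create state, and only their replies pass back.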

Home Virtualized DMZ Designs Not Chosen

6/8/2011

 
I have finished moving the WonderBlog into a three-tier architecture in a virtualized DMZ and will document the configuration in the next few weeks, but first I wanted to look over the virtualized home network DMZ designs I didn't choose and discuss why.

I wrote about the home-based DMZ architecture I used, but that entry focused more on how the network was laid out.  This post covers the designs I played with but didn't use for my home network.  My blog runs on a three-tier architecture: a client-facing tier, an application tier, and a database tier.  These three tiers are separate virtual machines, and together with the OpenBSD firewall VM that makes four virtual machines on one server.  The computer running them only has three gigabytes of RAM, and I actually wanted nine virtual machines.  I solved the problem of fitting all of them into three gigabytes with operating-system-level virtualization.  This kind of virtualization is very memory-efficient because one virtual machine runs one kernel, and the operating system partitions it into the virtual servers (Solaris Zones and FreeBSD jails).

I used OpenBSD and its packet filter (pf) to filter traffic between all of the Solaris Zones and FreeBSD jails.  I thought about some other offshoot designs.  The first was to simply do the whole thing on one virtualized server: I could have put the firewall rules into the Solaris or FreeBSD host itself and used only one VM, but I liked working with separate pieces, so that one part could be changed without harming the others.  You have many choices.

Similar articles
  • Home Network Features (azcrumpty.wordpress.com)
  • Home Network With DMZ (azcrumpty.wordpress.com)

OpenBSD ifconfig Output

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33204
     groups: lo
     inet 127.0.0.1 netmask 0xff000000
     inet6 ::1 prefixlen 128
     inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
     lladdr 08:00:27:57:24:6b
     groups: egress
     media: Ethernet autoselect (1000baseT full-duplex)
     status: active
     inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255
     inet6 fe80::a00:27ff:fe57:246b%em0 prefixlen 64 scopeid 0x1
     inet6 2002:43a4:a7f0:0:a00:27ff:fe57:246b prefixlen 64 autoconf pltime 16 vltime 26
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
     lladdr 08:00:27:fb:e9:df
     media: Ethernet autoselect (1000baseT full-duplex)
     status: active
     inet 192.168.8.1 netmask 0xffffff00 broadcast 192.168.8.255
     inet6 fe80::a00:27ff:fefb:e9df%em1 prefixlen 64 scopeid 0x2
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
     lladdr 08:00:27:68:63:2a
     media: Ethernet autoselect (1000baseT full-duplex)
     status: active
     inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
     inet6 fe80::a00:27ff:fe68:632a%em2 prefixlen 64 scopeid 0x3
em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
     lladdr 08:00:27:a3:ad:7c
     media: Ethernet autoselect (1000baseT full-duplex)
     status: active
     inet 192.168.12.1 netmask 0xffffff00 broadcast 192.168.12.255
     inet6 fe80::a00:27ff:fea3:ad7c%em3 prefixlen 64 scopeid 0x4
enc0: flags=0<> mtu 1536
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33204
     groups: pflog
[Image: Solaris Zones behind the OpenBSD router]
[Image: OpenBSD in VirtualBox with four interfaces]
The first interface, em0, is bridged to the Ubuntu host's Ethernet adapter and is the box's egress (192.168.1.20 in the output above).  The tier interfaces em1, em2 and em3 follow as int1, int2 and int3, at 192.168.8.1, 192.168.10.1 and 192.168.12.1.  I have used this design with Linux's Kernel-based Virtual Machine (KVM), VirtualBox, and Virtual PC.  The picture above shows Solaris configured to use each interface.  Each Solaris Zone is assigned to one of those interfaces and routes through the OpenBSD server, which performs the firewall functions in packet filter.
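What the OpenBSD box enforces between those interfaces is the interesting part, and the article does not print its pf.conf, so the following is an added example rather than the author's ruleset: a pf.conf for the three tiers in the ifconfig output (em0 as egress, em1 to em3 as the tiers), wrapped in a small shell script so that pfctl -n can syntax-check it where pfctl exists.  It assumes the zones live at .10, .20 and .30 of their subnets, that the home LAN is 192.168.1.0/24, and that the OpenBSD box itself provides DNS and a port 3128 proxy to the tiers, as the later IPv6 articles do with their router.

```shell
#!/bin/sh
# pf_tier_rules: print an OpenBSD pf.conf for the three-tier layout in the
# ifconfig output above, then pf_check syntax-checks it with pfctl -n where
# pfctl exists.  Added example, not the article's own ruleset.  Assumptions:
# zones at .10/.20/.30 of their subnets, home LAN 192.168.1.0/24, and this box
# serving DNS and a proxy on 3128 to the tiers.
pf_tier_rules() {
    cat <<'EOF'
ext_if = "em0"
t1_if = "em1"
t2_if = "em2"
t3_if = "em3"
home_net = "192.168.1.0/24"
tier1 = "192.168.8.10"
tier2 = "192.168.10.20"
tier3 = "192.168.12.30"
tiers = "{ 192.168.8.0/24, 192.168.10.0/24, 192.168.12.0/24 }"
tier_ifs = "{ em1, em2, em3 }"

set skip on lo0
# Only tier 1's web port is published; the outside sees em0's address.
match in on $ext_if proto tcp to ($ext_if) port 80 rdr-to $tier1

# Default deny, logged to pflog0, then one rule per permitted hop.  States are
# floating (the OpenBSD default), so a 'pass in' on one interface also lets
# the packet out of the next one.
block log all
pass in on $ext_if proto tcp to $tier1 port 80
pass in on $t1_if proto tcp from $tier1 to $tier2 port 80
pass in on $t2_if proto tcp from $tier2 to $tier3 port 3306
# The tiers reach the outside only through DNS and the proxy on this box.
pass in on $tier_ifs proto { tcp, udp } from $tiers to self port 53
pass in on $tier_ifs proto tcp from $tiers to self port 3128
# Management from the home LAN into every tier (the home router needs routes
# to the tier subnets via em0's address for this to work).
pass in on $ext_if proto tcp from $home_net to $tiers port 22
# The box's own traffic (proxy fetches, DNS forwarding) may leave.
pass out on $ext_if from ($ext_if)
EOF
}

# Parse-only load with pfctl -n where it exists (OpenBSD); elsewhere say so
# and succeed, so the script can run on the machine you edit it on.
pf_check() {
    tmp=$(mktemp)
    pf_tier_rules > "$tmp"
    if command -v pfctl >/dev/null 2>&1; then
        if pfctl -nf "$tmp"; then r=0; else r=1; fi
    else
        echo "pfctl not found; syntax check skipped"
        r=0
    fi
    rm -f "$tmp"
    return $r
}
```

Each tier can only be reached from the tier in front of it, on one port, which is the whole point of splitting the blog into three: a hole in tier 1 still leaves the attacker one firewall away from the database.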

Studying Opera Unite as a Home Based Web Server

5/26/2011

 
I have been running Opera Unite as a home-based web server for over a week now.  I have learned that you can proxy and run software of your own choosing with much success, and that it might just be a viable solution if you serve only a few users per day.

Here are some observations:
  • Every request in the Apache logs comes from the same IP address, the machine running the Opera browser, so the real client addresses are not visible to the web server
  • Images don't show up in the Apache logs since the Opera Unite web proxy serves those directly
  • Opera Unite seems to start automatically if the browser is allowed to save the password
  • Opera Unite doesn't seem to work with Tor (The Onion Router)
  • There doesn't seem to be much community support on the Opera Unite forums
  • You can't place robots.txt or sitemap.xml in the domain root, since the Opera Unite reverse proxy manages that path
Opera Unite still doesn't offer SSL.

Home Web Server with Opera Unite

5/21/2011

 
[Image: Opera Unite web server content]
I wrote about using a home-based web server in a demilitarized zone within your home a few months ago.  This is a fun and useful thing to do, but I left out a strong caution.  Your ISP may prohibit it as part of your contractual agreement, and may even go so far as to filter HTTP and HTTPS (ports 80 and 443) to keep you from running your own home web server.  So, what can you do?

You can use Opera's Unite system or a competing home server system such as Tonido.  Pick a system whose terms actually allow the service you want, so you don't wake up one morning to find your site is no longer accessible to the world.

[Image: Opera Unite with WordPress]
You can find plenty of help with configuring Opera Unite.  Whatever server you intended for your home-based web server can be used as your Opera Unite server.

I have found some things about Opera Unite that might be of interest to you.  The URLs can get really long.  Take http://home.azcrumpty.operaunite.com/webserver/content/az/Blog/Blog.html as an example.  This monster URL is served by Opera's built-in web server.  The word webserver identifies the service in use, and the word content can be replaced by activity for stats, so two path segments are reserved for deciding where content is retrieved from.  Your content lies beneath all that, and the path can get really long depending on what you do with your content.  Opera's built-in web server doesn't offer the configuration options of Apache or IIS, so CGI, plugins, and other functions are nonexistent.

[Image: WordPress URL needs rewriting]
Opera also provides a reverse proxy to address your web site's complexity needs.  This gives you complete access to your own web server software, but you may run into URL problems and need to do some URL rewriting.  I found that both WordPress and MovableType hard-code some paths into the HTML they generate; such things were fixable by Googling or hacking the code.  Hard-coded host names lead to content not showing up, and internal host names leaking into pages is a general problem to consider whenever a reverse proxy is in use.  Plenty of sites also expect the document root to be available for content, which is not the case with Opera Unite's reverse proxy: Opera adds the host name to the URL and shifts the document root to the right by one path segment.  That becomes an issue for sites whose URIs reference the document root.  For example, an image reference href="/images/foo.gif" would resolve to http://home.azcrumpty.operaunite.com/images/foo.gif, which fails because the reverse proxy needs the host name in the URL to find the image.  The HTML would have to reference it as href="/wb/images/foo.gif", or relatively as href="images/foo.gif".  You must check and correct every such link if you didn't write all the HTML yourself.
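For markup you did not write, fixing those root-relative links by hand does not scale, so here is an added example, not from the article, of a sed filter that rewrites href, src and action attributes starting with / to start with the proxy's prefix (/wb, the one quoted above, is the default) while leaving protocol-relative //cdn links, relative paths and already-prefixed links alone.  The sample HTML is constructed for the demo.

```shell
#!/bin/sh
# prefix_root_links: rewrite root-relative href/src/action attributes in HTML
# so a site written for the document root works behind a reverse proxy that
# mounts it one path segment down, as Opera Unite does.  Added example, not
# from the article.  $1 is the prefix (default /wb, the one quoted above);
# HTML is read on stdin.  Protocol-relative URLs (//host/...) and links that
# already carry the prefix are left alone, and a bare "/" becomes "/wb/".
prefix_root_links() {
    p="${1:-/wb}"
    sed -E \
        -e "s#((href|src|action)=[\"'])$p/#\1@@KEEP@@#g" \
        -e "s#((href|src|action)=[\"'])/([^/\"'])#\1$p/\3#g" \
        -e "s#((href|src|action)=[\"'])/([\"'])#\1$p/\3#g" \
        -e "s#@@KEEP@@#$p/#g"
}

# Constructed sample: the kind of markup WordPress emits, with the absolute
# image path described above, a CDN link, an already-fixed link, a form action
# and a home link.
sample_html() {
    cat <<'EOF'
<a href="/">Home</a>
<img src="/images/foo.gif">
<script src="//cdn.example.net/jquery.js"></script>
<a href="/wb/about/">About</a>
<form action="/wp-comments-post.php" method="post"></form>
<img src="images/relative.gif">
EOF
}
```

Run it over a page with `prefix_root_links /wb < page.html`; the first pass marks links that already carry the prefix, so running it twice changes nothing.  It only touches attributes, so paths built in JavaScript or CSS url() values still need a look by hand.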

[Image: Opera Unite stats]
Performance and security discussions of these services can be found online.  I didn't use performance measurement tools, but I watched the images load on the site and it felt like a dial-up modem, probably because of the spotty performance I am getting from my ISP right now.  As far as security goes, I would NAT the Opera Unite host behind pfSense with rules denying it access to the internal LAN, or put those rules on the Opera Unite host itself, to minimize what an attacker could reach should a back door be opened through the Opera browser.  You can also tell your desktop or laptop firewall software to deny all connections from your Opera Unite host.  I would only push content to the Opera Unite host that I wanted shared with the world, so any unauthorized access to the host would only reveal data I wanted on the Internet anyway.

Home Network Designs That Didn't Make the Cut

4/11/2011

 
I posted my Home Network with DMZ on my blog a few months ago, where I listed how I set up a DMZ in my home network.  There are so many different ways to do a home network that I could not describe them all; people like short blog posts.  I chose this setup for two main reasons:

1) My pfSense server is a laptop which is very old (purchased in 2000) and I wanted a design that was easy to swap out the laptop should it fail. I can swap the Linksys router into the edge of the network quickly if the pfSense server fails.

2) The laptop has two PCMCIA slots, and a network adapter (NIC) fills each one.  I could do more with more NICs and would have preferred 8 ports on the laptop.  I didn't want to use a USB network adapter because the laptop only has the slow USB 1.1 interface.
[Image: two NAT devices with a middle DMZ]
I contemplated a double-NAT configuration, pictured above, with the pfSense router at the network edge in the red zone, a network hub in the middle to serve the hosts in the DMZ, and the Linksys router connected via its WAN port.  The DMZ servers would be in the green zone between the two routers, and the inner router would provide firewall and NAT services to the blue zone.  I declined this design because there are already enough cables, wires, and lost outlets where the equipment goes; I wanted to keep the design simple and have it consume less power.  Also, some software works poorly when positioned behind two NAT routers.

Lastly, my preferred choice was a filtering bridge, pictured below, in place of the Linksys E3000.  The filtering bridge would filter the upper portion of the network (.200 and above) as DMZ servers while leaving the lower portion unfiltered.  The pfSense box only has two NICs, so I would have needed an extra machine or a separate hub.  Again, this design offers too much complexity for home use.

[Image: filtering using one composite LAN]
The first design above lets you reuse an older 802.11b or 802.11g router in the design rather than relying on pfSense for everything.  It is cheap and easy to set up, as many people have an old broadband router lying around somewhere.  The second design requires more effort and more parts when you have only two ports on the filtering bridge; it also requires writing filtering rules and possibly bridging two physical LANs together.  The best feature of the bridge is that it eliminates the need for the clients in the green zone to pass through two NATs.
