Skip to content

Instantly share code, notes, and snippets.

@chhans
Last active Nov 17, 2022
Embed
What would you like to do?
Create Azure VM rerouting traffic
#!/bin/bash
if [ $# -ne 3 ]; then
echo "No argument supplied. Usage: $0 <name_to_take_over> <zone> <subscription>"
exit
fi
if [ -f "$HOME/.ssh/id_rsa.pub" ]; then
SSH_KEY="$HOME/.ssh/id_rsa.pub"
else
echo "RSA SSH key not found in $HOME/.ssh"
exit -1
fi
# Create a resource group
az group create --name $1 --location $2 --subscription $3
# # Create a small VM
az vm create \
--resource-group $1 \
--name $1 \
--subscription $3 \
--image UbuntuLTS \
--size Standard_B1ls \
--admin-username binsec \
--ssh-key-value $SSH_KEY
# # Update DNS
az network public-ip update -g $1 -n "$1PublicIP" --dns-name $1 --subscription $3
# # Open up firewall for 80 and 443 from anywhere
az network nsg rule create -g "$1" --nsg-name "$1NSG" -n AllowAllInternetTraffic \
--priority 500 --source-address-prefixes Internet --destination-port-ranges "*" \
--access Allow --protocol "*" --description "Allow Internet Traffic" --subscription $3
# Do various post-deploy setup
# Install and start Nginx server
az vm run-command invoke --command-id RunShellScript -g $1 -n $1 --script @post-deploy.sh --parameters "$1 $2"
#!/bin/bash
# Install Nginx
apt update -y -q && apt install nginx -y -q
# Nginx Config
cat << 'EOF' > /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
##
# Basic Settings
##
# Rate limit 5 request per minute
limit_req_zone $server_name zone=perserver:1m rate=5r/m;
# Needed for certbot to work
server_names_hash_bucket_size 128;
# Block requests that does not have a Host header with letters
server {
listen 80;
server_name "(!?[a-zA-Z])"
"*.ipip.net"
"*.sogou.com";
return 444;
}
server {
listen 80 default_server;
location = /robots.txt {
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
}
location / {
if ($host !~ "[a-zA-Z]+" ) {
return 444;
}
if ($server_protocol ~* "HTTP/1.0") {
return 444;
}
if ($http_user_agent ~* "Azure Traffic Manager Endpoint Monitor") {
return 200;
}
set $allow_origin '*';
if ($http_origin) {
set $allow_origin $http_origin;
}
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, PATCH, DELETE';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Origin' $allow_origin;
return 204;
}
limit_req zone=perserver;
rewrite /(.*) /ping?id=$1 break;
proxy_pass https://<your-callback-server>;
proxy_set_header Host <your-callback-server>;
proxy_ssl_server_name on;
proxy_ssl_name <your-callback-server>;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Original-Request $request;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Original-Host $host;
}
}
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
}
EOF
# Reload configuration
/etc/init.d/nginx reload
# Redirect all ports to our webserver
# iptables -t nat -A PREROUTING -p tcp --dport 10000:65535 -j REDIRECT --to-ports 80
iptables -t nat -A PREROUTING -p tcp --dport 500:65535 -j REDIRECT --to-ports 80
iptables -t nat -A PREROUTING -p tcp --dport 81:442 -j REDIRECT --to-ports 80
# Block Internet scanners
# 1. Censys.io
iptables -A INPUT -s 192.35.168.0/23,162.142.125.0/24,74.120.14.0/24,167.248.133.0/24 -j DROP
# Annoying scanners
iptables -A INPUT -s 23.98.148.135 -j DROP
# Let's encrypt
snap install core
snap refresh core
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
certbot --nginx --no-redirect --non-interactive --agree-tos --register-unsafely-without-email -d "$1.$2.cloudapp.azure.com"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment