Last active
June 27, 2020 15:18
-
-
Save robertobarreda/6614e15fe81741a63797f4b64dc730cc to your computer and use it in GitHub Desktop.
JEDI SI PAC1 (system security)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
global | |
log /dev/log local0 | |
log /dev/log local1 notice | |
chroot /var/lib/haproxy | |
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | |
stats timeout 30s | |
user haproxy | |
group haproxy | |
daemon | |
# Default SSL material locations | |
ca-base /etc/ssl/certs | |
crt-base /etc/ssl/private | |
# Default ciphers to use on SSL-enabled listening sockets. | |
# For more information, see ciphers(1SSL). This list is from: | |
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | |
# An alternative list with additional directives can be obtained from | |
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | |
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS | |
ssl-default-bind-options no-sslv3 | |
defaults | |
log global | |
mode http | |
option httplog | |
option dontlognull | |
timeout connect 5000 | |
timeout client 50000 | |
timeout server 50000 | |
errorfile 400 /etc/haproxy/errors/400.http | |
errorfile 403 /etc/haproxy/errors/403.http | |
errorfile 408 /etc/haproxy/errors/408.http | |
errorfile 500 /etc/haproxy/errors/500.http | |
errorfile 502 /etc/haproxy/errors/502.http | |
errorfile 503 /etc/haproxy/errors/503.http | |
errorfile 504 /etc/haproxy/errors/504.http | |
listen webservers | |
bind :80 | |
balance roundrobin | |
server web1 172.28.33.11:80 check | |
server web2 172.28.33.12:80 check | |
listen admin | |
bind :8080 | |
stats enable |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
sudo apt-get install golang-go git | |
go get github.com/jsha/minica | |
./go/bin/minica -domains localhost | |
sudo cp minica.pem /etc/ssl/certs/ | |
cat localhost/cert.pem localhost/key.pem | sudo tee /etc/ssl/private/jedi.pem | |
# openssl x509 -text -in minica.pem | |
# openssl x509 -text -in localhost/cert.pem |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
*filter | |
# Allow all outgoing, but drop incoming and forwarding packets by default | |
:INPUT DROP [0:0] | |
:FORWARD DROP [0:0] | |
:OUTPUT ACCEPT [0:0] | |
# Custom per-protocol chains | |
:UDP - [0:0] | |
:TCP - [0:0] | |
:ICMP - [0:0] | |
# Acceptable UDP traffic | |
# Acceptable TCP traffic | |
-A TCP -p tcp --dport 22 -j ACCEPT | |
# Acceptable ICMP traffic | |
# Boilerplate acceptance policy | |
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | |
-A INPUT -i lo -j ACCEPT | |
# Drop invalid packets | |
-A INPUT -m conntrack --ctstate INVALID -j DROP | |
# Pass traffic to protocol-specific chains | |
## Only allow new connections (established and related should already be handled) | |
## For TCP, additionally only allow new SYN packets since that is the only valid | |
## method for establishing a new TCP connection | |
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP | |
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP | |
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP | |
# Reject anything that's fallen through to this point | |
## Try to be protocol-specific w/ rejection message | |
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable | |
-A INPUT -p tcp -j REJECT --reject-with tcp-reset | |
-A INPUT -j REJECT --reject-with icmp-proto-unreachable | |
# Commit the changes | |
COMMIT | |
*raw | |
:PREROUTING ACCEPT [0:0] | |
:OUTPUT ACCEPT [0:0] | |
COMMIT | |
*nat | |
:PREROUTING ACCEPT [0:0] | |
:INPUT ACCEPT [0:0] | |
:OUTPUT ACCEPT [0:0] | |
:POSTROUTING ACCEPT [0:0] | |
COMMIT | |
*security | |
:INPUT ACCEPT [0:0] | |
:FORWARD ACCEPT [0:0] | |
:OUTPUT ACCEPT [0:0] | |
COMMIT | |
*mangle | |
:PREROUTING ACCEPT [0:0] | |
:INPUT ACCEPT [0:0] | |
:FORWARD ACCEPT [0:0] | |
:OUTPUT ACCEPT [0:0] | |
:POSTROUTING ACCEPT [0:0] | |
COMMIT |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
openssl req \ | |
-x509 -newkey rsa:2048 -nodes -sha256 -days 365 \ | |
-out /etc/ssl/private/jedi.crt \ | |
-keyout /etc/ssl/private/jedi.key | |
cat /etc/ssl/private/jedi.crt /etc/ssl/private/jedi.key > /etc/ssl/private/jedi.pem | |
openssl dhparam -out /etc/ssl/private/dhparam.pem 2048 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <tunables/global> | |
/usr/sbin/nginx { | |
#include <abstractions/base> | |
#include <abstractions/nameservice> | |
#include <abstractions/openssl> | |
#include <abstractions/totem> | |
capability dac_override, | |
/usr/sbin/nginx mr, | |
/var/log/nginx/access.log w, | |
/var/log/nginx/error.log w, | |
owner /etc/nginx/mime.types r, | |
owner /etc/nginx/nginx.conf r, | |
owner /etc/nginx/sites-available/default r, | |
owner /run/nginx.pid rw, | |
/var/www/html/safe/index.html r, | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Vagrant.configure("2") do |config| | |
config.vm.box = "debian/buster64" | |
# config.vm.synced_folder ".", "/vagrant", disabled: true | |
config.vm.provider "virtualbox" do |vb| | |
vb.memory = "256" | |
end | |
config.vm.define :proxy, primary: true do |proxy| | |
proxy.vm.hostname = "proxy" | |
proxy.vm.network :forwarded_port, guest: 80, host: 8081 | |
proxy.vm.network :forwarded_port, guest: 443, host: 8082 | |
proxy.vm.network :forwarded_port, guest: 8080, host: 8080 | |
proxy.vm.network :private_network, ip: "172.28.33.10" | |
proxy.vm.provision "shell", inline: <<-SHELL | |
apt update && apt install -y haproxy | |
SHELL | |
end | |
config.vm.define :web1 do |web1| | |
web1.vm.hostname = "web1" | |
web1.vm.network :private_network, ip: "172.28.33.11" | |
web1.vm.provision "shell", inline: <<-SHELL | |
apt update && apt install -y nginx | |
echo "<html><head><title>${HOSTNAME}</title></head>" \ | |
"<body><h1>${HOSTNAME}</h1>" \ | |
"<p>This is the default web page for ${HOSTNAME}.</p></body></html>" \ | |
| sudo tee /var/www/html/index.html | |
SHELL | |
end | |
config.vm.define :web2 do |web2| | |
web2.vm.hostname = "web2" | |
web2.vm.network :private_network, ip: "172.28.33.12" | |
web2.vm.provision "shell", inline: <<-SHELL | |
apt update && apt install -y nginx | |
echo "<html><head><title>${HOSTNAME}</title></head>" \ | |
"<body><h1>${HOSTNAME}</h1>" \ | |
"<p>This is the default web page for ${HOSTNAME}.</p></body></html>" \ | |
| sudo tee /var/www/html/index.html | |
SHELL | |
end | |
end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment