JEDI SI PAC1 (system security)
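global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    # Runtime API. 'level admin' allows live changes (disable servers, change
    # weights), so the socket must stay root:haproxy owned with mode 660.
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations. The cert scripts in this gist write
    # jedi.pem (cert + key) under crt-base, so a bind can refer to it by name.
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    # SSLv3 alone is not enough any more: TLS 1.0/1.1 are deprecated (RFC 8996).
    # Accept TLS 1.2 and newer only.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    # Bound the time a client may take to send a complete request header.
    # Without it a handful of slow clients (Slowloris) can hold every
    # connection slot for the full 50s 'timeout client'.
    timeout http-request 10s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Plain-HTTP front end, round-robin over the two nginx back ends on the
# host-only network.
listen webservers
    bind :80
    # TLS termination with the bundle produced by the cert scripts in this gist
    # (/etc/ssl/private/jedi.pem). Left commented so the proxy still starts
    # before that file exists; enable once it has been generated.
    # bind :443 ssl crt jedi.pem
    balance roundrobin
    server web1 172.28.33.11:80 check
    server web2 172.28.33.12:80 check

# Statistics page. It reveals back-end addresses, health and traffic, and :8080
# is forwarded to the host by the Vagrantfile, so it must not be anonymous.
listen admin
    bind :8080
    stats enable
    # Placeholder credentials: replace before use (or move them to a
    # 'userlist' / read them from the environment). 'stats admin' is
    # deliberately NOT enabled, so the page stays read-only.
    stats auth admin:CHANGE-ME
    stats hide-version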
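#!/bin/bash
# Create a throw-away local CA with minica, issue a certificate for
# "localhost", and install the pieces where haproxy.cfg's ca-base/crt-base
# expect them. Intended for the lab VMs only.
set -euo pipefail

sudo apt-get install -y golang-go git

# NOTE(review): an unpinned `go get` builds whatever the upstream default
# branch holds at run time (and on Go >= 1.17 it no longer installs binaries
# at all). Pin a tag / use `go install <module>@<version>` once the toolchain
# in the box allows it.
go get github.com/jsha/minica

# Writes localhost/cert.pem and localhost/key.pem signed by minica.pem.
# minica also leaves the CA *private* key (minica-key.pem) in the working
# directory; keep it off the servers and out of version control.
"$(go env GOPATH)/bin/minica" -domains localhost

# Only the CA certificate is public. Dropping it into /etc/ssl/certs makes it
# resolvable via haproxy's ca-base; it does not register it with the system
# trust store (that needs update-ca-certificates).
sudo cp minica.pem /etc/ssl/certs/

# haproxy wants cert + key in one PEM. Create the file root-owned and 0600
# first, and silence tee: otherwise the private key is echoed to the terminal.
sudo install -m 600 -o root -g root /dev/null /etc/ssl/private/jedi.pem
cat localhost/cert.pem localhost/key.pem | sudo tee /etc/ssl/private/jedi.pem >/dev/null

# openssl x509 -text -in minica.pem
# openssl x509 -text -in localhost/cert.pem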
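*filter
# Allow all outgoing, but drop incoming and forwarding packets by default.
# NOTE: this is IPv4 only. Without an equivalent ip6tables ruleset the same
# services are reachable unfiltered over IPv6.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Custom per-protocol chains
:UDP - [0:0]
:TCP - [0:0]
:ICMP - [0:0]
# Acceptable UDP traffic
# Acceptable TCP traffic
# SSH is accepted from any source. Outside a private lab network add a source
# restriction (-s <admin-net>) or a -m limit rule against brute forcing.
-A TCP -p tcp --dport 22 -j ACCEPT
# Services defined elsewhere in this gist; uncomment on the host that runs
# them (80/443/8080 on the haproxy VM, 80 on web1/web2 — ideally with
# -s 172.28.33.10 so only the proxy can reach the back ends).
# -A TCP -p tcp --dport 80 -j ACCEPT
# -A TCP -p tcp --dport 443 -j ACCEPT
# -A TCP -p tcp --dport 8080 -j ACCEPT
# Acceptable ICMP traffic
# Boilerplate acceptance policy
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Pass traffic to protocol-specific chains
## Only allow new connections (established and related should already be handled)
## For TCP, additionally only allow new SYN packets since that is the only valid
## method for establishing a new TCP connection
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
# Log what is about to be rejected, rate-limited so a flood cannot fill the
# journal. Without this there is no trace of probes or of a misconfigured
# service being blocked.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-reject: " --log-level 4
# Reject anything that's fallen through to this point
## Try to be protocol-specific w/ rejection message
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
# Commit the changes
COMMIT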
# The remaining tables carry no rules and keep their built-in chains at
# ACCEPT. They are listed anyway so that iptables-restore (without --noflush)
# clears anything previously loaded into them, leaving the filter table above
# as the only source of policy.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# No NAT: the proxy reaches the back ends directly on the host-only network.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
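#!/bin/bash
# Self-signed alternative to the minica flow: one RSA key + certificate for
# "localhost", bundled into the PEM that haproxy.cfg's crt-base points at,
# plus a 2048-bit DH group. Must run as root (writes to /etc/ssl/private).
set -euo pipefail

# Everything created below is private key material: no group/other bits, so
# the files are 0600 from the moment they exist rather than fixed up later.
umask 077

# -nodes: the key is stored unencrypted so haproxy can start unattended;
#         file permissions are the only protection, hence the umask above.
# -subj/-addext: non-interactive, and adds the subjectAltName that current
#         clients require (CN alone is no longer honoured). -addext needs
#         OpenSSL >= 1.1.1, which Debian buster ships.
openssl req \
  -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=localhost" \
  -addext "subjectAltName=DNS:localhost" \
  -out /etc/ssl/private/jedi.crt \
  -keyout /etc/ssl/private/jedi.key

# haproxy expects certificate and key in a single PEM.
cat /etc/ssl/private/jedi.crt /etc/ssl/private/jedi.key > /etc/ssl/private/jedi.pem
chmod 600 /etc/ssl/private/jedi.key /etc/ssl/private/jedi.pem

# DH parameters for DHE suites (the default cipher list above allows DH+AES*).
# 2048 bits is the minimum that avoids haproxy's weak-DH warning.
openssl dhparam -out /etc/ssl/private/dhparam.pem 2048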
#include <tunables/global>
# AppArmor profile for nginx on web1/web2. It is deliberately narrow: the
# only document nginx may read is /var/www/html/safe/index.html, so the
# /var/www/html/index.html the Vagrantfile provisions is NOT readable while
# this profile is enforced (presumably the point of the exercise — confirm).
/usr/sbin/nginx {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/openssl>
# NOTE(review): totem is a GNOME media-player abstraction; it hands nginx a
# file set it has no use for. Remove it unless the audit log shows a DENIED
# that it actually covers.
#include <abstractions/totem>
# Broad: lets the root master process bypass file permission checks entirely
# (presumably to open log files not owned by root — verify with aa-logprof).
capability dac_override,
# NOTE(review): no net_bind_service (bind :80), setuid/setgid (drop workers
# to the nginx user) or `network inet stream,` rule is granted here. Check
# dmesg / audit.log for DENIED entries in enforce mode before relying on it.
/usr/sbin/nginx mr,
/var/log/nginx/access.log w,
/var/log/nginx/error.log w,
# `owner`: the file must belong to the confined process's uid (root here),
# so a config file that has been chowned to another user is refused.
owner /etc/nginx/mime.types r,
owner /etc/nginx/nginx.conf r,
owner /etc/nginx/sites-available/default r,
owner /run/nginx.pid rw,
# The single document nginx is allowed to serve under this profile.
/var/www/html/safe/index.html r,
}
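# Three-VM lab: one HAProxy front end and two nginx back ends on a host-only
# network (172.28.33.0/24). Provisioning is deliberately minimal; the haproxy,
# TLS, firewall and AppArmor pieces elsewhere in this gist are applied by hand.
Vagrant.configure("2") do |config|
  # NOTE(review): the box is not pinned (no config.vm.box_version / checksum),
  # so every `vagrant up` trusts whatever Vagrant Cloud serves at that moment.
  config.vm.box = "debian/buster64"
  # The default /vagrant share exposes the host's project directory — including
  # any keys generated there — inside every guest. Enable this line to turn it
  # off if nothing needs it.
  # config.vm.synced_folder ".", "/vagrant", disabled: true
  config.vm.provider "virtualbox" do |vb|
    vb.memory = "256"
  end

  # Front end. Forwarded ports are bound to the host's loopback only: without
  # host_ip the haproxy stats page (8080) and the plain-HTTP listener would be
  # reachable from the host's LAN.
  config.vm.define :proxy, primary: true do |proxy|
    proxy.vm.hostname = "proxy"
    proxy.vm.network :forwarded_port, guest: 80, host: 8081, host_ip: "127.0.0.1"
    proxy.vm.network :forwarded_port, guest: 443, host: 8082, host_ip: "127.0.0.1"
    proxy.vm.network :forwarded_port, guest: 8080, host: 8080, host_ip: "127.0.0.1"
    proxy.vm.network :private_network, ip: "172.28.33.10"
    proxy.vm.provision "shell", inline: <<-SHELL
      apt update && apt install -y haproxy
    SHELL
  end

  # Back ends: identical apart from name and address, so define them in a loop
  # instead of two copies of the same block. Each serves a one-line page that
  # names the host, which is what makes round-robin visible through the proxy.
  { "web1" => "172.28.33.11", "web2" => "172.28.33.12" }.each do |name, ip|
    config.vm.define name.to_sym do |web|
      web.vm.hostname = name
      web.vm.network :private_network, ip: ip
      # The shell provisioner already runs privileged, so no sudo is needed.
      # ${HOSTNAME} is expanded by the guest's shell, not by Ruby (#{} would be).
      web.vm.provision "shell", inline: <<-SHELL
        apt update && apt install -y nginx
        echo "<html><head><title>${HOSTNAME}</title></head>" \
        "<body><h1>${HOSTNAME}</h1>" \
        "<p>This is the default web page for ${HOSTNAME}.</p></body></html>" \
        | tee /var/www/html/index.html
      SHELL
    end
  end
end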