Liens. https://blog.ssdnodes.com/blog/linux-containers-lxc-haproxy/ https://gist.github.com/theprojectsomething/83f7a0ab151a2483934fb675a42cc13d#1-updating-the-vps
Distribution : Ubuntu 18.04 LTS
CPU : 4
RAM : 50 Go
Nom du disque système : sysdiskhl03
Taille : 50 Go
Nom (Hostname) : serverhl03
Adresse ipv4 : serveurip
Identifiant administrateur : admin
util01@station02:~$ ssh admin@serveurip
admin@217.70.190.39's password:
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-22-generic x86_64)
...
admin@serverhl03:~$
admin@serverhl01:~$ su
Password:
root@serverhl01:/home/admin#
admin@serverhl03:~$ su -
Password:
root@serverhl03:~#
root@serverhl03:~# visudo
Chercher :
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
Remplacer par :
admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
sudo ALL=(ALL:ALL) ALL
root@serverhl03:/home/admin# exit
admin@serverhl03:~$
admin@serverhl03:~$ sudo apt-get update && sudo apt-get upgrade
admin@serverhl03:~$ sudo apt-get install mc vim htop screen iptables ufw
admin@serverhl03:~$ sudo apt install zfsutils-linux
admin@serverhl03:~$ sudo apt install snapd
admin@serverhl03:~$ sudo snap install lxd
admin@serverhl03:~$ . /etc/profile.d/apps-bin-path.sh
admin@serverhl03:~$ sudo lxd init
Would you like to use LXD clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]:
Name of the new storage pool [default=default]: lxc_pool
Name of the storage backend to use (btrfs, ceph, dir, lvm, zfs) [default=zfs]:
Create a new ZFS pool? (yes/no) [default=yes]:
Would you like to use an existing block device? (yes/no) [default=no]:
Size in GB of the new loop device (1GB minimum) [default=15GB]:
Would you like to connect to a MAAS server? (yes/no) [default=no]:
Would you like to create a new local network bridge? (yes/no) [default=yes]:
What should the new bridge be called? [default=lxdbr0]:
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: none
Would you like LXD to be available over the network? (yes/no) [default=no]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:
admin@serverhl03:~$
admin@serverhl03:~$ sudo usermod -aG lxd admin
admin@serverhl03:~$ sudo lxc launch ubuntu:18.04 HAProxy
Creating HAProxy
Starting HAProxy
admin@serverhl03:~$
admin@serverhl03:~$ sudo lxc launch ubuntu:18.04 Discus
Creating Discus
Starting Discus
admin@serverhl03:~$
admin@serverhl03:~$ sudo lxc launch ubuntu:18.04 Imagin
Creating Imagin
Starting Imagin
admin@serverhl03:~$
admin@serverhl03:~$ sudo lxc launch ubuntu:18.04 Nekrofage
Creating Nekrofage
Starting Nekrofage
admin@serverhl03:~$
admin@serverhl03:~$ sudo lxc launch ubuntu:18.04 Forum
Creating Forum
Starting Forum
admin@serverhl03:~$
admin@serverhl03:~$ sudo lxc list
+-----------+---------+-----------------------+------+------------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+-----------+---------+-----------------------+------+------------+-----------+
| Discus | RUNNING | 10.156.249.17 (eth0) | | PERSISTENT | 0 |
+-----------+---------+-----------------------+------+------------+-----------+
| Forum | RUNNING | 10.156.249.150 (eth0) | | PERSISTENT | 0 |
+-----------+---------+-----------------------+------+------------+-----------+
| HAProxy | RUNNING | 10.156.249.147 (eth0) | | PERSISTENT | 0 |
+-----------+---------+-----------------------+------+------------+-----------+
| Imagin | RUNNING | 10.156.249.127 (eth0) | | PERSISTENT | 0 |
+-----------+---------+-----------------------+------+------------+-----------+
| Nekrofage | RUNNING | 10.156.249.198 (eth0) | | PERSISTENT | 0 |
+-----------+---------+-----------------------+------+------------+-----------+
admin@serverhl03:~$
admin@serverhl03:~$ ifconfig
eth0: flags=4163<up,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet serveurip netmask 255.255.252.0 broadcast 217.70.191.255
inet6 2001:4b98:dc0:41:216:3eff:fe26:5780 prefixlen 64 scopeid 0x0<global>
inet6 fe80::216:3eff:fe26:5780 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:26:57:80 txqueuelen 1000 (Ethernet)
RX packets 257809 bytes 511007466 (511.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 26799 bytes 2603604 (2.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
...
admin@serverhl03:~$ sudo iptables -t nat -I PREROUTING -i eth0 -p TCP -d 217.70.190.39/32 --dport 80 -j DNAT --to-destination 10.156.249.147:80
admin@serverhl03:~$ sudo iptables -t nat -I PREROUTING -i eth0 -p TCP -d 217.70.190.39/32 --dport 443 -j DNAT --to-destination 10.156.249.147:443
admin@serverhl03:~$ sudo apt install iptables-persistent
admin@serverhl03:~$ sudo ufw allow http
Rules updated
Rules updated (v6)
admin@serverhl03:~$
admin@serverhl03:~$ sudo ufw allow https
Rules updated
Rules updated (v6)
admin@serverhl03:~$
admin@serverhl03:~$ sudo ufw allow ssh
Rules updated
Rules updated (v6)
admin@serverhl03:~$
admin@serverhl03:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
admin@serverhl03:~$
admin@serverhl03:~$ sudo lxc exec HAProxy -- bash
root@HAProxy:~#
root@HAProxy:~# apt-get update && apt-get upgrade
root@HAProxy:~# apt install vim screen mc
root@HAProxy:~# apt install haproxy
Ouvrir :
/etc/haproxy/haproxy.cfg
Chercher :
daemon
Ajouter après :
maxconn 2048
tune.ssl.default-dh-param 2048
Chercher :
option dontlognull
Ajouter après :
option forwardfor
option http-server-close
Ouvrir :
/etc/haproxy/haproxy.cfg
Ajouter à la fin :
frontend http_frontend
bind *:80
acl web_host1 hdr(host) -i discus.hacklab.fr
acl web_host2 hdr(host) -i imagin.hacklab.fr
acl web_host3 hdr(host) -i nekrofage.hacklab.fr
acl web_host4 hdr(host) -i forum.hacklab.fr
use_backend Discus if web_host1
use_backend Imagin if web_host2
use_backend Nekrofage if web_host3
use_backend Forum if web_host4
backend Discus
balance leastconn
http-request set-header X-Client-IP %[src]
server Discus Discus.lxd:80 check
backend Imagin
balance leastconn
http-request set-header X-Client-IP %[src]
server Imagin Imagin.lxd:80 check
backend Nekrofage
balance leastconn
http-request set-header X-Client-IP %[src]
server Nekrofage Nekrofage.lxd:80 check
backend Forum
balance leastconn
http-request set-header X-Client-IP %[src]
server Forum Forum.lxd:80 check
root@HAProxy:~# /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c
Configuration file is valid
root@HAProxy:~# service haproxy reload
root@HAProxy:~# exit
exit
admin@serverhl03:~$
admin@serverhl03:~$ lxc exec Discus -- bash
root@Discus:~# apt update && apt upgrade && apt install mc screen vim htop
root@Discus:~# exit
exit
admin@serverhl03:~$
admin@serverhl03:~$ lxc exec Imagin -- bash
root@Imagin:~# apt update && apt upgrade && apt install mc screen vim htop
root@Imagin:~# exit
exit
admin@serverhl03:~$
admin@serverhl03:~$ lxc exec Nekrofage -- bash
root@Nekrofage:~# apt update && apt upgrade && apt install mc screen vim htop
root@Nekrofage:~# apt install apache2
root@Nekrofage:~# systemctl stop apache2.service
root@Nekrofage:~# systemctl start apache2.service
root@Nekrofage:~# systemctl enable apache2.service
/var/www/html/index.html
Chercher : Apache2 Ubuntu Default Page Remplacer par :
Nekrofage
root@Nekrofage:~# exit
exit
admin@serverhl03:~$
admin@serverhl03:~$ lxc exec Forum -- bash
root@Forum:~# apt update && apt upgrade && apt install mc screen vim htop
root@Forum:~# apt install apache2
root@Forum:~# systemctl stop apache2.service
root@Forum:~# systemctl start apache2.service
root@Forum:~# systemctl enable apache2.service
/var/www/html/index.html
Chercher :
Apache2 Ubuntu Default Page
Remplacer par :
Forum
root@Forum:~# exit
exit
admin@serverhl03:~$
http://nekrofage.hacklab.fr/ http://forum.hacklab.fr/
admin@serverhl03:~$ sudo lxc list
[sudo] password for admin:
+-----------+---------+-----------------------+------+------------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+-----------+---------+-----------------------+------+------------+-----------+
| Discus | RUNNING | 10.156.249.17 (eth0) | | PERSISTENT | 0 |
+-----------+---------+-----------------------+------+------------+-----------+
| Forum | RUNNING | 10.156.249.150 (eth0) | | PERSISTENT | 0 |
+-----------+---------+-----------------------+------+------------+-----------+
| HAProxy | RUNNING | 10.156.249.147 (eth0) | | PERSISTENT | 0 |
+-----------+---------+-----------------------+------+------------+-----------+
| Imagin | RUNNING | 10.156.249.127 (eth0) | | PERSISTENT | 0 |
+-----------+---------+-----------------------+------+------------+-----------+
| Nekrofage | RUNNING | 10.156.249.198 (eth0) | | PERSISTENT | 0 |
+-----------+---------+-----------------------+------+------------+-----------+
admin@serverhl03:~$
admin@serverhl03:~$ lxc snapshot Discus Discus_snap0
admin@serverhl03:~$ lxc snapshot Forum Forum_snap0
admin@serverhl03:~$ lxc snapshot HAProxy HAProxy_snap0
admin@serverhl03:~$ lxc snapshot Imagin Imagin_snap0
admin@serverhl03:~$ lxc snapshot Nekrofage Nekrofage_snap0
admin@serverhl03:~$ sudo lxc list
+-----------+---------+-----------------------+------+------------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+-----------+---------+-----------------------+------+------------+-----------+
| Discus | RUNNING | 10.156.249.17 (eth0) | | PERSISTENT | 1 |
+-----------+---------+-----------------------+------+------------+-----------+
| Forum | RUNNING | 10.156.249.150 (eth0) | | PERSISTENT | 1 |
+-----------+---------+-----------------------+------+------------+-----------+
| HAProxy | RUNNING | 10.156.249.147 (eth0) | | PERSISTENT | 1 |
+-----------+---------+-----------------------+------+------------+-----------+
| Imagin | RUNNING | 10.156.249.127 (eth0) | | PERSISTENT | 1 |
+-----------+---------+-----------------------+------+------------+-----------+
| Nekrofage | RUNNING | 10.156.249.198 (eth0) | | PERSISTENT | 1 |
+-----------+---------+-----------------------+------+------------+-----------+
admin@serverhl03:~$
Discus : 9017
Forum :9150
HAProxy : 9147
Imagin : 9127
Nekrofage : 9198
admin@serverhl03:~$ lxc exec Discus -- bash
root@Discus:~#
Ouvrir :
/etc/ssh/sshd_config
Chercher :
# Port 22
Remplacer par :
Port 9017
Action :
service sshd restart
admin@serverhl03:~$ lxc exec Forum -- bash
root@Forum:~#
Ouvrir :
/etc/ssh/sshd_config
Chercher :
#Port 22
Remplacer par : Port 9150 Action :
service sshd restart
admin@serverhl03:~$ lxc exec HAProxy -- bash
root@HAProxy:~#
Ouvrir :
/etc/ssh/sshd_config
Chercher :
#Port 22
Remplacer par :
Port 9150
Action :
service sshd restart
admin@serverhl03:~$ lxc exec Nekrofage -- bash
Ouvrir :
/etc/ssh/sshd_config
Chercher :
#Port 22
Remplacer par :
Port 9198
Action :
service sshd restart
admin@serverhl03:~$ lxc exec Imagin -- bash
Ouvrir :
/etc/ssh/sshd_config
Chercher :
#Port 22
Remplacer par :
Port 9150
Action :
service sshd restart
admin@serverhl03:~$ lxc exec Nekrofage -- bash
root@Nekrofage:~#
root@Nekrofage:~# adduser administrator
root@Nekrofage:~# usermod -aG sudo administrator
root@Nekrofage:~# su administrator
administrator@Nekrofage:/root$ cd
administrator@Nekrofage:~$
administrator@Nekrofage:~$ mkdir -p ~/.ssh
Ouvrir :
~/.ssh/authorized_keys
Ajouter :
<clé rsa>
administrator@Nekrofage:~$ chmod -R go= ~/.ssh
administrator@Nekrofage:~$ chown -R administrator:administrator ~/.ssh
administrator@Nekrofage:~$ exit
exit
root@Nekrofage:~#
root@Nekrofage:~# exit
administrator@Nekrofage:/root$
root@Nekrofage:~# exit
exit
admin@serverhl03:~$
Modèle de régle :
iptables -t nat -A PREROUTING -i {interface} -p tcp --dport {container_ssh_port} -j DNAT --to {container_ip}:{container_ssh_port}
admin@serverhl03:~$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9017 -j DNAT --to 10.156.249.17:9017
admin@serverhl03:~$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9150 -j DNAT --to 10.156.249.150:9150
admin@serverhl03:~$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9147 -j DNAT --to 10.156.249.147:9147
admin@serverhl03:~$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9127 -j DNAT --to 10.156.249.127:9127
admin@serverhl03:~$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9198 -j DNAT --to 10.156.249.198:9198
util01@station02:~$ ssh -p 9198 administrator@217.70.190.39
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-22-generic x86_64)
...
administrator@Nekrofage:~$
util01@station02:~$ ssh -p 9017 administrator@217.70.190.39
...
administrator@Discus:~$
util01@station02:~$ ssh -p 9150 administrator@217.70.190.39
...
administrator@Forum:~$
util01@station02:~$ ssh -p 9147 administrator@217.70.190.39
...
administrator@HAProxy:~$
util01@station02:~$ ssh -p 9127 administrator@217.70.190.39
...
administrator@Imagin:~$
admin@serverhl03:~$ sudo iptables -t nat --line-numbers -L
[sudo] password for admin:
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT tcp -- anywhere serverhl03 tcp dpt:https to:10.156.249.147:443
2 DNAT tcp -- anywhere serverhl03 tcp dpt:http to:10.156.249.147:80
3 DNAT tcp -- anywhere anywhere tcp dpt:9198 to:10.156.249.198:9198
4 DNAT tcp -- anywhere anywhere tcp dpt:9198 to:10.156.249.198:9198
5 DNAT tcp -- anywhere anywhere tcp dpt:9017 to:10.156.249.17:9017
6 DNAT tcp -- anywhere anywhere tcp dpt:9150 to:10.156.249.150:9150
7 DNAT tcp -- anywhere anywhere tcp dpt:9147 to:10.156.249.147:9147
8 DNAT tcp -- anywhere anywhere tcp dpt:9127 to:10.156.249.127:9127
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 10.156.249.0/24 !10.156.249.0/24 /* generated for LXD network lxdbr0 */
admin@serverhl03:~$
admin@serverhl03:~$ sudo su
root@serverhl03:/home/admin# iptables-save > /etc/iptables/rules.v4
root@serverhl03:/home/admin# exit
exit
admin@serverhl03:~$
admin@serverhl03:~$ lxc exec HAProxy -- bash
root@HAProxy:~#
root@HAProxy:~# service haproxy stop
root@HAProxy:~# add-apt-repository ppa:certbot/certbot
root@HAProxy:~# apt update
root@HAProxy:~# apt install certbot
root@HAProxy:~# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): lesanglierdesardennes@gmail.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): nekrofage.hacklab.fr, discus.hacklab.fr, imagin.hacklab.fr, forum.hacklab.fr
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for discus.hacklab.fr
http-01 challenge for forum.hacklab.fr
http-01 challenge for imagin.hacklab.fr
http-01 challenge for nekrofage.hacklab.fr
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/discus.hacklab.fr/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/discus.hacklab.fr/privkey.pem
Your cert will expire on 2020-01-25. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
root@HAProxy:~#
root@HAProxy:~# ls -l /etc/letsencrypt/live
total 3
-rw-r--r-- 1 root root 740 Oct 27 10:49 README
drwxr-xr-x 2 root root 7 Oct 27 10:56 nekrofage.hacklab.fr
root@HAProxy:~#
root@HAProxy:~# mkdir -p /etc/haproxy/certs
root@HAProxy:~# cat /etc/letsencrypt/live/nekrofage.hacklab.fr/fullchain.pem /etc/letsencrypt/live/nekrofage.hacklab.fr/privkey.pem > /etc/haproxy/certs/nekrofage.hacklab.fr.pem
Ouvrir :
/etc/haproxy/haproxy.cfg
Ajouter à la fin de 'frontend http_frontend' :
frontend www-https
bind *:443 ssl crt /etc/haproxy/certs/nekrofage.hacklab.fr.pem
reqadd X-Forwarded-Proto:\ https
acl web_host3 hdr(host) -i nekrofage.hacklab.fr
acl web_host4 hdr(host) -i forum.hacklab.fr
use_backend Nekrofage if web_host3
use_backend Forum if web_host4
Chercher :
backend Nekrofage
balance leastconn
http-request set-header X-Client-IP %[src]
server Nekrofage Nekrofage.lxd:80 check
Remplacer par :
backend Nekrofage
balance leastconn
http-request set-header X-Client-IP %[src]
redirect scheme https if !{ ssl_fc }
server Nekrofage Nekrofage.lxd:80 check
Chercher :
backend Forum
balance leastconn
http-request set-header X-Client-IP %[src]
server Forum Forum.lxd:80 check
Remplacer par :
backend Forum
balance leastconn
http-request set-header X-Client-IP %[src]
redirect scheme https if !{ ssl_fc }
server Forum Forum.lxd:80 check
root@HAProxy:~# /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c
Configuration file is valid
root@HAProxy:~#
root@HAProxy:~# service haproxy start
https://nekrofage.hacklab.fr/ https://forum.hacklab.fr/
root@HAProxy:~# service haproxy stop
root@HAProxy:~# certbot renew
root@HAProxy:~# rm /etc/haproxy/certs/nekrofage.hacklab.fr.pem
root@HAProxy:~# cat /etc/letsencrypt/live/nekrofage.hacklab.fr/fullchain.pem /etc/letsencrypt/live/nekrofage.hacklab.fr/privkey.pem > /etc/haproxy/certs/nekrofage.hacklab.fr.pem
root@HAProxy:~# service haproxy start