Step-by-step instructions for using the Hailbytes VPN with the Firezone GUI are provided here.
Administration: Setting up the server instance relates directly to this section.
User Guides: Helpful documents that teach you how to use Firezone and resolve common issues. Refer to this section once the server has been successfully deployed.
Split Tunneling: Use the VPN to send traffic only to specific IP ranges.
Whitelisting: Set a static IP address for the VPN server so that whitelisting can be used.
Reverse Tunnels: Create tunnels between peers using reverse tunnels.
We are happy to help if you need assistance installing, configuring, or using Hailbytes VPN.
Before users can generate or download device configuration files, Firezone can be configured to require authentication. Users may also be required to re-authenticate periodically to keep their VPN connection active.
Although Firezone's default sign-in method is local email and password, it can also be integrated with any OpenID Connect (OIDC) identity provider. Users can then sign in to Firezone using their Okta, Google, Azure AD, or custom identity-provider credentials.
Integrating a Generic OIDC Provider
The configuration settings Firezone needs to enable SSO through an OIDC provider are shown in the example below. The configuration file is located at /etc/firezone/firezone.rb. Run firezone-ctl reconfigure and firezone-ctl restart to update the application and apply the changes.
# This is an example using Google and Okta as SSO identity providers.
# Multiple OIDC configs can be added to the same Firezone instance.
# Firezone can disable a user's VPN if an error is detected while trying
# to refresh their access_token. This is verified to work for Google, Okta, and
# Azure SSO and is used to automatically disconnect a user's VPN if they are removed
# from the OIDC provider. Leave this disabled if your OIDC provider
# has issues refreshing access tokens, as it could unexpectedly interrupt a
# user's VPN session.
default['firezone']['authentication']['disable_vpn_on_oidc_error'] = false
default['firezone']['authentication']['oidc'] = {
  google: {
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    client_id: "",      # fill in the Client ID issued by Google
    client_secret: "",  # fill in the Client Secret issued by Google
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  },
  okta: {
    # <okta_domain> is a placeholder for your Okta domain
    discovery_document_uri: "https://<okta_domain>/.well-known/openid-configuration",
    client_id: "",      # fill in the Client ID issued by Okta
    client_secret: "",  # fill in the Client Secret issued by Okta
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Okta"
  }
}
The following configuration settings are required for the integration:
For each OIDC provider, a corresponding redirect URI must be configured for the redirect back from the provider's sign-in URL. For the example OIDC config above, the URLs are:
We have documentation for:
If your identity provider supports generic OIDC and is not listed above, please consult its documentation for how to retrieve the required configuration settings.
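As an added example (not part of Firezone or of this page's own configuration), the Python below checks provider entries shaped like the firezone.rb hash above before firezone-ctl reconfigure is run: every key filled in, an https discovery document ending in /.well-known/openid-configuration, a redirect_uri of the form https://<instance>/auth/oidc/<provider>/callback/, the authorization-code response_type, and whether the scope carries offline_access (needed for the refresh token that lets Firezone disconnect a user removed at the provider). The instance URL and all provider values are constructed samples.

```python
"""Sanity-check OIDC provider entries before running firezone-ctl reconfigure.

Added example, not Firezone's code. The dicts mirror the keys of the
default['firezone']['authentication']['oidc'] hash shown above; EXTERNAL_URL
and the provider values are constructed samples.
"""
from urllib.parse import urlparse

EXTERNAL_URL = "https://instance-id.yourfirezone.com"   # the instance's public URL (sample)
REQUIRED_KEYS = ("discovery_document_uri", "client_id", "client_secret",
                 "redirect_uri", "response_type", "scope", "label")
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def expected_redirect_uri(provider_key, external_url=EXTERNAL_URL):
    """Callback the provider must redirect to: https://<instance>/auth/oidc/<provider>/callback/."""
    return f"{external_url.rstrip('/')}/auth/oidc/{provider_key}/callback/"


def check_provider(provider_key, cfg, external_url=EXTERNAL_URL):
    """Return a list of problems for one provider entry; an empty list means it looks sane."""
    problems = []
    for key in REQUIRED_KEYS:
        if not str(cfg.get(key, "")).strip():
            problems.append(f"{provider_key}: {key} is empty or missing")
    disc = str(cfg.get("discovery_document_uri", ""))
    parsed = urlparse(disc)
    if parsed.scheme != "https" or not parsed.netloc or " " in disc:
        problems.append(f"{provider_key}: discovery_document_uri must be an https URL with a host")
    if not disc.endswith(DISCOVERY_SUFFIX):
        problems.append(f"{provider_key}: discovery_document_uri must end with {DISCOVERY_SUFFIX}")
    expected = expected_redirect_uri(provider_key, external_url)
    if cfg.get("redirect_uri") != expected:
        problems.append(f"{provider_key}: redirect_uri should be {expected}")
    if cfg.get("response_type") != "code":
        problems.append(f"{provider_key}: response_type must be 'code' (authorization code flow)")
    if "openid" not in str(cfg.get("scope", "")).split():
        problems.append(f"{provider_key}: scope must include 'openid'")
    return problems


def missing_offline_access(providers):
    """Provider keys whose scope lacks offline_access.

    Without it the provider issues no refresh token, so Firezone cannot notice a
    user removed at the provider and disconnect their VPN.
    """
    return sorted(k for k, cfg in providers.items()
                  if "offline_access" not in str(cfg.get("scope", "")).split())


# Constructed sample: a complete Okta entry and a Google entry with two mistakes.
SAMPLE_PROVIDERS = {
    "okta": {
        "discovery_document_uri": "https://sample-org.okta.com" + DISCOVERY_SUFFIX,
        "client_id": "sample-okta-client-id",
        "client_secret": "sample-okta-client-secret",
        "redirect_uri": "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
        "response_type": "code",
        "scope": "openid email profile offline_access",
        "label": "Okta",
    },
    "google": {
        "discovery_document_uri": "https://accounts.google.com" + DISCOVERY_SUFFIX,
        "client_id": "",                                   # left blank: flagged
        "client_secret": "sample-google-client-secret",
        "redirect_uri": "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",  # wrong provider segment
        "response_type": "code",
        "scope": "openid email profile",
        "label": "Google",
    },
}

if __name__ == "__main__":
    for name, entry in SAMPLE_PROVIDERS.items():
        for problem in check_provider(name, entry):
            print(problem)
    print("no offline_access:", missing_offline_access(SAMPLE_PROVIDERS))
```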
Periodic re-authentication can be enabled by changing the setting under settings/security. This can be used to enforce the requirement that users sign in to Firezone regularly in order to keep their VPN session active.
The session length can be configured between one hour and ninety days. Setting it to Never allows VPN sessions of unlimited length. This is the default.
To re-authenticate an expired VPN session, the user must end their VPN session and sign in to the Firezone portal (the URL specified during deployment).
You can re-authenticate your session by following the exact client instructions found here.
VPN Connection Status
The VPN Connection column of the users table on the Users page shows a user's connection status. These are the connection statuses:
ENABLED - The connection is enabled.
DISABLED - The connection has been disabled by an administrator or by an OIDC refresh failure.
EXPIRED - The connection is disabled because authentication has expired or the user has not signed in for the first time.
Through its generic OIDC connector, Firezone enables Single Sign-On (SSO) with Google Workspace and Cloud Identity. This guide will show you how to obtain the configuration settings listed below, which are required for the integration:
1. OAuth Config Screen
If this is the first time you are creating a new OAuth client ID, you will be asked to configure a consent screen.
* Select Internal for the user type. This ensures that only accounts belonging to users in your Google Workspace organization can create device configs. DO NOT select External unless you want to allow anyone with a Google account to create device configs.
On the App information screen:
2. Create OAuth Client ID
This section is based on Google's own documentation on setting up OAuth 2.0.
Visit the Google Cloud Console Credentials page, click + Create Credentials, and select OAuth client ID.
On the OAuth client ID creation screen:
After creating the OAuth client ID, you will be given a Client ID and Client Secret. These will be used together with the redirect URI in the next step.
Edit /etc/firezone/firezone.rb to include the options below:
# Fa'aaogā Google e fai ma fa'asinomaga SSO
default['firezone']['fa'amaoni']['oidc'] = {
google: {
discovery_document_uri: “https://accounts.google.com/.well-known/openid-configuration”,
client_id: “ ”,
client_secret: “ ”,
redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
response_type: “code”,
lautele: "talatala imeli tatala",
igoa: “Google”
}
}
Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Google button at the root Firezone URL.
Firezone uses its generic OIDC connector to facilitate Single Sign-On (SSO) with Okta. This tutorial will show you how to obtain the configuration settings listed below, which are required for the integration:
This section of the guide is based on Okta's documentation.
In the Admin Console, go to Applications > Applications and click Create App Integration. Set the sign-in method to OIDC - OpenID Connect and the application type to Web Application.
Configure the following settings:
Once the settings are saved, you will be given a Client ID, Client Secret, and Okta Domain. These 3 values will be used in Step 2 to configure Firezone.
Edit /etc/firezone/firezone.rb to include the options below. Your discovery_document_url will be /.well-known/openid-configuration appended to the end of your okta_domain.
# Using Okta as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  okta: {
    # <okta_domain> is a placeholder for the Okta Domain from the previous step
    discovery_document_uri: "https://<okta_domain>/.well-known/openid-configuration",
    client_id: "",      # fill in the Client ID from the previous step
    client_secret: "",  # fill in the Client Secret from the previous step
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Okta"
  }
}
Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Okta button at the root Firezone URL.
The users who can access the Firezone app can be restricted by Okta. Go to the Assignments page of the Firezone App Integration in your Okta Admin Console to do this.
Through its generic OIDC connector, Firezone enables Single Sign-On (SSO) with Azure Active Directory. This tutorial will show you how to obtain the configuration settings listed below, which are required for the integration:
This guide is drawn from the Azure Active Directory Docs.
Go to the Azure portal's Azure Active Directory page. Select the Manage menu option, select New Registration, then register by providing the information below:
After registering, open the application's details view and copy the Application (client) ID. This is the client_id value. Next, open the Endpoints menu to retrieve the OpenID Connect metadata document. This is the discovery_document_uri value.
Create a new client secret by clicking the Certificates & secrets option under the Manage menu. Copy the client secret; this will be the client_secret value.
Lastly, select the API permissions link under the Manage menu, click Add a permission, select Microsoft Graph, and add email, openid, offline_access, and profile to the required permissions.
Edit /etc/firezone/firezone.rb to include the options below:
# Using Azure Active Directory as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  azure: {
    # <tenant_id> is a placeholder; use the metadata document URL from the Endpoints menu
    discovery_document_uri: "https://login.microsoftonline.com/<tenant_id>/v2.0/.well-known/openid-configuration",
    client_id: "",      # fill in the Application (client) ID
    client_secret: "",  # fill in the client secret
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/azure/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Azure"
  }
}
Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Azure button at the root Firezone URL.
Azure AD allows administrators to restrict app access to a specific group of users within your company. More information on how to do this can be found in Microsoft's documentation.
Firezone uses Chef Omnibus to manage tasks including package release, process supervision, log management, and more.
Ruby code makes up the primary configuration file, located at /etc/firezone/firezone.rb. Running sudo firezone-ctl reconfigure after making changes to this file causes Chef to recognize the changes and apply them to the current system.
See the configuration file reference for a complete list of configuration variables and their descriptions.
Your Firezone instance can be managed via the firezone-ctl command, as shown below. Most subcommands require prefixing with sudo.
root@demo:~# firezone-ctl
omnibus-ctl: command (subcommand)
General Commands:
  cleanse
    Delete *all* firezone data, and start from scratch.
  create-or-reset-admin
    Resets the password for the admin with the email specified by default['firezone']['admin_email'] or creates a new admin if that email doesn't exist.
  help
    Print this help message.
  reconfigure
    Reconfigure the application.
  reset-network
    Resets nftables, WireGuard interface, and routing table back to Firezone defaults.
  show-config
    Show the configuration that would be generated by reconfigure.
  teardown-network
    Removes WireGuard interface and firezone nftables table.
  force-cert-renewal
    Force certificate renewal now even if it hasn't expired.
  stop-cert-renewal
    Removes cronjob that renews certificates.
  uninstall
    Kill all processes and uninstall the process supervisor (data will be preserved).
  version
    Display current version of Firezone
Service Management Commands:
  graceful-kill
    Attempt a graceful stop, then SIGKILL the entire process group.
  hup
    Send the services a HUP.
  int
    Send the services an INT.
  kill
    Send the services a KILL.
  once
    Start the services if they are down. Do not restart them if they stop.
  restart
    Stop the services if they are running, then start them again.
  service-list
    List all the services (enabled services appear with a *.)
  start
    Start services if they are down, and restart them if they stop.
  status
    Show the status of all the services.
  stop
    Stop the services, and do not restart them.
  tail
    Watch the service logs of all enabled services.
  term
    Send the services a TERM.
  usr1
    Send the services a USR1.
  usr2
    Send the services a USR2.
All VPN sessions must be terminated before upgrading Firezone, which also requires shutting down the Web UI. In case anything goes wrong during the upgrade, we recommend allowing an hour for maintenance.
To upgrade Firezone, take the following steps:
If any issues arise, please let us know by submitting a support ticket.
There are a few breaking changes and configuration changes in 0.5.0 that need to be addressed. Find out more below.
Nginx no longer supports the force-SSL and non-SSL port parameters as of version 0.5.0. Since Firezone requires SSL to function, we recommend removing the bundled Nginx service by setting default['firezone']['nginx']['enabled'] = false and pointing your reverse proxy at the Phoenix app on port 13000 instead (the default).
0.5.0 introduces ACME protocol support for automatic renewal of SSL certificates with the bundled Nginx service. To enable it,
The ability to add custom rules with overlapping destinations has been removed in Firezone 0.5.0. Our migration script will automatically detect these cases during the upgrade to 0.5.0 and keep only the rules whose destination contains the other rule. You don't need to do anything if this is acceptable.
Otherwise, before upgrading, we recommend changing your ruleset to eliminate these cases.
Firezone 0.5.0 removes support for the legacy Okta and Google SSO configuration in favor of the new, more flexible OIDC-based configuration.
If you have any configuration under the default['firezone']['authentication']['okta'] or default['firezone']['authentication']['google'] keys, you need to migrate it to our OIDC-based configuration using the guide below.
Google OAuth configuration
Remove the following lines containing the legacy Google OAuth configs from your configuration file located at /etc/firezone/firezone.rb
default['firezone']['authentication']['google']['enabled']
default['firezone']['authentication']['google']['client_id']
default['firezone']['authentication']['google']['client_secret']
default['firezone']['authentication']['google']['redirect_uri']
Then, configure Google as an OIDC provider by following the procedure here.
Okta OAuth configuration
Remove the following lines containing the legacy Okta OAuth configs from your configuration file located at /etc/firezone/firezone.rb
default['firezone']['authentication']['okta']['enabled']
default['firezone']['authentication']['okta']['client_id']
default['firezone']['authentication']['okta']['client_secret']
default['firezone']['authentication']['okta']['site']
Then, configure Okta as an OIDC provider by following the procedure here.
Depending on your setup and the version you are currently on, follow the instructions below:
If you already have an OIDC integration:
For some OIDC providers, upgrading to >= 0.3.16 requires obtaining a refresh token for offline access. Doing this keeps Firezone in sync with the identity provider and terminates the VPN connection after a user is deleted. Earlier versions of Firezone lacked this feature. In some cases, users who have been deleted from your identity provider may still be connected to the VPN.
The offline_access scope must be included in the scope parameter of your OIDC configuration for OIDC providers that support the offline_access scope. firezone-ctl reconfigure must be run to apply changes to the Firezone configuration file, located at /etc/firezone/firezone.rb.
For users who have been authenticated by your OIDC provider, you will see the OIDC Connections heading on the user details page of the web UI if Firezone was able to retrieve the refresh token successfully.
If this doesn't work, you will need to delete your existing OAuth app and repeat the OIDC setup steps to create a new app integration.
I have an existing OAuth integration
Prior to 0.3.11, Firezone used pre-configured OAuth2 providers.
Follow the instructions here to migrate to OIDC.
I have not integrated an identity provider
No action required.
You can follow the instructions here to enable SSO through an OIDC provider.
The configuration option default['firezone']['fqdn'] has been replaced by default['firezone']['external_url'].
Set this to the URL of your Firezone online portal that is accessible to the general public. It defaults to https:// plus the FQDN of your server if left undefined.
The configuration file is located at /etc/firezone/firezone.rb. See the configuration file reference for a complete list of configuration variables and their descriptions.
Firezone no longer stores device private keys on the Firezone server as of version 0.3.0.
The Firezone Web UI will not allow you to re-download or view these configurations, but any existing devices should continue to work as they are.
If you are upgrading from Firezone 0.1.x, there are a few configuration file changes that need to be applied manually.
To make the necessary changes to your /etc/firezone/firezone.rb file, run the commands below as root.
cp /etc/firezone/firezone.rb /etc/firezone/firezone.rb.bak
sed -i "s/\['enable'\]/\['enabled'\]/" /etc/firezone/firezone.rb
echo "default['firezone']['connectivity_checks']['enabled'] = true" >> /etc/firezone/firezone.rb
echo "default['firezone']['connectivity_checks']['interval'] = 3_600" >> /etc/firezone/firezone.rb
firezone-ctl reconfigure
firezone-ctl restart
Checking Firezone's logs is a wise first step for any issue that may arise.
Run sudo firezone-ctl tail to view the Firezone logs.
Most connectivity issues with Firezone are caused by incompatible iptables or nftables rules. You must ensure that any rules you have in effect do not conflict with Firezone's rules.
If your Internet connection drops whenever you activate your WireGuard tunnel, make sure the FORWARD chain allows packets from your WireGuard clients to the destinations you want to route through Firezone.
If you are using ufw, this can be achieved by ensuring the default routed policy is set to allow:
ubuntu@fz:~$ sudo ufw default allow routed
Default routed policy changed to 'allow'
(be sure to update your rules accordingly)
A ufw status for a typical Firezone server might look like this:
ubuntu@fz:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)
We recommend limiting network access for the most sensitive and production deployments, as explained below.
Service    | Default Port | Listen Address | Description
-----------|--------------|----------------|------------
Nginx      | 80, 443      | all            | Public HTTP(S) port for administering Firezone and facilitating authentication.
WireGuard  | 51820        | all            | Public WireGuard port used for VPN sessions. (UDP)
Postgresql | 15432        | 127.0.0.1      | Local-only port used for the bundled Postgresql server.
Phoenix    | 13000        | 127.0.0.1      | Local-only port used by the upstream Elixir app server.
For production and public-facing deployments where a single administrator will be responsible for creating and distributing device configurations to end users, we recommend considering limiting access to Firezone's publicly exposed web UI (ports 443/tcp and 80/tcp by default) and instead using the WireGuard tunnel to manage Firezone.
For example, if an administrator created a device configuration and established a tunnel with the local WireGuard address 10.3.2.2, the ufw configuration below would allow the administrator to access the Firezone web UI on the server's wg-firezone interface using the default 10.3.2.1 tunnel address:
root@demo:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
Anywhere                   ALLOW IN    10.3.2.2
22/tcp (v6)                ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)
This leaves only 22/tcp exposed for SSH access to manage the server (optional), and 51820/udp exposed so that WireGuard tunnels can be established.
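The two ufw listings above differ only in whether 80/tcp and 443/tcp are open to Anywhere. As an added example (not from the Firezone project), the Python below parses `ufw status verbose` output into rules and reports whether the web UI is publicly reachable, whether the routed policy is allow, whether the WireGuard port is still reachable, and which sources are allowed in to all ports (the administrator's tunnel address in the locked-down case). The two status texts are constructed samples that mirror the listings above.

```python
"""Audit a `ufw status verbose` listing for a Firezone host.

Added example, not Firezone's code. The two status texts below are
constructed samples that mirror the open and locked-down listings above.
"""
import re

UFW_STATUS_OPEN = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)
"""

UFW_STATUS_LOCKED = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
Anywhere                   ALLOW IN    10.3.2.2
22/tcp (v6)                ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)
"""

# One rule line: "<to> <ACTION> <IN|OUT> <from>"; <to> and <from> may carry a " (v6)" suffix.
RULE_RE = re.compile(
    r"^(?P<to>\S+(?: \(v6\))?)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+"
    r"(?P<direction>IN|OUT)\s+(?P<src>\S+(?: \(v6\))?)\s*$"
)
WEB_UI_PORTS = {"80/tcp", "443/tcp"}
WIREGUARD_PORT = "51820/udp"


def parse_rules(status_text):
    """Return the rule lines of a listing as dicts; header and policy lines are skipped."""
    rules = []
    for line in status_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def default_policies(status_text):
    """Parse the 'Default:' line into {'incoming': ..., 'outgoing': ..., 'routed': ...}."""
    m = re.search(r"^Default:\s*(.+)$", status_text, re.MULTILINE)
    policies = {}
    if m:
        for policy, name in re.findall(r"(\w+) \((\w+)\)", m.group(1)):
            policies[name] = policy
    return policies


def _strip_v6(token):
    return token.replace(" (v6)", "")


def audit(status_text):
    """Summarise what the listing exposes to the public Internet."""
    rules = parse_rules(status_text)
    allowed_in = [r for r in rules if r["action"] == "ALLOW" and r["direction"] == "IN"]
    public = [r for r in allowed_in if _strip_v6(r["src"]) == "Anywhere"]
    return {
        # allow (routed) is what lets forwarded WireGuard client traffic through
        "routed_allowed": default_policies(status_text).get("routed") == "allow",
        # 80/443 reachable from Anywhere means the admin UI is on the public Internet
        "web_ui_public": any(_strip_v6(r["to"]) in WEB_UI_PORTS for r in public),
        # WireGuard must stay publicly reachable or no tunnel can be established
        "wireguard_public": any(_strip_v6(r["to"]) == WIREGUARD_PORT for r in public),
        # sources allowed in to every port, e.g. the admin's tunnel address 10.3.2.2
        "all_ports_sources": sorted(
            r["src"] for r in allowed_in if r["to"] == "Anywhere" and r["src"] != "Anywhere"
        ),
    }


if __name__ == "__main__":
    print("open:  ", audit(UFW_STATUS_OPEN))
    print("locked:", audit(UFW_STATUS_LOCKED))
```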
Firezone bundles a Postgresql server and the matching psql utility, which can be used from the local shell like so:
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SQL_STATEMENT"
This can be helpful for debugging purposes.
Common tasks:
List all users:
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SELECT * FROM users;"
List all devices:
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SELECT * FROM devices;"
Change a user's role:
Set the role to 'admin' or 'unprivileged':
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "UPDATE users SET role = 'admin' WHERE email = 'user@example.com';"
Backing up the database:
In addition, the pg_dump program is included, which can be used to take regular backups of the database. Run the following command to dump a copy of the database in the common SQL query format (replace /path/to/backup.sql with the location where the SQL file should be created):
/opt/firezone/embedded/bin/pg_dump \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 > /path/to/backup.sql
After successfully deploying Firezone, you must add users to grant them access to your network. The Web UI is used to do this.
By selecting the "Add User" button under /users, you can add a user. You will be required to give the user an email address and a password. To automatically grant access to users in your organization, Firezone can also interface and sync with an identity provider. More details can be found in Authenticate.
We recommend asking users to generate their own device configurations so that only they know the private key. Users can generate their own device configurations by following the instructions on the Client Instructions page.
All device configurations can be generated by Firezone administrators. On the user profile page located at /users, select the "Add Device" option to do this.
[Insert screenshot]
You can email the user the WireGuard configuration file after creating the device configuration.
Users are associated with devices. For more details on adding a user, see Add Users.
By using the kernel's netfilter system, Firezone provides egress filtering capability to specify DROP or ACCEPT for packets. All traffic is allowed by default.
IPv4 and IPv6 CIDRs and IP addresses are supported via the Allowlist and Denylist, respectively. You can choose to scope a rule to a user when adding it, which applies the rule to all of that user's devices.
Install and Configure
To establish a VPN connection using the native WireGuard client, see this guide.
The official WireGuard clients listed here are compatible with Firezone:
Visit the official WireGuard website at https://www.wireguard.com/install/ for operating systems not mentioned above.
Either your Firezone administrator or you yourself can generate the device configuration file using the Firezone portal.
Visit the URL provided by your Firezone administrator to self-generate a device configuration file. Your company will have a unique URL for this; in this case, it is https://instance-id.yourfirezone.com.
Firezone Okta SSO Login
[Insert screenshot]
Import the .conf file into the WireGuard client by opening it. By toggling the Activate switch, you can start a VPN session.
[Insert screenshot]
Follow the instructions below if your network administrator has mandated periodic re-authentication to keep your VPN connection active.
You need:
Firezone portal's URL: Ask your network administrator for the link.
Your network administrator should be able to provide your login and password. The Firezone site will prompt you to log in using the single sign-on service used by your employer (such as Google or Okta).
[Insert screenshot]
Go to the Firezone portal's URL and sign in using the credentials provided by your network administrator. If you are already signed in, click the Reauthenticate button before signing in again.
[Insert screenshot]
[Insert screenshot]
To import the WireGuard configuration file using the Network Manager CLI (nmcli) on Linux devices, follow these instructions.
If the profile has IPv6 support enabled, attempting to import the configuration file using the Network Manager GUI may fail with the following error:
ipv6.method: method "auto" is not supported for WireGuard
The WireGuard userspace utilities need to be installed. On Linux distributions this is a package called wireguard or wireguard-tools.
For Ubuntu/Debian:
sudo apt install wireguard
For Fedora:
sudo dnf install wireguard-tools
Arch Linux:
sudo pacman -S wireguard-tools
Visit the official WireGuard website at https://www.wireguard.com/install/ for distributions not mentioned above.
Either your Firezone administrator or you yourself can generate the device configuration file using the Firezone portal.
Visit the URL provided by your Firezone administrator to self-generate a device configuration file. Your company will have a unique URL for this; in this case, it is https://instance-id.yourfirezone.com.
[Insert screenshot]
Import the provided configuration file using nmcli:
sudo nmcli connection import type wireguard file /path/to/configuration.conf
The name of the configuration file will correspond to the WireGuard connection/interface. After importing, the connection can be renamed if necessary:
nmcli connection modify [old name] connection.id [new name]
Via the command line, connect to the VPN as shown below:
nmcli connection up [vpn name]
To disconnect:
nmcli connection down [vpn name]
The appropriate Network Manager applet can also be used to manage the connection if a GUI is in use.
By selecting "yes" for the autoconnect option, the VPN connection can be configured to connect automatically:
nmcli connection modify [vpn name] connection.autoconnect yes
To disable automatic connection, set it back to no:
nmcli connection modify [vpn name] connection.autoconnect no
To enable MFA, go to the Firezone portal's /user_account/register_mfa page. Use your authenticator app to scan the QR code after it is generated, then enter the six-digit code.
Contact your administrator to reset your account access information if you lose your authenticator app.
This tutorial will walk you through the process of setting up WireGuard's split tunneling feature with Firezone so that only traffic to specific IP ranges is forwarded through the VPN server.
The IP ranges used by a client's network traffic are set in the Allowed IPs field located on the /settings/default page. Only newly generated WireGuard tunnel configurations produced by Firezone will be affected by changes to this field.
[Insert screenshot]
The default value is 0.0.0.0/0, ::/0, which routes all network traffic from the client to the VPN server.
Examples of values in this field include:
0.0.0.0/0, ::/0 - all network traffic will be routed to the VPN server.
192.0.2.3/32 - only traffic to a single IP address will be routed to the VPN server.
3.5.140.0/22 - only traffic to IPs in the 3.5.140.1 - 3.5.143.254 range will be routed to the VPN server. In this example, the CIDR for the ap-northeast-2 AWS region was used.
Firezone selects the egress interface associated with the most specific route first when determining where to route a packet.
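As an added example (not Firezone's code), the Python below uses the standard-library ipaddress module to model the Allowed IPs behaviour described above: whether a destination falls inside the configured ranges, the usable host range of a block such as 3.5.140.0/22, and a longest-prefix match over a small routing table showing why a more specific route wins over 0.0.0.0/0. The routing table and interface names are constructed samples.

```python
"""Model of the Allowed IPs / most-specific-route behaviour described above.

Added example, not Firezone's code: the ipaddress standard-library module does the
prefix arithmetic; the routing table and interface names are constructed samples.
"""
import ipaddress


def parse_allowed_ips(field):
    """Parse an Allowed IPs field such as "0.0.0.0/0, ::/0" into network objects."""
    return [ipaddress.ip_network(tok.strip(), strict=False)
            for tok in field.split(",") if tok.strip()]


def goes_through_tunnel(dest, allowed):
    """True when dest falls inside any Allowed IPs entry of the same address family."""
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in allowed if net.version == addr.version)


def usable_host_range(cidr):
    """First and last usable host of a block, e.g. 3.5.140.0/22 -> 3.5.140.1 .. 3.5.143.254."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())   # excludes the network and broadcast addresses
    return str(hosts[0]), str(hosts[-1])


def egress_interface(dest, routes):
    """Longest-prefix match: among the routes containing dest, the most specific one wins.

    routes is a list of (cidr, interface) pairs; returns the interface name or None.
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None


# Constructed sample: a client with the full-tunnel default and a LAN route on eth0.
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "wg-firezone"),     # Firezone's default Allowed IPs
    ("::/0", "wg-firezone"),
    ("192.168.1.0/24", "eth0"),       # local LAN, more specific than the default route
]

if __name__ == "__main__":
    split = parse_allowed_ips("3.5.140.0/22, 192.0.2.3/32")
    print(goes_through_tunnel("3.5.141.7", split), goes_through_tunnel("8.8.8.8", split))
    print(usable_host_range("3.5.140.0/22"))
    print(egress_interface("192.168.1.10", SAMPLE_ROUTES), egress_interface("8.8.8.8", SAMPLE_ROUTES))
```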
Users must regenerate their configuration files and add them to their native WireGuard client to update existing user devices with the new tunnel configuration.
For instructions, see Add Devices.
This guide demonstrates how to connect two devices using Firezone as a relay. One typical use case is enabling an administrator to reach a server, container, or machine that sits behind a NAT or firewall.
This example shows a simple scenario in which Device A and Device B establish a tunnel.
[Firezone architecture diagram]
Start by creating Device A and Device B by navigating to /users/[user_id]/new_device. In the settings for each device, ensure the following parameters are set to the values listed below. You can set device settings when creating the device config (see Add Devices). If you need to update the settings of an existing device, do so by generating a new device config.
Note that all devices have a /settings/default page where PersistentKeepalive can be configured.
Device A
AllowedIPs = 10.3.2.2/32
This is the IP, or range of IPs, of Device B.
PersistentKeepalive = 25
If the device is behind a NAT, this ensures it can keep the tunnel alive and continue to receive packets from the WireGuard interface. Usually a value of 25 is sufficient, but you may need to decrease it depending on your environment.
Device B
AllowedIPs = 10.3.2.3/32
This is the IP, or range of IPs, of Device A.
PersistentKeepalive = 25
This example shows a scenario in which Device A can communicate with Devices B through D in both directions. This setup could represent an engineer or administrator accessing numerous resources (servers, containers, or machines) across different networks.
[Architecture diagram]
Ensure the following settings are set to the corresponding values in the configuration of each device. You can set device settings when creating the device config (see Add Devices). Generate a new device config if the settings of an existing device need to be updated.
Device A (administrator node)
AllowedIPs = 10.3.2.3/32, 10.3.2.4/32, 10.3.2.5/32
These are the IPs of Devices B through D. The IPs of Devices B through D must be included in whatever IP range you choose to set.
PersistentKeepalive = 25
This guarantees that the device can maintain the tunnel and continue to receive packets from the WireGuard interface even when it is behind a NAT. In most cases a value of 25 is sufficient, but depending on your environment you may need to lower it.
Firezone can be used as a NAT gateway to provide a single, static egress IP for all of your team's traffic. Common uses include:
Consulting engagements: ask your client to whitelist a single static IP address rather than each employee's unique device IP.
Acting as a proxy, or masking your source IP, for security or privacy reasons.
This post demonstrates a simple example: restricting access to a self-hosted web application to a single whitelisted static IP belonging to a Firezone server. In this example, Firezone and the protected resource are in different VPCs.
This solution is commonly used in place of managing an IP whitelist for many end users, which becomes time-consuming as the access list grows.
Our aim is to set up a Firezone server on an EC2 instance that relays VPN traffic to the restricted resource. In this role Firezone acts as a network proxy or NAT gateway, giving every connected device the same public egress IP.
In this case, the EC2 instance named tc2.micro has a Firezone instance installed on it. For details on deploying Firezone, see the Deployment Guide. On the AWS side, make sure that:
The security group of the Firezone EC2 instance permits outbound traffic to the protected resource's IP address.
The Firezone instance has a static IP attached. Traffic sent through the Firezone instance to external destinations will have this as its source IP address. The IP address in question is 52.202.88.54.
A self-hosted web server acts as the protected resource in this case. Only requests coming from the IP address 52.202.88.54 can reach the web server. Depending on the resource, inbound traffic may need to be allowed on various ports and for various traffic types; that is not covered in this guide.
Tell the third party in control of the protected resource that traffic from the static IP defined in Step 1 (52.202.88.54 in this case) must be allowed.
By default, all user traffic passes through the VPN server and arrives from the static IP configured in Step 1 (52.202.88.54 in this case). However, if split tunneling is enabled, the device configuration must be checked to ensure the protected resource's destination IP is covered by AllowedIPs; otherwise that traffic bypasses the tunnel and arrives from the device's own IP.
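The two things that go wrong in practice with the split-tunneling and NAT-gateway setups above are easy to check mechanically: a destination that no peer's AllowedIPs covers never enters the tunnel (WireGuard's cryptokey routing), and a reverse-tunnel device behind NAT with PersistentKeepalive left at 0 stops being reachable once the NAT mapping expires. The script below is an added example and is not code from Firezone or its documentation. SAMPLE_CONFIG is constructed to look like a Firezone-generated device config: the tunnel addresses follow Firezone's default 10.3.2.0/24 pool, the endpoint reuses the 52.202.88.54 static IP from this walkthrough, 192.0.2.3 is the split-tunnel example address, and the keys are placeholders.

```python
"""Check a WireGuard device config for two Firezone deployment caveats:
 - is a given destination covered by some peer's AllowedIPs (so it is
   routed through the tunnel and leaves with the gateway's static IP)?
 - is PersistentKeepalive set when the device sits behind NAT?
Added example; constructed sample config, not Firezone's own code."""
import ipaddress
from typing import Dict, List

SAMPLE_CONFIG = """\
[Interface]
PrivateKey = <redacted>
Address = 10.3.2.2/32
DNS = 1.1.1.1
MTU = 1280

[Peer]
PublicKey = <redacted>
# split tunnel: only the VPN pool and one /32 go through Firezone
AllowedIPs = 10.3.2.0/24, 192.0.2.3/32
Endpoint = 52.202.88.54:51820
PersistentKeepalive = 0
"""


def parse_wg_config(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Parse an INI-style WireGuard config into {section: [settings, ...]}.
    A device config has one [Interface] and one or more [Peer] sections."""
    sections: Dict[str, List[Dict[str, str]]] = {"Interface": [], "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.setdefault(line[1:-1], []).append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections


def allowed_networks(peer: Dict[str, str]) -> list:
    """AllowedIPs of one peer as ip_network objects (host bits tolerated)."""
    raw = peer.get("AllowedIPs", "")
    return [ipaddress.ip_network(cidr.strip(), strict=False)
            for cidr in raw.split(",") if cidr.strip()]


def routed_via_tunnel(config_text: str, destination: str) -> bool:
    """True if some peer's AllowedIPs covers `destination`.  WireGuard only
    hands a packet to a peer whose AllowedIPs contains the destination, so
    an address missing here is sent out the device's normal interface."""
    dest = ipaddress.ip_address(destination)
    return any(dest in net  # v4 address in v6 network (or vice versa) is False
               for peer in parse_wg_config(config_text)["Peer"]
               for net in allowed_networks(peer))


def keepalive_problems(config_text: str, behind_nat: bool = True) -> List[str]:
    """Peers whose PersistentKeepalive is unset or 0 while the device is
    behind NAT: the NAT mapping expires and the other side can no longer
    initiate traffic to us (the reverse-tunnel failure mode)."""
    if not behind_nat:
        return []
    problems = []
    for index, peer in enumerate(parse_wg_config(config_text)["Peer"]):
        keepalive = int(peer.get("PersistentKeepalive", "0") or "0")
        if keepalive <= 0:
            problems.append(
                f"peer {index}: PersistentKeepalive is {keepalive}; set it to 25")
    return problems


def check(config_text: str, destinations: List[str],
          behind_nat: bool = True) -> List[str]:
    """Findings for a config and the destinations it must reach via Firezone."""
    findings = [f"{dest} is not covered by any AllowedIPs; add it or it bypasses the tunnel"
                for dest in destinations if not routed_via_tunnel(config_text, dest)]
    return findings + keepalive_problems(config_text, behind_nat)


if __name__ == "__main__":
    # 192.0.2.4 is deliberately outside the sample's AllowedIPs
    for finding in check(SAMPLE_CONFIG, ["192.0.2.3", "192.0.2.4"]):
        print(finding)
```

Run it against the config Firezone generated for the device, with the protected resource's address in `destinations`; an empty result means the resource will be reached from the gateway's static IP and the tunnel will survive NAT timeouts.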
Below is a complete list of the configuration options available in /etc/firezone/firezone.rb.
Option | Description | Default value |
default['firezone']['external_url'] | URL used to access the web portal of this Firezone instance. | "https://#{node['fqdn'] || node['hostname']}" |
default['firezone']['config_directory'] | Top-level directory for Firezone configuration. | '/etc/firezone' |
default['firezone']['install_directory'] | Top-level directory Firezone is installed into. | '/opt/firezone' |
default['firezone']['app_directory'] | Top-level directory the Firezone web application is installed into. | "#{node['firezone']['install_directory']}/embedded/service/firezone" |
default['firezone']['log_directory'] | Top-level directory for Firezone logs. | '/var/log/firezone' |
default['firezone']['var_directory'] | Top-level directory for Firezone runtime files. | '/var/opt/firezone' |
default['firezone']['user'] | Name of the unprivileged Linux user most services and files belong to. | 'firezone' |
default['firezone']['group'] | Name of the Linux group most services and files belong to. | 'firezone' |
default['firezone']['admin_email'] | Email address of the initial Firezone user. | "firezone@localhost" |
default['firezone']['max_devices_per_user'] | Maximum number of devices a user can have. | 10 |
default['firezone']['allow_unprivileged_device_management'] | Allow non-admin users to create and delete devices. | true |
default['firezone']['allow_unprivileged_device_configuration'] | Allow non-admin users to modify device configuration. When disabled, prevents unprivileged users from changing all device fields except the name and description. | true |
default['firezone']['egress_interface'] | Name of the interface through which outbound traffic leaves. If nil, the default route interface is used. | nil |
default['firezone']['fips_enabled'] | Enable or disable OpenSSL FIPS mode. | nil |
default['firezone']['logging']['enabled'] | Enable or disable logging across Firezone. Set to false to disable logging entirely. | true |
default['enterprise']['name'] | Name used by the Chef 'enterprise' cookbook. | 'firezone' |
default['firezone']['install_path'] | Install path used by the Chef 'enterprise' cookbook. Should be set to the same value as install_directory above. | node['firezone']['install_directory'] |
default['firezone']['sysvinit_id'] | An identifier used in /etc/inittab. Must be a unique sequence of 1-4 characters. | 'SUP' |
default['firezone']['authentication']['local']['enabled'] | Enable or disable local email/password authentication. | true |
default['firezone']['authentication']['auto_create_oidc_users'] | Automatically create users who sign in through OIDC for the first time. Disable to allow only existing users to sign in via OIDC. | true |
default['firezone']['authentication']['disable_vpn_on_oidc_error'] | Disable a user's VPN if an error is detected while trying to refresh their OIDC token. | false |
default['firezone']['authentication']['oidc'] | OpenID Connect config, in the format {"provider" => [config...]}; see the OpenIDConnect documentation for config examples. | {} |
default['firezone']['nginx']['enabled'] | Enable or disable the bundled nginx server. | true |
default['firezone']['nginx']['ssl_port'] | HTTPS listen port. | 443 |
default['firezone']['nginx']['directory'] | Directory to store the Firezone-related nginx virtual host configuration. | "#{node['firezone']['var_directory']}/nginx/etc" |
default['firezone']['nginx']['log_directory'] | Directory to store the Firezone-related nginx log files. | "#{node['firezone']['log_directory']}/nginx" |
default['firezone']['nginx']['log_rotation']['file_maxbytes'] | File size at which nginx log files are rotated. | 104857600 |
default['firezone']['nginx']['log_rotation']['num_to_keep'] | Number of Firezone nginx log files to keep before discarding. | 10 |
default['firezone']['nginx']['log_x_forwarded_for'] | Whether to log the x-forwarded-for header in Firezone nginx. | true |
default['firezone']['nginx']['hsts_header']['enabled'] | Enable or disable the HSTS header. | true |
default['firezone']['nginx']['hsts_header']['include_subdomains'] | Enable or disable includeSubDomains for the HSTS header. | true |
default['firezone']['nginx']['hsts_header']['max_age'] | Max age for the HSTS header. | 31536000 |
default['firezone']['nginx']['redirect_to_canonical'] | Whether to redirect URLs to the canonical FQDN specified above. | false |
default['firezone']['nginx']['cache']['enabled'] | Enable or disable the Firezone nginx cache. | false |
default['firezone']['nginx']['cache']['directory'] | Directory for the Firezone nginx cache. | "#{node['firezone']['var_directory']}/nginx/cache" |
default['firezone']['nginx']['user'] | Firezone nginx user. | node['firezone']['user'] |
default['firezone']['nginx']['group'] | Firezone nginx group. | node['firezone']['group'] |
default['firezone']['nginx']['dir'] | Top-level nginx configuration directory. | node['firezone']['nginx']['directory'] |
default['firezone']['nginx']['log_dir'] | Top-level nginx log directory. | node['firezone']['nginx']['log_directory'] |
default['firezone']['nginx']['pid'] | Location of the nginx pid file. | "#{node['firezone']['nginx']['directory']}/nginx.pid" |
default['firezone']['nginx']['daemon_disable'] | Disable nginx daemon mode so that it can be supervised. | true |
default['firezone']['nginx']['gzip'] | Turn nginx gzip compression on or off. | 'on' |
default['firezone']['nginx']['gzip_static'] | Turn nginx gzip compression on or off for static files. | 'off' |
default['firezone']['nginx']['gzip_http_version'] | HTTP version to use for serving static files. | '1.0' |
default['firezone']['nginx']['gzip_comp_level'] | nginx gzip compression level. | '2' |
default['firezone']['nginx']['gzip_proxied'] | Enable or disable gzipping of responses for proxied requests depending on the request and response. | 'any' |
default['firezone']['nginx']['gzip_vary'] | Enable or disable inserting the "Vary: Accept-Encoding" response header. | 'off' |
default['firezone']['nginx']['gzip_buffers'] | Set the number and size of the buffers used to compress a response. If nil, the nginx default is used. | nil |
default['firezone']['nginx']['gzip_types'] | MIME types to enable gzip compression for. | ['text/plain', 'text/css', 'application/x-javascript', 'text/xml', 'application/xml', 'application/rss+xml', 'application/atom+xml', 'text/javascript', 'application/javascript', 'application/json'] |
default['firezone']['nginx']['gzip_min_length'] | Minimum file length to enable gzip compression for. | 1000 |
default['firezone']['nginx']['gzip_disable'] | User-agent matcher for which gzip compression is disabled. | 'MSIE [1-6]\.' |
default['firezone']['nginx']['keepalive'] | Enable keepalive for connections to upstream servers. | 'on' |
default['firezone']['nginx']['keepalive_timeout'] | Timeout in seconds for keepalive connections to upstream servers. | 65 |
default['firezone']['nginx']['worker_processes'] | Number of nginx worker processes. | node['cpu'] && node['cpu']['total'] ? node['cpu']['total'] : 1 |
default['firezone']['nginx']['worker_connections'] | Maximum number of simultaneous connections that a worker process can open. | 1024 |
default['firezone']['nginx']['worker_rlimit_nofile'] | Changes the limit on the maximum number of open files for worker processes. Uses the nginx default if nil. | nil |
default['firezone']['nginx']['multi_accept'] | Whether workers should accept one connection at a time or several. | true |
default['firezone']['nginx']['event'] | Specifies the connection processing method to use within the nginx events context. | 'epoll' |
default['firezone']['nginx']['server_tokens'] | Enable or disable emitting the nginx version on error pages and in the "Server" response header. | nil |
default['firezone']['nginx']['server_names_hash_bucket_size'] | Sets the bucket size for the server names hash tables. | 64 |
default['firezone']['nginx']['sendfile'] | Enable or disable nginx's use of sendfile(). | 'on' |
default['firezone']['nginx']['access_log_options'] | Set the nginx access log options. | nil |
default['firezone']['nginx']['error_log_options'] | Set the nginx error log options. | nil |
default['firezone']['nginx']['disable_access_log'] | Disable the nginx access log. | false |
default['firezone']['nginx']['types_hash_max_size'] | nginx types hash max size. | 2048 |
default['firezone']['nginx']['types_hash_bucket_size'] | nginx types hash bucket size. | 64 |
default['firezone']['nginx']['proxy_read_timeout'] | nginx proxy read timeout. Set to nil to use the nginx default. | nil |
default['firezone']['nginx']['client_body_buffer_size'] | nginx client body buffer size. Set to nil to use the nginx default. | nil |
default['firezone']['nginx']['client_max_body_size'] | nginx client max body size. | '250m' |
default['firezone']['nginx']['default']['modules'] | Specify additional nginx modules. | [] |
default['firezone']['nginx']['enable_rate_limiting'] | Enable or disable nginx rate limiting. | true |
default['firezone']['nginx']['rate_limiting_zone_name'] | nginx rate limiting zone name. | 'firezone' |
default['firezone']['nginx']['rate_limiting_backoff'] | nginx rate limiting backoff. | '10m' |
default['firezone']['nginx']['rate_limit'] | nginx rate limit. | '10r/s' |
default['firezone']['nginx']['ipv6'] | Allow nginx to listen for HTTP requests on IPv6 in addition to IPv4. | true |
default['firezone']['postgresql']['enabled'] | Enable or disable the bundled PostgreSQL. Set to false and fill in the database options below to use your own PostgreSQL instance. | true |
default['firezone']['postgresql']['username'] | Username for PostgreSQL. | node['firezone']['user'] |
default['firezone']['postgresql']['data_directory'] | PostgreSQL data directory. | "#{node['firezone']['var_directory']}/postgresql/13.3/data" |
default['firezone']['postgresql']['log_directory'] | PostgreSQL log directory. | "#{node['firezone']['log_directory']}/postgresql" |
default['firezone']['postgresql']['log_rotation']['file_maxbytes'] | Maximum PostgreSQL log file size before it is rotated. | 104857600 |
default['firezone']['postgresql']['log_rotation']['num_to_keep'] | Number of PostgreSQL log files to keep. | 10 |
default['firezone']['postgresql']['checkpoint_completion_target'] | PostgreSQL checkpoint completion target. | 0.5 |
default['firezone']['postgresql']['checkpoint_segments'] | Number of PostgreSQL checkpoint segments. | 3 |
default['firezone']['postgresql']['checkpoint_timeout'] | PostgreSQL checkpoint timeout. | '5min' |
default['firezone']['postgresql']['checkpoint_warning'] | PostgreSQL checkpoint warning time in seconds. | '30s' |
default['firezone']['postgresql']['effective_cache_size'] | PostgreSQL effective cache size. | '128MB' |
default['firezone']['postgresql']['listen_address'] | PostgreSQL listen address. | '127.0.0.1' |
default['firezone']['postgresql']['max_connections'] | PostgreSQL max connections. | 350 |
default['firezone']['postgresql']['md5_auth_cidr_addresses'] | PostgreSQL CIDRs allowed for md5 auth. | ['127.0.0.1/32', '::1/128'] |
default['firezone']['postgresql']['port'] | PostgreSQL listen port. | 15432 |
default['firezone']['postgresql']['shared_buffers'] | PostgreSQL shared buffers size. | "#{(node['memory']['total'].to_i / 4) / 1024}MB" |
default['firezone']['postgresql']['shmmax'] | PostgreSQL shmmax in bytes. | 17179869184 |
default['firezone']['postgresql']['shmall'] | PostgreSQL shmall in bytes. | 4194304 |
default['firezone']['postgresql']['work_mem'] | PostgreSQL working memory size. | '8MB' |
default['firezone']['database']['user'] | Specifies the username Firezone will use to connect to the DB. | node['firezone']['postgresql']['username'] |
default['firezone']['database']['password'] | If using an external DB, specifies the password Firezone will use to connect to the DB. | 'change_me' |
default['firezone']['database']['name'] | Database that Firezone will use. Created if it does not exist. | 'firezone' |
default['firezone']['database']['host'] | Database host that Firezone will connect to. | node['firezone']['postgresql']['listen_address'] |
default['firezone']['database']['port'] | Database port that Firezone will connect to. | node['firezone']['postgresql']['port'] |
default['firezone']['database']['pool'] | Database pool size that Firezone will use. | [10, Etc.nprocessors].max |
default['firezone']['database']['ssl'] | Whether to connect to the database over SSL. | false |
default['firezone']['database']['ssl_opts'] | Options passed to the database adapter when connecting over SSL. | {} |
default['firezone']['database']['parameters'] | Additional connection parameters passed to the database. | {} |
default['firezone']['database']['extensions'] | Database extensions to enable. | { 'plpgsql' => true, 'pg_trgm' => true } |
default['firezone']['phoenix']['enabled'] | Enable or disable the Firezone web application. | true |
default['firezone']['phoenix']['listen_address'] | Firezone web application listen address. This is the upstream listen address that nginx proxies to. | '127.0.0.1' |
default['firezone']['phoenix']['port'] | Firezone web application listen port. This is the upstream port that nginx proxies to. | 13000 |
default['firezone']['phoenix']['log_directory'] | Firezone web application log directory. | "#{node['firezone']['log_directory']}/phoenix" |
default['firezone']['phoenix']['log_rotation']['file_maxbytes'] | Firezone web application log file size. | 104857600 |
default['firezone']['phoenix']['log_rotation']['num_to_keep'] | Number of Firezone web application log files to keep. | 10 |
default['firezone']['phoenix']['crash_detection']['enabled'] | Enable or disable bringing down the Firezone web application when a crash is detected. | true |
default['firezone']['phoenix']['external_trusted_proxies'] | List of trusted reverse proxies, formatted as an array of IPs and/or CIDRs. | [] |
default['firezone']['phoenix']['private_clients'] | List of private-network HTTP clients, formatted as an array of IPs and/or CIDRs. | [] |
default['firezone']['wireguard']['enabled'] | Enable or disable WireGuard management. | true |
default['firezone']['wireguard']['log_directory'] | Log directory for the Firezone WireGuard management service. | "#{node['firezone']['log_directory']}/wireguard" |
default['firezone']['wireguard']['log_rotation']['file_maxbytes'] | Maximum WireGuard log file size. | 104857600 |
default['firezone']['wireguard']['log_rotation']['num_to_keep'] | Number of WireGuard log files to keep. | 10 |
default['firezone']['wireguard']['interface_name'] | WireGuard interface name. Changing this parameter may cause a temporary loss of VPN connectivity. | 'wg-firezone' |
default['firezone']['wireguard']['port'] | WireGuard listen port. | 51820 |
default['firezone']['wireguard']['mtu'] | WireGuard interface MTU for this server and for device configs. | 1280 |
default['firezone']['wireguard']['endpoint'] | WireGuard Endpoint to use when generating device configs. If nil, defaults to the server's public IP address. | nil |
default['firezone']['wireguard']['dns'] | WireGuard DNS to use for generated device configs. | '1.1.1.1' |
default['firezone']['wireguard']['allowed_ips'] | WireGuard AllowedIPs to use for generated device configs. | '0.0.0.0/0, ::/0' |
default['firezone']['wireguard']['persistent_keepalive'] | Default PersistentKeepalive setting for generated device configs. A value of 0 disables it. | 0 |
default['firezone']['wireguard']['ipv4']['enabled'] | Enable or disable IPv4 for the WireGuard network. | true |
default['firezone']['wireguard']['ipv4']['masquerade'] | Enable or disable masquerading for packets leaving the IPv4 tunnel. | true |
default['firezone']['wireguard']['ipv4']['network'] | WireGuard network IPv4 address pool. | '10.3.2.0/24' |
default['firezone']['wireguard']['ipv4']['address'] | WireGuard interface IPv4 address. Must be within the WireGuard address pool. | '10.3.2.1' |
default['firezone']['wireguard']['ipv6']['enabled'] | Enable or disable IPv6 for the WireGuard network. | true |
default['firezone']['wireguard']['ipv6']['masquerade'] | Enable or disable masquerading for packets leaving the IPv6 tunnel. | true |
default['firezone']['wireguard']['ipv6']['network'] | WireGuard network IPv6 address pool. | 'fd00::3:2:0/120' |
default['firezone']['wireguard']['ipv6']['address'] | WireGuard interface IPv6 address. Must be within the IPv6 address pool. | 'fd00::3:2:1' |
default['firezone']['runit']['svlogd_bin'] | Runit svlogd bin location. | "#{node['firezone']['install_directory']}/embedded/bin/svlogd" |
default['firezone']['ssl']['directory'] | SSL directory for storing generated certificates. | '/var/opt/firezone/ssl' |
default['firezone']['ssl']['email_address'] | Email address to use for self-signed certificates and ACME protocol renewal notices. | 'you@example.com' |
default['firezone']['ssl']['acme']['enabled'] | Enable ACME for automatic SSL certificate provisioning. Disable this to prevent nginx from listening on port 80. See here for more instructions. | false |
default['firezone']['ssl']['acme']['server'] | ACME server to use for certificate issuance/renewal. Can be any valid acme.sh server. | letsencrypt |
default['firezone']['ssl']['acme']['keylength'] | Specify the key type and length for SSL certificates. See here. | ec-256 |
default['firezone']['ssl']['certificate'] | Path to the certificate file for your FQDN. Overrides the ACME setting above if specified. If both this and ACME are nil, a self-signed certificate is generated. | nil |
default['firezone']['ssl']['certificate_key'] | Path to the certificate key file. | nil |
default['firezone']['ssl']['ssl_dhparam'] | nginx ssl dh_param. | nil |
default['firezone']['ssl']['country_name'] | Country name for the self-signed certificate. | 'US' |
default['firezone']['ssl']['state_name'] | State name for the self-signed certificate. | 'CA' |
default['firezone']['ssl']['locality_name'] | Locality name for the self-signed certificate. | 'San Francisco' |
default['firezone']['ssl']['company_name'] | Company name for the self-signed certificate. | 'My Company' |
default['firezone']['ssl']['organizational_unit_name'] | Organizational unit name for the self-signed certificate. | 'Operations' |
default['firezone']['ssl']['ciphers'] | SSL ciphers for nginx to use. | 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA' |
default['firezone']['ssl']['fips_ciphers'] | SSL ciphers for FIPS mode. | 'FIPS@STRENGTH:!aNULL:!eNULL' |
default['firezone']['ssl']['protocols'] | TLS protocols to use. | 'TLSv1 TLSv1.1 TLSv1.2' |
default['firezone']['ssl']['session_cache'] | SSL session cache. | 'shared:SSL:4m' |
default['firezone']['ssl']['session_timeout'] | SSL session timeout. | '5m' |
default['firezone']['robots_allow'] | nginx robots allow. | '/' |
default['firezone']['robots_disallow'] | nginx robots disallow. | nil |
default['firezone']['outbound_email']['from'] | Outbound email from address. | nil |
default['firezone']['outbound_email']['provider'] | Outbound email service provider. | nil |
default['firezone']['outbound_email']['configs'] | Outbound email provider configs. | see omnibus/cookbooks/firezone/attributes/default.rb |
default['firezone']['telemetry']['enabled'] | Enable or disable anonymized product telemetry. | true |
default['firezone']['connectivity_checks']['enabled'] | Enable or disable the Firezone connectivity check service. | true |
default['firezone']['connectivity_checks']['interval'] | Interval between connectivity checks in seconds. | 3_600 |
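Several of the defaults in the table above deserve a second look before the server faces the internet: ssl.protocols still lists TLSv1 and TLSv1.1 (both deprecated by RFC 8996), nginx server_tokens is left at nginx's own default of on, telemetry is on, non-admin users may edit device configuration, and an external database is reached with the password 'change_me' and without SSL unless overridden. The audit script below is an added example and is not part of the Firezone project. SAMPLE_FIREZONE_RB is a constructed /etc/firezone/firezone.rb whose values are the table defaults except where a comment says otherwise; the checks encode this reviewer's opinions, not a Firezone recommendation, and the parser understands only simple literal assignments, not the "#{...}" interpolations some defaults use.

```python
"""Audit a firezone.rb for defaults a reviewer would not leave in place.
Added example with a constructed sample config; not Firezone's own code."""
import re
from typing import Dict, List, Tuple

SAMPLE_FIREZONE_RB = """\
default['firezone']['external_url'] = 'https://vpn.example.com'   # set by the operator
default['firezone']['ssl']['protocols'] = 'TLSv1 TLSv1.1 TLSv1.2'
default['firezone']['nginx']['hsts_header']['enabled'] = true
default['firezone']['nginx']['server_tokens'] = nil
default['firezone']['telemetry']['enabled'] = true
default['firezone']['allow_unprivileged_device_configuration'] = true
default['firezone']['postgresql']['enabled'] = false   # external DB in use
default['firezone']['database']['password'] = 'change_me'
default['firezone']['database']['ssl'] = false
"""

# default['a']['b'] = value   (a trailing "# comment" is ignored)
_ASSIGNMENT = re.compile(r"^\s*default((?:\['[^']+'\])+)\s*=\s*(.*?)\s*(?:#.*)?$")
_KEY_PART = re.compile(r"\['([^']+)'\]")


def parse_firezone_rb(text: str) -> Dict[str, str]:
    """Map dotted keys to literal values with surrounding quotes removed,
    e.g. {'firezone.ssl.protocols': 'TLSv1 TLSv1.1 TLSv1.2', ...}."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        match = _ASSIGNMENT.match(line)
        if match:
            key = ".".join(_KEY_PART.findall(match.group(1)))
            settings[key] = match.group(2).strip("'\"")
    return settings


def audit(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (setting, reason) pairs.  A key absent from `settings` is
    treated as left at the default listed in the table above."""
    findings: List[Tuple[str, str]] = []

    protocols = settings.get("firezone.ssl.protocols", "TLSv1 TLSv1.1 TLSv1.2")
    weak = [p for p in protocols.split() if p in ("TLSv1", "TLSv1.1")]
    if weak:
        findings.append(("firezone.ssl.protocols",
                         "deprecated TLS versions enabled: " + " ".join(weak)))

    if settings.get("firezone.nginx.hsts_header.enabled", "true") == "false":
        findings.append(("firezone.nginx.hsts_header.enabled", "HSTS header disabled"))

    # nil defers to nginx's own default, which is server_tokens on
    if settings.get("firezone.nginx.server_tokens", "nil") in ("nil", "on"):
        findings.append(("firezone.nginx.server_tokens",
                         "nginx version disclosed in the Server header and error pages"))

    if settings.get("firezone.telemetry.enabled", "true") == "true":
        findings.append(("firezone.telemetry.enabled", "product telemetry enabled"))

    if settings.get("firezone.allow_unprivileged_device_configuration", "true") == "true":
        findings.append(("firezone.allow_unprivileged_device_configuration",
                         "non-admin users can change device fields other than name and description"))

    # the password/SSL settings only matter when the bundled PostgreSQL is off
    if settings.get("firezone.postgresql.enabled", "true") == "false":
        if settings.get("firezone.database.password", "change_me") == "change_me":
            findings.append(("firezone.database.password",
                             "external database uses the default password"))
        if settings.get("firezone.database.ssl", "false") == "false":
            findings.append(("firezone.database.ssl",
                             "external database connection is not using SSL"))
    return findings


if __name__ == "__main__":
    for key, reason in audit(parse_firezone_rb(SAMPLE_FIREZONE_RB)):
        print(f"{key}: {reason}")
```

Feed it the real /etc/firezone/firezone.rb; every finding maps to one row of the table above, and after changing a value remember that nothing takes effect until firezone-ctl reconfigure has run.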
________________________________________________________________
Below is a list of the files and directories involved in a typical Firezone installation. These may change depending on your configuration file.
Path | Description |
/var/opt/firezone | Top-level directory containing data and generated configuration for the Firezone bundled services. |
/opt/firezone | Top-level directory containing the built libraries, binaries and runtime files needed by Firezone. |
/usr/bin/firezone-ctl | firezone-ctl utility for managing your Firezone installation. |
/etc/systemd/system/firezone-runsvdir-start.service | systemd unit file for starting the Firezone runsvdir supervisor process. |
/etc/firezone | Firezone configuration files. |
_____________________________________________________________
The nftables firewall template below can be used to secure the server running Firezone. The template makes some assumptions; you may need to adjust the rules to suit your use case:
Firezone configures its own nftables rules to permit or deny traffic to the destinations configured in the web UI and to perform outbound NAT for client traffic.
Applying the firewall template below on an already running server (rather than at boot time) clears the Firezone rules, because the template starts with flush ruleset. Until they are restored, client traffic is no longer filtered by the allow/deny lists or masqueraded, which has security implications.
To restore the Firezone rules, restart the phoenix service:
firezone-ctl restart phoenix
#!/usr/sbin/nft -f

## Clear/flush all existing rules
flush ruleset

################################ VARIABLES ################################
## Internet/WAN interface name
define DEV_WAN = eth0

## WireGuard interface name
define DEV_WIREGUARD = wg-firezone

## WireGuard listen port
define WIREGUARD_PORT = 51820

############################## VARIABLES END ##############################

# Main inet family filtering table
table inet filter {

  # Rules for forwarded traffic
  # This chain is processed before the Firezone forward chain
  chain forward {
    type filter hook forward priority filter - 5; policy accept
  }

  # Rules for input traffic
  chain input {
    type filter hook input priority filter; policy drop

    ## Permit inbound traffic on the loopback interface
    iif lo \
      accept \
      comment "Permit all traffic in from the loopback interface"

    ## Permit established and related connections
    ct state established,related \
      accept \
      comment "Permit established/related connections"

    ## Permit inbound WireGuard traffic
    iif $DEV_WAN udp dport $WIREGUARD_PORT \
      counter \
      accept \
      comment "Permit inbound WireGuard traffic"

    ## Log and drop new TCP non-SYN packets
    tcp flags != syn ct state new \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - New !SYN: " \
      comment "Rate limit logging for new connections that do not have the SYN TCP flag set"
    tcp flags != syn ct state new \
      counter \
      drop \
      comment "Drop new connections that do not have the SYN TCP flag set"

    ## Log and drop TCP packets with the invalid fin/syn flag combination set
    tcp flags & (fin|syn) == (fin|syn) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - TCP FIN|SYN: " \
      comment "Rate limit logging for TCP packets with the invalid fin/syn flag combination set"
    tcp flags & (fin|syn) == (fin|syn) \
      counter \
      drop \
      comment "Drop TCP packets with the fin/syn flag combination set"

    ## Log and drop TCP packets with the invalid syn/rst flag combination set
    tcp flags & (syn|rst) == (syn|rst) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - TCP SYN|RST: " \
      comment "Rate limit logging for TCP packets with the invalid syn/rst flag combination set"
    tcp flags & (syn|rst) == (syn|rst) \
      counter \
      drop \
      comment "Drop TCP packets with the syn/rst flag combination set"

    ## Log and drop invalid TCP flags
    tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - FIN:" \
      comment "Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) < (fin)"
    tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
      counter \
      drop \
      comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) < (fin)"

    ## Log and drop invalid TCP flags
    tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - FIN|PSH|URG:" \
      comment "Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"
    tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
      counter \
      drop \
      comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"

    ## Drop traffic with an invalid connection state
    ct state invalid \
      limit rate 100/minute burst 150 packets \
      log flags all prefix "IN - Invalid: " \
      comment "Rate limit logging for traffic with an invalid connection state"
    ct state invalid \
      counter \
      drop \
      comment "Drop traffic with an invalid connection state"

    ## Permit IPv4 ping/ping replies but rate limit to 2000 PPS
    ip protocol icmp icmp type { echo-reply, echo-request } \
      limit rate 2000/second \
      counter \
      accept \
      comment "Permit inbound IPv4 echo (ping) limited to 2000 PPS"

    ## Permit all other inbound IPv4 ICMP
    ip protocol icmp \
      counter \
      accept \
      comment "Permit all other IPv4 ICMP"

    ## Permit IPv6 ping/ping replies but rate limit to 2000 PPS
    icmpv6 type { echo-reply, echo-request } \
      limit rate 2000/second \
      counter \
      accept \
      comment "Permit inbound IPv6 echo (ping) limited to 2000 PPS"

    ## Permit all other inbound IPv6 ICMP
    meta l4proto { icmpv6 } \
      counter \
      accept \
      comment "Permit all other IPv6 ICMP"

    ## Permit inbound traceroute UDP ports but limit to 500 PPS
    udp dport 33434-33524 \
      limit rate 500/second \
      counter \
      accept \
      comment "Permit inbound UDP traceroute limited to 500 PPS"

    ## Permit inbound SSH
    tcp dport ssh ct state new \
      counter \
      accept \
      comment "Permit inbound SSH connections"

    ## Permit inbound HTTP and HTTPS
    tcp dport { http, https } ct state new \
      counter \
      accept \
      comment "Permit inbound HTTP and HTTPS connections"

    ## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute
    ## The default policy will be applied to unmatched traffic
    limit rate 60/minute burst 100 packets \
      log prefix "IN - Drop: " \
      comment "Log any unmatched traffic"

    ## Count the unmatched traffic
    counter \
      comment "Count any unmatched traffic"
  }

  # Rules for output traffic
  chain output {
    type filter hook output priority filter; policy drop

    ## Permit outbound traffic on the loopback interface
    oif lo \
      accept \
      comment "Permit all traffic out to the loopback interface"

    ## Permit established and related connections
    ct state established,related \
      counter \
      accept \
      comment "Permit established/related connections"

    ## Permit outbound WireGuard traffic before dropping connections with an invalid state
    oif $DEV_WAN udp sport $WIREGUARD_PORT \
      counter \
      accept \
      comment "Permit WireGuard outbound traffic"

    ## Drop traffic with an invalid connection state
    ct state invalid \
      limit rate 100/minute burst 150 packets \
      log flags all prefix "OUT - Invalid: " \
      comment "Rate limit logging for traffic with an invalid connection state"
    ct state invalid \
      counter \
      drop \
      comment "Drop traffic with an invalid connection state"

    ## Permit all other outbound IPv4 ICMP
    ip protocol icmp \
      counter \
      accept \
      comment "Permit all IPv4 ICMP types"

    ## Permit all other outbound IPv6 ICMP
    meta l4proto { icmpv6 } \
      counter \
      accept \
      comment "Permit all IPv6 ICMP types"

    ## Permit outbound traceroute UDP ports but limit to 500 PPS
    udp dport 33434-33524 \
      limit rate 500/second \
      counter \
      accept \
      comment "Permit outbound UDP traceroute limited to 500 PPS"

    ## Permit outbound HTTP and HTTPS connections
    tcp dport { http, https } ct state new \
      counter \
      accept \
      comment "Permit outbound HTTP and HTTPS connections"

    ## Permit outbound SMTP submission
    tcp dport submission ct state new \
      counter \
      accept \
      comment "Permit outbound SMTP submission"

    ## Permit outbound DNS requests
    udp dport 53 \
      counter \
      accept \
      comment "Permit outbound UDP DNS requests"
    tcp dport 53 \
      counter \
      accept \
      comment "Permit outbound TCP DNS requests"

    ## Permit outbound NTP requests
    udp dport 123 \
      counter \
talia \
manatu “Fa'ataga talosaga a le NTP i fafo”
## Fa'amau so'o se fe'avea'i e le'i fa'atusaina ae fa'atapula'aina le fa'amauina i le maualuga o le 60 fe'au/minute
## O le a fa'aoga le faiga fa'avae i femalagaiga e le fa'atusalia
fua faatatau 60/ minute pa 100 afifi \
ogalaau prefix “IFO – Fa’atu’u:” \
manatu “Fa'amau so'o se ta'avale e le mafaatusalia”
## Faitau le feoaiga e le mafaatusalia
fa'atau \
manatu “Faitau soo se feoaiga e le mafaatusalia”
}
}
# Laulau a le NAT fa'amama
laulau inet nat {
# Tulafono mo le NAT felauaiga muamua
filifili muamua {
type nat hook prerouting priority dstnat; talia faiga faavae
}
# Tulafono mo le NAT felauaiga pe a uma le auala
# O lenei laulau o lo'o fa'agasolo a'o le'i o'o i le Firezone post-routing chain
filifili poupou {
type nat hook postrouting priority srcnat – 5; talia faiga faavae
}
}
The firewall should be stored in the location appropriate for the Linux distribution that is running. For Debian/Ubuntu this is /etc/nftables.conf and for RHEL it is /etc/sysconfig/nftables.conf.
nftables.service will need to be configured to start on boot (if it is not already); to set this, run:
systemctl enable nftables.service
If any changes are made to the firewall template, the syntax can be validated by running the check command:
nft -f /path/to/nftables.conf -c
Make sure to verify that the firewall behaves as expected, as certain nftables features may not be available depending on the release running on the server.
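Once the template is live, the rate-limited "log prefix" rules above are the only record of what the drop policy and the invalid-state rules are catching. As an added example (not part of the Firezone documentation or the template), this parser reads kernel log lines carrying the template's prefixes ("IN - Drop: ", "OUT - Drop: ", "IN - Invalid: ", "OUT - Invalid: ") and aggregates them by prefix, protocol and destination port plus top source addresses, so a missing allow rule or a noisy scanner can be spotted. The log lines are constructed samples in the netfilter log format.

```python
import re
from collections import Counter

# Constructed sample kernel log lines (netfilter LOG format) using the
# prefixes from the template. Logging is rate limited to 60/minute, so
# counts derived from these lines are a floor, not a total.
SAMPLE_LOG = """\
Jul 22 18:30:39 fz kernel: IN - Drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 22 18:30:40 fz kernel: IN - Drop: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 22 18:30:41 fz kernel: IN - Drop: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=999 PROTO=UDP SPT=40000 DPT=51821 LEN=40
Jul 22 18:30:42 fz kernel: OUT - Drop: IN= OUT=eth0 SRC=198.51.100.2 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=43210 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 22 18:30:43 fz kernel: IN - Invalid: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=7 PROTO=TCP SPT=1024 DPT=443 WINDOW=0 RES=0x00 ACK URGP=0
Jul 22 18:30:44 fz kernel: wg-firezone: interface is up
"""

# Only the four prefixes defined by the template's log statements are parsed.
LINE_RE = re.compile(r"kernel: (?P<prefix>(?:IN|OUT) - (?:Drop|Invalid):) (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE pairs; bare flags like DF/SYN are skipped


def parse_line(line):
    """Return (prefix, {field: value}) for a firewall log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("prefix"), dict(KV_RE.findall(m.group("fields")))


def summarize(log_text):
    """Count hits per (prefix, protocol, dport) and sources per prefix.

    ICMP entries carry no DPT, so their port is recorded as "-".
    """
    by_target, sources = Counter(), {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated kernel message
        prefix, f = parsed
        by_target[(prefix, f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
        sources.setdefault(prefix, Counter())[f.get("SRC", "?")] += 1
    return by_target, sources


if __name__ == "__main__":
    targets, srcs = summarize(SAMPLE_LOG)
    for (prefix, proto, dport), n in targets.most_common():
        print(f"{prefix:14} {proto:4} dport={dport:6} hits={n}")
    for prefix, c in srcs.items():
        print(prefix, "top sources:", c.most_common(3))
```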
_______________________________________________________________
This document presents an overview of the telemetry Firezone collects from your self-hosted instance and how to disable it.
Firezone relies on telemetry to prioritize our roadmap and optimize the engineering resources we have to make Firezone better for everyone.
The telemetry we collect aims to answer the following questions:
There are three main places where telemetry is collected in Firezone:
In each of these three contexts, we capture the minimum amount of data necessary to answer the questions in the section above.
Admin emails are collected only if you explicitly opt in to product updates. Otherwise, personally identifiable information is never collected.
Firezone stores telemetry in a self-hosted instance of PostHog running in a private Kubernetes cluster, accessible only to the Firezone team. Here is an example of a telemetry event sent from your Firezone instance to our telemetry server:
{
  "id": "0182272d-0b88-0000-d419-7b9a413713f1",
  "timestamp": "2022-07-22T18:30:39.748000+00:00",
  "event": "fz_http_started",
  "distinct_id": "1ec2e794-1c3e-43fc-a78f-1db6d1a37f54",
  "properties": {
    "$geoip_city_name": "Ashburn",
    "$geoip_continent_code": "NA",
    "$geoip_continent_name": "North America",
    "$geoip_country_code": "US",
    "$geoip_country_name": "United States",
    "$geoip_latitude": 39.0469,
    "$geoip_longitude": -77.4903,
    "$geoip_postal_code": "20149",
    "$geoip_subdivision_1_code": "VA",
    "$geoip_subdivision_1_name": "Virginia",
    "$geoip_time_zone": "America/New_York",
    "$ip": "52.200.241.107",
    "$plugins_deferred": [],
    "$plugins_failed": [],
    "$plugins_succeeded": [
      "GeoIP (3)"
    ],
    "distinct_id": "1zc2e794-1c3e-43fc-a78f-1db6d1a37f54",
    "fqdn": "awsdemo.firezone.dev",
    "kernel_version": "linux 5.13.0",
    "version": "0.4.6"
  },
  "elements_chain": ""
}
NOTE
The Firezone development team relies on product analytics to make Firezone better for everyone. Leaving telemetry enabled is the single most valuable contribution you can make to Firezone's development. That said, we understand that some users have higher privacy or security requirements and would prefer to disable telemetry altogether. If that's you, keep reading.
Telemetry is enabled by default. To completely disable product telemetry, set the following configuration option to false in /etc/firezone/firezone.rb and run sudo firezone-ctl reconfigure to pick up the changes.
default['firezone']['telemetry']['enabled'] = false
That will completely disable all product telemetry.
Hailbytes
9511 Queens Guard Ct.
Laurel, MD 20723
Phone: (732) 771-9995
Email: info@hailbytes.com