Step-by-step instructions for deploying Hailbytes VPN with the Firezone GUI are given here.
Admin guide: Setting up the server instance is covered in this section.
User guide: Helpful documentation that can teach you how to use Firezone and resolve common issues. Refer to this section once the server has been deployed successfully.
Split tunneling: Use the VPN to send only traffic to specific IP ranges.
Whitelisting: Set a static IP address for the VPN server in order to make use of whitelisting.
Reverse tunnels: Create tunnels between multiple peers using reverse tunnels.
We are happy to help if you need assistance installing, customizing, or using Hailbytes VPN.
Before users can create or download device configuration files, Firezone can be configured to require authentication. Users may also be required to re-authenticate periodically to keep their VPN connection active.
Although Firezone's default login method is local email and password, it can also be integrated with any OpenID Connect (OIDC) identity provider. Users can then log in to Firezone using their Okta, Google, Azure AD, or custom identity provider credentials.
Integrate a generic OIDC provider
The configuration example below shows the settings Firezone needs to enable SSO through an OIDC provider. The configuration file is located at /etc/firezone/firezone.rb. Run firezone-ctl reconfigure and firezone-ctl restart to update the application and apply the changes.
# This is an example using Google and Okta as the SSO identity provider.
# Multiple OIDC configurations can be added to the same Firezone instance.
# Firezone can disable a user's VPN if any error is detected while trying
# to refresh their access_token. This is verified to work for Google, Okta, and
# Azure SSO and is used to automatically disconnect a user's VPN if they are removed
# from the OIDC provider. Leave this disabled if your OIDC provider
# has issues refreshing access tokens, as it could unexpectedly interrupt a
# user's VPN session.
default['firezone']['authentication']['disable_vpn_on_oidc_error'] = false
default['firezone']['authentication']['oidc'] = {
  google: {
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    client_id: "<CLIENT_ID>",
    client_secret: "<CLIENT_SECRET>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  },
  okta: {
    discovery_document_uri: "https://<OKTA_DOMAIN>/.well-known/openid-configuration",
    client_id: "<CLIENT_ID>",
    client_secret: "<CLIENT_SECRET>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Okta"
  }
}
The following configuration settings are required for the integration:
For each OIDC provider, a corresponding pretty URL is created for redirecting to the configured provider's sign-in URL. For the example OIDC configuration above, the URLs are:
We have documentation for the following providers:
If your identity provider has a generic OIDC connector and is not listed above, please consult their documentation for how to retrieve the required configuration settings.
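Before running firezone-ctl reconfigure it is worth checking the OIDC hash for the mistakes that silently break the login flow (leftover placeholders, a redirect_uri that does not match the pretty URL for that provider, a missing openid scope). The following Ruby script is an added example and not Firezone's own code; it uses the key names from the configuration above, and the rules it enforces (https discovery document, exact callback path under the assumed host instance-id.yourfirezone.com, angle-bracket placeholders) are this example's own conventions.

```ruby
# Added example: sanity-check default['firezone']['authentication']['oidc']
# entries before they reach firezone-ctl reconfigure. Not part of Firezone.
require 'uri'

# Constructed sample in the shape used by this guide. The okta entry still
# carries placeholders, uses plain http for its callback and lacks the
# openid scope, so the checks below have something to report.
SAMPLE_OIDC = {
  google: {
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    client_id: "123-example.apps.googleusercontent.com",
    client_secret: "example-google-secret",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  },
  okta: {
    discovery_document_uri: "https://<OKTA_DOMAIN>/.well-known/openid-configuration",
    client_id: "<CLIENT_ID>",
    client_secret: "<CLIENT_SECRET>",
    redirect_uri: "http://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
    response_type: "code",
    scope: "email profile offline_access",
    label: "Okta"
  }
}.freeze

REQUIRED_KEYS = %i[discovery_document_uri client_id client_secret
                   redirect_uri response_type scope label].freeze

# A value is unusable if it is empty or still looks like "<PLACEHOLDER>".
def placeholder?(value)
  value.to_s.strip.empty? || value.to_s.match?(/[<>]/)
end

# Returns the list of problems for one provider entry (empty means OK).
# `name` is the provider key (:google, :okta, ...), which also fixes the
# callback path Firezone expects: /auth/oidc/<name>/callback/
def check_oidc_provider(name, cfg, firezone_host)
  problems = []
  REQUIRED_KEYS.each do |k|
    problems << "#{k} is missing or still a placeholder" if placeholder?(cfg[k])
  end
  unless placeholder?(cfg[:discovery_document_uri])
    disc = URI.parse(cfg[:discovery_document_uri])
    unless disc.scheme == "https" && disc.path.end_with?("/.well-known/openid-configuration")
      problems << "discovery_document_uri must be an https URL ending in /.well-known/openid-configuration"
    end
  end
  unless placeholder?(cfg[:redirect_uri])
    redirect = URI.parse(cfg[:redirect_uri])
    expected = "/auth/oidc/#{name}/callback/"
    unless redirect.scheme == "https" && redirect.host == firezone_host && redirect.path == expected
      problems << "redirect_uri should be https://#{firezone_host}#{expected}"
    end
  end
  problems << 'response_type must be "code"' unless cfg[:response_type] == "code"
  problems << "scope must include openid" unless cfg[:scope].to_s.split.include?("openid")
  problems
end

# Checks every provider; returns {provider => [problems]} for the bad ones only.
def check_oidc_config(oidc, firezone_host)
  oidc.each_with_object({}) do |(name, cfg), bad|
    issues = check_oidc_provider(name, cfg, firezone_host)
    bad[name] = issues unless issues.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  check_oidc_config(SAMPLE_OIDC, "instance-id.yourfirezone.com").each do |name, issues|
    puts "#{name}:"
    issues.each { |issue| puts "  - #{issue}" }
  end
end
```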
The setting under Settings/Security can be changed to require periodic re-authentication. This can be used to make users sign in to Firezone periodically in order to continue their VPN session.
The session duration can be configured to anywhere between one hour and ninety days. Setting this to Never allows VPN sessions of any length. This is the default.
To re-authenticate an expired VPN session, the user must end their VPN session and sign in to the Firezone portal (the URL specified during deployment).
You can re-authenticate your session by following the precise client instructions found here.
VPN Connection Status
The VPN Connection column of the users page shows a user's connection status. These are the connection statuses:
ENABLED - The connection is enabled.
DISABLED - The connection has been disabled by an administrator or an OIDC refresh failure.
EXPIRED - The connection is disabled due to authentication expiry, or the user has not signed in for the first time.
Through the generic OIDC connector, Firezone enables Single Sign-On (SSO) with Google Workspace and Cloud Identity. This guide will show you how to obtain the configuration parameters listed below, which are required for the integration:
1. OAuth Config Screen
If this is the first time you are creating a new OAuth client ID, you will be asked to configure the consent screen.
* Select Internal for the user type. This ensures that only accounts belonging to users in your Google Workspace organization can create device configurations. Do not select External unless you want anyone with a valid Google account to be able to create device configurations.
On the App information screen:
2. Create OAuth Client IDs
This section is based on Google's own documentation on setting up OAuth 2.0.
Visit the Google Cloud Console Credentials page, click + Create Credentials and select OAuth client ID.
On the OAuth client ID creation screen:
After creating the OAuth client ID, you will be given a Client ID and Client Secret. These will be used together with the redirect URI in the next step.
Edit /etc/firezone/firezone.rb to include the options below:
# Using Google as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  google: {
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    client_id: "<CLIENT_ID>",
    client_secret: "<CLIENT_SECRET>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  }
}
Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Google button at the root Firezone URL.
Firezone uses the generic OIDC connector to enable single sign-on (SSO) with Okta. This tutorial will show you how to obtain the configuration parameters listed below, which are required for the integration:
This section of the guide is based on the Okta documentation.
In the Admin Console, go to Applications > Applications and click Create App Integration. Set the sign-in method to OIDC - OpenID Connect and the application type to Web Application.
Configure the following settings:
Once the settings are saved, you will be given the Client ID, Client Secret, and Okta Domain. These 3 values will be used in Step 2 to configure Firezone.
Edit /etc/firezone/firezone.rb to include the options below. Your discovery_document_uri will be /.well-known/openid-configuration appended to the end of your okta_domain.
# Using Okta as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  okta: {
    discovery_document_uri: "https://<OKTA_DOMAIN>/.well-known/openid-configuration",
    client_id: "<CLIENT_ID>",
    client_secret: "<CLIENT_SECRET>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Okta"
  }
}
Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Okta button at the root Firezone URL.
Okta can restrict which users are able to access the Firezone app. Go to the Assignments page of the Firezone App in the Okta Admin Console to accomplish this.
Through the generic OIDC connector, Firezone enables Single Sign-On (SSO) with Azure Active Directory. This guide will show you how to obtain the configuration parameters listed below, which are required for the integration:
This guide is derived from the Azure Active Directory documentation.
Go to the Azure Active Directory page of the Azure portal. Select the App registrations option under the Manage menu, select New registration, and register by providing the information below:
After registering, open the detail view of the application and note the Application (client) ID. This will be the client_id value. Next, open the Endpoints menu to retrieve the OpenID Connect metadata document. This will be the discovery_document_uri value.
Create a new client secret by clicking the Certificates & secrets option under the Manage menu. Note the client secret; this will be the client_secret value.
Finally, select the API permissions link under the Manage menu, click Add a permission, select Microsoft Graph, and add email, openid, offline_access and profile to the required permissions.
Edit /etc/firezone/firezone.rb to include the options below:
# Using Azure Active Directory as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  azure: {
    discovery_document_uri: "https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration",
    client_id: "<CLIENT_ID>",
    client_secret: "<CLIENT_SECRET>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/azure/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Azure"
  }
}
Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Azure button at the root Firezone URL.
Azure AD allows administrators to restrict app access to a specific group of users within your company. More information on how to do this can be found in Microsoft's documentation.
Firezone uses Chef Omnibus to manage tasks including release packaging, process supervision, log management, and more.
Ruby code makes up the main configuration file, located at /etc/firezone/firezone.rb. Running sudo firezone-ctl reconfigure after editing this file causes Chef to recognize the changes and apply them to the current operating system.
See the configuration file reference for a complete list of configuration variables and their descriptions.
Your Firezone instance can be managed via the firezone-ctl command, as shown below. Most subcommands require prefixing with sudo.
root@demo:~# firezone-ctl
omnibus-ctl: command (subcommand)
General Commands:
  cleanse
    Delete *all* firezone data, and start from scratch.
  create-or-reset-admin
    Resets the password for the admin with email specified by default['firezone']['admin_email'] or creates a new admin if that email doesn't exist.
  help
    Print this help message.
  reconfigure
    Reconfigure the application.
  reset-network
    Resets nftables, WireGuard interface, and routing table back to Firezone defaults.
  show-config
    Show the configuration that would be generated by reconfigure.
  teardown-network
    Removes WireGuard interface and firezone nftables table.
  force-cert-renewal
    Force certificate renewal now even if it hasn't expired.
  stop-cert-renewal
    Removes cronjob that renews certificates.
  uninstall
    Kill all processes and uninstall the process supervisor (data will be preserved).
  version
    Display current version of Firezone
Service Management Commands:
  graceful-kill
    Attempt a graceful stop, then SIGKILL the entire process group.
  hup
    Send the services a HUP.
  int
    Send the services an INT.
  kill
    Send the services a KILL.
  once
    Start the services if they are down. Do not restart them if they stop.
  restart
    Stop the services if they are running, then start them again.
  service-list
    List all the services (enabled services are marked with a *.)
  start
    Start services if they are down, and restart them if they stop.
  status
    Show the status of all the services.
  stop
    Stop the services, and do not restart them.
  tail
    Watch the service logs of all enabled services.
  term
    Send the services a TERM.
  usr1
    Send the services a USR1.
  usr2
    Send the services a USR2.
All VPN sessions must be terminated before upgrading Firezone, which also requires shutting down the Web UI. In case something goes wrong during the upgrade, we recommend setting aside an hour for maintenance.
To upgrade Firezone, perform the following steps:
If any issues arise, please let us know by submitting a support ticket.
There are a few breaking configuration changes in 0.5.0 that must be resolved. Find out more below.
Nginx no longer supports the force SSL and non-SSL port parameters as of version 0.5.0. Since Firezone requires SSL to operate, we recommend removing the bundled Nginx service by setting default['firezone']['nginx']['enabled'] = false and pointing your reverse proxy at the Phoenix app on port 13000 instead (the default).
0.5.0 introduces ACME protocol support for automatically renewing SSL certificates with the bundled Nginx service. To enable it,
Rules with overlapping destinations can no longer be added in Firezone 0.5.0. Our migration script will automatically detect these cases during the upgrade to 0.5.0 and keep only the rules whose destination includes the other rule. There is nothing you need to do if this is acceptable.
Otherwise, before upgrading, we recommend changing your rule set to eliminate these cases.
Firezone 0.5.0 removes support for the legacy Okta and Google SSO configuration in favor of the new, more flexible OIDC-based configuration.
If you have any configuration under the default['firezone']['authentication']['okta'] or default['firezone']['authentication']['google'] keys, you will need to migrate these to our OIDC-based configuration using the guide below.
Existing Google OAuth configuration
Remove the following lines containing the old Google OAuth configuration from your configuration file located at /etc/firezone/firezone.rb:
default['firezone']['authentication']['google']['enabled']
default['firezone']['authentication']['google']['client_id']
default['firezone']['authentication']['google']['client_secret']
default['firezone']['authentication']['google']['redirect_uri']
Then, configure Google as an OIDC provider by following the steps here.
(Insert link to instructions)
Existing Okta OAuth configuration
Remove the following lines containing the old Okta OAuth configuration from your configuration file located at /etc/firezone/firezone.rb:
default['firezone']['authentication']['okta']['enabled']
default['firezone']['authentication']['okta']['client_id']
default['firezone']['authentication']['okta']['client_secret']
default['firezone']['authentication']['okta']['site']
Then, configure Okta as an OIDC provider by following the steps here.
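The two migrations above (Google and Okta) follow the same pattern: strip the legacy keys and re-enter the client ID and secret under the oidc hash. The following Ruby script is an added example, not Firezone's migration tooling; it operates on a constructed copy of firezone.rb, uses the legacy key names listed above, and assumes the portal host instance-id.yourfirezone.com when rebuilding redirect_uri. Review the generated hash before running firezone-ctl reconfigure, and merge it by hand if the file already defines ['oidc'].

```ruby
# Added example: move legacy google/okta SSO keys into the 0.5.0 oidc hash.
# Not part of Firezone; review the output before applying it.

# Matches one legacy line, e.g.
# default['firezone']['authentication']['okta']['client_id'] = "abc"
LEGACY_RE = /\Adefault\['firezone'\]\['authentication'\]\['(google|okta)'\]\['(\w+)'\]\s*=\s*(.+?)\s*\z/

# Constructed sample of a pre-0.5.0 firezone.rb (google is present but disabled).
SAMPLE_CONFIG = <<~RUBY
  default['firezone']['external_url'] = "https://instance-id.yourfirezone.com"
  default['firezone']['authentication']['okta']['enabled'] = true
  default['firezone']['authentication']['okta']['client_id'] = "okta-client-id-example"
  default['firezone']['authentication']['okta']['client_secret'] = "okta-secret-example"
  default['firezone']['authentication']['okta']['site'] = "https://dev-000000.okta.com"
  default['firezone']['authentication']['google']['enabled'] = false
  default['firezone']['authentication']['google']['client_id'] = "google-client-id-example"
RUBY

# Removes legacy lines; returns [remaining text, {provider => {key => value}}].
def extract_legacy_sso(config_text)
  legacy = Hash.new { |h, k| h[k] = {} }
  kept = config_text.lines.reject do |line|
    m = LEGACY_RE.match(line.strip)
    legacy[m[1]][m[2]] = m[3].delete(%q("')) if m
    m
  end
  [kept.join, legacy]
end

# Builds the oidc entry for one provider using the template from this guide.
# Google's discovery document is fixed; Okta's is derived from the legacy 'site'.
def oidc_entry(provider, legacy, firezone_host)
  discovery = case provider
              when "google" then "https://accounts.google.com/.well-known/openid-configuration"
              when "okta"   then "#{legacy['site'].to_s.chomp('/')}/.well-known/openid-configuration"
              end
  {
    discovery_document_uri: discovery,
    client_id: legacy["client_id"] || "<CLIENT_ID>",
    client_secret: legacy["client_secret"] || "<CLIENT_SECRET>",
    redirect_uri: "https://#{firezone_host}/auth/oidc/#{provider}/callback/",
    response_type: "code",
    scope: provider == "okta" ? "openid email profile offline_access" : "openid email profile",
    label: provider.capitalize
  }
end

# Renders the Ruby hash assignment to append to firezone.rb.
def render_oidc(entries)
  body = entries.map do |provider, entry|
    fields = entry.map { |k, v| "    #{k}: #{v.inspect}" }.join(",\n")
    "  #{provider}: {\n#{fields}\n  }"
  end.join(",\n")
  "default['firezone']['authentication']['oidc'] = {\n#{body}\n}\n"
end

# Returns [migrated config text, generated entries]. Providers whose legacy
# 'enabled' key was false are dropped rather than migrated.
def migrate_legacy_sso(config_text, firezone_host)
  kept, legacy = extract_legacy_sso(config_text)
  entries = legacy.select { |_, v| v["enabled"] != "false" }
                  .map { |provider, v| [provider, oidc_entry(provider, v, firezone_host)] }
                  .to_h
  return [kept, {}] if entries.empty?
  [kept + render_oidc(entries), entries]
end

if __FILE__ == $PROGRAM_NAME
  text, _entries = migrate_legacy_sso(SAMPLE_CONFIG, "instance-id.yourfirezone.com")
  puts text
end
```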
Depending on your current setup and version, follow the instructions below:
If you already have an OIDC integration:
For some OIDC providers, upgrading to >= 0.3.16 requires obtaining a refresh token for the offline access scope. This ensures that Firezone stays in sync with the identity provider and that the VPN connection is disabled after a user is deleted. Earlier versions of Firezone lack this feature. In some cases, users who have been deleted from your identity provider may still be able to connect to the VPN.
For OIDC providers that support the offline_access scope, it is necessary to include offline_access in the scope parameter of your OIDC configuration. firezone-ctl reconfigure must be run to apply changes to the Firezone configuration file, located at /etc/firezone/firezone.rb.
For users authenticated by your OIDC provider, you will see the OIDC Connections heading on the user details page of the web UI if Firezone was able to retrieve the refresh token successfully.
If this does not work, you will need to delete your existing OAuth app and repeat the OIDC setup steps to create a new app integration.
I have an existing OAuth integration
Prior to 0.3.11, Firezone used pre-configured OAuth2 providers.
Follow the instructions here to migrate to OIDC.
I have not integrated an identity provider
No action needed.
You can follow the instructions here to enable SSO through an OIDC provider.
In this version, default['firezone']['external_url'] has replaced the configuration option default['firezone']['fqdn'].
Set this to the URL of your Firezone web portal that is accessible to the general public. It will default to https:// plus the FQDN of your server if left undefined.
The configuration file is located at /etc/firezone/firezone.rb. See the configuration file reference for a complete list of configuration variables and their descriptions.
Firezone no longer retains device private keys on the Firezone server as of version 0.3.0.
The Firezone Web UI will not allow you to re-download or view these configurations, but any existing devices should continue to work as is.
If you are upgrading from Firezone 0.1.x, there are a few configuration file changes that must be addressed manually.
To make the necessary changes to your /etc/firezone/firezone.rb file, run the commands below as root.
cp /etc/firezone/firezone.rb /etc/firezone/firezone.rb.bak
sed -i "s/\['enable'\]/\['enabled'\]/" /etc/firezone/firezone.rb
echo "default['firezone']['connectivity_checks']['enabled'] = true" >> /etc/firezone/firezone.rb
echo "default['firezone']['connectivity_checks']['interval'] = 3_600" >> /etc/firezone/firezone.rb
firezone-ctl reconfigure
firezone-ctl restart
Checking the Firezone logs is a wise first step for any issue that may occur.
Run sudo firezone-ctl tail to view the Firezone logs.
Most connectivity issues with Firezone are caused by incompatible iptables or nftables rules. You must make sure that any rules you have in effect do not conflict with the Firezone rules.
If your Internet connectivity degrades every time you activate your WireGuard tunnel, make sure the FORWARD chain allows packets from your WireGuard clients to the destinations you want to let through Firezone.
If you are using ufw, this can be achieved by making sure the default routed policy is allow:
ubuntu@fz:~$ sudo ufw default allow routed
Default routed policy changed to 'allow'
(be sure to update your rules accordingly)
A ufw status for a typical Firezone server could look like this:
ubuntu@fz:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)
We recommend limiting network access to the web UI for production and public-facing deployments, as explained below.
| Service | Default port | Listen address | Description |
|---|---|---|---|
| Nginx | 80, 443 | all | Public HTTP(S) port for administering Firezone and facilitating authentication. |
| WireGuard | 51820 | all | Public WireGuard port used for VPN sessions. (UDP) |
| Postgresql | 15432 | 127.0.0.1 | Local-only port used for the bundled Postgresql server. |
| Phoenix | 13000 | 127.0.0.1 | Local-only port used by the upstream elixir app server. |
For production and public-facing deployments where a single administrator will be responsible for creating and distributing device configurations to end users, we recommend that you consider restricting access to the publicly exposed Firezone web UI (ports 443/tcp and 80/tcp by default) and instead use the WireGuard tunnel to manage Firezone.
For example, if an administrator created a device configuration and established a tunnel with the local WireGuard address 10.3.2.2, the following ufw configuration would allow the administrator to access the Firezone web UI on the server's wg-firezone interface using the default 10.3.2.1 tunnel address:
root@demo:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
Anywhere                   ALLOW IN    10.3.2.2
22/tcp (v6)                ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)
This would leave only 22/tcp exposed for SSH access to manage the server (optional), and 51820/udp exposed to establish WireGuard tunnels.
Firezone bundles a Postgresql server and the matching psql utility, which can be used from the local shell like so:
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SQL_STATEMENT"
This can be helpful for debugging purposes.
Common tasks:
Listing all users:
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SELECT * FROM users;"
Listing all devices:
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SELECT * FROM devices;"
Changing a user's role:
Set the role to 'admin' or 'unprivileged':
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "UPDATE users SET role = 'admin' WHERE email = 'user@example.com';"
Backing up the database:
Also included is the pg_dump program, which can be used to take regular backups of the database. Execute the following command to dump a copy of the database in the common SQL query format (replace /path/to/backup.sql with the location where the SQL file should be created):
/opt/firezone/embedded/bin/pg_dump \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 > /path/to/backup.sql
After Firezone is successfully deployed, you will need to add users to grant them access to your network. This is done via the web UI.
By selecting the "Add User" button under /users, you can add a user. You will be required to provide the user with an email address and a password. To automatically grant access to users in your organization, Firezone can also interface with an identity provider. More details are in Authenticate. [Insert link to Authenticate]
We recommend asking users to generate their own device configurations so that the private key is visible only to them. Users can generate their own device configuration by following the instructions on the Client Instructions page.
Firezone administrators can generate device configurations for all users. On the user profile page located under /users, select the "Add Device" option to accomplish this.
[Insert screenshot]
You can email the user the WireGuard configuration file after creating the device profile.
Users and devices are linked. For more details on how to add a user, see Add Users.
Using the kernel's netfilter system, Firezone provides egress filtering capability to specify DROP or ACCEPT packets. All traffic is allowed by default.
IPv4 and IPv6 CIDRs and IP addresses are supported via the Allowlist and Denylist, respectively. You can choose to scope a rule to a user when adding it, which applies the rule to all of that user's devices.
Install and configure
To establish a VPN connection using the WireGuard client, refer to this guide.
The official WireGuard clients listed here are Firezone compatible:
Visit the official WireGuard website at https://www.wireguard.com/install/ for operating systems not mentioned above.
Either your Firezone administrator or you yourself can generate a device configuration file using the Firezone portal.
Visit the URL provided by your Firezone administrator to self-generate a device configuration file. Your firm will have a unique URL for this; in this case, it is https://instance-id.yourfirezone.com.
Firezone Okta SSO login
[Insert screenshot]
Import the .conf file into the WireGuard client by opening it. By flipping the Activate switch, you can start a VPN session.
[Insert screenshot]
Follow the instructions below if your network administrator has mandated recurring authentication to keep your VPN connection active.
You will need:
Firezone portal URL: Ask your network administrator for the link.
Your network administrator should be able to provide your login and password. The Firezone site will prompt you to log in using the single sign-on service your employer uses (such as Google or Okta).
[Insert screenshot]
Visit the Firezone portal URL and log in using the credentials your network administrator provided. If you are already logged in, click the Reauthenticate button before logging back in.
[Insert screenshot]
[Insert screenshot]
To import a WireGuard configuration profile using the Network Manager CLI (nmcli) on Linux devices, follow these instructions.
If the profile has IPv6 support, attempting to import the configuration file using the Network Manager GUI may fail with the following error:
ipv6.method: method "auto" is not supported for WireGuard
It is necessary to install the WireGuard userspace utilities. This will be a package called wireguard or wireguard-tools, depending on the Linux distribution.
For Ubuntu/Debian:
sudo apt install wireguard
For Fedora:
sudo dnf install wireguard-tools
Arch Linux:
sudo pacman -S wireguard-tools
Visit the official WireGuard website at https://www.wireguard.com/install/ for distributions not mentioned above.
Either your Firezone administrator or you yourself can generate a device configuration file using the Firezone portal.
Visit the URL provided by your Firezone administrator to self-generate a device configuration file. Your firm will have a unique URL for this; in this case, it is https://instance-id.yourfirezone.com.
[Insert screenshot]
Import the supplied configuration file using nmcli:
sudo nmcli connection import type wireguard file /path/to/configuration.conf
The name of the configuration file will correspond to the WireGuard connection/interface. After import, the connection can be renamed if necessary:
nmcli connection modify [old name] connection.id [new name]
From the command line, connect to the VPN as follows:
nmcli connection up [vpn name]
To disconnect:
nmcli connection down [vpn name]
The applicable Network Manager applet can also be used to manage the connection if you are using a GUI.
By selecting "yes" for the autoconnect option, the VPN connection can be configured to connect automatically:
nmcli connection modify [vpn name] connection.autoconnect yes
To disable auto-connection, set it back to no:
nmcli connection modify [vpn name] connection.autoconnect no
To enable MFA, go to the MFA registration page under your user account in the Firezone portal. Use your authenticator app to scan the QR code after it is generated, then enter the six-digit code.
Contact your admin to reset your account access information if you lose your authenticator app.
This guide will walk you through the process of setting up Firezone's WireGuard tunnel feature so that only traffic to specific IP ranges is forwarded through the VPN server.
The IP ranges that the client will use to route network traffic are set in the Allowed IPs field located on the /settings/default page. Only newly generated WireGuard tunnel configurations produced by Firezone are affected by changes to this field.
[Insert screenshot]
The default value is 0.0.0.0/0, ::/0, which routes all network traffic from the client to the VPN server.
Examples of values for this field include:
0.0.0.0/0, ::/0 - all network traffic will be routed to the VPN server.
192.0.2.3/32 - only traffic to a single IP address will be routed to the VPN server.
3.5.140.0/22 - only traffic to IPs in the range 3.5.140.1 - 3.5.143.254 will be routed to the VPN server. In this example, the CIDR range for the ap-northeast-2 AWS region was used.
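Whether a given destination actually goes through the tunnel follows from the AllowedIPs list in the generated WireGuard config, which the client matches by longest prefix. The Ruby script below is an added example, not Firezone's own code: it parses the Allowed IPs field values quoted above and answers, for a destination address, whether it would be tunneled and by which entry, and it also expands a CIDR into the address range it covers (3.5.140.0/22 spans 3.5.140.0 to 3.5.143.255; the guide quotes the usable host portion of that range).

```ruby
# Added example: evaluate Firezone's Allowed IPs field the way a WireGuard
# client applies AllowedIPs (family match, then longest prefix). Not part of
# Firezone.
require 'ipaddr'

# Parses the comma-separated Allowed IPs string from /settings/default.
# A bare address without "/len" is treated by IPAddr as a host route.
def parse_allowed_ips(field)
  field.split(",").map(&:strip).reject(&:empty?).map { |cidr| IPAddr.new(cidr) }
end

# Returns the most specific allowed range containing dest, or nil when the
# destination is left on the device's normal route (i.e. bypasses the VPN).
def tunnel_route_for(allowed, dest)
  ip = IPAddr.new(dest)
  candidates = allowed.select { |net| net.family == ip.family && net.include?(ip) }
  candidates.max_by(&:prefix)
end

def tunneled?(allowed, dest)
  !tunnel_route_for(allowed, dest).nil?
end

# Expands a CIDR into its first/last address and size, e.g.
# "3.5.140.0/22: 3.5.140.0 .. 3.5.143.255 (1024 addresses)"
def describe_range(cidr)
  net = IPAddr.new(cidr)
  range = net.to_range
  size = 2**((net.ipv4? ? 32 : 128) - net.prefix)
  "#{cidr}: #{range.first} .. #{range.last} (#{size} addresses)"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed field value combining two of the guide's examples.
  allowed = parse_allowed_ips("192.0.2.3/32, 3.5.140.0/22")
  %w[3.5.141.7 192.0.2.3 192.0.2.4 2001:db8::1].each do |dest|
    route = tunnel_route_for(allowed, dest)
    puts "#{dest}: #{route ? "via tunnel (#{route}/#{route.prefix})" : 'bypasses VPN'}"
  end
  puts describe_range("3.5.140.0/22")
end
```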
When determining where to route a packet, Firezone first selects the egress interface associated with the most precise route.
Users must regenerate the configuration files and add them to their WireGuard client in order to update existing user devices with the new split tunnel configuration.
For instructions, see Add Device. [Insert link]
This guide will demonstrate how to connect two devices using Firezone as a relay. One typical use case is to enable an administrator to access a server, container, or machine that is protected by a NAT or firewall.
This example shows a straightforward scenario where Devices A and B construct a tunnel.
[Insert Firezone architecture image]
Start by creating Device A and Device B by navigating to /users/[user_id]/new_device. In the settings for each device, make sure the following parameters are set to the values listed below. You can set device settings when creating the device configuration (see Add Devices). If you need to update settings on an existing device, you can do so by generating a new device configuration.
Note that all devices have a /settings/defaults page where PersistentKeepalive can be configured.
AllowedIPs = 10.3.2.2/32
This is the IP or range of IPs of Device B.
PersistentKeepalive = 25
If the device is behind a NAT, this ensures the device is able to keep the tunnel alive and continue to receive packets from the WireGuard interface. Usually a value of 25 is sufficient, but you may need to decrease this value depending on your environment.
AllowedIPs = 10.3.2.3/32
This is the IP or range of IPs of Device A.
PersistentKeepalive = 25
This example shows a scenario where Device A can communicate with Devices B through D in both directions. This setup could represent an engineer or administrator accessing multiple resources (servers, containers, or machines) across different networks.
[Architecture diagram]
Make sure the following settings are configured in each device's settings to the corresponding values. When creating the device configuration, you can specify device settings (see Add Devices). A new device configuration can be created if settings on an existing device need to be updated.
AllowedIPs = 10.3.2.3/32, 10.3.2.4/32, 10.3.2.5/32
These are the IPs of Devices B through D. The IPs of Devices B through D must be included in whatever IP range you choose to set.
PersistentKeepalive = 25
This ensures the device is able to keep the tunnel alive and continue to receive packets from the WireGuard interface even when it is behind a NAT. In most cases, a value of 25 is sufficient, although depending on your environment you may need to lower this number.
To provide a single, static egress IP for all of your team's traffic to flow out of, Firezone can be used as a NAT gateway. Common situations where this is used include:
Consulting engagements: Request that your client whitelist a single static IP address rather than each employee's unique device IP.
Using a proxy or masking your source IP for security or privacy purposes.
This post will demonstrate a simple example of restricting access to a self-hosted web application to a single whitelisted static IP running Firezone. In this example, Firezone and the protected resource are in different VPC regions.
This solution is frequently used in place of managing an IP whitelist for numerous end users, which can become time-consuming as the access list grows.
Our goal is to set up a Firezone server on an EC2 instance to redirect VPN traffic to the restricted resource. In this example, Firezone serves as a network proxy or NAT gateway to give each connected device a single public egress IP.
In this case, an EC2 instance named tc2.micro has a Firezone instance installed on it. For information on deploying Firezone, see the deployment guide. In relation to AWS, make sure:
The Firezone EC2 instance's security group allows outbound traffic to the protected resource's IP address.
The Firezone instance comes with an elastic IP. Traffic that is forwarded through the Firezone instance to outside destinations will have this as its source IP address. The IP address in question is 52.202.88.54.
[Insert screenshot]
A self-hosted web application serves as the protected resource in this case. The web application can only be accessed from requests coming from the IP address 52.202.88.54. Depending on the resource, it may be necessary to allow inbound traffic on various ports and traffic types. This is not covered in this guide.
[Insert screenshot]
Please tell the third party in charge of the protected resource that traffic from the static IP defined in Step 1 (in this case 52.202.88.54) must be allowed.
By default, all user traffic will pass through the VPN server and originate from the static IP configured in Step 1 (in this case 52.202.88.54). However, if split tunneling is enabled, configuration may be necessary to ensure that the protected resource's destination IP is among the Allowed IPs.
Shown below is a list of configuration options available in /etc/firezone/firezone.rb.
| Option | Description | Default value |
|---|---|---|
| default['firezone']['external_url'] | The URL used to access the web portal of this Firezone instance. | "https://#{node['fqdn'] \|\| node['hostname']}" |
| default['firezone']['config_directory'] | Top-level directory for Firezone configuration. | '/etc/firezone' |
| default['firezone']['install_directory'] | Top-level directory to install Firezone to. | '/opt/firezone' |
| default['firezone']['app_directory'] | Top-level directory to install the Firezone web application to. | "#{node['firezone']['install_directory']}/embedded/service/firezone" |
| default['firezone']['log_directory'] | Top-level directory for Firezone logs. | '/var/log/firezone' |
| default['firezone']['var_directory'] | Top-level directory for Firezone runtime files. | '/var/opt/firezone' |
| default['firezone']['user'] | Name of the unprivileged Linux user that most services and files will belong to. | 'firezone' |
| default['firezone']['group'] | Name of the Linux group that most services and files will belong to. | 'firezone' |
| default['firezone']['admin_email'] | Email address for the initial Firezone user. | "firezone@localhost" |
| default['firezone']['max_devices_per_user'] | Maximum number of devices a user can have. | 10 |
| default['firezone']['allow_unprivileged_device_management'] | Allows non-admin users to create and delete devices. | true |
| default['firezone']['allow_unprivileged_device_configuration'] | Allows non-admin users to modify device configuration. When disabled, prevents unprivileged users from changing all device fields except name and description. | true |
| default['firezone']['egress_interface'] | Name of the interface where tunneled traffic will exit. If nil, the default route interface will be used. | nil |
| default['firezone']['fips_enabled'] | Enable or disable OpenSSL FIPS mode. | nil |
| default['firezone']['logging']['enabled'] | Enable or disable logging across Firezone. Set to false to disable logging entirely. | true |
| default['enterprise']['name'] | Name used by the Chef 'enterprise' cookbook. | 'firezone' |
| default['firezone']['install_path'] | Install path used by the Chef 'enterprise' cookbook. Should be set to the same value as install_directory above. | node['firezone']['install_directory'] |
| default['firezone']['sysvinit_id'] | An identifier used in /etc/inittab. Must be a unique sequence of 1-4 characters. | 'SUP' |
| default['firezone']['authentication']['local']['enabled'] | Enable or disable local email/password authentication. | true |
| default['firezone']['authentication']['auto_create_oidc_users'] | Automatically create users signing in from OIDC for the first time. Disable to only allow existing users to sign in via OIDC. | true |
| default['firezone']['authentication']['disable_vpn_on_oidc_error'] | Disable a user's VPN if an error is detected while trying to refresh their OIDC token. | false |
| default['firezone']['authentication']['oidc'] | OpenID Connect config, in the format {"provider" => [config…]} - See the OpenIDConnect documentation for config examples. | {} |
| default['firezone']['nginx']['enabled'] | Enable or disable the bundled nginx server. | true |
| default['firezone']['nginx']['ssl_port'] | HTTPS listen port. | 443 |
| default['firezone']['nginx']['directory'] | Directory to store Firezone-related nginx virtual host configuration. | "#{node['firezone']['var_directory']}/nginx/etc" |
| default['firezone']['nginx']['log_directory'] | Directory to store Firezone-related nginx log files. | "#{node['firezone']['log_directory']}/nginx" |
| default['firezone']['nginx']['log_rotation']['file_maxbytes'] | File size at which to rotate Nginx log files. | 104857600 |
| default['firezone']['nginx']['log_rotation']['num_to_keep'] | Number of Firezone nginx log files to keep before discarding. | 10 |
| default['firezone']['nginx']['log_x_forwarded_for'] | Whether to log the Firezone nginx x-forwarded-for header. | true |
| default['firezone']['nginx']['hsts_header']['enabled'] | Enable or disable the HSTS header. | true |
ndabara['firezone']['nginx']]['hsts_header'] ['gụnyere_subdomains'] | Kwado ma ọ bụ gbanyụọ gụnyere SubDomains maka nkụnye eji isi mee HSTS. | EZI |
ndabara['firezone']]['nginx']]['hsts_header']['max_age'] | Oke afọ maka nkụnye eji isi mee HSTS. | 31536000 |
ndabara ['firezone']]['nginx']['redirect_to_canonical'] | Ma ọ ga-atụgharị URL gaa na FQDN nke akọwara n'elu | FALSE |
ndabara['firezone']]['nginx'] ['cache'] ['enyere aka'] | Kwado ma ọ bụ gbanyụọ nginx cache Firezone. | FALSE |
ndabara['firezone']]['nginx'] ['cache'] ['akwụkwọ ndekọ aha'] | Akwụkwọ ndekọ maka Firezone nginx cache. | "#{node['firezone']]['var_directory']}/nginx/cache" |
ndabara['firezone']]['nginx'] ['onye ọrụ'] | Onye ọrụ Firezone nginx. | node['firezone'] ['onye ọrụ'] |
ndabara['firezone']]['nginx']['otu'] | Firezone nginx otu. | ọnụ['firezone']['otu'] |
ndabara['firezone']]['nginx']['dir'] | Ndekọ nhazi nginx dị elu. | ọnụ['firezone'] ['nginx'] ['akwụkwọ ndekọ aha'] |
ndabara ['firezone']]['nginx']]['log_dir'] | Ndekọ ndekọ nginx dị elu. | ọnụ['firezone']]['nginx']['log_directory'] |
ndabara['firezone']]['nginx']['pid'] | Ebe maka nginx pid faịlụ. | "#{node['firezone']]['nginx']['directory']}/nginx.pid" |
ndabara['firezone']['nginx']]['daemon_disable'] | Gbanyụọ nginx daemon mode ka anyị nwee ike nyochaa ya kama. | EZI |
ndabara['firezone']]['nginx']['gzip'] | Gbanyụọ ma ọ bụ gbanyụọ nginx gzip mkpakọ. | na' |
ndabara ['firezone']]['nginx']['gzip_static'] | Gbanyụọ ma ọ bụ gbanyụọ nginx gzip mkpakọ maka faịlụ static. | gbanyụọ' |
ndabara['firezone']['nginx']]['gzip_http_version'] | Ụdị HTTP a ga-eji maka faịlụ static. | 1.0 ' |
ndabara ['firezone']]['nginx']['gzip_comp_level'] | nginx gzip mkpakọ ọkwa. | 2 ' |
ndabara['firezone']['nginx']]['gzip_proxied'] | Na-akwado ma ọ bụ gbanyụọ gzipping nke nzaghachi maka arịrịọ proxied dabere na arịrịọ na nzaghachi. | nke ọ bụla' |
ndabara['firezone']]['nginx']['gzip_vary'] | Na-akwado ma ọ bụ gbanyụọ ntinye "Vary: Anabata-Encoding" nkụnye eji isi mee. | gbanyụọ' |
ndabara['firezone']['nginx']]['gzip_buffers'] | Na-edobe ọnụọgụ na nha nke ihe nchekwa ejiri iji mpikota nzaghachi. Ọ bụrụ nil, a na-eji ndabara nginx. | nil |
ndabara['firezone']]['nginx']['gzip_types'] | Ụdị MIME iji mee ka mpịakọta gzip maka. | ['ederede/plain', 'text/css','application/x-javascript', 'text/xml', 'application/xml', 'application/rss+xml', 'application/atom+xml',' ederede/javascript', 'ngwa/javascript', 'ngwa/json'] |
ndabara['firezone']['nginx']]['gzip_min_length'] | Ogologo faịlụ kacha nta iji mee ka mkpakọ gzip faịlụ maka. | 1000 |
ndabara['firezone']]['nginx']['gzip_disable'] | Onye nnọchite anya ihe egwuregwu iji gbanyụọ mkpakọ gzip maka. | MSIE [1-6] \.' |
ndabara['firezone']]['nginx'] ['keepalive'] | Na-arụ ọrụ cache maka njikọ na sava dị elu. | na' |
ndabara ['firezone']]['nginx']['keepalive_timeout'] | Oge agwụla n'ime sekọnd maka njikọ dị ndụ na sava dị elu. | 65 |
ndabara['firezone']['nginx']]['ọrụ_processes'] | Ọnụọgụ nke usoro ndị ọrụ nginx. | node['cpu'] && node['cpu']['mkpokọta']? node['cpu']['mkpokọta']: 1 |
ndabara['firezone']['nginx']]['njikọ_onye ọrụ'] | Ọnụ ọgụgụ kacha elu nke njikọ otu oge nke usoro onye ọrụ nwere ike imeghe. | 1024 |
ndabara ['firezone']]['nginx']['worker_rlimit_nofile'] | Na-agbanwe oke na ọnụọgụ kacha nke faịlụ mepere emepe maka usoro ndị ọrụ. Na-eji ndabara nginx ma ọ bụrụ nil. | nil |
ndabara['firezone']]['nginx']['multi_accept'] | Ma ndị ọrụ kwesịrị ịnakwere otu njikọ n'otu oge ma ọ bụ ọtụtụ. | EZI |
ndabara['firezone']]['nginx'] ['omume'] | Na-akọwapụta usoro nhazi njikọ iji n'ime ọnọdụ mmemme nginx. | epoll' |
ndabara['firezone']]['nginx']['server_tokens'] | Na-akwado ma ọ bụ gbanyụọ nginx ụdị nginx na ibe mperi yana n'ọhịa nzaghachi nzaghachi "Server". | nil |
ndabara ['firezone']]['nginx']['server_names_hash_bucket_size'] | Na-edobe nha ịwụ maka tebụl hash aha nkesa. | 64 |
ndabara['firezone']]['nginx'] ['sendfile'] | Na-akwado ma ọ bụ gbanyụọ iji nginx's sendfile(). | na' |
ndabara['firezone']['nginx']]['access_log_options'] | Na-edozi nhọrọ ntinye nginx. | nil |
ndabara['firezone']['nginx']['error_log_options'] | Na-edozi nhọrọ ndekọ njehie nginx. | nil |
ndabara['firezone']['nginx']]['disable_access_log'] | Gbanyụọ ndekọ ohere nginx. | FALSE |
ndabara['firezone']['nginx']]['types_hash_max_size'] | ụdị nginx hash max size. | 2048 |
ndabara['firezone']]['nginx']['types_hash_bucket_size'] | nginx ụdị hash ịwụ nha. | 64 |
ndabara['firezone']['nginx']['proxy_read_timeout'] | nginx proxy gụchara oge agwụla. Tọọ na nil ka iji ndabara nginx. | nil |
ndabara['firezone']['nginx']]['client_body_buffer_size'] | nginx ahịa ihe nchekwa nha. Tọọ na nil ka iji ndabara nginx. | nil |
ndabara['firezone']['nginx']]['client_max_body_size'] | nginx ahịa max ahu size. | 250m' |
ndabara['firezone']]['nginx'] ['ndabere'] ['modul'] | Ezipụta modul nginx agbakwunyere. | [] |
ndabara ['firezone']]['nginx']['enable_rate_limiting'] | Kwado ma ọ bụ gbanyụọ mmachi ọnụego nginx. | EZI |
ndabara['firezone']['nginx']]['rate_limiting_zone_name'] | Nginx ọnụego na-amachi aha mpaghara. | firezone' |
ndabara ['firezone']]['nginx']['rate_limiting_backoff'] | Ọnụego Nginx na-amachi azụ azụ. | 10m' |
ndabara ['firezone']]['nginx'] ['rate_limit'] | Oke ọnụego Nginx. | 10r/s |
ndabara ['firezone']]['nginx']['ipv6'] | Kwe ka nginx gee ntị maka arịrịọ HTTP maka IPv6 na mgbakwunye na IPv4. | EZI |
ndabara['firezone']]['postgresql'] ['ekwanyere'] | Kwado ma ọ bụ gbanyụọ Postgresql ekpokọtara. Tọọ ụgha ma dejupụta nhọrọ nchekwa data dị n'okpuru iji jiri ihe atụ Postgresql nke gị. | EZI |
ndabara['firezone']]['postgresql'] ['aha njirimara'] | Aha njirimara maka Postgresql. | node['firezone'] ['onye ọrụ'] |
ndabara ['firezone']['postgresql']['data_directory'] | Akwụkwọ ndekọ data Postgresql. | "#{node['firezone']]['var_directory']}/postgresql/13.3/data" |
ndabara ['firezone']]['postgresql']['log_directory'] | Postgresql ndekọ ndekọ. | "#{node['firezone']]['log_directory']}/postgresql" |
ndabara ['firezone']]['postgresql']]['log_rotation']['file_maxbytes'] | Faịlụ ndekọ Postgresql kacha nha tupu agbagharịa ya. | 104857600 |
ndabara ['firezone']]['postgresql']]['log_rotation']['num_to_keep'] | Ọnụọgụ faịlụ ndekọ Postgresql ka idowe. | 10 |
ndabara['firezone']]['postgresql']['checkpoint_completion_target'] | Ebumnuche mmecha ebe nlele Postgresql. | 0.5 |
ndabara['firezone']]['postgresql']['checkpoint_segments'] | Ọnụọgụ nke ngalaba nlele Postgresql. | 3 |
ndabara['firezone']]['postgresql']['checkpoint_timeout'] | Oge nlele Postgresql. | Nkeji 5' |
ndabara ['firezone']]['postgresql']['checkpoint_warning'] | Oge ịdọ aka na ntị Postgresql na sekọnd. | 30s' |
ndabara ['firezone']]['postgresql']['effective_cache_size'] | Ogo cache dị irè Postgresql. | 128MB' |
ndabara['firezone']]['postgresql']['adreesị ntị'] | Adreesị gee postgresql. | 127.0.0.1 ' |
ndabara ['firezone']]['postgresql']['max_connections'] | Njikọ Postgresql max. | 350 |
ndabara['firezone']]['postgresql']['md5_auth_cidr_addresses'] | Postgresql CIDRs inye ohere maka md5 auth. | ['127.0.0.1/32','::1/128'] |
ndabara ['firezone']]['postgresql']['ọdụ ụgbọ mmiri'] | Postgresql n'ọdụ ụgbọ mmiri. | 15432 |
ndabara['firezone']]['postgresql']['shared_buffers'] | Postgresql na-ekekọrịta nha ihe nchekwa. | "#{(ọnụ['memory']['total'].to_i / 4) / 1024}MB" |
ndabara['firezone']]['postgresql']['shmmax'] | Postgresql shmmax na bytes. | 17179869184 |
ndabara['firezone']]['postgresql']['shmall'] | Postgresql shmall na bytes. | 4194304 |
ndabara ['firezone']]['postgresql']['work_mem'] | Ogo ebe nchekwa Postgresql na-arụ ọrụ. | 8MB' |
ndabara ['firezone'] ['database'] ['onye ọrụ'] | Na-akọwapụta aha njirimara Firezone ga-eji jikọọ na DB. | node['firezone'] ['postgresql'] ['aha njirimara'] |
ndabara ['firezone'] ['database'] ['password'] | Ọ bụrụ na ị na-eji DB mpụga, ezipụta paswọọdụ Firezone ga-eji jikọọ na DB. | gbanwee_m' |
ndabara ['firezone'] ['database'] ['aha'] | Database nke Firezone ga-eji. A ga-emepụta ma ọ bụrụ na ọ dịghị. | firezone' |
ndabara ['firezone'] ['database'] ['onye ọbịa'] | Onye nnabata data nke Firezone ga-ejikọ na ya. | ọnụ['firezone'] ['postgresql'] ['adreesị gee ntị'] |
ndabara['firezone']]['database']['ọdụ ụgbọ mmiri'] | Ọdụ ụgbọ mmiri nke Firezone ga-ejikọta. | ọnụ['firezone'] ['postgresql'] ['ọdụ ụgbọ mmiri'] |
ndabara['firezone']]['database']['pool'] | Ogo ọdọ mmiri nchekwa data Firezone ga-eji. | [10, wdg.nprocessors].max |
ndabara['firezone']]['database']['ssl'] | Ma jikọọ na nchekwa data n'elu SSL. | FALSE |
ndabara['firezone']]['database']['ssl_opts'] | Hash nke nhọrọ iziga na nhọrọ:ssl_opts mgbe ị na-ejikọ n'elu SSL. Lee Akwụkwọ Ecto.Adapters.Postgres. | {} |
ndabara ['firezone'] ['database'] ['parameters'] | {} | |
ndabara['firezone']]['database']['extensions'] | Mgbatị nchekwa data iji mee ya. | { 'plpgsql' => eziokwu, 'pg_trgm' => ezi } |
ndabara['firezone']]['phoenix'] ['ekwanyere'] | Kwado ma ọ bụ gbanyụọ ngwa weebụ Firezone. | EZI |
ndabara['firezone']]['phoenix'] ['ige ntị_address'] | Adrees webụ ngwa Firezone gee ntị. Nke a ga-abụ adreesị ntị nke nginx proxies. | 127.0.0.1 ' |
ndabara ['firezone'] ['phoenix'] ['ọdụ ụgbọ mmiri'] | Firezone webụ ngwa ntị ọdụ ụgbọ mmiri. Nke a ga-abụ ọdụ ụgbọ mmiri nke nginx proxies. | 13000 |
ndabara ['firezone']]['phoenix']['log_directory'] | Firezone ndekọ ndekọ ndekọ. | "#{node['firezone']]['log_directory']}/phoenix" |
ndabara ['firezone']]['phoenix']]['log_rotation']['file_maxbytes'] | Ogo faịlụ ndekọ ngwa weebụ Firezone. | 104857600 |
ndabara['firezone']]['phoenix']]['log_rotation']['num_to_keep'] | Ọnụọgụ faịlụ ndekọ ndekọ ngwa weebụ Firezone ka idowe ya. | 10 |
ndabara['firezone']]['phoenix'] ['crash_detection'] ['enyere aka'] | Kwado ma ọ bụ gbanyụọ iweda ngwa weebụ Firezone mgbe achọpụtara ihe mberede. | EZI |
ndabara['firezone']]['phoenix']['external_trusted_proxies'] | Ndepụta proxies tụkwasara ntụkwasị obi ahaziri dị ka Array nke IP na/ma ọ bụ CIDR. | [] |
ndabara['firezone']]['phoenix']['private_clients'] | Ndepụta nke ndị ahịa HTTP netwọkụ nkeonwe, haziri ọtụtụ IP na/ma ọ bụ CIDR. | [] |
ndabara ['firezone'] ['wireguard'] ['enyere aka'] | Kwado ma ọ bụ gbanyụọ njikwa WireGuard ekpokọtara. | EZI |
ndabara ['firezone']]['wireguard']['log_directory'] | Ndekọ ndekọ maka njikwa WireGuard jikọtara ọnụ. | "#{ọnụ['firezone'] ['log_directory']}/wireguard" |
ndabara['firezone']]['wireguard']]['log_rotation']['file_maxbytes'] | Ihe ndekọ ndekọ WireGuard kacha. | 104857600 |
ndabara['firezone']]['wireguard']]['log_rotation']['num_to_keep'] | Ọnụọgụ faịlụ ndekọ WireGuard ka idowe ya. | 10 |
ndabara['firezone']]['wireguard']['interface_name'] | WireGuard interface aha. Ịgbanwe oke a nwere ike bute mfu nwa oge na njikọ VPN. | wg-fizone' |
ndabara ['firezone'] ['wireguard'] ['ọdụ ụgbọ mmiri'] | WireGuard ọdụ ụgbọ mmiri. | 51820 |
ndabara ['firezone'] ['wireguard'] ['mtu'] | WireGuard interface MTU maka ihe nkesa a yana maka nhazi ngwaọrụ. | 1280 |
ndabara ['firezone'] ['wireguard'] ['endpoint'] | Ebe njedebe WireGuard ga-eji maka ịmepụta nhazi ngwaọrụ. Ọ bụrụ na ọ bụghị, ọ ga-adaba na adreesị IP ọha nke sava ahụ. | nil |
ndabara ['firezone'] ['wireguard'] ['dns'] | WireGuard DNS iji maka nhazi ngwaọrụ ewepụtara. | 1.1.1.1, 1.0.0.1 ′ |
ndabara['firezone']]['wireguard']['allowed_ips'] | WireGuard AllowedIPs iji maka nhazi ngwaọrụ ewepụtara. | 0.0.0.0/0, ::/0′ |
ndabara['firezone']]['wireguard']['na-adịgide adịgide_keepalive'] | Ntọala PersistentKeepalive nke an-kpọ maka nhazi ngwaọrụ ewepụtara. Uru nke 0 gbanyụọ. | 0 |
ndabara ['firezone'] ['wireguard'] ['ipv4'] ['enyere aka'] | Kwado ma ọ bụ gbanyụọ IPv4 maka netwọk WireGuard. | EZI |
ndabara ['firezone'] ['wireguard'] ['ipv4'] ['masquerade'] | Kwado ma ọ bụ gbanyụọ masquerade maka ngwugwu na-ahapụ ọwara IPv4. | EZI |
ndabara ['firezone'] ['wireguard'] ['ipv4'] ['netwọk'] | WireGuard netwọk IPv4 adreesị ọdọ mmiri. | 10.3.2.0/24 ′ |
ndabara ['firezone'] ['wireguard'] ['ipv4'] ['adreesị'] | WireGuard interface IPv4 adreesị. Ga-abụrịrị n'ime ọdọ mmiri adreesị WireGuard. | 10.3.2.1 ' |
ndabara ['firezone'] ['wireguard'] ['ipv6'] ['enyere aka'] | Kwado ma ọ bụ gbanyụọ IPv6 maka netwọk WireGuard. | EZI |
ndabara ['firezone'] ['wireguard'] ['ipv6'] ['masquerade'] | Kwado ma ọ bụ gbanyụọ masquerade maka ngwugwu na-ahapụ ọwara IPv6. | EZI |
ndabara ['firezone'] ['wireguard'] ['ipv6'] ['netwọk'] | WireGuard netwọk IPv6 adreesị ọdọ mmiri. | fd00::3:2:0/120′ |
ndabara ['firezone'] ['wireguard'] ['ipv6'] ['adreesị'] | WireGuard interface IPv6 adreesị. Ga-abụrịrị n'ime ọdọ mmiri adreesị IPv6. | fd00:: 3:2:1 ′ |
ndabara ['firezone']]['runit']['svlogd_bin'] | Ọnọdụ Runit svlogd bin. | "#{ọnụ['firezone']]['install_directory']}/embedded/bin/svlogd" |
ndabara['firezone']]['ssl']['directory'] | Akwụkwọ ndekọ aha SSL maka ịchekwa asambodo emepụtara. | /var/opt/fizone/ssl' |
ndabara['firezone']]['ssl']['email_address'] | Adreesị ozi-e ị ga-eji maka asambodo ejiri aka ya na ọkwa mmeghari protocol ACME. | ị @example.com' |
ndabara['firezone']]['ssl'] ['acme'] ['enyere aka'] | Kwado ACME maka inye asambodo SSL akpaaka. Gbanyụọ nke a iji gbochie Nginx ịge ntị na ọdụ ụgbọ mmiri 80. Lee Ebe a maka ntuziaka ndị ọzọ. | FALSE |
ndabara['firezone']]['ssl'] ['acme'] ['ihe nkesa'] | mkpọtu | |
ndabara['firezone']]['ssl'] ['acme'] ['keylength'] | ec-256 | |
ndabara['firezone']]['ssl'] ['akwụkwọ nkwado'] | Ụzọ na faịlụ akwụkwọ maka FQDN gị. Na-ewepụ ntọala ACME n'elu ma ọ bụrụ na akọwapụtara ya. Ọ bụrụ na ma ACME na nke a abaghị uru, a ga-ewepụta asambodo ejiri aka ya bịa. | nil |
ndabara['firezone']['ssl']['certificate_key'] | Ụzọ na faịlụ asambodo. | nil |
ndabara['firezone']]['ssl']['ssl_dhparam'] | nginx ssl dh_param. | nil |
ndabara['firezone']]['ssl']['country_name'] | Aha obodo maka asambodo ejiri aka ya bịa. | US' |
ndabara['firezone']['ssl']['state_name'] | Aha steeti maka asambodo ejiri aka ya bịanye aka na ya. | CA ' |
ndabara['firezone']['ssl']['locaity_name'] | Aha mpaghara maka asambodo ejiri aka ya bịanye aka na ya. | San Francisco' |
ndabara['firezone']]['ssl']['aha ụlọ ọrụ'] | Asambodo ejiri aka ya bịanye aka n'aha ụlọ ọrụ. | Ụlọ ọrụ m' |
ndabara['firezone']['ssl']]['organizational_unit_name'] | Aha ngalaba nhazi maka asambodo ejiri aka ya bịanye aka na ya. | Arụ ọrụ' |
ndabara['firezone']]['ssl']['ciphers'] | SSL ciphers maka nginx iji. | ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA’ |
ndabara['firezone']['ssl']['fips_ciphers'] | SSL ciphers maka ọnọdụ FIP. | FIPS @ IKE:!aNULL:!eNULL' |
ndabara['firezone']]['ssl']['protocols'] | Usoro TLS iji. | TLSv1 TLSv1.1 TLSv1.2′ |
ndabara['firezone']]['ssl']['session_cache'] | cache nke oge SSL. | òkè:SSL:4m' |
ndabara['firezone']['ssl']['session_timeout'] | Oge ngwụcha nke oge SSL. | 5m' |
ndabara['firezone']['robots_allow'] | nginx robots ekwe. | /' |
ndabara['firezone']]['robots_disallow'] | nginx robots ekwetaghị. | nil |
ndabara['firezone']]['outbound_email']['si'] | Ozi email sitere na adreesị. | nil |
ndabara['firezone']['outbound_email']['onye na-eweta'] | Onye na-eweta email na-apụ apụ. | nil |
ndabara['firezone']]['outbound_email']['configs'] | Nhazi ndị na-eweta email na-apụ apụ. | hụ omnibus/bookbooks/firezone/attributes/default.rb |
ndabara ['firezone'] ['telemetry'] ['enyere aka'] | Kwado ma ọ bụ gbanyụọ telemetry ngwaahịa ahaghị aha. | EZI |
ndabara['firezone']]['connectivity_checks']['agbanyere'] | Kwado ma ọ bụ gbanyụọ ọrụ nlele njikọ njikọ Firezone. | EZI |
ndabara['firezone']]['connectivity_checks']['nterval'] | Oghere n'etiti nlele njikọ na sekọnd. | 3_600 |
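As an added example (not Firezone's own code), the following Ruby script evaluates a firezone.rb fragment the way the Chef attribute DSL does (`default['firezone'][...] = value`) and audits the security-relevant options from the table above, falling back to the documented defaults for anything the file does not set. The AttributeContext class, the check list and the two sample configurations are hypothetical; only the option names and defaults come from the table.

```ruby
# Added example, not Firezone's own code: load a firezone.rb fragment as Chef
# would and audit it against the documented defaults from the table above.

# Auto-vivifying nested hash, so `default['firezone']['ssl']['protocols'] = x`
# builds the same tree Chef builds from the attribute file.
def nested_hash
  Hash.new { |h, k| h[k] = nested_hash }
end

# firezone.rb is plain Ruby that `firezone-ctl reconfigure` executes; we evaluate
# it against an object exposing only `default` (writes) and `node` (reads), so
# only audit files you would let reconfigure run anyway.
class AttributeContext
  attr_reader :default

  def initialize
    @default = nested_hash
  end

  alias node default

  def load(ruby_source)
    instance_eval(ruby_source)
    self
  end
end

# Walk a path without triggering auto-vivification; :unset if never assigned.
def lookup(tree, path)
  path.each do |key|
    return :unset unless tree.is_a?(Hash) && tree.key?(key)
    tree = tree[key]
  end
  tree
end

# Documented defaults (from the table above) for the options audited here.
DOCUMENTED_DEFAULTS = {
  %w[ssl protocols]                            => 'TLSv1 TLSv1.1 TLSv1.2',
  %w[ssl acme enabled]                         => false,
  %w[ssl certificate]                          => nil,
  %w[postgresql enabled]                       => true,
  %w[database ssl]                             => false,
  %w[database password]                        => 'change_me',
  %w[authentication oidc]                      => {},
  %w[authentication disable_vpn_on_oidc_error] => false,
  %w[nginx server_tokens]                      => nil,
  %w[allow_unprivileged_device_configuration]  => true
}.freeze

# Each check receives the effective value of its option and a lookup for others.
CHECKS = [
  { path: %w[ssl protocols], msg: 'ssl.protocols still enables TLSv1/TLSv1.1',
    ok: ->(v, _) { v.to_s !~ /\bTLSv1(\.1)?(\s|\z)/ } },
  { path: %w[ssl certificate], msg: 'no ACME and no certificate path: a self-signed certificate will be served',
    ok: ->(v, cfg) { cfg[%w[ssl acme enabled]] == true || !v.nil? } },
  { path: %w[database ssl], msg: 'external database reached without TLS (database.ssl = false)',
    ok: ->(v, cfg) { cfg[%w[postgresql enabled]] == true || v == true } },
  { path: %w[database password], msg: 'external database still uses the placeholder password',
    ok: ->(v, cfg) { cfg[%w[postgresql enabled]] == true || v != 'change_me' } },
  { path: %w[authentication disable_vpn_on_oidc_error], msg: 'OIDC configured but VPN stays up when token refresh fails',
    ok: ->(v, cfg) { cfg[%w[authentication oidc]].empty? || v == true } },
  { path: %w[nginx server_tokens], msg: 'nginx advertises its version (server_tokens not off)',
    ok: ->(v, _) { v == 'off' || v == false } },
  { path: %w[allow_unprivileged_device_configuration], msg: 'non-admin users may edit all device fields',
    ok: ->(v, _) { v == false } }
].freeze

# Returns the list of findings; empty when the configuration passes every check.
def audit(ruby_source)
  tree = AttributeContext.new.load(ruby_source).default['firezone']
  effective = lambda do |path|
    v = lookup(tree, path)
    v == :unset ? DOCUMENTED_DEFAULTS.fetch(path) : v
  end
  cfg = Hash.new { |_, path| effective.call(path) }
  CHECKS.reject { |c| c[:ok].call(effective.call(c[:path]), cfg) }.map { |c| c[:msg] }
end

# Constructed sample: moves to an external PostgreSQL but keeps every other default.
WEAK_CONFIG = <<~RUBY
  default['firezone']['external_url'] = 'https://vpn.example.com'
  default['firezone']['postgresql']['enabled'] = false
  default['firezone']['database']['host'] = 'db.example.internal'
RUBY

# Constructed sample: the same deployment with each finding addressed.
HARDENED_CONFIG = WEAK_CONFIG + <<~RUBY
  default['firezone']['database']['password'] = 'example-only-not-a-real-secret'
  default['firezone']['database']['ssl'] = true
  default['firezone']['ssl']['protocols'] = 'TLSv1.2 TLSv1.3'
  default['firezone']['ssl']['acme']['enabled'] = true
  default['firezone']['nginx']['server_tokens'] = 'off'
  default['firezone']['allow_unprivileged_device_configuration'] = false
RUBY

if __FILE__ == $PROGRAM_NAME
  audit(WEAK_CONFIG).each { |finding| puts "WARN: #{finding}" }
  puts "hardened config findings: #{audit(HARDENED_CONFIG).size}"
end
```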
________________________________________________________________
Here you will find a list of files and directories related to the Firezone installation. These may change depending on changes in your configuration file.
path | description |
/var/opt/firezone | Top-level directory containing data and generated configuration for the bundled Firezone services. |
/opt/firezone | Top-level directory containing the built libraries, binaries and runtime files needed by Firezone. |
/usr/bin/firezone-ctl | The firezone-ctl utility for managing your Firezone installation. |
/etc/systemd/system/firezone-runsvdir-start.service | systemd unit file for starting the Firezone runsvdir supervisor process. |
/etc/firezone | Firezone configuration files. |
__________________________________________________________
The following nftables firewall template can be used to secure the server running Firezone. The template makes some assumptions; you may need to adjust the rules to suit your use case:
Firezone configures its own nftables rules to allow/deny traffic to the configured destinations and to handle outbound NAT for client traffic.
Applying the firewall template below on an already running server (not at boot time) will clear the Firezone rules. This may have security implications.
To work around this, restart the phoenix service:
firezone-ctl restart phoenix
#!/usr/sbin/nft -f

## Clear/flush all existing rules
flush ruleset

#################################### VARIABLES ####################################
## Internet/WAN interface name
define DEV_WAN = eth0

## WireGuard interface name
define DEV_WIREGUARD = wg-firezone

## WireGuard listen port
define WIREGUARD_PORT = 51820
################################## VARIABLES END ##################################

# Main inet family filtering table
table inet filter {

  # Rules for forwarded traffic
  # This chain is processed before the Firezone forward chain
  chain forward {
    type filter hook forward priority filter - 5; policy accept
  }

  # Rules for input traffic
  chain input {
    type filter hook input priority filter; policy drop

    ## Allow inbound traffic to the loopback interface
    iif lo \
      accept \
      comment "Allow all traffic in from the loopback interface"

    ## Allow established and related connections
    ct state established,related \
      accept \
      comment "Allow established and related connections"

    ## Allow inbound WireGuard traffic
    iif $DEV_WAN udp dport $WIREGUARD_PORT \
      counter \
      accept \
      comment "Allow inbound WireGuard traffic"

    ## Log and drop new TCP non-SYN packets
    tcp flags != syn ct state new \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - New !SYN: " \
      comment "Rate limit logging for new connections that do not have the SYN TCP flag set"
    tcp flags != syn ct state new \
      counter \
      drop \
      comment "Drop new connections that do not have the SYN TCP flag set"

    ## Log and drop TCP packets with the invalid fin/syn flag combination set
    tcp flags & (fin | syn) == (fin | syn) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - TCP FIN|SYN: " \
      comment "Rate limit logging for TCP packets with invalid fin/syn flag set"
    tcp flags & (fin | syn) == (fin | syn) \
      counter \
      drop \
      comment "Drop TCP packets with invalid fin/syn flag set"

    ## Log and drop TCP packets with the invalid syn/rst flag combination set
    tcp flags & (syn | rst) == (syn | rst) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - TCP SYN|RST: " \
      comment "Rate limit logging for TCP packets with invalid syn/rst flag set"
    tcp flags & (syn | rst) == (syn | rst) \
      counter \
      drop \
      comment "Drop TCP packets with invalid syn/rst flag set"

    ## Log and drop invalid TCP flags
    tcp flags & (fin | syn | rst | psh | ack | urg) < (fin) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - FIN: " \
      comment "Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) < (fin)"
    tcp flags & (fin | syn | rst | psh | ack | urg) < (fin) \
      counter \
      drop \
      comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) < (fin)"

    ## Log and drop invalid TCP flags
    tcp flags & (fin | syn | rst | psh | ack | urg) == (fin | psh | urg) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - FIN|PSH|URG: " \
      comment "Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"
    tcp flags & (fin | syn | rst | psh | ack | urg) == (fin | psh | urg) \
      counter \
      drop \
      comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"

    ## Drop traffic with an invalid connection state
    ct state invalid \
      limit rate 100/minute burst 150 packets \
      log flags all prefix "IN - Invalid: " \
      comment "Rate limit logging for traffic with invalid connection state"
    ct state invalid \
      counter \
      drop \
      comment "Drop traffic with invalid connection state"

    ## Allow IPv4 ping/ping responses but rate limit to 2000 PPS
    ip protocol icmp icmp type { echo-reply, echo-request } \
      limit rate 2000/second \
      counter \
      accept \
      comment "Allow inbound IPv4 echo (ping) limited to 2000 PPS"

    ## Allow all other inbound IPv4 ICMP
    ip protocol icmp \
      counter \
      accept \
      comment "Allow all other IPv4 ICMP"

    ## Allow IPv6 ping/ping responses but rate limit to 2000 PPS
    icmpv6 type { echo-reply, echo-request } \
      limit rate 2000/second \
      counter \
      accept \
      comment "Allow inbound IPv6 echo (ping) limited to 2000 PPS"

    ## Allow all other inbound IPv6 ICMP
    meta l4proto { icmpv6 } \
      counter \
      accept \
      comment "Allow all other IPv6 ICMP"

    ## Allow inbound traceroute UDP ports but limit to 500 PPS
    udp dport 33434-33524 \
      limit rate 500/second \
      counter \
      accept \
      comment "Allow inbound UDP traceroute limited to 500 PPS"

    ## Allow inbound SSH
    tcp dport ssh ct state new \
      counter \
      accept \
      comment "Allow inbound SSH connections"

    ## Allow inbound HTTP and HTTPS
    tcp dport { http, https } ct state new \
      counter \
      accept \
      comment "Allow inbound HTTP and HTTPS connections"

    ## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute
    ## The default policy will be applied to unmatched traffic
    limit rate 60/minute burst 100 packets \
      log prefix "IN - Drop: " \
      comment "Log any unmatched traffic"

    ## Count the unmatched traffic
    counter \
      comment "Count any unmatched traffic"
  }

  # Rules for output traffic
  chain output {
    type filter hook output priority filter; policy drop

    ## Allow outbound traffic to the loopback interface
    oif lo \
      accept \
      comment "Allow all traffic out to the loopback interface"

    ## Allow established and related connections
    ct state established,related \
      counter \
      accept \
      comment "Allow established and related connections"

    ## Allow outbound WireGuard traffic before dropping connections with invalid state
    oif $DEV_WAN udp sport $WIREGUARD_PORT \
      counter \
      accept \
      comment "Allow WireGuard outbound traffic"

    ## Drop traffic with an invalid connection state
    ct state invalid \
      limit rate 100/minute burst 150 packets \
      log flags all prefix "OUT - Invalid: " \
      comment "Rate limit logging for traffic with invalid connection state"
    ct state invalid \
      counter \
      drop \
      comment "Drop traffic with invalid connection state"

    ## Allow all other outbound IPv4 ICMP
    ip protocol icmp \
      counter \
      accept \
      comment "Allow all IPv4 ICMP types"

    ## Allow all other outbound IPv6 ICMP
    meta l4proto { icmpv6 } \
      counter \
      accept \
      comment "Allow all IPv6 ICMP types"

    ## Allow outbound traceroute UDP ports but limit to 500 PPS
    udp dport 33434-33524 \
      limit rate 500/second \
      counter \
      accept \
      comment "Allow outbound UDP traceroute limited to 500 PPS"

    ## Allow outbound HTTP and HTTPS connections
    tcp dport { http, https } ct state new \
      counter \
      accept \
      comment "Allow outbound HTTP and HTTPS connections"

    ## Allow outbound SMTP submission
    tcp dport submission ct state new \
      counter \
      accept \
      comment "Allow outbound SMTP submission"

    ## Allow outbound DNS requests
    udp dport 53 \
      counter \
      accept \
      comment "Allow outbound UDP DNS requests"
    tcp dport 53 \
      counter \
      accept \
      comment "Allow outbound TCP DNS requests"

    ## Allow outbound NTP requests
    udp dport 123 \
      counter \
      accept \
      comment "Allow outbound NTP requests"

    ## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute
    ## The default policy will be applied to unmatched traffic
    limit rate 60/minute burst 100 packets \
      log prefix "OUT - Drop: " \
      comment "Log any unmatched traffic"

    ## Count the unmatched traffic
    counter \
      comment "Count any unmatched traffic"
  }

}

# Main NAT filtering table
table inet nat {

  # Rules for NAT traffic pre-routing
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept
  }

  # Rules for NAT traffic post-routing
  # This chain is processed before the Firezone post-routing chain
  chain postrouting {
    type nat hook postrouting priority srcnat - 5; policy accept
  }

}
The firewall should be saved to the location appropriate for the Linux distribution being run. For Debian/Ubuntu this is /etc/nftables.conf and for RHEL this is /etc/sysconfig/nftables.conf.
nftables.service will need to be configured to start on boot (if it is not already); to do so, run:
systemctl enable nftables.service
If you make any changes to the firewall template, the syntax can be validated by running the check command:
nft -f /path/to/nftables.conf -c
Make sure to validate that the firewall works as expected, because certain nftables features may not be available depending on the release running on the server.
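As an added example, not part of the template or of Firezone, here is a Ruby pre-flight checker for an nftables file that verifies the assumptions stated above before `nft -f` applies it: that the forward chain runs before the `filter` base priority and the postrouting chain before `srcnat` (the template's comments imply Firezone's own chains sit at those base priorities; that is an assumption here), that the WireGuard port is accepted on the WAN interface, and that `flush ruleset` is flagged because it clears Firezone's rules on a running server. The function names and the trimmed sample template are constructed for this example.

```ruby
# Added example, not part of Firezone or of the template above: a pre-flight
# checker for the ordering and port assumptions the nftables template relies on.

# Base priorities nft accepts by name in the inet family.
NFT_PRIORITY_NAMES = {
  'raw' => -300, 'mangle' => -150, 'dstnat' => -100,
  'filter' => 0, 'security' => 50, 'srcnat' => 100
}.freeze

# Evaluate a priority expression such as "filter - 5", "srcnat - 5" or "10".
def nft_priority(expr)
  tokens = expr.strip.split(/\s*([+-])\s*/)
  tokens.shift if tokens.first == '' # leading sign, e.g. "-5"
  value = 0
  sign = 1
  tokens.each do |tok|
    case tok
    when '+' then sign = 1
    when '-' then sign = -1
    else
      value += sign * (NFT_PRIORITY_NAMES[tok] || Integer(tok))
      sign = 1
    end
  end
  value
end

# Join backslash-continued rule lines and substitute $VARIABLE references
# from the file's own `define` statements.
def normalize_nft(text)
  defines = text.scan(/^\s*define\s+(\w+)\s*=\s*(\S+)/).to_h
  joined = text.gsub(/\\\s*\n\s*/, ' ')
  joined.gsub(/\$(\w+)/) { defines.fetch($1, '$' + $1) }
end

# Returns findings for the given nftables source; empty means the assumptions hold.
# wan_if and wg_port default to the template's values (eth0, 51820).
def check_nft_template(text, wan_if: 'eth0', wg_port: 51820)
  findings = []
  src = normalize_nft(text)

  if src =~ /^\s*flush ruleset\b/
    findings << 'flush ruleset present: applying this file on a running server ' \
                'clears the Firezone chains (restart phoenix afterwards)'
  end

  # hook => [chain name, numeric priority] for every base chain in the file
  chains = src.scan(/chain\s+(\w+)\s*\{\s*type\s+\w+\s+hook\s+(\w+)\s+priority\s+([^;]+);/)
              .map { |name, hook, prio| [hook, [name, nft_priority(prio)]] }.to_h

  { 'forward' => 'filter', 'postrouting' => 'srcnat' }.each do |hook, base|
    name, prio = chains[hook]
    next if prio.nil? || prio < NFT_PRIORITY_NAMES[base]
    findings << "#{hook} chain '#{name}' has priority #{prio}, not below #{base} " \
                "(#{NFT_PRIORITY_NAMES[base]}): it would run after Firezone's #{hook} chain"
  end

  wg_rule = /iif\s+#{Regexp.escape(wan_if)}\s+udp\s+dport\s+#{wg_port}\b[^\n]*\baccept\b/
  unless src =~ wg_rule
    findings << "no accept rule for WireGuard UDP/#{wg_port} on #{wan_if}: clients could not connect"
  end
  findings
end

# Constructed sample: a trimmed version of the template above with the same
# defines, chain priorities and WireGuard rule.
SAMPLE_TEMPLATE = <<~'NFT'
  #!/usr/sbin/nft -f
  flush ruleset
  define DEV_WAN = eth0
  define WIREGUARD_PORT = 51820
  table inet filter {
    chain forward {
      type filter hook forward priority filter - 5; policy accept
    }
    chain input {
      type filter hook input priority filter; policy drop
      iif lo accept comment "loopback"
      iif $DEV_WAN udp dport $WIREGUARD_PORT \
        counter \
        accept \
        comment "Allow inbound WireGuard traffic"
    }
  }
  table inet nat {
    chain postrouting {
      type nat hook postrouting priority srcnat - 5; policy accept
    }
  }
NFT

# Constructed variant: no flush, but the forward chain moved after Firezone's.
BROKEN_TEMPLATE = SAMPLE_TEMPLATE.sub('priority filter - 5', 'priority filter + 5')
                                 .sub(/^flush ruleset\n/, '')

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_TEMPLATE, BROKEN_TEMPLATE].each do |tpl|
    check_nft_template(tpl).each { |f| puts "WARN: #{f}" }
  end
end
```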
_______________________________________________________________
This document presents an overview of the telemetry Firezone collects from your self-hosted instance and how to disable it.
Firezone relies on telemetry to prioritize our roadmap and optimize the engineering resources we have to make Firezone better for everyone.
The telemetry we collect aims to answer the following questions:
There are three main places where telemetry is collected in Firezone:
In each of these three contexts, we capture the minimum amount of data necessary to answer the questions in the section above.
The admin email is collected only if you explicitly opt in to product updates. Otherwise, personally identifiable information is never collected.
Firezone stores telemetry in a self-hosted instance of PostHog running in a private Kubernetes cluster, accessible only to the Firezone team. Here is an example of a telemetry event that is sent from your instance of Firezone to our telemetry server:
{
  "id": "0182272d-0b88-0000-d419-7b9a413713f1",
  "timestamp": "2022-07-22T18:30:39.748000+00:00",
  "event": "fz_http_started",
  "distinct_id": "1ec2e794-1c3e-43fc-a78f-1db6d1a37f54",
  "properties": {
    "$geoip_city_name": "Ashburn",
    "$geoip_continent_code": "NA",
    "$geoip_continent_name": "North America",
    "$geoip_country_code": "US",
    "$geoip_country_name": "United States",
    "$geoip_latitude": 39.0469,
    "$geoip_longitude": -77.4903,
    "$geoip_postal_code": "20149",
    "$geoip_subdivision_1_code": "VA",
    "$geoip_subdivision_1_name": "Virginia",
    "$geoip_time_zone": "America/New_York",
    "$ip": "52.200.241.107",
    "$plugins_deferred": [],
    "$plugins_failed": [],
    "$plugins_succeeded": [
      "GeoIP (3)"
    ],
    "distinct_id": "1zc2e794-1c3e-43fc-a78f-1db6d1a37f54",
    "fqdn": "awsdemo.firezone.dev",
    "kernel_version": "Linux 5.13.0",
    "version": "0.4.6"
  },
  "elements_chain": ""
}
Disabling telemetry
The Firezone development team relies on product analytics to make Firezone better for everyone. Leaving telemetry enabled is the single most valuable contribution you can make to Firezone's development. That said, we understand that some users have higher privacy or security requirements and would prefer to disable telemetry altogether. If that is you, keep reading.
Telemetry is enabled by default. To completely disable product telemetry, set the following configuration option to false in /etc/firezone/firezone.rb and run sudo firezone-ctl reconfigure to pick up the change.
default['firezone']['telemetry']['enabled'] = false
This will completely disable all product telemetry.