net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
Category: Research and development
FastCGI vs suPHP vs CGI vs mod_php (DSO)
Attribute | mod_php | CGI | suPHP | FastCGI |
---|---|---|---|---|
Memory usage | Low | Low | Low | High |
CPU usage | Low | High | High | Low |
Security | Low | Low | High | High |
Run as file owner | No | No | Yes | Yes |
Overall Performance | Fast | Slow | Slow | Fast |
Secure SSH with Yubikey
- Install OpenSSH
ssh-keygen -t ed25519-sk -O resident -O verify-required -C "Your Comment"
-t : Specifies the type of key to create. We are using ed25519-sk
-O : Specifies a key/value option (capital letter O, not zero).
resident : Indicates that the key handle should be stored on the FIDO authenticator itself.
verify-required : Indicates that this private key should require user verification (e.g. a PIN) for each signature.
- Copy public key
ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub user@host
- And finally update SSH server
# Support public key cryptography (includes FIDO2)
PubkeyAuthentication yes
# Enforce User Verification
# NOTE(review): per sshd_config(5), verify-required only applies to FIDO key
# types (ecdsa-sk / ed25519-sk) and has no effect on other public key types.
# A plain ed25519 or RSA key listed in authorized_keys is therefore still
# accepted without the token. Restrict PubkeyAcceptedAlgorithms to the -sk
# algorithms if hardware-backed keys must be mandatory.
PubkeyAuthOptions verify-required
# Public keys location
AuthorizedKeysFile .ssh/authorized_keys
# Root may log in, but not with password or keyboard-interactive
# authentication; public-key login (here: the FIDO key) remains allowed.
PermitRootLogin prohibit-password
# Disable password authentication
# NOTE(review): keyboard-interactive (PAM) authentication is a separate
# switch; confirm KbdInteractiveAuthentication is also "no" on this host.
PasswordAuthentication no
PermitEmptyPasswords no
How to install Speedtest – Tracker on Synology NAS
Laravel – Difference between instance vs bind
use ->bind()
when you want to provide just an FQCN (fully-qualified class name), or a factory closure, to instruct the container on how to lazily build an instance only when needed.
use ->instance()
when you already have a constructed instance and want to instruct the container to provide that particular instance when required.
Simple Bindings
We can register a binding using the bind method, passing the class or interface name that we wish to register along with a closure that returns an instance of the class
Binding Instances
You may also bind an existing object instance into the container using the instance method. The given instance will always be returned on subsequent calls into the container
How to create Ubuntu system user without home directory
sudo groupadd --system prometheus
sudo useradd -s /sbin/nologin --no-create-home --system -g prometheus prometheus
Grafana – Install Loki
A Loki-based logging stack consists of 3 components:
- Promtail is the agent, responsible for gathering logs and sending them to Loki.
- Loki is the main server, responsible for storing logs and processing queries.
- Grafana for querying and displaying the logs.
- Download Loki
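# Fetch the pinned release archive.
wget https://github.com/grafana/loki/releases/download/v2.9.8/loki-linux-amd64.zip
# Print the archive's SHA-256 and compare it with the checksum published
# alongside the v2.9.8 release before running anything from it.
sha256sum loki-linux-amd64.zip
# The download is a zip archive; the binary has to be extracted first.
unzip loki-linux-amd64.zip
# Install the binary root-owned and executable (replaces chmod + cp).
sudo install -o root -g root -m 0755 loki-linux-amd64 /usr/local/bin/loki
loki --version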
- Create Systemd service
sudo nano /etc/systemd/system/loki.service
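[Unit]
Description=Loki is a log aggregation system designed to store and query logs from all your applications and infrastructure.
# "Documentation=" is the systemd key name; "Document=" is not a recognised key.
Documentation=https://github.com/grafana/loki/releases
After=network.target

[Service]
# NOTE(review): no User=/Group= is set, so Loki runs as root. Create a
# dedicated system account that owns /mnt/data/loki and name it here with
# User= and Group= so that a flaw in the service does not yield root.
Type=simple
ExecStart=/usr/local/bin/loki -config.file /mnt/data/loki/loki-config.yaml
Restart=on-failure
RestartSec=10
# stdout and stderr are both appended to the same log file.
StandardOutput=append:/mnt/data/loki/logs/loki.log
StandardError=append:/mnt/data/loki/logs/loki.log

[Install]
WantedBy=multi-user.target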
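# This is a complete configuration to deploy Loki backed by the filesystem.
# The index will be shipped to the storage via tsdb-shipper.
#
# NOTE(review): the page lost all indentation, which YAML needs; the nesting
# below is restored to match Loki's configuration schema. Verify it against
# the reference for your Loki version.

# NOTE(review): Loki does not authenticate clients itself. With
# auth_enabled: false it also runs single-tenant, so anything that can reach
# the HTTP port can push and query logs. Limit access with a firewall or an
# authenticating reverse proxy.
auth_enabled: false

server:
  # No http_listen_address is set, so the listener is presumably not limited
  # to loopback; confirm and restrict if only local clients need it.
  http_listen_port: 3100

common:
  ring:
    instance_addr: 127.0.0.1
    kvstore:
      store: inmemory
  replication_factor: 1
  path_prefix: /mnt/data/loki
  storage:
    filesystem:
      chunks_directory: /mnt/data/loki/chunks
      rules_directory: /mnt/data/loki/rules

schema_config:
  configs:
    - from: 2020-05-15
      store: tsdb
      object_store: filesystem
      schema: v13
      index:
        prefix: index_
        period: 24h

storage_config:
  filesystem:
    directory: /mnt/data/loki/chunks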
Grafana – Monitor các thiết bị
Ở các bài trước ta đã setup được cơ bản server cho web hosting, gatekeeper. Vậy post này ta setup Grafana trên `gatekeeper` để monitor các server(s).
Đầu tiên là install Grafana . Cái này quite simple chỉ cần follow up guide trên website của hãng là okay. By default Grafana sử dụng port 3000
Sau đó install Prometheus
- Setup Group & User
sudo groupadd prometheus
sudo useradd -s /sbin/nologin --system -g prometheus prometheus
- Setup các directories cần thiết
sudo mkdir /etc/prometheus
sudo mkdir /var/lib/prometheus
Directory `/var/lib/prometheus` sẽ dùng chứa data do đó suggest store trên HDD thay vì SSD chính để bảo toàn tuổi thọ cho SSD, cũng như không làm ảnh hưởng performance của SSD cho các việc khác liên quan tới OS.
Do đó trong case này mình chuyển về /mnt/data
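sudo mkdir -p /mnt/data/prometheus
# The service runs as the prometheus user and writes its TSDB here; a
# directory created by sudo is root-owned and would not be writable by it.
sudo chown prometheus:prometheus /mnt/data/prometheus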
Latest version hiện tại là 2.52.02 / 2024-05-07
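# Work in a fresh private directory rather than a predictable path under /tmp.
cd "$(mktemp -d)"
# Download the linux-amd64 tarball of the latest release together with the
# release's sha256sums.txt.
curl -s https://api.github.com/repos/prometheus/prometheus/releases/latest \
  | grep browser_download_url \
  | grep -e linux-amd64 -e sha256sums.txt \
  | cut -d '"' -f 4 \
  | wget -qi -
# Unpack only if the tarball matches its published checksum; this detects a
# corrupted or swapped download.
sha256sum -c --ignore-missing sha256sums.txt && tar xvf prometheus*.tar.gz
cd prometheus*/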
Tiếp theo là cd vào directory vừa unzip ra và move binaries về `/usr/local/bin`
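# Keep the binaries owned by root. The prometheus service account only needs
# to execute them; if it owned them, a compromised service could replace its
# own executable.
sudo install -o root -g root -m 0755 prometheus promtool /usr/local/bin/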
Sau đó tạo file config ( ở directory song song với data )
sudo mv consoles /etc/prometheus
sudo mv console_libraries /etc/prometheus
sudo mv prometheus.yml /etc/prometheus
- Tạo Systemd Service
[Unit]
Description=Power your metrics and alerting with the leading open-source monitoring solution
Documentation=https://prometheus.io/
Wants=network-online.target
After=network-online.target
[Service]
# Run as the unprivileged prometheus account rather than root.
User=prometheus
Group=prometheus
Type=simple
Restart=on-failure
RestartSec=5s
# NOTE(review): --web.enable-lifecycle turns on the HTTP reload/shutdown
# endpoints, and --web.listen-address=0.0.0.0:9090 binds every interface, so
# any host that can reach port 9090 can reload or stop the server. Prometheus
# does not authenticate requests unless a --web.config.file with TLS or
# basic auth is supplied. Bind to 127.0.0.1 or firewall the port if the
# lifecycle flag is needed, or drop the flag.
ExecStart=/usr/local/bin/prometheus \
--config.file=/etc/prometheus/prometheus.yml \
--storage.tsdb.path=/mnt/data/prometheus/ \
--web.console.templates=/etc/prometheus/consoles \
--web.console.libraries=/etc/prometheus/console_libraries \
--web.listen-address=0.0.0.0:9090 \
--web.enable-lifecycle \
--log.level=info
[Install]
WantedBy=multi-user.target
https://prometheus.io/docs/prometheus/latest/command-line/prometheus
Chú ý thay đổi path phù hợp
Enable service khi boot và start
sudo systemctl daemon-reload
sudo systemctl enable prometheus.service
sudo systemctl start prometheus.service
sudo systemctl status prometheus.service
Như vậy là xong. Prometheus sẽ chạy ở port 9090
Thực tế https://prometheus.jooservices.com
Ở các bài tiếp theo sẽ setup tiếp các exporters / loki
HAProxy server
Ở bài trước mình đã có 1 con server selfhosted
dành cho web server. Tuy nhiên homelab này mình sẽ có nhiều server do đó sẽ cần 1 em đóng vai trò gateway
( cũng như monitoring
)
- i5-8700
- 32GB RAM – 2666Mhz
- SSD NVme Gen3 x4 : 256GB
- HDD Sata : 1TB
- Ubuntu server 20.04 ( Focal Fossa )
- OpenSSH
- Static IP : 192.168.1.5
- Hostname : gatekeeper
Sau khi setup xong Ubuntu server như ở bài trước ( không cần Virtualmin ) thì ở server này sẽ cần HAProxy
HAProxy is a free, very fast and reliable reverse-proxy offering high availability, load balancing, and proxying for TCP and HTTP-based applications.
Mục đích sử dụng HAProxy để forward request về các servers / services cần thiết. Ví dụ
- https://selfhosted.jooservices.com/ sẽ được forward về Virtualmin ( port 10000 ) ở server `selfhosted` ta vừa installed trước.
- https://jooservices.com sẽ forward về port 443 ( SSL ) của Virtualmin và load website
Cấu hình HAProxy
# HAProxy Stats
# NOTE(review): the listener binds every interface (*:1936) and has no
# "stats auth" or ACL, so the stats page and the /metrics exporter are
# readable by any host that can reach the port. Bind it to a management
# address or add authentication before exposing it.
listen stats
bind *:1936
log global
maxconn 10
stats enable
stats show-node
# Serve the built-in Prometheus exporter on /metrics of this same listener.
http-request use-service prometheus-exporter if { path /metrics }
stats uri /stats
Bật HAProxy stats để quản lý
Tạm gác qua Sentry & Grafana ta sẽ nói sau. Thì ta có FE SSL cho các services
- cnmatrix.jooservices.com : Trỏ về Core switch port 443
- gatekeeper.jooservices.com : Trỏ về con server này với Webmin ( không phải Virtualmin ) trên port 10000
- jooservices.com && xcrawler.net cùng nằm trên
selfhosted
server với port 443
Và sau đó là config BE để forward về server / port tương ứng với từng FE
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# Newly added timeouts
timeout http-request 10s
timeout http-keep-alive 2s
timeout queue 5s
timeout tunnel 2m
timeout client-fin 1s
timeout server-fin 1s
# Caching
cache hosting
total-max-size 4095 # MB
max-object-size 10000 # bytes
max-age 3600 # seconds
cache general
total-max-size 4095 # MB
max-object-size 10000 # bytes
max-age 3600 # seconds
# HAProxy Stats
# NOTE(review): the listener binds every interface (*:1936) and has no
# "stats auth" or ACL, so the stats page and the /metrics exporter are
# readable by any host that can reach the port.
listen stats
bind *:1936
log global
maxconn 10
stats enable
stats show-node
# Serve the built-in Prometheus exporter on /metrics of this same listener.
http-request use-service prometheus-exporter if { path /metrics }
stats uri /stats
# NOTE(review): no rule visible in this configuration references this
# userlist, so as written it protects nothing. "insecure-password" keeps the
# password in clear text in this file; the userlist "password" keyword takes
# a hashed value instead.
userlist basic_auth_logins
user <username> insecure-password <password>
# Frontend HTTP
# NOTE(review): this frontend serves Grafana over plain HTTP on port 80, so
# logins and session cookies cross the network unencrypted. Consider
# terminating TLS for these hosts or redirecting them to HTTPS.
frontend http
bind :80
mode http
compression algo gzip
# Route by Host header (case-insensitive match).
acl acl_grafana hdr(host) -i grafana.jooservices.com
acl acl_sentry hdr(host) -i sentry.jooservices.com
# Only acl_grafana is routed here; acl_sentry has no use_backend rule in this
# frontend. With default_backend commented out, any other host gets HAProxy's
# 503 response.
use_backend be_grafana if acl_grafana
#default_backend be_http
backend be_grafana
mode http
balance roundrobin
server gatekeeper 192.168.1.5:3000 check
backend be_sentry
mode http
balance roundrobin
server gitlab 192.168.1.5:9000 check
## Frontend SSL
frontend ssl
bind :443
mode tcp
option tcplog
# Wait for a client hello for at most 5 seconds
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
## 192.168.1.2
use_backend be_ssl_cnmatrix if { req_ssl_sni -i cnmatrix.jooservices.com }
## 192.168.1.3
# use_backend be_ssl_unifi if { req_ssl_sni -i unifi.jooservices.com }
## 192.168.1.5
# NOTE(review): "-m end" is a suffix match with no leading dot, so any SNI
# that merely ends in this string (constructed example:
# xgatekeeper.jooservices.com) is also sent to the Webmin backend. The
# neighbouring rules use an exact "-i" match; use that here unless subdomains
# are intended, in which case anchor the suffix with a leading dot.
use_backend be_ssl_webmin_gatekeeper if { req_ssl_sni -m end gatekeeper.jooservices.com }
## 192.168.1.6
use_backend be_ssl_selfhosted if { req_ssl_sni -i jooservices.com }
use_backend be_ssl_virtualmin_selfhosted if { req_ssl_sni -m end selfhosted.jooservices.com }
#### XCrawler
use_backend be_ssl_selfhosted if { req_ssl_sni -i xcrawler.net }
use_backend be_ssl_selfhosted if { req_ssl_sni -m end .xcrawler.net }
## 192.168.1.8
use_backend be_ssl_nas if { req_ssl_sni -i nas.jooservices.com }
## 192.168.1.10
#use_backend be_ssl_esxi if { req_ssl_sni -i esxi.jooservices.com }
## 192.168.1.24
#use_backend be_ssl_gitlab if { req_ssl_sni -i gitlab.jooservices.com }
## Virtualmin / Webmin
#use_backend be_ssl_hosting_virtualmin if { req_ssl_sni -i virtualmin.jooservices.com }
#use_backend be_ssl_gatekeeper_webmin if { req_ssl_sni -i gatekeeper.jooservices.com }
#use_backend be_ssl_smb_webmin if { req_ssl_sni -i smb.jooservices.com }
## Hosting
## 192.168.1.20
#use_backend be_ssl_hosting if { req_ssl_sni -i jooservices.com }
## XCrawler
## 192.168.1.30
#use_backend be_ssl_xcrawler if { req_ssl_sni -i xcrawler.net }
#use_backend be_ssl_xcrawler if { req_ssl_sni -m end .xcrawler.net }
#default_backend be_ssl_hosting
## Backend SSL
### CnMatrix
backend be_ssl_cnmatrix
mode tcp
balance roundrobin
server cnmatrix 192.168.1.2:443 check
### Gatekeeper
backend be_ssl_webmin_gatekeeper
mode tcp
balance roundrobin
server selfhosted 192.168.1.5:10000 check
### NAS
backend be_ssl_nas
mode tcp
balance roundrobin
server nas 192.168.1.8:443 check
## Selfhosted
backend be_ssl_selfhosted
mode tcp
balance roundrobin
server selfhosted 192.168.1.6:443 check
backend be_ssl_virtualmin_selfhosted
mode tcp
balance roundrobin
server selfhosted 192.168.1.6:10000 check
My HAProxy configuration
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# Newly added timeouts
timeout http-request 10s
timeout http-keep-alive 2s
timeout queue 5s
timeout tunnel 2m
timeout client-fin 1s
timeout server-fin 1s
# Caching
cache hosting
total-max-size 4095 # MB
max-object-size 10000 # bytes
max-age 3600 # seconds
cache general
total-max-size 4095 # MB
max-object-size 10000 # bytes
max-age 3600 # seconds
# HAProxy Stats
# NOTE(review): the listener binds every interface (*:1936) and has no
# "stats auth" or ACL, so the stats page and the /metrics exporter are
# readable by any host that can reach the port.
listen stats
bind *:1936
log global
maxconn 10
stats enable
stats show-node
# Serve the built-in Prometheus exporter on /metrics of this same listener.
http-request use-service prometheus-exporter if { path /metrics }
stats uri /stats
# NOTE(review): no rule visible in this configuration references this
# userlist, so as written it protects nothing. "insecure-password" keeps the
# password in clear text in this file; the userlist "password" keyword takes
# a hashed value instead.
userlist basic_auth_logins
user <your_username_here> insecure-password <your_password_here>
# Frontend HTTP
# NOTE(review): Sentry and Grafana are served over plain HTTP on port 80, so
# logins and session cookies cross the network unencrypted. Consider
# terminating TLS for these hosts or redirecting them to HTTPS.
frontend http
bind :80
mode http
compression algo gzip
# Route by Host header (case-insensitive match).
acl acl_sentry hdr(host) -i sentry.jooservices.com
acl acl_grafana hdr(host) -i grafana.jooservices.com
use_backend be_sentry if acl_sentry
use_backend be_grafana if acl_grafana
# With default_backend commented out, any other host gets HAProxy's 503
# response.
#default_backend be_http
backend be_sentry
mode http
balance roundrobin
server gitlab 192.168.1.12:9000 check
backend be_grafana
mode http
balance roundrobin
server gitlab 192.168.1.12:3000 check
## Frontend SSL
frontend ssl
bind :443
mode tcp
option tcplog
# Wait for a client hello for at most 5 seconds
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
## 192.168.1.2
use_backend be_ssl_cnmatrix if { req_ssl_sni -i cnmatrix.jooservices.com }
## 192.168.1.3
# use_backend be_ssl_unifi if { req_ssl_sni -i unifi.jooservices.com }
## 192.168.1.8
use_backend be_ssl_nas if { req_ssl_sni -i nas.jooservices.com }
## 192.168.1.10
use_backend be_ssl_esxi if { req_ssl_sni -i esxi.jooservices.com }
## 192.168.1.24
use_backend be_ssl_gitlab if { req_ssl_sni -i gitlab.jooservices.com }
## Virtualmin / Webmin
use_backend be_ssl_hosting_virtualmin if { req_ssl_sni -i virtualmin.jooservices.com }
use_backend be_ssl_gatekeeper_webmin if { req_ssl_sni -i gatekeeper.jooservices.com }
use_backend be_ssl_smb_webmin if { req_ssl_sni -i smb.jooservices.com }
## Hosting
## 192.168.1.20
use_backend be_ssl_hosting if { req_ssl_sni -i jooservices.com }
# NOTE(review): "-m end" is a suffix match. The patterns without a leading
# dot (tpbeauty.art, baristaschool.vn, phongcachxanh.vn) also match any
# longer name that merely ends in that string (constructed example:
# xtpbeauty.art). Use an exact match for the apex name plus a dot-prefixed
# suffix for its subdomains, as done for .baristaschool.vn and .xcrawler.net.
use_backend be_ssl_hosting if { req_ssl_sni -m end tpbeauty.art baristaschool.vn .baristaschool.vn phongcachxanh.vn }
#use_backend be_ssl_develop if { req_ssl_sni -m end coffeeschool.vn .coffeeschool.vn }
## XCrawler
## 192.168.1.30
use_backend be_ssl_xcrawler if { req_ssl_sni -i xcrawler.net }
use_backend be_ssl_xcrawler if { req_ssl_sni -m end .xcrawler.net }
# Any connection whose SNI matched none of the rules above (including one
# with no SNI at all) is passed through to the hosting server.
default_backend be_ssl_hosting
### CnMatrix
backend be_ssl_cnmatrix
mode tcp
balance roundrobin
server cnmatrix 192.168.1.2:443 check
### Unifi
#backend be_ssl_unifi
# mode tcp
# balance roundrobin
# server gatekeeper 192.168.1.3:443 check
# BEGIN Monitor
# END Monitor
# NAS
backend be_ssl_nas
mode tcp
balance roundrobin
server smb 192.168.1.8:443 check
### BEGIN ESXi
#### Gatekeeper
backend be_ssl_gatekeeper_webmin
mode tcp
balance roundrobin
server gatekeeper 192.168.1.9:10000 check
#### ESXi
backend be_ssl_esxi
mode tcp
balance roundrobin
server esxi 192.168.1.10:443 check
#### BEGIN Hosting
backend be_ssl_hosting_virtualmin
mode tcp
balance roundrobin
server hosting 192.168.1.20:10000 check
backend be_ssl_hosting
mode tcp
balance roundrobin
server hosting 192.168.1.20:443 check
#backend be_ssl_develop
# mode tcp
# balance roundrobin
# server develop 192.168.1.12:443 check
backend be_ssl_smb_webmin
mode tcp
balance roundrobin
server smb 192.168.1.14:10000 check
backend be_ssl_gitlab
mode tcp
balance roundrobin
server hosting 192.168.1.24:443 check
# END Hosting
# BEGIN XCrawler
backend be_ssl_xcrawler
mode tcp
balance roundrobin
server xcrawler 192.168.1.13:443 check
# END XCrawler