Nginx

Nginx with Client Certificate

NGINX with Client Certificates

root@debian:/etc/nginx/sites-available#
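server {
  listen 80;
  listen [::]:80;

  server_name host198.planet;

  access_log /var/log/nginx/host198.planet;

  # Do not serve the document root over plain HTTP: the client-certificate
  # check exists only in the TLS server for this name, so serving
  # /var/www/host198.planet here as well would hand the same files to any
  # client without a certificate. Send every request to the 443 vhost instead.
  location / {
    return 301 https://$host$request_uri;
  }
}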

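server {
  listen 443 ssl;
  listen [::]:443 ssl;

  server_name host198.planet;
  root /var/www/host198.planet;

  ssl_certificate /etc/ssl/private/fullchain.crt;
  ssl_certificate_key /etc/ssl/private/host198.planet.key;

  # TLSv1.1 is deprecated (RFC 8996); offer only 1.2 and 1.3. The TLSv1.3
  # token needs nginx 1.13+ built against OpenSSL 1.1.1 — drop it on older builds.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers HIGH:!aNULL:!MD5;

  # CA that issued the client certificates. "optional" completes the
  # handshake whether or not a certificate is presented and records the
  # result in $ssl_client_verify, so the access decision is made per location.
  ssl_client_certificate /etc/ssl/private/ca.crt;
  ssl_verify_client optional;

  access_log /var/log/nginx/host198.planet;
  index index.html;

  location / {
    # Reject requests without a successfully verified client certificate.
    # Because verification is "optional", this check is the only gate:
    # every additional location must repeat it, or switch to
    # "ssl_verify_client on" to reject at the handshake for the whole server.
    if ($ssl_client_verify != SUCCESS) {
      return 403;
    }
  }
}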


BasicAuthentication with Nginx

NOT YET WORKING … (note that `auth_basic_user_file conf/htpasswd` in the config below and the `/etc/apache2/.htpasswd` file created with htpasswd do not refer to the same file)

Install NGINX

# OpenBSD: install the package, then enable the rc service and (re)start it.
pkg_add -v nginx

rcctl enable nginx
rcctl restart nginx

Enable BasicAuth

server {
    ...
    # Require HTTP Basic authentication for the whole server; the string is
    # the realm shown in the browser's login prompt.
    auth_basic           "Administrator’s Area";
    # Credentials file. A relative path is resolved against nginx's prefix
    # directory, not against /etc/apache2 — NOTE(review): the htpasswd step
    # below writes /etc/apache2/.htpasswd, which this directive does not read.
    auth_basic_user_file conf/htpasswd;

    # Exempt everything under /public/ from the server-wide requirement.
    location /public/ {
        auth_basic off;
    }
}

Create File and User

htpasswd -c /etc/apache2/.htpasswd user1

Restart Service

rcctl restart nginx

Source

https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/



Netbox

How to Install Netbox on Debian 10.1

URL: https://github.com/netbox-community/netbox

install postgresql

# "sudo" is installed for the "sudo -u postgres psql" step below.
apt-get install -y postgresql libpq-dev sudo
# Start the version-11 cluster. NOTE(review): the psql banner in the
# transcript below reports 9.4.5, which does not match this cluster —
# it was probably captured on another host.
pg_ctlcluster 11 main start

create database

# sudo -u postgres psql
psql (9.4.5)
Type "help" for help.

postgres=# CREATE DATABASE netbox;
CREATE DATABASE
postgres=# CREATE USER netbox WITH PASSWORD 'streng-geheim-und-so';
CREATE ROLE
postgres=# GRANT ALL PRIVILEGES ON DATABASE netbox TO netbox;
GRANT
postgres=# \q

psql -U netbox -W -h localhost netbox
streng-geheim-und-so
netbox=> quit

install application

apt-get install -y python3 python3-pip python3-dev build-essential libxml2-dev libxslt1-dev libffi-dev graphviz libpq-dev libssl-dev redis-server zlib1g-dev git

install a release (we skip that)

# wget https://github.com/netbox-community/netbox/archive/vX.Y.Z.tar.gz
# tar -xzf vX.Y.Z.tar.gz -C /opt
# cd /opt/
# ln -s netbox-X.Y.Z/ netbox
# cd /opt/netbox/

install via github

# Unpinned checkout of the current master branch (the commented-out release
# tarball above is the reproducible alternative). The trailing "." clones
# straight into the directory just created.
mkdir -p /opt/netbox/ && cd /opt/netbox/
git clone -b master https://github.com/netbox-community/netbox.git .

set permission

# NOTE(review): no "netbox" account is created anywhere in these notes, and
# the gunicorn/supervisor entries below run as www-data — confirm which
# account actually needs to write to media/.
chown -R netbox:netbox /opt/netbox/netbox/media/

install python packages

# Run from /opt/netbox, where requirements.txt sits at the checkout root.
# Packages go into the system Python; no virtualenv is used in these notes.
pip3 install -r requirements.txt
pip3 install napalm

configure netbox

# Relative to /opt/netbox: the settings module lives in netbox/netbox/.
cd netbox/netbox/
cp configuration.example.py configuration.py

vim configuration.py
#ALLOWED_HOSTS = ['netbox.example.com', '192.0.2.123']
# '*' disables Django's Host-header check, so any name reaches the app. The
# commented example above shows the restricted form; the nginx site below
# uses server_name netbox.example.com.
ALLOWED_HOSTS: list[str] = ['*']

# Connection settings for the database and role created in the psql session above.
DATABASE: dict[str, str] = {
    'NAME': 'netbox',                   # Database name
    'USER': 'netbox',                   # PostgreSQL username
    'PASSWORD': 'streng-geheim-und-so', # PostgreSQL password (must match CREATE USER above)
    'HOST': 'localhost',                # Database server
    'PORT': '',                         # Database port (leave blank for default)
}

# Example value only: replace it with the output of generate_secret_key.py
# (next step) before running the service, and keep configuration.py readable
# by the service account only.
SECRET_KEY: str = 'a+V4_H@O0U9GYz#E(IB5csp8CJNide^lMyZgj)1rqRLf*&WSQ$'

generate secret key

netbox/generate_secret_key.py

database migration

cd /opt/netbox/netbox/
# Creates the schema in the "netbox" database named in configuration.py.
python3 manage.py migrate
Operations to perform:
  Apply all migrations: dcim, sessions, admin, ipam, utilities, auth, circuits, contenttypes, extras, secrets, users
Running migrations:
  Rendering model states... DONE
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  Applying admin.0001_initial... OK
  ...

create superuser

# python3 manage.py createsuperuser
Username: admin
Email address: mail@gott.welt
Password: 12345678
Password (again): 12345678
Superuser created successfully.

Collect Static Files

python3 manage.py collectstatic --no-input

You have requested to collect static files at the destination
location as specified in your settings:

    /opt/netbox/netbox/static

This will overwrite existing files!
Are you sure you want to do this?

Type 'yes' to continue, or 'no' to cancel: yes

Load Initial Data (Optional)

python3 manage.py loaddata initial_data

Test the Application

# Smoke test only: "--insecure" makes the Django development server serve
# static files even with DEBUG off, and 0.0.0.0 exposes it on every
# interface. Stop it afterwards; production traffic goes through the
# nginx + gunicorn setup below.
python3 manage.py runserver 0.0.0.0:8000 --insecure
Performing system checks...

System check identified no issues (0 silenced).
November 28, 2018 - 09:33:45
Django version 2.0.9, using settings 'netbox.settings'
Starting development server at http://0.0.0.0:8000/
Quit the server with CONTROL-C.

install nginx

apt-get install -y nginx

vim /etc/nginx/sites-available/netbox
server {
    # Plain HTTP only; no TLS is configured here, so the X-Forwarded-Proto
    # value passed below is always "http".
    listen 80;
    listen [::]:80;

    server_name netbox.example.com;

    # Largest request body the proxy will accept.
    client_max_body_size 25m;

    # Serve the files written by "manage.py collectstatic" directly.
    location /static/ {
        alias /opt/netbox/netbox/static/;
    }

    # Everything else goes to gunicorn, which gunicorn_config.py binds to
    # 127.0.0.1:8001.
    location / {
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Legacy P3P compact-policy header; current browsers ignore it.
        add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';
    }
}

cd /etc/nginx/sites-enabled/
# Drop the distribution's default site so "netbox" is the only enabled vhost.
rm default
# With no link name given, ln creates ./netbox pointing at the site file.
ln -s /etc/nginx/sites-available/netbox

# "nginx -t" before restarting catches a broken config without downtime.
service nginx restart

Install gunicorn

pip3 install gunicorn

vim /opt/netbox/gunicorn_config.py
# gunicorn settings, loaded via "gunicorn -c /opt/netbox/gunicorn_config.py".
command: str = '/usr/bin/gunicorn'
pythonpath: str = '/opt/netbox/netbox'
# Loopback only; nginx proxies to this address (proxy_pass in the site file above).
bind: str = '127.0.0.1:8001'
workers: int = 3
# NOTE(review): media/ was chown'd to netbox:netbox earlier while the workers
# run as www-data — confirm which account must be able to write there.
user: str = 'www-data'

install supervision

apt-get install -y supervisor

vim /etc/supervisor/conf.d/netbox.conf
; gunicorn serving the Django app with the settings in gunicorn_config.py
[program:netbox]
command = gunicorn -c /opt/netbox/gunicorn_config.py netbox.wsgi
directory = /opt/netbox/netbox/
user = www-data

; background queue worker (the "rqworker" management command), same checkout and account
[program:netbox-rqworker]
command = python3 /opt/netbox/netbox/manage.py rqworker
directory = /opt/netbox/netbox/
user = www-data

restart server and test

http://ip.addr.of.server