Hailbytes VPN with Firezone Firewall Documentation

Table of Contents

Introduction

Step-by-step instructions for deploying Hailbytes VPN with the Firezone GUI are provided here.

Administration: Setting up and operating the server instance is covered in this section.

User Guides: Useful documentation that explains how to use Firezone and how to solve common problems. Refer to this section after the server has been deployed successfully.

General Configuration Guides

Split Tunneling: Use the VPN to send traffic only to specific IP ranges.

Whitelisting: Give the VPN server a static IP address so that it can be used in allow lists.

Reverse Tunnels: Create tunnels between several peers using reverse tunnels.

Get Support

We are happy to help if you need assistance installing, configuring, or using Hailbytes VPN.

AUTHENTICATION

Firezone can be configured to require authentication before users generate or download device configuration files. Users may also be required to re-authenticate periodically in order to keep their VPN connection active.

Although Firezone's default login method is a local email address and password, it can also be integrated with an OpenID Connect (OIDC) identity provider. Users can then sign in to Firezone using Okta, Google, Azure AD, or a custom identity provider.

Integrating a Generic OIDC Provider

The configuration parameters Firezone needs in order to allow SSO through an OIDC provider are shown in the example below. The configuration file is located at /etc/firezone/firezone.rb. Run firezone-ctl reconfigure followed by firezone-ctl restart to update the application and apply the changes.

# This is an example using Google and Okta as the SSO identity providers.
# Multiple OIDC configurations can be added to the same Firezone instance.

# Firezone can disable a user's VPN if an error is detected while attempting
# to refresh their access token. This has been verified to work for Google, Okta,
# and Azure SSO, and is used to automatically disconnect a user's VPN if they are
# removed from the OIDC provider. Leave this disabled if your OIDC provider has
# issues refreshing access tokens, since it could unexpectedly interrupt a
# user's VPN session.
default['firezone']['authentication']['disable_vpn_on_oidc_error'] = false

default['firezone']['authentication']['oidc'] = {
  google: {
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    client_id: "",
    client_secret: "",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  },
  okta: {
    discovery_document_uri: "https://<okta_domain>/.well-known/openid-configuration",
    client_id: "",
    client_secret: "",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Okta"
  }
}

Fill in client_id and client_secret with the values issued by the provider, and replace <okta_domain> with your Okta domain. The following configuration parameters are required for the integration:

  1. discovery_document_uri: The OpenID Connect provider configuration URI, which returns the JSON document used to construct subsequent requests to this OIDC provider.
  2. client_id: The client ID of the application.
  3. client_secret: The client secret of the application.
  4. redirect_uri: Tells the OIDC provider where to redirect after authentication. This must be your Firezone EXTERNAL_URL + /auth/oidc/<provider_key>/callback/, where <provider_key> is the key used in the oidc hash above (e.g. https://instance-id.yourfirezone.com/auth/oidc/google/callback/).
  5. response_type: Set to code.
  6. scope: The OIDC scopes to request from your OIDC provider. This should be set to openid email profile, or to openid email profile offline_access, depending on the provider.
  7. label: The text of the button label that appears on your Firezone login screen.

Pretty URLs

For each OIDC provider, a corresponding pretty URL is created that redirects to the configured provider's sign-in URL. For the example OIDC configuration above, the URLs are:

  • https://instance-id.yourfirezone.com/auth/oidc/google
  • https://instance-id.yourfirezone.com/auth/oidc/okta

Firezone Setup Guides for Popular Identity Providers

We have documentation for the following providers:

  • Google
  • Okta
  • Azure Active Directory
  • Onelogin
  • Local authentication

If your identity provider has a generic OIDC connector and is not listed above, please consult its documentation for information on how to retrieve the required configuration settings.

Enforce Periodic Re-authentication

The setting under settings/security can be changed to require periodic re-authentication. This can be used to enforce a requirement that users sign in to Firezone periodically in order to keep their VPN session.

The session length can be configured to anything between one hour and ninety days. Setting it to Never allows VPN sessions to stay active indefinitely. This is the default.

Re-authentication

To re-authenticate an expired VPN session, a user must end the VPN session and sign in to the Firezone portal (the URL specified during deployment).

You can re-authenticate your session by following the detailed client instructions found here.

 

VPN Connection Status

The VPN Connection column of the users table shows a user's connection status. These are the connection statuses:

ENABLED - The connection is enabled.

DISABLED - The connection has been disabled by an administrator, or an OIDC refresh has failed.

EXPIRED - The connection has been disabled because authentication expired, or the user has not signed in for the first time.

Google

Through its generic OIDC connector, Firezone enables Single Sign-On (SSO) with Google Workspace and Cloud Identity. This guide shows you how to obtain the configuration parameters listed below, which are required for the integration:

  1. discovery_document_uri: The OpenID Connect provider configuration URI, which returns the JSON document used to construct subsequent requests to this OIDC provider.
  2. client_id: The client ID of the application.
  3. client_secret: The client secret of the application.
  4. redirect_uri: Tells the OIDC provider where to redirect after authentication. This must be your Firezone EXTERNAL_URL + /auth/oidc/google/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/google/callback/).
  5. response_type: Set to code.
  6. scope: The OIDC scopes to request from your OIDC provider. This should be set to openid email profile so that Firezone receives the user's email in the returned claims.
  7. label: The text of the button label that appears on your Firezone login screen.

Obtain Configuration Settings

1. OAuth Consent Screen

If this is the first time you are creating a new OAuth client ID, you will be asked to configure the consent screen.

* Choose Internal for the user type. This ensures that only accounts belonging to users in your Google Workspace organization can create device configurations. Do not choose External unless you want to allow anyone with a valid Google account to create device configurations.

App information screen:

  1. App name: Firezone
  2. App logo: the Firezone logo.
  3. Application home page: the URL of your Firezone instance.
  4. Authorized domains: the top-level domain of your Firezone instance.

2. Create OAuth Client IDs

This section is based on Google's own documentation on setting up OAuth 2.0.

Visit the Google Cloud Console Credentials page, click + Create Credentials and choose OAuth client ID.

On the OAuth client ID creation screen:

  1. Set Application Type to Web application.
  2. Add your Firezone EXTERNAL_URL + /auth/oidc/google/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/google/callback/) as an entry under Authorized redirect URIs.

After creating the OAuth client ID, you will be given a Client ID and a Client Secret. These will be used together with the redirect URI in the next step.

Firezone Integration

Edit /etc/firezone/firezone.rb to include the options below:

# Using Google as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  google: {
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    client_id: "",
    client_secret: "",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  }
}

Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Google button at the root Firezone URL.

Okta

Firezone uses its generic OIDC connector to facilitate Single Sign-On (SSO) with Okta. This guide shows you how to obtain the configuration parameters listed below, which are required for the integration:

  1. discovery_document_uri: The OpenID Connect provider configuration URI, which returns the JSON document used to construct subsequent requests to this OIDC provider.
  2. client_id: The client ID of the application.
  3. client_secret: The client secret of the application.
  4. redirect_uri: Tells the OIDC provider where to redirect after authentication. This must be your Firezone EXTERNAL_URL + /auth/oidc/okta/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/okta/callback/).
  5. response_type: Set to code.
  6. scope: The OIDC scopes to request from your OIDC provider. This should be set to openid email profile offline_access so that Firezone receives the user's email in the returned claims and can refresh tokens.
  7. label: The text of the button label that appears on your Firezone login screen.

Okta App Integration

This section of the guide is based on the Okta documentation.

In the Admin Console, go to Applications > Applications and click Create App Integration. Set the Sign-in method to OIDC - OpenID Connect and the Application type to Web Application.

Configure these settings:

  1. App name: Firezone
  2. App logo: the Firezone logo.
  3. Grant Type: Check the Refresh Token box. This ensures that Firezone stays in sync with the identity provider and that VPN access is terminated once a user is removed.
  4. Sign-in redirect URIs: Add your Firezone EXTERNAL_URL + /auth/oidc/okta/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/okta/callback/) as an entry under Authorized redirect URIs.
  5. Assignments: Limit to the groups you wish to grant access to your Firezone instance.

Once the settings are saved, you will be given the Client ID, Client Secret, and Okta Domain. These 3 values will be used in Step 2 to configure Firezone.

Firezone Integration

Edit /etc/firezone/firezone.rb to include the options below. Your discovery_document_uri is /.well-known/openid-configuration appended to the end of your okta_domain.

# Using Okta as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  okta: {
    discovery_document_uri: "https://<okta_domain>/.well-known/openid-configuration",
    client_id: "",
    client_secret: "",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Okta"
  }
}

Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Okta button at the root Firezone URL.

Restricting Access to Certain Users

Okta can limit which users can access the Firezone app. Go to the Assignments page of the Firezone App Integration in your Okta Admin Console to do this.

Azure Active Directory

Through its generic OIDC connector, Firezone enables Single Sign-On (SSO) with Azure Active Directory. This guide shows you how to obtain the configuration parameters listed below, which are required for the integration:

  1. discovery_document_uri: The OpenID Connect provider configuration URI, which returns the JSON document used to construct subsequent requests to this OIDC provider.
  2. client_id: The client ID of the application.
  3. client_secret: The client secret of the application.
  4. redirect_uri: Tells the OIDC provider where to redirect after authentication. This must be your Firezone EXTERNAL_URL + /auth/oidc/azure/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/azure/callback/).
  5. response_type: Set to code.
  6. scope: The OIDC scopes to request from your OIDC provider. This should be set to openid email profile offline_access so that Firezone receives the user's email in the returned claims and can refresh tokens.
  7. label: The text of the button label that appears on your Firezone login screen.

Obtain Configuration Settings

This guide is adapted from the Azure Active Directory documentation.

Go to the Azure Active Directory page of the Azure portal. Select the App registrations option under the Manage menu, select New registration, and register the application by providing the information below:

  1. Name: Firezone
  2. Supported account types: (Default Directory only - Single tenant)
  3. Redirect URI: This should be your Firezone EXTERNAL_URL + /auth/oidc/azure/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/azure/callback/). Make sure to include the trailing slash. This will be the redirect_uri value.

After registering, open the application's details and copy the Application (client) ID. This will be the client_id value. Next, open the Endpoints menu to retrieve the OpenID Connect metadata document. This will be the discovery_document_uri value.

Create a new client secret by clicking the Certificates & secrets option under the Manage menu. Copy the client secret; this will be the client_secret value.

Finally, select the API permissions link under the Manage menu, click Add a permission, select Microsoft Graph, and add the email, openid, offline_access and profile permissions.

Firezone Integration

Edit /etc/firezone/firezone.rb to include the options below (replace <tenant_id> with your directory's tenant ID as shown in the metadata document URL):

# Using Azure Active Directory as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  azure: {
    discovery_document_uri: "https://login.microsoftonline.com/<tenant_id>/v2.0/.well-known/openid-configuration",
    client_id: "",
    client_secret: "",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/azure/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Azure"
  }
}

Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Azure button at the root Firezone URL.
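The script below is an added example, not Firezone's own code, that statically checks an oidc hash of the shape used in the generic OIDC section and in the Google, Okta and Azure AD sections above before you run firezone-ctl reconfigure: every required key present, no blank credentials, a TLS discovery document at the well-known path, a redirect_uri that is exactly EXTERNAL_URL + /auth/oidc/<key>/callback/, response_type code, and the scopes this page lists (openid and email everywhere, offline_access for Okta and Azure AD). The sample config, the placeholder credential strings and the EXTERNAL_URL are constructed for the example.

```ruby
require 'uri'

# Added example (not Firezone code): static checks for the hash that goes in
# default['firezone']['authentication']['oidc'] before running
# `firezone-ctl reconfigure`. Keys follow the parameter list on this page.
REQUIRED_KEYS = %i[discovery_document_uri client_id client_secret
                   redirect_uri response_type scope label].freeze

# Providers this page configures with offline_access so Firezone can refresh
# tokens and cut off removed users (Google is configured without it).
NEEDS_OFFLINE_ACCESS = %i[okta azure].freeze

# Returns an array of human-readable problems; empty means the config looks sane.
# external_url is the instance's EXTERNAL_URL, e.g. "https://instance-id.yourfirezone.com".
def oidc_config_errors(external_url, oidc)
  errors = []
  oidc.each do |name, cfg|
    missing = REQUIRED_KEYS - cfg.keys
    unless missing.empty?
      errors << "#{name}: missing #{missing.join(', ')}"
      next
    end

    # Placeholder credentials left blank are the most common copy-paste mistake.
    %i[client_id client_secret].each do |key|
      errors << "#{name}: #{key} is blank" if cfg[key].to_s.strip.empty?
    end

    # The discovery document must be fetched over TLS from the standard well-known path.
    uri = begin
      URI.parse(cfg[:discovery_document_uri].to_s)
    rescue URI::InvalidURIError
      nil
    end
    unless uri && uri.scheme == 'https' && uri.path.end_with?('/.well-known/openid-configuration')
      errors << "#{name}: discovery_document_uri must be https://<issuer>/.well-known/openid-configuration"
    end

    # redirect_uri is EXTERNAL_URL + /auth/oidc/<key>/callback/ with the trailing slash;
    # the provider compares it byte for byte, so anything else fails at the callback.
    expected = "#{external_url.chomp('/')}/auth/oidc/#{name}/callback/"
    errors << "#{name}: redirect_uri should be #{expected}" unless cfg[:redirect_uri] == expected

    errors << "#{name}: response_type must be \"code\"" unless cfg[:response_type] == 'code'

    scopes = cfg[:scope].to_s.split
    %w[openid email].each do |s|
      errors << "#{name}: scope must include #{s}" unless scopes.include?(s)
    end
    if NEEDS_OFFLINE_ACCESS.include?(name) && !scopes.include?('offline_access')
      errors << "#{name}: scope should include offline_access so refresh tokens are issued"
    end
  end
  errors
end

# Constructed sample: a correct Google entry plus an Okta entry with typical mistakes
# (plain http discovery URL, empty client_id, missing trailing slash, no offline_access).
# Credential strings are placeholders, not real values.
SAMPLE_OIDC = {
  google: {
    discovery_document_uri: 'https://accounts.google.com/.well-known/openid-configuration',
    client_id: 'example-client-id.apps.googleusercontent.com',
    client_secret: 'example-client-secret',
    redirect_uri: 'https://instance-id.yourfirezone.com/auth/oidc/google/callback/',
    response_type: 'code', scope: 'openid email profile', label: 'Google'
  },
  okta: {
    discovery_document_uri: 'http://example.okta.com/.well-known/openid-configuration',
    client_id: '',
    client_secret: 'example-client-secret',
    redirect_uri: 'https://instance-id.yourfirezone.com/auth/oidc/okta/callback',
    response_type: 'code', scope: 'openid email profile', label: 'Okta'
  }
}.freeze

if __FILE__ == $PROGRAM_NAME
  problems = oidc_config_errors('https://instance-id.yourfirezone.com', SAMPLE_OIDC)
  puts(problems.empty? ? 'OIDC config OK' : problems)
end
```

To use it against a real instance, load the hash from your own firezone.rb (or paste it in place of SAMPLE_OIDC) and pass your EXTERNAL_URL; an empty result means reconfigure is worth running, a non-empty one lists what to fix first.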

How to: Restrict Access to Certain Members

Azure AD allows administrators to restrict app access to a specific group of users within your company. More information on how to do this can be found in Microsoft's documentation.

Administration

  • Overview
  • Manage Installation
  • Upgrade
  • Troubleshooting
  • Security Considerations
  • Running SQL Queries

Overview

Firezone uses Chef Omnibus to manage tasks including release packaging, process supervision, log management, and more.

The main configuration file, located at /etc/firezone/firezone.rb, consists of Ruby code. Running sudo firezone-ctl reconfigure after making changes to this file causes Chef to recognize the changes and apply them to the running operating system.

See the configuration file reference for a complete list of configuration variables and their descriptions.

Manage Installation

Your Firezone instance can be managed via the firezone-ctl command, as shown below. Most subcommands require a sudo prefix.

root@demo:~# firezone-ctl
omnibus-ctl: command (subcommand)
General Commands:
  cleanse
    Delete *all* firezone data, and start from scratch.
  create-or-reset-admin
    Resets the password for the admin with the email specified by default['firezone']['admin_email'], or creates a new admin if that email doesn't exist.
  help
    Print this help message.
  reconfigure
    Reconfigure the application.
  reset-network
    Resets nftables, the WireGuard interface, and the routing table back to Firezone defaults.
  show-config
    Show the configuration that would be generated by reconfigure.
  teardown-network
    Removes the WireGuard interface and the firezone nftables table.
  force-cert-renewal
    Force certificate renewal now, even if it hasn't expired.
  stop-cert-renewal
    Removes the cronjob that renews certificates.
  uninstall
    Kill all processes and uninstall the process supervisor (data will be preserved).
  version
    Display the current version of Firezone.
Service Management Commands:
  graceful-kill
    Attempt a graceful stop, then SIGKILL the entire process group.
  hup
    Send the services a HUP.
  int
    Send the services an INT.
  kill
    Send the services a KILL.
  once
    Start the services if they are down. Do not restart them if they stop.
  restart
    Stop the services if they are running, then start them again.
  service-list
    List all the services (enabled services appear with a *).
  start
    Start the services if they are down, and restart them if they stop.
  status
    Show the status of all the services.
  stop
    Stop the services, and do not restart them.
  tail
    Watch the service logs of all enabled services.
  term
    Send the services a TERM.
  usr1
    Send the services a USR1.
  usr2
    Send the services a USR2.

Upgrade

Upgrading Firezone terminates all VPN sessions and also requires shutting down the Web UI. In case something goes wrong during the upgrade, we recommend scheduling a maintenance window.

To upgrade Firezone, take the following steps:

  1. Upgrade the firezone package using the one-line install command: sudo -E bash -c "$(curl -fsSL https://github.com/firezone/firezone/raw/master/scripts/install.sh)"
  2. Run firezone-ctl reconfigure to pick up the new changes.
  3. Run firezone-ctl restart to restart the services.

If any issues arise, please let us know by submitting a support ticket.

Upgrade from <0.5.0 to >=0.5.0

There are a few breaking changes and configuration changes in 0.5.0 that need to be addressed. Read about them below.

Bundled Nginx non_ssl_port (HTTP) requests removed

As of version 0.5.0, Nginx no longer supports the force-SSL and non-SSL port configuration options. Because Firezone requires SSL to operate, we recommend removing the bundled Nginx service by setting default['firezone']['nginx']['enabled'] = false and pointing your own reverse proxy at the Phoenix app on port 13000 (the default) instead.

ACME Protocol Support

0.5.0 introduces ACME protocol support for automatically renewing SSL certificates for the bundled Nginx service. To enable it:

  • Ensure default['firezone']['external_url'] contains a valid FQDN that resolves to your server's public IP address.
  • Ensure port 80/tcp is reachable.
  • Enable ACME protocol support with default['firezone']['ssl']['acme']['enabled'] = true in the configuration file.

Overlapping Egress Rule Destinations

The ability to add rules with overlapping destinations has been removed in Firezone 0.5.0. The migration script automatically detects these cases during the upgrade to 0.5.0 and keeps only one rule of each pair, the one whose destination is nested in the other's. There is nothing you need to do if this is acceptable.

Otherwise, before upgrading, we recommend changing your rules to eliminate these situations.
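The script below is an added example, not Firezone's migration script, for finding such pairs before the upgrade. It takes a list of rules in a constructed simplified shape (destination as IP or CIDR, action drop or accept, optional user scope), reports every rule whose destination is contained in another rule's destination, and flags the pairs where the two rules disagree on drop versus accept, since losing either of those changes what traffic is allowed. Treating rules scoped to different users as independent is an assumption of the example, as is the sample rule set.

```ruby
require 'ipaddr'

# Added example (not Firezone's migration script): list egress rules whose
# destination is contained in another rule's destination, so you can decide which
# one to keep before the 0.5.0 upgrade drops one of them. Rule shape is a
# constructed simplification of what the web UI captures: destination (IP or
# CIDR), action ("drop" or "accept") and an optional user the rule is scoped to.

# True when every address of `inner` lies inside `outer` (same address family only).
def covers?(outer, inner)
  o = IPAddr.new(outer)
  i = IPAddr.new(inner)
  return false unless o.family == i.family

  o_range = o.to_range
  i_range = i.to_range
  o_range.begin <= i_range.begin && i_range.end <= o_range.end
end

# Returns one entry per (contained rule, containing rule) pair. Rules scoped to
# different users are treated as independent, an assumption of this example.
# :policy_change is set when the two rules disagree on drop/accept, because
# dropping either rule then changes what traffic is allowed.
def overlapping_rules(rules)
  overlaps = []
  rules.each_with_index do |inner, i|
    rules.each_with_index do |outer, j|
      next if i == j
      next unless inner[:user] == outer[:user]
      next unless covers?(outer[:destination], inner[:destination])
      # Identical destinations would match in both directions; report them once.
      next if outer[:destination] == inner[:destination] && j > i

      overlaps << {
        redundant: inner,
        contained_in: outer,
        policy_change: inner[:action] != outer[:action]
      }
    end
  end
  overlaps
end

# Constructed sample rule set.
SAMPLE_RULES = [
  { destination: '10.0.0.0/8',     action: 'drop',   user: nil },
  { destination: '10.10.5.0/24',   action: 'accept', user: nil },                # carve-out inside the /8 drop
  { destination: '192.168.1.10',   action: 'drop',   user: 'alice@example.com' },
  { destination: '192.168.1.0/24', action: 'drop',   user: 'alice@example.com' }, # already covers the host rule
  { destination: 'fd00::/8',       action: 'drop',   user: nil },
  { destination: '1.1.1.1/32',     action: 'accept', user: nil }
].freeze

if __FILE__ == $PROGRAM_NAME
  overlapping_rules(SAMPLE_RULES).each do |o|
    flag = o[:policy_change] ? 'REVIEW: actions differ' : 'safe to merge'
    puts "#{o[:redundant][:destination]} is inside #{o[:contained_in][:destination]} (#{flag})"
  end
end
```

Feed it the rules exported from your own instance (for example from the rules table via psql, see Running SQL Queries) and fix the flagged pairs by hand; the unflagged ones can simply be merged into the wider rule.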

Okta and Google SSO Reconfiguration

Firezone 0.5.0 removes support for the old-style Okta and Google SSO configuration in favor of the new, more flexible OIDC-based configuration.

If you have any configuration under the default['firezone']['authentication']['okta'] or default['firezone']['authentication']['google'] keys, you need to migrate it to the OIDC-based configuration using the guide below.

Migrate an existing Google OAuth integration

Remove these lines containing the old Google OAuth configuration from your configuration file at /etc/firezone/firezone.rb:

default['firezone']['authentication']['google']['enabled']
default['firezone']['authentication']['google']['client_id']
default['firezone']['authentication']['google']['client_secret']
default['firezone']['authentication']['google']['redirect_uri']

Then configure Google as an OIDC provider by following the procedure here.

Migrate an existing Okta OAuth integration

Remove these lines containing the old Okta OAuth configuration from your configuration file at /etc/firezone/firezone.rb:

default['firezone']['authentication']['okta']['enabled']
default['firezone']['authentication']['okta']['client_id']
default['firezone']['authentication']['okta']['client_secret']
default['firezone']['authentication']['okta']['site']

Then configure Okta as an OIDC provider by following the procedure here.

Upgrade from 0.3.x to >= 0.3.16

Depending on your current setup and version, follow the instructions below:

If you already have an OIDC integration:

For some OIDC providers, upgrading to >= 0.3.16 requires obtaining a new refresh token with the offline_access scope. Doing so ensures that Firezone stays in sync with the identity provider and that the VPN connection is disabled after a user is deleted. Previous versions of Firezone lacked this feature. In some cases, users who were deleted from the identity provider may still be connected to the VPN.

For OIDC providers that support the offline_access scope, it is necessary to add offline_access to the scope parameter of the OIDC configuration. firezone-ctl reconfigure must be run to apply the changes to the Firezone configuration file, located at /etc/firezone/firezone.rb.

For users authenticated by your OIDC provider, you will see the OIDC Connections heading on the user details page of the web UI if Firezone successfully retrieved the refresh token.

If this doesn't work, you will need to delete your existing OAuth app and repeat the OIDC setup steps to create a new app integration.

I have an existing OAuth integration

Prior to 0.3.11, Firezone used pre-configured OAuth2 providers.

Follow the instructions here to migrate to OIDC.

I have not integrated an identity provider

No action is needed.

You can follow the instructions here to enable SSO through an OIDC provider.

Upgrade from 0.3.1 to >= 0.3.2

In 0.3.2, the default['firezone']['external_url'] configuration option replaced default['firezone']['fqdn'].

Set it to the URL of your Firezone online portal that is accessible from the public internet. If left undefined, it defaults to https:// followed by your server's FQDN.

The configuration file is located at /etc/firezone/firezone.rb. See the configuration file reference for a complete list of configuration variables and their descriptions.

Upgrade from 0.2.x to 0.3.x

As of version 0.3.0, Firezone no longer stores device private keys on the Firezone server.

The Firezone Web UI will not allow you to re-download or view these configurations, but any existing devices should continue to work as-is.

Upgrade from 0.1.x to 0.2.x

If you are upgrading from Firezone 0.1.x, there are a few configuration file changes that need to be handled manually.

To make the necessary changes to your /etc/firezone/firezone.rb file, run the commands below as root.

cp /etc/firezone/firezone.rb /etc/firezone/firezone.rb.bak
sed -i "s/\['enable'\]/\['enabled'\]/" /etc/firezone/firezone.rb
echo "default['firezone']['connectivity_checks']['enabled'] = true" >> /etc/firezone/firezone.rb
echo "default['firezone']['connectivity_checks']['interval'] = 3_600" >> /etc/firezone/firezone.rb
firezone-ctl reconfigure
firezone-ctl restart

Troubleshooting

Checking the Firezone logs is a wise first step for any issue that may occur.

Run sudo firezone-ctl tail to view the Firezone logs.

Debugging Connectivity Issues

Most connectivity issues with Firezone are caused by incompatible iptables or nftables rules. You must ensure that any rules you apply do not conflict with the Firezone rules.

Internet Connectivity Drops when Tunnel is Active

If your internet connectivity drops whenever you activate your WireGuard tunnel, ensure the FORWARD chain allows packets from your WireGuard clients to the destinations you want to allow through Firezone.

If you're using ufw, this can be achieved by ensuring the default routing policy is allow:

ubuntu@fz:~$ sudo ufw default allow routed
Default routed policy changed to 'allow'
(be sure to update your rules accordingly)

A ufw status for a typical Firezone server could look like this:

ubuntu@fz:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)

Security Considerations

We recommend restricting network access to the web interface for sensitive and mission-critical production deployments, as explained below.

Services & Ports

Service      Default Port   Listen Address   Description
Nginx        80, 443        all              Public HTTP(S) port for administering Firezone and facilitating authentication.
WireGuard    51820          all              Public WireGuard port used for VPN sessions (UDP).
Postgresql   15432          127.0.0.1        Local-only port used for the bundled Postgresql server.
Phoenix      13000          127.0.0.1        Local-only port used by the upstream Elixir app server.

Production Deployments

For production and public-facing deployments where a single administrator is responsible for creating and distributing device configurations to end users, we recommend limiting public access to Firezone's web UI (by default ports 443/tcp and 80/tcp) and instead using the WireGuard tunnel to manage Firezone.

For example, if an administrator created a device configuration and established a tunnel with the local WireGuard address 10.3.2.2, the following ufw configuration would allow the administrator to reach the Firezone web UI on the server's wg-firezone interface using the 10.3.2.1 tunnel address:

root@demo:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
Anywhere                   ALLOW IN    10.3.2.2
22/tcp (v6)                ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)

This leaves only 22/tcp exposed for SSH access to manage the server (optional), and 51820/udp exposed to establish WireGuard tunnels.
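The script below is an added example, not part of Firezone, that turns the two ufw listings on this page (the typical server under Troubleshooting and the hardened one above) into a repeatable check: it parses `ufw status verbose` output, reports any "To" target allowed from Anywhere beyond 22/tcp and 51820/udp, and reads the Default line so you can confirm incoming is deny and routed is allow, which the connectivity section requires for tunnel clients. The two listings are constructed inline from the page's examples; the expected-port list and the 10.3.2.2 admin address are assumptions for the example.

```ruby
# Added example (not Firezone code): check a `ufw status verbose` listing
# against the exposure this page recommends for production: only 22/tcp
# (optional SSH) and 51820/udp (WireGuard) open to Anywhere, with the web UI
# reached over the tunnel. Input is text in ufw's own format; the samples
# below are constructed from the two listings on this page.
EXPECTED_PUBLIC = ['22/tcp', '51820/udp'].freeze

RULE_RE = /\A(?<to>\S+(?: \(v6\))?)\s+ALLOW(?: IN)?\s+(?<from>Anywhere(?: \(v6\))?)\s*\z/

# "To" targets that ufw allows inbound from Anywhere, e.g. ["22/tcp", "22/tcp (v6)"].
def public_allows(ufw_status)
  ufw_status.each_line.map { |line| (m = RULE_RE.match(line)) && m[:to] }.compact
end

# Public targets beyond the expected list, with the (v6) suffix folded into the v4 name.
def unexpected_public_ports(ufw_status, expected = EXPECTED_PUBLIC)
  public_allows(ufw_status).map { |t| t.sub(' (v6)', '') }.uniq - expected
end

# Parses "Default: deny (incoming), allow (outgoing), allow (routed)" into a hash.
# "routed" must be allow for tunnel clients to reach the internet through Firezone.
def default_policies(ufw_status)
  line = ufw_status[/^Default: .*$/]
  return {} unless line

  line.scan(/(\w+) \((\w+)\)/).to_h { |policy, direction| [direction.to_sym, policy] }
end

UFW_HEADER = <<~HDR
  Status: active
  Logging: on (low)
  Default: deny (incoming), allow (outgoing), allow (routed)
  New profiles: skip

  To                         Action      From
  --                         ------      ----
HDR

# Default install: web UI reachable from the internet (constructed sample).
DEFAULT_STATUS = UFW_HEADER + <<~RULES
  22/tcp                     ALLOW IN    Anywhere
  80/tcp                     ALLOW IN    Anywhere
  443/tcp                    ALLOW IN    Anywhere
  51820/udp                  ALLOW IN    Anywhere
  22/tcp (v6)                ALLOW IN    Anywhere (v6)
  80/tcp (v6)                ALLOW IN    Anywhere (v6)
  443/tcp (v6)               ALLOW IN    Anywhere (v6)
  51820/udp (v6)             ALLOW IN    Anywhere (v6)
RULES

# Hardened: web UI only from the admin's tunnel address 10.3.2.2 (constructed sample).
HARDENED_STATUS = UFW_HEADER + <<~RULES
  22/tcp                     ALLOW IN    Anywhere
  51820/udp                  ALLOW IN    Anywhere
  Anywhere                   ALLOW IN    10.3.2.2
  22/tcp (v6)                ALLOW IN    Anywhere (v6)
  51820/udp (v6)             ALLOW IN    Anywhere (v6)
RULES

if __FILE__ == $PROGRAM_NAME
  [['default', DEFAULT_STATUS], ['hardened', HARDENED_STATUS]].each do |name, status|
    extra = unexpected_public_ports(status)
    puts "#{name}: routed=#{default_policies(status)[:routed]} " \
         "unexpected public ports=#{extra.empty? ? 'none' : extra.join(', ')}"
  end
end
```

On a live server, pipe the real listing in with something like `sudo ufw status verbose | ruby -r ./ufw_check -e 'p unexpected_public_ports($stdin.read)'`; a non-empty array means the web UI (or something else) is still reachable from the internet.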

Running SQL Queries

Firezone bundles the Postgresql server and the matching psql utility, which can be used from the local shell like so:

/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SQL_STATEMENT"

This can be useful for debugging purposes.

Common tasks:

  • List all users
  • List all devices
  • Change a user's role
  • Back up the database

List all users:

/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SELECT * FROM users;"

List all devices:

/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SELECT * FROM devices;"

Change a user's role:

Set the role to 'admin' or 'unprivileged':

/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "UPDATE users SET role = 'admin' WHERE email = 'user@example.com';"

Back up the database:

Additionally, the pg_dump program is included, which can be used to take regular backups of the database. Run the following to dump a copy of the database in common SQL format (replace /path/to/backup.sql with the location where the SQL file should be created):

/opt/firezone/embedded/bin/pg_dump \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 > /path/to/backup.sql

User Guides

  • Ku dar Users
  • Ku dar Qalabka
  • Xeerarka Egress
  • Tilmaamaha Macmiilka
  • Kala qaybsan Tunnel VPN
  • Tunnelka gadaale 
  • NAT Gateway

Ku dar Users

Ka dib markii Firezone si guul leh loo geeyo, waa inaad ku darto isticmaalayaasha si aad u siiso marinka shabakadaada. Shabakadda UI ayaa loo istcmaalay in tan lagu sameeyo.

 

Web UI


Markaad doorato badhanka "Add User" ee hoostiisa / isticmaalayaasha, waxaad ku dari kartaa isticmaale. Waxaa lagaaga baahan doonaa inaad siiso isticmaalaha ciwaanka iimaylka iyo furaha sirta ah. Si loo oggolaado gelitaanka isticmaalayaasha ururkaaga si toos ah, Firezone waxa kale oo ay isku xidhi kartaa oo la jaan qaadi kartaa bixiyaha aqoonsiga. Faahfaahin dheeraad ah ayaa laga helayaa gudaha Xaqiiji. <Kudar xiriirinta Xaqiijinta

Add Devices

We recommend asking users to generate their own device configuration so that the private key is visible only to them. Users can generate their own device configuration by following the instructions on the Client Instructions page.

Generating a device configuration as an admin

All user device configurations can be created by Firezone admins. On the user profile page under /users, select the "Add Device" option to do so.

[ Screenshot ]

You can send the user the WireGuard configuration file after creating the device profile.

Users and devices are linked. For more details on how to add a user, see Add Users.

Egress Rules

Using the kernel's netfilter system, Firezone provides egress filtering capabilities to specify DROP or ACCEPT for packets. All traffic is allowed by default.

IPv4 and IPv6 CIDRs and IP addresses are supported via the Allowlist and Denylist, respectively. You can choose to scope a rule to a user when adding it, which applies the rule to all of that user's devices.

Client Instructions

Install and configure

To establish a VPN connection using the native WireGuard client, refer to this guide.

1. Install the native WireGuard client

The official WireGuard clients located here are Firezone compatible:

MacOS

Windows

iOS

Android

Visit the official WireGuard website at https://www.wireguard.com/install/ for operating systems not mentioned above.

2. Download the device configuration file

Either your Firezone administrator or you yourself can generate the device configuration file using the Firezone portal.

Visit the URL provided by your Firezone administrator to self-generate a device configuration file. Your company will have a unique URL for this; in this case, it is https://instance-id.yourfirezone.com.

Firezone Okta SSO login

[ Screenshot ]

3. Add the client configuration

Import the .conf file into the WireGuard client by opening it. By toggling the Activate switch, you can start a VPN session.

[ Screenshot ]

Session Authentication

Follow the instructions below if your network administrator has mandated recurring authentication to keep your VPN connection active.

You need:

Firezone portal URL: ask your network administrator for the link.

Your network administrator should be able to provide you with your login and password. The Firezone site will prompt you to log in using the single sign-on service your employer uses (such as Google or Okta).

1. Turn off the VPN connection

[ Screenshot ]

2. Re-authenticate

Go to the Firezone portal URL and log in using the credentials your network administrator provided. If you are already logged in, click the Re-authenticate button before logging in again.

[ Screenshot ]

3. Start a VPN session

[ Screenshot ]

Linux Network Manager

To import the WireGuard configuration profile using the Network Manager CLI (nmcli) on Linux devices, follow these instructions.

NOTE

If the profile has IPv6 support enabled, attempting to import the configuration file using the Network Manager GUI may fail with the following error:

ipv6.method: method "auto" is not supported for WireGuard

1. Install WireGuard tools

It is necessary to install the WireGuard userspace utilities. This will be a package called wireguard or wireguard-tools, depending on the Linux distribution.

For Ubuntu/Debian:

sudo apt install wireguard

For Fedora:

sudo dnf install wireguard-tools

Arch Linux:

sudo pacman -S wireguard-tools

Visit the official WireGuard website at https://www.wireguard.com/install/ for distributions not mentioned above.

2. Download the configuration

Either your Firezone administrator or self-generation can produce the device configuration file using the Firezone portal.

Visit the URL provided by your Firezone administrator to self-generate a device configuration file. Your company will have a unique URL for this; in this case, it is https://instance-id.yourfirezone.com.

[ Screenshot ]

3. Import the configuration

Import the supplied configuration file using nmcli:

sudo nmcli connection import type wireguard file /path/to/configuration.conf

NOTE

The name of the configuration file will correspond to the WireGuard connection/interface name. After import, the connection can be renamed if needed:

nmcli connection modify [old name] connection.id [new name]

4. Connect or disconnect

Using the command line, connect to the VPN as follows:

nmcli connection up [vpn name]

To disconnect:

nmcli connection down [vpn name]

The applicable Network Manager applet can also be used to manage the connection if a GUI is in use.

Auto-connection

By selecting "yes" for the autoconnect option, the VPN connection can be configured to connect automatically:

nmcli connection modify [vpn name] connection.autoconnect yes

To disable auto-connection, set it back to no:

nmcli connection modify [vpn name] connection.autoconnect no

Make Multi-Factor Authentication Available

To enable MFA, go to the Firezone portal's /user_account/register_mfa page. Use your authenticator app to scan the QR code after it has been generated, then enter the six-digit code.

Contact your administrator to reset your account login information if you lose your authenticator app.

Split Tunnel VPN

This tutorial walks through the process of setting up WireGuard's split tunnelling feature with Firezone so that only traffic to specific IP ranges is forwarded through the VPN server.

1. Configure Allowed IPs

The IP ranges for which the client will route network traffic are set in the Allowed IPs field on the /settings/default page. Only newly generated WireGuard tunnel configurations produced by Firezone will be affected by changes to this field.

[ Screenshot ]

The default value is 0.0.0.0/0, ::/0, which routes all network traffic from the client to the VPN server.

Example values for this field include:

0.0.0.0/0, ::/0 - All network traffic will be routed to the VPN server.

192.0.2.3/32 - Only traffic to a single IP address will be routed to the VPN server.

3.5.140.0/22 - Only traffic to IPs in the range 3.5.140.1 - 3.5.143.254 will be routed to the VPN server. In this example, the CIDR range for the AWS ap-northeast-2 region was used.

NOTE

Firezone selects the egress interface associated with the most specific route first when determining where to route a packet.

2. Regenerate the WireGuard configuration

Users must regenerate the configuration files and add them to their native WireGuard client to update existing user devices with the new split tunnel configuration.

For instructions, see Add Devices.
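The following is an added example, not Firezone's own code: it reads the AllowedIPs line of a client configuration like the ones Firezone generates, tells full tunnel from split tunnel, and applies the most-specific-route rule from the note above to decide which destinations go through the VPN. The sample configuration, the key placeholders and the endpoint host are constructed for the example.

```ruby
require "ipaddr"

# Constructed sample of a client config as Firezone would generate it with a
# split-tunnel Allowed IPs setting; keys are placeholders, not real key material.
SAMPLE_CONF = <<~CONF
  [Interface]
  PrivateKey = PLACEHOLDER_PRIVATE_KEY
  Address = 10.3.2.2/32
  DNS = 1.1.1.1, 1.0.0.1

  [Peer]
  PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY
  AllowedIPs = 192.0.2.3/32, 3.5.140.0/22
  Endpoint = instance-id.yourfirezone.com:51820
  PersistentKeepalive = 25
CONF

# Return the AllowedIPs prefixes of the [Peer] section as IPAddr objects.
def parse_allowed_ips(conf)
  in_peer = false
  conf.each_line do |raw|
    line = raw.strip
    in_peer = (line == "[Peer]") if line.start_with?("[")
    next unless in_peer && line.include?("=")
    key, value = line.split("=", 2).map(&:strip)
    return value.split(",").map { |cidr| IPAddr.new(cidr.strip) } if key == "AllowedIPs"
  end
  []
end

# "full" when both the IPv4 and the IPv6 default routes are in AllowedIPs
# (Firezone's default "0.0.0.0/0, ::/0"), otherwise "split".
def tunnel_mode(allowed)
  v4_all = allowed.any? { |p| p.ipv4? && p.prefix.zero? }
  v6_all = allowed.any? { |p| p.ipv6? && p.prefix.zero? }
  v4_all && v6_all ? "full" : "split"
end

# Longest-prefix match, as the routing table does it: the most specific entry
# covering dest wins. Returns that entry as "network/len", or nil when the
# packet leaves through the normal (non-VPN) interface instead.
def vpn_route_for(allowed, dest)
  ip = IPAddr.new(dest)
  best = allowed.select { |p| p.family == ip.family && p.include?(ip) }.max_by(&:prefix)
  best && "#{best}/#{best.prefix}"
end

# First and last usable host address of a prefix, the way the text states the
# 3.5.140.0/22 example (3.5.140.1 - 3.5.143.254).
def usable_range(cidr)
  net = IPAddr.new(cidr)
  hosts = net.to_range
  [IPAddr.new(hosts.first.to_i + 1, net.family).to_s,
   IPAddr.new(hosts.last.to_i - 1, net.family).to_s]
end
```

The overlap case (a /8 and a /16 both covering the destination) is the situation the note refers to: the /16 wins, so a broad entry does not silently override a narrower one.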

Reverse Tunnel

This manual will demonstrate how to connect two devices using Firezone as a relay. One typical use case is to enable an administrator to access a server, container, or machine protected by a NAT or firewall.

Node to Node

This illustration shows a straightforward scenario in which Devices A and B build a tunnel.

[ Firezone architecture diagram ]

Begin by creating Device A and Device B by navigating to /users/[user_id]/new_device. In the settings for each device, make sure the following parameters are set to the values listed below. You can set the device settings when creating the device configuration (see Add Devices). If you need to update the settings of an existing device, you can do so by generating a new device configuration.

Note that all devices have a /settings/defaults page where PersistentKeepalive can be configured.

Device A

AllowedIPs = 10.3.2.2/32
  This is the IP or range of IPs of Device B

PersistentKeepalive = 25
  If the device is behind a NAT, this ensures the device is able to keep the tunnel alive and continue receiving packets from the WireGuard interface. Usually a value of 25 is sufficient, but you may need to decrease this value depending on your environment.

Device B

AllowedIPs = 10.3.2.3/32
  This is the IP or range of IPs of Device A

PersistentKeepalive = 25

Admin Case - One to Many

This example demonstrates a scenario in which Device A can communicate with Devices B through D in both directions. This setup could represent an engineer or administrator accessing multiple resources (servers, containers, or machines) across different networks.

[ Architecture diagram ]

Make sure the following settings are made in each device's configuration, with the corresponding values. When creating the device configuration, you can specify the device settings (see Add Devices). A new device configuration can be generated if an existing device's settings need to be updated.

Device A (Admin node)

AllowedIPs = 10.3.2.3/32, 10.3.2.4/32, 10.3.2.5/32
    These are the IPs of Devices B through D. The IPs of Devices B through D must be included in whatever IP range you choose to set.

PersistentKeepalive = 25
    This guarantees the device can maintain the tunnel and continue receiving packets from the WireGuard interface even if it is protected by a NAT. In most cases a value of 25 is sufficient; however, depending on your environment, you may need to decrease this number.

Device B

  • AllowedIPs = 10.3.2.2/32: This is the IP or range of IPs of Device A.
  • PersistentKeepalive = 25

Device C

  • AllowedIPs = 10.3.2.2/32: This is the IP or range of IPs of Device A.
  • PersistentKeepalive = 25

Device D

  • AllowedIPs = 10.3.2.2/32: This is the IP or range of IPs of Device A.
  • PersistentKeepalive = 25
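As an added example (not part of Firezone), the check below takes the per-device settings from the one-to-many case above and verifies what the text requires of them: the admin node and every resource list each other's tunnel IP in AllowedIPs, and every device has a PersistentKeepalive so a peer behind NAT stays reachable. The device table is constructed from the values in the text; the tunnel address assigned to each device is an assumption consistent with them.

```ruby
require "ipaddr"

# Constructed device settings for the one-to-many case: A is the admin node,
# B-D are the resources it reaches. :address is the WireGuard tunnel IP that
# Firezone assigned to the device (assumed here, consistent with the AllowedIPs).
DEVICES = {
  "A" => { address: "10.3.2.2", allowed_ips: "10.3.2.3/32, 10.3.2.4/32, 10.3.2.5/32", keepalive: 25 },
  "B" => { address: "10.3.2.3", allowed_ips: "10.3.2.2/32", keepalive: 25 },
  "C" => { address: "10.3.2.4", allowed_ips: "10.3.2.2/32", keepalive: 25 },
  "D" => { address: "10.3.2.5", allowed_ips: "10.3.2.2/32", keepalive: 25 },
}

# Does device's AllowedIPs cover peer's tunnel address? WireGuard only routes
# packets to, and accepts packets from, a peer for addresses inside AllowedIPs,
# so a one-sided entry gives a one-way tunnel.
def allows?(device, peer)
  peer_ip = IPAddr.new(peer[:address])
  device[:allowed_ips].split(",").any? { |cidr| IPAddr.new(cidr.strip).include?(peer_ip) }
end

# Return a list of configuration problems; an empty list means the relay setup
# between hub and every spoke is complete in both directions.
def check_reverse_tunnel(devices, hub, spokes)
  problems = []
  devices.each do |name, dev|
    # 0 (Firezone's server-side default) or a missing value disables keepalives,
    # so a device behind NAT drops off once its NAT mapping expires.
    problems << "#{name}: PersistentKeepalive not set" if dev[:keepalive].to_i <= 0
  end
  spokes.each do |spoke|
    unless allows?(devices[hub], devices[spoke])
      problems << "#{hub} does not list #{spoke} (#{devices[spoke][:address]}) in AllowedIPs"
    end
    unless allows?(devices[spoke], devices[hub])
      problems << "#{spoke} does not list #{hub} (#{devices[hub][:address]}) in AllowedIPs"
    end
  end
  problems
end
```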

NAT Gateway

To provide a single, static egress IP for all of your team's traffic to flow out of, Firezone can be used as a NAT gateway. Common use cases include:

Consulting engagements: ask your client to allowlist a single static IP address rather than each employee's unique device IP.

Using a proxy or masking your source IP for security or privacy purposes.

A simple example of restricting access to a self-hosted web application to a single allowlisted static IP running Firezone will be demonstrated in this post. In this illustration, Firezone and the protected resource are in different VPC areas.

This solution is frequently used in place of managing an IP allowlist for numerous end users, which can be time-consuming as the access list grows.

AWS Example

Our goal is to set up a Firezone server on an EC2 instance to redirect VPN traffic to the restricted resource. In this example, Firezone serves as a network proxy or NAT gateway to give every connected device a single static public IP.

1. Install the Firezone server

In this case, a Firezone instance is installed on a t2.micro EC2 instance. For information on deploying Firezone, go to the Deployment Guide. In relation to AWS, make sure:

The security group of the Firezone EC2 instance allows outbound traffic to the IP address of the protected resource.

The Firezone instance comes with an elastic IP. Traffic forwarded through the Firezone instance to outside destinations will have this as its source IP address. The IP address in question is 52.202.88.54.

[ Screenshot ]

2. Restrict access to the protected resource

A self-hosted web application serves as the protected resource in this case. The web app can only be accessed by requests coming from the IP address 52.202.88.54. Depending on the resource, it may be necessary to allow inbound traffic on various ports and traffic types. This is not covered in this manual.

[ Screenshot ]

Please tell the third party in charge of the protected resource that traffic from the IP defined in Step 1 needs to be allowed (in this case 52.202.88.54).

3. Use the VPN server to route traffic to the protected resource

By default, all user traffic will go through the VPN server and come from the static IP configured in Step 1 (in this case 52.202.88.54). However, if split tunnelling has been enabled, configuration may be necessary to ensure the protected resource's destination IP is listed among the Allowed IPs.

Below is a complete list of the configuration options available in /etc/firezone/firezone.rb. Each option is followed by its description and its default value.

default['firezone']['external_url']
  URL used to access the web portal of this Firezone instance.
  Default: "https://#{node['fqdn'] || node['hostname']}"

default['firezone']['config_directory']
  Top-level directory for Firezone configuration.
  Default: '/etc/firezone'

default['firezone']['install_directory']
  Top-level directory to install Firezone to.
  Default: '/opt/firezone'

default['firezone']['app_directory']
  Top-level directory to install the Firezone web application to.
  Default: "#{node['firezone']['install_directory']}/service/firezone"

default['firezone']['log_directory']
  Top-level directory for Firezone logs.
  Default: '/var/log/firezone'

default['firezone']['var_directory']
  Top-level directory for Firezone runtime files.
  Default: '/var/opt/firezone'

default['firezone']['user']
  Name of the unprivileged Linux user that most services and files will belong to.
  Default: 'firezone'

default['firezone']['group']
  Name of the Linux group that most services and files will belong to.
  Default: 'firezone'

default['firezone']['admin_email']
  Email address for the initial Firezone user.
  Default: "firezone@localhost"

default['firezone']['max_devices_per_user']
  Maximum number of devices a user can have.
  Default: 10

default['firezone']['allow_unprivileged_device_management']
  Allow non-admin users to create and delete devices.
  Default: true

default['firezone']['allow_unprivileged_device_configuration']
  Allow non-admin users to modify device configuration. When disabled, prevents unprivileged users from changing all device fields except name and description.
  Default: true

default['firezone']['egress_interface']
  Interface name where tunneled traffic will exit. If nil, the default route interface will be used.
  Default: nil

default['firezone']['fips_enabled']
  Enable or disable OpenSSL FIPS mode.
  Default: nil

default['firezone']['logging']['enabled']
  Enable or disable logging across Firezone. Set to false to disable logging entirely.
  Default: true

default['enterprise']['name']
  Name used by the Chef 'enterprise' cookbook.
  Default: 'firezone'

default['firezone']['install_path']
  Install path used by the Chef 'enterprise' cookbook. Should be set to the same value as install_directory above.
  Default: node['firezone']['install_directory']

default['firezone']['sysvinit_id']
  An identifier used in /etc/inittab. Must be a unique sequence of 1-4 characters.
  Default: 'SUP'

default['firezone']['authentication']['local']['enabled']
  Enable or disable local email/password authentication.
  Default: true

default['firezone']['authentication']['auto_create_oidc_users']
  Automatically create users signing in from OIDC for the first time. Disable to only allow existing users to sign in via OIDC.
  Default: true

default['firezone']['authentication']['disable_vpn_on_oidc_error']
  Disable a user's VPN if an error is detected while trying to refresh their OIDC token.
  Default: false

default['firezone']['authentication']['oidc']
  OpenID Connect config, in the format {"provider" => [config...]}. See the OpenIDConnect documentation for config examples.
  Default: {}

default['firezone']['nginx']['enabled']
  Enable or disable the bundled nginx server.
  Default: true

default['firezone']['nginx']['ssl_port']
  HTTPS listen port.
  Default: 443

default['firezone']['nginx']['directory']
  Directory to store Firezone-related nginx virtual host configuration.
  Default: "#{node['firezone']['var_directory']}/nginx/etc"

default['firezone']['nginx']['log_directory']
  Directory to store Firezone-related nginx log files.
  Default: "#{node['firezone']['log_directory']}/nginx"

default['firezone']['nginx']['log_rotation']['file_maxbytes']
  File size at which to rotate nginx log files.
  Default: 104857600

default['firezone']['nginx']['log_rotation']['num_to_keep']
  Number of Firezone nginx log files to keep before discarding.
  Default: 10

default['firezone']['nginx']['log_x_forwarded_for']
  Whether to log the Firezone nginx x-forwarded-for header.
  Default: true

default['firezone']['nginx']['hsts_header']['enabled']
  Enable or disable HSTS.
  Default: true

default['firezone']['nginx']['hsts_header']['include_subdomains']
  Enable or disable includeSubDomains for the HSTS header.
  Default: true

default['firezone']['nginx']['hsts_header']['max_age']
  Max age for the HSTS header.
  Default: 31536000

default['firezone']['nginx']['redirect_to_canonical']
  Whether to redirect URLs to the canonical FQDN specified above.
  Default: false

default['firezone']['nginx']['cache']['enabled']
  Enable or disable the Firezone nginx cache.
  Default: false

default['firezone']['nginx']['cache']['directory']
  Directory for the Firezone nginx cache.
  Default: "#{node['firezone']['var_directory']}/nginx/cache"

default['firezone']['nginx']['user']
  Firezone nginx user.
  Default: node['firezone']['user']

default['firezone']['nginx']['group']
  Firezone nginx group.
  Default: node['firezone']['group']

default['firezone']['nginx']['dir']
  Top-level nginx configuration directory.
  Default: node['firezone']['nginx']['directory']

default['firezone']['nginx']['log_dir']
  Top-level nginx log directory.
  Default: node['firezone']['nginx']['log_directory']

default['firezone']['nginx']['pid']
  Location of the nginx pid file.
  Default: "#{node['firezone']['nginx']['directory']}/nginx.pid"

default['firezone']['nginx']['daemon_disable']
  Disable nginx daemon mode so it can be monitored instead.
  Default: true

default['firezone']['nginx']['gzip']
  Turn nginx gzip compression on or off.
  Default: 'on'

default['firezone']['nginx']['gzip_static']
  Turn nginx gzip compression on or off for static files.
  Default: 'off'

default['firezone']['nginx']['gzip_http_version']
  HTTP version to use for serving static files.
  Default: '1.0'

default['firezone']['nginx']['gzip_comp_level']
  nginx gzip compression level.
  Default: '2'

default['firezone']['nginx']['gzip_proxied']
  Enables or disables gzipping of responses for proxied requests depending on the request and response.
  Default: 'any'

default['firezone']['nginx']['gzip_vary']
  Enables or disables inserting the "Vary: Accept-Encoding" response header.
  Default: 'off'

default['firezone']['nginx']['gzip_buffers']
  Sets the number and size of buffers used to compress a response. If nil, the nginx default is used.
  Default: nil

default['firezone']['nginx']['gzip_types']
  MIME types to enable gzip compression for.
  Default: ['text/plain', 'text/css', 'application/x-javascript', 'text/xml', 'application/xml', 'application/rss+xml', 'application/atom+xml', 'text/javascript', 'application/javascript', 'application/json']

default['firezone']['nginx']['gzip_min_length']
  Minimum file length to enable gzip compression for.
  Default: 1000

default['firezone']['nginx']['gzip_disable']
  User-agent matcher to disable gzip compression for.
  Default: 'MSIE [1-6]\.'

default['firezone']['nginx']['keepalive']
  Activates the cache for connections to upstream servers.
  Default: 'on'

default['firezone']['nginx']['keepalive_timeout']
  Timeout in seconds for keepalive connections to upstream servers.
  Default: 65

default['firezone']['nginx']['worker_processes']
  Number of nginx worker processes.
  Default: node['cpu'] && node['cpu']['total'] ? node['cpu']['total'] : 1

default['firezone']['nginx']['worker_connections']
  Maximum number of simultaneous connections that can be opened by a worker process.
  Default: 1024

default['firezone']['nginx']['worker_rlimit_nofile']
  Changes the limit on the maximum number of open files for worker processes. Uses the nginx default if nil.
  Default: nil

default['firezone']['nginx']['multi_accept']
  Whether workers should accept one connection at a time or multiple.
  Default: true

default['firezone']['nginx']['event']
  Specifies the connection processing method to use within the nginx events context.
  Default: 'epoll'

default['firezone']['nginx']['server_tokens']
  Enables or disables emitting the nginx version on error pages and in the "Server" response header field.
  Default: nil

default['firezone']['nginx']['server_names_hash_bucket_size']
  Sets the bucket size for the server names hash tables.
  Default: 64

default['firezone']['nginx']['sendfile']
  Enables or disables the use of nginx's sendfile().
  Default: 'on'

default['firezone']['nginx']['access_log_options']
  Sets nginx access log options.
  Default: nil

default['firezone']['nginx']['error_log_options']
  Sets nginx error log options.
  Default: nil

default['firezone']['nginx']['disable_access_log']
  Disables the nginx access log.
  Default: false

default['firezone']['nginx']['types_hash_max_size']
  nginx types hash max size.
  Default: 2048

default['firezone']['nginx']['types_hash_bucket_size']
  nginx types hash bucket size.
  Default: 64

default['firezone']['nginx']['proxy_read_timeout']
  nginx proxy read timeout. Set to nil to use the nginx default.
  Default: nil

default['firezone']['nginx']['client_body_buffer_size']
  nginx client body buffer size. Set to nil to use the nginx default.
  Default: nil

default['firezone']['nginx']['client_max_body_size']
  nginx client max body size.
  Default: '250m'

default['firezone']['nginx']['default']['modules']
  Specify additional nginx modules.
  Default: []

default['firezone']['nginx']['enable_rate_limiting']
  Enable or disable nginx rate limiting.
  Default: true

default['firezone']['nginx']['rate_limiting_zone_name']
  nginx rate limiting zone name.
  Default: 'firezone'

default['firezone']['nginx']['rate_limiting_backoff']
  nginx rate limiting backoff.
  Default: '10m'

default['firezone']['nginx']['rate_limit']
  nginx rate limit.
  Default: '10r/s'

default['firezone']['nginx']['ipv6']
  Allow nginx to listen for HTTP requests on IPv6 in addition to IPv4.
  Default: true

default['firezone']['postgresql']['enabled']
  Enable or disable the bundled Postgresql. Set to false and fill out the database options below to use your own Postgresql instance.
  Default: true

default['firezone']['postgresql']['username']
  Username for Postgresql.
  Default: node['firezone']['user']

default['firezone']['postgresql']['data_directory']
  Postgresql data directory.
  Default: "#{node['firezone']['var_directory']}/postgresql/13.3/data"

default['firezone']['postgresql']['log_directory']
  Postgresql log directory.
  Default: "#{node['firezone']['log_directory']}/postgresql"

default['firezone']['postgresql']['log_rotation']['file_maxbytes']
  Postgresql log file max size before it is rotated.
  Default: 104857600

default['firezone']['postgresql']['log_rotation']['num_to_keep']
  Number of Postgresql log files to keep.
  Default: 10

default['firezone']['postgresql']['checkpoint_completion_target']
  Postgresql checkpoint completion target.
  Default: 0.5

default['firezone']['postgresql']['checkpoint_segments']
  Number of Postgresql checkpoint segments.
  Default: 3

default['firezone']['postgresql']['checkpoint_timeout']
  Postgresql checkpoint timeout.
  Default: '5min'

default['firezone']['postgresql']['checkpoint_warning']
  Postgresql checkpoint warning time in seconds.
  Default: '30s'

default['firezone']['postgresql']['effective_cache_size']
  Postgresql effective cache size.
  Default: '128MB'

default['firezone']['postgresql']['listen_address']
  Postgresql listen address.
  Default: '127.0.0.1'

default['firezone']['postgresql']['max_connections']
  Postgresql max connections.
  Default: 350

default['firezone']['postgresql']['md5_auth_cidr_addresses']
  Postgresql CIDRs to allow for md5 auth.
  Default: ['127.0.0.1/32', '::1/128']

default['firezone']['postgresql']['port']
  Postgresql listen port.
  Default: 15432

default['firezone']['postgresql']['shared_buffers']
  Postgresql shared buffers size.
  Default: "#{(node['memory']['total'].to_i / 4) / 1024}MB"

default['firezone']['postgresql']['shmmax']
  Postgresql shmmax in bytes.
  Default: 17179869184

default['firezone']['postgresql']['shmall']
  Postgresql shmall in bytes.
  Default: 4194304

default['firezone']['postgresql']['work_mem']
  Postgresql working memory size.
  Default: '8MB'

default['firezone']['database']['user']
  Specifies the username Firezone will use to connect to the DB.
  Default: node['firezone']['postgresql']['username']

default['firezone']['database']['password']
  If using an external DB, specifies the password Firezone will use to connect to the DB.
  Default: 'change_me'

default['firezone']['database']['name']
  Database that Firezone will use. Will be created if it does not exist.
  Default: 'firezone'

default['firezone']['database']['host']
  Database host that Firezone will connect to.
  Default: node['firezone']['postgresql']['listen_address']

default['firezone']['database']['port']
  Database port that Firezone will connect to.
  Default: node['firezone']['postgresql']['port']

default['firezone']['database']['pool']
  Database pool size Firezone will use.
  Default: [10, Etc.nprocessors].max

default['firezone']['database']['ssl']
  Whether to connect to the database over SSL.
  Default: false

default['firezone']['database']['ssl_opts']
  Hash of options to send to the :ssl_opts option when connecting over SSL. See the Ecto.Adapters.Postgres documentation.
  Default: {}

default['firezone']['database']['parameters']
  Hash of parameters to send to the :parameters option when connecting to the database. See the Ecto.Adapters.Postgres documentation.
  Default: {}

default['firezone']['database']['extensions']
  Database extensions to enable.
  Default: { 'plpgsql' => true, 'pg_trgm' => true }

default['firezone']['phoenix']['enabled']
  Enable or disable the Firezone web application.
  Default: true

default['firezone']['phoenix']['listen_address']
  Firezone web application listen address. This will be the upstream listen address that nginx proxies to.
  Default: '127.0.0.1'

default['firezone']['phoenix']['port']
  Firezone web application listen port. This will be the upstream port that nginx proxies to.
  Default: 13000

default['firezone']['phoenix']['log_directory']
  Firezone web application log directory.
  Default: "#{node['firezone']['log_directory']}/phoenix"

default['firezone']['phoenix']['log_rotation']['file_maxbytes']
  Firezone web application log file size.
  Default: 104857600

default['firezone']['phoenix']['log_rotation']['num_to_keep']
  Number of Firezone web application log files to keep.
  Default: 10

default['firezone']['phoenix']['crash_detection']['enabled']
  Enable or disable bringing the Firezone web application down when a crash is detected.
  Default: true

default['firezone']['phoenix']['external_trusted_proxies']
  List of trusted reverse proxies, formatted as an Array of IPs and/or CIDRs.
  Default: []

default['firezone']['phoenix']['private_clients']
  List of private network HTTP clients, formatted as an Array of IPs and/or CIDRs.
  Default: []

default['firezone']['wireguard']['enabled']
  Enable or disable bundled WireGuard management.
  Default: true

default['firezone']['wireguard']['log_directory']
  Log directory for bundled WireGuard management.
  Default: "#{node['firezone']['log_directory']}/wireguard"

default['firezone']['wireguard']['log_rotation']['file_maxbytes']
  WireGuard log file max size.
  Default: 104857600

default['firezone']['wireguard']['log_rotation']['num_to_keep']
  Number of WireGuard log files to keep.
  Default: 10

default['firezone']['wireguard']['interface_name']
  WireGuard interface name. Changing this parameter may cause a temporary loss of VPN connectivity.
  Default: 'wg-firezone'

default['firezone']['wireguard']['port']
  WireGuard listen port.
  Default: 51820

default['firezone']['wireguard']['mtu']
  WireGuard interface MTU for this server and for device configurations.
  Default: 1280

default['firezone']['wireguard']['endpoint']
  WireGuard Endpoint to use for generating device configurations. If nil, defaults to the server's public IP address.
  Default: nil

default['firezone']['wireguard']['dns']
  WireGuard DNS to use for generated device configurations.
  Default: '1.1.1.1, 1.0.0.1'

default['firezone']['wireguard']['allowed_ips']
  WireGuard AllowedIPs to use for generated device configurations.
  Default: '0.0.0.0/0, ::/0'

default['firezone']['wireguard']['persistent_keepalive']
  Default PersistentKeepalive setting for generated device configurations. A value of 0 disables it.
  Default: 0

default['firezone']['wireguard']['ipv4']['enabled']
  Enable or disable IPv4 for the WireGuard network.
  Default: true

default['firezone']['wireguard']['ipv4']['masquerade']
  Enable or disable masquerading for packets leaving the IPv4 tunnel.
  Default: true

default['firezone']['wireguard']['ipv4']['network']
  WireGuard IPv4 network address pool.
  Default: '10.3.2.0/24'

default['firezone']['wireguard']['ipv4']['address']
  WireGuard interface IPv4 address. Must be within the WireGuard address pool.
  Default: '10.3.2.1'

default['firezone']['wireguard']['ipv6']['enabled']
  Enable or disable IPv6 for the WireGuard network.
  Default: true

default['firezone']['wireguard']['ipv6']['masquerade']
  Enable or disable masquerading for packets leaving the IPv6 tunnel.
  Default: true

default['firezone']['wireguard']['ipv6']['network']
  WireGuard IPv6 network address pool.
  Default: 'fd00::3:2:0/120'

default['firezone']['wireguard']['ipv6']['address']
  WireGuard interface IPv6 address. Must be within the IPv6 address pool.
  Default: 'fd00::3:2:1'

default['firezone']['runit']['svlogd_bin']
  Runit svlogd bin location.
  Default: "#{node['firezone']['install_directory']}/embedded/bin/svlogd"

default['firezone']['ssl']['directory']
  SSL directory for storing generated certificates.
  Default: '/var/opt/firezone/ssl'

default['firezone']['ssl']['email_address']
  Email address to use for self-signed certificates and ACME protocol renewal notices.
  Default: 'you@example.com'

default['firezone']['ssl']['acme']['enabled']
  Enable ACME for automatic SSL certificate provisioning. Disable this to prevent nginx from listening on port 80. See here for more instructions.
  Default: false

default['firezone']['ssl']['acme']['server']
  ACME server to use for certificate issuance/renewal. Can be any valid acme.sh server.
  Default: letsencrypt

default['firezone']['ssl']['acme']['keylength']
  Specify key type and length for SSL certificates. See here.
  Default: ec-256

default['firezone']['ssl']['certificate']
  Path to the certificate file for your FQDN. Overrides the ACME setting above if specified. If both ACME and this are nil, a self-signed certificate will be generated.
  Default: nil

default['firezone']['ssl']['certificate_key']
  Path to the certificate key file.
  Default: nil

default['firezone']['ssl']['ssl_dhparam']
  nginx ssl dh_param.
  Default: nil

default['firezone']['ssl']['country_name']
  Country name for the self-signed certificate.
  Default: 'US'

default['firezone']['ssl']['state_name']
  State name for the self-signed certificate.
  Default: 'CA'

default['firezone']['ssl']['locaity_name']
  Locality name for the self-signed certificate.
  Default: 'San Francisco'

default['firezone']['ssl']['company_name']
  Company name for the self-signed certificate.
  Default: 'My Company'

default['firezone']['ssl']['organizational_unit_name']
  Organizational unit name for the self-signed certificate.
  Default: 'Operations'

default['firezone']['ssl']['ciphers']
  SSL ciphers for nginx to use.
  Default: 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'

default['firezone']['ssl']['fips_ciphers']
  SSL ciphers for FIPS mode.
  Default: 'FIPS@STRENGTH:!aNULL:!eNULL'

default['firezone']['ssl']['protocols']
  TLS protocols to use.
  Default: 'TLSv1 TLSv1.1 TLSv1.2'

default['firezone']['ssl']['session_cache']
  SSL session cache.
  Default: 'shared:SSL:4m'

default['firezone']['ssl']['session_timeout']
  SSL session timeout.
  Default: '5m'

default['firezone']['robots_allow']
  nginx robots allow.
  Default: '/'

default['firezone']['robots_disallow']
  nginx robots disallow.
  Default: nil

default['firezone']['outbound_email']['from']
  Outbound email from address.
  Default: nil

default['firezone']['outbound_email']['provider']
  Outbound email service provider.
  Default: nil

default['firezone']['outbound_email']['configs']
  Outbound email provider configs.
  Default: see omnibus/cookbooks/firezone/attributes/default.rb

default['firezone']['telemetry']['enabled']
  Enable or disable anonymized product telemetry.

RUN

default['firezone']]['connectivity_checks']['karti ah']

Daar ama dami adeega hubinta isku xidhka Firezone.

RUN

default['firezone']['connectivity_checks']['interval']

Inta u dhaxaysa hubinta isku xidhka ee ilbidhiqsiyo gudahood.

3_600



________________________________________________________________

 

Files and Directories

Here you will find a list of the files and directories related to a typical Firezone installation. These may change depending on the changes made in your configuration file.



Path                                                  Description
/var/opt/firezone                                     Top-level directory containing data and generated configuration for the services bundled with Firezone.
/opt/firezone                                         Top-level directory containing the built libraries, binaries and runtime files needed by Firezone.
/usr/bin/firezone-ctl                                 firezone-ctl utility for managing your Firezone installation.
/etc/systemd/system/firezone-runsvdir-start.service   systemd unit file for starting the Firezone runsvdir supervisor process.
/etc/firezone                                         Firezone configuration files.



__________________________________________________________

 

Firewall Templates

This page was empty in the documentation.

 

_____________________________________________________________

 

Nftables Firewall Template

The following nftables firewall template can be used to secure the server running Firezone. The template makes a few assumptions; you may need to adjust the rules to suit your use case:

  • The WireGuard interface is named wg-firezone. If this is not correct, change the DEV_WIREGUARD variable to match the ['firezone']['wireguard']['interface_name'] configuration option.
  • The port WireGuard listens on is 51820. If you are not using the default port, change the WIREGUARD_PORT variable.
  • Only the following inbound traffic will be allowed to the server:
    • SSH (TCP port 22)
    • HTTP (TCP port 80)
    • HTTPS (TCP port 443)
    • WireGuard (UDP port WIREGUARD_PORT)
    • UDP traceroute (UDP ports 33434-33524, rate limited to 500/second)
    • ICMP and ICMPv6 (ping/ping responses rate limited to 2000/second)
  • Only the following outbound traffic will be allowed from the server:
    • DNS (UDP and TCP port 53)
    • HTTP (TCP port 80)
    • NTP (UDP port 123)
    • HTTPS (TCP port 443)
    • SMTP submission (TCP port 587)
    • UDP traceroute (UDP ports 33434-33524, rate limited to 500/second)
  • Unmatched traffic will be dropped. The rules used for logging are separated from the rules used to drop traffic and are rate limited. Removing the relevant logging rules will not affect traffic.

Firezone Managed Rules

Firezone configures its own nftables rules to allow or deny traffic to the destinations configured in the web interface and to handle outbound NAT for client traffic.

Applying the firewall template below on an already running server (rather than at boot time) will result in the Firezone rules being cleared. This may have security implications.

To work around this, restart the phoenix service:

firezone-ctl restart phoenix

Base Firewall Template

#!/usr/sbin/nft -f

## Clear/flush all existing rules
flush ruleset

################################ VARIABLES ################################
## Internet/WAN interface name
define DEV_WAN = eth0

## WireGuard interface name
define DEV_WIREGUARD = wg-firezone

## WireGuard listen port
define WIREGUARD_PORT = 51820
############################## VARIABLES END ##############################

# Main inet family filtering table
table inet filter {

  # Rules for forwarded traffic
  # This chain is processed before the Firezone forward chain
  chain forward {
    type filter hook forward priority filter - 5; policy accept
  }

  # Rules for input traffic
  chain input {
    type filter hook input priority filter; policy drop

    ## Allow inbound traffic to the loopback interface
    iif lo \
      accept \
      comment "Allow all traffic in from the loopback interface"

    ## Allow established and related connections
    ct state established,related \
      accept \
      comment "Allow established/related connections"

    ## Allow inbound WireGuard traffic
    iif $DEV_WAN udp dport $WIREGUARD_PORT \
      counter \
      accept \
      comment "Allow inbound WireGuard traffic"

    ## Log and drop new TCP packets that are not SYN
    tcp flags != syn ct state new \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - New !SYN:" \
      comment "Rate limit logging for new connections that do not have the SYN TCP flag set"
    tcp flags != syn ct state new \
      counter \
      drop \
      comment "Drop new connections that do not have the SYN TCP flag set"

    ## Log and drop TCP packets with the invalid fin/syn flag combination
    tcp flags & (fin|syn) == (fin|syn) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - TCP FIN|SIN:" \
      comment "Rate limit logging for TCP packets with invalid fin/syn flag set"
    tcp flags & (fin|syn) == (fin|syn) \
      counter \
      drop \
      comment "Drop TCP packets with invalid fin/syn flag set"

    ## Log and drop TCP packets with the invalid syn/rst flag combination
    tcp flags & (syn|rst) == (syn|rst) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - TCP SYN|RST:" \
      comment "Rate limit logging for TCP packets with invalid syn/rst flag set"
    tcp flags & (syn|rst) == (syn|rst) \
      counter \
      drop \
      comment "Drop TCP packets with invalid syn/rst flag set"

    ## Log and drop invalid TCP flags
    tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - FIN:" \
      comment "Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) < (fin)"
    tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
      counter \
      drop \
      comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) < (fin)"

    ## Log and drop invalid TCP flags
    tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - FIN|PSH|URG:" \
      comment "Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"
    tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
      counter \
      drop \
      comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"

    ## Drop traffic with an invalid connection state
    ct state invalid \
      limit rate 100/minute burst 150 packets \
      log flags all prefix "IN - Invalid:" \
      comment "Rate limit logging for traffic with invalid connection state"
    ct state invalid \
      counter \
      drop \
      comment "Drop traffic with invalid connection state"

    ## Allow IPv4 ping/ping responses but rate limit to 2000 PPS
    ip protocol icmp icmp type { echo-reply, echo-request } \
      limit rate 2000/second \
      counter \
      accept \
      comment "Allow inbound IPv4 echo (ping) limited to 2000 PPS"

    ## Allow all other inbound IPv4 ICMP
    ip protocol icmp \
      counter \
      accept \
      comment "Allow all other IPv4 ICMP"

    ## Allow IPv6 ping/ping responses but rate limit to 2000 PPS
    icmpv6 type { echo-reply, echo-request } \
      limit rate 2000/second \
      counter \
      accept \
      comment "Allow inbound IPv6 echo (ping) limited to 2000 PPS"

    ## Allow all other inbound IPv6 ICMP
    meta l4proto { icmpv6 } \
      counter \
      accept \
      comment "Allow all other IPv6 ICMP"

    ## Allow inbound traceroute UDP ports but limit to 500 PPS
    udp dport 33434-33524 \
      limit rate 500/second \
      counter \
      accept \
      comment "Allow inbound UDP traceroute limited to 500 PPS"

    ## Allow inbound SSH
    tcp dport ssh ct state new \
      counter \
      accept \
      comment "Allow inbound SSH connections"

    ## Allow inbound HTTP and HTTPS
    tcp dport { http, https } ct state new \
      counter \
      accept \
      comment "Allow inbound HTTP and HTTPS connections"

    ## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute
    ## The default policy will be applied to unmatched traffic
    limit rate 60/minute burst 100 packets \
      log prefix "IN - Drop:" \
      comment "Log any unmatched traffic"

    ## Count the unmatched traffic
    counter \
      comment "Count any unmatched traffic"
  }

  # Rules for output traffic
  chain output {
    type filter hook output priority filter; policy drop

    ## Allow outbound traffic to the loopback interface
    oif lo \
      accept \
      comment "Allow all traffic out to the loopback interface"

    ## Allow established and related connections
    ct state established,related \
      counter \
      accept \
      comment "Allow established/related connections"

    ## Allow outbound WireGuard traffic before dropping connections with bad state
    oif $DEV_WAN udp sport $WIREGUARD_PORT \
      counter \
      accept \
      comment "Allow WireGuard outbound traffic"

    ## Drop traffic with an invalid connection state
    ct state invalid \
      limit rate 100/minute burst 150 packets \
      log flags all prefix "OUT - Invalid:" \
      comment "Rate limit logging for traffic with invalid connection state"
    ct state invalid \
      counter \
      drop \
      comment "Drop traffic with invalid connection state"

    ## Allow all outbound IPv4 ICMP
    ip protocol icmp \
      counter \
      accept \
      comment "Allow all IPv4 ICMP types"

    ## Allow all outbound IPv6 ICMP
    meta l4proto { icmpv6 } \
      counter \
      accept \
      comment "Allow all IPv6 ICMP types"

    ## Allow outbound traceroute UDP ports but limit to 500 PPS
    udp dport 33434-33524 \
      limit rate 500/second \
      counter \
      accept \
      comment "Allow outbound UDP traceroute limited to 500 PPS"

    ## Allow outbound HTTP and HTTPS connections
    tcp dport { http, https } ct state new \
      counter \
      accept \
      comment "Allow outbound HTTP and HTTPS connections"

    ## Allow outbound SMTP submission
    tcp dport submission ct state new \
      counter \
      accept \
      comment "Allow outbound SMTP submission"

    ## Allow outbound DNS requests
    udp dport 53 \
      counter \
      accept \
      comment "Allow outbound UDP DNS requests"
    tcp dport 53 \
      counter \
      accept \
      comment "Allow outbound TCP DNS requests"

    ## Allow outbound NTP requests
    udp dport 123 \
      counter \
      accept \
      comment "Allow outbound NTP requests"

    ## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute
    ## The default policy will be applied to unmatched traffic
    limit rate 60/minute burst 100 packets \
      log prefix "OUT - Drop:" \
      comment "Log any unmatched traffic"

    ## Count the unmatched traffic
    counter \
      comment "Count any unmatched traffic"
  }

}

# Main NAT filtering table
table inet nat {

  # Rules for NAT traffic pre-routing
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept
  }

  # Rules for NAT traffic post-routing
  # This chain is processed before the Firezone post-routing chain
  chain postrouting {
    type nat hook postrouting priority srcnat - 5; policy accept
  }

}

Usage

The firewall should be stored in the relevant location for the Linux distribution in use. For Debian/Ubuntu this is /etc/nftables.conf and for RHEL this is /etc/sysconfig/nftables.conf.

nftables.service will need to be configured to start at boot (if not already):

systemctl enable nftables.service

If any changes are made to the firewall template, the syntax can be validated by running the check command:

nft -f /path/to/nftables.conf -c

Make sure to validate that the firewall works as expected, as some nftables features may not be available depending on the release running on the server.
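The template's logging rules tag every dropped or suspicious packet with a prefix such as "IN - Drop:" or "OUT - Drop:", so the kernel log is the place to confirm the ruleset behaves as expected. The following helper is an added example, not part of the Firezone project: it aggregates those entries from constructed sample kernel log lines (documentation addresses, made-up timestamps) by rule prefix, remote peer and destination port.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of kernel log lines (as seen via `journalctl -k`) in the
# format produced by the template's "log prefix" rules. These are made-up
# entries using documentation addresses, not real captures.
SAMPLE_LOG = """\
Jul 22 18:30:39 fz kernel: IN - Drop:IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=51234 DPT=3389 SYN URGP=0
Jul 22 18:30:40 fz kernel: IN - Drop:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=51235 DPT=445 SYN URGP=0
Jul 22 18:30:41 fz kernel: IN - New !SYN:IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=40000 DPT=22 ACK URGP=0
Jul 22 18:30:42 fz kernel: IN - TCP SYN|RST:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=1 DPT=80 SYN RST URGP=0
Jul 22 18:30:43 fz kernel: OUT - Drop:IN= OUT=eth0 SRC=198.51.100.10 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=48812 DPT=25 SYN URGP=0
Jul 22 18:30:44 fz kernel: IN - Invalid:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=52 PROTO=TCP SPT=51236 DPT=443 ACK URGP=0
Jul 22 18:30:45 fz sshd[1234]: Accepted publickey for admin from 198.51.100.77 port 40001
"""

# The template's prefixes end with ":" and no trailing space, so the kernel
# prints the packet fields (IN=... OUT=... SRC=...) right after the colon.
LINE_RE = re.compile(
    r"kernel: (?P<prefix>(?:IN|OUT) - [^:]+:)\s*(?P<fields>IN=.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict for a firewall log line, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "prefix": m.group("prefix"),
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
        "dpt": fields.get("DPT", ""),
    }


def summarize(log_text):
    """Aggregate logged packets by rule prefix, remote peer and PROTO/DPT."""
    by_prefix = Counter()
    by_peer = Counter()
    ports = defaultdict(Counter)  # prefix -> Counter of "PROTO/DPT"
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_prefix[rec["prefix"]] += 1
        # Inbound rules log the remote peer in SRC, outbound rules in DST
        # (e.g. an "OUT - Drop:" to DPT=25: only submission/587 is allowed).
        peer = rec["src"] if rec["prefix"].startswith("IN") else rec["dst"]
        by_peer[peer] += 1
        ports[rec["prefix"]][f'{rec["proto"]}/{rec["dpt"]}'] += 1
    return {"by_prefix": by_prefix, "by_peer": by_peer, "ports": dict(ports)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for prefix, n in report["by_prefix"].most_common():
        print(f"{n:4d}  {prefix:<20} {dict(report['ports'][prefix])}")
    print("top peers:", report["by_peer"].most_common(3))
```

On a live server, feed it the output of journalctl -k instead of SAMPLE_LOG; a persistent "OUT - Drop:" entry usually means a service on the host needs a port that the template does not allow.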



_______________________________________________________________



Telemetry

This document presents an overview of the telemetry Firezone collects from your self-hosted instance and how to disable it.

Why Firezone collects telemetry

Firezone relies on telemetry to prioritize our roadmap and optimize the engineering resources we have to make Firezone better for everyone.

The telemetry we collect aims to answer the following questions:

  • How many people install, use, and stop using Firezone?
  • Which features are the most valuable, and which ones see no use?
  • Which functionality needs the most improvement?
  • When something breaks, what broke, and how can we prevent it from happening in the future?

How we collect telemetry

There are three main places where telemetry is collected in Firezone:

  1. Package telemetry. Includes events such as install, uninstall, and upgrade.
  2. CLI telemetry from firezone-ctl commands.
  3. Product telemetry associated with the web portal.

In each of these three contexts, we capture the minimum amount of data necessary to answer the questions in the section above.

Admin emails are collected only if you explicitly opt in to product updates. Otherwise, personally identifiable information is never collected.

Firezone stores telemetry in a self-hosted PostHog instance running in a private Kubernetes cluster, accessible only by the Firezone team. Here is an example of a telemetry event sent from your Firezone instance to our telemetry server:

{
  "id": "0182272d-0b88-0000-d419-7b9a413713f1",
  "timestamp": "2022-07-22T18:30:39.748000+00:00",
  "event": "fz_http_started",
  "distinct_id": "1ec2e794-1c3e-43fc-a78f-1db6d1a37f54",
  "properties": {
    "$geoip_city_name": "Ashburn",
    "$geoip_continent_code": "NA",
    "$geoip_continent_name": "North America",
    "$geoip_country_code": "US",
    "$geoip_country_name": "United States",
    "$geoip_latitude": 39.0469,
    "$geoip_longitude": -77.4903,
    "$geoip_postal_code": "20149",
    "$geoip_subdivision_1_code": "VA",
    "$geoip_subdivision_1_name": "Virginia",
    "$geoip_time_zone": "America/New_York",
    "$ip": "52.200.241.107",
    "$plugins_deferred": [],
    "$plugins_failed": [],
    "$plugins_succeeded": [
      "GeoIP (3)"
    ],
    "distinct_id": "1zc2e794-1c3e-43fc-a78f-1db6d1a37f54",
    "fqdn": "awsdemo.firezone.dev",
    "kernel_version": "Linux 5.13.0",
    "version": "0.4.6"
  },
  "elements_chain": ""
}

How to disable telemetry

NOTE

The Firezone development team relies on product analytics to make Firezone better for everyone. Leaving telemetry enabled is the single most valuable contribution you can make to Firezone's development. That said, we understand that some users have higher privacy or security requirements and would prefer to disable telemetry altogether. If that's you, keep reading.

Telemetry is enabled by default. To completely disable product telemetry, set the following configuration option to false in /etc/firezone/firezone.rb and run sudo firezone-ctl reconfigure to pick up the change.

default['firezone']['telemetry']['enabled'] = false

That will completely disable all product telemetry.