Step-by-step instructions for deploying Hailbytes VPN with the Firezone GUI can be found here.
Administer: Setting up the server instance is directly related to this section.
User Guides: Helpful documents that teach you how to use Firezone and solve common problems. Refer to this section after the server has been successfully deployed.
Split Tunneling: Use the VPN to send traffic only to specific IP ranges.
Allowlisting: Set a static IP address for the VPN server so it can be used with allowlists.
Reverse Tunnels: Create tunnels between several peers using reverse tunnels.
We are happy to help if you need assistance installing, configuring, or using Hailbytes VPN.
Before users can generate or download device configuration files, Firezone can be configured to require authentication. Users may also need to re-authenticate periodically to keep their VPN connection active.
Although Firezone's default sign-in method is local email and password, it can also be integrated with any standards-compliant OpenID Connect (OIDC) identity provider. Users can then sign in to Firezone using Okta, Google, Azure AD, or a private identity provider.
Integrate a Generic OIDC Provider
The configuration settings Firezone requires to enable SSO through an OIDC provider are shown in the example below. The configuration file is located at /etc/firezone/firezone.rb. Run firezone-ctl reconfigure and firezone-ctl restart to update the application and apply the changes.
# This is an example using Google and Okta as the SSO identity providers.
# Multiple OIDC configurations can be added to the same Firezone instance.
# Firezone can disable a user's VPN if an error is detected while trying
# to refresh their access_token. This is verified to work for Google, Okta, and
# Azure SSO and is used to automatically disconnect a user's VPN if they are removed
# from the OIDC provider. Leave this disabled if your OIDC provider
# has issues refreshing access tokens, as it could unexpectedly interrupt
# a user's VPN session.
default['firezone']['authentication']['disable_vpn_on_oidc_error'] = false
default['firezone']['authentication']['oidc'] = {
  google: {
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    client_id: "<CLIENT_ID>",          # placeholder: your OAuth client ID
    client_secret: "<CLIENT_SECRET>",  # placeholder: your OAuth client secret
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  },
  okta: {
    discovery_document_uri: "https://<OKTA_DOMAIN>/.well-known/openid-configuration", # placeholder: your Okta domain
    client_id: "<CLIENT_ID>",          # placeholder
    client_secret: "<CLIENT_SECRET>",  # placeholder
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Okta"
  }
}
The following configuration settings are required for the integration:
For each OIDC provider, a corresponding pretty URL is created that redirects to the provider's configured sign-in URL. For the sample OIDC configuration above, the URLs are:
Providers we have documentation for:
If your identity provider has a generic OIDC connector and is not listed above, please consult its documentation for information on how to retrieve the required configuration settings.
A setting under Settings/Security can be changed to require periodic re-authentication. This can be used to enforce the requirement that users sign in to Firezone regularly in order to keep their VPN session active.
The session length can be configured to be between one hour and ninety days. Setting this to Never allows VPN sessions of any length. This is the default.
A user must end their VPN session and sign in to the Firezone portal (the URL specified during deployment) to re-authenticate an expired VPN session.
You can re-authenticate your session by following the client-specific instructions found here.
VPN Connection Status
The VPN Connection column of the Users page table shows a user's connection status. These are the connection statuses:
ENABLED – The connection is enabled.
DISABLED – The connection has been disabled by an administrator or by an OIDC refresh failure.
EXPIRED – The connection has been disabled because authentication expired or because the user has not signed in for the first time.
Through its generic OIDC connector, Firezone enables Single Sign-On (SSO) with Google Workspace and Cloud Identity. This guide will show you how to obtain the configuration parameters listed below, which are required for the integration:
1. OAuth Config Screen
If this is the first time you are creating a new OAuth client ID, you will be asked to configure a consent screen.
* Select Internal for the user type. This ensures that only accounts belonging to users in your Google Workspace organization can create device configurations. DO NOT select External unless you want to allow anyone with a valid Google account to create device configurations.
On the App information screen:
2. Create OAuth Client IDs
This section is based on Google's own documentation on setting up OAuth 2.0.
Visit the Google Cloud Console Credentials page, click + Create Credentials and select OAuth client ID.
On the OAuth client ID creation screen:
After creating the OAuth client ID, you will be given a Client ID and Client Secret. These will be used together with the redirect URI in the next step.
Edit /etc/firezone/firezone.rb to include the options below:
# Using Google as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  google: {
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    client_id: "<CLIENT_ID>",          # placeholder: Client ID from step 2
    client_secret: "<CLIENT_SECRET>",  # placeholder: Client Secret from step 2
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  }
}
Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Google button at the root Firezone URL.
Firezone uses its generic OIDC connector to facilitate Single Sign-On (SSO) with Okta. This tutorial will show you how to obtain the configuration parameters listed below, which are required for the integration:
This section of the guide is based on the Okta documentation.
In the Admin Console, go to Applications > Applications and click Create App Integration. Set the Sign-in method to OIDC – OpenID Connect and the Application type to Web Application.
Configure the following settings:
Once the settings are saved, you will be given a Client ID, Client Secret, and Okta Domain. These 3 values will be used in Step 2 to configure Firezone.
Edit /etc/firezone/firezone.rb to include the options below. Your discovery_document_uri will be /.well-known/openid-configuration appended to the end of your okta_domain.
# Using Okta as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  okta: {
    discovery_document_uri: "https://<OKTA_DOMAIN>/.well-known/openid-configuration", # placeholder: Okta Domain from step 1
    client_id: "<CLIENT_ID>",          # placeholder: Client ID from step 1
    client_secret: "<CLIENT_SECRET>",  # placeholder: Client Secret from step 1
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Okta"
  }
}
Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Okta button at the root Firezone URL.
Okta can restrict which users are able to access the Firezone app. Go to the Assignments page of the Firezone App in the Okta Admin Console to do this.
Through its generic OIDC connector, Firezone enables Single Sign-On (SSO) with Azure Active Directory. This guide will show you how to obtain the configuration parameters listed below, which are required for the integration:
This guide is drawn from the Azure Active Directory documentation.
Go to the Azure Active Directory page of the Azure portal. Select the Manage menu option, select New Registration, then register by providing the information below:
After registering, open the application's details and copy the Application (client) ID. This will be the client_id value. Next, open the Endpoints menu to retrieve the OpenID Connect metadata document. This will be the discovery_document_uri value.
Create a new client secret by clicking the Certificates & secrets option under the Manage menu. Copy the client secret; this will be the client_secret value.
Finally, select the API permissions link under the Manage menu, click Add a permission, select Microsoft Graph, and add email, openid, offline_access and profile to the required permissions.
Edit /etc/firezone/firezone.rb to include the options below:
# Using Azure Active Directory as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  azure: {
    discovery_document_uri: "https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration", # placeholder: from the Endpoints menu
    client_id: "<CLIENT_ID>",          # placeholder: Application (client) ID
    client_secret: "<CLIENT_SECRET>",  # placeholder: client secret
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/azure/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Azure"
  }
}
Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Azure button at the root Firezone URL.
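The provider entries above (the generic example, Google, Okta and Azure) all share one shape, and most failed integrations trace back to a placeholder left in the file, a redirect_uri that does not match the provider key or the portal URL, or a scope without offline_access when disable_vpn_on_oidc_error is expected to act on refresh-token failures. The following Ruby script is an added example, not part of Firezone or of this page: it lints a hash shaped like the entries under default['firezone']['authentication']['oidc'] before you run firezone-ctl reconfigure. EXTERNAL_URL and both sample hashes are constructed here; the angle-bracket tokens stand for the values the page leaves blank.

```ruby
# Added example (not Firezone code): lint the provider entries that go under
# default['firezone']['authentication']['oidc'] before running
# `firezone-ctl reconfigure`. Angle-bracket tokens are placeholders.
EXTERNAL_URL = "https://instance-id.yourfirezone.com" # assumed external_url

REQUIRED_KEYS = %i[discovery_document_uri client_id client_secret
                   redirect_uri response_type scope label].freeze
BASE_SCOPES = %w[openid email profile].freeze

# Constructed sample: a filled-in Google entry that should pass.
GOOGLE_OK = {
  discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
  client_id: "constructed-client-id",
  client_secret: "constructed-client-secret",
  redirect_uri: "#{EXTERNAL_URL}/auth/oidc/google/callback/",
  response_type: "code",
  scope: "openid email profile",
  label: "Google"
}.freeze

# Constructed sample: an Okta entry with the placeholders still in it,
# an http redirect, and no offline_access scope.
OKTA_BAD = {
  discovery_document_uri: "https://<OKTA_DOMAIN>/.well-known/openid-configuration",
  client_id: "<CLIENT_ID>",
  client_secret: "<CLIENT_SECRET>",
  redirect_uri: "http://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
  response_type: "code",
  scope: "openid email profile",
  label: "Okta"
}.freeze

# Returns a list of human-readable problems; empty means the entry looks sane.
def lint_oidc_provider(key, cfg, external_url: EXTERNAL_URL, require_offline_access: false)
  problems = []

  REQUIRED_KEYS.each do |k|
    problems << "#{k} is missing or empty" unless cfg[k].is_a?(String) && !cfg[k].empty?
  end

  # Placeholders left in the file mean the provider was never actually set up.
  cfg.each do |k, v|
    problems << "#{k} still holds a placeholder (#{v})" if v.to_s.match?(/<[A-Z_]+>/)
  end

  disc = cfg[:discovery_document_uri].to_s
  unless disc.start_with?("https://") && disc.end_with?("/.well-known/openid-configuration")
    problems << "discovery_document_uri must use https and end in /.well-known/openid-configuration"
  end

  # Firezone's callback path embeds the provider key; the provider side must be
  # registered with exactly this redirect URI, over https.
  expected_redirect = "#{external_url}/auth/oidc/#{key}/callback/"
  unless cfg[:redirect_uri] == expected_redirect
    problems << "redirect_uri should be #{expected_redirect}"
  end

  problems << 'response_type must be "code"' unless cfg[:response_type] == "code"

  scopes = cfg[:scope].to_s.split
  BASE_SCOPES.each { |s| problems << "scope is missing #{s}" unless scopes.include?(s) }
  if require_offline_access && !scopes.include?("offline_access")
    problems << "scope needs offline_access so a refresh token is issued"
  end

  problems
end

# Lint every provider in the hash; returns { provider_key => [problems] }.
def lint_oidc_config(oidc, **opts)
  oidc.map { |key, cfg| [key, lint_oidc_provider(key, cfg, **opts)] }.to_h
end

if $PROGRAM_NAME == __FILE__
  report = {
    google: lint_oidc_provider(:google, GOOGLE_OK),
    okta: lint_oidc_provider(:okta, OKTA_BAD, require_offline_access: true)
  }
  report.each { |key, probs| puts "#{key}: #{probs.empty? ? 'ok' : probs.join('; ')}" }
end
```

Pass require_offline_access: true only for providers whose refresh-token behaviour you rely on; the Google entry on this page deliberately omits offline_access, so it is linted with the default.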
Azure AD allows administrators to restrict app access to a specific group of users within your company. More information on how to do this can be found in Microsoft's documentation.
Firezone uses Chef Omnibus to manage tasks including release packaging, process supervision, log management, and more.
Ruby code makes up the main configuration file, located at /etc/firezone/firezone.rb. Running sudo firezone-ctl reconfigure after making changes to this file makes Chef pick up the changes and apply them to the running system.
See the configuration file reference for a complete list of configuration variables and their descriptions.
Your Firezone instance can be managed through the firezone-ctl command, as shown below. Most subcommands need to be prefixed with sudo.
root@demo:~# firezone-ctl
omnibus-ctl: command (subcommand)
General Commands:
  cleanse
    Delete *all* firezone data, and start from scratch.
  create-or-reset-admin
    Resets the password for the admin with the email specified by default['firezone']['admin_email'] or creates a new admin if that email doesn't exist.
  help
    Print this help message.
  reconfigure
    Reconfigure the application.
  reset-network
    Resets nftables, WireGuard interface, and routing table back to Firezone defaults.
  show-config
    Show the configuration that would be generated by reconfigure.
  teardown-network
    Removes WireGuard interface and firezone nftables table.
  force-cert-renewal
    Force certificate renewal now even if it hasn't expired.
  stop-cert-renewal
    Removes the cronjob that renews certificates.
  uninstall
    Kill all processes and uninstall the process supervisor (data will be preserved).
  version
    Display current version of Firezone
Service Management Commands:
  graceful-kill
    Attempt a graceful stop, then SIGKILL the entire process group.
  hup
    Send the services a HUP.
  int
    Send the services an INT.
  kill
    Send the services a KILL.
  once
    Start the services if they are down. Do not restart them if they stop.
  restart
    Stop the services if they are running, then start them again.
  service-list
    List all the services (enabled services appear with a *.)
  start
    Start services if they are down, and restart them if they stop.
  status
    Show the status of all the services.
  stop
    Stop the services, and do not restart them.
  tail
    Watch the service logs of all enabled services.
  term
    Send the services a TERM.
  usr1
    Send the services a USR1.
  usr2
    Send the services a USR2.
All VPN sessions must be terminated before upgrading Firezone, which also requires shutting down the Web UI. In case anything goes wrong during the upgrade, we recommend setting aside an hour for maintenance.
To upgrade Firezone, take the following actions:
If any problems arise, please let us know by submitting a support ticket.
There are a few breaking changes and configuration modifications in 0.5.0 that must be addressed. Find out more below.
Nginx no longer supports the force SSL and non-SSL port parameters as of version 0.5.0. Since Firezone requires SSL to function, we recommend removing the bundled Nginx service by setting default['firezone']['nginx']['enabled'] = false and pointing your reverse proxy at the Phoenix application on port 13000 instead (the default).
0.5.0 introduces ACME protocol support for automatically renewing SSL certificates with the bundled Nginx service. To enable it,
The ability to add rules with duplicate destinations is gone in Firezone 0.5.0. Our migration script will automatically recognize these situations during the upgrade to 0.5.0 and keep only the rules whose destination includes the other rule. There is nothing you need to do if this is acceptable.
Otherwise, before upgrading, we recommend changing your rule set to eliminate these situations.
Firezone 0.5.0 removes support for the old-style Okta and Google SSO configuration in favor of the new, more flexible OIDC-based configuration.
If you have any configuration under the default['firezone']['authentication']['okta'] or default['firezone']['authentication']['google'] keys, you need to migrate these to our OIDC-based configuration using the guide below.
Existing Google OAuth configuration
Remove the following lines containing the old Google OAuth configuration from your configuration file located at /etc/firezone/firezone.rb
default['firezone']['authentication']['google']['enabled']
default['firezone']['authentication']['google']['client_id']
default['firezone']['authentication']['google']['client_secret']
default['firezone']['authentication']['google']['redirect_uri']
Then, configure Google as an OIDC provider by following the instructions here.
Existing Okta OAuth configuration
Remove the following lines containing the old Okta OAuth configuration from your configuration file located at /etc/firezone/firezone.rb
default['firezone']['authentication']['okta']['enabled']
default['firezone']['authentication']['okta']['client_id']
default['firezone']['authentication']['okta']['client_secret']
default['firezone']['authentication']['okta']['site']
Then, configure Okta as an OIDC provider by following the instructions here.
Depending on your current setup and version, follow the instructions below:
If you already have an OIDC integration:
For some OIDC providers, upgrading to >= 0.3.16 requires obtaining a refresh token for the offline access scope. Doing so ensures that Firezone stays in sync with the identity provider and that the VPN connection is disabled after a user is deleted. Earlier Firezone releases lacked this feature. In some cases, users who have been deleted from your identity provider may still remain connected to the VPN.
For OIDC providers that support the offline access scope, you must include offline_access in the scope parameter of your OIDC configuration. firezone-ctl reconfigure must be run to apply changes to the Firezone configuration file, located at /etc/firezone/firezone.rb.
For users who have been authenticated by your OIDC provider, you will see the OIDC Connections heading on the user details page of the web UI if Firezone has successfully retrieved the refresh token.
If this does not work, you will need to delete your existing OAuth app and repeat the OIDC setup steps to create a new app integration.
I have an existing OAuth integration
Before 0.3.11, Firezone used pre-configured OAuth2 providers.
Follow the instructions here to migrate to OIDC.
I have not integrated an identity provider
No action is required.
You can follow the instructions here to enable SSO through an OIDC provider.
default['firezone']['external_url'] replaces the previous default['firezone']['fqdn'] configuration option.
Set this to the publicly reachable URL of your Firezone web portal. It defaults to https:// followed by your server's FQDN if left undefined.
The configuration file is located at /etc/firezone/firezone.rb. See the configuration file reference for a complete list of configuration variables and their descriptions.
Firezone no longer keeps device private keys on the Firezone server as of version 0.3.0.
The Firezone Web UI will not let you re-download or view these configurations, but all existing devices that have them should continue to work as they are.
If you are upgrading from Firezone 0.1.x, there are a few configuration file changes that must be addressed manually.
To make the necessary changes to the /etc/firezone/firezone.rb file, run the commands below as root.
cp /etc/firezone/firezone.rb /etc/firezone/firezone.rb.bak
sed -i "s/\['enable'\]/\['enabled'\]/" /etc/firezone/firezone.rb
echo "default['firezone']['connectivity_checks']['enabled'] = true" >> /etc/firezone/firezone.rb
echo "default['firezone']['connectivity_checks']['interval'] = 3_600" >> /etc/firezone/firezone.rb
firezone-ctl reconfigure
firezone-ctl restart
Checking the Firezone logs is a sensible first step for any problem that may occur.
Run sudo firezone-ctl tail to view the Firezone logs.
Most connectivity issues with Firezone are caused by incompatible iptables or nftables rules. You must make sure that any rules you have in effect do not conflict with Firezone's rules.
If your Internet connectivity degrades whenever you activate the WireGuard tunnel, make sure the FORWARD chain allows packets from your WireGuard clients to the destinations you want to allow through Firezone.
If you are using ufw, this can be achieved by ensuring the default routed policy is set to allow:
ubuntu@fz:~$ sudo ufw default allow routed
Default routed policy changed to 'allow'
(be sure to update your rules accordingly)
A ufw status for a typical Firezone configuration may look like this:
ubuntu@fz:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)
We recommend limiting access to the web interface for production and mission-critical deployments, as explained below.
Service | Default Port | Listen Address | Description
--- | --- | --- | ---
Nginx | 80, 443 | all | Public HTTP(S) port for administering Firezone and facilitating authentication.
WireGuard | 51820 | all | Public WireGuard port used for VPN sessions. (UDP)
Postgresql | 15432 | 127.0.0.1 | Local-only port used for the bundled Postgresql server.
Phoenix | 13000 | 127.0.0.1 | Local-only port used by the upstream Elixir app server.
For production and public-facing deployments where a single administrator is responsible for creating and distributing device configurations to end users, we recommend restricting access to Firezone's publicly exposed web UI (ports 443/tcp and 80/tcp by default) and instead managing Firezone over the WireGuard tunnel.
For example, if an administrator has created a device configuration and established a tunnel with the local WireGuard address 10.3.2.2, the following ufw configuration would allow the administrator to reach the Firezone web UI on the server's wg-firezone interface using the default 10.3.2.1 tunnel address:
root@demo:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
Anywhere                   ALLOW IN    10.3.2.2
22/tcp (v6)                ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)
This leaves only 22/tcp exposed for SSH access to manage the server (optional), and 51820/udp exposed so that WireGuard tunnels can be established.
Firezone bundles a Postgresql server and a matching psql utility that can be used from the local shell like so:
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SQL_STATEMENT"
This can be helpful for debugging purposes.
Common tasks:
List all users:
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SELECT * FROM users;"
List all devices:
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SELECT * FROM devices;"
Change a user's role:
Set the role to 'admin' or 'unprivileged':
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "UPDATE users SET role = 'admin' WHERE email = 'user@example.com';"
Back up the database:
In addition, the pg_dump program is included, which can be used to take regular backups of the database. Run this command to dump a copy of the database in the common SQL query format (replace /path/to/backup.sql with the location where the SQL file should be created):
/opt/firezone/embedded/bin/pg_dump \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 > /path/to/backup.sql
After Firezone has been successfully deployed, you must add users to grant them access to your network. The Web UI is used to do this.
By selecting the "Add User" button under /users, you can add a user. You will be asked to provide the user with an email address and a password. To automatically grant access to users in your organization, Firezone can also interface and synchronize with an identity provider. More details are available in Authenticate.
We recommend that users create their own device configurations so that the private key is visible only to them. Users can generate their own device configurations by following the instructions on the Client Instructions page.
All user device configurations can be created by Firezone administrators. On the user profile page located at /users, select the "Add Device" option to do this.
[Insert screenshot]
You can email the user the WireGuard configuration file after creating the device profile.
Users and devices are linked. For more details on how to add a user, see Add Users.
By using the kernel's netfilter system, Firezone enables egress filtering that specifies whether packets are dropped (DROP) or accepted (ACCEPT). All traffic is allowed by default.
IPv4 and IPv6 CIDRs and IP addresses are supported through the Allowlist and Denylist, respectively. You can choose to scope a rule to a user when adding it, which applies the rule to all of that user's devices.
Install and configure
To establish a VPN connection using the native WireGuard client, refer to this guide.
The official WireGuard clients found here are compatible with Firezone:
Visit the official WireGuard website at https://www.wireguard.com/install/ for OS platforms not mentioned above.
Either your Firezone administrator or you yourself can generate the device configuration file using the Firezone portal.
Visit the URL provided by your Firezone administrator to generate the device configuration file. Your company will have a unique URL for this; in this case, it is https://instance-id.yourfirezone.com.
Firezone Okta SSO sign-in
[Insert screenshot]
Import the .conf file into the WireGuard client by opening it. By toggling the Activate switch, you can start the VPN session.
[Insert screenshot]
Follow the instructions below if your network administrator has mandated recurring authentication to keep your VPN connection active.
You need:
Firezone portal URL: Ask your network administrator for the link.
Your network administrator should be able to provide your login and password. The Firezone site will prompt you to sign in using the single sign-on service your employer uses (such as Google or Okta).
[Insert screenshot]
Go to the Firezone portal URL and sign in using the credentials your network administrator provided. If you are already signed in, click the Re-authenticate button before signing back in.
[Insert screenshot]
[Insert screenshot]
To import a WireGuard profile using the Network Manager CLI (nmcli) on Linux devices, follow these instructions.
If the profile has IPv6 support, attempting to import the configuration file using the Network Manager GUI may fail with the following error:
ipv6.method: method "auto" is not supported for WireGuard
The WireGuard userspace tools must be installed. On Linux distributions this is a package called wireguard or wireguard-tools.
For Ubuntu/Debian:
sudo apt install wireguard
For Fedora:
sudo dnf install wireguard-tools
Arch Linux:
sudo pacman -S wireguard-tools
Visit the official WireGuard website at https://www.wireguard.com/install/ for distributions not mentioned above.
Either your Firezone administrator or you yourself can generate the device configuration using the Firezone portal.
Visit the URL provided by your Firezone administrator to generate the device configuration file. Your company will have a unique URL for this; in this case, it is https://instance-id.yourfirezone.com.
[Insert screenshot]
Import the supplied configuration file using nmcli:
sudo nmcli connection import type wireguard file /path/to/configuration.conf
The name of the configuration file will correspond to the WireGuard connection/interface name. After importing, the connection can be renamed if necessary:
nmcli connection modify [old name] connection.id [new name]
From the command line, connect to the VPN like so:
nmcli connection up [vpn name]
To disconnect:
nmcli connection down [vpn name]
The relevant Network Manager applet can also be used to manage the connection if a GUI is in use.
By selecting "yes" for the autoconnect option, the VPN connection can be configured to connect automatically:
nmcli connection modify [vpn name] connection.autoconnect yes
To disable autoconnect, set it back to no:
nmcli connection modify [vpn name] connection.autoconnect no
To enable MFA, go to the Firezone portal's /user_account/register_mfa page. Use your authenticator app to scan the QR code after it is generated, then enter the six-digit code.
Contact your admin to reset your account's access information if you lose your authenticator app.
This tutorial walks you through setting up WireGuard's split tunneling feature with Firezone so that only traffic to specific IP ranges is forwarded through the VPN server.
The IP ranges for which the client routes network traffic through the tunnel are configured in the Allowed IPs field on the /settings/default page. Only WireGuard tunnel configurations newly generated by Firezone are affected by changes to this field.
[Insert screenshot]
The default value is 0.0.0.0/0, ::/0, which routes all network traffic from the client to the VPN server.
Examples of values for this field include:
0.0.0.0/0, ::/0 - all network traffic is routed to the VPN server.
192.0.2.3/32 - only traffic to a single IP address is routed to the VPN server.
3.5.140.0/22 - only traffic to IPs in the 3.5.140.1 - 3.5.143.254 range is routed to the VPN server. In this example, the CIDR range for the AWS ap-northeast-2 region is used.
Firezone selects the egress rule associated with the most specific route first when determining where to route a packet.
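The "most specific route first" rule, as an added Ruby example that is not Firezone's code: it parses an Allowed IPs field, picks the longest matching prefix for a destination, and reports whether that destination would enter the tunnel or stay on the client's normal route. The field values are the examples listed above; the destination addresses are constructed for the demonstration, and the script models the routing decision rather than reading any Firezone state.

```ruby
require "ipaddr"

# Added example (not Firezone code): model the split-tunnel decision for a
# destination given the "Allowed IPs" field, using longest-prefix match.

# Parse "0.0.0.0/0, ::/0"-style text into IPAddr networks.
def parse_allowed_ips(field)
  field.split(",").map(&:strip).reject(&:empty?).map { |cidr| IPAddr.new(cidr) }
end

# The most specific (longest prefix) network containing dest, or nil if none does.
# Families are compared first so an IPv6 default route never "matches" IPv4.
def most_specific_route(allowed, dest)
  ip = IPAddr.new(dest)
  allowed.select { |net| net.family == ip.family && net.include?(ip) }
         .max_by(&:prefix)
end

# true when the client would send traffic for dest into the WireGuard tunnel.
def routed_through_vpn?(field, dest)
  !most_specific_route(parse_allowed_ips(field), dest).nil?
end

# Explain the decision for several destinations:
# { dest => "vpn via <network>/<prefix>" | "direct" }.
def explain_routing(field, dests)
  allowed = parse_allowed_ips(field)
  dests.map do |d|
    route = most_specific_route(allowed, d)
    [d, route ? "vpn via #{route}/#{route.prefix}" : "direct"]
  end.to_h
end

if $PROGRAM_NAME == __FILE__
  # Constructed destinations checked against two of the example field values.
  field = "3.5.140.0/22, 192.0.2.3/32"
  explain_routing(field, %w[3.5.141.7 3.5.144.1 192.0.2.3 192.0.2.4 2001:db8::1]).each do |dest, why|
    puts "#{dest.ljust(14)} #{why}"
  end
end
```

With the default 0.0.0.0/0, ::/0 every destination reports "vpn"; with the /22 example, 3.5.143.254 is inside the range and 3.5.144.1 is the first address outside it, which is exactly the boundary the list above describes.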
Dole ne masu amfani su sake sabunta fayilolin sanyi kuma su ƙara su zuwa abokin cinikin WireGuard na asali don sabunta na'urorin mai amfani da ke akwai tare da sabon tsarin tsagawar rami.
Don umarni, duba ƙara na'urar. <<<< Barcelona Barcelona
Wannan jagorar zai nuna yadda ake haɗa na'urori biyu ta amfani da Firezone azaman gudun ba da sanda. Ɗayan yanayin amfani na yau da kullun shine don baiwa mai gudanarwa damar samun damar sabar, kwantena, ko injin da ke da kariya ta NAT ko Tacewar zaɓi.
Wannan kwatancin yana nuna yanayin madaidaiciyar yanayin inda Na'urori A da B ke gina rami.
[Saka hoton gine-ginen firezone]
Fara da ƙirƙirar Na'ura A da Na'ura B ta kewaya zuwa /users/[user_id]/new_device. A cikin saitunan kowace na'ura, tabbatar an saita sigogi masu zuwa zuwa ƙimar da aka lissafa a ƙasa. Kuna iya saita saitunan na'ura lokacin ƙirƙirar saitin na'urar (duba Ƙara na'urori). Idan kana buƙatar sabunta saituna akan na'urar data kasance, zaka iya yin haka ta hanyar samar da sabon saitin na'urar.
Lura cewa duk na'urori suna da / saituna/shafi na asali inda za'a iya daidaita PersistentKeepalive.
Izinin Izala = 10.3.2.2/32
Wannan shine IP ko kewayon IPs na Na'ura B
DagewaKeepalive = 25
Idan na'urar tana bayan NAT, wannan yana tabbatar da cewa na'urar zata iya kiyaye rami da rai kuma ta ci gaba da karɓar fakiti daga WireGuard interface. Yawanci darajar 25 ta isa, amma kuna iya buƙatar rage wannan ƙimar dangane da yanayin ku.
Izinin Izala = 10.3.2.3/32
Wannan shine IP ko kewayon IPs na Na'ura A
DagewaKeepalive = 25
Wannan misalin yana nuna yanayin da Na'ura A zata iya sadarwa tare da na'urorin B ta D a duka kwatance. Wannan saitin na iya wakiltar injiniya ko mai gudanarwa don samun dama ga albarkatu masu yawa (sabar, kwantena, ko inji) a kan cibiyoyin sadarwa daban-daban.
[Tsarin Architectural] <<<<<<<<<<<<<<<<<<<<<<
Tabbatar cewa an yi waɗannan saitunan a cikin saitunan kowace na'ura zuwa daidaitattun ƙimar. Lokacin ƙirƙirar saitin na'urar, zaku iya saka saitunan na'ura (duba Ƙara na'urori). Ana iya ƙirƙirar sabon tsarin na'ura idan ana buƙatar sabunta saituna akan na'urar data kasance.
Izinin Izala = 10.3.2.3/32, 10.3.2.4/32, 10.3.2.5/32
Wannan shine IP na na'urorin B ta hanyar D. Dole ne a haɗa IPs na na'urorin B zuwa D a cikin kowane kewayon IP da kuka zaɓa don saitawa.
DagewaKeepalive = 25
Wannan yana ba da tabbacin cewa na'urar zata iya kula da rami kuma ta ci gaba da karɓar fakiti daga WireGuard interface koda kuwa NAT tana kiyaye ta. A mafi yawan lokuta, ƙimar 25 ta isa, amma ya danganta da kewayen ku, kuna iya buƙatar rage wannan adadi.
Firezone can be used as a NAT gateway to provide a single, static egress IP for all of your team's traffic to flow from. Common situations where this is used include:
Consulting engagements: ask your client to allowlist a single static IP address instead of each employee's unique device IP.
Using a proxy or masking the source IP for security or privacy reasons.
This post walks through a simple example of restricting access to a self-hosted web application to a single static IP running Firezone. In this illustration, Firezone and the protected resource are in different VPC areas.
This solution is often used instead of managing an IP allowlist for many end users, which becomes time-consuming as the access list grows.
Our objective is to set up a Firezone server on an EC2 instance to redirect VPN traffic to the restricted resource. Here Firezone acts as a network proxy or NAT gateway so that every connected device shares one dedicated public egress IP.
In this case, Firezone is installed on a t2.micro EC2 instance. For information about deploying Firezone, see the Deployment Guide. On the AWS side, make sure that:
The Firezone EC2 instance's security group allows outbound traffic to the protected resource's IP address.
The Firezone instance has an Elastic IP. Traffic forwarded through the Firezone instance to external destinations will have this as its source IP address. In this example, that IP address is 52.202.88.54.
A self-hosted web application serves as the protected resource in this case. The web application can only be reached by requests coming from the IP address 52.202.88.54. Depending on the resource, it may be necessary to allow inbound traffic on various ports and traffic types. This is not covered in this guide.
Inform the third party responsible for the protected resource that traffic from the static IP defined in Step 1 (in this case 52.202.88.54) must be allowed.
By default, all user traffic passes through the VPN server and originates from the static IP configured in Step 1 (in this case 52.202.88.54). However, if split tunneling is enabled, additional configuration may be necessary to ensure the protected resource's destination IP is listed in the Allowed IPs.
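As an added example (not from the Hailbytes or Firezone documentation), the following Python script checks a generated WireGuard device config against both requirements above: that PersistentKeepalive is set (and no higher than 25), and that every address that must reach the tunnel, the reverse-tunnel peers B to D and, for the NAT gateway case with split tunneling, the protected resource, is covered by AllowedIPs. The sample configs, the hostname vpn.example.com and the protected-resource address 203.0.113.10 are constructed.

```python
"""Check a Firezone-generated WireGuard device config for the reverse-tunnel
and split-tunnel requirements: PersistentKeepalive set, and every address that
must reach the tunnel covered by AllowedIPs. Added example; configs are constructed."""
import ipaddress


def parse_wg_conf(text):
    """Minimal INI parser for a WireGuard config -> {section: {key: value}}.
    A Firezone device config has one [Interface] and one [Peer] section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def allowed_networks(peer):
    """Parse the comma-separated AllowedIPs of a [Peer] section."""
    return [ipaddress.ip_network(cidr.strip(), strict=False)
            for cidr in peer.get("AllowedIPs", "").split(",") if cidr.strip()]


def routed_through_tunnel(peer, address):
    """True when traffic to `address` is sent through the WireGuard tunnel,
    i.e. it falls inside at least one AllowedIPs entry."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in allowed_networks(peer))


def check_device_config(text, required_ips, max_keepalive=25):
    """Return a list of findings; an empty list means the config meets both requirements."""
    peer = parse_wg_conf(text).get("Peer", {})
    findings = []
    keepalive = int(peer.get("PersistentKeepalive", 0))
    if keepalive == 0:
        findings.append("PersistentKeepalive is missing or 0: a device behind NAT "
                        "stops receiving packets once the NAT mapping expires")
    elif keepalive > max_keepalive:
        findings.append(f"PersistentKeepalive={keepalive} is above {max_keepalive}; "
                        "the NAT mapping may time out before the next keepalive")
    for address in required_ips:
        if not routed_through_tunnel(peer, address):
            findings.append(f"{address} is not covered by AllowedIPs="
                            f"{peer.get('AllowedIPs', '')!r}; traffic to it bypasses the tunnel")
    return findings


# Constructed device config for device A in the reverse-tunnel setup above.
DEVICE_A_CONF = """\
[Interface]
PrivateKey = REDACTED_BASE64_KEY=
Address = 10.3.2.2/32
DNS = 1.1.1.1, 1.0.0.1

[Peer]
PublicKey = REDACTED_BASE64_KEY=
AllowedIPs = 10.3.2.3/32, 10.3.2.4/32, 10.3.2.5/32
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25
"""

# Constructed split-tunnel config: only the WireGuard subnet is routed and
# no keepalive is set, so a protected resource outside 10.3.2.0/24 is missed.
SPLIT_TUNNEL_CONF = """\
[Interface]
PrivateKey = REDACTED_BASE64_KEY=
Address = 10.3.2.6/32

[Peer]
PublicKey = REDACTED_BASE64_KEY=
AllowedIPs = 10.3.2.0/24
Endpoint = vpn.example.com:51820
"""

REVERSE_TUNNEL_PEERS = ["10.3.2.3", "10.3.2.4", "10.3.2.5"]  # devices B to D
PROTECTED_RESOURCE = "203.0.113.10"  # constructed address of the allowlisted resource

if __name__ == "__main__":
    for name, conf, ips in [("device A", DEVICE_A_CONF, REVERSE_TUNNEL_PEERS),
                            ("split tunnel", SPLIT_TUNNEL_CONF,
                             REVERSE_TUNNEL_PEERS + [PROTECTED_RESOURCE])]:
        print(name, check_device_config(conf, ips) or ["ok"])
```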
Below is a complete list of the configuration options available in /etc/firezone/firezone.rb.
| option | description | default value |
|---|---|---|
| default['firezone']['external_url'] | The URL used to access the web portal of this Firezone instance. | "https://#{node['fqdn'] \|\| node['hostname']}" |
| default['firezone']['config_directory'] | Top-level directory for Firezone configuration. | '/etc/firezone' |
| default['firezone']['install_directory'] | Top-level directory to install Firezone to. | '/opt/firezone' |
| default['firezone']['app_directory'] | Top-level directory to install the Firezone web application to. | "#{node['firezone']['install_directory']}/service/firezone" |
| default['firezone']['log_directory'] | Top-level directory for Firezone logs. | '/var/log/firezone' |
| default['firezone']['var_directory'] | Top-level directory for Firezone runtime files. | '/var/opt/firezone' |
| default['firezone']['user'] | Name of the unprivileged Linux user most services and files will belong to. | 'firezone' |
| default['firezone']['group'] | Name of the Linux group most services and files will belong to. | 'firezone' |
| default['firezone']['admin_email'] | Email address for the initial Firezone user. | "firezone@localhost" |
| default['firezone']['max_devices_per_user'] | Maximum number of devices a user can have. | 10 |
| default['firezone']['allow_unprivileged_device_management'] | Allows non-admin users to create and delete devices. | true |
| default['firezone']['allow_unprivileged_device_configuration'] | Allows non-admin users to modify device configuration. When disabled, prevents unprivileged users from changing all device fields except name and description. | true |
| default['firezone']['egress_interface'] | Interface name where tunneled traffic will exit. If nil, the default route interface will be used. | nil |
| default['firezone']['fips_enabled'] | Enable or disable OpenSSL FIPs mode. | nil |
| default['firezone']['logging']['enabled'] | Enable or disable logging across Firezone. Set to false to disable logging entirely. | true |
| default['enterprise']['name'] | Name used by the Chef 'enterprise' cookbook. | 'firezone' |
| default['firezone']['install_path'] | Install path used by the Chef 'enterprise' cookbook. Should be set to the same as the install_directory above. | node['firezone']['install_directory'] |
| default['firezone']['sysvinit_id'] | Identifier used in /etc/inittab. Must be a unique sequence of 1-4 characters. | 'SUP' |
| default['firezone']['authentication']['local']['enabled'] | Enable or disable local email/password authentication. | true |
| default['firezone']['authentication']['auto_create_oidc_users'] | Automatically create users signing in from OIDC for the first time. Disable to only allow existing users to sign in via OIDC. | true |
| default['firezone']['authentication']['disable_vpn_on_oidc_error'] | Disable a user's VPN if an error is detected trying to refresh their OIDC token. | false |
| default['firezone']['authentication']['oidc'] | OpenID Connect config, in the format {"provider" => [config...]} - See the OpenIDConnect documentation for config examples. | {} |
| default['firezone']['nginx']['enabled'] | Enable or disable the bundled nginx server. | true |
| default['firezone']['nginx']['ssl_port'] | HTTPS listen port. | 443 |
| default['firezone']['nginx']['directory'] | Directory to store Firezone-related nginx virtual host configuration. | "#{node['firezone']['var_directory']}/nginx/etc" |
| default['firezone']['nginx']['log_directory'] | Directory to store Firezone-related nginx log files. | "#{node['firezone']['log_directory']}/nginx" |
| default['firezone']['nginx']['log_rotation']['file_maxbytes'] | File size at which to rotate Nginx log files. | 104857600 |
| default['firezone']['nginx']['log_rotation']['num_to_keep'] | Number of Firezone nginx log files to keep before discarding. | 10 |
| default['firezone']['nginx']['log_x_forwarded_for'] | Whether to log the Firezone nginx x-forwarded-for header. | true |
| default['firezone']['nginx']['hsts_header']['enabled'] | Enable or disable the HSTS header. | true |
| default['firezone']['nginx']['hsts_header']['include_subdomains'] | Enable or disable includeSubDomains for the HSTS header. | true |
| default['firezone']['nginx']['hsts_header']['max_age'] | Max age for the HSTS header. | 31536000 |
| default['firezone']['nginx']['redirect_to_canonical'] | Whether to redirect URLs to the canonical FQDN specified above. | false |
| default['firezone']['nginx']['cache']['enabled'] | Enable or disable the Firezone nginx cache. | false |
| default['firezone']['nginx']['cache']['directory'] | Directory for the Firezone nginx cache. | "#{node['firezone']['var_directory']}/nginx/cache" |
| default['firezone']['nginx']['user'] | Firezone nginx user. | node['firezone']['user'] |
| default['firezone']['nginx']['group'] | Firezone nginx group. | node['firezone']['group'] |
| default['firezone']['nginx']['dir'] | Top-level nginx configuration directory. | node['firezone']['nginx']['directory'] |
| default['firezone']['nginx']['log_dir'] | Top-level nginx log directory. | node['firezone']['nginx']['log_directory'] |
| default['firezone']['nginx']['pid'] | Location for the nginx pid file. | "#{node['firezone']['nginx']['directory']}/nginx.pid" |
| default['firezone']['nginx']['daemon_disable'] | Disable nginx daemon mode so we can monitor it instead. | true |
| default['firezone']['nginx']['gzip'] | Turn nginx gzip compression on or off. | 'on' |
| default['firezone']['nginx']['gzip_static'] | Turn nginx gzip compression on or off for static files. | 'off' |
| default['firezone']['nginx']['gzip_http_version'] | HTTP version to use for serving static files. | '1.0' |
| default['firezone']['nginx']['gzip_comp_level'] | nginx gzip compression level. | '2' |
| default['firezone']['nginx']['gzip_proxied'] | Enables or disables gzipping of responses for proxied requests depending on the request and response. | 'any' |
| default['firezone']['nginx']['gzip_vary'] | Enables or disables inserting the "Vary: Accept-Encoding" response header. | 'off' |
| default['firezone']['nginx']['gzip_buffers'] | Sets the number and size of buffers used to compress a response. If nil, the nginx default is used. | nil |
| default['firezone']['nginx']['gzip_types'] | MIME types to enable gzip compression for. | ['text/plain', 'text/css', 'application/x-javascript', 'text/xml', 'application/xml', 'application/rss+xml', 'application/atom+xml', 'text/javascript', 'application/javascript', 'application/json'] |
| default['firezone']['nginx']['gzip_min_length'] | Minimum file length to enable gzip compression for. | 1000 |
| default['firezone']['nginx']['gzip_disable'] | User agent matcher to disable gzip compression for. | 'MSIE [1-6]\.' |
| default['firezone']['nginx']['keepalive'] | Enables the cache for connections to upstream servers. | 'on' |
| default['firezone']['nginx']['keepalive_timeout'] | Timeout in seconds for keepalive connections to upstream servers. | 65 |
| default['firezone']['nginx']['worker_processes'] | Number of nginx worker processes. | node['cpu'] && node['cpu']['total'] ? node['cpu']['total'] : 1 |
| default['firezone']['nginx']['worker_connections'] | Maximum number of simultaneous connections that a worker process can open. | 1024 |
| default['firezone']['nginx']['worker_rlimit_nofile'] | Changes the limit on the maximum number of open files for worker processes. Uses the nginx default if nil. | nil |
| default['firezone']['nginx']['multi_accept'] | Whether workers should accept one connection at a time or multiple. | true |
| default['firezone']['nginx']['event'] | Specifies the connection processing method to use within the nginx events context. | 'epoll' |
| default['firezone']['nginx']['server_tokens'] | Enables or disables emitting the nginx version on error pages and in the "Server" response header field. | nil |
| default['firezone']['nginx']['server_names_hash_bucket_size'] | Sets the bucket size for the server names hash table. | 64 |
| default['firezone']['nginx']['sendfile'] | Enables or disables the use of nginx's sendfile(). | 'on' |
| default['firezone']['nginx']['access_log_options'] | Sets nginx access log options. | nil |
| default['firezone']['nginx']['error_log_options'] | Sets nginx error log options. | nil |
| default['firezone']['nginx']['disable_access_log'] | Disables the nginx access log. | false |
| default['firezone']['nginx']['types_hash_max_size'] | nginx types hash max size. | 2048 |
| default['firezone']['nginx']['types_hash_bucket_size'] | nginx types hash bucket size. | 64 |
| default['firezone']['nginx']['proxy_read_timeout'] | nginx proxy read timeout. Set to nil to use the nginx default. | nil |
| default['firezone']['nginx']['client_body_buffer_size'] | nginx client body buffer size. Set to nil to use the nginx default. | nil |
| default['firezone']['nginx']['client_max_body_size'] | nginx client max body size. | '250m' |
| default['firezone']['nginx']['default']['modules'] | Specify additional nginx modules. | [] |
| default['firezone']['nginx']['enable_rate_limiting'] | Enable or disable nginx rate limiting. | true |
| default['firezone']['nginx']['rate_limiting_zone_name'] | Nginx rate limiting zone name. | 'firezone' |
| default['firezone']['nginx']['rate_limiting_backoff'] | Nginx rate limiting backoff. | '10m' |
| default['firezone']['nginx']['rate_limit'] | Nginx rate limit. | '10r/s' |
| default['firezone']['nginx']['ipv6'] | Allow nginx to listen for HTTP requests over IPv6 in addition to IPv4. | true |
| default['firezone']['postgresql']['enabled'] | Enable or disable the bundled Postgresql. Set to false and fill in the database options below to use your own Postgresql instance. | true |
| default['firezone']['postgresql']['username'] | Username for Postgresql. | node['firezone']['user'] |
| default['firezone']['postgresql']['data_directory'] | Postgresql data directory. | "#{node['firezone']['var_directory']}/postgresql/13.3/data" |
| default['firezone']['postgresql']['log_directory'] | Postgresql log directory. | "#{node['firezone']['log_directory']}/postgresql" |
| default['firezone']['postgresql']['log_rotation']['file_maxbytes'] | Postgresql log file max size before it is rotated. | 104857600 |
| default['firezone']['postgresql']['log_rotation']['num_to_keep'] | Number of Postgresql log files to keep. | 10 |
| default['firezone']['postgresql']['checkpoint_completion_target'] | Postgresql checkpoint completion target. | 0.5 |
| default['firezone']['postgresql']['checkpoint_segments'] | Number of Postgresql checkpoint segments. | 3 |
| default['firezone']['postgresql']['checkpoint_timeout'] | Postgresql checkpoint timeout. | '5min' |
| default['firezone']['postgresql']['checkpoint_warning'] | Postgresql checkpoint warning time in seconds. | '30s' |
| default['firezone']['postgresql']['effective_cache_size'] | Postgresql effective cache size. | '128MB' |
| default['firezone']['postgresql']['listen_address'] | Postgresql listen address. | '127.0.0.1' |
| default['firezone']['postgresql']['max_connections'] | Postgresql max connections. | 350 |
| default['firezone']['postgresql']['md5_auth_cidr_addresses'] | Postgresql CIDRs to allow for md5 auth. | ['127.0.0.1/32', '::1/128'] |
| default['firezone']['postgresql']['port'] | Postgresql listen port. | 15432 |
| default['firezone']['postgresql']['shared_buffers'] | Postgresql shared buffers size. | "#{(node['memory']['total'].to_i / 4) / 1024}MB" |
| default['firezone']['postgresql']['shmmax'] | Postgresql shmmax in bytes. | 17179869184 |
| default['firezone']['postgresql']['shmall'] | Postgresql shmall in bytes. | 4194304 |
| default['firezone']['postgresql']['work_mem'] | Postgresql working memory size. | '8MB' |
| default['firezone']['database']['user'] | Specifies the username Firezone will use to connect to the DB. | node['firezone']['postgresql']['username'] |
| default['firezone']['database']['password'] | If using an external DB, specifies the password Firezone will use to connect to the DB. | 'change_me' |
| default['firezone']['database']['name'] | Database that Firezone will use. Will be created if it does not exist. | 'firezone' |
| default['firezone']['database']['host'] | Database host that Firezone will connect to. | node['firezone']['postgresql']['listen_address'] |
| default['firezone']['database']['port'] | Database port that Firezone will connect to. | node['firezone']['postgresql']['port'] |
| default['firezone']['database']['pool'] | Database pool size Firezone will use. | [10, Etc.nprocessors].max |
| default['firezone']['database']['ssl'] | Whether to connect to the database over SSL. | false |
| default['firezone']['database']['ssl_opts'] | | {} |
| default['firezone']['database']['parameters'] | | {} |
| default['firezone']['database']['extensions'] | Database extensions to enable. | { 'plpgsql' => true, 'pg_trgm' => true } |
| default['firezone']['phoenix']['enabled'] | Enable or disable the Firezone web application. | true |
| default['firezone']['phoenix']['listen_address'] | Firezone web application listen address. This will be the upstream listen address that nginx proxies to. | '127.0.0.1' |
| default['firezone']['phoenix']['port'] | Firezone web application listen port. This will be the upstream port that nginx proxies to. | 13000 |
| default['firezone']['phoenix']['log_directory'] | Firezone web application log directory. | "#{node['firezone']['log_directory']}/phoenix" |
| default['firezone']['phoenix']['log_rotation']['file_maxbytes'] | Firezone web application log file size. | 104857600 |
| default['firezone']['phoenix']['log_rotation']['num_to_keep'] | Number of Firezone web application log files to keep. | 10 |
| default['firezone']['phoenix']['crash_detection']['enabled'] | Enable or disable bringing down the Firezone web application when a crash is detected. | true |
| default['firezone']['phoenix']['external_trusted_proxies'] | List of trusted reverse proxies, formatted as an Array of IPs and/or CIDRs. | [] |
| default['firezone']['phoenix']['private_clients'] | List of private-network HTTP clients, formatted as an Array of IPs and/or CIDRs. | [] |
| default['firezone']['wireguard']['enabled'] | Enable or disable the bundled WireGuard management. | true |
| default['firezone']['wireguard']['log_directory'] | Log directory for the bundled WireGuard management. | "#{node['firezone']['log_directory']}/wireguard" |
| default['firezone']['wireguard']['log_rotation']['file_maxbytes'] | WireGuard log file max size. | 104857600 |
| default['firezone']['wireguard']['log_rotation']['num_to_keep'] | Number of WireGuard log files to keep. | 10 |
| default['firezone']['wireguard']['interface_name'] | WireGuard interface name. Changing this parameter may cause a temporary loss in VPN connectivity. | 'wg-firezone' |
| default['firezone']['wireguard']['port'] | WireGuard listen port. | 51820 |
| default['firezone']['wireguard']['mtu'] | WireGuard interface MTU for this server and for device configurations. | 1280 |
| default['firezone']['wireguard']['endpoint'] | WireGuard Endpoint to use for generating device configurations. If nil, defaults to the server's public IP address. | nil |
| default['firezone']['wireguard']['dns'] | WireGuard DNS to use for generated device configurations. | '1.1.1.1, 1.0.0.1' |
| default['firezone']['wireguard']['allowed_ips'] | WireGuard AllowedIPs to use for generated device configurations. | '0.0.0.0/0, ::/0' |
| default['firezone']['wireguard']['persistent_keepalive'] | Default PersistentKeepalive setting for generated device configurations. A value of 0 disables it. | 0 |
| default['firezone']['wireguard']['ipv4']['enabled'] | Enable or disable IPv4 for the WireGuard network. | true |
| default['firezone']['wireguard']['ipv4']['masquerade'] | Enable or disable masquerade for packets leaving the IPv4 tunnel. | true |
| default['firezone']['wireguard']['ipv4']['network'] | WireGuard network IPv4 address pool. | '10.3.2.0/24' |
| default['firezone']['wireguard']['ipv4']['address'] | WireGuard interface IPv4 address. Must be within the WireGuard address pool. | '10.3.2.1' |
| default['firezone']['wireguard']['ipv6']['enabled'] | Enable or disable IPv6 for the WireGuard network. | true |
| default['firezone']['wireguard']['ipv6']['masquerade'] | Enable or disable masquerade for packets leaving the IPv6 tunnel. | true |
| default['firezone']['wireguard']['ipv6']['network'] | WireGuard network IPv6 address pool. | 'fd00::3:2:0/120' |
| default['firezone']['wireguard']['ipv6']['address'] | WireGuard interface IPv6 address. Must be within the IPv6 address pool. | 'fd00::3:2:1' |
| default['firezone']['runit']['svlogd_bin'] | Runit svlogd bin location. | "#{node['firezone']['install_directory']}/embedded/bin/svlogd" |
| default['firezone']['ssl']['directory'] | SSL directory for storing generated certificates. | '/var/opt/firezone/ssl' |
| default['firezone']['ssl']['email_address'] | Email address to use for self-signed certificates and ACME protocol renewal notices. | 'you@example.com' |
| default['firezone']['ssl']['acme']['enabled'] | Enable ACME for automatic SSL certificate provisioning. Disable this to prevent Nginx from listening on port 80. See here for more instructions. | false |
| default['firezone']['ssl']['acme']['server'] | | letsencrypt |
| default['firezone']['ssl']['acme']['keylength'] | Specify the key type and length for SSL certificates. See here. | ec-256 |
| default['firezone']['ssl']['certificate'] | Path to the certificate file for your FQDN. Overrides the ACME setting above if specified. If both ACME and this are nil, a self-signed certificate will be generated. | nil |
| default['firezone']['ssl']['certificate_key'] | Path to the certificate key file. | nil |
| default['firezone']['ssl']['ssl_dhparam'] | nginx ssl dh_param. | nil |
| default['firezone']['ssl']['country_name'] | Country name for the self-signed certificate. | 'US' |
| default['firezone']['ssl']['state_name'] | State name for the self-signed certificate. | 'CA' |
| default['firezone']['ssl']['locality_name'] | Locality name for the self-signed certificate. | 'San Francisco' |
| default['firezone']['ssl']['company_name'] | Company name for the self-signed certificate. | 'My Company' |
| default['firezone']['ssl']['organizational_unit_name'] | Organizational unit name for the self-signed certificate. | 'Operations' |
| default['firezone']['ssl']['ciphers'] | SSL ciphers for nginx to use. | 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA' |
| default['firezone']['ssl']['fips_ciphers'] | SSL ciphers for FIPs mode. | 'FIPS@STRENGTH:!aNULL:!eNULL' |
| default['firezone']['ssl']['protocols'] | TLS protocols to use. | 'TLSv1 TLSv1.1 TLSv1.2' |
| default['firezone']['ssl']['session_cache'] | SSL session cache. | 'shared:SSL:4m' |
| default['firezone']['ssl']['session_timeout'] | SSL session timeout. | '5m' |
| default['firezone']['robots_allow'] | nginx robots allow. | '/' |
| default['firezone']['robots_disallow'] | nginx robots disallow. | nil |
| default['firezone']['outbound_email']['from'] | Outbound email from address. | nil |
| default['firezone']['outbound_email']['provider'] | Outbound email service provider. | nil |
| default['firezone']['outbound_email']['configs'] | Outbound email provider configs. | see omnibus/cookbooks/firezone/attributes/default.rb |
| default['firezone']['telemetry']['enabled'] | Enable or disable anonymized product telemetry. | true |
| default['firezone']['connectivity_checks']['enabled'] | Enable or disable the Firezone connectivity check service. | true |
| default['firezone']['connectivity_checks']['interval'] | Interval between connectivity checks in seconds. | 3_600 |
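As an added example, not part of the Hailbytes or Firezone documentation, the following Python script reads a firezone.rb, fills in the defaults from the table above for settings it does not set, and flags the combinations a reviewer would question: TLSv1/TLSv1.1 in ssl.protocols, no ACME and no certificate (a self-signed result), HSTS off, an external database without SSL or with the placeholder password, OIDC configured without disable_vpn_on_oidc_error, and telemetry left on. The sample firezone.rb, its hostnames and the OIDC values in it are constructed.

```python
"""Audit a firezone.rb against the option reference above. Added example, not
Firezone tooling; the sample file and its hostnames/IDs are constructed."""
import re

# Defaults from the table for the settings this audit inspects.
DEFAULTS = {
    ("firezone", "ssl", "protocols"): "TLSv1 TLSv1.1 TLSv1.2",
    ("firezone", "ssl", "acme", "enabled"): False,
    ("firezone", "ssl", "certificate"): None,
    ("firezone", "nginx", "hsts_header", "enabled"): True,
    ("firezone", "postgresql", "enabled"): True,
    ("firezone", "database", "ssl"): False,
    ("firezone", "database", "password"): "change_me",
    ("firezone", "authentication", "oidc"): {},
    ("firezone", "authentication", "disable_vpn_on_oidc_error"): False,
    ("firezone", "telemetry", "enabled"): True,
}

ASSIGNMENT = re.compile(r"^default((?:\[['\"][^'\"\]]+['\"]\])+)\s*=\s*(.+?)\s*$")
KEY = re.compile(r"\[['\"]([^'\"\]]+)['\"]\]")


def ruby_literal(raw):
    """Convert the simple Ruby literals used in firezone.rb to Python values;
    hashes, arrays and interpolated strings are kept as source text."""
    if raw == "nil":
        return None
    if raw in ("true", "false"):
        return raw == "true"
    if raw == "{}":
        return {}
    if raw == "[]":
        return []
    if re.fullmatch(r"-?\d[\d_]*", raw):
        return int(raw.replace("_", ""))
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    return raw


def parse_firezone_rb(text):
    """Return {('firezone', 'ssl', 'protocols'): value, ...} for every default[...] = ... line."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = ASSIGNMENT.match(line)
        if match:
            settings[tuple(KEY.findall(match.group(1)))] = ruby_literal(match.group(2))
    return settings


def audit(settings):
    """Merge parsed settings over DEFAULTS and return a list of findings."""
    cfg = {**DEFAULTS, **settings}

    def get(*path):
        return cfg.get(path)

    findings = []
    weak = [p for p in str(get("firezone", "ssl", "protocols")).split() if p in ("TLSv1", "TLSv1.1")]
    if weak:
        findings.append(f"ssl.protocols still enables {' and '.join(weak)}; "
                        "restrict default['firezone']['ssl']['protocols'] to TLSv1.2 or newer")
    if not get("firezone", "ssl", "acme", "enabled") and get("firezone", "ssl", "certificate") is None:
        findings.append("neither ACME nor ssl.certificate is configured, so nginx serves a "
                        "self-signed certificate that clients cannot verify")
    if not get("firezone", "nginx", "hsts_header", "enabled"):
        findings.append("HSTS header is disabled")
    if not get("firezone", "postgresql", "enabled"):  # external database in use
        if not get("firezone", "database", "ssl"):
            findings.append("external database without database.ssl: credentials and "
                            "data cross the network unencrypted")
        if get("firezone", "database", "password") == "change_me":
            findings.append("database.password is still the placeholder 'change_me'")
    if get("firezone", "authentication", "oidc") and not get("firezone", "authentication", "disable_vpn_on_oidc_error"):
        findings.append("OIDC is configured but disable_vpn_on_oidc_error is false: users removed "
                        "at the identity provider are not disconnected from the VPN automatically")
    if get("firezone", "telemetry", "enabled"):
        findings.append("anonymized product telemetry is enabled (telemetry.enabled = true)")
    return findings


# Constructed /etc/firezone/firezone.rb for an external-database deployment.
SAMPLE_FIREZONE_RB = """\
# Constructed example, not a real deployment
default['firezone']['external_url'] = 'https://vpn.example.com'
default['firezone']['postgresql']['enabled'] = false
default['firezone']['database']['host'] = 'db.internal.example.com'
default['firezone']['database']['password'] = 'change_me'
default['firezone']['authentication']['oidc'] = { "okta" => { "client_id" => "CLIENT_ID_PLACEHOLDER" } }
default['firezone']['telemetry']['enabled'] = false
"""

if __name__ == "__main__":
    for finding in audit(parse_firezone_rb(SAMPLE_FIREZONE_RB)):
        print("-", finding)
```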
________________________________________________________________
Here you will find a list of files and directories related to a typical Firezone installation. These may change depending on changes to your configuration file.

| path | description |
|---|---|
| /var/opt/firezone | Top-level directory containing data and generated configuration for Firezone bundled services. |
| /opt/firezone | Top-level directory containing built libraries, binaries and runtime files needed by Firezone. |
| /usr/bin/firezone-ctl | firezone-ctl utility for managing your Firezone installation. |
| /etc/systemd/system/firezone-runsvdir-start.service | systemd unit file for starting the Firezone runsvdir supervisor process. |
| /etc/firezone | Firezone configuration files. |
__________________________________________________________
The following nftables firewall template can be used to secure the server running Firezone. The template makes some assumptions; you may need to adjust the rules to suit your use case:
Firezone configures its own nftables rules to allow/deny traffic to the destinations configured in the web interface and to handle outbound NAT for client traffic.
Applying the firewall template below on an already running server (not at boot time) will clear the Firezone rules. This may have security implications.
To work around this, restart the phoenix service:

```
firezone-ctl restart phoenix
```
```
#!/usr/sbin/nft -f

## Clear/flush all existing rules
flush ruleset

############################## VARIABLES ##############################
## Internet/WAN interface name
define DEV_WAN = eth0

## WireGuard interface name
define DEV_WIREGUARD = wg-firezone

## WireGuard listen port
define WIREGUARD_PORT = 51820
############################ END VARIABLES ############################

# Main inet family filtering table
table inet filter {

  # Rules for forwarded traffic
  # This chain is processed before the Firezone forward chain
  chain forward {
    type filter hook forward priority filter - 5; policy accept
  }

  # Rules for input traffic
  chain input {
    type filter hook input priority filter; policy drop

    ## Allow inbound traffic to the loopback interface
    iif lo \
      accept \
      comment "Allow all traffic in from the loopback interface"

    ## Allow established and related connections
    ct state established,related \
      accept \
      comment "Allow established/related connections"

    ## Allow inbound WireGuard traffic
    iif $DEV_WAN udp dport $WIREGUARD_PORT \
      counter \
      accept \
      comment "Allow inbound WireGuard traffic"

    ## Log and drop new TCP non-SYN packets
    tcp flags != syn ct state new \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - New !SYN: " \
      comment "Rate limit logging for new connections that do not have the SYN TCP flag set"
    tcp flags != syn ct state new \
      counter \
      drop \
      comment "Drop new connections that do not have the SYN TCP flag set"

    ## Log and drop TCP packets with the invalid fin/syn flag combination set
    tcp flags & (fin|syn) == (fin|syn) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - TCP FIN|SYN: " \
      comment "Rate limit logging for TCP packets with invalid fin/syn flag set"
    tcp flags & (fin|syn) == (fin|syn) \
      counter \
      drop \
      comment "Drop TCP packets with invalid fin/syn flag set"

    ## Log and drop TCP packets with the invalid syn/rst flag combination set
    tcp flags & (syn|rst) == (syn|rst) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - TCP SYN|RST: " \
      comment "Rate limit logging for TCP packets with invalid syn/rst flag set"
    tcp flags & (syn|rst) == (syn|rst) \
      counter \
      drop \
      comment "Drop TCP packets with invalid syn/rst flag set"

    ## Log and drop invalid TCP flags
    tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - FIN: " \
      comment "Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) < (fin)"
    tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
      counter \
      drop \
      comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) < (fin)"

    ## Log and drop invalid TCP flags
    tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - FIN|PSH|URG: " \
      comment "Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"
    tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
      counter \
      drop \
      comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"

    ## Drop traffic with an invalid connection state
    ct state invalid \
      limit rate 100/minute burst 150 packets \
      log flags all prefix "IN - Invalid: " \
      comment "Rate limit logging for traffic with invalid connection state"
    ct state invalid \
      counter \
      drop \
      comment "Drop traffic with invalid connection state"

    ## Allow IPv4 ping/ping responses but rate limit to 2000 PPS
    ip protocol icmp icmp type { echo-reply, echo-request } \
      limit rate 2000/second \
      counter \
      accept \
      comment "Allow inbound IPv4 echo (ping) limited to 2000 PPS"

    ## Allow all other inbound IPv4 ICMP
    ip protocol icmp \
      counter \
      accept \
      comment "Allow all other IPv4 ICMP"

    ## Allow IPv6 ping/ping responses but rate limit to 2000 PPS
    icmpv6 type { echo-reply, echo-request } \
      limit rate 2000/second \
      counter \
      accept \
      comment "Allow inbound IPv6 echo (ping) limited to 2000 PPS"

    ## Allow all other inbound IPv6 ICMP
    meta l4proto { icmpv6 } \
      counter \
      accept \
      comment "Allow all other IPv6 ICMP"

    ## Allow inbound traceroute UDP ports but limit to 500 PPS
    udp dport 33434-33524 \
      limit rate 500/second \
      counter \
      accept \
      comment "Allow inbound UDP traceroute limited to 500 PPS"

    ## Allow inbound SSH
    tcp dport ssh ct state new \
      counter \
      accept \
      comment "Allow inbound SSH connections"

    ## Allow inbound HTTP and HTTPS
    tcp dport { http, https } ct state new \
      counter \
      accept \
      comment "Allow inbound HTTP and HTTPS connections"

    ## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute
    ## The default policy will be applied to unmatched traffic
    limit rate 60/minute burst 100 packets \
      log prefix "IN - Drop: " \
      comment "Log any unmatched traffic"

    ## Count the unmatched traffic
    counter \
      comment "Count any unmatched traffic"
  }

  # Rules for output traffic
  chain output {
    type filter hook output priority filter; policy drop

    ## Allow outbound traffic to the loopback interface
    oif lo \
      accept \
      comment "Allow all traffic out to the loopback interface"

    ## Allow established and related connections
    ct state established,related \
      counter \
      accept \
      comment "Allow established/related connections"

    ## Allow outbound WireGuard traffic before dropping connections with bad state
    oif $DEV_WAN udp sport $WIREGUARD_PORT \
      counter \
      accept \
      comment "Allow WireGuard outbound traffic"

    ## Drop traffic with an invalid connection state
    ct state invalid \
      limit rate 100/minute burst 150 packets \
      log flags all prefix "OUT - Invalid: " \
      comment "Rate limit logging for traffic with invalid connection state"
    ct state invalid \
      counter \
      drop \
      comment "Drop traffic with invalid connection state"

    ## Allow all other outbound IPv4 ICMP
    ip protocol icmp \
      counter \
      accept \
      comment "Allow all IPv4 ICMP types"

    ## Allow all other outbound IPv6 ICMP
    meta l4proto { icmpv6 } \
      counter \
      accept \
      comment "Allow all IPv6 ICMP types"

    ## Allow outbound traceroute UDP ports but limit to 500 PPS
    udp dport 33434-33524 \
      limit rate 500/second \
      counter \
      accept \
      comment "Allow outbound UDP traceroute limited to 500 PPS"

    ## Allow outbound HTTP and HTTPS connections
    tcp dport { http, https } ct state new \
      counter \
      accept \
      comment "Allow outbound HTTP and HTTPS connections"

    ## Allow outbound SMTP submission
    tcp dport submission ct state new \
      counter \
      accept \
      comment "Allow outbound SMTP submission"

    ## Allow outbound DNS requests
    udp dport 53 \
      counter \
      accept \
      comment "Allow outbound UDP DNS requests"
    tcp dport 53 \
      counter \
      accept \
      comment "Allow outbound TCP DNS requests"

    ## Allow outbound NTP requests
    udp dport 123 \
      counter \
      accept \
      comment "Allow outbound NTP requests"

    ## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute
    ## The default policy will be applied to unmatched traffic
    limit rate 60/minute burst 100 packets \
      log prefix "OUT - Drop: " \
      comment "Log any unmatched traffic"

    ## Count the unmatched traffic
    counter \
      comment "Count any unmatched traffic"
  }
}

# Main NAT filtering table
table inet nat {

  # Rules for NAT traffic pre-routing
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept
  }

  # Rules for NAT traffic post-routing
  # This table is processed before the Firezone post-routing chain
  chain postrouting {
    type nat hook postrouting priority srcnat - 5; policy accept
  }
}
```
The firewall configuration should be stored in the location appropriate for the Linux distribution being run. For Debian/Ubuntu this is /etc/nftables.conf, and for RHEL this is /etc/sysconfig/nftables.conf.
nftables.service will need to be configured to start on boot (if it is not already); to do so, run:
systemctl enable nftables.service
If you make any changes to the firewall template, the syntax can be validated by running the check command:
nft -f /path/to/nftables.conf -c
Be sure to verify that the firewall behaves as expected, since some nftables features may not be available depending on the release running on the server.
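Once the ruleset is active, the final "OUT - Drop: " log rule is where an operator learns what the default policy is actually blocking. The following is an added example, not part of the Firezone template: it parses the kernel log lines that rule emits (the standard nf_log key=value format) and aggregates them by protocol, destination and port, so a legitimate service that needs its own accept rule can be told apart from unexpected outbound traffic. The log lines are constructed sample input, not real captures.

```python
"""Summarise what the egress firewall's default policy is dropping.

Added example (not Firezone's own tooling). It reads kernel log lines
produced by the template's `log prefix "OUT - Drop: "` rule and counts
dropped packets per (protocol, destination, destination port).
"""
import re
from collections import Counter
from typing import Optional

# Constructed sample lines in the nf_log format that `log prefix` produces.
# The hostname "fz", addresses and ports are made up for illustration.
SAMPLE_LOG = """\
Jul 22 18:30:39 fz kernel: OUT - Drop: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=51000 DPT=5432 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 22 18:30:40 fz kernel: OUT - Drop: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=51001 DPT=5432 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 22 18:30:41 fz kernel: OUT - Drop: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1236 DF PROTO=UDP SPT=40000 DPT=4444 LEN=20
Jul 22 18:30:42 fz sshd[812]: Accepted publickey for admin from 10.0.0.9 port 50022 ssh2
"""

# Everything after the log prefix is a run of KEY=VALUE tokens; bare flags
# such as DF or SYN carry no "=" and are simply skipped by KV_RE.
LINE_RE = re.compile(r"OUT - Drop: (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_drop(line: str) -> Optional[dict]:
    """Return the key=value fields of one 'OUT - Drop:' line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return dict(KV_RE.findall(m.group("fields")))


def summarise_drops(log_text: str) -> Counter:
    """Count dropped packets per (PROTO, DST, DPT) across a log excerpt."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        fields = parse_drop(line)
        if fields is None:  # not a firewall drop line (e.g. sshd noise)
            continue
        key = (fields.get("PROTO", "?"), fields.get("DST", "?"), fields.get("DPT", "-"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (proto, dst, dport), n in summarise_drops(SAMPLE_LOG).most_common():
        print(f"{proto:4} -> {dst}:{dport}  {n} dropped")
```

Feed it `journalctl -k` output on the server; repeated drops to one port usually mean a service the template needs an explicit accept rule for, while a single destination with many ports is worth a closer look.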
_______________________________________________________________
This document presents an overview of the telemetry Firezone collects from your self-hosted instance and how to disable it.
Firezone relies on telemetry to prioritize our roadmap and to make the best use of the engineering resources we have to make Firezone better for everyone.
The telemetry we collect aims to answer the following questions:
There are three main places telemetry is collected in Firezone:
In each of these three contexts, we capture the minimum amount of data necessary to answer the questions in the section above.
The admin email is collected only if you explicitly opt in to product updates. Otherwise, personally identifiable information is never collected.
Firezone stores telemetry in a self-hosted instance of PostHog running in a private Kubernetes cluster that only the Firezone team can access. Here is an example of a telemetry event sent from your Firezone instance to our telemetry server:
{
  "id": "0182272d-0b88-0000-d419-7b9a413713f1",
  "timestamp": "2022-07-22T18:30:39.748000+00:00",
  "event": "fz_http_started",
  "distinct_id": "1ec2e794-1c3e-43fc-a78f-1db6d1a37f54",
  "properties": {
    "$geoip_city_name": "Ashburn",
    "$geoip_continent_code": "NA",
    "$geoip_continent_name": "North America",
    "$geoip_country_code": "US",
    "$geoip_country_name": "United States",
    "$geoip_latitude": 39.0469,
    "$geoip_longitude": -77.4903,
    "$geoip_postal_code": "20149",
    "$geoip_subdivision_1_code": "VA",
    "$geoip_subdivision_1_name": "Virginia",
    "$geoip_time_zone": "America/New_York",
    "$ip": "52.200.241.107",
    "$plugins_deferred": [],
    "$plugins_failed": [],
    "$plugins_succeeded": [
      "GeoIP (3)"
    ],
    "distinct_id": "1zc2e794-1c3e-43fc-a78f-1db6d1a37f54",
    "fqdn": "awsdemo.firezone.dev",
    "kernel_version": "Linux 5.13.0",
    "version": "0.4.6"
  },
  "elements_chain": ""
}
NOTE
The Firezone development team relies on product analytics to make Firezone better for everyone. Leaving telemetry enabled is the single most valuable contribution you can make to Firezone's development. That said, we understand that some users have higher privacy or security requirements and would prefer to disable telemetry altogether. If that is you, keep reading.
Telemetry is enabled by default. To disable product telemetry completely, set the following configuration option to false in /etc/firezone/firezone.rb and run sudo firezone-ctl reconfigure to pick up the change.
default['firezone']['telemetry']['enabled'] = false
This will disable all product telemetry completely.
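Because telemetry is on unless that exact line is present and uncommented, a configuration audit should treat a missing or commented-out setting as "enabled". The following is an added example, not Firezone's own tooling: it scans the attribute lines of a firezone.rb file for the setting above, strips Ruby comments, lets the last uncommented assignment win, and falls back to the documented default. The config excerpts are constructed samples.

```python
"""Audit a Firezone config for the product telemetry setting.

Added example (not part of Firezone). Evaluates
default['firezone']['telemetry']['enabled'] the way the page describes:
absent or commented out means the default, which is enabled.
"""
import re

# Matches only the telemetry line; other default[...] attributes are ignored.
SETTING_RE = re.compile(
    r"""^\s*default\['firezone'\]\['telemetry'\]\['enabled'\]\s*=\s*(true|false)\s*$"""
)

# Constructed sample configs (not real firezone.rb files).
SAMPLE_DISABLED = """\
# Firezone configuration
default['firezone']['telemetry']['enabled'] = true   # earlier value
default['firezone']['telemetry']['enabled'] = false  # last assignment wins
"""

SAMPLE_STILL_ENABLED = """\
# The operator meant to disable telemetry but left the line commented out:
# default['firezone']['telemetry']['enabled'] = false
"""


def telemetry_enabled(config_text: str) -> bool:
    """Return True if telemetry would be enabled under this configuration."""
    enabled = True  # Firezone's documented default
    for raw in config_text.splitlines():
        code = raw.split("#", 1)[0]  # drop Ruby line comments
        m = SETTING_RE.match(code)
        if m:
            enabled = m.group(1) == "true"
    return enabled


def audit(path: str) -> str:
    """Human-readable verdict for a config file on disk."""
    with open(path, encoding="utf-8") as fh:
        state = "ENABLED" if telemetry_enabled(fh.read()) else "disabled"
    return f"{path}: product telemetry is {state}"


if __name__ == "__main__":
    print(audit("/etc/firezone/firezone.rb"))
```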