A brief guide to deploying HailBytes VPN with the Firezone GUI is provided here.
Administer: Setting up the server instance is directly related to this.
User Guides: Useful documents that teach you how to use Firezone and resolve common issues. Once the server has been successfully deployed, refer to this section.
Split Tunneling: Use the VPN to send traffic only to specific IP ranges.
Whitelisting: Set the VPN server's static IP address in order to use whitelisting.
Reverse Tunnels: Create tunnels between several peers using reverse tunnels.
We are happy to help if you need assistance deploying, customizing, or using HailBytes VPN.
Before users can create or download device configuration files, Firezone can be configured to require authentication. Users may also be required to re-authenticate periodically in order to keep their VPN connection active.
Although Firezone's default sign-in method is local email and password, it can also be integrated with any standard OpenID Connect (OIDC) identity provider. Users can then sign in to Firezone using their Okta, Google, Azure AD, or private identity provider credentials.
Integrating a Generic OIDC Provider
The configuration settings Firezone requires to allow SSO through an OIDC provider are shown in the example below. The configuration file is at /etc/firezone/firezone.rb. Run firezone-ctl reconfigure and firezone-ctl restart to update the application and apply the changes.
# This is an example using Google and Okta as the SSO identity providers.
# Several OIDC configs can be added to the same Firezone instance.
# Firezone can disable a user's VPN if an error is detected while trying
# to refresh their access_token. This has been verified to work for Google, Okta, and
# Azure SSO and is used to disconnect a user's VPN if they are removed
# from the OIDC provider. Leave this disabled if your OIDC provider
# has trouble refreshing access tokens, as it could unexpectedly interrupt a
# user's VPN session.
default['firezone']['authentication']['disable_vpn_on_oidc_error'] = false
default['firezone']['authentication']['oidc'] = {
  google: {
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    client_id: "",
    client_secret: "",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  },
  okta: {
    discovery_document_uri: "https://<okta_domain>/.well-known/openid-configuration",
    client_id: "",
    client_secret: "",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Okta"
  }
}
The following settings are required for the integration:
For each OIDC provider, a corresponding URL is generated for redirecting to the provider's sign-in URL. For the example OIDC config above, the URLs are:
The providers we have documentation for:
If your identity provider has a generic OIDC connector and is not listed above, please consult their documentation for how to obtain the required configuration settings.
The setting under settings/security can be changed to require periodic re-authentication. This can be used to enforce the requirement that users sign in to Firezone regularly in order to continue their VPN session.
The session length can be configured to between one hour and ninety days. Setting this to Never allows VPN sessions at any time. This is the default.
A user must disconnect their VPN session and sign in to the Firezone portal (the URL specified during deployment) to re-authenticate an expired VPN session.
You can re-authenticate your session by following the exact client instructions found here.
VPN Connection Status
The VPN Connection column of the table on the users page shows a user's connection status. These are the connection statuses:
ENABLED - The connection is enabled.
DISABLED - The connection has been disabled by an administrator or by an OIDC refresh failure.
EXPIRED - The connection is disabled because authentication has expired or the user has never signed in.
Through its generic OIDC connector, Firezone enables Single Sign-On (SSO) with Google Workspace and Cloud Identity. This guide will show you how to obtain the configuration settings listed below, which are required for the integration:
1. OAuth Config Screen
If this is the first time you are creating a new OAuth client ID, you will be asked to configure the consent screen.
* Select Internal for the user type. This ensures that only accounts belonging to users in your Google Workspace organization can create device configs. Do NOT select External unless you want to let anyone with a valid Google Account create device configs.
On the App information screen:
2. Create OAuth Client IDs
This section is based on Google's own documentation on setting up OAuth 2.0.
Visit the Google Cloud Console Credentials page, click + Create Credentials and select OAuth client ID.
On the OAuth client ID creation screen:
After creating the OAuth client ID, you will be given a Client ID and Client Secret. These will be used together with the redirect URI in the next step.
Edit /etc/firezone/firezone.rb to include the options below:
# Using Google as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  google: {
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    client_id: "",
    client_secret: "",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  }
}
Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Google button at the root Firezone URL.
Firezone uses the generic OIDC connector to support Single Sign-On (SSO) with Okta. This guide will show you how to obtain the configuration settings listed below, which are required for the integration:
This section of the guide is based on Okta's documentation.
In the Admin Console, go to Applications > Applications and click Create App Integration. Set the Sign-in method to OIDC - OpenID Connect and the Application type to Web application.
Configure these settings:
Once the settings are saved, you will be given a Client ID, Client Secret, and Okta Domain. These 3 values will be used in Step 2 to configure Firezone.
Edit /etc/firezone/firezone.rb to include the options below. Your discovery_document_uri should be your okta_domain with /.well-known/openid-configuration appended to the end.
# Using Okta as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  okta: {
    discovery_document_uri: "https://<okta_domain>/.well-known/openid-configuration",
    client_id: "",
    client_secret: "",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Okta"
  }
}
Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Okta button at the root Firezone URL.
The users who can access the Firezone app can be restricted from Okta. Go to the Firezone App Integration's Assignments page in your Okta Admin Console to do this.
Through the generic OIDC connector, Firezone enables Single Sign-On (SSO) with Azure Active Directory. This guide will show you how to obtain the configuration settings listed below, which are required for the integration:
This guide is drawn from the Azure Active Directory docs.
Go to the Azure portal's Azure Active Directory page. Select the Manage menu option, select New Registration, then register by providing the following information:
After registering, open the application's details view and copy the Application (client) ID. This will be the client_id value. Next, open the Endpoints menu to retrieve the OpenID Connect metadata document. This will be the discovery_document_uri value.
Create a new client secret by clicking the Certificates & secrets option under the Manage menu. Copy the client secret; this will be the client_secret value.
Finally, select the API permissions link under the Manage menu, click Add a permission, and select Microsoft Graph. Add email, openid, offline_access and profile to the required permissions.
Edit /etc/firezone/firezone.rb to include the options below:
# Using Azure Active Directory as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  azure: {
    discovery_document_uri: "https://login.microsoftonline.com/<tenant_id>/v2.0/.well-known/openid-configuration",
    client_id: "",
    client_secret: "",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/azure/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Azure"
  }
}
Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Azure button at the root Firezone URL.
Azure AD allows administrators to restrict app access to a group of users within your company. Further information on how to do so can be found in Microsoft's documentation.
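Before running firezone-ctl reconfigure, it is worth checking the OIDC block for the mistakes that silently break the login flow: a redirect_uri whose path does not match the provider key, a discovery URL that is not the well-known document, a blank secret, or a scope without openid. The Ruby script below is an added example and not Firezone's own code. It evaluates a firezone.rb-style snippet the same way Chef would (an autovivifying `default` hash) and reports errors and warnings per provider. The sample config embedded in it is constructed, with example.okta.com and placeholder credentials; it applies equally to the generic, Google, Okta and Azure configurations above.

```ruby
# Added example, not Firezone's own code: evaluate the OIDC section of a
# firezone.rb-style attribute file and check the fields the guide requires.

# firezone.rb assigns into `default[...]` like a Chef attribute file, so an
# autovivifying hash lets the file's Ruby run unchanged.
def autoviv
  Hash.new { |h, k| h[k] = autoviv }
end

def load_firezone_config(source)
  default = autoviv
  binding.eval(source)
  default
end

# Returns [errors, warnings]; errors should block a reconfigure.
def check_oidc(config)
  errors = []
  warnings = []
  oidc = config["firezone"]["authentication"]["oidc"]
  errors << "no OIDC provider configured" if oidc.empty?
  oidc.each do |key, prov|
    name = key.to_s
    disc = prov[:discovery_document_uri].to_s
    unless disc.start_with?("https://") && disc.end_with?("/.well-known/openid-configuration")
      errors << "#{name}: discovery_document_uri must be an https URL ending in /.well-known/openid-configuration"
    end
    %i[client_id client_secret].each do |field|
      errors << "#{name}: #{field} is blank" if prov[field].to_s.strip.empty?
    end
    redir = prov[:redirect_uri].to_s
    # The callback path embeds the provider key; a mismatch breaks the login flow.
    unless redir.start_with?("https://") && redir.end_with?("/auth/oidc/#{name}/callback/")
      errors << "#{name}: redirect_uri must be https://<external_url>/auth/oidc/#{name}/callback/"
    end
    errors << "#{name}: response_type must be \"code\"" unless prov[:response_type] == "code"
    scopes = prov[:scope].to_s.split
    errors << "#{name}: scope must include openid" unless scopes.include?("openid")
    # Without a refresh token Firezone cannot notice that a user was revoked.
    warnings << "#{name}: scope lacks offline_access; token refresh may not work" unless scopes.include?("offline_access")
    errors << "#{name}: label is blank" if prov[:label].to_s.empty?
  end
  [errors, warnings]
end

# Constructed sample: the Okta entry is well formed, the Google entry has
# a blank secret and a plain-http redirect_uri.
SAMPLE_CONFIG = <<~RUBY
  default['firezone']['authentication']['disable_vpn_on_oidc_error'] = false
  default['firezone']['authentication']['oidc'] = {
    okta: {
      discovery_document_uri: "https://example.okta.com/.well-known/openid-configuration",
      client_id: "0oa-example",
      client_secret: "not-a-real-secret",
      redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
      response_type: "code",
      scope: "openid email profile offline_access",
      label: "Okta"
    },
    google: {
      discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
      client_id: "example.apps.googleusercontent.com",
      client_secret: "",
      redirect_uri: "http://instance-id.yourfirezone.com/auth/oidc/google/callback/",
      response_type: "code",
      scope: "openid email profile",
      label: "Google"
    }
  }
RUBY

if __FILE__ == $PROGRAM_NAME
  errors, warnings = check_oidc(load_firezone_config(SAMPLE_CONFIG))
  errors.each { |e| puts "ERROR   #{e}" }
  warnings.each { |w| puts "WARNING #{w}" }
end
```

To check a real file, replace SAMPLE_CONFIG with File.read("/etc/firezone/firezone.rb"). The missing offline_access check is reported as a warning rather than an error because the Google example above deliberately omits that scope.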
The Chef Omnibus package used by Firezone handles tasks such as package releases, process supervision, log management, and more.
Ruby code makes up the main configuration file, located at /etc/firezone/firezone.rb. Running sudo firezone-ctl reconfigure after making changes to this file causes Chef to pick up the changes and apply them to the current installation.
See the configuration file reference for a complete list of configuration variables and their descriptions.
Your Firezone instance can be managed through the firezone-ctl command, as shown below. Most commands need to be prefixed with sudo.
root@demo:~# firezone-ctl
omnibus-ctl: command (subcommand)
General Commands:
  cleanse
    Delete *all* firezone data, and start from scratch.
  create-or-reset-admin
    Resets the password for the admin with the email specified by default['firezone']['admin_email'] or creates a new admin if that email doesn't exist.
  help
    Print this help message.
  reconfigure
    Reconfigure the application.
  reset-network
    Resets nftables, WireGuard interface, and routing table back to Firezone defaults.
  show-config
    Show the configuration that would be generated by reconfigure.
  teardown-network
    Removes WireGuard interface and firezone nftables table.
  force-cert-renewal
    Force certificate renewal now even if it hasn't expired.
  stop-cert-renewal
    Removes the cronjob that renews certificates.
  uninstall
    Kill all processes and uninstall the process supervisor (data will be preserved).
  version
    Display current version of Firezone
Service Management Commands:
  graceful-kill
    Attempt a graceful stop, then SIGKILL the entire process group.
  hup
    Send the services a HUP.
  int
    Send the services an INT.
  kill
    Send the services a KILL.
  once
    Start the services if they are down. Do not restart them if they stop.
  restart
    Stop the services if they are running, then start them again.
  service-list
    List all the services (enabled services appear with a *.)
  start
    Start services if they are down, and restart them if they stop.
  status
    Show the status of all the services.
  stop
    Stop the services, and do not restart them.
  tail
    Watch the service logs of all enabled services.
  term
    Send the services a TERM.
  usr1
    Send the services a USR1.
  usr2
    Send the services a USR2.
All VPN sessions must be terminated before upgrading Firezone, which also requires shutting down the Web UI. In case something goes wrong during the upgrade, we recommend setting aside an hour for maintenance.
To upgrade Firezone, perform the following steps:
If any problems arise, please let us know by submitting a support ticket.
There are some breaking changes and modifications in 0.5.0 that need to be addressed. Read more below.
Nginx no longer supports forced SSL and non-SSL ports as of version 0.5.0. Because Firezone requires SSL to function, we recommend disabling the Nginx service by setting default['firezone']['nginx']['enabled'] = false and pointing your reverse proxy to the Phoenix app on port 13000 instead (the default).
0.5.0 introduces ACME protocol support for automatically renewing SSL certificates with the bundled Nginx service. To enable it,
The ability to add rules with duplicate destinations is gone in Firezone 0.5.0. Our migration script will automatically recognize these situations when upgrading to 0.5.0 and keep only the rule whose destination contains the other rule. There is nothing you need to do if this is acceptable.
Otherwise, before upgrading, we recommend changing your rules to eliminate these situations.
Firezone 0.5.0 removes support for the legacy Okta and Google SSO configuration in favor of the new, more flexible OIDC-based configuration.
If you have any configuration under the default['firezone']['authentication']['okta'] or default['firezone']['authentication']['google'] keys, you need to migrate these to our OIDC-based configuration using the guide below.
Migrate an existing Google OAuth configuration
Remove these lines containing the old Google OAuth configs from your configuration file at /etc/firezone/firezone.rb:
default['firezone']['authentication']['google']['enabled']
default['firezone']['authentication']['google']['client_id']
default['firezone']['authentication']['google']['client_secret']
default['firezone']['authentication']['google']['redirect_uri']
Then, configure Google as an OIDC provider by following the steps here.
Migrate an existing Okta OAuth configuration
Remove these lines containing the old Okta OAuth configs from your configuration file at /etc/firezone/firezone.rb:
default['firezone']['authentication']['okta']['enabled']
default['firezone']['authentication']['okta']['client_id']
default['firezone']['authentication']['okta']['client_secret']
default['firezone']['authentication']['okta']['site']
Then, configure Okta as an OIDC provider by following the steps here.
Depending on your current setup and version, follow the instructions below:
If you already have an OIDC integration:
For some OIDC providers, upgrading to >= 0.3.16 requires obtaining a new refresh token with the offline_access scope. This ensures that Firezone stays in sync with the identity provider and that the VPN connection is disabled after a user is removed. Previous Firezone releases lacked this feature, so in some cases users who had been removed from your identity provider could still connect to the VPN.
For OIDC providers that support offline access, it is necessary to include offline_access in the scope parameter of your OIDC config. firezone-ctl reconfigure must be run to apply the changes to the Firezone configuration file, located at /etc/firezone/firezone.rb.
For users authenticated by your OIDC provider, you will see OIDC Connections on the user details page of the web UI if Firezone can successfully retrieve the refresh token.
If this doesn't work, you'll need to delete your existing OAuth app and repeat the OIDC setup steps to create a new app integration.
I have an existing OAuth integration
Prior to 0.3.11, Firezone used pre-configured OAuth2 providers.
Follow these instructions to migrate to OIDC.
I haven't integrated an identity provider
No action is needed.
You can follow these instructions to enable SSO through an OIDC provider.
The default['firezone']['external_url'] configuration option has replaced default['firezone']['fqdn'].
Set this to the URL of your Firezone portal that is reachable by the general public. If left undefined, it will default to https:// plus the FQDN of your server.
The configuration file is located at /etc/firezone/firezone.rb. See the configuration file reference for a complete list of configuration variables and their descriptions.
Firezone no longer stores device private keys on the Firezone server as of version 0.3.0.
The Firezone Web UI won't allow you to re-download or view these configurations, but any existing devices should continue to work as-is.
If you're upgrading from Firezone 0.1.x, there are a few configuration file changes that need to be addressed manually.
To make the necessary modifications to your /etc/firezone/firezone.rb file, run the commands below as root.
cp /etc/firezone/firezone.rb /etc/firezone/firezone.rb.bak
sed -i "s/\['enable'\]/\['enabled'\]/" /etc/firezone/firezone.rb
echo "default['firezone']['connectivity_checks']['enabled'] = true" >> /etc/firezone/firezone.rb
echo "default['firezone']['connectivity_checks']['interval'] = 3_600" >> /etc/firezone/firezone.rb
firezone-ctl reconfigure
firezone-ctl restart
Checking the Firezone logs is a wise first step for any issue that may occur.
Run sudo firezone-ctl tail to view the Firezone logs.
Most connectivity issues with Firezone are caused by incompatible iptables or nftables rules. You need to ensure that any rules you have in place do not conflict with the Firezone rules.
If your Internet connectivity drops every time you activate your WireGuard tunnel, make sure the FORWARD chain allows packets from your WireGuard clients to the destinations you want to allow through Firezone.
If you are using ufw, this can be done by making sure the default routed policy is allow:
ubuntu@fz:~$ sudo ufw default allow routed
Default routed policy changed to 'allow'
(be sure to update your rules accordingly)
A ufw status for a typical Firezone server might look like this:
ubuntu@fz:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)
We recommend restricting access to the web interface for production deployments, as explained below.
Service | Default Port | Listen Address | Description |
Nginx | 80, 443 | all | Public HTTP(S) port for administering Firezone and facilitating authentication. |
WireGuard | 51820 | all | Public WireGuard port used for VPN sessions. (UDP) |
Postgresql | 15432 | 127.0.0.1 | Local-only port used for the bundled Postgresql server. |
Phoenix | 13000 | 127.0.0.1 | Local-only port used by the upstream elixir app server. |
For production and public deployments where a single administrator is responsible for creating and distributing device configurations to end users, we recommend considering restricting access to Firezone's publicly exposed web UI (by default ports 443/tcp and 80/tcp) and instead using the WireGuard tunnel to manage Firezone.
For example, if an administrator created a device configuration and established a tunnel with the local WireGuard address 10.3.2.2, the following ufw configuration would allow the administrator to access the Firezone web UI on the server's wg-firezone interface using the default 10.3.2.1 tunnel address:
root@demo:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
Anywhere                   ALLOW IN    10.3.2.2
22/tcp (v6)                ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)
This would leave only 22/tcp exposed for SSH access to manage the server (optional), and 51820/udp exposed to establish WireGuard tunnels.
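The posture described above (only SSH and the WireGuard port reachable from the Internet, routed traffic allowed) can be checked mechanically rather than by eye. The Ruby script below is an added example and not part of the Firezone docs or project: it parses the text of `ufw status verbose` and reports any port allowed from Anywhere other than 22/tcp and 51820/udp, plus a routed default policy that is not allow. The two status listings embedded in it are constructed to mirror the ones above.

```ruby
# Added example, not from the Firezone docs or project: audit `ufw status
# verbose` output for a Firezone host. Pipe the real output in with
#   sudo ufw status verbose | ruby ufw_audit.rb
# or call audit_ufw on captured text as done at the bottom.

UfwRule = Struct.new(:to, :action, :direction, :from)

def parse_ufw_status(text)
  defaults = {}
  rules = []
  text.each_line do |raw|
    line = raw.strip
    if line.start_with?("Default:")
      # "Default: deny (incoming), allow (outgoing), allow (routed)"
      line.scan(/(\w+) \((\w+)\)/) { |policy, chain| defaults[chain] = policy }
    elsif (m = line.match(/^(.+?)\s{2,}(ALLOW|DENY|REJECT|LIMIT)(?: (IN|OUT|FWD))?\s+(.+)$/))
      rules << UfwRule.new(m[1], m[2], m[3], m[4])
    end
  end
  { defaults: defaults, rules: rules }
end

# Services that may be open to the world on a Firezone host: SSH for
# administration (optional) and the WireGuard UDP port for tunnels.
PUBLIC_OK = ["22/tcp", "51820/udp"].freeze

def audit_ufw(status, public_ok = PUBLIC_OK)
  findings = []
  # WireGuard clients are forwarded through the host, so the routed chain
  # must not default to deny or tunnels will come up with no connectivity.
  unless status[:defaults]["routed"] == "allow"
    findings << "default routed policy is #{status[:defaults]["routed"].inspect}; run: ufw default allow routed"
  end
  status[:rules].each do |r|
    next unless r.action == "ALLOW" && r.direction == "IN"
    next unless r.from.start_with?("Anywhere")
    port = r.to.sub(/ \(v6\)$/, "")
    next if public_ok.include?(port)
    findings << "#{r.to} is allowed from #{r.from}; restrict it to the WireGuard interface"
  end
  findings
end

# Constructed samples mirroring the two listings in this guide.
DEFAULT_STATUS = <<~TXT
  Status: active
  Logging: on (low)
  Default: deny (incoming), allow (outgoing), allow (routed)
  New profiles: skip

  To                         Action      From
  --                         ------      ----
  22/tcp                     ALLOW IN    Anywhere
  80/tcp                     ALLOW IN    Anywhere
  443/tcp                    ALLOW IN    Anywhere
  51820/udp                  ALLOW IN    Anywhere
  22/tcp (v6)                ALLOW IN    Anywhere (v6)
  80/tcp (v6)                ALLOW IN    Anywhere (v6)
  443/tcp (v6)               ALLOW IN    Anywhere (v6)
  51820/udp (v6)             ALLOW IN    Anywhere (v6)
TXT

HARDENED_STATUS = <<~TXT
  Status: active
  Logging: on (low)
  Default: deny (incoming), allow (outgoing), allow (routed)
  New profiles: skip

  To                         Action      From
  --                         ------      ----
  22/tcp                     ALLOW IN    Anywhere
  51820/udp                  ALLOW IN    Anywhere
  Anywhere                   ALLOW IN    10.3.2.2
  22/tcp (v6)                ALLOW IN    Anywhere (v6)
  51820/udp (v6)             ALLOW IN    Anywhere (v6)
TXT

if __FILE__ == $PROGRAM_NAME
  input = $stdin.tty? ? DEFAULT_STATUS : $stdin.read
  findings = audit_ufw(parse_ufw_status(input))
  findings.each { |f| puts "FINDING #{f}" }
  puts "no findings" if findings.empty?
end
```

The rule allowing everything from 10.3.2.2 is not reported because its source is a single tunnel address, not Anywhere; extend PUBLIC_OK if you intentionally expose another service.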
Firezone bundles a Postgresql server and a matching psql utility that can be used from the local shell like so:
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SQL_STATEMENT"
This can be helpful for debugging purposes.
Common tasks:
List all users:
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SELECT * FROM users;"
List all devices:
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SELECT * FROM devices;"
Change a user's role:
Set the role to 'admin' or 'unprivileged':
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "UPDATE users SET role = 'admin' WHERE email = '[email protected]';"
Back up the database:
Also included is the pg_dump utility, which can be used to take regular backups of the database. Run the following command to dump a copy of the database in SQL query format (replace /path/to/backup.sql with the location where the SQL file should be created):
/opt/firezone/embedded/bin/pg_dump \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 > /path/to/backup.sql
After Firezone has been successfully deployed, you will need to add users to grant them access to your network. The Web UI is used to do this.
By selecting the "Add User" button under /users, you can add a user. You will need to provide the user with an email address and password. To grant access to users in your organization automatically, Firezone can also interface and sync with an identity provider. More details are available in Authenticate.
We recommend asking users to generate their own device configurations so that the private key is visible only to them. Users can generate their own device configurations by following the instructions on the Client Instructions page.
All device configurations can also be generated by Firezone admins. On the user's profile page under /users, select the "Add Device" option to do this.
You can email the user the WireGuard configuration file after creating the device profile.
Users and devices are linked. For more information on how to add a user, see Add Users.
Using the kernel's netfilter system, Firezone provides egress filtering capabilities to specify DROP or ACCEPT for packets. All traffic is allowed by default.
The Allowlist and Denylist both support IPv4 and IPv6 CIDRs and IP addresses. You can choose to scope a rule to a user when adding it, which applies the rule to all of that user's devices.
Install and configure
To establish a VPN connection using the native WireGuard client, see the instructions here.
The official WireGuard clients listed here are Firezone compatible:
Visit the WireGuard website at https://www.wireguard.com/install/ for operating systems not mentioned above.
Either your Firezone administrator or you yourself can generate the device configuration file using the Firezone portal.
Visit the URL that your Firezone administrator provided to generate a device configuration file yourself. Your company will have a unique URL for this; in this case, it is https://instance-id.yourfirezone.com.
Sign in to Firezone with Okta SSO
Import the .conf file into the WireGuard client by opening it. By flipping the Activate switch, you can start the VPN session.
Follow the instructions below if your network administrator has mandated periodic re-authentication in order for your VPN connection to keep working.
You will need:
The Firezone portal's URL: ask your network administrator for the link.
Your network administrator should be able to provide your login ID and password. The Firezone site will prompt you to sign in using the single sign-on service your employer uses (such as Google or Okta).
Go to the Firezone portal's URL and sign in using the credentials your network administrator provided. If you are already signed in, click the Re-authenticate button before signing in again.
To import a WireGuard configuration profile using the Network Manager CLI (nmcli) on Linux, follow these instructions.
If the profile has IPv6 support enabled, attempting to import the configuration file using the Network Manager GUI will fail with the following error:
ipv6.method: method "auto" is not supported for WireGuard
It is necessary to install the WireGuard tools. This will be a package called wireguard or wireguard-tools, depending on the Linux distribution.
For Ubuntu/Debian:
sudo apt install wireguard
For Fedora:
sudo dnf install wireguard-tools
For Arch Linux:
sudo pacman -S wireguard-tools
Visit the official WireGuard website at https://www.wireguard.com/install/ for distributions not mentioned above.
Either your Firezone administrator or you yourself can generate the device configuration file using the Firezone portal.
Visit the URL that your Firezone administrator provided to generate a device configuration file yourself. Your company will have a unique URL for this; in this case, it is https://instance-id.yourfirezone.com.
Import the provided configuration file using nmcli:
sudo nmcli connection import type wireguard file /path/to/configuration.conf
The name of the configuration file will be used as the WireGuard connection/interface name. After importing, the connection can be renamed if necessary:
nmcli connection modify [old name] connection.id [new name]
On the command line, connect to the VPN as follows:
nmcli connection up [vpn name]
To disconnect:
nmcli connection down [vpn name]
The applicable Network Manager applet can also be used to manage the connection if you are using a GUI.
By setting the autoconnect option to "yes", the VPN connection can be configured to connect automatically:
nmcli connection modify [vpn name] connection.autoconnect yes
To disable automatic connection, set it back to no:
nmcli connection modify [vpn name] connection.autoconnect no
To enable MFA, go to the Firezone portal's /user_account/register_mfa page. Use your authenticator app to scan the QR code after it has been generated, then enter the six-digit code.
Contact your administrator to reset your account's access information if you lose your authenticator app.
This guide will walk you through the process of setting up WireGuard split tunneling with Firezone so that only traffic to specific IP ranges is forwarded through the VPN server.
The IP ranges to which a client will forward network traffic are configured in the Allowed IPs field on the /settings/default page. Only newly created WireGuard tunnel configurations generated by Firezone will be affected by changes to this field.
The default value is 0.0.0.0/0, ::/0, which routes all network traffic from the client to the VPN server.
Examples of values for this field include:
0.0.0.0/0, ::/0 - all network traffic will be routed to the VPN server.
192.0.2.3/32 - only traffic to a single IP address will be routed to the VPN server.
3.5.140.0/22 - only traffic to IPs in the 3.5.140.0 - 3.5.143.255 range will be routed to the VPN server. In this example, the CIDR range for the ap-northeast-2 AWS region was used.
Firezone selects the egress interface corresponding to the most specific route when determining where to route packets.
Users must regenerate their configuration files and add them to their native WireGuard client in order to update existing client devices with the new split tunnel configuration.
For instructions, see Add Devices.
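To see what a given Allowed IPs value captures before regenerating configs for users, the Ruby script below (an added example, not Firezone's own code) parses the field the way the generated WireGuard config presents it and answers whether a destination goes through the tunnel, using the same longest-prefix match a WireGuard client applies. The three field values come from the examples above; the destinations it tests against are constructed.

```ruby
# Added example, not Firezone's own code: evaluate an Allowed IPs value the
# way a WireGuard client will, to check what a split tunnel setting captures.
require "ipaddr"

# Parse the comma-separated field from /settings/default into IPAddr networks.
def parse_allowed_ips(field)
  field.split(",").map(&:strip).reject(&:empty?).map { |cidr| IPAddr.new(cidr) }
end

# The allowed entry that will carry traffic to dest, or nil when the
# destination stays on the client's normal network path. WireGuard installs
# one route per entry and the kernel picks the most specific one.
def tunnel_route_for(allowed, dest)
  ip = IPAddr.new(dest)
  allowed.select { |net| net.family == ip.family && net.include?(ip) }
         .max_by(&:prefix)
end

def tunneled?(allowed, dest)
  !tunnel_route_for(allowed, dest).nil?
end

# Human-readable span of a CIDR entry, e.g. "3.5.140.0 - 3.5.143.255".
def cidr_span(cidr)
  range = IPAddr.new(cidr).to_range
  "#{range.first} - #{range.last}"
end

# Classify a list of destinations against a field value; handy when deciding
# whether a new office or cloud range has to be added before rollout.
def tunnel_report(field, destinations)
  allowed = parse_allowed_ips(field)
  destinations.to_h { |d| [d, tunneled?(allowed, d)] }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed destinations; the field values are the guide's own examples.
  probes = %w[3.5.141.9 3.5.144.1 192.0.2.3 8.8.8.8 2001:db8::1]
  ["0.0.0.0/0, ::/0", "192.0.2.3/32", "3.5.140.0/22"].each do |field|
    puts "#{field}: #{tunnel_report(field, probes)}"
  end
  puts "3.5.140.0/22 covers #{cidr_span('3.5.140.0/22')}"
end
```

Note that a split tunnel with only IPv4 entries leaves every IPv6 destination outside the tunnel, which the report makes visible for the 2001:db8::1 probe.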
This guide will demonstrate how to connect two devices using Firezone as a relay. One use case is to allow an administrator to access a server, container, or machine that is protected by NAT or a firewall.
This diagram shows a simple scenario in which Devices A and B establish a tunnel.
[Insert firezone architectural diagram]
Start by creating Device A and Device B by navigating to /users/[user_id]/new_device. In the settings for each device, make sure the following parameters are set to the values listed below. You can set device settings when creating the device configuration (see Add Devices). If you need to update the settings on an existing device, you can do so by generating a new device config.
Note that every device has a /settings/default page where PersistentKeepalive can be configured.
Device A:
AllowedIPs = 10.3.2.2/32
This is the IP or range of IPs of Device B
PersistentKeepalive = 25
If the device is behind NAT, this ensures the device is able to keep the tunnel alive and continue to receive packets from the WireGuard interface. Usually a value of 25 is sufficient, but you may need to decrease this value depending on your environment.
Device B:
AllowedIPs = 10.3.2.3/32
This is the IP or range of IPs of Device A
PersistentKeepalive = 25
This example demonstrates a scenario in which Device A can communicate with Devices B through D in both directions. This setup could represent an engineer or administrator accessing multiple resources (servers, containers, or machines) across different networks.
[Architectural Diagram] <<<<<<<<<<<<<<<<<<<<<<
Make sure the following settings are made in each device's configuration, with the corresponding values. When creating the device config, you can specify the device settings (see Add Devices). A new device config can be generated if the settings on an existing device need to be updated.
AllowedIPs = 10.3.2.3/32, 10.3.2.4/32, 10.3.2.5/32
These are the IPs of Devices B through D. The IPs of Devices B through D must be included in whichever IP range you choose to set.
PersistentKeepalive = 25
This ensures the device can maintain the tunnel and continue to receive packets from the WireGuard interface even when it is protected by NAT. Usually a value of 25 is sufficient; however, depending on your environment, you may need to lower this number.
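As an added example (not from the Firezone docs or the project's code), the Ruby script below applies the two rules described in the split tunneling and reverse tunnel sections above: it resolves which AllowedIPs prefix, if any, carries a given destination (the most specific prefix wins), expands a prefix to its host range the way the 3.5.140.0/22 example does, and checks that every reverse-tunnel pair is covered in both directions. All device addresses and AllowedIPs values are constructed; only Ruby's standard-library IPAddr is assumed.

```ruby
require 'ipaddr'

# Parse an AllowedIPs field as Firezone shows it ("a/b, c/d") into IPAddr prefixes.
# A bare address without a prefix length is rejected so that a typo surfaces before a
# device configuration is generated from it.
def parse_allowed_ips(field)
  field.split(',').map(&:strip).reject(&:empty?).map do |entry|
    raise ArgumentError, "missing prefix length in #{entry.inspect}" unless entry.include?('/')
    IPAddr.new(entry)
  end
end

# Render a prefix back to CIDR notation (IPAddr#to_s drops the length).
def cidr(net)
  "#{net}/#{net.prefix}"
end

# WireGuard sends a packet into the tunnel only when its destination lies inside one of
# the AllowedIPs prefixes; on overlap the most specific (longest) prefix wins, which is the
# rule stated above. Returns the winning prefix as CIDR, or nil when the packet bypasses
# the tunnel.
def tunnel_route_for(allowed, dst)
  ip = IPAddr.new(dst)
  best = allowed.select { |net| net.family == ip.family && net.include?(ip) }.max_by(&:prefix)
  best && cidr(best)
end

# A /0 entry (the 0.0.0.0/0, ::/0 default) makes this a full tunnel for that address
# family: everything goes to the VPN server, so no split tunneling is in effect.
def full_tunnel?(allowed)
  allowed.any? { |net| net.prefix.zero? }
end

# First and last host address covered by a prefix. For IPv4 prefixes shorter than /31 the
# network and broadcast addresses are excluded, which is how the 3.5.140.0/22 example
# above arrives at 3.5.140.1 - 3.5.143.254.
def host_range(cidr_str)
  net = IPAddr.new(cidr_str)
  range = net.to_range
  first = range.first.to_i
  last = range.last.to_i
  if net.ipv4? && net.prefix < 31
    first += 1
    last -= 1
  end
  [IPAddr.new(first, net.family).to_s, IPAddr.new(last, net.family).to_s]
end

# Reverse-tunnel check: a pair of devices can talk through the relay only when each side's
# AllowedIPs covers the other's tunnel address. +devices+ maps a device name to
# { address: "10.3.2.x", allowed_ips: "..." }; +pairs+ lists the [a, b] pairs that must be
# able to communicate. Returns the [src, dst] directions that are not covered.
def missing_directions(devices, pairs)
  pairs.flat_map { |a, b| [[a, b], [b, a]] }.reject do |src, dst|
    allowed = parse_allowed_ips(devices[src][:allowed_ips])
    tunnel_route_for(allowed, devices[dst][:address])
  end
end

# Constructed one-to-many scenario (hypothetical addresses inside the 10.3.2.0/24 default
# WireGuard network). Device D was given the wrong address for A, so D -> A is missing.
EXAMPLE_DEVICES = {
  'A' => { address: '10.3.2.2', allowed_ips: '10.3.2.3/32, 10.3.2.4/32, 10.3.2.5/32' },
  'B' => { address: '10.3.2.3', allowed_ips: '10.3.2.2/32' },
  'C' => { address: '10.3.2.4', allowed_ips: '10.3.2.2/32' },
  'D' => { address: '10.3.2.5', allowed_ips: '10.3.2.9/32' }
}.freeze
REQUIRED_PAIRS = [%w[A B], %w[A C], %w[A D]].freeze

if __FILE__ == $PROGRAM_NAME
  split = parse_allowed_ips('192.0.2.3/32, 3.5.140.0/22')
  puts "3.5.142.9 via #{tunnel_route_for(split, '3.5.142.9').inspect}" # "3.5.140.0/22"
  puts "8.8.8.8 via #{tunnel_route_for(split, '8.8.8.8').inspect}"     # nil, stays off the tunnel
  puts "hosts in 3.5.140.0/22: #{host_range('3.5.140.0/22').join(' - ')}"
  puts "missing directions: #{missing_directions(EXAMPLE_DEVICES, REQUIRED_PAIRS).inspect}"
end
```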
To provide a single, static egress IP for all of your team's outbound traffic, Firezone can be used as a NAT gateway. These situations are where it is most often used:
Consulting engagements: Ask your client to whitelist a single static IP address rather than each employee's unique device IP.
Using a proxy or masking your source IP for security or privacy.
A simple example of restricting access to a self-hosted web application to a single whitelisted static IP running Firezone is shown in this post. In this example, Firezone and the protected resource are in different VPC regions.
This solution is frequently used in place of managing an IP whitelist for numerous end users, which can be time-consuming as the access list grows.
Our goal is to set up a Firezone server on an EC2 instance to redirect VPN traffic to the restricted resource. In this case, Firezone is acting as a network proxy or NAT gateway to give every connected device a single public egress IP.
In this case, an EC2 instance of type t2.micro has a Firezone instance deployed to it. For details on deploying Firezone, go to the Deployment Guide. In relation to AWS, be sure:
The Firezone EC2 instance's security group allows outbound traffic to the protected resource's IP address.
The Firezone instance comes with an elastic IP. Traffic forwarded through the Firezone instance to external destinations will have this as its source IP address. The IP address in question is 52.202.88.54.
[Insert Screenshot]<<<<<<<<<<<<<<<<<<<<<<<<<
A self-hosted web application acts as the protected resource in this case. The web app can only be accessed by requests from the IP address 52.202.88.54. Depending on the resource, it may be necessary to allow inbound traffic on various ports and traffic types. This is not covered in this guide.
[Insert screenshot]<<<<<<<<<<<<<<<<<<<<<<<<<
Please tell the third party in charge of the protected resource that traffic from the static IP defined in Step 1 needs to be allowed (in this case 52.202.88.54).
By default, all user traffic will pass through the VPN server and come from the static IP configured in Step 1 (in this case 52.202.88.54). However, if split tunneling has been enabled, configuration may be necessary to ensure the protected resource's IP address is listed in the Allowed IPs.
Shown below is a complete list of the configuration options available in /etc/firezone/firezone.rb.
| option | description | default value |
|---|---|---|
| default['firezone']['external_url'] | URL used to access the web portal of this Firezone instance. | "https://#{node['fqdn'] \|\| node['hostname']}" |
| default['firezone']['config_directory'] | Top-level directory for Firezone configuration. | '/etc/firezone' |
| default['firezone']['install_directory'] | Top-level directory to install Firezone to. | '/opt/firezone' |
| default['firezone']['app_directory'] | Top-level directory to install the Firezone web application to. | "#{node['firezone']['install_directory']}/embedded/service/firezone" |
| default['firezone']['log_directory'] | Top-level directory for Firezone logs. | '/var/log/firezone' |
| default['firezone']['var_directory'] | Top-level directory for Firezone runtime files. | '/var/opt/firezone' |
| default['firezone']['user'] | Name of the unprivileged Linux user most services and files will belong to. | 'firezone' |
| default['firezone']['group'] | Name of the Linux group most services and files will belong to. | 'firezone' |
| default['firezone']['admin_email'] | Email address for the initial Firezone user. | "firezone@localhost" |
| default['firezone']['max_devices_per_user'] | Maximum number of devices a user can have. | 10 |
| default['firezone']['allow_unprivileged_device_management'] | Allow non-admin users to create and delete devices. | true |
| default['firezone']['allow_unprivileged_device_configuration'] | Allow non-admin users to modify device configuration. When disabled, prevents unprivileged users from changing all device fields except the name and description. | true |
| default['firezone']['egress_interface'] | Interface name where tunneled traffic will exit. If nil, the default route interface will be used. | nil |
| default['firezone']['fips_enabled'] | Enable or disable OpenSSL FIPS mode. | nil |
| default['firezone']['logging']['enabled'] | Enable or disable logging across Firezone. Set to false to disable logging entirely. | true |
| default['enterprise']['name'] | Name used by the Chef 'enterprise' cookbook. | 'firezone' |
| default['firezone']['install_path'] | Install path used by the Chef 'enterprise' cookbook. Should be set to the same value as install_directory above. | node['firezone']['install_directory'] |
| default['firezone']['sysvinit_id'] | An identifier used in /etc/inittab. Must be a unique sequence of 1-4 characters. | 'SUP' |
| default['firezone']['authentication']['local']['enabled'] | Enable or disable local email/password authentication. | true |
| default['firezone']['authentication']['auto_create_oidc_users'] | Automatically create users signing in through OIDC for the first time. Disable to allow only existing users to sign in through OIDC. | true |
| default['firezone']['authentication']['disable_vpn_on_oidc_error'] | Disable a user's VPN if an error is detected while trying to refresh their OIDC token. | false |
| default['firezone']['authentication']['oidc'] | OpenID Connect config, in the format {"provider" => [config...]} - See the OpenIDConnect documentation for config examples. | {} |
| default['firezone']['nginx']['enabled'] | Enable or disable the bundled nginx server. | true |
| default['firezone']['nginx']['ssl_port'] | HTTPS listen port. | 443 |
| default['firezone']['nginx']['directory'] | Directory to store Firezone-related nginx virtual host configuration. | "#{node['firezone']['var_directory']}/nginx/etc" |
| default['firezone']['nginx']['log_directory'] | Directory to store Firezone-related nginx log files. | "#{node['firezone']['log_directory']}/nginx" |
| default['firezone']['nginx']['log_rotation']['file_maxbytes'] | File size at which to rotate nginx log files. | 104857600 |
| default['firezone']['nginx']['log_rotation']['num_to_keep'] | Number of Firezone nginx log files to keep before discarding. | 10 |
| default['firezone']['nginx']['log_x_forwarded_for'] | Whether to log the Firezone nginx x-forwarded-for header. | true |
| default['firezone']['nginx']['hsts_header']['enabled'] | Enable or disable the HSTS header. | true |
| default['firezone']['nginx']['hsts_header']['include_subdomains'] | Enable or disable includeSubDomains for the HSTS header. | true |
| default['firezone']['nginx']['hsts_header']['max_age'] | Max age for the HSTS header. | 31536000 |
| default['firezone']['nginx']['redirect_to_canonical'] | Whether to redirect URLs to the canonical FQDN specified above. | false |
| default['firezone']['nginx']['cache']['enabled'] | Enable or disable the Firezone nginx cache. | false |
| default['firezone']['nginx']['cache']['directory'] | Directory for the Firezone nginx cache. | "#{node['firezone']['var_directory']}/nginx/cache" |
| default['firezone']['nginx']['user'] | Firezone nginx user. | node['firezone']['user'] |
| default['firezone']['nginx']['group'] | Firezone nginx group. | node['firezone']['group'] |
| default['firezone']['nginx']['dir'] | Top-level nginx configuration directory. | node['firezone']['nginx']['directory'] |
| default['firezone']['nginx']['log_dir'] | Top-level nginx log directory. | node['firezone']['nginx']['log_directory'] |
| default['firezone']['nginx']['pid'] | Location of the nginx pid file. | "#{node['firezone']['nginx']['directory']}/nginx.pid" |
| default['firezone']['nginx']['daemon_disable'] | Disable nginx daemon mode so that it can be supervised instead. | true |
| default['firezone']['nginx']['gzip'] | Turn nginx gzip compression on or off. | 'on' |
| default['firezone']['nginx']['gzip_static'] | Turn nginx gzip compression on or off for static files. | 'off' |
| default['firezone']['nginx']['gzip_http_version'] | HTTP version to use for serving static files. | '1.0' |
| default['firezone']['nginx']['gzip_comp_level'] | nginx gzip compression level. | '2' |
| default['firezone']['nginx']['gzip_proxied'] | Enables or disables gzipping of responses to proxied requests depending on the request and response. | 'any' |
| default['firezone']['nginx']['gzip_vary'] | Enables or disables inserting the "Vary: Accept-Encoding" response header. | 'off' |
| default['firezone']['nginx']['gzip_buffers'] | Sets the number and size of buffers used to compress a response. If nil, the nginx default is used. | nil |
| default['firezone']['nginx']['gzip_types'] | MIME types to enable gzip compression for. | ['text/plain', 'text/css', 'application/x-javascript', 'text/xml', 'application/xml', 'application/rss+xml', 'application/atom+xml', 'text/javascript', 'application/javascript', 'application/json'] |
| default['firezone']['nginx']['gzip_min_length'] | Minimum file length to enable gzip compression for. | 1000 |
| default['firezone']['nginx']['gzip_disable'] | User-agent matcher to disable gzip compression for. | 'MSIE [1-6]\.' |
| default['firezone']['nginx']['keepalive'] | Activates the cache for connections to upstream servers. | 'on' |
| default['firezone']['nginx']['keepalive_timeout'] | Timeout in seconds for keepalive connections to upstream servers. | 65 |
| default['firezone']['nginx']['worker_processes'] | Number of nginx worker processes. | node['cpu'] && node['cpu']['total'] ? node['cpu']['total'] : 1 |
| default['firezone']['nginx']['worker_connections'] | Maximum number of simultaneous connections that can be opened by a worker process. | 1024 |
| default['firezone']['nginx']['worker_rlimit_nofile'] | Changes the limit on the maximum number of open files for worker processes. Uses the nginx default if nil. | nil |
| default['firezone']['nginx']['multi_accept'] | Whether workers should accept one connection at a time or multiple. | true |
| default['firezone']['nginx']['event'] | Specifies the connection processing method to use within the nginx events context. | 'epoll' |
| default['firezone']['nginx']['server_tokens'] | Enables or disables emitting the nginx version on error pages and in the "Server" response header field. | nil |
| default['firezone']['nginx']['server_names_hash_bucket_size'] | Sets the bucket size for the server names hash tables. | 64 |
| default['firezone']['nginx']['sendfile'] | Enables or disables the use of nginx's sendfile(). | 'on' |
| default['firezone']['nginx']['access_log_options'] | Sets nginx access log options. | nil |
| default['firezone']['nginx']['error_log_options'] | Sets nginx error log options. | nil |
| default['firezone']['nginx']['disable_access_log'] | Disables the nginx access log. | false |
| default['firezone']['nginx']['types_hash_max_size'] | nginx types hash max size. | 2048 |
| default['firezone']['nginx']['types_hash_bucket_size'] | nginx types hash bucket size. | 64 |
| default['firezone']['nginx']['proxy_read_timeout'] | nginx proxy read timeout. Set to nil to use the nginx default. | nil |
| default['firezone']['nginx']['client_body_buffer_size'] | nginx client body buffer size. Set to nil to use the nginx default. | nil |
| default['firezone']['nginx']['client_max_body_size'] | nginx client max body size. | '250m' |
| default['firezone']['nginx']['default']['modules'] | Specify additional nginx modules. | [] |
| default['firezone']['nginx']['enable_rate_limiting'] | Enable or disable nginx rate limiting. | true |
| default['firezone']['nginx']['rate_limiting_zone_name'] | nginx rate limiting zone name. | 'firezone' |
| default['firezone']['nginx']['rate_limiting_backoff'] | nginx rate limiting backoff. | '10m' |
| default['firezone']['nginx']['rate_limit'] | nginx rate limit. | '10r/s' |
| default['firezone']['nginx']['ipv6'] | Allow nginx to listen for HTTP requests on IPv6 in addition to IPv4. | true |
| default['firezone']['postgresql']['enabled'] | Enable or disable the bundled PostgreSQL. Set to false and fill in the database options below to use your own PostgreSQL instance. | true |
| default['firezone']['postgresql']['username'] | Username for PostgreSQL. | node['firezone']['user'] |
| default['firezone']['postgresql']['data_directory'] | PostgreSQL data directory. | "#{node['firezone']['var_directory']}/postgresql/13.3/data" |
| default['firezone']['postgresql']['log_directory'] | PostgreSQL log directory. | "#{node['firezone']['log_directory']}/postgresql" |
| default['firezone']['postgresql']['log_rotation']['file_maxbytes'] | Maximum PostgreSQL log file size before it is rotated. | 104857600 |
| default['firezone']['postgresql']['log_rotation']['num_to_keep'] | Number of PostgreSQL log files to keep. | 10 |
| default['firezone']['postgresql']['checkpoint_completion_target'] | PostgreSQL checkpoint completion target. | 0.5 |
| default['firezone']['postgresql']['checkpoint_segments'] | Number of PostgreSQL checkpoint segments. | 3 |
| default['firezone']['postgresql']['checkpoint_timeout'] | PostgreSQL checkpoint timeout. | '5min' |
| default['firezone']['postgresql']['checkpoint_warning'] | PostgreSQL checkpoint warning time in seconds. | '30s' |
| default['firezone']['postgresql']['effective_cache_size'] | PostgreSQL effective cache size. | '128MB' |
| default['firezone']['postgresql']['listen_address'] | PostgreSQL listen address. | '127.0.0.1' |
| default['firezone']['postgresql']['max_connections'] | PostgreSQL max connections. | 350 |
| default['firezone']['postgresql']['md5_auth_cidr_addresses'] | PostgreSQL CIDRs to allow for md5 auth. | ['127.0.0.1/32', '::1/128'] |
| default['firezone']['postgresql']['port'] | PostgreSQL listen port. | 15432 |
| default['firezone']['postgresql']['shared_buffers'] | PostgreSQL shared buffers size. | "#{(node['memory']['total'].to_i / 4) / 1024}MB" |
| default['firezone']['postgresql']['shmmax'] | PostgreSQL shmmax in bytes. | 17179869184 |
| default['firezone']['postgresql']['shmall'] | PostgreSQL shmall in bytes. | 4194304 |
| default['firezone']['postgresql']['work_mem'] | PostgreSQL working memory size. | '8MB' |
| default['firezone']['database']['user'] | Specifies the username Firezone will use to connect to the DB. | node['firezone']['postgresql']['username'] |
| default['firezone']['database']['password'] | If using an external DB, specifies the password Firezone will use to connect to the DB. | 'change_me' |
| default['firezone']['database']['name'] | Database that Firezone will use. Will be created if it doesn't exist. | 'firezone' |
| default['firezone']['database']['host'] | Database host that Firezone will connect to. | node['firezone']['postgresql']['listen_address'] |
| default['firezone']['database']['port'] | Database port that Firezone will connect to. | node['firezone']['postgresql']['port'] |
| default['firezone']['database']['pool'] | Database pool size Firezone will use. | [10, Etc.nprocessors].max |
| default['firezone']['database']['ssl'] | Whether to connect to the database over SSL. | false |
| default['firezone']['database']['ssl_opts'] | | {} |
| default['firezone']['database']['parameters'] | | {} |
| default['firezone']['database']['extensions'] | Database extensions to enable. | { 'plpgsql' => true, 'pg_trgm' => true } |
| default['firezone']['phoenix']['enabled'] | Enable or disable the Firezone web application. | true |
| default['firezone']['phoenix']['listen_address'] | Firezone web application listen address. This will be the upstream listen address that nginx proxies to. | '127.0.0.1' |
| default['firezone']['phoenix']['port'] | Firezone web application listen port. This will be the upstream port that nginx proxies to. | 13000 |
| default['firezone']['phoenix']['log_directory'] | Firezone web application log directory. | "#{node['firezone']['log_directory']}/phoenix" |
| default['firezone']['phoenix']['log_rotation']['file_maxbytes'] | Firezone web application log file size. | 104857600 |
| default['firezone']['phoenix']['log_rotation']['num_to_keep'] | Number of Firezone web application log files to keep. | 10 |
| default['firezone']['phoenix']['crash_detection']['enabled'] | Enable or disable bringing down the Firezone web application when a crash is detected. | true |
| default['firezone']['phoenix']['external_trusted_proxies'] | List of trusted reverse proxies, formatted as an Array of IPs and/or CIDRs. | [] |
| default['firezone']['phoenix']['private_clients'] | List of private-network HTTP clients, formatted as an Array of IPs and/or CIDRs. | [] |
| default['firezone']['wireguard']['enabled'] | Enable or disable bundled WireGuard management. | true |
| default['firezone']['wireguard']['log_directory'] | Log directory for bundled WireGuard management. | "#{node['firezone']['log_directory']}/wireguard" |
| default['firezone']['wireguard']['log_rotation']['file_maxbytes'] | WireGuard log file max size. | 104857600 |
| default['firezone']['wireguard']['log_rotation']['num_to_keep'] | Number of WireGuard log files to keep. | 10 |
| default['firezone']['wireguard']['interface_name'] | WireGuard interface name. Changing this parameter may cause a temporary loss of VPN connectivity. | 'wg-firezone' |
| default['firezone']['wireguard']['port'] | WireGuard listen port. | 51820 |
| default['firezone']['wireguard']['mtu'] | WireGuard interface MTU for this server and for device configurations. | 1280 |
| default['firezone']['wireguard']['endpoint'] | WireGuard Endpoint to use for generating device configurations. If nil, defaults to the server's public IP address. | nil |
| default['firezone']['wireguard']['dns'] | WireGuard DNS to use for generated device configurations. | '1.1.1.1, 1.0.0.1' |
| default['firezone']['wireguard']['allowed_ips'] | WireGuard AllowedIPs to use for generated device configurations. | '0.0.0.0/0, ::/0' |
| default['firezone']['wireguard']['persistent_keepalive'] | Default PersistentKeepalive setting for generated device configurations. A value of 0 disables it. | 0 |
| default['firezone']['wireguard']['ipv4']['enabled'] | Enable or disable IPv4 for the WireGuard network. | true |
| default['firezone']['wireguard']['ipv4']['masquerade'] | Enable or disable masquerading for packets leaving the IPv4 tunnel. | true |
| default['firezone']['wireguard']['ipv4']['network'] | WireGuard network IPv4 address pool. | '10.3.2.0/24' |
| default['firezone']['wireguard']['ipv4']['address'] | WireGuard interface IPv4 address. Must be within the WireGuard address pool. | '10.3.2.1' |
| default['firezone']['wireguard']['ipv6']['enabled'] | Enable or disable IPv6 for the WireGuard network. | true |
| default['firezone']['wireguard']['ipv6']['masquerade'] | Enable or disable masquerading for packets leaving the IPv6 tunnel. | true |
| default['firezone']['wireguard']['ipv6']['network'] | WireGuard network IPv6 address pool. | 'fd00::3:2:0/120' |
| default['firezone']['wireguard']['ipv6']['address'] | WireGuard interface IPv6 address. Must be within the IPv6 address pool. | 'fd00::3:2:1' |
| default['firezone']['runit']['svlogd_bin'] | Runit svlogd binary location. | "#{node['firezone']['install_directory']}/embedded/bin/svlogd" |
| default['firezone']['ssl']['directory'] | SSL directory for storing generated certificates. | '/var/opt/firezone/ssl' |
| default['firezone']['ssl']['email_address'] | Email address to use for self-signed certificates and ACME protocol renewal notifications. | |
| default['firezone']['ssl']['acme']['enabled'] | Enable ACME for automatic SSL certificate provisioning. Disable this to prevent nginx from listening on port 80. See here for more instructions. | false |
| default['firezone']['ssl']['acme']['server'] | | letsencrypt |
| default['firezone']['ssl']['acme']['keylength'] | Specify the type and length for SSL certificates. See here. | ec-256 |
| default['firezone']['ssl']['certificate'] | Path to the certificate file for your FQDN. Overrides the ACME setting above if specified. If both ACME and this are nil, a self-signed certificate will be generated. | nil |
| default['firezone']['ssl']['certificate_key'] | Path to the certificate key file. | nil |
| default['firezone']['ssl']['ssl_dparam'] | nginx ssl dh_param. | nil |
| default['firezone']['ssl']['country_name'] | Country name for the self-signed certificate. | 'US' |
| default['firezone']['ssl']['state_name'] | State name for the self-signed certificate. | 'CA' |
| default['firezone']['ssl']['locality_name'] | Locality name for the self-signed certificate. | 'San Francisco' |
| default['firezone']['ssl']['company_name'] | Company name for the self-signed certificate. | 'My Company' |
| default['firezone']['ssl']['organizational_unit_name'] | Organizational unit name for the self-signed certificate. | 'Operations' |
| default['firezone']['ssl']['ciphers'] | SSL ciphers for nginx to use. | 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA' |
| default['firezone']['ssl']['fips_ciphers'] | SSL ciphers for FIPS mode. | 'FIPS@STRENGTH:!aNULL:!eNULL' |
| default['firezone']['ssl']['protocols'] | TLS protocols to use. | 'TLSv1 TLSv1.1 TLSv1.2' |
| default['firezone']['ssl']['session_cache'] | SSL session cache. | 'shared:SSL:4m' |
| default['firezone']['ssl']['session_timeout'] | SSL session timeout. | '5m' |
| default['firezone']['robots_allow'] | nginx robots allow. | '/' |
| default['firezone']['robots_disallow'] | nginx robots disallow. | nil |
| default['firezone']['outbound_email']['from'] | Outbound email from address. | nil |
| default['firezone']['outbound_email']['provider'] | Outbound email service provider. | nil |
| default['firezone']['outbound_email']['configs'] | Outbound email provider configs. | see omnibus/cookbooks/firezone/attributes/default.rb |
| default['firezone']['telemetry']['enabled'] | Enable or disable anonymized product telemetry. | true |
| default['firezone']['connectivity_checks']['enabled'] | Enable or disable the Firezone connectivity checks service. | true |
| default['firezone']['connectivity_checks']['interval'] | Interval between connectivity checks in seconds. | 3_600 |
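An added example, not part of this reference or the Firezone cookbook: the Ruby script below takes a handful of the settings above with their shipped defaults, places hardened overrides beside them, and returns a finding for each weak value it sees (legacy TLS versions, the shipped database password, an external database without SSL, version disclosure, and md5 auth open beyond loopback). The attribute_tree helper is a stand-in for the Chef attribute tree, and the 'TLSv1.2 TLSv1.3' and 'off' values are assumptions rather than values from the table.

```ruby
require 'ipaddr'

# Stand-in for the Chef attribute tree that /etc/firezone/firezone.rb writes into, so the
# settings below can be evaluated here without the omnibus cookbook (hypothetical helper;
# a real firezone.rb needs no such definition).
def attribute_tree
  Hash.new { |h, k| h[k] = Hash.new(&h.default_proc) }
end

# Shipped defaults for the settings this review looks at, copied from the table above.
def shipped_defaults
  default = attribute_tree
  default['firezone']['ssl']['protocols'] = 'TLSv1 TLSv1.1 TLSv1.2'
  default['firezone']['nginx']['server_tokens'] = nil
  default['firezone']['postgresql']['enabled'] = true
  default['firezone']['postgresql']['md5_auth_cidr_addresses'] = ['127.0.0.1/32', '::1/128']
  default['firezone']['database']['ssl'] = false
  default['firezone']['database']['password'] = 'change_me'
  default
end

# Overrides a hardened firezone.rb would carry for an install backed by an external
# PostgreSQL instance. TLSv1.3 assumes the bundled nginx/OpenSSL support it, and 'off' is
# the nginx value for server_tokens; both are assumptions, not values from the table.
def hardened(default)
  default['firezone']['ssl']['protocols'] = 'TLSv1.2 TLSv1.3'
  default['firezone']['nginx']['server_tokens'] = 'off'
  default['firezone']['postgresql']['enabled'] = false
  default['firezone']['database']['ssl'] = true
  default['firezone']['database']['password'] = '<placeholder: read from a secrets store>'
  default
end

# Review the security-relevant settings and return one finding per weak value
# (an empty Array means nothing was flagged).
def review(default)
  fz = default['firezone']
  findings = []

  legacy = fz['ssl']['protocols'].to_s.split & %w[TLSv1 TLSv1.1]
  findings << "legacy TLS versions enabled for the web UI: #{legacy.join(' ')}" unless legacy.empty?

  # nil leaves nginx at its own default, which emits the version string.
  findings << "server_tokens is not 'off'" unless fz['nginx']['server_tokens'] == 'off'

  findings << "database password is still the shipped 'change_me'" if fz['database']['password'] == 'change_me'

  external_db = fz['postgresql']['enabled'] == false
  findings << 'external database used without ssl' if external_db && fz['database']['ssl'] != true

  # md5 auth should stay on loopback; a /0 entry opens it to any source address.
  open_cidrs = Array(fz['postgresql']['md5_auth_cidr_addresses']).select { |c| IPAddr.new(c).prefix.zero? }
  findings << "md5 auth allowed from #{open_cidrs.join(', ')}" unless open_cidrs.empty?

  findings
end

if __FILE__ == $PROGRAM_NAME
  puts 'shipped defaults:'
  review(shipped_defaults).each { |f| puts "  - #{f}" }
  puts "hardened: #{review(hardened(shipped_defaults)).inspect}" # []
end
```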
________________________________________________________________
Here you will find a list of files and directories related to the Firezone installation. These may change depending on changes to your configuration file.
| Path | Description |
|---|---|
| /var/opt/firezone | Top-level directory containing data and generated configuration for the Firezone bundled services. |
| /opt/firezone | Top-level directory containing the built libraries, binaries and runtime files needed by Firezone. |
| /usr/bin/firezone-ctl | firezone-ctl utility for managing your Firezone installation. |
| /etc/systemd/system/firezone-runsvdir-start.service | systemd unit file for starting the Firezone runsvdir supervisor process. |
| /etc/firezone | Firezone configuration files. |
__________________________________________________________
This page does not exist in the docs
_____________________________________________________________
The following nftables firewall template can be used to secure the server running Firezone. The template makes some assumptions; you may need to adjust the rules to suit your use case:
Firezone configures its own nftables rules to allow/deny traffic to the destinations configured in the web interface and to handle outbound NAT for client traffic.
Applying the firewall template below on an already running server (not at boot time) will cause the Firezone rules to be cleared. This may have security implications.
To work around this, restart the phoenix service:
firezone-ctl restart phoenix
#!/usr/sbin/nft -f

## Clear/flush all existing rules
flush ruleset

############################## VARIABLES ##############################
## Internet/WAN interface name
define DEV_WAN = eth0

## WireGuard interface name
define DEV_WIREGUARD = wg-firezone

## WireGuard listen port
define WIREGUARD_PORT = 51820
############################ VARIABLES END ############################

# Main inet family filter table
table inet filter {

  # Rules for forwarded traffic
  # This chain is processed before the Firezone forward chain
  chain forward {
    type filter hook forward priority filter - 5; policy accept
  }

  # Rules for input traffic
  chain input {
    type filter hook input priority filter; policy drop

    ## Allow inbound traffic to the loopback interface
    iif lo \
      accept \
      comment "Allow all traffic in from loopback interface"

    ## Allow established and related connections
    ct state established,related \
      accept \
      comment "Allow established/related connections"

    ## Allow inbound WireGuard traffic
    iif $DEV_WAN udp dport $WIREGUARD_PORT \
      counter \
      accept \
      comment "Allow inbound WireGuard traffic"

    ## Log and drop new TCP packets that are not SYN
    tcp flags != syn ct state new \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - New !SYN: " \
      comment "Rate limit logging for new connections that do not have the SYN TCP flag set"
    tcp flags != syn ct state new \
      counter \
      drop \
      comment "Drop new connections that do not have the SYN TCP flag set"

    ## Log and drop TCP packets with the invalid fin/syn flag combination set
    tcp flags & (fin|syn) == (fin|syn) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - TCP FIN|SIN: " \
      comment "Rate limit logging for TCP packets with invalid fin/syn flag set"
    tcp flags & (fin|syn) == (fin|syn) \
      counter \
      drop \
      comment "Drop TCP packets with invalid fin/syn flag set"

    ## Log and drop TCP packets with the invalid syn/rst flag combination set
    tcp flags & (syn|rst) == (syn|rst) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - TCP SYN|RST: " \
      comment "Rate limit logging for TCP packets with invalid syn/rst flag set"
    tcp flags & (syn|rst) == (syn|rst) \
      counter \
      drop \
      comment "Drop TCP packets with invalid syn/rst flag set"

    ## Log and drop invalid TCP flags
    tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - FIN: " \
      comment "Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) < (fin)"
    tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
      counter \
      drop \
      comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) < (fin)"

    ## Log and drop invalid TCP flags
    tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - FIN|PSH|URG: " \
      comment "Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"
    tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
      counter \
      drop \
      comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"

    ## Drop traffic with an invalid connection state
    ct state invalid \
      limit rate 100/minute burst 150 packets \
      log flags all prefix "IN - Invalid: " \
      comment "Rate limit logging for traffic with invalid connection state"
    ct state invalid \
      counter \
      drop \
      comment "Drop traffic with invalid connection state"

    ## Allow IPv4 ping/ping responses but rate limit to 2000 PPS
    ip protocol icmp icmp type { echo-reply, echo-request } \
      limit rate 2000/second \
      counter \
      accept \
      comment "Allow inbound IPv4 echo (ping) limited to 2000 PPS"

    ## Allow all other inbound IPv4 ICMP
    ip protocol icmp \
      counter \
      accept \
      comment "Allow all other IPv4 ICMP"

    ## Allow IPv6 ping/ping responses but rate limit to 2000 PPS
    icmpv6 type { echo-reply, echo-request } \
      limit rate 2000/second \
      counter \
      accept \
      comment "Allow inbound IPv6 echo (ping) limited to 2000 PPS"

    ## Allow all other inbound IPv6 ICMP
    meta l4proto { icmpv6 } \
      counter \
      accept \
      comment "Allow all other IPv6 ICMP"

    ## Allow inbound traceroute UDP ports but limit to 500 PPS
    udp dport 33434-33524 \
      limit rate 500/second \
      counter \
      accept \
      comment "Allow inbound UDP traceroute limited to 500 PPS"

    ## Allow inbound SSH
    tcp dport ssh ct state new \
      counter \
      accept \
      comment "Allow inbound SSH connections"

    ## Allow inbound HTTP and HTTPS
    tcp dport { http, https } ct state new \
      counter \
      accept \
      comment "Allow inbound HTTP and HTTPS connections"

    ## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute
    ## The default policy will be applied to unmatched traffic
    limit rate 60/minute burst 100 packets \
      log prefix "IN - Drop: " \
      comment "Log any unmatched traffic"

    ## Count the unmatched traffic
    counter \
      comment "Count any unmatched traffic"
  }

  # Rules for output traffic
  chain output {
    type filter hook output priority filter; policy drop

    ## Allow outbound traffic to the loopback interface
    oif lo \
      accept \
      comment "Allow all traffic out to loopback interface"

    ## Allow established and related connections
    ct state established,related \
      counter \
      accept \
      comment "Allow established/related connections"

    ## Allow outbound WireGuard traffic before dropping connections with bad state
    oif $DEV_WAN udp sport $WIREGUARD_PORT \
      counter \
      accept \
      comment "Allow WireGuard outbound traffic"

    ## Drop traffic with an invalid connection state
    ct state invalid \
      limit rate 100/minute burst 150 packets \
      log flags all prefix "OUT - Invalid: " \
      comment "Rate limit logging for traffic with invalid connection state"
    ct state invalid \
      counter \
      drop \
      comment "Drop traffic with invalid connection state"

    ## Allow all other outbound IPv4 ICMP
    ip protocol icmp \
      counter \
      accept \
      comment "Allow all IPv4 ICMP types"

    ## Allow all other outbound IPv6 ICMP
    meta l4proto { icmpv6 } \
      counter \
      accept \
      comment "Allow all IPv6 ICMP types"

    ## Allow outbound traceroute UDP ports but limit to 500 PPS
udp ua 33434-33524
txwv tus nqi 500/second \
txee \
txais \
saib "Tso cai tawm UDP traceroute txwv rau 500 PPS"
## Tso cai tawm HTTP thiab HTTPS kev sib txuas
tcp dport { http, https } ct xeev tshiab \
txee \
txais \
saib "Tso cai tawm HTTP thiab HTTPS kev sib txuas"
## Tso cai tawm SMTP xa tawm
tcp dport xa ct xeev tshiab \
txee \
txais \
saib "Tso cai tawm SMTP xa tawm"
## Tso cai rau kev thov DNS sab nraud
udp ua 53 \
txee \
txais \
saib "Tso cai tawm UDP DNS thov"
tcp ua 53 \
txee \
txais \
saib "Tso cai tawm TCP DNS thov"
## Tso cai tawm NTP thov
udp ua 123 \
txee \
txais \
saib "Thov tso cai tawm NTP thov"
## Nkag mus rau qhov tsis sib xws tab sis tus nqi txwv kev nkag mus rau qhov siab kawg ntawm 60 cov lus / feeb
## Txoj cai ua ntej yuav raug siv rau cov tsheb tsis sib xws
txwv tus nqi 60/ feeb tawg 100 pob ntawv \
log ua ntej "TAU - Poob:" \
saib “Log txhua yam kev tsheb tsis sib xws”
## suav cov tsheb tsis sib xws
txee \
saib "Suav ib qho kev tsheb tsis sib xws"
}
}
# Lub ntsiab NAT lim lub rooj
table inet nat {
# Cov cai rau NAT tsheb thauj mus los ua ntej
chain prerouting {
hom nat nuv prerouting qhov tseem ceeb dstnat; txoj cai txais
}
# Cov cai rau NAT tsheb khiav tom qab txoj kev
# Cov lus no tau ua tiav ua ntej Firezone tom qab txoj kab txuas
chain postrouting {
type nat nuv postrouting priority srcnat – 5; txoj cai txais
}
}
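The TCP flag rules in the input chain above compare a masked flag byte against a constant, and the two forms are easy to misread: `& (syn|rst) == (syn|rst)` matches whenever both bits are set regardless of other flags, while `& (fin|syn|rst|psh|ack|urg) < (fin)` can only be true when the masked value is zero, i.e. no flags at all. The following script is an added illustration, not part of the Firezone template: it evaluates the three flag rules shown in this section, in chain order, against a numeric flag byte and reports which one would drop the packet. The function name and the bit constants are this example's own.

```shell
#!/bin/sh
# Added illustration (not part of the Firezone template): replays the TCP flag
# tests from the input chain above against a flag byte and prints the first
# nft expression that matches, or "pass" if none of them does.
# Bit values follow the TCP header flag layout used by nft.
FIN=1; SYN=2; RST=4; PSH=8; ACK=16; URG=32
ALL6=$((FIN|SYN|RST|PSH|ACK|URG))

# tcp_flag_verdict FLAGS
#   FLAGS is the numeric flag byte, e.g. $((SYN|ACK)).
tcp_flag_verdict() {
  f=$1
  if [ $((f & (SYN|RST))) -eq $((SYN|RST)) ]; then
    # masked compare: SYN+RST set, any other flags ignored
    echo "drop: tcp flags & (syn|rst) == (syn|rst)"
  elif [ $((f & ALL6)) -lt $FIN ]; then
    # "< (fin)" on the masked value is only true for 0, i.e. a null scan
    echo "drop: tcp flags & (fin|syn|rst|psh|ack|urg) < (fin)"
  elif [ $((f & ALL6)) -eq $((FIN|PSH|URG)) ]; then
    # exactly FIN+PSH+URG and nothing else, i.e. an Xmas scan
    echo "drop: tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"
  else
    echo "pass"
  fi
}

# Constructed sample packets: a normal handshake reply, the three scan shapes,
# and a SYN+RST+ACK packet, which still hits the masked syn|rst rule.
for flags in $((SYN|ACK)) 0 $((FIN|PSH|URG)) $((SYN|RST)) $((SYN|RST|ACK)); do
  printf 'flags=%2d -> %s\n' "$flags" "$(tcp_flag_verdict "$flags")"
done
```

Note that "pass" here only means none of the flag rules fired; the packet still has to match a later accept rule or it falls through to the chain's drop policy.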
The firewall ruleset must be saved in the location the running Linux distribution expects. For Debian/Ubuntu this is /etc/nftables.conf and for RHEL this is /etc/sysconfig/nftables.conf.
nftables.service must be configured to start at boot (if it is not already) with:
systemctl enable nftables.service
If you make any changes to the firewall template, the syntax can be validated without loading it by running:
nft -f /path/to/nftables.conf -c
Be sure to verify that the firewall behaves as expected after loading it, since some nftables features may not be available on the nft release or kernel running on the server.
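Both the input and output chains above end in "policy drop", so a template that parses cleanly but omits the SSH rule, or uses a feature the running kernel lacks, will cut off the session used to load it. The script below is an added example, not part of the Firezone docs or project, that ties the steps above together: it checks the template with nft -c, installs it to the distribution's path, loads it with a timed rollback to the previous ruleset, and enables nftables.service. It assumes it runs as root with nft and systemctl on PATH, that /run is writable, and that the template begins with "flush ruleset" so loading it replaces rather than appends to the live rules; the function names and the /run/nft-rollback.* paths are this example's own.

```shell
#!/bin/sh
# Added example (not from the Firezone docs or project): validate, install and
# activate an nftables template with a timed rollback, so a mistake in a
# "policy drop" input chain cannot lock the operator out over SSH.
# Assumptions: runs as root, nft and systemctl on PATH, /run writable.
set -eu

ROLLBACK_PID=/run/nft-rollback.pid
ROLLBACK_RULES=/run/nft-rollback.ruleset

# Map an os-release ID to the ruleset path nftables.service reads on that
# distribution. Assumption: derivatives use their parent's path.
nft_conf_path() {
  case "$1" in
    debian|ubuntu) echo /etc/nftables.conf ;;
    rhel|centos|rocky|almalinux|fedora) echo /etc/sysconfig/nftables.conf ;;
    *) echo "unsupported distribution: $1" >&2; return 1 ;;
  esac
}

# Parse the template without loading it (-c), catching syntax errors early.
check_ruleset() {
  nft -c -f "$1"
}

# Load NEW_RULES, then revert to the saved ruleset after TIMEOUT seconds
# unless "confirm" is run from a session that still works. The saved copy is
# prefixed with "flush ruleset" so restoring it is a single atomic nft -f.
apply_with_rollback() {
  new_rules=$1
  timeout=$2
  { echo "flush ruleset"; nft list ruleset; } > "$ROLLBACK_RULES"
  nft -f "$new_rules"
  ( sleep "$timeout" && nft -f "$ROLLBACK_RULES" ) &
  echo $! > "$ROLLBACK_PID"
  echo "loaded $new_rules; run '$0 confirm' within ${timeout}s or it rolls back"
}

# Cancel the pending rollback once connectivity has been verified.
confirm_ruleset() {
  kill "$(cat "$ROLLBACK_PID")"
  rm -f "$ROLLBACK_PID" "$ROLLBACK_RULES"
  echo "ruleset confirmed"
}

main() {
  case "$1" in
    apply)
      template=${2:?usage: $0 apply <template> [timeout]}
      . /etc/os-release
      dest=$(nft_conf_path "$ID")
      check_ruleset "$template"
      install -m 0600 "$template" "$dest"
      apply_with_rollback "$dest" "${3:-60}"
      systemctl enable nftables.service
      ;;
    confirm) confirm_ruleset ;;
    *) echo "usage: $0 apply <template> [timeout] | $0 confirm" >&2; return 2 ;;
  esac
}

# Only act when given a subcommand, so sourcing the file just defines functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

Typical use is `./nft-apply.sh apply ./nftables.conf 90` from one SSH session, then `./nft-apply.sh confirm` from a second, freshly opened session: a new connection proves the ssh accept rule and the established/related rule both survived the change, which an already-open session cannot.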
_______________________________________________________________
This document gives an overview of the telemetry Firezone collects from your self-hosted instance and how to disable it.
Firezone relies on telemetry to prioritize our roadmap and to make the best use of the engineering resources we have to improve Firezone for everyone.
The telemetry we collect aims to answer the following questions:
There are three main places where telemetry is collected in Firezone:
In each of these three contexts, we capture the minimum amount of data necessary to answer the questions in the section above.
Admin emails are only collected if you explicitly opt in to product updates. Otherwise, personally identifiable information is never collected.
Firezone stores telemetry in a self-hosted instance of PostHog running in a private Kubernetes cluster, accessible only by the Firezone team. Here is an example of a telemetry event sent from your Firezone instance to our telemetry server:
{
  "id": "0182272d-0b88-0000-d419-7b9a413713f1",
  "timestamp": "2022-07-22T18:30:39.748000+00:00",
  "event": "fz_http_started",
  "distinct_id": "1ec2e794-1c3e-43fc-a78f-1db6d1a37f54",
  "properties": {
    "$geoip_city_name": "Ashburn",
    "$geoip_continent_code": "NA",
    "$geoip_continent_name": "North America",
    "$geoip_country_code": "US",
    "$geoip_country_name": "United States",
    "$geoip_latitude": 39.0469,
    "$geoip_longitude": -77.4903,
    "$geoip_postal_code": "20149",
    "$geoip_subdivision_1_code": "VA",
    "$geoip_subdivision_1_name": "Virginia",
    "$geoip_time_zone": "America/New_York",
    "$ip": "52.200.241.107",
    "$plugins_deferred": [],
    "$plugins_failed": [],
    "$plugins_succeeded": [
      "GeoIP (3)"
    ],
    "distinct_id": "1zc2e794-1c3e-43fc-a78f-1db6d1a37f54",
    "fqdn": "awsdemo.firezone.dev",
    "kernel_version": "linux 5.13.0",
    "version": "0.4.6"
  },
  "elements_chain": ""
}
NOTE
The Firezone development team relies on product analytics to make Firezone better for everyone. Leaving telemetry enabled is the most valuable contribution you can make to Firezone's development. That said, we understand that some users have higher privacy or security requirements and would prefer to disable telemetry altogether. If that is you, read on.
Telemetry is enabled by default. To disable product telemetry completely, set the following configuration option to false in /etc/firezone/firezone.rb and run sudo firezone-ctl reconfigure to apply the change.
default['firezone']['telemetry']['enabled'] = false
That will disable all product telemetry.