date: 2014-08-29
WAF Node Build notes
___________________________________________________
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Install minimum ubuntu(13.04) with openssh selected.
Set IP 192.168.10.220/24
GW 192.168.10.1
DNS 208.67.222.222 & 208.67.220.220
apt-get update
apt-get upgrade
apt-get install apache2 sqlite3 libcgi-pm-perl
a2enmod proxy proxy_http ssl
mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
# generate signing request
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
# self sign request
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
#to remove password from private key so service restart does not require assistance
openssl rsa -in server.key -out server.key.nopass
#copy /etc/apache2/sites-available to *-bak
#symlink in the ssl site config
ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/000-default-ssl
nano /etc/apache2/sites-available/default
#———————————————————–
#———- Working HTTP Vhost for redirect logic ———-
#———————————————————–
<VirtualHost *:80>
UseCanonicalName off
ProxyPreserveHost on
ProxyRequests off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
RewriteEngine on
#must be prior to www check and must go to secure else loop occurs
RewriteCond %{HTTP_HOST} ^secure
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTP_HOST} ^checkout
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTP_HOST} !^www
RewriteRule (.*) http://www\.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTPS} off [NC]
RewriteCond %{REQUEST_URI} ^/secure/(.*) [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# RewriteCond %{HTTPS} off
# RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
ProxyPass / http://192.168.10.15/
ProxyPassReverse / http://192.168.10.15/
</VirtualHost>
<VirtualHost *:80>
ServerName error.somedomain.co.uk
UseCanonicalName off
ProxyPreserveHost on
ProxyRequests off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://192.168.10.15/
ProxyPassReverse / http://192.168.10.15/
</VirtualHost>
<VirtualHost *:80>
ServerName extranet. somedomain.co.uk
ServerAlias bi. somedomain.co.uk
UseCanonicalName off
ProxyPreserveHost on
ProxyRequests off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
ProxyPass / http://172.16.1.16/
ProxyPassReverse / http://172.16.1.16/
</VirtualHost>
<VirtualHost *:80>
ServerName WAFCN1
ServerAdmin webmaster@localhost#
DocumentRoot /var/www
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory “/usr/lib/cgi-bin”>
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
#——————————————————-
#—– End of file ————————————-
#——————————————————-
nano /etc/apache2/sites-available/default-ssl
#———————————————————–
#———- Working HTTPs Vhosts needs SNI handling ——-
#———————————————————–
#NameVirtualHost *:443
<IfModule mod_proxy.c>
<VirtualHost *:443>
# Catch anyhost here and send to error vip on load balancer
#SSLStrictSNIVHostCheck on
UseCanonicalName off
SSLEngine On
SSLProxyEngine on
ProxyPreserveHost On
SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key.nopass
ProxyPass / http://192.168.10.7/
ProxyPassReverse / http://192.168.10.7/
</VirtualHost>
<VirtualHost *:443>
# just a test site
ServerName www.host. somedomain.co.uk
SSLEngine On
SSLProxyEngine on
ProxyPreserveHost On
SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH
SSLCertificateFile /etc/apache2/ssl/www.host.test.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.host.test.key.nopass
ProxyPass / http://192.168.10.15/
ProxyPassReverse / http://192.168.10.15/
</VirtualHost>
</IfModule>
#——————————————————-
#—– End of file ————————————-
#——————————————————-
nano /etc/apache2/ports.conf
#——————————————
#——- start of file —————-
#——————————————
NameVirtualHost *:80
Listen 80
<IfModule mod_proxy.c>
NameVirtualHost *:443
Listen 443
</IfModule>
<IfModule mod_ssl.c>
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
#——————————————————-
#—– End of file ————————————-
#——————————————————-
nano /etc/apache2/mod-available/proxy.conf
#——————————————
#——- start of file —————-
#——————————————
<IfModule mod_proxy.c>
ProxyRequests Off
<Proxy *>
AddDefaultCharset off
Order deny,allow
Allow from all
#Allow from .example.com
</Proxy>
ProxyVia On
</IfModule>
#——————————————————-
#—– End of file ————————————-
#——————————————————-
Install Applicure DotNetDefender (install documentation available from website also)
make sure to remove any previous install # rm -r /usr/local/APPCure-full/
copy over the dotDefender-5.10.Linux.x86_64.deb.bin via winSCP and
# chmod 777 dotDefender-5.10.Linux.x86_64.deb.bin
./dotDefender-5.10.Linux.x86_64.deb.bin
@Next
@I agree
@next
enter; /usr/sbin/apache2 @next
@next
enter; dotDefender @next
enter the pw @next
select Auto @next
select 1 day @next
select Applicure @next
@next
@go
DotDefender Administration, Ensure your hosts files has entries for the nodes. Then browse to http://WAFCN[1 or 2]/dotDefender
Login as admin, using the common pw. You will have to start apache on the backup node to backup and restore setting between nodes. This is something that can be improved! Tried to do it in SVN but that breaks the backup node and dotdefender has to be reinstalled. So for now you have to backup and restore via the web gui.