Fixed DNS-KEY and inconsistent networks
parent
7e76bffa3e
commit
1bb54e15dc
24
INSTALL.md
24
INSTALL.md
|
@ -488,24 +488,24 @@ Now edit the `etc/config` file
|
|||
```sh
|
||||
TLD='mynet'
|
||||
LOCAL_SERVER='hn'
|
||||
IPV4_NET='10.11.0.0/16'
|
||||
IPV6_NET='fd69:1337:0:420:f4:11::/96'
|
||||
WG_DNS='DNS=10.11.0.1'
|
||||
IPV4_NET='10.99.0.0/16'
|
||||
IPV6_NET='fd69:1337:0:420:f4:99::/96'
|
||||
WG_DNS='DNS=10.99.0.1'
|
||||
SSL_CONFIG_DIR="/etc/ssl/private/${TLD}"
|
||||
SSL_CA_CERT="${SSL_CONFIG_DIR}/_ca.crt"
|
||||
SSL_CA_KEY="${SSL_CONFIG_DIR}/_ca.key"
|
||||
SSL_ORG='My Cool Organization'
|
||||
SSL_DAYS='3650'
|
||||
SSL_CA_PASS='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
|
||||
DNS_KEY='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=='
|
||||
DNS_MASTER='10.3.0.1'
|
||||
DNS_KEY='hmac-sha512:wagon:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=='
|
||||
DNS_MASTER='10.99.0.1'
|
||||
DNS_TTL='86400'
|
||||
```
|
||||
|
||||
This file should be mostly self-explanitory. "SSL_CA_PASS" is the CA key passphrase created in the last section. The "DNS_KEY" can be found in the "secret" section of the `/etc/bind/keys/wagon.keys` file, which looks like this:
|
||||
This file should be mostly self-explanitory. "SSL_CA_PASS" is the CA key passphrase created in the last section. The "DNS_KEY" string should be created from the `/etc/bind/keys/wagon.keys` file, which looks like this:
|
||||
|
||||
```tsig
|
||||
key "wgapi-ksn" {
|
||||
key "wagon" {
|
||||
algorithm hmac-sha512;
|
||||
secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX==";
|
||||
};
|
||||
|
@ -533,11 +533,11 @@ That's not bad. We could take requests on that port, but let's take secure https
|
|||
# User API
|
||||
server {
|
||||
server_name wagon-dashboard-api.hn.mynet;
|
||||
listen 10.11.0.1:443 ssl http2;
|
||||
listen 10.99.0.1:443 ssl http2;
|
||||
ssl_certificate /etc/ssl/private/mynet/hn/server.crt;
|
||||
ssl_certificate_key /etc/ssl/private/mynet/hn/server.key;
|
||||
ssl_stapling off;
|
||||
allow 10.11.0.0/16; # All users
|
||||
allow 10.99.0.0/16; # All users
|
||||
deny all; # Everyone else
|
||||
location / {
|
||||
proxy_pass http://localhost:4442;
|
||||
|
@ -547,12 +547,12 @@ server {
|
|||
# Admin API
|
||||
server {
|
||||
server_name wagon-admin-api.hn.mynet;
|
||||
listen 10.11.0.1:443 ssl http2;
|
||||
listen 10.99.0.1:443 ssl http2;
|
||||
ssl_certificate /etc/ssl/private/mynet/hn/server.crt;
|
||||
ssl_certificate_key /etc/ssl/private/mynet/hn/server.key;
|
||||
ssl_stapling off;
|
||||
allow 10.11.1.0/24; # One admin
|
||||
allow 10.11.7.0/24; # Another admin
|
||||
allow 10.99.1.0/24; # One admin
|
||||
allow 10.99.7.0/24; # Another admin
|
||||
deny all; # Everyone else
|
||||
location / {
|
||||
proxy_pass http://localhost:4441;
|
||||
|
|
Loading…
Reference in New Issue