Fixed DNS-KEY and inconsistent networks
parent
7e76bffa3e
commit
1bb54e15dc
24
INSTALL.md
24
INSTALL.md
@ -488,24 +488,24 @@ Now edit the `etc/config` file
```sh
```sh
TLD='mynet'
TLD='mynet'
LOCAL_SERVER='hn'
LOCAL_SERVER='hn'
IPV4_NET='10.11.0.0/16'
IPV4_NET='10.99.0.0/16'
IPV6_NET='fd69:1337:0:420:f4:11::/96'
IPV6_NET='fd69:1337:0:420:f4:99::/96'
WG_DNS='DNS=10.11.0.1'
WG_DNS='DNS=10.99.0.1'
SSL_CONFIG_DIR="/etc/ssl/private/${TLD}"
SSL_CONFIG_DIR="/etc/ssl/private/${TLD}"
SSL_CA_CERT="${SSL_CONFIG_DIR}/_ca.crt"
SSL_CA_CERT="${SSL_CONFIG_DIR}/_ca.crt"
SSL_CA_KEY="${SSL_CONFIG_DIR}/_ca.key"
SSL_CA_KEY="${SSL_CONFIG_DIR}/_ca.key"
SSL_ORG='My Cool Organization'
SSL_ORG='My Cool Organization'
SSL_DAYS='3650'
SSL_DAYS='3650'
SSL_CA_PASS='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
SSL_CA_PASS='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
DNS_KEY='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=='
DNS_KEY='hmac-sha512:wagon:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=='
DNS_MASTER='10.3.0.1'
DNS_MASTER='10.99.0.1'
DNS_TTL='86400'
DNS_TTL='86400'
```
```
This file should be mostly self-explanitory. "SSL_CA_PASS" is the CA key passphrase created in the last section. The "DNS_KEY" can be found in the "secret" section of the `/etc/bind/keys/wagon.keys` file, which looks like this:
This file should be mostly self-explanitory. "SSL_CA_PASS" is the CA key passphrase created in the last section. The "DNS_KEY" string should be created from the `/etc/bind/keys/wagon.keys` file, which looks like this:
```tsig
```tsig
key "wgapi-ksn" {
key "wagon" {
algorithm hmac-sha512;
algorithm hmac-sha512;
secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX==";
secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX==";
};
};
@ -533,11 +533,11 @@ That's not bad. We could take requests on that port, but let's take secure https
# User API
# User API
server {
server {
server_name wagon-dashboard-api.hn.mynet;
server_name wagon-dashboard-api.hn.mynet;
listen 10.11.0.1:443 ssl http2;
listen 10.99.0.1:443 ssl http2;
ssl_certificate /etc/ssl/private/mynet/hn/server.crt;
ssl_certificate /etc/ssl/private/mynet/hn/server.crt;
ssl_certificate_key /etc/ssl/private/mynet/hn/server.key;
ssl_certificate_key /etc/ssl/private/mynet/hn/server.key;
ssl_stapling off;
ssl_stapling off;
allow 10.11.0.0/16; # All users
allow 10.99.0.0/16; # All users
deny all; # Everyone else
deny all; # Everyone else
location / {
location / {
proxy_pass http://localhost:4442;
proxy_pass http://localhost:4442;
@ -547,12 +547,12 @@ server {
# Admin API
# Admin API
server {
server {
server_name wagon-admin-api.hn.mynet;
server_name wagon-admin-api.hn.mynet;
listen 10.11.0.1:443 ssl http2;
listen 10.99.0.1:443 ssl http2;
ssl_certificate /etc/ssl/private/mynet/hn/server.crt;
ssl_certificate /etc/ssl/private/mynet/hn/server.crt;
ssl_certificate_key /etc/ssl/private/mynet/hn/server.key;
ssl_certificate_key /etc/ssl/private/mynet/hn/server.key;
ssl_stapling off;
ssl_stapling off;
allow 10.11.1.0/24; # One admin
allow 10.99.1.0/24; # One admin
allow 10.11.7.0/24; # Another admin
allow 10.99.7.0/24; # Another admin
deny all; # Everyone else
deny all; # Everyone else
location / {
location / {
proxy_pass http://localhost:4441;
proxy_pass http://localhost:4441;