From 4aa612a2b61da86bc355cf0eaf42125970fcd029 Mon Sep 17 00:00:00 2001 From: Matthew R Date: Sat, 3 Apr 2021 02:08:09 -0400 Subject: [PATCH] Initial commit --- Asterisk/README.md | 13 +++ Dovecot/README.md | 15 +++ Dovecot/dovecot.conf | 102 ++++++++++++++++++ Nginx/README.md | 15 +++ .../Server Blocks/auth.libraryofcode.org.conf | 38 +++++++ .../Server Blocks/bin.libraryofcode.org.conf | 23 ++++ Nginx/Server Blocks/board.ins.conf | 64 +++++++++++ .../certapi.libraryofcode.org.conf | 44 ++++++++ .../cloud.libraryofcode.org.conf | 33 ++++++ Nginx/nginx.conf | 98 +++++++++++++++++ Postfix/README.md | 15 +++ Postfix/master.conf | 98 +++++++++++++++++ 12 files changed, 558 insertions(+) create mode 100644 Asterisk/README.md create mode 100644 Dovecot/README.md create mode 100644 Dovecot/dovecot.conf create mode 100644 Nginx/README.md create mode 100644 Nginx/Server Blocks/auth.libraryofcode.org.conf create mode 100644 Nginx/Server Blocks/bin.libraryofcode.org.conf create mode 100644 Nginx/Server Blocks/board.ins.conf create mode 100644 Nginx/Server Blocks/certapi.libraryofcode.org.conf create mode 100644 Nginx/Server Blocks/cloud.libraryofcode.org.conf create mode 100644 Nginx/nginx.conf create mode 100644 Postfix/README.md create mode 100644 Postfix/master.conf
diff --git a/Asterisk/README.md b/Asterisk/README.md
new file mode 100644
index 0000000..87f52f5
--- /dev/null
+++ b/Asterisk/README.md
@@ -0,0 +1,13 @@
+# Asterisk
+*PBX - Private Branch Exchange*
+
+## Accounts
+- root
+- asterisk
+
+## Protocols
+- PJSIP [5060-UDP]
+- PJSIP over TLS [5061-UDP]
+- SIP [5160-UDP]
+- SIP over TLS [5161-UDP]
+- IAX2 [4569-UDP]
diff --git a/Dovecot/README.md b/Dovecot/README.md
new file mode 100644
index 0000000..9c791c2
--- /dev/null
+++ b/Dovecot/README.md
@@ -0,0 +1,15 @@
+# Dovecot
+*MDA - Mail Delivery Agent*
+
+## Accounts
+- root
+- dovecot
+- dovenull
+- mail
+
+## Protocols
+- IMAP [143-TCP]
+- IMAPS [993-TCP]
+
+## Locations
+- `/etc/dovecot`: Configuration directory
diff --git a/Dovecot/dovecot.conf b/Dovecot/dovecot.conf
new file mode 100644
index 0000000..2896659
--- /dev/null
+++ b/Dovecot/dovecot.conf
@@ -0,0 +1,102 @@
+## Dovecot configuration file
+
+# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
+
+# "doveconf -n" command gives a clean output of the changed settings. Use it
+# instead of copy&pasting files when posting to the Dovecot mailing list.
+
+# '#' character and everything after it is treated as comments. Extra spaces
+# and tabs are ignored. If you want to use either of these explicitly, put the
+# value inside quotes, eg.: key = "# char and trailing whitespace "
+
+# Most (but not all) settings can be overridden by different protocols and/or
+# source/destination IPs by placing the settings inside sections, for example:
+# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
+
+# Default values are shown for each setting, it's not required to uncomment
+# those. These are exceptions to this though: No sections (e.g. namespace {})
+# or plugin settings are added by default, they're listed only as examples.
+# Paths are also just examples with the real defaults being based on configure
+# options. The paths listed here are for configure --prefix=/usr
+# --sysconfdir=/etc --localstatedir=/var
+
+# Enable installed protocols
+!include_try /usr/share/dovecot/protocols.d/*.protocol
+
+# A comma separated list of IPs or hosts where to listen in for connections.
+# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
+# If you want to specify non-default ports or anything more complex,
+# edit conf.d/master.conf.
+#listen = *, ::
+
+# Base directory where to store runtime data.
+#base_dir = /var/run/dovecot/
+
+# Name of this instance. In multi-instance setup doveadm and other commands
+# can use -i to select which instance is used (an alternative
+# to -c ). The instance name is also added to Dovecot processes
+# in ps output.
+#instance_name = dovecot
+
+# Greeting message for clients.
+#login_greeting = Dovecot ready.
+
+# Space separated list of trusted network ranges. Connections from these
+# IPs are allowed to override their IP addresses and ports (for logging and
+# for authentication checks). disable_plaintext_auth is also ignored for
+# these networks. Typically you'd specify your IMAP proxy servers here.
+#login_trusted_networks =
+
+# Space separated list of login access check sockets (e.g. tcpwrap)
+#login_access_sockets =
+
+# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
+# proxying. This isn't necessary normally, but may be useful if the destination
+# IP is e.g. a load balancer's IP.
+#auth_proxy_self =
+
+# Show more verbose process titles (in ps). Currently shows user name and
+# IP address. Useful for seeing who are actually using the IMAP processes
+# (eg. shared mailboxes or if same uid is used for multiple accounts).
+#verbose_proctitle = no
+
+# Should all processes be killed when Dovecot master process shuts down.
+# Setting this to "no" means that Dovecot can be upgraded without
+# forcing existing client connections to close (although that could also be
+# a problem if the upgrade is e.g. because of a security fix).
+#shutdown_clients = yes
+
+# If non-zero, run mail commands via this many connections to doveadm server,
+# instead of running them directly in the same process.
+#doveadm_worker_count = 0
+# UNIX socket or host:port used for connecting to doveadm server
+#doveadm_socket_path = doveadm-server
+
+# Space separated list of environment variables that are preserved on Dovecot
+# startup and passed down to all of its child processes. You can also give
+# key=value pairs to always set specific settings.
+#import_environment = TZ
+
+##
+## Dictionary server settings
+##
+
+# Dictionary can be used to store key=value lists. This is used by several
+# plugins. The dictionary can be accessed either directly or though a
+# dictionary server. The following dict block maps dictionary names to URIs
+# when the server is used. These can then be referenced using URIs in format
+# "proxy::".
+
+dict {
+ #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
+ #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
+}
+
+# Most of the actual configuration gets included below. The filenames are
+# first sorted by their ASCII value and parsed in that order. The 00-prefixes
+# in filenames are intended to make it easier to understand the ordering.
+!include conf.d/*.conf
+
+# A config file can also tried to be included without giving an error if
+# it's not found:
+!include_try local.conf
diff --git a/Nginx/README.md b/Nginx/README.md
new file mode 100644
index 0000000..28a061d
--- /dev/null
+++ b/Nginx/README.md
@@ -0,0 +1,15 @@
+# Nginx
+*HTTP/SMTP/IMAP/POP3 Proxy Server*
+
+## Accounts
+- root
+- www-data
+
+## Protocols
+- HTTP [80-TCP]
+- HTTPS [443-TCP]
+
+## Locations
+- `/etc/nginx` - Configuration directory
+
+
diff --git a/Nginx/Server Blocks/auth.libraryofcode.org.conf b/Nginx/Server Blocks/auth.libraryofcode.org.conf
new file mode 100644
index 0000000..a652130
--- /dev/null
+++ b/Nginx/Server Blocks/auth.libraryofcode.org.conf
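Review bot: The committed dovecot.conf is the stock template with every setting still commented out, so the settings that decide the security posture here — listeners, TLS, `disable_plaintext_auth` and the auth mechanisms — come from `!include conf.d/*.conf`, and none of those files are part of this commit. As reviewed, the file says nothing about the deployment; add the `conf.d/` files or a `doveconf -n` snapshot (the header comment itself recommends that command) so the repository reflects what actually runs. The README for this service lists IMAP on 143-TCP; whether plaintext logins are refused on that port depends on the missing included files, so it cannot be confirmed from this change.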
@@ -0,0 +1,38 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name auth.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://localhost:8200;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://localhost:8200 https://auth.libraryofcode.org;
+
+ }
+}
diff --git a/Nginx/Server Blocks/bin.libraryofcode.org.conf b/Nginx/Server Blocks/bin.libraryofcode.org.conf
new file mode 100644
index 0000000..d0228c0
--- /dev/null
+++ b/Nginx/Server Blocks/bin.libraryofcode.org.conf
@@ -0,0 +1,23 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name bin.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ root /var/binary;
+ location / {
+ autoindex on;
+ }
+}
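Review bot: `proxy_set_header X-Frame-Options SAMEORIGIN;` sets a request header that is sent upstream to localhost:8200, not a response header the browser sees, so it gives no clickjacking protection; the intended directive is `add_header X-Frame-Options SAMEORIGIN always;` in the `server` block. Because nginx only inherits `add_header` from the `http` level when the current level defines none, adding it here also drops the Strict-Transport-Security header set in nginx.conf, so repeat that `add_header` in the same block. The same `proxy_set_header X-Frame-Options` line appears in board.ins.conf (both location blocks) and certapi.libraryofcode.org.conf. `ssl_stapling on` / `ssl_stapling_verify on` have no `resolver` in this block or in the committed nginx.conf, so nginx presumably cannot look up the OCSP responder and stapling is silently inactive; add `resolver <DNS-IP> valid=300s;` (placeholder address) or remove the two directives.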
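Review bot: `autoindex on;` under `root /var/binary;` publishes a browsable listing of the entire directory to anyone who reaches bin.libraryofcode.org, since the `location /` block has no `allow`/`deny` or authentication. If a public listing is the intent, say so in a comment above the `location` so the next reader does not "fix" it; otherwise set `autoindex off;` and serve only named paths, or restrict who can list the directory.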
diff --git a/Nginx/Server Blocks/board.ins.conf b/Nginx/Server Blocks/board.ins.conf
new file mode 100644
index 0000000..b23e5de
--- /dev/null
+++ b/Nginx/Server Blocks/board.ins.conf
@@ -0,0 +1,64 @@
+server {
+ listen 10.8.0.1:443 ssl http2;
+ #listen [::]:443 ssl http2;
+ server_name board.ins;
+
+ ssl_certificate /etc/nginx/ssl/board-ins.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/board-ins.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ #limit_req zone=one burst=15;
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://localhost:3121;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://localhost:3121 https://board.ins;
+
+ }
+
+ location /api {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://localhost:3892;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://localhost:3892 https://board.ins/api;
+
+ }
+}
diff --git a/Nginx/Server Blocks/certapi.libraryofcode.org.conf b/Nginx/Server Blocks/certapi.libraryofcode.org.conf
new file mode 100644
index 0000000..95bbeed
--- /dev/null
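Review bot: `#limit_req zone=one burst=15;` refers to a `zone=one` that no committed file declares with `limit_req_zone` (the `http` block in nginx.conf has none), so uncommenting it as written would fail `nginx -t`; the same commented line is in certapi.libraryofcode.org.conf and cloud.libraryofcode.org.conf. If rate limiting is planned, declare the zone once in nginx.conf, e.g. `limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;` (rate is a constructed example), otherwise remove the dead lines. The `location /api` block repeats the `location /` block with only the upstream port changed; moving the shared `proxy_set_header` lines into a snippet pulled in with `include` would keep the two in step when one is edited.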
+++ b/Nginx/Server Blocks/certapi.libraryofcode.org.conf
@@ -0,0 +1,44 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name certapi.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ #limit_req zone=one burst=15;
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://localhost:3030;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://localhost:3030 https://certapi.libraryofcode.org;
+
+ }
+}
diff --git a/Nginx/Server Blocks/cloud.libraryofcode.org.conf b/Nginx/Server Blocks/cloud.libraryofcode.org.conf
new file mode 100644
index 0000000..0794de5
--- /dev/null
+++ b/Nginx/Server Blocks/cloud.libraryofcode.org.conf
@@ -0,0 +1,33 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name cloud.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ client_max_body_size 1G;
+ #limit_req zone=one burst=15;
+
+
+ location / {
+ return 307 $scheme://www.libraryofcode.org/;
+ }
+ location ~ /(.*)$ {
+ rewrite https://$1.cloud.libraryofcode.org temporary;
+ }
+}
diff --git a/Nginx/nginx.conf b/Nginx/nginx.conf
new file mode 100644
index 0000000..f07f1ac
--- /dev/null
+++ b/Nginx/nginx.conf
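Review bot: `rewrite https://$1.cloud.libraryofcode.org temporary;` puts the target URL where `rewrite` expects its regex argument and `temporary` where it expects the replacement, so the directive never matches a request URI; and because the regex location `~ /(.*)$` matches every URI and wins over the prefix `location /`, the `return 307` to www is never reached either, so this server block currently does nothing it was written to do. When it is corrected, `$1` must not be the raw remainder of the path: a request for an illustrative path like `/other-host/x` would be turned into a redirect to `https://other-host/x.cloud.libraryofcode.org`, i.e. an open redirect to an arbitrary host. Restrict the capture to one DNS label and anchor it, `location ~ ^/([A-Za-z0-9-]+)/?$ { return 307 https://$1.cloud.libraryofcode.org/; }`, which also leaves the bare `/` request to the prefix location above it.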
@@ -0,0 +1,98 @@
+# Main Nginx Configuration File
+
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ server_tokens off;
+ more_set_headers 'Server: Library of Code Staff Command (https://www.libraryofcode.org)';
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
+ ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+ ssl_dhparam /etc/nginx/dhparam.pem
+ ;ssl_ecdh_curve secp384r1;
+
+ ##
+ # Logging Settings
+ ##
+
+ #access_log /var/log/nginx/access.log;
+ #error_log /var/log/nginx/error.log;
+
+
+ log_format main_ext '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" ' '"$host" sn="$server_name" ' 'rt=$request_time ' 'ua="$upstream_addr" us="$upstream_status" ' 'ut="$upstream_response_time" ul="$upstream_response_length" ' 'cs=$upstream_cache_status' ;
+
+ access_log /var/log/nginx/access.log main_ext;
+ error_log /var/log/nginx/error.log warn;
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+ gzip_disable "msie6";
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+# # See sample authentication script at:
+# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+# # auth_http localhost/auth.php;
+# # pop3_capabilities "TOP" "USER";
+# # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+# server {
+# listen localhost:110;
+# protocol pop3;
+# proxy on;
+# }
+#
+# server {
+# listen localhost:143;
+# protocol imap;
+# proxy on;
+# }
+#}
diff --git a/Postfix/README.md b/Postfix/README.md
new file mode 100644
index 0000000..a1dc523
--- /dev/null
+++ b/Postfix/README.md
@@ -0,0 +1,15 @@
+# Postfix
+*MTA - Mail Transfer Agent*
+
+## Accounts
+- root
+- postfix
+
+## Protocols
+- SMTP (MTA <-> MTA) [25-TCP]
+- SMTP (MUA <-> MTA) [587-TCP]
+- SMTPS (MUA <-> MTA) [467-TCP]
+
+## Locations
+- `/etc/postfix` - Configuration directory
+
diff --git a/Postfix/master.conf b/Postfix/master.conf
new file mode 100644
index 0000000..2fcb010
--- /dev/null
+++ b/Postfix/master.conf
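Review bot: `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;` in the `http` block makes TLS 1.1 the default for every server that does not override it; the five committed server blocks each narrow this to `ssl_protocols TLSv1.2;`, but any future block dropped into `conf.d/` or `sites-enabled/` inherits the weaker list, so set `ssl_protocols TLSv1.2 TLSv1.3;` here and let the per-server overrides go. In `ssl_ciphers`, `ECDHE-RSA-AES256-GCM-SHA512` and `DHE-RSA-AES256-GCM-SHA512` are not OpenSSL cipher-suite names as far as I can tell (AES-256-GCM suites use SHA384) and are silently skipped, leaving three RSA-only suites and no ECDSA or ChaCha20 options; aligning this list with the one the server blocks use would make the http-level default consistent. `ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;` on one line and the `;` that opens the `ssl_ecdh_curve` line both parse, but one directive per line, as in the rest of the file, is easier to audit.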
@@ -0,0 +1,98 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific: Specifying a file name will cause the first
+# line of that file to be used as the name. The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname Library of Code sp-us Staff Services | ESMTP (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/postfix/ssl/globalsign.crt
+smtpd_tls_key_file=/etc/postfix/ssl/globalsign.key.pem
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_security_level = may
+smtpd_tls_security_level = may
+smtp_tls_note_starttls_offer = yes
+smtpd_tls_CAfile = /etc/postfix/ssl/globalsign.ca.crt
+smtpd_tls_loglevel = 1
+smtpd_tls_received_header = yes
+smtpd_tls_session_cache_timeout = 3600s
+tls_random_source = dev:/dev/urandom
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+# RESTRICTIONS
+smtpd_relay_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ defer_unauth_destination,
+smtpd_helo_restrictions =
+ permit_mynetworks,
+ reject_non_fqdn_helo_hostname,
+ reject_invalid_helo_hostname,
+ reject_unknown_helo_hostname,
+ permit,
+smtpd_sender_restrictions =
+ reject_unknown_sender_domain,
+ reject_unknown_reverse_client_hostname,
+ reject_unknown_client_hostname,
+ reject_sender_login_mismatch,
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ permit,
+smtpd_recipient_restrictions =
+ reject_unauth_pipelining,
+ reject_non_fqdn_recipient,
+ reject_unknown_recipient_domain,
+ permit_mynetworks,
+ check_policy_service inet:127.0.0.1:10023
+ permit,
+
+myhostname = staff.libraryofcode.org
+alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
+alias_database = hash:/etc/aliases
+smtpd_sender_login_maps = hash:/etc/postfix/virtual-mailbox-users
+
+myorigin = /etc/mailname
+mydestination = $myhostname, libraryofcode.org, libraryofcode.us staff.libraryofcode.us, staff-libraryofcode.staff.libraryofcode.us, localhost.staff.libraryofcode.us, localhost, libraryofcode.us
+relayhost =
+relay_domains = lists.libraryofcode.org
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 63.141.252.130
+mailbox_size_limit = 0
+mailbox_command = procmail -a "$EXTENSION" DEFAULT=/var/mail/$USER
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+smtpd_sasl_auth_enable = yes
+broken_sasl_auth_clients = yes
+milter_default_action = accept
+milter_protocol = 6
+smtpd_milters = inet:localhost:8891, local:/opendmarc/opendmarc.sock
+non_smtpd_milters = $smtpd_milters
+mail_name = Library of Code sp-us | Staff Command
+virtual_alias_maps = hash:/etc/postfix/virtual
+
+#authorized_submit_users = !boss, !test, static:all
+message_size_limit = 1073741824
+transport_maps = hash:/etc/postfix/transport
+unknown_local_recipient_reject_code = 550
+mailman_destination_recipient_limit = 1
+#local_recipient_maps = hash:/var/lib/mailman3/data/postfix_lmtp
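Review bot: `smtpd_sasl_auth_enable = yes` combined with `smtpd_tls_security_level = may` and no `smtpd_tls_auth_only` means the smtpd on every interface (`inet_interfaces = all`) advertises AUTH before STARTTLS, so a mail client can send its password in cleartext; add `smtpd_tls_auth_only = yes` under the TLS parameters (per-port overrides, if any, belong in master.cf). `mynetworks` includes the public address `63.141.252.130`, and `permit_mynetworks` is evaluated before the authentication checks in all four restriction lists, so any process on that host can relay through this server without credentials; confirm that it is the intended relay client and add a comment naming what it is. The file is committed as master.conf but holds main.cf-style `key = value` settings (the first comment even points to main.cf.dist), which will mislead anyone looking for the master.cf service table. `smtpd_use_tls=yes` is the legacy form that `smtpd_tls_security_level` replaces and can be dropped, as can the duplicate `libraryofcode.us` in `mydestination`.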