Project 2 Web Redundancy - Oliver-Mustoe/Oliver-Mustoe-Tech-Journal GitHub Wiki

This page journals content related to SEC-440 project 2. See the network diagram for a visual representation.


My General Plan

General plan for tackling the assignment:

  1. OPT Network (vyos1/vyos2)

    1. 10.0.6 & VRRP are already running, double check

    2. NAT, DNS for destination and DNS forwarding

  2. WEB02 setup

    1. General setup (IP address, user, hostname)

    2. HTTPD (make sure enabled)

      1. Web pages

  3. HAProxy (ha1, ha2)

    1. General stuff (IP address via netplan, user, hostname)

    2. Load balance web01 and web02 via HAProxy

    3. Using cURL for testing

  4. Keepalived - on ha01/ha02

    1. Using cURL for testing

  5. Update destination NAT to point to HAProxy (10.0.6.10)

OPT network setup

First I set the ha1 and ha2 VMs to use the OPT network adapter, set web02 to the LAN adapter, and made sure the third adapters of vyos1/vyos2 were on OPT as well.

On both vyos boxes I then set up OPT network DNS and NAT:

configure
set nat source rule 15 description 'OPT to CYBER'
set nat source rule 15 outbound-interface 'eth0'
set nat source rule 15 source address '10.0.6.0/24'
set nat source rule 15 translation address 'masquerade'
set service dns forwarding allow-from '10.0.6.0/24'
set service dns forwarding listen-address '10.0.6.1'
commit

Below shows the vyos settings set up correctly:

Web02 setup

On web02 I logged in as root and set the hostname/added a user:

sudo hostnamectl set-hostname "web02-oliver"
adduser olivermustoe
usermod -aG wheel olivermustoe

Then I set a password for root and the olivermustoe admin user:

passwd
passwd olivermustoe

I then logged back in as olivermustoe, locked the root password, and disabled root SSH login in /etc/ssh/sshd_config:

sudo usermod -L root

(Below shows disabling root login in /etc/ssh/sshd_config)

Then, using the nmtui command, I set up my networking like the following under "Edit a connection" > the first and only connection available, "ens192":

Below shows connectivity working on web02:

Then on web02 I installed the Apache web server and opened firewall port 80:

sudo yum update -y
sudo yum install httpd -y
sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
sudo firewall-cmd --reload

And created an index.html like the following (in /var/www/html/index.html):

Finally I started httpd (with status check):

sudo systemctl start httpd
sudo systemctl status httpd
sudo systemctl enable httpd

I also updated my web01 index.html like the following:

HA setup

HA1 base setup

First I logged into ha1 as champuser, then I set up ha1's hostname and an admin user (using the following):

sudo hostnamectl set-hostname "ha01-oliver"
sudo adduser olivermustoe
sudo usermod -aG sudo olivermustoe
sudo passwd olivermustoe

(NOTE: The passwd command above isn't strictly needed, but it's a good double check.)

Then I logged back in as olivermustoe, locked the champuser password, and disabled root SSH login in /etc/ssh/sshd_config:

sudo usermod -L champuser

(Below shows disabling root login in /etc/ssh/sshd_config)

Then I set up the following netplan in /etc/netplan/00-installer-config.yaml with sudo vi:

And applied it with sudo netplan apply; after this I could successfully ping google.com:

HA2 base setup

I would repeat the same setup process of the HA1 base setup on ha2 with the following changes:

  1. Hostname is "ha02-oliver"

  2. Used the following netplan:

HAProxy setup

HA1 HAProxy setup

On ha1 I installed haproxy:

sudo apt install haproxy -y

Then on ha1 I created a copy of the original HAProxy config:

sudo cp /etc/haproxy/haproxy.cfg ./haproxy.cfg.backup

Then I added the following to /etc/haproxy/haproxy.cfg with sudo vi:

frontend ha
    bind *:80
    default_backend webpool
backend webpool
    balance roundrobin
    server web01 10.0.5.100:80 check
    server web02 10.0.5.101:80 check

And then I restarted and checked HAProxy's status:

sudo systemctl restart haproxy
sudo systemctl status haproxy

Testing HAProxy with curl 10.0.6.11 from xubuntulan:

I would save my haproxy.cfg for ha1 in GitHub.

HA2 HAProxy setup

I would repeat the HA1 HAProxy setup for ha2 (installing haproxy > creating backup > creating configuration exactly the same as ha1 > restart and check status > check with curl):

(NOTE: Used scp to copy the config file from ha1 into the olivermustoe home directory on ha2, then used sudo cp to copy it to HAProxy directory.)

I would save my haproxy.cfg for ha2 in GitHub.

Keepalived setup

HA1 Keepalived setup

First I installed keepalived on ha1:

sudo apt update
sudo apt install keepalived -y

Then I set up its configuration (in /etc/keepalived/keepalived.conf, which should be owned by root):

vrrp_instance ha {
    state MASTER
    interface ens160
    virtual_router_id 30
    priority 200
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass oliver
    }
    virtual_ipaddress {
      10.0.6.10/24
    }
}

Then I restarted and checked keepalived's status:

sudo systemctl restart keepalived
sudo systemctl status keepalived

With ip a I could see that the 10.0.6.10 address is now on the ens160 interface:

Used curl 10.0.6.10 to test:

I would save my keepalived.conf under keepalived.conf.ha1 (the file must be renamed to "keepalived.conf" and moved to /etc/keepalived if it is to work on a system).

HA2 Keepalived setup

I would repeat the HA1 Keepalived setup on ha2 with the following differences:

  1. Used the following keepalived configuration:

vrrp_instance ha {
    state BACKUP
    interface ens160
    virtual_router_id 30
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass oliver
    }
    virtual_ipaddress {
      10.0.6.10/24
    }
}

I would save my keepalived.conf under keepalived.conf.ha2 (the file must be renamed to "keepalived.conf" and moved to /etc/keepalived if it is to work on a system).
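The "ip a" check above is the quickest way to tell which of ha1/ha2 currently holds the VRRP address. The script below is an added example for this page (not from the original journal) that turns that check into functions: one decides MASTER/BACKUP from the output of ip -4 addr show, and one reports whether haproxy is actually running on the node. The ha2 address (10.0.6.12) and the sample ip output are constructed for this example; ha1's 10.0.6.11 and the VIP 10.0.6.10 come from the journal.

```shell
#!/bin/sh
# Added example (not from the original journal). Interface and VIP default to
# the journal's values; override with IFACE=... VIP=... in the environment.
VIP="${VIP:-10.0.6.10}"
IFACE="${IFACE:-ens160}"

# vip_held VIP  <  output of `ip -4 addr show dev IFACE`
# Returns 0 when an "inet VIP/" line is present (this node is MASTER), 1 otherwise.
vip_held() {
    grep -qF "inet $1/"
}

# vrrp_role VIP  <  output of `ip -4 addr show dev IFACE`
# Prints MASTER or BACKUP for the node whose output is on stdin.
vrrp_role() {
    if vip_held "$1"; then echo MASTER; else echo BACKUP; fi
}

# haproxy_alive: 0 when an haproxy process exists, 1 otherwise. With the
# journal's keepalived.conf the VIP only moves when the whole node fails; a
# check like this, wired in through keepalived's vrrp_script/track_script,
# makes it move when haproxy itself dies.
haproxy_alive() {
    pgrep -x haproxy >/dev/null 2>&1
}

# report IFACE VIP: one-line live status for this node (needs `ip` and `pgrep`).
report() {
    role=$(ip -4 addr show dev "$1" 2>/dev/null | vrrp_role "$2")
    if haproxy_alive; then proxy=up; else proxy=DOWN; fi
    echo "$(hostname): $role for $2 on $1, haproxy $proxy"
}

# Constructed sample of `ip -4 addr show dev ens160` on the node holding the VIP
# (keepalived adds it as a secondary address on the tracked interface).
SAMPLE_MASTER='2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 10.0.6.11/24 brd 10.0.6.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet 10.0.6.10/24 scope global secondary ens160
       valid_lft forever preferred_lft forever'

# Constructed sample on the backup node (only its own address; 10.0.6.12 is assumed).
SAMPLE_BACKUP='2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 10.0.6.12/24 brd 10.0.6.255 scope global ens160
       valid_lft forever preferred_lft forever'

# Usage on ha1 or ha2:  sh vrrp_status.sh --live
if [ "${1:-}" = "--live" ]; then
    report "$IFACE" "$VIP"
fi
```

Run it on both ha nodes before and after stopping keepalived on the MASTER: exactly one node should report MASTER at any time, and after a failover the reported roles should swap while curl 10.0.6.10 keeps answering.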

HA enabling

On both vyos boxes (vyos1,vyos2) I set the following to change rule 10 to point to the HA VRRP address (10.0.6.10):

configure
delete nat destination rule 10
set nat destination rule 10 description 'Allow HTTP from WAN to ha'
set nat destination rule 10 destination address '10.0.17.116'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '10.0.6.10'
set nat destination rule 10 translation port '80'
commit

Checked that the destination rule was working with curl 10.0.17.116/?[1-5] on xubuntuwan:
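Running curl 10.0.17.116/?[1-5] shows the alternating pages by eye; the script below is an added example for this page (not from the original journal) that does the same probe in an explicit loop and tallies which backend answered each request. It assumes each server's index.html names its host ("web01" or "web02"), as the journal's pages do; the URL defaults to the journal's WAN address and the sample response bodies are constructed.

```shell
#!/bin/sh
# Added example (not from the original journal): probe the published address
# repeatedly and count how many responses each backend served.

# extract_backend: read one HTTP response body on stdin and print the backend
# name it contains, or "unknown" when no marker is found (e.g. an error page).
extract_backend() {
    name=$(grep -oE 'web0[12]' | head -n 1)
    echo "${name:-unknown}"
}

# tally: read one backend name per line and print "name count", sorted by name.
# Blank lines (failed requests with an empty body) are ignored.
tally() {
    awk 'NF { c[$1]++ } END { for (k in c) print k, c[k] }' | sort
}

# probe URL [N]: fetch URL N times (default 10), the explicit-loop equivalent
# of `curl 10.0.17.116/?[1-5]`, and print the distribution.
# Live use only; needs curl and reachability to the load balancer.
probe() {
    url=$1
    n=${2:-10}
    i=1
    while [ "$i" -le "$n" ]; do
        curl -s --max-time 3 "$url/?$i" | extract_backend
        i=$((i + 1))
    done | tally
}

# Constructed sample: six bodies as round robin over two healthy backends
# would return them, one body per line.
SAMPLE_BODIES='<html><body><h1>web01 - Oliver</h1></body></html>
<html><body><h1>web02 - Oliver</h1></body></html>
<html><body><h1>web01 - Oliver</h1></body></html>
<html><body><h1>web02 - Oliver</h1></body></html>
<html><body><h1>web01 - Oliver</h1></body></html>
<html><body><h1>web02 - Oliver</h1></body></html>'

# demo_offline: run the tally over the constructed sample (no network needed).
demo_offline() {
    printf '%s\n' "$SAMPLE_BODIES" | while IFS= read -r body; do
        printf '%s\n' "$body" | extract_backend
    done | tally
}

# Usage on xubuntuwan:  sh probe_lb.sh --live http://10.0.17.116 20
if [ "${1:-}" = "--live" ]; then
    probe "${2:-http://10.0.17.116}" "${3:-10}"
fi
```

With both backends healthy the counts should be equal (round robin). If one backend vanishes from the tally, HAProxy's check has taken it out of rotation; if "unknown" rows appear, something other than web01/web02 is answering on the path (for example the error page HAProxy returns when no backend is available), which is worth investigating before calling the redundancy test passed.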

I would then save my firewall configs for this lab according to my VyOS reference.

The last thing I did was make sure that HAProxy and Keepalived were enabled on ha1 and ha2, running the following commands on each system:

sudo systemctl enable haproxy
sudo systemctl enable keepalived

Sources