From eb2a404f3a3557aa27686c780d3a1a162bd4b110 Mon Sep 17 00:00:00 2001 From: Vincent Vanwaelscappel Date: Mon, 18 Sep 2023 16:08:38 +0200 Subject: [PATCH] wait #6286 @0.5 --- app/Fluidbook/HostingLoadBalancer.php | 7 +- app/Models/TeamServers.php | 94 +++++++++++++++++++++------ 2 files changed, 78 insertions(+), 23 deletions(-) diff --git a/app/Fluidbook/HostingLoadBalancer.php b/app/Fluidbook/HostingLoadBalancer.php index ed7afc551..0144d1e04 100644 --- a/app/Fluidbook/HostingLoadBalancer.php +++ b/app/Fluidbook/HostingLoadBalancer.php @@ -7,9 +7,10 @@ use Cubist\Util\Files\Files; class HostingLoadBalancer { protected static $_servers = [ - ['name' => 's1', 'host' => 's1.lb.fluidbook.com', 'weight' => 2], - ['name' => 's2', 'host' => 's2.lb.fluidbook.com', 'weight' => 1], - ['name' => 's3', 'host' => 's3.lb.fluidbook.com', 'weight' => 1], + ['name' => 's1', 'host' => 's1.lb.fluidbook.com', 'weight' => 5], + ['name' => 's2', 'host' => 's2.lb.fluidbook.com', 'weight' => 2], + ['name' => 's3', 'host' => 's3.lb.fluidbook.com', 'weight' => 2], + ['name' => 's4', 'host' => 's4.lb.fluidbook.com', 'weight' => 6], ]; protected static function _pingCache() diff --git a/app/Models/TeamServers.php b/app/Models/TeamServers.php index e2f69286c..49becbc26 100644 --- a/app/Models/TeamServers.php +++ b/app/Models/TeamServers.php @@ -6,6 +6,7 @@ use App\SubForms\TeamServer; use Cubist\Backpack\Magic\Fields\BunchOfFieldsMultiple; use Cubist\Backpack\Magic\Fields\Textarea; use Cubist\Backpack\Magic\Models\CubistMagicAbstractModel; +use Cubist\Net\Util; use Cubist\Util\Files\Files; use Cubist\Util\Text; 
@@ -35,45 +36,63 @@ class TeamServers extends CubistMagicAbstractModel $clients = Text::explodeNewLines($this->clients); $ip = Text::explodeNewLines($this->ip); + $sshports = [22, 22022, 22822, 22222]; + foreach ($servers as $k => $server) { $fw = '#!/bin/bash' . "\n\n"; - $fw .= 'apt install bind9 dnsutils' . "\n"; + $fw .= 'export DEBIAN_FRONTEND=noninteractive' . "\n"; + $fw .= 'apt install --no-install-recommends -y bind9 dnsutils' . "\n"; $fw .= 'service bind9 restart' . "\n\n"; - $fw .= 'blacklist=(' . implode(' ', $blacklist) . ')' . "\n"; + $fw .= '# Reset all rules +ufw --force reset +# Disable firewall +ufw disable + +ufw default allow outgoing + +'; + $bhosts = []; + foreach ($blacklist as $k => $b) { + $bhosts[] = '$b' . $k; + $fw .= 'b' . $k . '=' . self::digOrIP($b) . "\n"; + } + $fw .= 'blacklist=(' . implode(' ', $bhosts) . ')' . "\n\n"; $hosts = []; foreach ($servers as $k => $s) { $hosts[] = '$s' . $k; - $fw .= 's' . $k . '=`dig +short ' . $s['name'] . '.cubedesigners.com | tail -1`' . "\n"; + $fw .= 's' . $k . '=' . self::digOrIP($s['name'] . '.cubedesigners.com') . "\n"; $others = Text::explodeNewLines($s['others']); foreach ($others as $kk => $o) { $hosts[] = '$s' . $k . '_' . $kk; - $fw .= 's' . $k . '_' . $kk . '=`dig +short ' . $o . ' | tail -1`' . "\n"; + $fw .= 's' . $k . '_' . $kk . '=' . self::digOrIP($o) . "\n"; } } $fw .= "\n"; foreach ($ip as $k => $i) { $hosts[] = '$i' . $k; - $fw .= 'i' . $k . '=`dig +short ' . $i . ' | tail -1`' . "\n"; + $fw .= 'i' . $k . '=' . self::digOrIP($i) . "\n"; } $fw .= "\n"; - $fw .= 'auth=(' . implode(' ', $hosts) . ')' . "\n"; + $fw .= 'auth=(' . implode(' ', $hosts) . ')' . "\n\n"; if ($server['backup']) { $backup = []; foreach ($clients as $k => $c) { $backup[] = '$c' . $k; - $fw .= 'c' . $k . '=`dig +short ' . $c . ' | tail -1`' . "\n"; + $fw .= 'c' . $k . '=' . self::digOrIP($c) . "\n"; } $fw .= 'backup=(' . implode(' ', $backup) . ')' . 
"\n"; } - $openPorts = explode(',', $server['ports']); + + $openPorts = Text::trimExplode(',', $server['ports']); + if ($server['dns']) { $openPorts[] = 53; } @@ -81,6 +100,14 @@ class TeamServers extends CubistMagicAbstractModel $openPorts[] = 80; $openPorts[] = 443; } + if ($server['mail']) { + $openPorts[] = 25; + $openPorts[] = 143; + $openPorts[] = 465; + $openPorts[] = 487; + $openPorts[] = 993; + $openPorts[] = 4190; + } foreach ($openPorts as $openPort) { $fw .= 'ufw allow ' . $openPort . "\n"; @@ -91,28 +118,33 @@ class TeamServers extends CubistMagicAbstractModel do ufw deny in from $ip ufw deny in to $ip - ufw deny out from $ip - ufw deny out to $ip done for ip in "${auth[@]}" -do - ufw allow out to $ip port 22 - ufw allow from $ip - ufw allow to $ip -done' . "\n\n"; +do' . "\n"; + $fw .= "\t" . 'ufw allow from $ip' . "\n"; + $fw .= "\t" . 'ufw allow to $ip' . "\n"; + $fw .= "\t" . 'ufw allow out from $ip' . "\n"; + $fw .= "\t" . 'ufw allow out to $ip' . "\n"; + $fw .= 'done' . "\n\n"; if (isset($backup) && count($backup)) { - $fw .= 'for ip in "${auth[@]}" + $fw .= 'for ip in "${backup[@]}" do ufw allow in from $ip port 22 done' . "\n\n"; } - $fw .= '#SSH -ufw deny out 22 -# Finally enable firewall + + $fw .= '#SSH' . "\n"; + foreach ($sshports as $sshport) { + $fw .= 'ufw deny out ' . $sshport . "\n"; + } + + $fw .= '# Finally enable firewall ufw --force enable + # Enable loging ufw logging on + # Display status ufw status verbose 
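Review bot: The values from `Text::trimExplode(',', $server['ports'])` are concatenated into `'ufw allow ' . $openPort` without any check, so a stray non-numeric token in the ports field lands verbatim in a shell script; trimming whitespace is not validation. A minimal guard right after the explode would be `foreach ($openPorts as $p) { if (!ctype_digit((string) $p) || (int) $p > 65535) { throw new \InvalidArgumentException('bad port: ' . $p); } }`. The same concern applies to every value handed to `self::digOrIP()` that is neither an IP nor a CIDR, since it is emitted into the script unchanged. The new `foreach ($blacklist as $k => $b)` also reuses `$k` from the enclosing `foreach ($servers as $k => $server)`; harmless as long as the outer key is not read afterwards, but a distinct name would be clearer. The enclosing method begins before this hunk.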
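Review bot: Port 487 in the new `if ($server['mail'])` block does not correspond to a mail service; the submission port is 587, which is presumably what was meant next to 465 and 993. If so the line should read `$openPorts[] = 587;`. Left as is, the rule opens a port that mail software does not use while authenticated submission on 587 stays closed.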
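Review bot: The unchanged backup loop still emits `ufw allow in from $ip port 22`, and in ufw's syntax a `port` that follows `from` is the source port, so this matches only connections originating from port 22 on the client rather than SSH sessions to this host; if the intent is to let backup clients reach sshd it should be `ufw allow in from $ip to any port 22`. That line predates this commit, but the same loop is being corrected here (`${auth[@]}` to `${backup[@]}`), so it is worth fixing together. The generated comment `# Enable loging` should read `# Enable logging`. The enclosing method begins before this hunk.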
@@ -123,10 +155,32 @@ rm /etc/ufw/before6.rules.* rm /lib/ufw/user6.rules.* rm /lib/ufw/user.rules.* '; - file_put_contents(Files::mkdir(resource_path('servers/' . $server['name'])) . 'firewall', $fw); + + } + $update = '@echo off +cd /D D:\Works\Scripts +scp -P 58745 -r toolbox@toolbox.fluidbook.com:/application/resources/servers/ ./ +cd /D D:\Works\Scripts\servers' . "\n\n"; + + foreach ($servers as $server) { + $update .= 'scp -P ' . $server['port'] . ' ./' . $server['name'] . '/firewall root@' . $server['name'] . '.cubedesigners.com:/usr/local/bin/fw' . "\n"; + $update .= 'ssh -p ' . $server['port'] . ' root@' . $server['name'] . '.cubedesigners.com \'chmod 755 /usr/local/bin/fw;/usr/local/bin/fw\'' . "\n\n"; + } + file_put_contents(resource_path('servers') . '/' . 'update.bat', str_replace("\n", "\r\n", $update)); + + + } + + protected static function digOrIP($address) + { + if (Util::isValidIP($address) || Util::isValidCIDR($address)) { + return $address; + } else { + return '`dig +short ' . $address . ' | tail -1`'; + } } } -- 2.39.5
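Review bot: The `file_put_contents(... 'firewall', $fw)` call that wrote each server's script is removed and nothing in this hunk writes `$fw` anywhere, yet the generated `update.bat` still copies `./<name>/firewall`; unless the write moved to code outside the hunk, `$fw` is now built and discarded, and the line should be restored before the loop closes, e.g. `file_put_contents(Files::mkdir(resource_path('servers/' . $server['name'])) . 'firewall', $fw);`. In `digOrIP()`, an address that is neither an IP nor a CIDR is embedded verbatim inside backticks in a script that `update.bat` then runs as root over ssh, so the fallback branch should first restrict the input to hostname characters, e.g. `if (!preg_match('/^[A-Za-z0-9.-]+$/', $address)) { throw new \InvalidArgumentException('not a host, IP or CIDR: ' . $address); }`. An empty `dig +short` result also yields an empty shell variable, which later turns `ufw allow from $ip` into a malformed rule; failing when the lookup returns nothing would be safer than continuing. The workstation path `D:\Works\Scripts`, the port 58745 and the toolbox host are hard-coded into the model and belong in configuration.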