Diffstat (limited to 'docs')
20 files changed, 471 insertions, 157 deletions
diff --git a/docs/_static/images/uefi_secureboot_01.png b/docs/_static/images/uefi_secureboot_01.png Binary files differnew file mode 100644 index 00000000..02ec56b0 --- /dev/null +++ b/docs/_static/images/uefi_secureboot_01.png diff --git a/docs/_static/images/uefi_secureboot_02.png b/docs/_static/images/uefi_secureboot_02.png Binary files differnew file mode 100644 index 00000000..336d654d --- /dev/null +++ b/docs/_static/images/uefi_secureboot_02.png diff --git a/docs/_static/images/uefi_secureboot_03.png b/docs/_static/images/uefi_secureboot_03.png Binary files differnew file mode 100644 index 00000000..ff126842 --- /dev/null +++ b/docs/_static/images/uefi_secureboot_03.png diff --git a/docs/_static/images/uefi_secureboot_04.png b/docs/_static/images/uefi_secureboot_04.png Binary files differnew file mode 100644 index 00000000..90242299 --- /dev/null +++ b/docs/_static/images/uefi_secureboot_04.png diff --git a/docs/_static/images/uefi_secureboot_05.png b/docs/_static/images/uefi_secureboot_05.png Binary files differnew file mode 100644 index 00000000..b08cb946 --- /dev/null +++ b/docs/_static/images/uefi_secureboot_05.png diff --git a/docs/_static/images/uefi_secureboot_06.png b/docs/_static/images/uefi_secureboot_06.png Binary files differnew file mode 100644 index 00000000..784f0eed --- /dev/null +++ b/docs/_static/images/uefi_secureboot_06.png diff --git a/docs/_static/images/uefi_secureboot_07.png b/docs/_static/images/uefi_secureboot_07.png Binary files differnew file mode 100644 index 00000000..6ff450b4 --- /dev/null +++ b/docs/_static/images/uefi_secureboot_07.png diff --git a/docs/cli.rst b/docs/cli.rst index b0445140..7ba34bc4 100644 --- a/docs/cli.rst +++ b/docs/cli.rst 
@@ -329,7 +329,7 @@ configured, changes are added through a collection of :cfgcmd:`set` and Both these ``show`` commands should be executed when in operational mode, they do not work directly in configuration mode. There is a -special way on how to :ref:`run_opmode_from_config_mode`. +special way on how to :ref:run_opmode_from_config_mode. .. hint:: Use the ``show configuration commands | strip-private`` command when you want to hide private data. You may want to do so if @@ -528,7 +528,7 @@ mode using :cfgcmd:`show | commands` set address dhcp set hw-id 00:53:ad:44:3b:03 -These commands are also relative to the level you are inside and only +These commands are also relative to the level you are inside and only relevant configuration blocks will be displayed when entering a sub-level. @@ -620,7 +620,7 @@ different levels in the hierarchy. Use this command to preserve configuration changes upon reboot. By default it is stored at */config/config.boot*. In the case you want to store the configuration file somewhere else, you can add a local - path, a SCP address, a FTP address or a TFTP address. + path, a SCP address, a FTP address or a TFTP address. .. code-block:: none @@ -687,13 +687,13 @@ different levels in the hierarchy. system will reboot into previous config revision. .. code-block:: none - + vyos@router# set firewall interface eth0 local name FromWorld - vyos@router# commit-confirm + vyos@router# commit-confirm commit confirm will be automatically reboot in 10 minutes unless confirmed Proceed? [confirm]y [edit] - vyos@router# confirm + vyos@router# confirm [edit] .. cfgcmd:: copy @@ -709,8 +709,8 @@ different levels in the hierarchy. .. code-block:: none - - vyos@router# show firewall name FromWorld + + vyos@router# show firewall name FromWorld default-action drop rule 10 { action accept 
@@ -719,7 +719,7 @@ different levels in the hierarchy. } } [edit] - vyos@router# edit firewall name FromWorld + vyos@router# edit firewall name FromWorld [edit firewall name FromWorld] vyos@router# copy rule 10 to rule 20 [edit firewall name FromWorld] @@ -736,7 +736,7 @@ different levels in the hierarchy. You can also rename config subtrees: .. code-block:: none - + vyos@router# rename rule 10 to rule 5 [edit firewall name FromWorld] vyos@router# commit @@ -747,8 +747,8 @@ different levels in the hierarchy. with no parameters. .. code-block:: none - - vyos@router# show + + vyos@router# show default-action drop rule 5 { action accept @@ -797,11 +797,6 @@ different levels in the hierarchy. firewall` command would return starting after the ``firewall {`` line, hiding the comment. - - - - - .. _run_opmode_from_config_mode: Access opmode from config mode @@ -1024,7 +1019,7 @@ to load it with the ``load`` command: .. code-block:: none - vyos@vyos# load + vyos@vyos# load Possible completions: <Enter> Load from system config file <file> Load from file on local machine @@ -1034,7 +1029,7 @@ to load it with the ``load`` command: http://<host>/<file> Load from file on remote machine https://<host>/<file> Load from file on remote machine tftp://<host>/<file> Load from file on remote machine - + Restore Default @@ -1057,4 +1052,3 @@ configuration too. .. note:: If you are remotely connected, you will lose your connection. You may want to copy first the config, edit it to ensure connectivity, and load the edited config. - diff --git a/docs/configuration/firewall/bridge.rst b/docs/configuration/firewall/bridge.rst index 39956236..9c360d35 100644 --- a/docs/configuration/firewall/bridge.rst +++ b/docs/configuration/firewall/bridge.rst 
@@ -386,6 +386,44 @@ described in this section: Match based on VLAN priority (Priority Code Point - PCP). Range is also supported. +Packet Modifications +==================== + +Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify +packets before they are sent out. This feaure provides more flexibility in +packet handling. + +.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter + rule <1-999999> set dscp <0-63> + + Set a specific value of Differentiated Services Codepoint (DSCP). + +.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter + rule <1-999999> set mark <1-2147483647> + + Set a specific packet mark value. + +.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter + rule <1-999999> set tcp-mss <500-1460> + + Set the TCP-MSS (TCP maximum segment size) for the connection. + +.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter + rule <1-999999> set ttl <0-255> + + Set the TTL (Time to Live) value. + +.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter + rule <1-999999> set hop-limit <0-255> + + Set hop limit value. + +.. cfgcmd:: set firewall bridge [forward | output] filter + rule <1-999999> set connection-mark <0-2147483647> + + Set connection mark value. + + Use IP firewall =============== diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst index abae31a5..419a9339 100644 --- a/docs/configuration/firewall/ipv4.rst +++ b/docs/configuration/firewall/ipv4.rst 
@@ -980,6 +980,56 @@ geoip) to keep database and rules updated. Match when 'count' amount of connections are seen within 'time'. These matching criteria can be used to block brute-force attempts. +Packet Modifications +==================== + +Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify +packets before they are sent out. This feaure provides more flexibility in +packet handling. + +.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999> + set dscp <0-63> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + set dscp <0-63> +.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> + set dscp <0-63> + + Set a specific value of Differentiated Services Codepoint (DSCP). + +.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999> + set mark <1-2147483647> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + set mark <1-2147483647> +.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> + set mark <1-2147483647> + + Set a specific packet mark value. + +.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999> + set tcp-mss <500-1460> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + set tcp-mss <500-1460> +.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> + set tcp-mss <500-1460> + + Set the TCP-MSS (TCP maximum segment size) for the connection. + +.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999> + set ttl <0-255> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + set ttl <0-255> +.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> + set ttl <0-255> + + Set the TTL (Time to Live) value. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + set connection-mark <0-2147483647> +.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> + set connection-mark <0-2147483647> + + Set connection mark value. + ******** Synproxy ******** 
diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst index 5f526dac..0c995c12 100644 --- a/docs/configuration/firewall/ipv6.rst +++ b/docs/configuration/firewall/ipv6.rst 
@@ -970,6 +970,56 @@ geoip) to keep database and rules updated. Match when 'count' amount of connections are seen within 'time'. These matching criteria can be used to block brute-force attempts. +Packet Modifications +==================== + +Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify +packets before they are sent out. This feaure provides more flexibility in +packet handling. + +.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999> + set dscp <0-63> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + set dscp <0-63> +.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999> + set dscp <0-63> + + Set a specific value of Differentiated Services Codepoint (DSCP). + +.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999> + set mark <1-2147483647> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + set mark <1-2147483647> +.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999> + set mark <1-2147483647> + + Set a specific packet mark value. + +.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999> + set tcp-mss <500-1460> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + set tcp-mss <500-1460> +.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999> + set tcp-mss <500-1460> + + Set the TCP-MSS (TCP maximum segment size) for the connection. + +.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999> + set hop-limit <0-255> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + set hop-limit <0-255> +.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999> + set hop-limit <0-255> + + Set hop limit value. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + set connection-mark <0-2147483647> +.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> + set connection-mark <0-2147483647> + + Set connection mark value. + ******** Synproxy ******** 
diff --git a/docs/configuration/loadbalancing/reverse-proxy.rst b/docs/configuration/loadbalancing/haproxy.rst index 32be85c8..3ce59b35 100644 --- a/docs/configuration/loadbalancing/reverse-proxy.rst +++ b/docs/configuration/loadbalancing/haproxy.rst @@ -1,11 +1,11 @@ ############# -Reverse-proxy +Haproxy ############# .. include:: /_include/need_improvement.txt -VyOS reverse-proxy is balancer and proxy server that provides +Haproxy is a balancer and proxy server that provides high-availability, load balancing and proxying for TCP (level 4) and HTTP-based (level 7) applications. 
@@ -20,37 +20,37 @@ to be applied and specifies the real servers to be utilized. Service ------- -.. cfgcmd:: set load-balancing reverse-proxy service <name> listen-address +.. cfgcmd:: set load-balancing haproxy service <name> listen-address <address> Set service to bind on IP address, by default listen on any IPv4 and IPv6 -.. cfgcmd:: set load-balancing reverse-proxy service <name> port +.. cfgcmd:: set load-balancing haproxy service <name> port <port> Create service `<name>` to listen on <port> -.. cfgcmd:: set load-balancing reverse-proxy service <name> mode +.. cfgcmd:: set load-balancing haproxy service <name> mode <tcp|http> Configure service `<name>` mode TCP or HTTP -.. cfgcmd:: set load-balancing reverse-proxy service <name> backend +.. cfgcmd:: set load-balancing haproxy service <name> backend <name> Configure service `<name>` to use the backend <name> -.. cfgcmd:: set load-balancing reverse-proxy service <name> ssl +.. cfgcmd:: set load-balancing haproxy service <name> ssl certificate <name> Set SSL certificate <name> for service <name> -.. cfgcmd:: set load-balancing reverse-proxy service <name> +.. cfgcmd:: set load-balancing haproxy service <name> http-response-headers <header-name> value <header-value> Set custom HTTP headers to be included in all responses -.. cfgcmd:: set load-balancing reverse-proxy service <name> logging facility +.. cfgcmd:: set load-balancing haproxy service <name> logging facility <facility> level <level> Specify facility and level for logging. 
@@ -64,12 +64,12 @@ Rules allow to control and route incoming traffic to specific backend based on predefined conditions. Rules allow to define matching criteria and perform action accordingly. -.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule> +.. cfgcmd:: set load-balancing haproxy service <name> rule <rule> domain-name <name> Match domain name -.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule> +.. cfgcmd:: set load-balancing haproxy service <name> rule <rule> ssl <sni> SSL match Server Name Indication (SNI) option: @@ -79,7 +79,7 @@ perform action accordingly. Indication -.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule> +.. cfgcmd:: set load-balancing haproxy service <name> rule <rule> url-path <match> <url> Allows to define URL path matching rules for a specific service. @@ -92,12 +92,12 @@ perform action accordingly. * ``end`` Matches the end of the URL path. * ``exact`` Requires an exactly match of the URL path -.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule> +.. cfgcmd:: set load-balancing haproxy service <name> rule <rule> set backend <name> Assign a specific backend to a rule -.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule> +.. cfgcmd:: set load-balancing haproxy service <name> rule <rule> redirect-location <url> Redirect URL to a new location @@ -106,7 +106,7 @@ perform action accordingly. Backend ------- -.. cfgcmd:: set load-balancing reverse-proxy backend <name> balance +.. cfgcmd:: set load-balancing haproxy backend <name> balance <balance> Load-balancing algorithms to be used for distributed requests among the 
@@ -120,54 +120,54 @@ Backend * ``least-connection`` Distributes requests to the server with the fewest active connections -.. cfgcmd:: set load-balancing reverse-proxy backend <name> mode +.. cfgcmd:: set load-balancing haproxy backend <name> mode <mode> Configure backend `<name>` mode TCP or HTTP -.. cfgcmd:: set load-balancing reverse-proxy backend <name> server +.. cfgcmd:: set load-balancing haproxy backend <name> server <name> address <x.x.x.x> Set the address of the backend server to which the incoming traffic will be forwarded -.. cfgcmd:: set load-balancing reverse-proxy backend <name> server +.. cfgcmd:: set load-balancing haproxy backend <name> server <name> port <port> Set the address of the backend port -.. cfgcmd:: set load-balancing reverse-proxy backend <name> server +.. cfgcmd:: set load-balancing haproxy backend <name> server <name> check Active health check backend server -.. cfgcmd:: set load-balancing reverse-proxy backend <name> server +.. cfgcmd:: set load-balancing haproxy backend <name> server <name> send-proxy Send a Proxy Protocol version 1 header (text format) -.. cfgcmd:: set load-balancing reverse-proxy backend <name> server +.. cfgcmd:: set load-balancing haproxy backend <name> server <name> send-proxy-v2 Send a Proxy Protocol version 2 header (binary format) -.. cfgcmd:: set load-balancing reverse-proxy backend <name> ssl +.. cfgcmd:: set load-balancing haproxy backend <name> ssl ca-certificate <ca-certificate> Configure requests to the backend server to use SSL encryption and authenticate backend against <ca-certificate> -.. cfgcmd:: set load-balancing reverse-proxy backend <name> ssl no-verify +.. cfgcmd:: set load-balancing haproxy backend <name> ssl no-verify Configure requests to the backend server to use SSL encryption without validating server certificate -.. cfgcmd:: set load-balancing reverse-proxy backend <name> +.. 
cfgcmd:: set load-balancing haproxy backend <name> http-response-headers <header-name> value <header-value> Set custom HTTP headers to be included in all responses using the backend -.. cfgcmd:: set load-balancing reverse-proxy backend <name> logging facility +.. cfgcmd:: set load-balancing haproxy backend <name> logging facility <facility> level <level> Specify facility and level for logging. @@ -180,22 +180,22 @@ Global Global parameters -.. cfgcmd:: set load-balancing reverse-proxy global-parameters max-connections +.. cfgcmd:: set load-balancing haproxy global-parameters max-connections <num> Limit maximum number of connections -.. cfgcmd:: set load-balancing reverse-proxy global-parameters ssl-bind-ciphers +.. cfgcmd:: set load-balancing haproxy global-parameters ssl-bind-ciphers <ciphers> Limit allowed cipher algorithms used during SSL/TLS handshake -.. cfgcmd:: set load-balancing reverse-proxy global-parameters tls-version-min +.. cfgcmd:: set load-balancing haproxy global-parameters tls-version-min <version> Specify the minimum required TLS version 1.2 or 1.3 -.. cfgcmd:: set load-balancing reverse-proxy global-parameters logging +.. cfgcmd:: set load-balancing haproxy global-parameters logging facility <facility> level <level> Specify facility and level for logging. 
@@ -212,22 +212,22 @@ HTTP checks For web application providing information about their state HTTP health checks can be used to determine their availability. -.. cfgcmd:: set load-balancing reverse-proxy backend <name> http-check +.. cfgcmd:: set load-balancing haproxy backend <name> http-check Enables HTTP health checks using OPTION HTTP requests against '/' and expecting a successful response code in the 200-399 range. -.. cfgcmd:: set load-balancing reverse-proxy backend <name> http-check +.. cfgcmd:: set load-balancing haproxy backend <name> http-check method <method> Sets the HTTP method to be used, can be either: option, get, post, put -.. cfgcmd:: set load-balancing reverse-proxy backend <name> http-check +.. cfgcmd:: set load-balancing haproxy backend <name> http-check uri <path> Sets the endpoint to be used for health checks -.. cfgcmd:: set load-balancing reverse-proxy backend <name> http-check +.. cfgcmd:: set load-balancing haproxy backend <name> http-check expect <condition> Sets the expected result condition for considering a server healthy. @@ -244,7 +244,7 @@ TCP checks Health checks can also be configured for TCP mode backends. You can configure protocol aware checks for a range of Layer 7 protocols: -.. cfgcmd:: set load-balancing reverse-proxy backend <name> health-check <protocol> +.. cfgcmd:: set load-balancing haproxy backend <name> health-check <protocol> Available health check protocols: * ``ldap`` LDAP protocol check. 
@@ -261,15 +261,15 @@ protocol aware checks for a range of Layer 7 protocols: Redirect HTTP to HTTPS ====================== -Configure the load-balancing reverse-proxy service for HTTP. +Configure the load-balancing haproxy service for HTTP. This configuration listen on port 80 and redirect incoming requests to HTTPS: .. code-block:: none - set load-balancing reverse-proxy service http port '80' - set load-balancing reverse-proxy service http redirect-http-to-https + set load-balancing haproxy service http port '80' + set load-balancing haproxy service http redirect-http-to-https The name of the service can be different, in this example it is only for convenience. 
@@ -287,17 +287,17 @@ servers (srv01 and srv02) using the round-robin load-balancing algorithm. .. code-block:: none - set load-balancing reverse-proxy service my-tcp-api backend 'bk-01' - set load-balancing reverse-proxy service my-tcp-api mode 'tcp' - set load-balancing reverse-proxy service my-tcp-api port '8888' + set load-balancing haproxy service my-tcp-api backend 'bk-01' + set load-balancing haproxy service my-tcp-api mode 'tcp' + set load-balancing haproxy service my-tcp-api port '8888' - set load-balancing reverse-proxy backend bk-01 balance 'round-robin' - set load-balancing reverse-proxy backend bk-01 mode 'tcp' + set load-balancing haproxy backend bk-01 balance 'round-robin' + set load-balancing haproxy backend bk-01 mode 'tcp' - set load-balancing reverse-proxy backend bk-01 server srv01 address '192.0.2.11' - set load-balancing reverse-proxy backend bk-01 server srv01 port '8881' - set load-balancing reverse-proxy backend bk-01 server srv02 address '192.0.2.12' - set load-balancing reverse-proxy backend bk-01 server srv02 port '8882' + set load-balancing haproxy backend bk-01 server srv01 address '192.0.2.11' + set load-balancing haproxy backend bk-01 server srv01 port '8881' + set load-balancing haproxy backend bk-01 server srv02 address '192.0.2.12' + set load-balancing haproxy backend bk-01 server srv02 port '8882' Balancing based on domain name 
@@ -315,23 +315,23 @@ to the backend ``bk-api-02`` .. code-block:: none - set load-balancing reverse-proxy service http description 'bind app listen on 443 port' - set load-balancing reverse-proxy service http mode 'tcp' - set load-balancing reverse-proxy service http port '80' + set load-balancing haproxy service http description 'bind app listen on 443 port' + set load-balancing haproxy service http mode 'tcp' + set load-balancing haproxy service http port '80' - set load-balancing reverse-proxy service http rule 10 domain-name 'node1.example.com' - set load-balancing reverse-proxy service http rule 10 set backend 'bk-api-01' - set load-balancing reverse-proxy service http rule 20 domain-name 'node2.example.com' - set load-balancing reverse-proxy service http rule 20 set backend 'bk-api-02' + set load-balancing haproxy service http rule 10 domain-name 'node1.example.com' + set load-balancing haproxy service http rule 10 set backend 'bk-api-01' + set load-balancing haproxy service http rule 20 domain-name 'node2.example.com' + set load-balancing haproxy service http rule 20 set backend 'bk-api-02' - set load-balancing reverse-proxy backend bk-api-01 description 'My API-1' - set load-balancing reverse-proxy backend bk-api-01 mode 'tcp' - set load-balancing reverse-proxy backend bk-api-01 server api01 address '127.0.0.1' - set load-balancing reverse-proxy backend bk-api-01 server api01 port '4431' - set load-balancing reverse-proxy backend bk-api-02 description 'My API-2' - set load-balancing reverse-proxy backend bk-api-02 mode 'tcp' - set load-balancing reverse-proxy backend bk-api-02 server api01 address '127.0.0.2' - set load-balancing reverse-proxy backend bk-api-02 server api01 port '4432' + set load-balancing haproxy backend bk-api-01 description 'My API-1' + set load-balancing haproxy backend bk-api-01 mode 'tcp' + set load-balancing haproxy backend bk-api-01 server api01 address '127.0.0.1' + set load-balancing haproxy backend bk-api-01 server api01 port 
'4431' + set load-balancing haproxy backend bk-api-02 description 'My API-2' + set load-balancing haproxy backend bk-api-02 mode 'tcp' + set load-balancing haproxy backend bk-api-02 server api01 address '127.0.0.2' + set load-balancing haproxy backend bk-api-02 server api01 port '4432' Terminate SSL 
@@ -357,30 +357,30 @@ connection limit of 4000 and a minimum TLS version of 1.3. .. code-block:: none - set load-balancing reverse-proxy service http description 'Force redirect to HTTPS' - set load-balancing reverse-proxy service http port '80' - set load-balancing reverse-proxy service http redirect-http-to-https + set load-balancing haproxy service http description 'Force redirect to HTTPS' + set load-balancing haproxy service http port '80' + set load-balancing haproxy service http redirect-http-to-https - set load-balancing reverse-proxy service https backend 'bk-default' - set load-balancing reverse-proxy service https description 'listen on 443 port' - set load-balancing reverse-proxy service https mode 'http' - set load-balancing reverse-proxy service https port '443' - set load-balancing reverse-proxy service https ssl certificate 'cert' - set load-balancing reverse-proxy service https http-response-headers Strict-Transport-Security value 'max-age=31536000' + set load-balancing haproxy service https backend 'bk-default' + set load-balancing haproxy service https description 'listen on 443 port' + set load-balancing haproxy service https mode 'http' + set load-balancing haproxy service https port '443' + set load-balancing haproxy service https ssl certificate 'cert' + set load-balancing haproxy service https http-response-headers Strict-Transport-Security value 'max-age=31536000' - set load-balancing reverse-proxy service https rule 10 url-path exact '/.well-known/xxx' - set load-balancing reverse-proxy service https rule 10 set redirect-location '/certs/' - set load-balancing reverse-proxy service https rule 20 url-path end '/mail' - set load-balancing reverse-proxy service https rule 20 url-path exact '/email/bar' - set load-balancing reverse-proxy service https rule 20 set redirect-location '/postfix/' + set load-balancing haproxy service https rule 10 url-path exact '/.well-known/xxx' + set load-balancing haproxy service https rule 10 set 
redirect-location '/certs/' + set load-balancing haproxy service https rule 20 url-path end '/mail' + set load-balancing haproxy service https rule 20 url-path exact '/email/bar' + set load-balancing haproxy service https rule 20 set redirect-location '/postfix/' - set load-balancing reverse-proxy backend bk-default description 'Default backend' - set load-balancing reverse-proxy backend bk-default mode 'http' - set load-balancing reverse-proxy backend bk-default server sr01 address '192.0.2.23' - set load-balancing reverse-proxy backend bk-default server sr01 port '80' + set load-balancing haproxy backend bk-default description 'Default backend' + set load-balancing haproxy backend bk-default mode 'http' + set load-balancing haproxy backend bk-default server sr01 address '192.0.2.23' + set load-balancing haproxy backend bk-default server sr01 port '80' - set load-balancing reverse-proxy global-parameters max-connections '4000' - set load-balancing reverse-proxy global-parameters tls-version-min '1.3' + set load-balancing haproxy global-parameters max-connections '4000' + set load-balancing haproxy global-parameters tls-version-min '1.3' SSL Bridging 
@@ -402,17 +402,17 @@ and checks backend server has a valid certificate trusted by CA ``cacert`` .. code-block:: none - set load-balancing reverse-proxy service https backend 'bk-bridge-ssl' - set load-balancing reverse-proxy service https description 'listen on 443 port' - set load-balancing reverse-proxy service https mode 'http' - set load-balancing reverse-proxy service https port '443' - set load-balancing reverse-proxy service https ssl certificate 'cert' + set load-balancing haproxy service https backend 'bk-bridge-ssl' + set load-balancing haproxy service https description 'listen on 443 port' + set load-balancing haproxy service https mode 'http' + set load-balancing haproxy service https port '443' + set load-balancing haproxy service https ssl certificate 'cert' - set load-balancing reverse-proxy backend bk-bridge-ssl description 'SSL backend' - set load-balancing reverse-proxy backend bk-bridge-ssl mode 'http' - set load-balancing reverse-proxy backend bk-bridge-ssl ssl ca-certificate 'cacert' - set load-balancing reverse-proxy backend bk-bridge-ssl server sr01 address '192.0.2.23' - set load-balancing reverse-proxy backend bk-bridge-ssl server sr01 port '443' + set load-balancing haproxy backend bk-bridge-ssl description 'SSL backend' + set load-balancing haproxy backend bk-bridge-ssl mode 'http' + set load-balancing haproxy backend bk-bridge-ssl ssl ca-certificate 'cacert' + set load-balancing haproxy backend bk-bridge-ssl server sr01 address '192.0.2.23' + set load-balancing haproxy backend bk-bridge-ssl server sr01 port '443' Balancing with HTTP health checks 
@@ -422,21 +422,21 @@ This configuration enables HTTP health checks on backend servers. .. code-block:: none - set load-balancing reverse-proxy service my-tcp-api backend 'bk-01' - set load-balancing reverse-proxy service my-tcp-api mode 'tcp' - set load-balancing reverse-proxy service my-tcp-api port '8888' + set load-balancing haproxy service my-tcp-api backend 'bk-01' + set load-balancing haproxy service my-tcp-api mode 'tcp' + set load-balancing haproxy service my-tcp-api port '8888' - set load-balancing reverse-proxy backend bk-01 balance 'round-robin' - set load-balancing reverse-proxy backend bk-01 mode 'tcp' + set load-balancing haproxy backend bk-01 balance 'round-robin' + set load-balancing haproxy backend bk-01 mode 'tcp' - set load-balancing reverse-proxy backend bk-01 http-check method 'get' - set load-balancing reverse-proxy backend bk-01 http-check uri '/health' - set load-balancing reverse-proxy backend bk-01 http-check expect 'status 200' + set load-balancing haproxy backend bk-01 http-check method 'get' + set load-balancing haproxy backend bk-01 http-check uri '/health' + set load-balancing haproxy backend bk-01 http-check expect 'status 200' - set load-balancing reverse-proxy backend bk-01 server srv01 address '192.0.2.11' - set load-balancing reverse-proxy backend bk-01 server srv01 port '8881' - set load-balancing reverse-proxy backend bk-01 server srv01 check - set load-balancing reverse-proxy backend bk-01 server srv02 address '192.0.2.12' - set load-balancing reverse-proxy backend bk-01 server srv02 port '8882' - set load-balancing reverse-proxy backend bk-01 server srv02 check + set load-balancing haproxy backend bk-01 server srv01 address '192.0.2.11' + set load-balancing haproxy backend bk-01 server srv01 port '8881' + set load-balancing haproxy backend bk-01 server srv01 check + set load-balancing haproxy backend bk-01 server srv02 address '192.0.2.12' + set load-balancing haproxy backend bk-01 server srv02 port '8882' + set 
load-balancing haproxy backend bk-01 server srv02 check diff --git a/docs/configuration/loadbalancing/index.rst b/docs/configuration/loadbalancing/index.rst index 382bd0d7..92dcc622 100644 --- a/docs/configuration/loadbalancing/index.rst +++ b/docs/configuration/loadbalancing/index.rst @@ -9,4 +9,4 @@ Load-balancing :includehidden: wan - reverse-proxy + haproxy diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst index af397456..e72e8e8b 100644 --- a/docs/configuration/service/https.rst +++ b/docs/configuration/service/https.rst @@ -67,19 +67,22 @@ API Set a named api key. Every key has the same, full permissions on the system. -.. cfgcmd:: set service https api debug +REST +==== + +.. cfgcmd:: set service https api rest + + Enable REST API + +.. cfgcmd:: set service https api rest debug To enable debug messages. Available via :opcmd:`show log` or :opcmd:`monitor log` -.. cfgcmd:: set service https api strict +.. cfgcmd:: set service https api rest strict Enforce strict path checking. -.. cfgcmd:: set service https api cors allow-origin <origin> - - Allow cross-origin requests from `<origin>`. - GraphQL ======= @@ -105,12 +108,17 @@ GraphQL Set the byte length of the JWT secret. Default is 32. +.. cfgcmd:: set service https api graphql cors allow-origin <origin> + + Allow cross-origin requests from `<origin>`. + ********************* Example Configuration ********************* -Set an API-KEY is the minimal configuration to get a working API Endpoint. +Setting REST API and an API-KEY is the minimal configuration to get a working API Endpoint. .. code-block:: none set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY + set service https api rest diff --git a/docs/index.rst b/docs/index.rst index 4db014a9..69768eb8 100644 --- a/docs/index.rst +++ b/docs/index.rst 
@@ -5,22 +5,21 @@ VyOS User Guide ############### - .. grid:: 3 :gutter: 2 - + .. grid-item-card:: Get / Build VyOS - + Quickly :ref:`Build<contributing/build-vyos:build vyos>` your own Image or take a look at how to :ref:`download<installation/install:download>` a free or supported version. - + .. grid-item-card:: Install VyOS Read about how to install VyOS on :ref:`Bare Metal<installation/install:installation>` or in a - :ref:`Virtual Environment<installation/virtual/index:running vyos in virtual environments>` and - how to use an image with the usual :ref:`cloud<installation/cloud/index:running VyOS in Cloud Environments>` providers - + :ref:`Virtual Environment<installation/virtual/index:Virtual Environments>` and + how to use an image with the usual :ref:`cloud<installation/cloud/index:Cloud Environments>` providers + .. grid-item-card:: Configuration and Operation @@ -28,20 +27,20 @@ VyOS User Guide set up :ref:`advanced routing<configuration/protocols/index:protocols>`, :ref:`VRFs<configuration/vrf/index:vrf>`, or :ref:`VPNs<configuration/vpn/index:vpn>` for example. - + .. grid-item-card:: Automate - Integrate VyOS in your automation Workflow with + Integrate VyOS in your automation Workflow with :ref:`Ansible<vyos-ansible>`, have your own :ref:`local scripts<command-scripting>`, or configure VyOS with the :ref:`HTTPS-API<vyosapi>`. - + .. grid-item-card:: Examples Get some inspiration from the :ref:`Configuration Blueprints<configexamples/index:Configuration Blueprints>` to build your infrastructure. - + .. grid-item-card:: Contribute and Community diff --git a/docs/installation/vyos-on-baremetal.rst b/docs/installation/bare-metal.rst index 7d843521..6578f84e 100644 --- a/docs/installation/vyos-on-baremetal.rst +++ b/docs/installation/bare-metal.rst @@ -1,7 +1,7 @@ .. _vyosonbaremetal: ##################### -Running on Bare Metal +Bare Metal Deployment ##################### Supermicro A2SDi (Atom C3000) 
diff --git a/docs/installation/cloud/index.rst b/docs/installation/cloud/index.rst index 5236f092..a76dba4c 100644 --- a/docs/installation/cloud/index.rst +++ b/docs/installation/cloud/index.rst @@ -1,8 +1,6 @@ -################################## -Running VyOS in Cloud Environments -################################## - - +################## +Cloud Environments +################## .. toctree:: :caption: Content @@ -10,4 +8,4 @@ Running VyOS in Cloud Environments aws azure gcp - oracel
\ No newline at end of file + oracel diff --git a/docs/installation/index.rst b/docs/installation/index.rst index 435a16cd..9ab43b0e 100644 --- a/docs/installation/index.rst +++ b/docs/installation/index.rst @@ -2,8 +2,6 @@ Installation and Image Management ################################# - - .. toctree:: :maxdepth: 2 :caption: Content @@ -11,7 +9,8 @@ Installation and Image Management install virtual/index cloud/index - vyos-on-baremetal + bare-metal update image + secure-boot migrate-from-vyatta diff --git a/docs/installation/secure-boot.rst b/docs/installation/secure-boot.rst new file mode 100644 index 00000000..817ca663 --- /dev/null +++ b/docs/installation/secure-boot.rst 
@@ -0,0 +1,178 @@ +.. _secure_boot: + +########### +Secure Boot +########### + +Initial UEFI secure boot support is available (:vytask:`T861`). We utilize +``shim`` from Debian 12 (Bookworm) which is properly signed by the UEFI +SecureBoot key from Microsoft. + +.. note:: There is yet no signed version of ``shim`` for VyOS, thus we + provide no signed image for secure boot yet. If you are interested in + secure boot you can build an image on your own. + +To generate a custom ISO with your own secure boot keys, run the following +commands prior to your ISO image build: + +.. code-block:: bash + + cd vyos-build + openssl req -new -x509 -newkey rsa:4096 \ + -keyout data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.key \ + -out data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.der \ + -outform DER -days 36500 -subj "/CN=MyMOK/" -nodes + openssl x509 -inform der \ + -in data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.der \ + -out data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.pem + +************ +Installation +************ + +As our version of ``shim`` is not signed by Microsoft we need to enroll the +previously generated :abbr:`MOK (Machine Owner Key)` to the system. + +First of all you will need to disable UEFI secure boot for the installation. + +.. figure:: /_static/images/uefi_secureboot_01.png + :alt: Disable UEFI secure boot + +Proceed with the regular VyOS :ref:`installation <permanent_installation>` on +your system, but instead of the final ``reboot`` we will enroll the +:abbr:`MOK (Machine Owner Key)`. + +.. code-block:: none + + vyos@vyos:~$ install mok + input password: + input password again: + +The requested ``input password`` can be user chosen and is only needed after +rebooting the system into MOK Manager to permanently install the keys. + +With the next reboot, MOK Manager will automatically launch + +.. 
figure:: /_static/images/uefi_secureboot_02.png + :alt: Disable UEFI secure boot + +Select ``Enroll MOK`` + +.. figure:: /_static/images/uefi_secureboot_03.png + :alt: Disable UEFI secure boot + +You can now view the key to be installed and ``continue`` with the Key installation + +.. figure:: /_static/images/uefi_secureboot_04.png + :alt: Disable UEFI secure boot + +.. figure:: /_static/images/uefi_secureboot_05.png + :alt: Disable UEFI secure boot + +Now you will need the password previously defined + +.. figure:: /_static/images/uefi_secureboot_06.png + :alt: Disable UEFI secure boot + +Now reboot and re-enable UEFI secure boot. + +.. figure:: /_static/images/uefi_secureboot_07.png + :alt: Disable UEFI secure boot + +VyOS will now launch in UEFI secure boot mode. This can be double-checked by running +either one of the commands: + +.. code-block:: none + + vyos@vyos:~$ show secure-boot + SecureBoot enabled + +.. code-block:: none + + vyos@vyos:~$ show log kernel | match Secure + Oct 08 19:15:41 kernel: Secure boot enabled + +.. code-block:: none + + vyos@vyos:~$ show version + Version: VyOS 1.5-secureboot + Release train: current + Release flavor: generic + + Built by: autobuild@vyos.net + Built on: Tue 08 Oct 2024 18:00 UTC + Build UUID: 5702ca38-e6f4-470f-b89e-ffc29baee474 + Build commit ID: 9eb61d3b6cf426 + + Architecture: x86_64 + Boot via: installed image + System type: KVM guest + Secure Boot: enabled <-- UEFI secure boot indicator + + Hardware vendor: QEMU + Hardware model: Standard PC (i440FX + PIIX, 1996) + Hardware S/N: + Hardware UUID: 1f6e7f5c-fb52-4c33-96c9-782fbea36436 + + Copyright: VyOS maintainers and contributors + +************ +Image Update +************ + +.. note:: There is yet no signed version of ``shim`` for VyOS, thus we + provide no signed image for secure boot yet. If you are interested in + secure boot you can build an image on your own. 
+ +During image installation you will install your :abbr:`MOK (Machine Owner +Key)` into the UEFI variables to add trust to this key. After enabling +secure boot support in UEFI again, you can only boot into your signed image. + +It is no longer possible to boot into a CI generated rolling release as those +are currently not signed by a trusted party (:vytask:`T861` work in progress). +This also means that you need to sign all your successor builds you build on +your own with the exact same key, otherwise you will see: + +.. code-block:: none + + error: bad shim signature + error: you need to load the kernel first + +************ +Linux Kernel +************ + +In order to add an additional layer of security that can already be used in nonesecure +boot images already is ephem,eral key signing of the Linux Kernel modules. + +https://patchwork.kernel.org/project/linux-integrity/patch/20210218220011.67625-5-nayna@linux.ibm.com/ + +Whenever our CI system builds a Kernel package and the required 3rd party modules, +we will generate a temporary (ephemeral) public/private key-pair that's used for signing the +modules. The public key portion is embedded into the Kernel binary to verify the loaded +modules. + +After the Kernel CI build completes, the generated key is discarded - meaning we can no londer +sign additional modules with out key. Our Kernel configuration also contains the option +``CONFIG_MODULE_SIG_FORCE=y`` which means that we enforce all modules to be signed. If you +try to load an unsigned module, it will be rejected with the following error: + +``insmod: ERROR: could not insert module malicious.ko: Key was rejected by service`` + +Thos we close the door to load any malicious stuff after the image was assembled into the +Kernel as module. You can of course disable this behavior on custom builds. + +************ +Troubleshoot +************ + +In most of the cases if something goes wrong you will see the following error message +during system boot: + +.. 
code-block:: none + + error: bad shim signature + error: you need to load the kernel first + +This means that the Machine Owner Key used to sign the Kernel is not trusted by your +UEFI. You need to install the MOK via ``install mok`` as stated above. diff --git a/docs/installation/virtual/index.rst b/docs/installation/virtual/index.rst index 8b088598..1654ff9e 100644 --- a/docs/installation/virtual/index.rst +++ b/docs/installation/virtual/index.rst @@ -1,6 +1,6 @@ -#################################### -Running VyOS in Virtual Environments -#################################### +#################### +Virtual Environments +#################### .. toctree:: :caption: Content |
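Review bot: the `@@ -422,21 +422,21 @@` hunk renames every `set load-balancing reverse-proxy ...` command to `set load-balancing haproxy ...` but adds no note saying which VyOS release introduced the new path, so readers on a release that still exposes `reverse-proxy` will paste commands that fail and readers on the new release will not know whether an existing config is migrated on upgrade; add a short version note to the page. One more sentence would help in the health-check example itself: the backend is `mode 'tcp'` while the check is `http-check method 'get'`, which is valid (HAProxy's `option httpchk` can probe a TCP-mode backend with an HTTP request), but the text should say so rather than leave the reader to wonder whether the two lines conflict.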
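Review bot: the `docs/configuration/loadbalancing/index.rst` hunk changes the toctree entry from `reverse-proxy` to `haproxy`, which only works if the source document is renamed to `haproxy.rst` in the same change set; otherwise Sphinx reports a reference to a nonexisting document and the page drops out of the navigation tree. The rename of the document itself is not visible in this view, so please confirm it is part of the commit before merging.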
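Review bot: in the `@@ -67,19 +67,22 @@` hunk of `docs/configuration/service/https.rst`, the new `set service https api rest` command makes the REST API opt-in, which is a breaking change for deployments whose config only contains `api keys`; the page should state plainly that after an upgrade the REST endpoint stays off until this command is set (or that a migration script enables it, if that is the case). The same hunk deletes `set service https api cors allow-origin <origin>` without saying where it went, so a reader will assume CORS configuration was dropped altogether; add one sentence that CORS is now configured per API under `graphql`. Minor: `Enable REST API` is the only description without a trailing period.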
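Review bot: in the `@@ -105,12 +108,17 @@` hunk of `docs/configuration/service/https.rst`, the sentence `Setting REST API and an API-KEY is the minimal configuration to get a working API Endpoint.` is ungrammatical and uses `API-KEY` where the CLI word is `keys`; suggest `Enabling the REST API and defining one API key is the minimal configuration for a working API endpoint.` Since the example stores `MY-HTTPS-API-PLAINTEXT-KEY` directly in the configuration and the page already states that every key has the same, full permissions on the system, the example is the right place to repeat that the key is kept in plaintext in `config.boot` and should be treated as a root credential.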
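Review bot: in the `@@ -5,22 +5,21 @@` hunk of `docs/index.rst`, the `:ref:` targets now spell the section labels as `installation/virtual/index:Virtual Environments` and `installation/cloud/index:Cloud Environments`; these only resolve because the page titles in `docs/installation/cloud/index.rst` and `docs/installation/virtual/index.rst` are renamed later in this same patch, so the changes must stay in one commit. Grep the rest of `docs/` for the old `running vyos in virtual environments` and `running VyOS in Cloud Environments` labels as well, since any other page still using them will now produce an unresolved-reference warning. The remaining changes in this hunk and the following `@@ -28,20 +27,20 @@` hunk are trailing-whitespace removal only.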
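Review bot: the `docs/installation/vyos-on-baremetal.rst` to `docs/installation/bare-metal.rst` hunk keeps the explicit label `.. _vyosonbaremetal:` while retitling the page to `Bare Metal Deployment`, which preserves `:ref:` links that use the label, but the file rename breaks any autosectionlabel reference of the form `installation/vyos-on-baremetal:...` elsewhere in the docs; grep for the old document name before merging. The matching toctree update to `bare-metal` in `docs/installation/index.rst` is present in this patch.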
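Review bot: the `docs/installation/cloud/index.rst` hunk keeps the toctree entry `oracel`, which is a misspelling of `oracle` (it only gains the missing trailing newline); since this list is being touched anyway and the document name ends up in the published URL, rename the source file to `oracle.rst` and fix the entry in the same commit.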
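Review bot: in the new `docs/installation/secure-boot.rst`, the key-generation block writes the private key with `-nodes` to `data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.key`, and live-build copies everything under `includes.chroot` into the image's root filesystem, so unless a build hook deletes `MOK.key` from the chroot before the squashfs is created, every ISO built this way carries its own unencrypted signing key at `/var/lib/shim-signed/mok/MOK.key`, and anyone holding the image can sign a kernel that the enrolled MOK will trust; the page should state where the private key must be kept, whether the build removes it, and that `-nodes` leaves it unencrypted. Second, the introduction says shim `is properly signed by the UEFI SecureBoot key from Microsoft` while the Installation section says `As our version of shim is not signed by Microsoft`; only one can be true, and the actual reason a MOK is needed is that the VyOS GRUB and kernel are not signed by a key shim already trusts, so reword the second sentence to say that. The Troubleshoot paragraph should say the key is not trusted by shim (not enrolled in the MokList variable) rather than `not trusted by your UEFI`, since `install mok` does not touch the firmware's own db. Smaller points: all seven figures reuse the alt text `Disable UEFI secure boot`, including the MOK Manager screens; the Linux Kernel section has several typos (`nonesecure`, `ephem,eral`, `no londer`, `with out key` should be `with our key`, `Thos` should be `Thus`); and it is worth stating the practical consequence of discarding the module-signing key after the CI build, namely that no out-of-tree or DKMS module can be loaded on a CI kernel at all, not only a `malicious` one.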