haproxy (#47), elefante-borneu-yul-01 (#45), aguia-pescadora-bravo (#16…

…): configuracao basica de haproxy com MongoDB (#48) e Redis (#51), ainda não clusterizados)
fititnt · May 28, 2019 · b5f85e9 · b5f85e9
1 parent a2b6d9c
commit b5f85e9
Show file tree

Hide file tree

Showing 5 changed files with 129 additions and 9 deletions.
diff --git a/logbook/aguia-pescadora-bravo.sh b/logbook/aguia-pescadora-bravo.sh
@@ -1077,6 +1077,16 @@ sudo systemctl reload nginx
 
 sudo certbot --nginx -d haproxy.abp.etica.ai
 
+##### HAProxy, como testar atualizacoes ANTES de implementar -------------------
+
+# Use o comando a seguir para testar se o arquivo /etc/haproxy/haproxy.cfg
+# poderá impedir que dar reload cause falha critica
+sudo haproxy -f /etc/haproxy/haproxy.cfg -c
+#sudo service haproxy configtest
+
+# Então aplique usando reload (melhor do que usar sudo systemctl restart haproxy)
+sudo systemctl reload haproxy
+
 ##### MariaDB (apenas cliente) _________________________________________________
 ### O objetivo aqui é ter do lado do cliente os pacotes mínimos para contectar
 ### ao cluster Elevante Bornéu

diff --git a/logbook/aguia-pescadora-bravo/etc/haproxy/haproxy.cfg b/logbook/aguia-pescadora-bravo/etc/haproxy/haproxy.cfg
@@ -37,15 +37,39 @@ defaults
 	errorfile 504 /etc/haproxy/errors/504.http
 
 # Load Balancing for Galera Cluster
-listen galera
+listen MariaDB-Galera-Cluster
 	bind 127.0.0.1:3306
 	balance leastconn
 	mode tcp
+	option tcplog
 	option mysql-check user haproxy
 	server elefante-borneu-yul-01 149.56.130.19:3306 maxconn 25 check weight 10
 	server elefante-borneu-yul-02 149.56.130.66:3306 maxconn 25 check weight 10
-	server elefante-borneu-yul-03 149.56.130.178:3306 maxconn 25 check weight 11
+	server elefante-borneu-yul-03 149.56.130.178:3306 maxconn 25 check weight 10
 
+listen MongoDB-TestFakeCluster
+	bind 127.0.0.1:27017
+	balance leastconn
+	mode tcp
+	option tcplog
+	server elefante-borneu-yul-01 149.56.130.19:27017 maxconn 25 check weight 10
+	server elefante-borneu-yul-02 149.56.130.66:27017 maxconn 25 check weight 10
+	server elefante-borneu-yul-03 149.56.130.178:27017 maxconn 25 check weight 10
+
+listen Redis-TestFakeCluster
+	bind 127.0.0.1:6379
+	balance leastconn
+	option tcp-check
+	tcp-check connect
+	tcp-check send PING\r\n
+	tcp-check expect string +PONG
+	#tcp-check send info\ replication\r\n
+	#tcp-check expect string role:master
+	tcp-check send QUIT\r\n
+	tcp-check expect string +OK
+	server elefante-borneu-yul-01 149.56.130.19:6379 maxconn 25 check weight 10
+	server elefante-borneu-yul-02 149.56.130.66:6379 maxconn 25 check weight 10
+	server elefante-borneu-yul-03 149.56.130.178:6379 maxconn 25 check weight 10
 
 listen stats
 	bind 127.0.0.1:1936

diff --git a/logbook/elefante-borneu-yul-01.sh b/logbook/elefante-borneu-yul-01.sh
@@ -187,6 +187,23 @@ sudo ufw allow mosh comment "Mosh, *, [TODO: restringir SSH no Cluster Elefante
 sudo ufw allow from 104.167.109.226 to any port 3306 comment "MariaDB, aguia-pescadora-alpha.etica.ai"
 sudo ufw allow from 192.99.247.117 to any port 3306 comment "MariaDB, aguia-pescadora-bravo.etica.ai"
 
+#### MongoDB -------------------------------------------------------------------
+## Sites de aplicação tem direito de acessar as porta específicas do MongoDB
+# @see https://docs.mongodb.com/manual/reference/default-mongodb-port/
+# @see https://docs.mongodb.com/manual/administration/security-checklist/
+# @see https://docs.mongodb.com/manual/security/
+
+sudo ufw allow from 104.167.109.226 to any port 27017 comment "MongoDB, aguia-pescadora-alpha.etica.ai"
+sudo ufw allow from 192.99.247.117 to any port 27017 comment "MongoDB, aguia-pescadora-bravo.etica.ai"
+
+#### Redis -------------------------------------------------------------------
+## Sites de aplicação tem direito de acessar as porta específicas do Redis
+# @see https://redis.io/topics/security
+# @see http://antirez.com/news/96 (Leia isso)
+
+sudo ufw allow from 104.167.109.226 to any port 6379 comment "Redis, aguia-pescadora-alpha.etica.ai"
+sudo ufw allow from 192.99.247.117 to any port 6379 comment "Redis, aguia-pescadora-bravo.etica.ai"
+
 ##### Firewall, ativação _______________________________________________________
 sudo ufw enable
 
@@ -358,12 +375,13 @@ journalctl -u mariadb.service
 # @see https://docs.mongodb.com/manual/core/replica-set-high-availability/
 # @see https://computingforgeeks.com/how-to-setup-mongodb-replication-on-ubuntu-18-04-lts/
 # @see https://docs.mongodb.com/manual/tutorial/backup-and-restore-tools/
-
 # @see https://medium.com/@vvangemert/mongodb-cluster-haproxy-and-the-failover-issue-285c1523628f
-
-# Adicionar links no github:
 # @see https://www.mongodb.com/blog/post/active-active-application-architectures-with-mongodb
 
+# TODO: adicionar no issue do GitHub:
+# @see https://docs.mongodb.com/manual/administration/security-checklist/
+# @see https://docs.mongodb.com/manual/security/
+
 ## Configurar pacotes
 # @see https://docs.mongodb.com/manual/tutorial/install-mongodb-on-ubuntu/#install-mongodb-community-edition-using-deb-packages
 sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
@@ -372,16 +390,15 @@ sudo apt update
 
 sudo apt install mongodb-org
 
-
 sudo systemctl start mongod
 sudo systemctl enable mongod
 
-
 #------------------------------------------------------------------------------#
 # SEÇÃO REDIS: 1. INSTALAÇÃO E CONFIGURAÇÃO INICIAL                            #
 # TL;DR: ...                                                                   #
 #------------------------------------------------------------------------------#
 # @see https://github.com/fititnt/cplp-aiops/issues/51
+# @see https://redis.io/topics/quickstart
 
 # @see https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-redis-on-ubuntu-18-04
 sudo apt update

diff --git a/logbook/elefante-borneu-yul-01/etc/mongod.conf b/logbook/elefante-borneu-yul-01/etc/mongod.conf
@@ -0,0 +1,51 @@
+# mongod.conf
+
+# for documentation of all options, see:
+#   http://docs.mongodb.org/manual/reference/configuration-options/
+
+# Where and how to store data.
+storage:
+  dbPath: /var/lib/mongodb
+  journal:
+    enabled: true
+#  engine:
+#  mmapv1:
+#  wiredTiger:
+
+# where to write logging data.
+systemLog:
+  destination: file
+  logAppend: true
+  path: /var/log/mongodb/mongod.log
+
+## AVISO DE SEGURANCA: a alteracao de "bindIp: 127.0.0.1" para "bindIp: 0.0.0.0"
+##                     requer especial atencao e depende de protecao a nivel de
+##                     firewall e, adicionalmente, usuario e senha. Esteja ciente
+##                     que a alteração definica aqui DEPENDE de protecoes adicionais
+##                     que deveriam ser implementadas mesmo em projetos que nao
+##                     estao divugladas publicamente (fititnt, 2019-05-28 17:59 BRT)
+# @see https://docs.mongodb.com/manual/administration/security-checklist/
+
+# network interfaces
+net:
+  port: 27017
+#  bindIp: 127.0.0.1
+  bindIp: 0.0.0.0
+
+# how the process runs
+processManagement:
+  timeZoneInfo: /usr/share/zoneinfo
+
+#security:
+
+#operationProfiling:
+
+#replication:
+
+#sharding:
+
+## Enterprise-Only Options:
+
+#auditLog:
+
+#snmp:
diff --git a/logbook/elefante-borneu-yul-01/etc/redis/redis.conf b/logbook/elefante-borneu-yul-01/etc/redis/redis.conf
@@ -66,7 +66,22 @@
 # IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
 # JUST COMMENT THE FOLLOWING LINE.
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-bind 127.0.0.1 ::1
+
+## AVISO DE SEGURANCA: a alteracao de "bind 127.0.0.1 ::1" para "bind: 0.0.0.0"
+##                     requer especial atencao e depende de protecao a nivel de
+##                     firewall e, adicionalmente, usuario e senha. Esteja ciente
+##                     que a alteração definica aqui DEPENDE de protecoes adicionais
+##                     que deveriam ser implementadas mesmo em projetos que nao
+##                     estao divugladas publicamente (fititnt, 2019-05-28 17:59 BRT)
+# @see https://redis.io/topics/security
+# @see http://antirez.com/news/96  (Este link explica como vao te encontrar se errar!)
+##
+## RECOMENDACAo: Caso seu projeto tenha orcamento para permitir uma Private network
+##               e' recomendado que voce aceite. E em vez de permitir acesso em todas
+##               as portas, ao menos deixe explicitamente apenas no IP da rede interna.
+##               (fititnt, 2019-05-28 18:10 BRT)
+
+# bind 127.0.0.1 ::1
 
 # Protected mode is a layer of security protection, in order to avoid that
 # Redis instances left open on the internet are accessed and exploited.
@@ -85,7 +100,10 @@ bind 127.0.0.1 ::1
 # you are sure you want clients from other hosts to connect to Redis
 # even if no authentication is configured, nor a specific set of interfaces
 # are explicitly listed using the "bind" directive.
-protected-mode yes
+# protected-mode yes
+protected-mode no
+
+## AVISO DE SECURANCA: Veja comentarios sobre '# bind 127.0.0.1 ::1' neste mesmo arquivo (fititnt, 2019-05-28 18:22 BRT)
 
 # Accept connections on the specified port, default is 6379 (IANA #815344).
 # If port 0 is specified Redis will not listen on a TCP socket.