# DMZ
## Definition
**De-Militarized Zone**
A physical or logical subnet that sits between the internal LAN and other untrusted networks. Also known as *perimiter networks* or *screened subnetworks.

Any public facing service should be placed in the DMZ. This includes websites, email servers, dns server, etc.

```text
        |     DMZ     |    ________
        |             |   (        )
  LAN   |    :80  <---|--( INTERNET )
        |    :443     |   (________)
    <---|------+      |
```
## Goals
1. Services should be available from the LAN and WAN using the same URL.
2. Services should be protected with SSL certificates.

I originally intended to set up port forwarding from the wild world web to a DMZ server. Unfortunately, due to unexpected technical difficulties (*cough* Xfinity is a shithole company *cough*) I will no longer have a publicly routable public IP. For the time being we will be using T-Mobile Home Internet and it's messy cg-nat. I am planning to finish setting up a DMZ reverse proxy server. ~~I will accomplish the *port forward* using `cloudflared` tunnels.~~ I will accomplish the *port forward* using a `snorkel` server that gives me a public ip address connected through `tailscale`.

## Reverse Proxy

My reverse proxy of choice is `nginx`. *I know...* Everyone l*aw*ves `traefik` nowdays, because `kubernetes` and *ingress bro!* Whatever. I don't care. Nginx is simple and it works. There is also a great web-ui available, [Nginx Proxy Manager](https://nginxproxymanager.com). It runs in `docker`. Here is the compose.yaml file:

```yaml
version: '3.8'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
      # Add any other Stream port you want to expose
      # - '21:21' # FTP

    # Uncomment the next line if you uncomment anything in the section
    # environment:
      # Uncomment this if you want to change the location of
      # the SQLite DB file within the container
      # DB_SQLITE_FILE: "/data/database.sqlite"

      # Uncomment this if IPv6 is not enabled on your host
      # DISABLE_IPV6: 'true'

    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
```

## Snorkel

Due to the fact that my LAN is behind cg-nat, I need a way to route requests from the Wild World Web (www) to my nginx proxy host. My first thought was to use `cloudflared` tunnels to expose services directly. That would negate the need for a reverse proxy because service could be directly exposed. However, my first goal is to be able to use the same URLs at home and in the wild and I could not imagine an effective way to accomplish that task because of the SSL certificates that would not match.

I ended up creating a droplet in DigitalOcean that basically acts as a router for public requests to services. It uses a program called `rinetd` to forward ports from a public ip, through my tailscale network, to my dmz host. The dmz hosts the reverse proxy and handles SSL certificates.

```text
  public ip
  :80, :443
    |   |
    | s |
    | n |
    | o |
 /\/| r |\/\/\/\
    | k |
    | e | tailscale
    | l | network
    \   \____________    | DMZ
     \_______________--> | Proxy to local
                         | network 10.0.1.0/24

```

### rinetd - TCP/UDP Port Redirector

This program is used to efficiently redirect connections from one IP address/port combination to another. It is useful when operating virtual servers, firewalls and the like.
[GitHub](https://github.com/samhocevar/rinetd)

Install on ubuntu/debian with `apt install rinetd`.

Default config file is `/etc/rinetd.conf`. May be launched as a systemd service.

#### Configuration:

```shell
#
# this is the configuration file for rinetd, the internet redirection server
#
# you may specify global allow and deny rules here
# only ip addresses are matched, hostnames cannot be specified here
# the wildcards you may use are * and ?
#
# allow 192.168.2.*
# deny 192.168.2.1?
# allow fe80:*
# deny 2001:618:*:e43f


#
# forwarding rules come here
#
# you may specify allow and deny rules after a specific forwarding rule
# to apply to only that forwarding rule
#
# bindadress  bindport  connectaddress  connectport  options...
# 0.0.0.0     80        192.168.1.2     80
# ::1         80        192.168.1.2     80
# 0.0.0.0     80        fe80::1         80
# 127.0.0.1   4000      127.0.0.1       3000
# 127.0.0.1   4000/udp  127.0.0.1       22           [timeout=1200]
# 127.0.0.1   8000/udp  192.168.1.2     8000/udp     [src=192.168.1.2,timeout=1200]

137.184.86.82 80 100.74.81.71 80
137.184.86.82 443 100.74.81.71 443
# these values are the publicip bindport and dmz-tailsnet-ip connectport

## todo ipv6
# 2604:a880:4:1d0::55a:d000 80 fd7a:115c:a1e0::d34a:5147 80
# 2604:a880:4:1d0::55a:d000 443 fd7a:115c:a1e0::d34a:5147 443

# logging information
logfile /var/log/rinetd.log

# uncomment the following line if you want web-server style logfile format
# logcommon
```

### tailscale config

- Install tailscale with `curl -fsSL https://tailscale.com/install.sh | sh`
- Generate authkey with `tag: snorkel`, adjust ACLs to only allow access to DMZ host on the tailnet, and `export TS_AUTHKEY=generatedvalue`.
- Run `tailscale up --authkey=$TS_AUTHKEY --accept-routes`

### Uptime Kuma Push Service

I use [UptimeKuma](https://uptime.kuma.pet) for monitoring. For this server I am using a Push monitor - which relies on a script and service on the server.

#### Script
Depends on jq

[Source: selfhosted.club](https://www.selfhosted.club/service-and-infrastructure-monitoring-with-uptimekuma-1/)

Copy script to `/usr/bin/uptime-kuma-push`. Usage:

```bash
uptime-kuma-push -t <uptime-kuma-token> -s <system_service> -p <ping_target> -u <up.thewestwoods.us>
```

```bash
#!/bin/bash
#################################
# Defaults                      #
#################################

default_url="up.thewestwoods.us"
default_ping="8.8.8.8"
status="up"
msg="OK"

#################################
# Help                          #
#################################
Help()
{
        # display help
        echo "Uptime Kuma Push script with ping and service monitoring."
        echo
        echo "Syntax: uptime-kuma-push [-u|t|s|p]"
        echo "options:"
        echo " - u    Set the url for the Uptime Kuma server e.g. $default_url."
        echo " - t    Token from the Uptime Kuma monitor settings."
        echo " - s    Local system service to watch (optional)."
        echo " - p    Ping target as hostname or IP address (optional)."
        echo " - h    Print this Help"
        echo
}

################################
# Main Program                 #
################################
while getopts u:t:s:p:h flag
do
        case "${flag}" in
                u) base_url=${OPTARG};;
                t) token=${OPTARG};;
                s) system_service=${OPTARG};;
                p) ping_target=${OPTARG};;
                h) # Display Help
                   Help
                   exit;;
        esac
done

if [ -z $token ]; then
        echo "Usage: $0 -t <push_token> [options...]" >&2
        echo "Uptime Kuma Token is required."
        exit 1
fi

if [ -z $base_url ]; then
        base_url="$default_url"
fi

if [ -z $system_service ]; then
        system_service="Not watching any service."
else
        if systemctl is-active --quiet "$system_service"; then
                status="up"
                msg="OK"
        else
                status="down"
                msg="Service $system_service is not running."
        fi
fi

if [ -z $ping_target ]; then
        ping_target="$default_ping"
fi

#echo "Uptime Kuma Server URL: $base_url";
#echo "Uptime Kuma Token: $token";
#echo "System Service to watch: $system_service";
#echo "Server to Ping: $ping_target";

# Execute the ping command and capture the output
ping_output=$(ping -c 1 $ping_target | awk '/rtt/ {print $4}' | cut -d '/' -f 2)

# URL-encode the token
token=$(printf "%s" "$token" | jq -s -R -r @uri)

# URL-encode the ping output
encoded_ping_output=$(printf "%s" "$ping_output" | jq -s -R -r @uri)

# URL-encode the message
encoded_msg=$(printf "%s" "$msg" | jq -s -R -r @uri)

curl_url="https://${base_url}/api/push/${token}?status=${status}&msg=${encoded_msg}&ping=${encoded_ping_output}"

curl_command="curl --fail --retry 5 ${curl_url}"

# echo $curl_command
exec $curl_command
if [ $? -ne 0 ]; then
        echo "Failed: $result" >&2
fi
```

#### systemd Service
- *Not* enabled
- *Not* started

/etc/systemd/system/uptime-kuma-push.service
```bash
[Unit]
Description=Uptime Kuma push monitor

[Service]
ExecStart=/usr/bin/uptime-kuma-push -t Y16lRMqsEg -p dmz -s rinetd

[Install]
WantedBy=multi-user.target
```

#### systemd Timer
- `systemctl enable uptime-kuma-push.timer`
- `systemctl start uptime-kuma-push.timer`
- `OnCalenar=*:0/5` runs the service every 5 minutes starting with 0
  - Alternative is `OnActiveSec=5m` - runs every 5 minutes starting when `systemctl start` is run

/etc/systemd/system/uptime-kuma-push.timer
```bash
[Unit]
Description=Uptime Kuma push monitor timer

[Timer]
OnCalendar=*:0/5
AccuracySec=1s
Persistent=true

[Install]
WantedBy=timers.target
```

### cloud-config
```yaml
#cloud-config
#users:
#  - name: samyules
#    shell: /bin/bash
#    sudo: ['ALL=(ALL) OPASSWD:ALL']
#    ssh_import_id:
#      - gh:samyules
#disable_root: true

# add ssh authorized keys
ssh_authorized_keys:
  - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBCuKIkqr7l87llAp0xtQ9Eo+SgeyGbbUZbjgqPJkI135I1M+6xA+PxrQ0MOI+wqUZqdDcA9GrsQsF4M7xXVBUw= samyules@ipad1
  - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFeHdSzxZtuDwrdq+9xcTHCYOqn72C0/+AHNDgPBdsIdx4Z5bPDUMOWAwO5bccetgY0km0/R/dpG4IRpjqGoxUBCnUt1fcEsn/+0iAq2hQjItgbjYy7mzyRTSMG1aDa2gdPCtoYHFv0dtVSz0RWi0qRdimduyG4LEIn3LNNgPr6gJoCbkmdeHz4S5ar4sitrkC1Juprd2KdZ5DQD1x8rEVdXQKS73zcDuzMk+dxsEXzOTvnn/xYo39FOKqrKerKL17oA9LtTSD6qW0ufBMMRn4l/658eA2YBMtsHbtlx3/SntkZeFp26GymBygbjCT9CsLKINr1TTJb+OSXK7W6SW3 samwestwood@Hilarys-iMac.home.lan
  - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhFgLfsXKUp5oi3bgHzv9IxvilNed9sxavSLCu8gxM/Wn6TShASS810YqkFYHvjhVAvkSfb94gcpPwSWL7rvXy7E4I7HAwwwhiu+2TbeVeC+tuqu5M5TaB4ldrF8FGs6yHK1lizNhEgttarWqiMJ02qiLK3O0WAv6wu21ereO5cyHb172l0oGEG70HcoQFKjYJJ5800ij1iv6s+4fKafSrd4VaacGHUmQ6QmtBOjK8t7Jw8dpppspk1jwmli9uAyO3XsNjINXzHdxalTsFuXSv/YU2mi3Y+MDE3tlRXQ6rHl05sYp/vanosYCUSNAWrYhrHb1TXl9aUmrG43zHrfZ1 samyules@ammocan
  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINU/fEtAWKogerEOxaqmlx+fV6jC+NTOsVbp6559ChkP samyules@iphone13pro

# Install software

package_update: true
package_upgrade: true
packages:
  - jq
  - rinetd

# Write files for Uptime Kuma service script
write_files:
  - encodings: b64
    content: |
      IyEvYmluL2Jhc2gKIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjCiMgRGVmYXVsdHMg
      ICAgICAgICAgICAgICAgICAgICAgIwojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMK
      CmRlZmF1bHRfdXJsPSJ1cC50aGV3ZXN0d29vZHMudXMiCmRlZmF1bHRfcGluZz0iOC44LjguOCIK
      c3RhdHVzPSJ1cCIKbXNnPSJPSyIKCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIwoj
      IEhlbHAgICAgICAgICAgICAgICAgICAgICAgICAgICMKIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj
      IyMjIyMjIyMjCkhlbHAoKQp7CgkjIGRpc3BsYXkgaGVscAoJZWNobyAiVXB0aW1lIEt1bWEgUHVz
      aCBzY3JpcHQgd2l0aCBwaW5nIGFuZCBzZXJ2aWNlIG1vbml0b3JpbmcuIgoJZWNobwoJZWNobyAi
      U3ludGF4OiB1cHRpbWUta3VtYS1wdXNoIFstdXx0fHN8cF0iCgllY2hvICJvcHRpb25zOiIKCWVj
      aG8gIiAtIHUgICAgU2V0IHRoZSB1cmwgZm9yIHRoZSBVcHRpbWUgS3VtYSBzZXJ2ZXIgZS5nLiAk
      ZGVmYXVsdF91cmwuIgoJZWNobyAiIC0gdCAgICBUb2tlbiBmcm9tIHRoZSBVcHRpbWUgS3VtYSBt
      b25pdG9yIHNldHRpbmdzLiIKCWVjaG8gIiAtIHMgICAgTG9jYWwgc3lzdGVtIHNlcnZpY2UgdG8g
      d2F0Y2ggKG9wdGlvbmFsKS4iCgllY2hvICIgLSBwICAgIFBpbmcgdGFyZ2V0IGFzIGhvc3RuYW1l
      IG9yIElQIGFkZHJlc3MgKG9wdGlvbmFsKS4iCgllY2hvICIgLSBoICAgIFByaW50IHRoaXMgSGVs
      cCIKCWVjaG8KfQoKIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMKIyBNYWluIFByb2dy
      YW0gICAgICAgICAgICAgICAgICMKIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMKd2hp
      bGUgZ2V0b3B0cyB1OnQ6czpwOmggZmxhZwpkbwoJY2FzZSAiJHtmbGFnfSIgaW4KCQl1KSBiYXNl
      X3VybD0ke09QVEFSR307OwoJCXQpIHRva2VuPSR7T1BUQVJHfTs7CgkJcykgc3lzdGVtX3NlcnZp
      Y2U9JHtPUFRBUkd9OzsKCQlwKSBwaW5nX3RhcmdldD0ke09QVEFSR307OwoJCWgpICMgRGlzcGxh
      eSBIZWxwCgkJICAgSGVscAoJCSAgIGV4aXQ7OwoJZXNhYwpkb25lCgppZiBbIC16ICR0b2tlbiBd
      CnRoZW4KCWVjaG8gIlVzYWdlOiAkMCAtdCA8cHVzaF90b2tlbj4gW29wdGlvbnMuLi5dIiA+JjIK
      CWVjaG8gIlVwdGltZSBLdW1hIFRva2VuIGlzIHJlcXVpcmVkLiIKCWV4aXQgMQpmaQoKaWYgWyAt
      eiAkYmFzZV91cmwgXTsgdGhlbgoJYmFzZV91cmw9IiRkZWZhdWx0X3VybCIKZmkKCmlmIFsgLXog
      JHN5c3RlbV9zZXJ2aWNlIF07IHRoZW4KCXN5c3RlbV9zZXJ2aWNlPSJOb3Qgd2F0Y2hpbmcgYW55
      IHNlcnZpY2UuIgplbHNlCglpZiBzeXN0ZW1jdGwgaXMtYWN0aXZlIC0tcXVpZXQgIiRzeXN0ZW1f
      c2VydmljZSI7IHRoZW4KCQlzdGF0dXM9InVwIgoJCW1zZz0iT0siCgllbHNlCgkJc3RhdHVzPSJk
      b3duIgoJCW1zZz0iU2VydmljZSAkc3lzdGVtX3NlcnZpY2UgaXMgbm90IHJ1bm5pbmcuIgoJZmkK
      ZmkKCmlmIFsgLXogJHBpbmdfdGFyZ2V0IF0KdGhlbgoJcGluZ190YXJnZXQ9IiRkZWZhdWx0X3Bp
      bmciCmZpCgojZWNobyAiVXB0aW1lIEt1bWEgU2VydmVyIFVSTDogJGJhc2VfdXJsIjsKI2VjaG8g
      IlVwdGltZSBLdW1hIFRva2VuOiAkdG9rZW4iOwojZWNobyAiU3lzdGVtIFNlcnZpY2UgdG8gd2F0
      Y2g6ICRzeXN0ZW1fc2VydmljZSI7CiNlY2hvICJTZXJ2ZXIgdG8gUGluZzogJHBpbmdfdGFyZ2V0
      IjsKCiMgRXhlY3V0ZSB0aGUgcGluZyBjb21tYW5kIGFuZCBjYXB0dXJlIHRoZSBvdXRwdXQKcGlu
      Z19vdXRwdXQ9JChwaW5nIC1jIDEgJHBpbmdfdGFyZ2V0IHwgYXdrICcvcnR0LyB7cHJpbnQgJDR9
      JyB8IGN1dCAtZCAnLycgLWYgMikKCiMgVVJMLWVuY29kZSB0aGUgdG9rZW4KdG9rZW49JChwcmlu
      dGYgIiVzIiAiJHRva2VuIiB8IGpxIC1zIC1SIC1yIEB1cmkpCgojIFVSTC1lbmNvZGUgdGhlIHBp
      bmcgb3V0cHV0CmVuY29kZWRfcGluZ19vdXRwdXQ9JChwcmludGYgIiVzIiAiJHBpbmdfb3V0cHV0
      IiB8IGpxIC1zIC1SIC1yIEB1cmkpCgojIFVSTC1lbmNvZGUgdGhlIG1lc3NhZ2UKZW5jb2RlZF9t
      c2c9JChwcmludGYgIiVzIiAiJG1zZyIgfCBqcSAtcyAtUiAtciBAdXJpKQoKY3VybF91cmw9Imh0
      dHBzOi8vJHtiYXNlX3VybH0vYXBpL3B1c2gvJHt0b2tlbn0/c3RhdHVzPSR7c3RhdHVzfSZtc2c9
      JHtlbmNvZGVkX21zZ30mcGluZz0ke2VuY29kZWRfcGluZ19vdXRwdXR9IgoKY3VybF9jb21tYW5k
      PSJjdXJsIC0tZmFpbCAtLXJldHJ5IDUgJHtjdXJsX3VybH0iCgojIGVjaG8gJGN1cmxfY29tbWFu
      ZApleGVjICRjdXJsX2NvbW1hbmQKaWYgWyAkPyAtbmUgMCBdOyB0aGVuCgllY2hvICJGYWlsZWQ6
      ICRyZXN1bHQiID4mMgpmaQo=
    owner: root:root
    path: /usr/bin/uptime-kuma-push
    permissions: '0755'
  - content: |
      [Unit]
      Description=Uptime Kuma push monitor
      
      [Service]
      ExecStart=/usr/bin/uptime-kuma-push -t Y16lRMqsEg -s rinetd -p dmz
      
      [Install]
      WantedBy=multi-user.target      
    path: /etc/systemd/system/uptime-kuma-push.service
  - content: |
      [Unit]
      Description=Uptime Kuma push monitor timer
      
      [Timer]
      OnCalendar=*:0/5
      AccuracySec=1s
      Persistent=true
      
      [Install]
      WantedBy=timers.target
    
runcmd:
  - 'curl -fsSL https://tailscale.com/install.sh | sh'
  - 'tailscale up --authkey=$TS_AUTHKEY --accept-routes --ssh'
  - 'systemctl daemon-reload'
  - 'systemctl enable uptime-kuma-push.timer'
  - 'systemctl start uptime-kuma-push.timer'
  ```

## Security in the DMZ

In the DMZ, attacks should be expected. Web servers and other exposed services are targets. The DMZ server should be hardened with a firewall. I prefer using *Uncomplicated Firewall*, aka `ufw`. It has sane defaults and is easy to configure.

### `ufw` setup

In [None]:
apt install ufw

The default settings allow outgoing and deny incoming connections. You can configure it to allow specific services before enabling it. You can use common service names or port numbers. The following example will limit ssh access from a specific subnet, and allow public traffic to :80 and :443. 

In [None]:
ufw allow from 10.0.1.0/24 ssh
ufw allow 80
ufw allow https ## ufw allow 443

Then enable the firewall.

In [None]:
ufw enable

### Problems

#### `docker` don't work with firewall
My choice to use `docker` to manage services presents some unique challenges in the DMZ. The docker daemon directly writes to `iptables`. This means that whenever a service exposes a port in docker, it bypasses *any* and *all* firewall rules. A few years ago I attempted to build a similar setup without luck. At that time I concluded that it was not suitable to run docker on a public host.

#### The Fix
I did some more research and I found a solid fix on [StackOverflow](https://stackoverflow.com/a/51741599). @Feng did a a great job explaining all of it in his answer. It is accomplished by changing one single `ufw` congiguration file, allowing the default docker config to remain, and changing the way you expose services with ufw. 

Add the following to the end of `/etc/ufw/after.rules`:

```ini
# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16

-A DOCKER-USER -j ufw-user-forward

-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 172.16.0.0/12

-A DOCKER-USER -j RETURN
COMMIT
# END UFW AND DOCKER
```

Then restart ufw using `sudo systemctl restart ufw`.

By default the localhost can access docker resources, but the firewall will restrict access from external hosts. In order to expose docker resources to public hosts you set up a route to the *container* host port. You also need to know the container ip address. It should look like this:

`ufw route allow proto tcp from any to 172.17.0.2 port 443`

This will expose the soecific container and port, while still protecting the host port. To [find the container ip](https://stackoverflow.com/a/20686101) use this:

```bash
docker inspect \
  -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' container_name_or_id
```