Step-by-step instructions for deploying Hailbytes VPN with the Firezone GUI are provided here.
Administer: Setting up the server instance relates directly to this part.
User Guides: Helpful documents that can teach you how to use Firezone and resolve common problems. After the server has been successfully deployed, refer to this section.
Split Tunneling: Use the VPN to send traffic only to specific IP ranges.
Whitelisting: Set a static IP address for the VPN server so that it can be whitelisted.
Reverse Tunnels: Create tunnels between several peers using reverse tunnels.
We are happy to help if you need assistance installing, customizing, or using Hailbytes VPN.
Before users produce or download device configuration files, Firezone can be configured to require authentication. Users may also need to periodically re-authenticate to keep their VPN connection active.
Although Firezone's default login method is local email and password, it can also be integrated with any standardized OpenID Connect (OIDC) identity provider. Users are then able to log in to Firezone using their Okta, Google, Azure AD, or private identity provider credentials.
Integrate a Generic OIDC Provider
The configuration parameters Firezone needs to allow SSO through an OIDC provider are shown in the example below. The configuration file is located at /etc/firezone/firezone.rb. Run firezone-ctl reconfigure and then firezone-ctl restart to update the application and apply the changes.
# This is an example using Google and Okta as the SSO identity provider.
# Multiple OIDC configs can be added to the same Firezone instance.

# Firezone can disable a user's VPN if there is any error detected trying
# to refresh their access_token. This is verified to work for Google, Okta, and
# Azure SSO and is used to automatically disconnect a user's VPN if they are removed
# from the OIDC provider. Leave this disabled if your OIDC provider
# has issues refreshing access tokens as it could unexpectedly interrupt a
# user's VPN session.
default['firezone']['authentication']['disable_vpn_on_oidc_error'] = false

default['firezone']['authentication']['oidc'] = {
  google: {
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    client_id: "",
    client_secret: "",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  },
  okta: {
    discovery_document_uri: "https:// /.well-known/openid-configuration",
    client_id: "",
    client_secret: "",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Okta"
  }
}
The following configuration settings are needed for the integration:
For each OIDC provider a corresponding pretty URL is created for redirecting to the configured provider's sign-in URL. For the example OIDC configuration above, the URLs are:
Providers we have documentation for:
If your identity provider has a generic OIDC connector and is not listed above, please refer to its documentation for information on how to retrieve the required configuration settings.
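As an added example (not Firezone's or Hailbytes' own code), the Ruby check below walks an OIDC hash shaped like the one above and reports the misconfigurations that most often break SSO or silently disable token refresh; the hostname, the provider list and every secret in it are constructed placeholders.

```ruby
# Added example: a sanity check to run over the OIDC hash before
# "firezone-ctl reconfigure". Not part of Firezone; all values are constructed.

FIREZONE_HOST = "instance-id.yourfirezone.com".freeze # assumed instance hostname

# Providers whose example scope on this page includes offline_access
# (needed so Firezone can refresh tokens and disconnect removed users).
OFFLINE_ACCESS_PROVIDERS = %i[okta azure].freeze

REQUIRED_KEYS = %i[discovery_document_uri client_id client_secret
                   redirect_uri response_type scope label].freeze

# Constructed sample mirroring default['firezone']['authentication']['oidc'].
# The okta entry deliberately contains four mistakes for the check to catch.
SAMPLE_OIDC = {
  google: {
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    client_id: "PLACEHOLDER_GOOGLE_CLIENT_ID",
    client_secret: "PLACEHOLDER_GOOGLE_CLIENT_SECRET",
    redirect_uri: "https://#{FIREZONE_HOST}/auth/oidc/google/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  },
  okta: {
    discovery_document_uri: "http://example.okta.com/.well-known/openid-configuration", # plain http
    client_id: "",                                                                      # blank
    client_secret: "PLACEHOLDER_OKTA_CLIENT_SECRET",
    redirect_uri: "https://#{FIREZONE_HOST}/auth/oidc/google/callback/",               # wrong provider path
    response_type: "code",
    scope: "openid email profile",                                                      # no offline_access
    label: "Okta"
  }
}.freeze

# Returns an array of findings (strings) for one provider entry; empty means OK.
def check_provider(name, cfg, host)
  findings = []
  REQUIRED_KEYS.each do |key|
    findings << "#{name}: #{key} is missing or blank" if cfg[key].to_s.strip.empty?
  end

  disc = cfg[:discovery_document_uri].to_s
  findings << "#{name}: discovery_document_uri must use https" unless disc.start_with?("https://")
  unless disc.end_with?("/.well-known/openid-configuration")
    findings << "#{name}: discovery_document_uri should end with /.well-known/openid-configuration"
  end

  # The redirect URIs on this page follow /auth/oidc/<provider key>/callback/,
  # so the path must agree with the hash key the provider is registered under.
  expected = "https://#{host}/auth/oidc/#{name}/callback/"
  findings << "#{name}: redirect_uri should be #{expected}" unless cfg[:redirect_uri] == expected

  findings << "#{name}: response_type must be \"code\"" unless cfg[:response_type] == "code"

  scopes = cfg[:scope].to_s.split
  findings << "#{name}: scope must include openid" unless scopes.include?("openid")
  if OFFLINE_ACCESS_PROVIDERS.include?(name) && !scopes.include?("offline_access")
    findings << "#{name}: scope lacks offline_access, so refresh tokens cannot be obtained " \
                "and removed users will not be disconnected"
  end
  findings
end

# Checks every provider in the hash and returns all findings.
def check_oidc(oidc, host = FIREZONE_HOST)
  oidc.flat_map { |name, cfg| check_provider(name, cfg, host) }
end

if __FILE__ == $PROGRAM_NAME
  findings = check_oidc(SAMPLE_OIDC)
  puts(findings.empty? ? "OIDC config looks consistent" : findings)
end
```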
The configuration under settings/security can be changed to require periodic re-authentication. This can be used to enforce the requirement that users log in to Firezone periodically to continue their VPN session.
The session length can be configured to be between one hour and ninety days. Setting this to Never enables VPN sessions indefinitely. This is the default.
The user must disconnect their VPN session and log in to the Firezone portal (the URL specified during deployment) to re-authenticate an expired VPN session.
You can also re-authenticate your session by following the precise client instructions found here.
VPN Connection Status
The VPN connection column of the users page table shows a user's connection status. These are the connection statuses:
ENABLED - The connection is enabled.
DISABLED - The connection was disabled by an administrator or by an OIDC refresh failure.
EXPIRED - The connection is disabled because authentication expired or the user has not signed in for the first time.
With its generic OIDC connector, Firezone enables Single Sign-On (SSO) with Google Workspace and Cloud Identity. This guide will show you how to obtain the configuration parameters listed below, which are needed for the integration:
1. OAuth Config Screen
If this is the first time you are creating a new OAuth client ID, you will be asked to configure the consent screen.
* Select Internal for the user type. This ensures that only accounts belonging to users in your Google Workspace organization can create device configurations. DO NOT select External unless you want to enable anyone with a valid Google account to create device configurations.
On the app information screen:
2. Create OAuth Client ID
This section is based on Google's own documentation on setting up OAuth 2.0.
Visit the Google Cloud Console Credentials page, click + Create Credentials, and select OAuth client ID.
On the OAuth client ID creation screen:
After creating the OAuth client ID, you will be given a Client ID and a Client Secret. These will be used together with the redirect URI in the next step.
Edit /etc/firezone/firezone.rb to include the options below:
# Using Google as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  google: {
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    client_id: "",
    client_secret: "",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  }
}
Run firezone-ctl reconfigure and then firezone-ctl restart to update the application. You should now see a Sign in with Google button at the root Firezone URL.
Firezone uses its generic OIDC connector to facilitate single sign-on (SSO) with Okta. This tutorial will show you how to obtain the configuration parameters listed below, which are needed for the integration:
This section of the guide is based on Okta's documentation.
In the Admin Console, go to Applications > Applications and click Create App Integration. Set the sign-in method to OIDC - OpenID Connect and the application type to Web Application.
Configure these settings:
Once the settings are saved, you will be given a Client ID, a Client Secret, and an Okta Domain. These 3 values will be used in step 2 to configure Firezone.
Edit /etc/firezone/firezone.rb to include the options below. Your discovery_document_url will be /.well-known/openid-configuration appended to the end of your okta_domain.
# Using Okta as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  okta: {
    discovery_document_uri: "https:// /.well-known/openid-configuration",
    client_id: "",
    client_secret: "",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Okta"
  }
}
Run firezone-ctl reconfigure and then firezone-ctl restart to update the application. You should now see a Sign in with Okta button at the root Firezone URL.
The users who can access the Firezone application can be restricted in Okta. Go to the Assignments page of the Firezone App Integration in the Okta Admin Console to do this.
With its generic OIDC connector, Firezone enables Single Sign-On (SSO) with Azure Active Directory. This manual will show you how to obtain the configuration parameters listed below, which are needed for the integration:
This guide is drawn from the Azure Active Directory documentation.
Go to the Azure Active Directory page of the Azure portal. Select the Manage menu option, select New Registration, and register by providing the information below:
After registering, open the detail view of the application and copy the Application (client) ID. This will be the client_id value. Next, open the endpoints menu to retrieve the OpenID Connect metadata document. This will be the discovery_document_uri value.
Create a new client secret by clicking the Certificates & secrets option under the Manage menu. Copy the client secret; this will be the client_secret value.
Lastly, select the API permissions link under the Manage menu, click Add a permission, and select Microsoft Graph. Add email, openid, offline_access and profile to the required permissions.
Edit /etc/firezone/firezone.rb to include the options below:
# Using Azure Active Directory as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  azure: {
    discovery_document_uri: "https://login.microsoftonline.com/ /v2.0/.well-known/openid-configuration",
    client_id: "",
    client_secret: "",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/azure/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Azure"
  }
}
Run firezone-ctl reconfigure and then firezone-ctl restart to update the application. You should now see a Sign in with Azure button at the root Firezone URL.
Azure AD enables administrators to restrict application access to a specific group of users within your company. More information on how to do this can be found in Microsoft's documentation.
Chef Omnibus is used by Firezone to manage tasks including release packaging, process supervision, log management, and more.
Ruby code makes up the main configuration file, which is located at /etc/firezone/firezone.rb. Running sudo firezone-ctl reconfigure after making changes to this file causes Chef to recognize the changes and apply them to the current operating system.
See the configuration file reference for a complete list of configuration variables and their descriptions.
Your Firezone instance can be managed via the firezone-ctl command, as shown below. Most subcommands require prefixing with sudo.
root@demo:~# firezone-ctl
omnibus-ctl: command (subcommand)
General Commands:
  cleanse
    Delete *all* firezone data, and start from scratch.
  create-or-reset-admin
    Resets the password for the admin with the email specified by default['firezone']['admin_email'] or creates a new admin if that email doesn't exist.
  help
    Print this help message.
  reconfigure
    Reconfigure the application.
  reset-network
    Resets nftables, the WireGuard interface, and the routing table back to Firezone defaults.
  show-config
    Show the configuration that would be generated by reconfigure.
  teardown-network
    Removes the WireGuard interface and the firezone nftables table.
  force-cert-renewal
    Force certificate renewal now even if it hasn't expired.
  stop-cert-renewal
    Removes the cronjob that renews certificates.
  uninstall
    Kill all processes and uninstall the process supervisor (data will be preserved).
  version
    Display current version of Firezone
Service Management Commands:
  graceful-kill
    Attempt a graceful stop, then SIGKILL the entire process group.
  hup
    Send the services a HUP.
  int
    Send the services an INT.
  kill
    Send the services a KILL.
  once
    Start the services if they are down. Do not restart them if they stop.
  restart
    Stop the services if they are running, then start them again.
  service-list
    List all the services (enabled services appear with a *.)
  start
    Start services if they are down, and restart them if they stop.
  status
    Show the status of all the services.
  stop
    Stop the services, and do not restart them.
  tail
    Watch the service logs of all enabled services.
  term
    Send the services a TERM.
  usr1
    Send the services a USR1.
  usr2
    Send the services a USR2.
All VPN sessions must be terminated before upgrading Firezone, which also requires shutting down the Web UI. In case something goes wrong during the upgrade, we advise setting aside an hour for maintenance.
To upgrade Firezone, take the following steps:
If issues arise, please let us know by submitting a support ticket.
There are a few breaking changes and configuration changes in 0.5.0 that must be addressed. Find out more below.
Nginx no longer supports the SSL and non-SSL port parameters as of version 0.5.0. Because Firezone requires SSL to operate, we advise removing the bundled Nginx service by setting default['firezone']['nginx']['enabled'] = false and pointing your reverse proxy to the Phoenix app on port 13000 instead (by default).
0.5.0 introduces support for the ACME protocol for automatically renewing SSL certificates with the bundled Nginx service. To enable it,
The ability to add rules with overlapping destinations is no longer available in Firezone 0.5.0. Our migration script will automatically detect these situations during the upgrade to 0.5.0 and keep only the rules whose destination includes the other rule. There is nothing you need to do if this is acceptable.
Otherwise, before upgrading, we advise changing your ruleset to eliminate these situations.
Firezone 0.5.0 removes support for the old-style Okta and Google SSO in favor of the new, more flexible OIDC-based configuration.
If you have any configuration under the default['firezone']['authentication']['okta'] or default['firezone']['authentication']['google'] keys, you need to migrate these to our OIDC-based configuration using the guide below.
Existing Google OAuth configuration
Remove these lines containing the old Google OAuth configuration from your configuration file located at /etc/firezone/firezone.rb
default['firezone']['authentication']['google']['enabled']
default['firezone']['authentication']['google']['client_id']
default['firezone']['authentication']['google']['client_secret']
default['firezone']['authentication']['google']['redirect_uri']
Then, configure Google as an OIDC provider by following the procedures here.
Existing Okta OAuth configuration
Remove these lines containing the old Okta OAuth configuration from your configuration file located at /etc/firezone/firezone.rb
default['firezone']['authentication']['okta']['enabled']
default['firezone']['authentication']['okta']['client_id']
default['firezone']['authentication']['okta']['client_secret']
default['firezone']['authentication']['okta']['site']
Then, configure Okta as an OIDC provider by following the procedures here.
Depending on your current setup and version, follow the instructions below:
If you already have an OIDC integration:
For some OIDC providers, upgrading to >= 0.3.16 requires obtaining a refresh token for the offline_access scope. Doing so ensures that Firezone stays in sync with the identity provider and that VPN connections are disabled after a user is removed. Earlier versions of Firezone lack this feature. In some cases, users removed from your identity provider may remain connected to the VPN.
It is necessary to include offline_access in the scope parameter of your OIDC configuration for OIDC providers that support the offline_access scope. firezone-ctl reconfigure must be run to apply changes to the Firezone configuration file, located at /etc/firezone/firezone.rb.
For users authenticated by your OIDC provider, you will see an OIDC Connections heading in the user details page of the web UI if Firezone is able to successfully retrieve the refresh token.
If this does not work, you will need to delete your existing OAuth app and repeat the OIDC setup steps to create a new app integration.
I have an existing OAuth integration
Prior to 0.3.11, Firezone used pre-configured OAuth2 providers.
Follow the instructions here to migrate to OIDC.
I have not integrated an identity provider
No action is needed.
You can follow the instructions here to enable SSO through an OIDC provider.
In your configuration, default['firezone']['external_url'] has replaced the default['firezone']['fqdn'] configuration option.
Set this to the URL of your Firezone web portal that is accessible from the public internet. It will default to https:// plus your server's FQDN if left undefined.
The configuration file is located at /etc/firezone/firezone.rb. See the configuration file reference for a complete list of configuration variables and their descriptions.
Firezone no longer stores device private keys on the Firezone server as of version 0.3.0.
The Firezone Web UI will not allow you to re-download or view these configurations, but any existing devices should continue to work as they are.
If you are upgrading from Firezone 0.1.x, there are a few configuration file changes that must be handled manually.
To make the required changes to your /etc/firezone/firezone.rb file, run the commands below as root.
cp /etc/firezone/firezone.rb /etc/firezone/firezone.rb.bak
sed -i "s/\['enable'\]/\['enabled'\]/" /etc/firezone/firezone.rb
echo "default['firezone']['connectivity_checks']['enabled'] = true" >> /etc/firezone/firezone.rb
echo "default['firezone']['connectivity_checks']['interval'] = 3_600" >> /etc/firezone/firezone.rb
firezone-ctl reconfigure
firezone-ctl restart
Checking the Firezone logs is a sensible first step for any problem that may occur.
Run sudo firezone-ctl tail to view the Firezone logs.
Most connectivity problems with Firezone are caused by incompatible iptables or nftables rules. You should make sure that any rules you have in effect do not conflict with the Firezone rules.
If your internet connectivity degrades every time you activate your WireGuard tunnel, make sure your FORWARD chain allows packets from your WireGuard clients to the destinations you want to allow through Firezone.
If you are using ufw, this can be achieved by making sure the default routed policy is allow:
ubuntu@fz:~$ sudo ufw default allow routed
Default routed policy changed to 'allow'
(be sure to update your rules accordingly)
A ufw status for a typical Firezone server could look like this:
ubuntu@fz:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)
We advise restricting access to the web interface for the most sensitive and mission-critical production deployments, as explained below.
Service    | Default Port | Listen Address | Description
Nginx      | 80, 443      | all            | Public HTTP(S) port for administering Firezone and facilitating authentication.
WireGuard  | 51820        | all            | Public WireGuard port used for VPN sessions. (UDP)
Postgresql | 15432        | 127.0.0.1      | Local-only port used for the bundled Postgresql server.
Phoenix    | 13000        | 127.0.0.1      | Local-only port used by the upstream elixir app server.
We advise considering restricting access to the publicly exposed Firezone web UI (by default ports 443/tcp and 80/tcp) and instead using the WireGuard tunnel to manage Firezone for production and public-facing deployments where a single administrator will be responsible for creating and distributing device configurations to end users.
For example, if an administrator has created a device configuration and established a tunnel with the local WireGuard address 10.3.2.2, the following ufw configuration would allow the administrator to reach the Firezone web UI on the server's wg-firezone interface using the default 10.3.2.1 tunnel address:
root@demo:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
Anywhere                   ALLOW IN    10.3.2.2
22/tcp (v6)                ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)
This would leave only 22/tcp exposed for SSH access to manage the server (optional), and 51820/udp exposed for establishing WireGuard tunnels.
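As an added example that is not part of the original page, the Ruby script below parses the text of sudo ufw status verbose (the two constructed listings embedded in it mirror the ones shown above) and reports whether the web UI ports are still open to Anywhere and whether the ports the guide says must stay public are present.

```ruby
# Added example, not part of Firezone or the Hailbytes docs: audit a ufw rule
# listing for a Firezone server. Run with no argument to audit the constructed
# sample, or pass a file containing "ufw status verbose" output.

# Ports the guide leaves public (SSH optional, WireGuard required).
EXPECTED_PUBLIC = ["22/tcp", "51820/udp"].freeze
# Web UI ports the guide recommends reaching only through the tunnel.
WEB_UI_PORTS = ["80/tcp", "443/tcp"].freeze

# Parses the rule table into [{to:, action:, from:}, ...]. Header lines are
# skipped and the "(v6)" suffix is dropped so 80/tcp and 80/tcp (v6) count as
# the same service.
def parse_ufw_rules(text)
  rules = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("To ", "--", "Status", "Logging", "Default", "New profiles")
    # Columns are whitespace separated: "<to> ALLOW IN <from>"
    m = line.match(/\A(.+?)\s+(ALLOW|DENY|REJECT|LIMIT)(?:\s+(IN|OUT))?\s+(.+)\z/)
    next unless m
    rules << { to: m[1].sub(" (v6)", ""), action: m[2], from: m[4].sub(" (v6)", "") }
  end
  rules
end

# Returns :exposed_web_ui (web UI ports open to Anywhere) and :missing
# (expected public ports that have no ALLOW rule from Anywhere).
def audit_ufw(text)
  rules = parse_ufw_rules(text)
  open_to_world = rules.select { |r| r[:action] == "ALLOW" && r[:from] == "Anywhere" }
                       .map { |r| r[:to] }.uniq
  { exposed_web_ui: WEB_UI_PORTS & open_to_world, missing: EXPECTED_PUBLIC - open_to_world }
end

# Constructed sample: the default listing from the guide, web UI exposed.
DEFAULT_UFW = <<~UFW
  Status: active
  Logging: on (low)
  Default: deny (incoming), allow (outgoing), allow (routed)
  New profiles: skip

  To                         Action      From
  --                         ------      ----
  22/tcp                     ALLOW IN    Anywhere
  80/tcp                     ALLOW IN    Anywhere
  443/tcp                    ALLOW IN    Anywhere
  51820/udp                  ALLOW IN    Anywhere
  22/tcp (v6)                ALLOW IN    Anywhere (v6)
  80/tcp (v6)                ALLOW IN    Anywhere (v6)
  443/tcp (v6)               ALLOW IN    Anywhere (v6)
  51820/udp (v6)             ALLOW IN    Anywhere (v6)
UFW

# Constructed sample: the hardened listing, web UI reachable only from the
# administrator's tunnel address 10.3.2.2.
HARDENED_UFW = <<~UFW
  Status: active
  Default: deny (incoming), allow (outgoing), allow (routed)

  To                         Action      From
  --                         ------      ----
  22/tcp                     ALLOW IN    Anywhere
  51820/udp                  ALLOW IN    Anywhere
  Anywhere                   ALLOW IN    10.3.2.2
  22/tcp (v6)                ALLOW IN    Anywhere (v6)
  51820/udp (v6)             ALLOW IN    Anywhere (v6)
UFW

if __FILE__ == $PROGRAM_NAME
  input = ARGV[0] ? File.read(ARGV[0]) : DEFAULT_UFW
  p audit_ufw(input)
end
```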
Firezone bundles a Postgresql server and a matching psql utility that can be used from the local shell like so:
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SQL_STATEMENT"
This can be helpful for debugging purposes.
Common tasks:
Listing all users:
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SELECT * FROM users;"
Listing all devices:
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SELECT * FROM devices;"
Changing a user's role:
Set the role to 'admin' or 'unprivileged':
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "UPDATE users SET role = 'admin' WHERE email = 'user@example.com';"
Backing up the database:
Additionally, the pg_dump program is included, which can be used to take regular backups of the database. Run the following command to dump a copy of the database in the common SQL query format (replace /path/to/backup.sql with the location where the SQL file should be created):
/opt/firezone/embedded/bin/pg_dump \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 > /path/to/backup.sql
After Firezone has been successfully deployed, you must add users to give them access to your network. The Web UI is used to do this.
By selecting the "Add User" button under /users, you can add a user. You will need to provide the user with an email address and a password. To automatically allow access to users in your organization, Firezone can also interface and sync with an identity provider. More details are available in Authenticate.
We advise asking users to create their own device configurations so that the private key is visible only to them. Users can generate their own device configuration by following the directions on the Client Instructions page.
All user device configurations can be created by Firezone administrators. On the user profile page located at /users, select the "Add Device" option to do this.
You can email the user the WireGuard configuration file after creating the device profile.
Users and devices are linked. For more details on how to add a user, see Add Users.
Through the kernel netfilter system, Firezone provides egress filtering capabilities to specify whether packets are DROPped or ACCEPTed. All traffic is normally permitted.
IPv4 and IPv6 CIDRs and addresses are supported by the Allowlist and Denylist, respectively. You can choose to scope a rule to a user when adding it, which applies the rule to all of that user's devices.
Install and configure
To establish a VPN connection using the native WireGuard client, see this guide.
The official WireGuard clients available here are compatible with Firezone:
Visit the official WireGuard website at https://www.wireguard.com/install/ for operating systems not mentioned above.
Your Firezone administrator or you yourself can generate a device configuration file using the Firezone portal.
Visit the URL your Firezone administrator provided to generate a device configuration file for yourself. Your firm will have a unique URL for this; in this case, it is https://instance-id.yourfirezone.com.
Sign in to Firezone with Okta SSO
Import the .conf file into the WireGuard client by opening it. By toggling the Activate switch, you can start a VPN session.
Follow the instructions below if your network administrator has mandated recurring authentication to keep your VPN connection active.
You need:
The Firezone portal URL: Ask your network administrator for the link.
Your network administrator should be able to provide you with your login and password. The Firezone site will prompt you to sign in using the single sign-on service your employer uses (such as Google or Okta).
Go to the Firezone portal URL and sign in using the credentials provided by your network administrator. If you are already signed in, click the Re-authenticate button before signing in again.
To import a WireGuard configuration profile using the Network Manager CLI (nmcli) on Linux devices, follow these instructions.
If the profile has IPv6 support enabled, attempting to import the configuration file using the Network Manager GUI may fail with the following error:
ipv6.method: method "auto" is not supported for WireGuard
It is necessary to install the WireGuard userspace tools. This will be a package called wireguard or wireguard-tools, depending on the Linux distribution.
For Ubuntu/Debian:
sudo apt install wireguard
For Fedora:
sudo dnf install wireguard-tools
Arch Linux:
sudo pacman -S wireguard-tools
Visit the official WireGuard website at https://www.wireguard.com/install/ for distributions not mentioned above.
Your Firezone administrator or you yourself can generate a device configuration file using the Firezone portal.
Visit the URL your Firezone administrator provided to generate a device configuration file for yourself. Your firm will have a unique URL for this; in this case, it is https://instance-id.yourfirezone.com.
Import the provided configuration file using nmcli:
sudo nmcli connection import type wireguard file /path/to/configuration.conf
The configuration file name will correspond to the WireGuard connection/interface name. After importing, the connection can be renamed if necessary:
nmcli connection modify [old name] connection.id [new name]
From the command line, connect to the VPN like so:
nmcli connection up [vpn name]
To disconnect:
nmcli connection down [vpn name]
The applicable network manager applet can also be used to manage the connection if you are using a GUI.
By setting the autoconnect option to "yes", the VPN connection can be configured to connect automatically:
nmcli connection modify [vpn name] connection.autoconnect yes
To disable autoconnect, set it back to no:
nmcli connection modify [vpn name] connection.autoconnect no
To enable MFA, go to the Firezone portal's /user_account/register_mfa page. Use your authenticator app to scan the QR code after it is generated, then enter the six-digit code.
Contact your administrator to reset your account's access information if you misplace your authenticator app.
This tutorial will walk you through setting up WireGuard's split tunneling feature with Firezone so that only traffic to specific IP ranges is forwarded through the VPN server.
The IP ranges the client will forward its network traffic to are set in the Allowed IPs field located on the /settings/default page. Only new WireGuard configurations generated by Firezone are affected by changes to this field.
The default value is 0.0.0.0/0, ::/0, which routes all network traffic from the client to the VPN server.
Example values for this field include:
0.0.0.0/0, ::/0 - all network traffic will be routed to the VPN server.
192.0.2.3/32 - only traffic to a single IP address will be routed to the VPN server.
3.5.140.0/22 - only traffic to IPs in the range 3.5.140.1 - 3.5.143.254 will be routed to the VPN server. In this example, the CIDR range of the AWS ap-northeast-2 region is used.
When determining where to route a packet, Firezone selects the egress interface associated with the most specific route first.
Users must regenerate their configuration files and add them to their native WireGuard client to update existing user devices with the new split tunnel configuration.
For instructions, see Add Device.
This manual will demonstrate how to link two devices using Firezone as a relay. One typical use case is to enable an administrator to access a server, container, or machine that is protected by a NAT or firewall.
This illustration shows a straightforward scenario in which Devices A and B build a tunnel.
Start by creating Device A and Device B by navigating to /users/[user_id]/new_device. In the settings for each device, make sure the following parameters are set to the values listed below. You can set device settings when creating the device configuration (see Add Devices). If you need to update settings on an existing device, you can do so by generating a new device configuration.
Note that all devices have a /settings/defaults page where PersistentKeepalive can be configured.
AllowedIPs = 10.3.2.2/32
This is the IP or range of IPs of Device B.
PersistentKeepalive = 25
If the device is behind a NAT, this ensures the device is able to keep the tunnel alive and continue receiving packets from the WireGuard interface. Usually a value of 25 is sufficient, but you may need to decrease this value depending on your environment.
AllowedIPs = 10.3.2.3/32
This is the IP or range of IPs of Device A.
PersistentKeepalive = 25
This example demonstrates a scenario in which Device A can communicate with Devices B through D in both directions. This setup could represent an engineer or administrator accessing numerous resources (servers, containers, or machines) across various networks.
[Umdwebo Wezakhiwo]<<<<<<<<<<<<<<<<<<<<<<
Qiniseka ukuthi izilungiselelo ezilandelayo zenziwe kuzilungiselelo zedivayisi ngayinye ukuya kumanani ahambisanayo. Uma udala ukucushwa kwedivayisi, ungacacisa izilungiselelo zedivayisi (bona okuthi Engeza Amadivayisi). Ukulungiselelwa kwedivayisi entsha kungadalwa uma izilungiselelo kudivayisi ekhona zidinga ukubuyekezwa.
AllowedIPs = 10.3.2.3/32, 10.3.2.4/32, 10.3.2.5/32
Lena i-IP yamadivayisi B ukuya ku-D. Ama-IP Wamadivayisi B ukuya ku-D kufanele afakwe kunoma yibuphi ububanzi be-IP okhetha ukubusetha.
PersistentKeepalive = 25
Lokhu kuqinisekisa ukuthi idivayisi ingakwazi ukunakekela umhubhe futhi iqhubeke nokuthola amaphakethe avela kusixhumi esibonakalayo se-WireGuard ngisho noma ivikelwe i-NAT. Ezimweni eziningi, inani elingu-25 lanele, kodwa kuye ngendawo ekuzungezile, kungase kudingeke wehlise lesi sibalo.
To provide a single, static egress IP from which all of your team's traffic exits, Firezone can be used as a NAT gateway. Common uses include:
Consulting engagements: ask your client to allowlist a single static IP address instead of each employee's individual IP.
Using a proxy or masking your source IP for security or privacy reasons.
This guide shows a simple example of restricting access to a self-hosted web application to a single static IP allowlisted via Firezone. In this example, Firezone and the protected resource are in different VPCs.
This approach is often used instead of maintaining an IP allowlist for many end users, which becomes time-consuming as the access list grows.
Our goal is to set up a Firezone server on an EC2 instance that redirects VPN traffic to the restricted resource. In this example, Firezone acts as a network proxy or NAT gateway, giving every connected device the same single public egress IP.
Here, an EC2 instance of type tc2.micro has Firezone deployed on it. For information on deploying Firezone, see the Deployment Guide. On the AWS side, make sure that:
The security group of the Firezone EC2 instance allows outbound traffic to the IP address of the protected resource.
The Firezone instance has an Elastic IP attached. Traffic forwarded through the Firezone instance to external destinations will carry this as its source IP address. In this example, that address is 52.202.88.54.
[Insert screenshot]
In this scenario, a self-hosted web application is the protected resource. The web application accepts requests only from the IP address 52.202.88.54. Depending on the resource, inbound traffic may need to be allowed on various ports and for various traffic types; that is not covered in this guide.
[Insert screenshot]
Tell the third party managing the protected resource that traffic from the static IP defined in Step 1 (in this case 52.202.88.54) should be allowed.
By default, all user traffic passes through the VPN server and originates from the static IP configured in Step 1 (in this case 52.202.88.54). If split tunneling is enabled, however, you may need to adjust the configuration to make sure the IP of the protected resource is included in the AllowedIPs.
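The three sections above (split tunneling, reverse tunnels, and the NAT gateway) all come down to the same question: is a given destination inside AllowedIPs, and which route wins when several match? The following Ruby script is an added example written for this page, not code from Firezone or from its documentation. It uses only the standard library; the device addresses 10.3.2.2 and 10.3.2.3 are the ones used above, while the routing table, the behind_nat flags, and the resource address 203.0.113.10 are constructed for the demonstration.

```ruby
# Added example, not Firezone's or this guide's own code. It encodes the
# AllowedIPs rules from the sections above using only Ruby's standard library:
# which destinations enter the tunnel, why the most specific route wins, and
# whether a reverse-tunnel pair and a NAT-gateway allowlist are consistent.
require "ipaddr"

# Parse a WireGuard AllowedIPs value such as "0.0.0.0/0, ::/0".
def parse_allowed_ips(value)
  value.split(",").map(&:strip).reject(&:empty?).map { |cidr| IPAddr.new(cidr) }
end

# True when dst falls inside one of the networks, i.e. WireGuard installs a
# route for it via the tunnel interface.
def in_allowed_ips?(dst, networks)
  ip = IPAddr.new(dst)
  networks.any? { |net| net.family == ip.family && net.include?(ip) }
end

# Longest-prefix match over { interface => [networks] }. Returns the interface
# whose most specific route covers dst, or nil if none does. This is the
# kernel's rule, and the reason a /24 LAN route beats the tunnel's 0.0.0.0/0.
def select_interface(dst, routes)
  ip = IPAddr.new(dst)
  best = nil
  routes.each do |iface, nets|
    nets.each do |net|
      next unless net.family == ip.family && net.include?(ip)
      best = [net.prefix, iface] if best.nil? || net.prefix > best[0]
    end
  end
  best && best[1]
end

# Reverse tunnel consistency: each device's AllowedIPs must cover the other
# device's tunnel address, and a device behind NAT needs PersistentKeepalive > 0.
# Device hashes carry :name, :address, :allowed_ips, :persistent_keepalive and
# :behind_nat (the last is an assumption about the deployment, not a WireGuard
# setting). Returns the list of problems found.
def check_reverse_tunnel(dev_a, dev_b)
  problems = []
  [[dev_a, dev_b], [dev_b, dev_a]].each do |me, peer|
    unless in_allowed_ips?(peer[:address], parse_allowed_ips(me[:allowed_ips]))
      problems << "#{me[:name]}: AllowedIPs #{me[:allowed_ips]} does not cover #{peer[:name]} (#{peer[:address]})"
    end
    if me[:behind_nat] && me[:persistent_keepalive].to_i <= 0
      problems << "#{me[:name]}: behind NAT but PersistentKeepalive is 0"
    end
  end
  problems
end

# NAT gateway use case: with split tunneling on, the protected resource must
# sit inside AllowedIPs or its requests never leave via the static egress IP.
def resource_via_gateway?(resource_ip, allowed_ips)
  in_allowed_ips?(resource_ip, parse_allowed_ips(allowed_ips))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: full-tunnel config plus a local LAN route.
  routes = {
    "wg-firezone" => parse_allowed_ips("0.0.0.0/0, ::/0"),
    "eth0"        => parse_allowed_ips("192.168.1.0/24"),
  }
  puts "192.168.1.5 -> #{select_interface('192.168.1.5', routes)}"   # eth0 (more specific)
  puts "8.8.8.8     -> #{select_interface('8.8.8.8', routes)}"       # wg-firezone
  a = { name: "Device A", address: "10.3.2.3", allowed_ips: "10.3.2.2/32", persistent_keepalive: 25, behind_nat: true }
  b = { name: "Device B", address: "10.3.2.2", allowed_ips: "10.3.2.3/32", persistent_keepalive: 25, behind_nat: true }
  puts "reverse tunnel problems: #{check_reverse_tunnel(a, b).inspect}"   # []
  # 203.0.113.10 is a constructed resource address (TEST-NET-3), not from the guide.
  puts "resource reachable with 3.5.140.0/22 only? #{resource_via_gateway?('203.0.113.10', '3.5.140.0/22')}"   # false
end
```

Run it as a script to see the sample output, or require it and call the functions against your own device configurations. The behind_nat flag exists only so the check can insist on a keepalive where one is needed; WireGuard itself has no such setting, which is exactly why a device behind NAT silently stops receiving packets when PersistentKeepalive is left at 0.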
Shown below is the complete list of configuration options available in /etc/firezone/firezone.rb.
| option | description | default value |
|---|---|---|
| default['firezone']['external_url'] | The URL used to access the web portal of this Firezone instance. | "https://#{node['fqdn'] \|\| node['hostname']}" |
| default['firezone']['config_directory'] | Top-level directory for Firezone configuration. | '/etc/firezone' |
| default['firezone']['install_directory'] | Top-level directory to install Firezone into. | '/opt/firezone' |
| default['firezone']['app_directory'] | Top-level directory to install the Firezone web application into. | "#{node['firezone']['install_directory']}/embedded/service/firezone" |
| default['firezone']['log_directory'] | Top-level directory for Firezone logs. | '/var/log/firezone' |
| default['firezone']['var_directory'] | Top-level directory for Firezone runtime files. | '/var/opt/firezone' |
| default['firezone']['user'] | Name of the unprivileged Linux user that most services and files will belong to. | 'firezone' |
| default['firezone']['group'] | Name of the Linux group that most services and files will belong to. | 'firezone' |
| default['firezone']['admin_email'] | Email address for the initial Firezone user. | "firezone@localhost" |
| default['firezone']['max_devices_per_user'] | Maximum number of devices a user can have. | 10 |
| default['firezone']['allow_unprivileged_device_management'] | Allows non-admin users to create and delete devices. | true |
| default['firezone']['allow_unprivileged_device_configuration'] | Allows non-admin users to modify device configuration. When disabled, unprivileged users cannot change any device field except name and description. | true |
| default['firezone']['egress_interface'] | Name of the interface that tunneled traffic will exit through. If nil, the default route interface is used. | nil |
| default['firezone']['fips_enabled'] | Enable or disable OpenSSL FIPS mode. | nil |
| default['firezone']['logging']['enabled'] | Enable or disable logging across Firezone. Set to false to disable logging entirely. | true |
| default['enterprise']['name'] | Name used by the Chef 'enterprise' cookbook. | 'firezone' |
| default['firezone']['install_path'] | Install path used by the Chef 'enterprise' cookbook. Should be set to the same value as install_directory above. | node['firezone']['install_directory'] |
| default['firezone']['sysvinit_id'] | Identifier used in /etc/inittab. Must be a unique sequence of 1-4 characters. | 'SUP' |
| default['firezone']['authentication']['local']['enabled'] | Enable or disable local email/password authentication. | true |
| default['firezone']['authentication']['auto_create_oidc_users'] | Automatically create users who sign in via OIDC for the first time. Disable to allow only existing users to sign in via OIDC. | true |
| default['firezone']['authentication']['disable_vpn_on_oidc_error'] | Disable a user's VPN if an error is encountered while trying to refresh their OIDC token. | false |
| default['firezone']['authentication']['oidc'] | OpenID Connect configuration, in the format {"provider" => [config...]} - see the OpenIDConnect documentation for config examples. | {} |
| default['firezone']['nginx']['enabled'] | Enable or disable the bundled nginx server. | true |
| default['firezone']['nginx']['ssl_port'] | HTTPS listen port. | 443 |
| default['firezone']['nginx']['directory'] | Directory for storing Firezone-related nginx virtual host configuration. | "#{node['firezone']['var_directory']}/nginx/etc" |
| default['firezone']['nginx']['log_directory'] | Directory for storing Firezone-related nginx log files. | "#{node['firezone']['log_directory']}/nginx" |
| default['firezone']['nginx']['log_rotation']['file_maxbytes'] | File size at which nginx log files are rotated. | 104857600 |
| default['firezone']['nginx']['log_rotation']['num_to_keep'] | Number of Firezone nginx log files to keep before discarding. | 10 |
| default['firezone']['nginx']['log_x_forwarded_for'] | Whether to log the x-forwarded-for header in the Firezone nginx log. | true |
| default['firezone']['nginx']['hsts_header']['enabled'] | Enable or disable the HSTS header. | true |
| default['firezone']['nginx']['hsts_header']['include_subdomains'] | Enable or disable includeSubDomains for the HSTS header. | true |
| default['firezone']['nginx']['hsts_header']['max_age'] | Max age for the HSTS header. | 31536000 |
| default['firezone']['nginx']['redirect_to_canonical'] | Whether to redirect URLs to the canonical FQDN specified above. | false |
| default['firezone']['nginx']['cache']['enabled'] | Enable or disable the Firezone nginx cache. | false |
| default['firezone']['nginx']['cache']['directory'] | Directory for the Firezone nginx cache. | "#{node['firezone']['var_directory']}/nginx/cache" |
| default['firezone']['nginx']['user'] | Firezone nginx user. | node['firezone']['user'] |
| default['firezone']['nginx']['group'] | Firezone nginx group. | node['firezone']['group'] |
| default['firezone']['nginx']['dir'] | Top-level nginx configuration directory. | node['firezone']['nginx']['directory'] |
| default['firezone']['nginx']['log_dir'] | Top-level nginx log directory. | node['firezone']['nginx']['log_directory'] |
| default['firezone']['nginx']['pid'] | Location of the nginx pid file. | "#{node['firezone']['nginx']['directory']}/nginx.pid" |
| default['firezone']['nginx']['daemon_disable'] | Disable nginx daemon mode so that the process can be supervised instead. | true |
| default['firezone']['nginx']['gzip'] | Turn nginx gzip compression on or off. | 'on' |
| default['firezone']['nginx']['gzip_static'] | Turn nginx gzip compression on or off for static files. | 'off' |
| default['firezone']['nginx']['gzip_http_version'] | HTTP version to use for serving static files. | '1.0' |
| default['firezone']['nginx']['gzip_comp_level'] | nginx gzip compression level. | '2' |
| default['firezone']['nginx']['gzip_proxied'] | Enables or disables gzipping of responses to proxied requests depending on the request and response. | 'any' |
| default['firezone']['nginx']['gzip_vary'] | Enables or disables inserting the "Vary: Accept-Encoding" response header. | 'off' |
| default['firezone']['nginx']['gzip_buffers'] | Sets the number and size of buffers used to compress a response. If nil, the nginx default is used. | nil |
| default['firezone']['nginx']['gzip_types'] | MIME types to enable gzip compression for. | ['text/plain', 'text/css', 'application/x-javascript', 'text/xml', 'application/xml', 'application/rss+xml', 'application/atom+xml', 'text/javascript', 'application/javascript', 'application/json'] |
| default['firezone']['nginx']['gzip_min_length'] | Minimum file length for which gzip compression is enabled. | 1000 |
| default['firezone']['nginx']['gzip_disable'] | User-agent matcher for which gzip compression is disabled. | 'MSIE [1-6]\.' |
| default['firezone']['nginx']['keepalive'] | Enables the cache for connections to upstream servers. | 'on' |
| default['firezone']['nginx']['keepalive_timeout'] | Timeout in seconds for keepalive connections to upstream servers. | 65 |
| default['firezone']['nginx']['worker_processes'] | Number of nginx worker processes. | node['cpu'] && node['cpu']['total'] ? node['cpu']['total'] : 1 |
| default['firezone']['nginx']['worker_connections'] | Maximum number of simultaneous connections a worker process may open. | 1024 |
| default['firezone']['nginx']['worker_rlimit_nofile'] | Changes the limit on the maximum number of open files for worker processes. Uses the nginx default if nil. | nil |
| default['firezone']['nginx']['multi_accept'] | Whether workers should accept one connection at a time or several. | true |
| default['firezone']['nginx']['event'] | Specifies the connection processing method used within the nginx events context. | 'epoll' |
| default['firezone']['nginx']['server_tokens'] | Enables or disables emitting the nginx version on error pages and in the "Server" response header field. | nil |
| default['firezone']['nginx']['server_names_hash_bucket_size'] | Sets the bucket size for the server names hash tables. | 64 |
| default['firezone']['nginx']['sendfile'] | Enables or disables the use of nginx sendfile(). | 'on' |
| default['firezone']['nginx']['access_log_options'] | Sets nginx access log options. | nil |
| default['firezone']['nginx']['error_log_options'] | Sets nginx error log options. | nil |
| default['firezone']['nginx']['disable_access_log'] | Disables the nginx access log. | false |
| default['firezone']['nginx']['types_hash_max_size'] | nginx types hash max size. | 2048 |
| default['firezone']['nginx']['types_hash_bucket_size'] | nginx types hash bucket size. | 64 |
| default['firezone']['nginx']['proxy_read_timeout'] | nginx proxy read timeout. Set to nil to use the nginx default. | nil |
| default['firezone']['nginx']['client_body_buffer_size'] | nginx client body buffer size. Set to nil to use the nginx default. | nil |
| default['firezone']['nginx']['client_max_body_size'] | nginx client max body size. | '250m' |
| default['firezone']['nginx']['default']['modules'] | Specify additional nginx modules. | [] |
| default['firezone']['nginx']['enable_rate_limiting'] | Enable or disable nginx rate limiting. | true |
| default['firezone']['nginx']['rate_limiting_zone_name'] | nginx rate limiting zone name. | 'firezone' |
| default['firezone']['nginx']['rate_limiting_backoff'] | nginx rate limiting backoff. | '10m' |
| default['firezone']['nginx']['rate_limit'] | nginx rate limit. | '10r/s' |
| default['firezone']['nginx']['ipv6'] | Allow nginx to listen for HTTP requests on IPv6 in addition to IPv4. | true |
| default['firezone']['postgresql']['enabled'] | Enable or disable the bundled PostgreSQL. Set to false and fill in the database options below to use your own PostgreSQL instance. | true |
| default['firezone']['postgresql']['username'] | PostgreSQL username. | node['firezone']['user'] |
| default['firezone']['postgresql']['data_directory'] | PostgreSQL data directory. | "#{node['firezone']['var_directory']}/postgresql/13.3/data" |
| default['firezone']['postgresql']['log_directory'] | PostgreSQL log directory. | "#{node['firezone']['log_directory']}/postgresql" |
| default['firezone']['postgresql']['log_rotation']['file_maxbytes'] | Maximum size of a PostgreSQL log file before it is rotated. | 104857600 |
| default['firezone']['postgresql']['log_rotation']['num_to_keep'] | Number of PostgreSQL log files to keep. | 10 |
| default['firezone']['postgresql']['checkpoint_completion_target'] | PostgreSQL checkpoint completion target. | 0.5 |
| default['firezone']['postgresql']['checkpoint_segments'] | Number of PostgreSQL checkpoint segments. | 3 |
| default['firezone']['postgresql']['checkpoint_timeout'] | PostgreSQL checkpoint timeout. | '5min' |
| default['firezone']['postgresql']['checkpoint_warning'] | PostgreSQL checkpoint warning time in seconds. | '30s' |
| default['firezone']['postgresql']['effective_cache_size'] | PostgreSQL effective cache size. | '128MB' |
| default['firezone']['postgresql']['listen_address'] | PostgreSQL listen address. | '127.0.0.1' |
| default['firezone']['postgresql']['max_connections'] | PostgreSQL max connections. | 350 |
| default['firezone']['postgresql']['md5_auth_cidr_addresses'] | PostgreSQL CIDRs to allow md5 auth from. | ['127.0.0.1/32', '::1/128'] |
| default['firezone']['postgresql']['port'] | PostgreSQL listen port. | 15432 |
| default['firezone']['postgresql']['shared_buffers'] | PostgreSQL shared buffers size. | "#{(node['memory']['total'].to_i / 4) / 1024}MB" |
| default['firezone']['postgresql']['shmmax'] | PostgreSQL shmmax in bytes. | 17179869184 |
| default['firezone']['postgresql']['shmall'] | PostgreSQL shmall in bytes. | 4194304 |
| default['firezone']['postgresql']['work_mem'] | PostgreSQL working memory size. | '8MB' |
| default['firezone']['database']['user'] | Specifies the username Firezone uses to connect to the DB. | node['firezone']['postgresql']['username'] |
| default['firezone']['database']['password'] | When using an external DB, specifies the password Firezone uses to connect to the DB. | 'change_me' |
| default['firezone']['database']['name'] | Database that Firezone will use. Created if it does not exist. | 'firezone' |
| default['firezone']['database']['host'] | Database host that Firezone connects to. | node['firezone']['postgresql']['listen_address'] |
| default['firezone']['database']['port'] | Database port that Firezone connects to. | node['firezone']['postgresql']['port'] |
| default['firezone']['database']['pool'] | Database pool size Firezone will use. | [10, Etc.nprocessors].max |
| default['firezone']['database']['ssl'] | Whether to connect to the database over SSL. | false |
| default['firezone']['database']['ssl_opts'] | | {} |
| default['firezone']['database']['parameters'] | | {} |
| default['firezone']['database']['extensions'] | Database extensions to enable. | { 'plpgsql' => true, 'pg_trgm' => true } |
| default['firezone']['phoenix']['enabled'] | Enable or disable the Firezone web application. | true |
| default['firezone']['phoenix']['listen_address'] | Firezone web application listen address. This is the upstream address that nginx proxies to. | '127.0.0.1' |
| default['firezone']['phoenix']['port'] | Firezone web application listen port. This is the upstream port that nginx proxies to. | 13000 |
| default['firezone']['phoenix']['log_directory'] | Firezone web application log directory. | "#{node['firezone']['log_directory']}/phoenix" |
| default['firezone']['phoenix']['log_rotation']['file_maxbytes'] | Firezone web application log file size. | 104857600 |
| default['firezone']['phoenix']['log_rotation']['num_to_keep'] | Number of Firezone web application log files to keep. | 10 |
| default['firezone']['phoenix']['crash_detection']['enabled'] | Enable or disable bringing down the Firezone web application when a crash is detected. | true |
| default['firezone']['phoenix']['external_trusted_proxies'] | List of trusted reverse proxies, formatted as an array of IPs and/or CIDRs. | [] |
| default['firezone']['phoenix']['private_clients'] | List of private-network HTTP clients, formatted as an array of IPs and/or CIDRs. | [] |
| default['firezone']['wireguard']['enabled'] | Enable or disable the bundled WireGuard management. | true |
| default['firezone']['wireguard']['log_directory'] | Log directory for the bundled WireGuard management. | "#{node['firezone']['log_directory']}/wireguard" |
| default['firezone']['wireguard']['log_rotation']['file_maxbytes'] | Maximum WireGuard log file size. | 104857600 |
| default['firezone']['wireguard']['log_rotation']['num_to_keep'] | Number of WireGuard log files to keep. | 10 |
| default['firezone']['wireguard']['interface_name'] | WireGuard interface name. Changing this parameter may cause a temporary loss of VPN connectivity. | 'wg-firezone' |
| default['firezone']['wireguard']['port'] | WireGuard listen port. | 51820 |
| default['firezone']['wireguard']['mtu'] | WireGuard interface MTU for this server and for generated device configurations. | 1280 |
| default['firezone']['wireguard']['endpoint'] | WireGuard Endpoint used when generating device configurations. If nil, defaults to the server's public IP address. | nil |
| default['firezone']['wireguard']['dns'] | WireGuard DNS to use for generated device configurations. | '1.1.1.1, 1.0.0.1' |
| default['firezone']['wireguard']['allowed_ips'] | WireGuard AllowedIPs to use for generated device configurations. | '0.0.0.0/0, ::/0' |
| default['firezone']['wireguard']['persistent_keepalive'] | Default PersistentKeepalive setting for generated device configurations. A value of 0 disables it. | 0 |
| default['firezone']['wireguard']['ipv4']['enabled'] | Enable or disable IPv4 on the WireGuard network. | true |
| default['firezone']['wireguard']['ipv4']['masquerade'] | Enable or disable masquerading for packets leaving the IPv4 tunnel. | true |
| default['firezone']['wireguard']['ipv4']['network'] | WireGuard network IPv4 address pool. | '10.3.2.0/24' |
| default['firezone']['wireguard']['ipv4']['address'] | WireGuard interface IPv4 address. Must be within the WireGuard address pool. | '10.3.2.1' |
| default['firezone']['wireguard']['ipv6']['enabled'] | Enable or disable IPv6 on the WireGuard network. | true |
| default['firezone']['wireguard']['ipv6']['masquerade'] | Enable or disable masquerading for packets leaving the IPv6 tunnel. | true |
| default['firezone']['wireguard']['ipv6']['network'] | WireGuard network IPv6 address pool. | 'fd00::3:2:0/120' |
| default['firezone']['wireguard']['ipv6']['address'] | WireGuard interface IPv6 address. Must be within the IPv6 address pool. | 'fd00::3:2:1' |
| default['firezone']['runit']['svlogd_bin'] | Runit svlogd binary location. | "#{node['firezone']['install_directory']}/embedded/bin/svlogd" |
| default['firezone']['ssl']['directory'] | SSL directory for storing generated certificates. | '/var/opt/firezone/ssl' |
| default['firezone']['ssl']['email_address'] | Email address used for self-signed certificates and ACME protocol renewal notices. | 'you@example.com' |
| default['firezone']['ssl']['acme']['enabled'] | Enable ACME for automatic SSL certificate provisioning. Disable this to prevent nginx from listening on port 80. See here for more instructions. | false |
| default['firezone']['ssl']['acme']['server'] | | letsencrypt |
| default['firezone']['ssl']['acme']['keylength'] | Specify the key type and length for SSL certificates. See here. | ec-256 |
| default['firezone']['ssl']['certificate'] | Path to the certificate file for your FQDN. Overrides the ACME setting above if specified. If both ACME and this are nil, a self-signed certificate is generated. | nil |
| default['firezone']['ssl']['certificate_key'] | Path to the certificate key file. | nil |
| default['firezone']['ssl']['ssl_dhparam'] | nginx ssl dh_param. | nil |
| default['firezone']['ssl']['country_name'] | Country name for the self-signed certificate. | 'US' |
| default['firezone']['ssl']['state_name'] | State name for the self-signed certificate. | 'CA' |
| default['firezone']['ssl']['locality_name'] | Locality name for the self-signed certificate. | 'San Francisco' |
| default['firezone']['ssl']['company_name'] | Company name for the self-signed certificate. | 'My Company' |
| default['firezone']['ssl']['organizational_unit_name'] | Organizational unit name for the self-signed certificate. | 'Operations' |
| default['firezone']['ssl']['ciphers'] | SSL ciphers for nginx to use. | 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA' |
| default['firezone']['ssl']['fips_ciphers'] | SSL ciphers for FIPS mode. | 'FIPS@STRENGTH:!aNULL:!eNULL' |
| default['firezone']['ssl']['protocols'] | TLS protocols to use. | 'TLSv1 TLSv1.1 TLSv1.2' |
| default['firezone']['ssl']['session_cache'] | SSL session cache. | 'shared:SSL:4m' |
| default['firezone']['ssl']['session_timeout'] | SSL session timeout. | '5m' |
| default['firezone']['robots_allow'] | nginx robots allow. | '/' |
| default['firezone']['robots_disallow'] | nginx robots disallow. | nil |
| default['firezone']['outbound_email']['from'] | Outbound email from address. | nil |
| default['firezone']['outbound_email']['provider'] | Outbound email service provider. | nil |
| default['firezone']['outbound_email']['configs'] | Outbound email provider configurations. | see omnibus/cookbooks/firezone/attributes/default.rb |
| default['firezone']['telemetry']['enabled'] | Enable or disable anonymized product telemetry. | true |
| default['firezone']['connectivity_checks']['enabled'] | Enable or disable the Firezone connectivity check service. | true |
| default['firezone']['connectivity_checks']['interval'] | Interval between connectivity checks in seconds. | 3_600 |
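Several of the defaults in the table above are fine for a first boot but not for production: the TLS protocol list still admits TLS 1.0 and 1.1, the database password is a placeholder, nginx discloses its version, non-admins may edit their own AllowedIPs, and a user whose OIDC token can no longer be refreshed keeps VPN access. The Ruby script below is an added example written for this page, not part of Firezone or its omnibus cookbook: it audits a firezone.rb-style settings tree for those weak values and produces a hardened copy. The attribute names are Firezone's own; the audit rules, the WEAK_SETTINGS sample (built from the table's defaults plus a placeholder OIDC provider entry), and the generated database password are this example's assumptions.

```ruby
# Added example, not Firezone's own code: audit a firezone.rb-style settings
# tree against the defaults in the table above and produce a hardened copy.
# Attribute names are Firezone's; the rules and the sample are this page's.
require "securerandom"

# Constructed sample: the table's defaults for the settings the audit covers,
# plus one OIDC provider entry so the OIDC-related rules apply (the client id
# is a placeholder, not a real credential).
WEAK_SETTINGS = {
  "firezone" => {
    "allow_unprivileged_device_configuration" => true,
    "ssl" => { "protocols" => "TLSv1 TLSv1.1 TLSv1.2" },
    "database" => { "password" => "change_me" },
    "nginx" => { "server_tokens" => nil },
    "authentication" => {
      "local" => { "enabled" => true },
      "disable_vpn_on_oidc_error" => false,
      "oidc" => { "okta" => { "client_id" => "placeholder" } },
    },
  },
}.freeze

DEPRECATED_TLS = %w[TLSv1 TLSv1.1].freeze

# Returns a list of findings (strings); an empty list means nothing was flagged.
def audit_firezone_settings(settings)
  fz = settings.fetch("firezone", {})
  findings = []

  protocols = fz.dig("ssl", "protocols").to_s.split
  if protocols.any? { |p| DEPRECATED_TLS.include?(p) }
    findings << "ssl.protocols enables deprecated TLS 1.0/1.1: #{protocols.join(' ')}"
  end

  if fz.dig("database", "password") == "change_me"
    findings << "database.password is still the placeholder 'change_me'"
  end

  oidc_configured = !fz.dig("authentication", "oidc").to_h.empty?
  if oidc_configured && fz.dig("authentication", "local", "enabled")
    findings << "authentication.local.enabled is true although an OIDC provider is configured"
  end
  if oidc_configured && !fz.dig("authentication", "disable_vpn_on_oidc_error")
    findings << "disable_vpn_on_oidc_error is false: a user whose OIDC token refresh fails keeps VPN access"
  end

  if fz["allow_unprivileged_device_configuration"]
    findings << "allow_unprivileged_device_configuration lets non-admins change AllowedIPs and other device fields"
  end

  unless fz.dig("nginx", "server_tokens") == "off"
    findings << "nginx.server_tokens is not 'off': the nginx version is disclosed in headers and error pages"
  end

  findings
end

# Returns a deep copy of settings with the flagged values corrected. The DB
# password is generated here only for illustration; in practice take it from
# your secret store and set the same value on the external database.
def harden_firezone_settings(settings, db_password: SecureRandom.hex(24))
  hardened = Marshal.load(Marshal.dump(settings))
  fz = hardened["firezone"] ||= {}
  (fz["ssl"] ||= {})["protocols"] = "TLSv1.2 TLSv1.3" # drop TLSv1.3 if the bundled OpenSSL lacks it
  (fz["database"] ||= {})["password"] = db_password
  (fz["nginx"] ||= {})["server_tokens"] = "off"
  fz["allow_unprivileged_device_configuration"] = false
  auth = fz["authentication"] ||= {}
  auth["disable_vpn_on_oidc_error"] = true
  # Only turn off local logins after an OIDC admin login has been verified,
  # otherwise you lose the break-glass account.
  (auth["local"] ||= {})["enabled"] = false
  hardened
end

if __FILE__ == $PROGRAM_NAME
  puts "before:"
  audit_firezone_settings(WEAK_SETTINGS).each { |f| puts "  - #{f}" }   # 6 findings
  puts "after: #{audit_firezone_settings(harden_firezone_settings(WEAK_SETTINGS)).inspect}"   # []
end
```

Each hardened value maps directly onto a line in /etc/firezone/firezone.rb (for example `default['firezone']['ssl']['protocols'] = 'TLSv1.2 TLSv1.3'`); after editing the file, run `firezone-ctl reconfigure` as the deployment guide describes so the change is applied.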
________________________________________________________________
Below is a list of files and directories associated with a typical Firezone installation. They may differ depending on the changes in your configuration file.
| path | description |
|---|---|
| /var/opt/firezone | Top-level directory containing the data and generated configuration of Firezone's bundled services. |
| /opt/firezone | Top-level directory containing the built libraries, binaries and runtime files that Firezone needs. |
| /usr/bin/firezone-ctl | The firezone-ctl utility for managing your Firezone installation. |
| /etc/systemd/system/firezone-runsvdir-start.service | systemd unit file that starts the Firezone runsvdir supervisor process. |
| /etc/firezone | Firezone configuration files. |
__________________________________________________________
This page was empty in the documentation.
_____________________________________________________________
The following firewall template can be used to protect a server running Firezone. The template makes certain assumptions; you may need to adjust the rules to fit your deployment:
Firezone configures its own nftables rules to allow or deny traffic to the destinations configured in the web interface, and to handle outbound NAT for client traffic.
Applying the firewall template below on a server that is already running (rather than at boot) clears the rules that Firezone added, because the template flushes the whole ruleset. This has security implications: until the rules are restored, the allow/deny policy from the web interface is not enforced.
To work around this, restart the phoenix service, then confirm with `nft list ruleset` that Firezone's rules are back:
firezone-ctl restart phoenix
#!/usr/sbin/nft -f

## Clear/flush all existing rules
flush ruleset

################################ VARIABLES ################################
## Internet/WAN interface name
define DEV_WAN = eth0

## WireGuard interface name
define DEV_WIREGUARD = wg-firezone

## WireGuard listen port
define WIREGUARD_PORT = 51820
############################## VARIABLES END ##############################

# Main inet family filtering table
table inet filter {

  # Rules for forwarded traffic
  # This chain is processed before the Firezone forward chain
  chain forward {
    type filter hook forward priority filter - 5; policy accept
  }

  # Rules for input traffic
  chain input {
    type filter hook input priority filter; policy drop

    ## Allow inbound traffic on the loopback interface
    iif lo \
      accept \
      comment "Allow all traffic in on the loopback interface"

    ## Allow established and related connections
    ct state established,related \
      accept \
      comment "Allow established/related connections"

    ## Allow inbound WireGuard traffic
    iif $DEV_WAN udp dport $WIREGUARD_PORT \
      counter \
      accept \
      comment "Allow inbound WireGuard traffic"

    ## Log and drop new TCP packets that are not SYN
    tcp flags != syn ct state new \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - New !SYN: " \
      comment "Rate-limited logging for new connections that do not have the TCP SYN flag set"
    tcp flags != syn ct state new \
      counter \
      drop \
      comment "Drop new connections that do not have the TCP SYN flag set"

    ## Log and drop TCP packets with the invalid fin/syn flag combination set
    tcp flags & (fin|syn) == (fin|syn) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - TCP FIN|SYN: " \
      comment "Rate-limited logging for TCP packets with the invalid fin/syn flag combination set"
    tcp flags & (fin|syn) == (fin|syn) \
      counter \
      drop \
      comment "Drop TCP packets with the invalid fin/syn flag combination set"

    ## Log and drop TCP packets with the invalid syn/rst flag combination set
    tcp flags & (syn|rst) == (syn|rst) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - TCP SYN|RST: " \
      comment "Rate-limited logging for TCP packets with the invalid syn/rst flag combination set"
    tcp flags & (syn|rst) == (syn|rst) \
      counter \
      drop \
      comment "Drop TCP packets with the invalid syn/rst flag combination set"

    ## Log and drop invalid TCP flags
    tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - FIN: " \
      comment "Rate-limited logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) < (fin)"
    tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
      counter \
      drop \
      comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) < (fin)"

    ## Log and drop invalid TCP flags
    tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - FIN|PSH|URG: " \
      comment "Rate-limited logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"
    tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
      counter \
      drop \
      comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"

    ## Drop traffic with an invalid connection state
    ct state invalid \
      limit rate 100/minute burst 150 packets \
      log flags all prefix "IN - Invalid: " \
      comment "Rate-limited logging for traffic with an invalid connection state"
    ct state invalid \
      counter \
      drop \
      comment "Drop traffic with an invalid connection state"

    ## Allow IPv4 ping/ping responses but rate limit to 2000 PPS
ip uhlobo lwe-protocol icmp icmp {echo-reply, echo-request } \
isilinganiso somkhawulo 2000/kwesibili\
isibali \
vuma \
amazwana "Vumela ukungena kwe-IPv4 echo (ping) kukhawulelwe ku-2000 PPS"
## Vumela yonke enye i-IPv4 ICMP engenayo
ip protocol icmp \
isibali \
vuma \
amazwana "Vumela yonke enye i-IPv4 ICMP"
## Vumela i-IPv6 izimpendulo ze-ping/ping kodwa umkhawulo wesilinganiso ufike ku-2000 PPS
icmpv6 uhlobo {echo-reply, echo-request } \
isilinganiso somkhawulo 2000/kwesibili\
isibali \
vuma \
amazwana "Vumela ukungena kwe-IPv6 echo (ping) kukhawulelwe ku-2000 PPS"
## Vumela yonke enye i-IPv6 ICMP engenayo
imeta l4proto { icmpv6 } \
isibali \
vuma \
amazwana "Vumela yonke enye i-IPv6 ICMP"
## Vumela izimbobo ze-traceroute ye-UDP engena ngaphakathi kodwa ukhawule ku-500 PPS
udp dport 33434-33524 \
isilinganiso somkhawulo 500/kwesibili\
isibali \
vuma \
amazwana "Imvume ye-UDP traceroute engenayo ikhawulelwe kuma-500 PPS"
## Imvume ye-SSH engenayo
tcp dport ssh ct state new \
isibali \
vuma \
amazwana "Vumela ukuxhumana kwe-SSH kwangaphakathi"
## Imvume yokungena kwe-HTTP ne-HTTPS
tcp dport {http, https } ct state new \
isibali \
vuma \
amazwana "Vumela ukuxhumana kwe-HTTP ne-HTTPS kwangaphakathi"
## Faka noma iyiphi ithrafikhi engenakuqhathaniswa kodwa ukugawulwa kwesilinganiso esilinganiselwe kufikela kumiyalezo engama-60/ngomzuzu
## Inqubomgomo ezenzakalelayo izosetshenziswa kuthrafikhi engafaniswa
isilinganiso somkhawulo 60/umzuzu wokuqhuma 100 amaphakethe \
log isiqalo "IN - Drop:" \
amazwana "Lokha noma iyiphi ithrafikhi engafaniswa"
## Bala ithrafikhi engenakuqhathaniswa
isibali \
amazwana "Bala noma iyiphi ithrafikhi engafaniswa"
}
# Imithetho yokuphuma kwethrafikhi
okukhipha iketango {
thayipha isihlungi se-hook yokuphuma kuqala kwesihlungi; ukwehla kwenqubomgomo
## Vumela ithrafikhi ephumayo ku-loopback interface
bheka \
vuma \
amazwana "Vumela yonke i-traffic ku-loopback interface"
## Imvume esunguliwe nokuxhumana okuhlobene
isimo simisiwe, sihlobene \
isibali \
vuma \
amazwana "Imvume yokuxhumana okusunguliwe/okuhlobene"
## Vumela ithrafikhi ye-WireGuard ephumayo ngaphambi kokuyeka ukuxhumana nesimo esibi
oif $DEV_WAN udp ezemidlalo $WIREGUARD_PORT \
isibali \
vuma \
amazwana "Permit WireGuard traffic out"
## Yehlisa ithrafikhi ngesimo sokuxhuma esingavumelekile
ct state ayivumelekile \
isilinganiso somkhawulo 100/umzuzu wokuqhuma 150 amaphakethe \
log ihlaba umkhosi sonke isiqalo “OUT – Akuvumelekile: “ \
amazwana “Linganisela ukugawulwa kwemithi yethrafikhi enesimo sokuxhuma esingavumelekile”
ct state ayivumelekile \
isibali \
wisa \
amazwana "Yehlisa ithrafikhi ngesimo sokuxhumeka esingavumelekile"
## Vumela yonke enye i-IPv4 ICMP ephumayo
ip protocol icmp \
isibali \
vuma \
amazwana "Vumela zonke izinhlobo ze-IPv4 ICMP"
## Vumela yonke enye i-IPv6 ICMP ephumayo
imeta l4proto { icmpv6 } \
isibali \
vuma \
amazwana "Vumela zonke izinhlobo ze-IPv6 ICMP"
## Vumela izimbobo ze-traceroute ye-UDP ephumayo kodwa ukhawule ku-500 PPS
udp dport 33434-33524 \
isilinganiso somkhawulo 500/kwesibili\
isibali \
vuma \
amazwana "Vumela ukuphuma kwe-UDP traceroute ekhawulelwe ku-500 PPS"
## Vumela ukuxhumana okuphumayo kwe-HTTP ne-HTTPS
tcp dport {http, https } ct state new \
isibali \
vuma \
amazwana "Vumela ukuphuma kwe-HTTP ne-HTTPS ukuxhumana"
## Vumela ukuthunyelwa kwe-SMTP ephumayo
Ukuhanjiswa kwe-tcp dport ct kusha \
isibali \
vuma \
amazwana "Vumela ukuthunyelwa kwe-SMTP ephumayo"
## Vumela izicelo ze-DNS eziphumayo
udp dport 53 \
isibali \
vuma \
amazwana "Vumela izicelo ze-UDP DNS eziphumayo"
tcp dport 53 \
isibali \
vuma \
amazwana "Vumela izicelo ze-TCP DNS eziphumayo"
## Vumela izicelo ze-NTP eziphumayo
udp dport 123 \
isibali \
vuma \
amazwana "Vumela izicelo ze-NTP eziphumayo"
## Faka noma iyiphi ithrafikhi engenakuqhathaniswa kodwa ukugawulwa kwesilinganiso esilinganiselwe kufikela kumiyalezo engama-60/ngomzuzu
## Inqubomgomo ezenzakalelayo izosetshenziswa kuthrafikhi engafaniswa
isilinganiso somkhawulo 60/umzuzu wokuqhuma 100 amaphakethe \
log isiqalo "Phuma - Yehlisa:" \
amazwana "Lokha noma iyiphi ithrafikhi engafaniswa"
## Bala ithrafikhi engenakuqhathaniswa
isibali \
amazwana "Bala noma iyiphi ithrafikhi engafaniswa"
}
}
# Ithebula eliyinhloko lokuhlunga le-NAT
itafula inet nat {
# Imithetho ye-NAT traffic pre-routing
i-chain prerouting {
thayipha i-nat hook yokubeka kuqala i-dstnat; inqubomgomo yamukela
}
# Imithetho ye-NAT traffic post-routing
# Leli thebula licutshungulwa ngaphambi kochungechunge lwe-Firezone post-routing
ukuthunyelwa kwe-chain {
thayipha i-nat hook postrouting priority srcnat - 5; yamukela inqubomgomo
}
}
The firewall should be saved in the location appropriate for the running Linux distribution. On Debian/Ubuntu this is /etc/nftables.conf, and on RHEL it is /etc/sysconfig/nftables.conf.
The nftables.service will need to be configured to start on boot (if it is not already) by running:
systemctl enable nftables.service
If you make any changes to the firewall template, the syntax can be validated without loading it by running the check command:
nft -f /path/to/nftables.conf -c
Make sure to verify that the firewall behaves as expected, since certain nftables features may not be available depending on the release running on the server.
_______________________________________________________________
This document gives an overview of the telemetry Firezone collects from your self-hosted instance and how to disable it.
Firezone relies on telemetry to prioritize our roadmap and to focus the engineering resources we have on making Firezone better for everyone.
The telemetry we collect aims to answer the following questions:
There are three main places where telemetry is collected in Firezone:
In all three of these cases, we capture the minimum amount of data necessary to answer the questions in the section above.
Admin emails are collected only if you opt in to product updates. Otherwise, personally identifiable information is never collected.
Firezone stores telemetry in a self-hosted instance of PostHog running in a private Kubernetes cluster that is accessible only to the Firezone team. Here is an example of a telemetry event sent from your Firezone instance to our telemetry server:
{
  "id": "0182272d-0b88-0000-d419-7b9a413713f1",
  "timestamp": "2022-07-22T18:30:39.748000+00:00",
  "event": "fz_http_started",
  "distinct_id": "1ec2e794-1c3e-43fc-a78f-1db6d1a37f54",
  "properties": {
    "$geoip_city_name": "Ashburn",
    "$geoip_continent_code": "NA",
    "$geoip_continent_name": "North America",
    "$geoip_country_code": "US",
    "$geoip_country_name": "United States",
    "$geoip_latitude": 39.0469,
    "$geoip_longitude": -77.4903,
    "$geoip_postal_code": "20149",
    "$geoip_subdivision_1_code": "VA",
    "$geoip_subdivision_1_name": "Virginia",
    "$geoip_time_zone": "America/New_York",
    "$ip": "52.200.241.107",
    "$plugins_deferred": [],
    "$plugins_failed": [],
    "$plugins_succeeded": [
      "GeoIP (3)"
    ],
    "distinct_id": "1zc2e794-1c3e-43fc-a78f-1db6d1a37f54",
    "fqdn": "awsdemo.firezone.dev",
    "kernel_version": "Linux 5.13.0",
    "version": "0.4.6"
  },
  "elements_chain": ""
}
NOTE
The Firezone development team relies on product analytics to make Firezone better for everyone. Leaving telemetry enabled is the single most valuable contribution you can make to Firezone's development. That said, we understand that some users have higher privacy or security requirements and would prefer to disable telemetry altogether. If that is you, keep reading.
Telemetry is enabled by default. To completely disable product telemetry, set the following configuration option to false in /etc/firezone/firezone.rb and run sudo firezone-ctl reconfigure to apply the change.
default['firezone']['telemetry']['enabled'] = false
That will completely disable all product telemetry.
Hailbytes
9511 Queens Guard Ct.
Laurel, MD 20723
Phone: (732) 771-9995
Email: info@hailbytes.com