Proxy setup to allow/deny specific urls for BusinessVM

Signed-off-by: Enes Öztürk <enes.ozturk@unikie.com>
brianmcgillion · Oct 4, 2024 · e037186 · e037186
1 parent 64dbb0e
commit e037186
Show file tree

Hide file tree

Showing 5 changed files with 1,289 additions and 178 deletions.
diff --git a/modules/reference/appvms/business.nix b/modules/reference/appvms/business.nix
@@ -11,6 +11,12 @@ let
   #TODO: Move this to a common place
   xdgPdfPort = 1200;
   name = "business";
+  tiiVpnAddr = "151.253.154.18";
+  vpnOnlyAddr = "${tiiVpnAddr},jira.tii.ae,access.tii.ae,confluence.tii.ae,i-service.tii.ae,catalyst.atrc.ae";
+  netvmEntry = builtins.filter (x: x.name == "net-vm") config.ghaf.networking.hosts.entries;
+  netvmAddress = lib.head (builtins.map (x: x.ip) netvmEntry);
+  adminvmEntry = builtins.filter (x: x.name == "admin-vm") config.ghaf.networking.hosts.entries;
+  adminvmAddress = lib.head (builtins.map (x: x.ip) adminvmEntry);
 in
 {
   name = "${name}";
@@ -38,9 +44,10 @@ in
       pkgs.globalprotect-openconnect
       pkgs.losslesscut-bin
       pkgs.openconnect
-      pkgs.nftables
       pkgs.gnome-text-editor
-    ];
+    ]
+    ++ lib.optionals config.ghaf.profiles.debug.enable [ pkgs.tcpdump ];
+
   # TODO create a repository of mac addresses to avoid conflicts
   macAddress = "02:00:00:03:10:01";
   ramMb = 6144;
@@ -74,7 +81,6 @@ in
       };
 
       ghaf.reference.programs.chromium.enable = true;
-
       # Set default PDF XDG handler
       xdg.mime.defaultApplications."application/pdf" = "ghaf-pdf.desktop";
 
@@ -92,183 +98,45 @@ in
       #Firewall Settings
       networking = {
         firewall.enable = true;
+        proxy = {
+          default = "http://${netvmAddress}:${toString config.ghaf.reference.services.proxy-server.bindPort}";
+          noProxy = "192.168.101.10,${adminvmAddress},127.0.0.1,localhost,${vpnOnlyAddr}";
+        };
         firewall.extraCommands = ''
 
-          iptables -F
-            add_rule() {
-              local ip=$1
-              iptables -I OUTPUT -p tcp -d $ip --dport 80 -j ACCEPT
-              iptables -I OUTPUT -p tcp -d $ip --dport 443 -j ACCEPT
-              iptables -I INPUT -p tcp -s $ip --sport 80 -j ACCEPT
-              iptables -I INPUT -p tcp -s $ip --sport 443 -j ACCEPT
-            }
-           # Urls can be found from Source: https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges
-           # Allow microsoft365.com
-           add_rule 13.107.6.156
-           add_rule 13.107.9.156
-
-           # Exchange
-           add_rule 13.107.6.152/31
-           add_rule 13.107.18.10/31
-           add_rule 13.107.128.0/22
-           add_rule 23.103.160.0/20
-           add_rule 40.96.0.0/13
-           add_rule 40.104.0.0/15
-           add_rule 52.96.0.0/14
-           add_rule 131.253.33.215/32
-           add_rule 132.245.0.0/16
-           add_rule 150.171.32.0/22
-           add_rule 204.79.197.215/32
-
-
-           # Exchange Online
-           add_rule 40.92.0.0/15
-           add_rule 40.107.0.0/16
-           add_rule 52.100.0.0/14
-           add_rule 52.238.78.88/32
-           add_rule 104.47.0.0/17
-
-
-           # Sharepoint
-           add_rule 13.107.136.0/22
-           add_rule 40.108.128.0/17
-           add_rule 52.104.0.0/14
-           add_rule 104.146.128.0/17
-           add_rule 150.171.40.0/22
-
-
-           # Common
-           add_rule 13.107.6.171/32
-           add_rule 13.107.18.15/32
-           add_rule 13.107.140.6/32
-           add_rule 52.108.0.0/14
-           add_rule 52.244.37.168/32
-           add_rule 20.20.32.0/19
-           add_rule 20.190.128.0/18
-           add_rule 20.231.128.0/19
-           add_rule 40.126.0.0/18
-           add_rule 13.107.6.192/32
-           add_rule 13.107.9.192/32
-           add_rule 52.108.0.0/14
-
-           # Teams
-           add_rule 13.107.64.0/18
-           add_rule 52.112.0.0/14
-           add_rule 52.122.0.0/15
-           add_rule 52.108.0.0/14
-           add_rule 52.238.119.141/32
-           add_rule 52.244.160.207/32
-           add_rule 2.16.234.57
-           add_rule 23.56.21.152
-           add_rule 23.33.233.129
-           add_rule 52.123.0.0/16
-
-
-           # Allow VPN access.tii.ae and iservice
-           add_rule 151.253.154.18
-           add_rule 10.161.10.120
-
-           # To be checked
-           # Allow res.cdn.office.net
-           add_rule 152.199.21.175
-           add_rule 152.199.39.108
-           add_rule 2.21.231.0/24
-           add_rule 2.20.249.0/24
-           add_rule 152.199.0.0/16
-
-
-           # Allow js.monitor.azure.com
-           add_rule 13.107.246.0/24
-
-           # Allow c.s-microsoft.com
-           add_rule 23.207.193.242
-           add_rule 23.208.213.121
-           add_rule 23.208.173.122
-           add_rule 23.44.1.243
-           add_rule 104.65.229.0/24
-           add_rule 23.53.113.0/24
-           add_rule 2.19.105.47
-
-           # Allow microsoft.com
-           add_rule 20.70.246.20
-           add_rule 20.236.44.162
-           add_rule 20.76.201.171
-           add_rule 20.231.239.246
-           add_rule 20.112.250.133
-           add_rule 184.25.221.172
-
-           # statics.teams.cdn.office.net
-           add_rule 95.101.0.0/16
-           add_rule 184.87.193.0/24
-           add_rule 23.44.0.0/14
-           add_rule 96.16.53.0/24
-           add_rule 23.59.80.0/24
-           add_rule 23.202.33.0/24
-           add_rule 104.73.172.0/24
-           add_rule 184.27.123.0/24
-           add_rule 2.16.56.0/24
-           add_rule 23.219.73.130
-           add_rule 104.93.18.174
-           add_rule 2.21.225.158
-           add_rule 23.45.137.145
-           add_rule 23.48.121.167
-           add_rule 23.46.197.94
-           add_rule 104.80.21.47
-           add_rule 23.195.154.8
-           add_rule 193.229.113.0/24
-
-           # edge.skype.com for teams
-           add_rule 13.107.254.0/24
-           add_rule 13.107.3.0/24
-
-           # api.flightproxy.skype.com for teams
-           add_rule 98.66.0.0/16
-           add_rule 4.208.0.0/16
-           add_rule 4.225.208.0/24
-           add_rule 4.210.0.0/16
-           add_rule 108.141.240.0/24
-           add_rule 74.241.0.0/16
-           add_rule 20.216.0.0/16
-           add_rule 172.211.0.0/16
-           add_rule 20.50.217.0/24
-           add_rule 68.219.14.0/24
-           add_rule 20.107.136.0/24
-           add_rule 4.175.191.0/24
-           add_rule 98.64.0.0/16
-
-           # Allow tiiuae.sharepoint.com
-           add_rule 52.104.7.53
-           add_rule 52.105.255.39
-           add_rule 13.107.138.10
-           add_rule 13.107.136.10
-           add_rule 118.215.84.0/24
-           add_rule 104.69.171.0/24
-           add_rule 13.107.136.10
-           add_rule 23.15.111.0/24
-           # Allow shell.cdn.office.net
-           add_rule 23.50.92.176
-           add_rule 23.15.30.57
-           add_rule 23.50.187.58
-           add_rule 104.73.234.244
-           add_rule 104.83.143.131
-           # Allow res-1.cdn.office.net
-           add_rule 23.52.40.0/24
-           add_rule 23.64.122.0/24
-           add_rule 2.16.106.0/24
-           # Allow publiccdn.sharepointonline.com
-           add_rule 23.50.86.117
-           add_rule 104.69.168.125
-           add_rule 2.16.43.238
-           add_rule 23.34.79.0/24
-           add_rule 23.39.68.0/24
-           # r4.res.office365.com
-           add_rule 2.19.97.32
-           add_rule 2.22.61.139
-
-
-           # Block all other HTTP and HTTPS traffic
-           iptables -A OUTPUT -p tcp --dport 80 -j REJECT
-           iptables -A OUTPUT -p tcp --dport 443 -j REJECT
+          add_rule() {
+                local ip=$1
+                iptables -I OUTPUT -p tcp -d $ip --dport 80 -j ACCEPT
+                iptables -I OUTPUT -p tcp -d $ip --dport 443 -j ACCEPT
+                iptables -I INPUT -p tcp -s $ip --sport 80 -j ACCEPT
+                iptables -I INPUT -p tcp -s $ip --sport 443 -j ACCEPT
+              }
+          # Default policy 
+          iptables -P INPUT DROP
+
+          # Block any other unwanted traffic (optional)
+          iptables -N logreject
+          iptables -A logreject -j LOG
+          iptables -A logreject -j REJECT
+
+          # allow everything for local VPN traffic
+          iptables -A INPUT -i tun0 -j ACCEPT
+          iptables -A FORWARD -i tun0 -j ACCEPT
+          iptables -A FORWARD -o tun0 -j ACCEPT
+          iptables -A OUTPUT -o tun0 -j ACCEPT
+
+          # WARN: if all the traffic including VPN flowing through proxy is intended,
+          # remove "add_rule 151.253.154.18" rule and pass "--proxy-server=http://192.168.100.1:3128" to openconnect(VPN) app.
+          # also remove "151.253.154.18,tii.ae,.tii.ae,sapsf.com,.sapsf.com" addresses from noProxy option and add
+          # them to allow acl list in modules/reference/appvms/3proxy-config.nix file.
+          # Allow VPN access.tii.ae 
+          add_rule ${tiiVpnAddr}
+
+          # Block all other HTTP and HTTPS traffic
+          iptables -A OUTPUT -p tcp --dport 80 -j logreject
+          iptables -A OUTPUT -p tcp --dport 443 -j logreject
+          iptables -A OUTPUT -p udp --dport 80 -j logreject
+          iptables -A OUTPUT -p udp --dport 443 -j logreject
 
         '';
       };

diff --git a/modules/reference/profiles/mvp-user-trial.nix b/modules/reference/profiles/mvp-user-trial.nix
@@ -34,6 +34,7 @@ in
         services = {
           enable = true;
           dendrite = true;
+          proxy-business = lib.mkForce config.ghaf.reference.appvms.business-vm;
         };
 
         personalize = {

diff --git a/modules/reference/services/default.nix b/modules/reference/services/default.nix
@@ -10,14 +10,17 @@ in
   imports = [
     ./dendrite-pinecone/dendrite-pinecone.nix
     ./dendrite-pinecone/dendrite-config.nix
+    ./proxy-server/3proxy-config.nix
   ];
   options.ghaf.reference.services = {
     enable = mkEnableOption "Enable the Ghaf reference services";
     dendrite = mkEnableOption "Enable the dendrite-pinecone service";
+    proxy-business = mkEnableOption "Enable the proxy server service";
   };
   config = mkIf cfg.enable {
     ghaf.reference.services = {
       dendrite-pinecone.enable = mkForce (cfg.dendrite && isNetVM);
+      proxy-server.enable = mkForce (cfg.proxy-business && isNetVM);
     };
   };
 }
diff --git a/modules/reference/services/proxy-server/3proxy-config.nix b/modules/reference/services/proxy-server/3proxy-config.nix
@@ -0,0 +1,107 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ config, lib, ... }:
+let
+  cfg = config.ghaf.reference.services.proxy-server;
+  inherit (lib) mkEnableOption mkIf;
+  # use nix-prefetch-url to calculate sha256 checksum
+  # TODO The urls should be fetched during boot. The script should be implemented in netvm or adminvm
+  #pkgs.fetchurl {
+  #  url = "https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7";
+  #  sha256 = "1zly0g23vray4wg6fjxxdys6zzksbymlzggbg75jxqcf8g9j6xnw";
+  #};
+  msEndpointsFile = ./ms_urls.json;
+  # Read and parse the JSON file
+  msEndpointsData = builtins.fromJSON (builtins.readFile msEndpointsFile);
+
+  # Extract URLs from the JSON data based on categories
+  msExtractUrls = map (x: x.urls or [ ]) (
+    lib.filter (
+      x: x.category == "Optimize" || x.category == "Allow" || x.category == "Default"
+    ) msEndpointsData
+  );
+
+  msUrlsFlattened = builtins.concatLists msExtractUrls ++ [ "microsoft365.com" ];
+
+  tiiUrls = [
+    #for jira avatars
+    "*.gravatar.com"
+    # for confluence icons
+    "*.atlassian.com"
+    "*tii.ae"
+    "*tii.org"
+    "hcm22.sapsf.com"
+    "aderp.addigital.gov.ae"
+    "s1.mn1.ariba.com"
+    "tii.sourcing.mn1.ariba.com"
+    "a1c7ohabl.accounts.ondemand.com"
+    "flpnwc-ojffapwnic.dispatcher.ae1.hana.ondemand.com"
+    "*.docusign.com"
+    "access.clarivate.com"
+  ];
+
+  ssrcUrls = [
+    "*.cachix.org"
+    "cache.vedenemo.dev"
+    "vedenemo.dev"
+    "loki.ghaflogs.vedenemo.dev"
+    "ghaflogs.vedenemo.dev"
+    "himalia.vedenemo.dev"
+  ];
+  netvmEntry = builtins.filter (x: x.name == "net-vm") config.ghaf.networking.hosts.entries;
+  netvmAddr = lib.head (builtins.map (x: x.ip) netvmEntry);
+in
+{
+  options.ghaf.reference.services.proxy-server = {
+    enable = mkEnableOption "Enable proxy server module";
+    bindPort = lib.mkOption {
+      type = lib.types.int;
+      default = 3128;
+      description = "Bind port for proxy server";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    assertions = [
+
+    ];
+
+    #Firewall Settings
+    networking = {
+      firewall.enable = true;
+      firewall.extraCommands = ''
+         # Allow incoming connections to 3proxy on port ${toString cfg.bindPort} from the client's IP
+        iptables -I INPUT -p tcp -s 192.168.100.0/24 --dport ${toString cfg.bindPort} -j ACCEPT
+        iptables -I INPUT -p udp -s 192.168.100.0/24 --dport ${toString cfg.bindPort} -j ACCEPT
+      '';
+    };
+    services._3proxy = {
+      enable = true;
+      services = [
+        {
+          type = "proxy";
+          bindAddress = "${netvmAddr}";
+          inherit (cfg) bindPort;
+          maxConnections = 200;
+          auth = [ "iponly" ];
+          acl = [
+            {
+              rule = "allow";
+              targets = msUrlsFlattened;
+            }
+            {
+              rule = "allow";
+              targets = tiiUrls;
+            }
+            {
+              rule = "allow";
+              targets = ssrcUrls;
+            }
+            { rule = "deny"; }
+          ];
+        }
+      ];
+    };
+
+  };
+}