Build NAT for VMware ESXi with pfSense

By default, the VMware ESXi hypervisor does not support NAT; it only bridges guest VMs onto the physical network to obtain their addresses. So when you do not have enough DHCP addresses to hand out to many VMs, NAT is an option that lets the VMs share IP resources while still letting outside clients reach them.

Here are some links I referred to when I reconfigured our ESXi + pfSense servers recently.

https://doc.pfsense.org/index.php/PfSense_on_VMware_vSphere_/_ESXi

http://blog.romant.net/technology/configuring-nat-on-esx-and-esxi/

https://sxkdz.org/vmware-esxi-and-pfsense-router-deploy/

https://www.jsnowcreations.com/guides/computer-guides/setup-steps-for-single-nic-hetzner-root-server-running-esxi-with-pfsense-router/

Here are some points you need to pay attention to when doing this; my cases were on ESXi 5.1 and 5.5:

1. If you only have one physical NIC (vmnic0), you need one IP for the VMware management interface and another IP for the pfSense WAN interface, both on the same NIC. So two outside-facing IPs is the minimum for NAT even in the single-NIC case.

2. vSwitch0 is used by the VMs by default, and your newly created switch (not bound to any NIC) will be vSwitch1. So normally pfSense has two virtual network interfaces: WAN bound to vSwitch0 and LAN bound to vSwitch1, working as the NAT gateway.

3. Once pfSense is running, assign some VMs to the LAN; from a LAN VM you can then browse to the HTTP admin UI on the pfSense LAN interface (the LAN gateway) to manage pfSense, with the default account admin/pfsense. Change that default password before anything else can reach the admin UI. You need basic firewall and LAN gateway knowledge to manage this gateway.

4. To let outside clients access a VM, configure NAT port forwarding on the pfSense WAN interface. Also pay attention to the default check box in the WAN firewall policy that blocks private networks, if you need 10.****, 198.*****, 172**** addresses to reach your VM.

5. For flexibility the pfSense WAN MAC can be changed, but not the LAN side; you may need to reboot pfSense after changing the WAN MAC.


Free API management choices for distributed RESTful web services

If you are looking for a cheaper solution for web service API management, this list might give you some hints.

As soon as you have distributed or micro web services, you run into the question of how to put all the shared features for each service, such as security, authentication and auditing, into one place. Here I list some free or low-cost API lifecycle management frameworks and products. When you use Amazon AWS or Microsoft Azure, they already supply a similar service. For small companies that do not want to be tied to a cloud provider, an open source, self-controlled API management solution gives you more flexibility and independence for future migration.

Basically they come in either an on-premise or an as-a-service model. On-premise means deployed in a physical or virtual data center. The as-a-service cloud version integrates with cloud-based API management, and you can manage it from anywhere.

  1. WSO2 on-premises – WSO2 API Manager is a 100% open source, enterprise-class solution that supports API publishing, lifecycle management, application development, access control, rate limiting and analytics in one cleanly integrated system. Runs on Java, most databases and Apache ActiveMQ. Apache 2.0 license.
  2. Kong Community Edition – open source with a large customer base. Kong's server is based on the widely adopted NGINX HTTP server and acts as a reverse proxy processing your clients' requests to your upstream services. Kong's datastore holds the configuration, which lets you scale Kong nodes horizontally; Apache Cassandra and PostgreSQL can be used.
  3. Tyk On-Premises – not open source, but single-gateway Tyk Pro licences are free forever. Install your preferred package free for a single gateway; it is affordable at scale. No need to maintain forks, third-party dependencies, or purchase SaaS add-ons: download the free open source API gateway, get a free Tyk dashboard licence, and use Tyk commercially for free, with no hidden costs and no restrictions on number of users, APIs or analytics retention. The entire platform runs under your control on your own servers, priced according to the number of gateways in your environment, not the size of your team, with no features held back.
  4. Apiman (no new features since Red Hat acquired 3scale) – simple to use; installs on WildFly (with Elasticsearch) or Tomcat 8.
  5. API Umbrella – looks easy to use and install; requires MongoDB and Elasticsearch.
  6. gravitee.io – a very new API manager with three parts: the gateway, the management API and the portal; requires MongoDB to store mandatory data and Elasticsearch (Apache License V2).
  7. Apigee – acquired by Google, not free.
  8. Apiary free edition – now with Oracle. API Blueprint is simple and accessible to everybody involved in the API lifecycle. Its syntax is concise yet expressive. API Blueprint is completely open sourced under the MIT license. Its future is transparent and open: instead of a closed working group it uses an RFC process similar to the Rust language or Django Enhancement Proposal processes.

How to set up nginx as an HTTPS reverse proxy

Here is one example of how to set up the nginx server so that it accepts HTTPS calls and uses the SSL cert (the one you created in my last article).

In fact, in the location section you can forward requests to a non-HTTPS server, which could sit in your DMZ. Outside users browse the public domain, secured with HTTPS.

server {
    listen 443 ssl;
    server_name wayneshare.com;

    # server certificate (leaf first, followed by any intermediate CA certs) and its private key
    ssl_certificate cert_wayneshare/cert_wayneshare.crt;
    ssl_certificate_key cert_wayneshare/key_wayneshare.pem;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    client_body_buffer_size 200k;
    client_header_buffer_size 20k;
    client_max_body_size 256m;
    large_client_header_buffers 16 32k;

    access_log /var/log/nginx/node0.access.log;
    error_log /var/log/nginx/node0.error.log info;

    # forward /internal/ to a plain-HTTP backend (e.g. in the DMZ), passing the client address along
    location /internal/ {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://10.1.1.36/internal/;
    }
}


Now that HTTPS is enabled, you can force a redirect of your HTTP site or URL to the HTTPS URL. Just use this nginx setting:


server {
    listen 80;
    ............
    location /internal/ {
        return 301 https://$server_name$request_uri;
    }
}


How to set up Tomcat to consume the HTTPS cert

After I got my signed SSL/HTTPS cert from a CA, I needed to use it in web servers like Apache, nginx and Tomcat. Here is one example of how to import the cert into a keystore and then configure Tomcat to use it on port 443:

1. To import an existing certificate signed by a root CA into a PKCS12 keystore using OpenSSL, you would execute a command like:

openssl pkcs12 -export -in wayneshare.crt -inkey mykey.key -out wayneshare.p12 -name mycerts -CAfile myCA.crt -caname root -chain

Or with keytool:

The cert you get from a CA is normally signed through several levels of CA certificates; it is a chain. So if you import the chain into your keystore with keytool, you need to import the CA certs first, level by level:

keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>

And finally you can import your signed certificate:

keytool -import -alias mycerts -keystore <your_keystore_filename> -trustcacerts -file <your_certificate_filename>

For example, in my case I had two levels of CA certs to import before my real cert:

keytool -import -alias root -keystore keystore.jks -trustcacerts -file wayneshare_com.ca0.crt
keytool -import -alias intermed -keystore keystore.jks -trustcacerts -file wayneshare_com.ca1.crt
keytool -import -alias waynecert -keystore keystore.jks -storepass mypass -trustcacerts -file wayneshare_com.crt


2. After the cert is added to the keystore, we can change Tomcat's server.xml to add the keystore there:

<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="443" maxThreads="500"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="/home/certificate/keystore.jks" keystorePass="mypass"
    clientAuth="false" sslProtocol="TLS"/>

/home/certificate/ is the folder I use for my certs and keystores.

3. Restart Tomcat and you should be serving on port 443.


How to get an HTTPS certificate for your website

It is common for your website to need an SSL certificate to secure HTTPS. There are some free and budget cert suppliers. Here I use SSLS.COM, a budget supplier, as the example to list the steps to get a cert for your website.

1. First, create a Java keystore containing your 2048-bit private key, with a validity period (in days):

# the alias must be the one used later for the CSR and the cert import (waynecert)
sudo keytool -genkey -alias waynecert -keystore keystore.jks -storepass mypass -keyalg RSA -keysize 2048 -keypass mypass -validity 3650 -dname "cn=wayneshare.com,OU=Dept Name,O=Wayne Share LLC,L=Palo Alto,ST=CA,C=US"

Also save it in PKCS12 format, then list both keystores to verify:

sudo keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype pkcs12
keytool -list -v -keystore keystore.jks -storepass mypass
keytool -list -v -keystore keystore.p12 -storetype PKCS12 -storepass mypass

2. Create a CSR with the private key. To create your CSR, run the following command:

sudo keytool -certreq -keyalg RSA -alias waynecert -file certreq.csr -keystore keystore.jks

3. I used ssls.com to create our SSL cert; place an order there.

4. Activate the SSL cert there with our CSR content at SSLS.COM.

4.1 Paste the CSR content into the activation step of ssls.com:

less certreq.csr

-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----

4.2 Enter my own contact info:

Administrative contact: wayne zhou, waynzhou@wayneshare.com
3888 Miranda Place
Palo Alto, CA, 94304
United States

4.3 To confirm you own the domain, SSLS.COM offers two ways here:
one uses an email address under your domain, like admin@wayneshare.com; the other requires access to your web server (Apache/nginx) to place a verification file there, so that comodoca (the root CA) can verify that the site is under your control.

Download the verification file from ssls.com; you get this message first:
"You're almost done. Upload file to /.well-known/pki-validation/ public directory of wayneshare.com. Do not rename the file or edit its contents. If you're not sure what to do, please contact support."

The file name we got is: F26FF4AD68EEB3785D28B5420663D6A5.txt
The file content is just one line: 591E88059BC38F2F09DC9C426E83C607F7414728CFDAD1D1F4711A4658904C1F comodoca.com 5a1ca2e34e5ee

5. Put F26FF4AD68EEB3785D28B5420663D6A5.txt on my nginx server:
As I use nginx as the reverse proxy, HTTPS is installed on the nginx side, not on the Tomcat side.
So this step places the challenge file on the nginx server to prove you are the owner of the website wayneshare.com.

Add this location block and restart nginx:
location = /.well-known/pki-validation/F26FF4AD68EEB3785D28B5420663D6A5.txt {
    alias /home/www/.well-known/pki-validation/F26FF4AD68EEB3785D28B5420663D6A5.txt;
}

After I put the file under the /home/www folder, this link should work:

http://wayneshare.com/.well-known/pki-validation/F26FF4AD68EEB3785D28B5420663D6A5.txt

Then contact SSLS.COM support, and you will soon get an email with the cert file. Save the cert for your site to use.

6. Import the signed cert into the keystore file for the web server to use. Import the CA chain certs first, level by level, with the same -trustcacerts option, and then the signed cert under the key pair's alias:
keytool -import -alias waynecert -keystore keystore.jks -storepass mypass -trustcacerts -file wayneshare_com.crt
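As an added example (not from the original post), here is a POSIX shell script that checks the two things both the nginx reverse-proxy post above and the chain import here depend on: that a PEM bundle used as nginx's ssl_certificate is ordered leaf first with each certificate issued by the next one, and that the private key really belongs to that leaf. It assumes only the openssl CLI; the CA names and demo.example are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway root -> intermediate
# -> leaf chain with openssl (constructed names), then checks a PEM bundle the way
# nginx needs it: leaf first, each cert signed by the next, key matching the leaf.

# nth_cert FILE N : print the N-th PEM certificate block of FILE
nth_cert() {
  awk -v k="$2" '/BEGIN CERTIFICATE/{c++} c==k' "$1"
}

# chain_in_order BUNDLE : return 0 if cert i is issued by cert i+1 for every i
chain_in_order() {
  n=$(grep -c 'BEGIN CERTIFICATE' "$1")
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer | sed 's/^issuer=//')
    subject=$(nth_cert "$1" $((i + 1)) | openssl x509 -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] || return 1   # mis-ordered or foreign cert in the bundle
    i=$((i + 1))
  done
  return 0
}

# key_matches_cert KEY CERT : return 0 if the key's public half equals the cert's public key
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# make_demo_chain DIR : constructed root -> intermediate -> leaf, plus a correctly
# ordered bundle and one in keystore-import order (root first), which nginx rejects
make_demo_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' -days 30 \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -out "$d/int.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=demo.example' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -out "$d/leaf.crt" 2>/dev/null
  cat "$d/leaf.crt" "$d/int.crt" "$d/root.crt" > "$d/good.pem"   # what ssl_certificate wants
  cat "$d/root.crt" "$d/int.crt" "$d/leaf.crt" > "$d/bad.pem"    # import order, wrong for nginx
}
```

Run chain_in_order and key_matches_cert against your real bundle and key before pointing ssl_certificate and ssl_certificate_key at them.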


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Notes: related keytool commands

keytool -list

# export the private key

# export the cert (keytool reads ~/.keystore when -keystore is omitted)
keytool -export -rfc -alias mycerts -file cert_1.crt

# import a key from another keystore

keytool -importkeystore -srckeystore ~/.keystore -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias mycerts -deststorepass mypass -destkeypass mypass

Export the certificate using openssl:

openssl pkcs12 -in keystore.p12 -nokeys -out cert_1.pem

Export the unencrypted private key:

openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key_1.pem

Spring MVC + Security Note (4) – Migrate from Spring Security 3.X to 4.X

By W.ZH

Refer to this link:

http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-xml.html

Here are some notes on common changes in pages or configuration files:

  1. The default URLs for the login and logout form actions have changed:
     /j_spring_security_logout  to  /logout
     /j_spring_security_check   to  /login
     So we need to change our JSP content for these two.
  2. CSRF protection is enabled by default, so if you want it disabled, add
     <csrf disabled="true"/> inside the <http /> tag.
     If you want it enabled, you do not need to do anything.
  3. <access-denied-handler error-page="/page/403" /> now goes inside <http />,
     not as an attribute of <http *** /> as in the old version.
  4. If you have more than one role, you can no longer use
     access="ROLE_USER,ROLE_ADMIN"; you have to change to
     <http auto-config="true" use-expressions="true" >
     …..
     <intercept-url ……. access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" …..
     You may have other things that need changes; refer to the reference page.

Spring MVC + Security Note (3) – About the Role Name

By WZH.

In the last two examples we saw that the user has a role defined called ROLE_USER:

<user name="mkyong"
      password="123456"
      authorities="ROLE_USER" />

<intercept-url pattern="/admin**" access="ROLE_USER" />


You should note that ROLE_USER here is only a string. It just needs to match the authorities later in the authentication part. The authentication provider grants this role; when it matches what the login request requires, the role is assigned to the principal after authentication.

You can define any role yourself. Only ROLE_ANONYMOUS is a predefined role name in Spring Security, given to an anonymous user.

Inside Spring, the default AccessDecisionManager (which interprets the access attributes that you specify in the intercept-url element) uses a RoleVoter implementation. By default this looks for the prefix "ROLE_" on the attribute, so your best option is to make sure that your roles have this prefix.

If you want to use another prefix, e.g. AAA_USER, you have to define a custom RoleVoter with that prefix:

<bean class="org.springframework.security.access.vote.RoleVoter">
    <property name="rolePrefix" value="AAA"/>
</bean>

You will need to read more on how to wire this voter into the access decision manager.