Statistics
| Branch: | Tag: | Revision:

root / doc / index.md @ 1c9bea54

History | View | Annotate | Download (21.2 kB)

1
Firewall on Demand
2
==================
3

    
4
Description
5
-----------
6

    
7
Firewall on Demand applies, via Netconf, flow rules to a network device.
8
These rules are then propagated via e-bgp to peering routers. Each user
9
is authenticated against shibboleth. Authorization is performed via a
10
combination of a Shibboleth attribute and the peer network address range
11
that the user originates from. FoD is meant to operate over this
12
architecture:
13

    
14
    +-----------+          +------------+        +------------+
15
    |   FoD     | NETCONF  | flowspec   | ebgp   |   router   |
16
    | web app   +----------> device     +-------->            |
17
    +-----------+          +------+-----+        +------------+
18
                                  | ebgp
19
                                  |
20
                           +------v-----+
21
                           |   router   |
22
                           |            |
23
                           +------------+
24

    
25
NETCONF is chosen as the mgmt protocol to apply rules to a single
26
flowspec capable device. Rules are then propagated via igbp to all
27
flowspec capable routers. Of course FoD could apply rules directly (via
28
NETCONF always) to a router and then ibgp would do the rest. In GRNET’s
29
case the flowspec capable device is an EX4200.
30

    
31
  **attention**
32

    
33
  Make sure your FoD server has ssh access to your flowspec device.
34

    
35
  **attention**
36

    
37
  Installation instructions assume a clean Debian Wheezy with Django 1.4
38

    
39
Contact
40
-------
41

    
42
You can find more about FoD or raise your issues at [GRNET FoD
43
repository][].
44

    
45
You can contact us directly at staurosk{at}noc[dot]grnet(.)gr
46

    
47
Repositories
48
------------
49

    
50
  [GRNET FoD repository]: https://code.grnet.gr/projects/flowspy
51
  [Github FoD repository]: https://github.com/grnet/flowspy
52

    
53
Installation
54
============
55

    
56
Debian Wheezy (x64) - Django 1.4.x
57
----------------------------------
58

    
59
This guide assumes that installation is carried out in /srv/flowspy
60
directory. If other directory is to be used, please change the
61
corresponding configuration files. It is also assumed that the root user
62
will perform every action.
63

    
64
### Upgrading from v\<1.1.x
65

    
66
> **note**
67
>
68
> If PEER\_\*\_TABLE tables are set to FALSE in settings.py, you need to
69
> perform the south migrations per application:
70
>
71
>     ./manage.py migrate longerusername
72
>     ./manage.py migrate flowspec
73
>     ./manage.py migrate accounts
74

    
75
If upgrading from flowspy version \<1.1.x pay attention to settings.py
76
changes. Also, do not forget to run if PEER\_\*\_TABLE tables are set to
77
TRUE in settings.py:
78

    
79
    ./manage.py migrate
80

    
81
to catch-up with latest database changes.
82

    
83
### Upgrading from v\<1.0.x
84

    
85
If upgrading from flowspy version \<1.0.x pay attention to settings.py
86
changes. Also, do not forget to run:
87

    
88
    ./manage.py migrate
89

    
90
to catch-up with latest database changes.
91

    
92
### Required system packages
93

    
94
Update and install the required packages:
95

    
96
    apt-get update
97
    apt-get upgrade
98
    apt-get install mysql-server apache2 memcached libapache2-mod-proxy-html gunicorn beanstalkd python-django python-django-south python-django-tinymce tinymce python-mysqldb python-yaml python-memcache python-django-registration python-ipaddr python-lxml mysql-client git python-django-celery python-paramiko python-gevent vim
99

    
100
Also, django rest framework package is required. In debian Wheezy it is
101
not available, but one can install it via pip.
102

    
103
  **note**
104

    
105
  Set username and password for mysql if used
106

    
107
  **note**
108

    
109
  If you wish to deploy an outgoing mail server, now it is time to do
110
  it. Otherwise you could set FoD to send out mails via a third party
111
  account
112

    
113
### Create a database
114

    
115
If you are using mysql, you should create a database:
116

    
117
    mysql -u root -p -e 'create database fod'
118

    
119
### Required application packages
120

    
121
Get the required packages and their dependencies and install them:
122

    
123
    apt-get install libxml2-dev libxslt-dev gcc python-dev
124

    
125
-   ncclient: NETCONF python client:
126

    
127
        cd ~
128
        git clone https://github.com/leopoul/ncclient.git
129
        cd ncclient
130
        python setup.py install
131

    
132
-   nxpy: Python Objects from/to XML proxy:
133

    
134
        cd ~
135
        git clone https://code.grnet.gr/git/nxpy
136
        cd nxpy
137
        python setup.py install
138

    
139

    
140
- flowspy: core web application. Installation is done at /srv/flowspy::
141
        cd /srv
142
        git clone https://code.grnet.gr/git/flowspy
143
        cd flowspy
144

    
145
Application configuration
146
=========================
147

    
148
Copy settings.py.dist to settings.py:
149

    
150
    cd flowspy
151
    cp settings.py.dist settings.py
152

    
153
Edit settings.py file and set the following according to your
154
configuration:
155

    
156
    ADMINS: set your admin name and email (assuming that your server can send notifications)
157
    DATABASES (to point to your local database). You could use views instead of tables for models: peer, peercontacts, peernetworks. For this to work we suggest MySQL with MyISAM db engine
158
    SECRET_KEY : Make this unique, and don't share it with anybody
159
    STATIC_ROOT: /srv/flowspy/static (or your installation directory)
160
    STATIC_URL (static media directory) . If you have followed the above this should be: /srv/flowspy/static
161
    TEMPLATE_DIRS : If you have followed the above this should be: /srv/flowspy/templates
162
    CACHE_BACKEND:  Enable Memcached for production or leave to DummyCache for development environments
163
    Alternatively you could go for redis with the corresponding Django client lib.
164
    NETCONF_DEVICE (tested with Juniper EX4200 but any BGP enabled Juniper should work). This is the flowspec capable device
165
    NETCONF_USER (enable ssh and netconf on device)
166
    NETCONF_PASS
167
    If beanstalk is selected the following should be left intact.
168
    BROKER_HOST (beanstalk host)
169
    BROKER_PORT (beanstalk port)
170
    SERVER_EMAIL
171
    EMAIL_SUBJECT_PREFIX
172
    If beanstalk is selected the following should be left intact.
173
    BROKER_URL (beanstalk url)
174
    SHIB_AUTH_ENTITLEMENT (if you go for Shibboleth authentication)
175
    NOTIFY_ADMIN_MAILS (bcc mail addresses)
176
    PROTECTED_SUBNETS (subnets for which source or destination address will prevent rule creation and notify the NOTIFY_ADMIN_MAILS)
177
    The whois client is meant to be used in case you have inserted peers with their ASes in the peers table and wish to get network info for each one in an automated manner.
178
    PRIMARY_WHOIS
179
    ALTERNATE_WHOIS
180
    If you wish to deploy FoD with Shibboleth change the following attributes according to your setup:
181
    SHIB_AUTH_ENTITLEMENT = 'urn:mace'
182
    SHIB_ADMIN_DOMAIN = 'example.com'
183
    SHIB_LOGOUT_URL = 'https://example.com/Shibboleth.sso/Logout'
184
    SHIB_USERNAME = ['HTTP_EPPN']
185
    SHIB_MAIL = ['mail', 'HTTP_MAIL', 'HTTP_SHIB_INETORGPERSON_MAIL']
186
    SHIB_FIRSTNAME = ['HTTP_SHIB_INETORGPERSON_GIVENNAME']
187
    SHIB_LASTNAME = ['HTTP_SHIB_PERSON_SURNAME']
188
    SHIB_ENTITLEMENT = ['HTTP_SHIB_EP_ENTITLEMENT']
189

    
190
If you have not installed an outgoing mail server you can always use
191
your own account (either corporate or gmail, hotmail ,etc) by adding the
192
following lines in settings.py:
193

    
194
    EMAIL_USE_TLS = True #(or False)
195
    EMAIL_HOST = 'smtp.example.com'
196
    EMAIL_HOST_USER = 'username'
197
    EMAIL_HOST_PASSWORD = 'yourpassword'
198
    EMAIL_PORT = 587 #(outgoing)
199

    
200
It is strongly advised that you do not change the following to False
201
values unless, you want to integrate FoD with you CRM or members
202
database. This implies that you are able/have the rights to create
203
database views between the two databases:
204

    
205
    PEER_MANAGED_TABLE = True
206
    PEER_RANGE_MANAGED_TABLE = True
207
    PEER_TECHC_MANAGED_TABLE = True
208

    
209
By doing that the corresponding tables as defined in peers/models will
210
not be created. As noted above, you have to create the views that the
211
tables will rely on.
212

    
213
  **note**
214

    
215
  Soon we will release a version with django-registration as a means to
216
  add users and Shibboleth will become an alternative
217

    
218
Let’s move on with some copies and dir creations:
219

    
220
    mkdir /var/log/fod
221
    chown www-data.www-data /var/log/fod
222
    cp urls.py.dist urls.py
223
    cd ..
224

    
225
  **note**
226

    
227
  LOG\_FILE\_LOCATION in settings.py is set to **/var/log/fod**. Adjust
228
  the chown command above to your selected dir.
229

    
230
System configuration
231
====================
232

    
233
Apache operates as a gunicorn Proxy with WSGI and Shibboleth modules
234
enabled. Depending on the setup the apache configuration may vary:
235

    
236
    a2enmod rewrite
237
    a2enmod proxy
238
    a2enmod ssl
239
    a2enmod proxy_http
240

    
241
If shibboleth is to be used:
242

    
243
    apt-get install libapache2-mod-shib2
244
    a2enmod shib2
245

    
246
Now it is time to configure beanstalk, gunicorn, celery and apache.
247

    
248
beanstalkd
249
----------
250

    
251
Enable beanstalk by editting /etc/default/beanstalkd:
252

    
253
    vim /etc/default/beanstalkd
254

    
255
Uncomment the line **START=yes** to enable beanstalk
256

    
257
Start beanstalkd:
258

    
259
    service beanstalkd start
260

    
261
gunicorn.d
262
----------
263

    
264
Create and edit /etc/gunicorn.d/fod:
265

    
266
    vim /etc/gunicorn.d/fod
267

    
268
FoD is served via gunicorn and is then proxied by Apache. If the above
269
directory conventions have been followed so far, then your configuration
270
should be:
271

    
272
    CONFIG = {
273
          'mode': 'django',
274
          'working_dir': '/srv/flowspy',
275
          'args': (
276
               '--bind=127.0.0.1:8081',
277
               '--workers=1',
278
               '--worker-class=egg:gunicorn#gevent',
279
               '--timeout=30',
280
               '--debug',
281
               '--log-level=debug',
282
               '--log-file=/var/log/gunicorn/fod.log',
283
          ),
284
    }
285

    
286
celeryd
287
=======
288

    
289
Celery is used over beanstalkd to apply firewall rules in a serial
290
manner so that locks are avoided on the flowspec capable device. In our
291
setup celery runs via django. That is why the python-django-celery
292
package was installed.
293

    
294
Create the celeryd daemon at /etc/init.d/celeryd **if it does not
295
already exist**:
296

    
297
    vim /etc/init.d/celeryd
298

    
299
The configuration should be:
300

    
301
    #!/bin/sh -e
302
    # ============================================
303
    #  celeryd - Starts the Celery worker daemon.
304
    # ============================================
305
    #
306
    # :Usage: /etc/init.d/celeryd {start|stop|force-reload|restart|try-restart|status}
307
    # :Configuration file: /etc/default/celeryd
308
    #
309
    # See http://docs.celeryq.org/en/latest/cookbook/daemonizing.html#init-script-celeryd
310

    
311

    
312
    ### BEGIN INIT INFO
313
    # Provides:              celeryd
314
    # Required-Start:     $network $local_fs $remote_fs
315
    # Required-Stop:       $network $local_fs $remote_fs
316
    # Default-Start:       2 3 4 5
317
    # Default-Stop:        0 1 6
318
    # Short-Description: celery task worker daemon
319
    # Description:          Starts the Celery worker daemon for a single project.
320
    ### END INIT INFO
321

    
322
    #set -e
323

    
324
    DEFAULT_PID_FILE="/var/run/celery/%n.pid"
325
    DEFAULT_LOG_FILE="/var/log/celery/%n.log"
326
    DEFAULT_LOG_LEVEL="INFO"
327
    DEFAULT_NODES="celery"
328
    DEFAULT_CELERYD="-m celery.bin.celeryd_detach"
329
    ENABLED="false"
330

    
331
    [ -r "$CELERY_DEFAULTS" ] && . "$CELERY_DEFAULTS"
332

    
333
    [ -r /etc/default/celeryd ] && . /etc/default/celeryd
334

    
335
    if [ "$ENABLED" != "true" ]; then
336
          echo "celery daemon disabled - see /etc/default/celeryd."
337
          exit 0
338
    fi
339

    
340

    
341
    CELERYD_PID_FILE=${CELERYD_PID_FILE:-${CELERYD_PIDFILE:-$DEFAULT_PID_FILE}}
342
    CELERYD_LOG_FILE=${CELERYD_LOG_FILE:-${CELERYD_LOGFILE:-$DEFAULT_LOG_FILE}}
343
    CELERYD_LOG_LEVEL=${CELERYD_LOG_LEVEL:-${CELERYD_LOGLEVEL:-$DEFAULT_LOG_LEVEL}}
344
    CELERYD_MULTI=${CELERYD_MULTI:-"celeryd-multi"}
345
    CELERYD=${CELERYD:-$DEFAULT_CELERYD}
346
    CELERYCTL=${CELERYCTL:="celeryctl"}
347
    CELERYD_NODES=${CELERYD_NODES:-$DEFAULT_NODES}
348

    
349
    export CELERY_LOADER
350

    
351
    if [ -n "$2" ]; then
352
          CELERYD_OPTS="$CELERYD_OPTS $2"
353
    fi
354

    
355
    CELERYD_LOG_DIR=`dirname $CELERYD_LOG_FILE`
356
    CELERYD_PID_DIR=`dirname $CELERYD_PID_FILE`
357
    if [ ! -d "$CELERYD_LOG_DIR" ]; then
358
          mkdir -p $CELERYD_LOG_DIR
359
    fi
360
    if [ ! -d "$CELERYD_PID_DIR" ]; then
361
          mkdir -p $CELERYD_PID_DIR
362
    fi
363

    
364
    # Extra start-stop-daemon options, like user/group.
365
    if [ -n "$CELERYD_USER" ]; then
366
          DAEMON_OPTS="$DAEMON_OPTS --uid=$CELERYD_USER"
367
          chown "$CELERYD_USER" $CELERYD_LOG_DIR $CELERYD_PID_DIR
368
    fi
369
    if [ -n "$CELERYD_GROUP" ]; then
370
          DAEMON_OPTS="$DAEMON_OPTS --gid=$CELERYD_GROUP"
371
          chgrp "$CELERYD_GROUP" $CELERYD_LOG_DIR $CELERYD_PID_DIR
372
    fi
373

    
374
    if [ -n "$CELERYD_CHDIR" ]; then
375
          DAEMON_OPTS="$DAEMON_OPTS --workdir=\"$CELERYD_CHDIR\""
376
    fi
377

    
378

    
379
    check_dev_null() {
380
          if [ ! -c /dev/null ]; then
381
               echo "/dev/null is not a character device!"
382
               exit 1
383
          fi
384
    }
385

    
386

    
387
    export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
388

    
389

    
390
    stop_workers () {
391
          $CELERYD_MULTI stop $CELERYD_NODES --pidfile="$CELERYD_PID_FILE"
392
    }
393

    
394

    
395
    start_workers () {
396
          $CELERYD_MULTI start $CELERYD_NODES $DAEMON_OPTS           \
397
                                        --pidfile="$CELERYD_PID_FILE"        \
398
                                        --logfile="$CELERYD_LOG_FILE"        \
399
                                        --loglevel="$CELERYD_LOG_LEVEL"     \
400
                                        --cmd="$CELERYD"                           \
401
                                        $CELERYD_OPTS
402
    }
403

    
404

    
405
    restart_workers () {
406
          $CELERYD_MULTI restart $CELERYD_NODES $DAEMON_OPTS        \
407
                                           --pidfile="$CELERYD_PID_FILE"     \
408
                                           --logfile="$CELERYD_LOG_FILE"     \
409
                                           --loglevel="$CELERYD_LOG_LEVEL"  \
410
                                           --cmd="$CELERYD"                        \
411
                                           $CELERYD_OPTS
412
    }
413

    
414

    
415

    
416
    case "$1" in
417
          start)
418
               check_dev_null
419
               start_workers
420
          ;;
421

    
422
          stop)
423
               check_dev_null
424
               stop_workers
425
          ;;
426

    
427
          reload|force-reload)
428
               echo "Use restart"
429
          ;;
430

    
431
          status)
432
               $CELERYCTL status $CELERYCTL_OPTS
433
          ;;
434

    
435
          restart)
436
               check_dev_null
437
               restart_workers
438
          ;;
439

    
440
          try-restart)
441
               check_dev_null
442
               restart_workers
443
          ;;
444

    
445
          *)
446
               echo "Usage: /etc/init.d/celeryd {start|stop|restart|try-restart|kill}"
447
               exit 1
448
          ;;
449
    esac
450

    
451
    exit 0
452

    
453
celeryd configuration
454
=====================
455

    
456
celeryd requires a /etc/default/celeryd file to be in place. Thus we are
457
going to create this file (/etc/default/celeryd):
458

    
459
    vim /etc/default/celeryd
460

    
461
Again if the directory conventions have been followed the file is (pay
462
attention to the CELERYD\_USER, CELERYD\_GROUP and change accordingly) :
463

    
464
    # Default: false
465
    ENABLED="true"
466

    
467
    # Name of nodes to start, here we have a single node
468
    CELERYD_NODES="w1"
469
    # or we could have three nodes:
470
    #CELERYD_NODES="w1 w2 w3"
471

    
472
    # Where to chdir at start.
473
    CELERYD_CHDIR="/srv/flowspy"
474
    # How to call "manage.py celeryd_multi"
475
    CELERYD_MULTI="python $CELERYD_CHDIR/manage.py celeryd_multi"
476

    
477
    # How to call "manage.py celeryctl"
478
    CELERYCTL="python $CELERYD_CHDIR/manage.py celeryctl"
479

    
480
    # Extra arguments to celeryd
481
    #CELERYD_OPTS="--time-limit=300 --concurrency=8"
482
    CELERYD_OPTS="-E -B --schedule=/var/run/celery/celerybeat-schedule --concurrency=1 --soft-time-limit=180 --time-limit=1800"
483
    # Name of the celery config module.
484
    CELERY_CONFIG_MODULE="celeryconfig"
485

    
486
    # %n will be replaced with the nodename.
487
    CELERYD_LOG_FILE="/var/log/celery/fod_%n.log"
488
    CELERYD_PID_FILE="/var/run/celery/%n.pid"
489

    
490
    CELERYD_USER="root"
491
    CELERYD_GROUP="root"
492

    
493
    # Name of the projects settings module.
494
    export DJANGO_SETTINGS_MODULE="flowspy.settings"
495

    
496
Apache
497
======
498

    
499
Apache proxies gunicorn. Things are more flexible here as you may follow
500
your own configuration and conventions. Create and edit
501
/etc/apache2/sites-available/fod. You should set \<server\_name\> and
502
\<admin\_mail\> along with your certificates. If under testing
503
environment, you can use the provided snakeoil certs. If you do not
504
intent to use Shibboleth delete or comment the corresponding
505
configuration parts inside **Shibboleth configuration** :
506

    
507
    vim /etc/apache2/sites-available/fod
508

    
509
Again if the directory conventions have been followed the file should
510
be:
511

    
512
    <VirtualHost *:80>
513
        ServerAdmin webmaster@localhost
514
        ServerName  fod.example.com
515
        DocumentRoot /var/www
516

    
517
        ErrorLog ${APACHE_LOG_DIR}/fod_error.log
518

    
519
        # Possible values include: debug, info, notice, warn, error, crit,
520
        # alert, emerg.
521
        LogLevel debug
522

    
523
        CustomLog ${APACHE_LOG_DIR}/fod_access.log combined
524

    
525
        Alias /static       /srv/flowspy/static
526
          RewriteEngine On
527
          RewriteCond %{HTTPS} off
528
          RewriteRule ^/(.*) https://fod.example.com/$1 [L,R]
529
    </VirtualHost>
530

    
531
    <VirtualHost *:443>
532
        ServerName    fod.example.com
533
        ServerAdmin     webmaster@localhost
534
        ServerSignature        On
535

    
536
        SSLEngine on
537
        SSLCertificateFile    /etc/ssl/certs/fod.example.com.crt
538
        SSLCertificateChainFile /etc/ssl/certs/example-chain.pem
539
        SSLCertificateKeyFile    /etc/ssl/private/fod.example.com.key
540

    
541
        AddDefaultCharset UTF-8
542
        IndexOptions        +Charset=UTF-8
543

    
544
        ShibConfig       /etc/shibboleth/shibboleth2.xml
545
        Alias          /shibboleth-sp /usr/share/shibboleth
546

    
547

    
548
        <Location /login>
549
             AuthType shibboleth
550
             ShibRequireSession On
551
             ShibUseHeaders On
552
             ShibRequestSetting entityID https://idp.example.com/idp/shibboleth
553
             require valid-user
554
        </Location>
555

    
556
        # Shibboleth debugging CGI script
557
        ScriptAlias /shibboleth/test /usr/lib/cgi-bin/shibtest.cgi
558
        <Location /shibboleth/test>
559
             AuthType shibboleth
560
             ShibRequireSession On
561
             ShibUseHeaders On
562
             require valid-user
563
        </Location>
564

    
565
        <Location /Shibboleth.sso>
566
             SetHandler shib
567
        </Location>
568

    
569
        # Shibboleth SP configuration
570

    
571
        #SetEnv                       proxy-sendchunked
572

    
573
              <Proxy *>
574
               Order allow,deny
575
               Allow from all
576
               </Proxy>
577

    
578
               SSLProxyEngine           off
579
               ProxyErrorOverride     off
580
          ProxyTimeout     28800
581
             ProxyPass        /static !
582
             ProxyPass          /shibboleth !
583
             ProxyPass        /Shibboleth.sso !
584

    
585
               ProxyPass           / http://localhost:8081/ retry=0
586
               ProxyPassReverse / http://localhost:8081/
587

    
588
          Alias /static          /srv/flowspy/static
589

    
590
        LogLevel warn
591

    
592
Now, enable your site. You might want to disable the default site if fod
593
is the only site you host on your server:
594

    
595
    a2dissite default
596
    a2ensite fod
597

    
598
You are not far away from deploying FoD. When asked for a super user,
599
create one:
600

    
601
    cd /srv/flowspy
602
    python manage.py syncdb
603
    python manage.py migrate longerusername
604
    python manage.py migrate flowspec
605
    python manage.py migrate djcelery
606
    python manage.py migrate accounts
607
    python manage.py migrate
608

    
609
If you have not changed the values of the PEER\_\*\_TABLE variables to
610
False and thus you are going for a default installation (that is
611
PEER\_\*\_TABLE variables are set to True) , then run:
612

    
613
    python manage.py migrate peers
614

    
615
If however you have set the PEER\_\*\_TABLE variables to False and by
616
accident you have ran the command above, then you have to cleanup you
617
database manually by dropping the peer\* tables plus the techc\_email
618
table. For MySQL the command is:
619

    
620
    DROP TABLE `peer`, `peer_networks`, `peer_range`, `peer_techc_emails`, techc_email;
621

    
622
Restart, gunicorn and apache:
623

    
624
    service gunicorn restart && service apache2 restart
625

    
626
Propagate the flatpages
627
=======================
628

    
629
Inside the initial\_data/fixtures\_manual.xml file we have placed 4
630
flatpages (2 for Greek, 2 for English) with Information and Terms of
631
Service about the service. To import the flatpages, run from root
632
folder:
633

    
634
    python manage.py loaddata initial_data/fixtures_manual.xml
635

    
636
Testing the platform
637
====================
638

    
639
Log in to the admin interface via [https:\\/\\/][]\<hostname\>/admin. Go
640
to Peer ranges and add a new range (part of/or a complete subnet), eg.
641
10.20.0.0/19 Go to Peers and add a new peer, eg. id: 1, name: Test, AS:
642
16503, tag: TEST and move the network you have created from Avalable to
643
Chosen. From the admin front, go to User, and edit your user. From the
644
bottom of the page, select the TEST peer and save. Last but not least,
645
modify as required the existing (example.com) Site instance (admin
646
home-\>Sites). You are done. As you are logged-in via the admin, there
647
is no need to go through Shibboleth at this time. Go to
648
[https:\\/\\/][]\<hostname\>/ and create a new rule. Your rule should be
649
applied on the flowspec capable device after aprox. 10 seconds. If no
650
Shibboleth authentication is available, a
651
[https:\\/\\/][]\<hostname\>/altlogin is provided.
652

    
653
Branding
654
========
655

    
656
Via the admin interface you can modify flatpages to suit your needs
657

    
658
Footer
659
------
660

    
661
Under the templates folder (templates), you can alter the footer.html
662
file to include your own footer messages, badges, etc.
663

    
664
Welcome Page
665
------------
666

    
667
Under the templates folder (templates), you can alter the welcome page -
668
welcome.html with your own images, carousel, videos, etc.
669

    
670
Usage
671
======
672

    
673
Web interface
674
-------------------------
675
FoD comes with a web interface, in which one can edit and apply new routes.
676

    
677
Rest Api
678
--------------
679

    
680
There is a rest api available in /api/v1/. One can set new rules or see the applied ones by using it.
681

    
682

    
683