Firewall on Demand

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

  <head>

    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

    <title>Installation &mdash; fod 1.1.0 documentation</title>

    <link rel="stylesheet" href="_static/default.css" type="text/css" />

    <link rel="stylesheet" href="_static/pygments.css" type="text/css" />

    <script type="text/javascript">

      var DOCUMENTATION_OPTIONS = {

        URL_ROOT:    '',

        VERSION:     '1.1.0',

        COLLAPSE_INDEX: false,

        FILE_SUFFIX: '.html',

        HAS_SOURCE:  true

      };

    </script>

    <script type="text/javascript" src="_static/jquery.js"></script>

    <script type="text/javascript" src="_static/underscore.js"></script>

    <script type="text/javascript" src="_static/doctools.js"></script>

    <link rel="top" title="fod 1.1.0 documentation" href="index.html" />

    <link rel="prev" title="Firewall on Demand" href="index.html" /> 

  </head>

  <body>

    <div class="related">

      <h3>Navigation</h3>

      <ul>

        <li class="right" style="margin-right: 10px">

          <a href="genindex.html" title="General Index"

             accesskey="I">index</a></li>

        <li class="right" >

          <a href="index.html" title="Firewall on Demand"

             accesskey="P">previous</a> |</li>

        <li><a href="index.html">fod 1.1.0 documentation</a> &raquo;</li> 

      </ul>

    </div>  

    <div class="document">

      <div class="documentwrapper">

        <div class="bodywrapper">

          <div class="body">

  <div class="section" id="installation">

<h1>Installation<a class="headerlink" href="#installation" title="Permalink to this headline">¶</a></h1>

<div class="toctree-wrapper compound">

<ul class="simple">

</ul>

</div>

<div class="section" id="debian-wheezy-x64-django-1-4-x">

<h2>Debian Wheezy (x64) - Django 1.4.x<a class="headerlink" href="#debian-wheezy-x64-django-1-4-x" title="Permalink to this headline">¶</a></h2>

<p>This guide assumes that installation is carried out in /srv/flowspy directory. If other directory is to be used, please change the corresponding configuration files. It is also assumed that the root user will perform every action.</p>

<div class="section" id="upgrading-from-v-1-1-x">

<h3>Upgrading from v&lt;1.1.x<a class="headerlink" href="#upgrading-from-v-1-1-x" title="Permalink to this headline">¶</a></h3>

<div class="admonition note">

<p class="first admonition-title">Note</p>

<p>If PEER_*_TABLE tables are set to FALSE in settings.py, you need to perform the south migrations per application:</p>

<div class="last highlight-python"><pre>./manage.py migrate longerusername

./manage.py migrate flowspec

./manage.py migrate accounts</pre>

</div>

</div>

<p>If upgrading from flowspy version &lt;1.1.x pay attention to settings.py changes. Also, do not forget to run if PEER_*_TABLE tables are set to TRUE in settings.py:</p>

<div class="highlight-python"><pre>./manage.py migrate</pre>

</div>

<p>to catch-up with latest database changes.</p>

</div>

<div class="section" id="upgrading-from-v-1-0-x">

<h3>Upgrading from v&lt;1.0.x<a class="headerlink" href="#upgrading-from-v-1-0-x" title="Permalink to this headline">¶</a></h3>

<p>If upgrading from flowspy version &lt;1.0.x pay attention to settings.py changes. Also, do not forget to run:</p>

<div class="highlight-python"><pre>./manage.py migrate</pre>

</div>

<p>to catch-up with latest database changes.</p>

</div>

<div class="section" id="required-system-packages">

<h3>Required system packages<a class="headerlink" href="#required-system-packages" title="Permalink to this headline">¶</a></h3>

<p>Update and install the required packages:</p>

<div class="highlight-python"><pre>apt-get update

apt-get upgrade

apt-get install mysql-server apache2 memcached libapache2-mod-proxy-html gunicorn beanstalkd python-django python-django-south python-django-tinymce tinymce python-mysqldb python-yaml python-memcache python-django-registration python-ipaddr python-lxml mysql-client git python-django-celery python-paramiko python-gevent vim</pre>

</div>

<div class="admonition note">

<p class="first admonition-title">Note</p>

<p class="last">Set username and password for mysql if used</p>

</div>

<div class="admonition note">

<p class="first admonition-title">Note</p>

<p class="last">If you wish to deploy an outgoing mail server, now it is time to do it. Otherwise you could set FoD to send out mails via a third party account</p>

</div>

</div>

<div class="section" id="create-a-database">

<h3>Create a database<a class="headerlink" href="#create-a-database" title="Permalink to this headline">¶</a></h3>

<p>If you are using mysql, you should create a database:</p>

<div class="highlight-python"><pre>mysql -u root -p -e 'create database fod'</pre>

</div>

</div>

<div class="section" id="required-application-packages">

<h3>Required application packages<a class="headerlink" href="#required-application-packages" title="Permalink to this headline">¶</a></h3>

<p>Get the required packages and their dependencies and install them:</p>

<div class="highlight-python"><pre>apt-get install libxml2-dev libxslt-dev gcc python-dev</pre>

</div>

<ul>

<li><p class="first">ncclient: NETCONF python client:</p>

<div class="highlight-python"><pre>cd ~

git clone https://github.com/leopoul/ncclient.git

cd ncclient

python setup.py install</pre>

</div>

</li>

<li><p class="first">nxpy: Python Objects from/to XML proxy:</p>

<div class="highlight-python"><pre>cd ~

git clone https://code.grnet.gr/git/nxpy

cd nxpy

python setup.py install</pre>

</div>

</li>

<li><p class="first">flowspy: core application. Installation is done at /srv/flowspy:</p>

<div class="highlight-python"><pre>cd /srv

git clone https://code.grnet.gr/git/flowspy

cd flowspy</pre>

</div>

</li>

</ul>

</div>

</div>

<div class="section" id="application-configuration">

<h2>Application configuration<a class="headerlink" href="#application-configuration" title="Permalink to this headline">¶</a></h2>

<p>Copy settings.py.dist to settings.py:</p>

<div class="highlight-python"><pre>cd flowspy

cp settings.py.dist settings.py</pre>

</div>

<p>Edit settings.py file and set the following according to your configuration:</p>

<div class="highlight-python"><pre>ADMINS: set your admin name and email (assuming that your server can send notifications)

DATABASES (to point to your local database). You could use views instead of tables for models: peer, peercontacts, peernetworks. For this to work we suggest MySQL with MyISAM db engine

SECRET_KEY : Make this unique, and don't share it with anybody

STATIC_ROOT: /srv/flowspy/static (or your installation directory)

STATIC_URL (static media directory) . If you have followed the above this should be: /srv/flowspy/static

TEMPLATE_DIRS : If you have followed the above this should be: /srv/flowspy/templates

CACHE_BACKEND:  Enable Memcached for production or leave to DummyCache for development environments

Alternatively you could go for redis with the corresponding Django client lib.

NETCONF_DEVICE (tested with Juniper EX4200 but any BGP enabled Juniper should work). This is the flowspec capable device

NETCONF_USER (enable ssh and netconf on device)

NETCONF_PASS

If beanstalk is selected the following should be left intact.

BROKER_HOST (beanstalk host)

BROKER_PORT (beanstalk port)

SERVER_EMAIL

EMAIL_SUBJECT_PREFIX

If beanstalk is selected the following should be left intact.

BROKER_URL (beanstalk url)

SHIB_AUTH_ENTITLEMENT (if you go for Shibboleth authentication)

NOTIFY_ADMIN_MAILS (bcc mail addresses)

PROTECTED_SUBNETS (subnets for which source or destination address will prevent rule creation and notify the NOTIFY_ADMIN_MAILS)

The whois client is meant to be used in case you have inserted peers with their ASes in the peers table and wish to get network info for each one in an automated manner.

PRIMARY_WHOIS

ALTERNATE_WHOIS

If you wish to deploy FoD with Shibboleth change the following attributes according to your setup:

SHIB_AUTH_ENTITLEMENT = 'urn:mace'

SHIB_ADMIN_DOMAIN = 'example.com'

SHIB_LOGOUT_URL = 'https://example.com/Shibboleth.sso/Logout'

SHIB_USERNAME = ['HTTP_EPPN']

SHIB_MAIL = ['mail', 'HTTP_MAIL', 'HTTP_SHIB_INETORGPERSON_MAIL']

SHIB_FIRSTNAME = ['HTTP_SHIB_INETORGPERSON_GIVENNAME']

SHIB_LASTNAME = ['HTTP_SHIB_PERSON_SURNAME']

SHIB_ENTITLEMENT = ['HTTP_SHIB_EP_ENTITLEMENT']</pre>

</div>

<p>If you have not installed an outgoing mail server you can always use your own account (either corporate or gmail, hotmail ,etc) by adding the following lines in settings.py:</p>

<div class="highlight-python"><div class="highlight"><pre><span class="n">EMAIL_USE_TLS</span> <span class="o">=</span> <span class="bp">True</span> <span class="c">#(or False)</span>

<span class="n">EMAIL_HOST</span> <span class="o">=</span> <span class="s">&#39;smtp.example.com&#39;</span>

<span class="n">EMAIL_HOST_USER</span> <span class="o">=</span> <span class="s">&#39;username&#39;</span>

<span class="n">EMAIL_HOST_PASSWORD</span> <span class="o">=</span> <span class="s">&#39;yourpassword&#39;</span>

<span class="n">EMAIL_PORT</span> <span class="o">=</span> <span class="mi">587</span> <span class="c">#(outgoing)</span>

</pre></div>

</div>

<p>It is strongly advised that you do not change the following to False values unless, you want to integrate FoD with you CRM or members database. This implies that you are able/have the rights to create database views between the two databases:</p>

<div class="highlight-python"><div class="highlight"><pre><span class="n">PEER_MANAGED_TABLE</span> <span class="o">=</span> <span class="bp">True</span>

<span class="n">PEER_RANGE_MANAGED_TABLE</span> <span class="o">=</span> <span class="bp">True</span>

<span class="n">PEER_TECHC_MANAGED_TABLE</span> <span class="o">=</span> <span class="bp">True</span>

</pre></div>

</div>

<p>By doing that the corresponding tables as defined in peers/models will not be created. As noted above, you have to create the views that the tables will rely on.</p>

<div class="admonition note">

<p class="first admonition-title">Note</p>

<p class="last">Soon we will release a version with django-registration as a means to add users and Shibboleth will become an alternative</p>

</div>

<p>Let&#8217;s move on with some copies and dir creations:</p>

<div class="highlight-python"><pre>mkdir /var/log/fod

chown www-data.www-data /var/log/fod

cp urls.py.dist urls.py

cd ..</pre>

</div>

<div class="admonition note">

<p class="first admonition-title">Note</p>

<p class="last">LOG_FILE_LOCATION in settings.py is set to <strong>/var/log/fod</strong>. Adjust the chown command above to your selected dir.</p>

</div>

</div>

<div class="section" id="system-configuration">

<h2>System configuration<a class="headerlink" href="#system-configuration" title="Permalink to this headline">¶</a></h2>

<p>Apache operates as a gunicorn Proxy with WSGI and Shibboleth modules enabled.

Depending on the setup the apache configuration may vary:</p>

<div class="highlight-python"><pre>a2enmod rewrite

a2enmod proxy

a2enmod ssl

a2enmod proxy_http</pre>

</div>

<p>If shibboleth is to be used:</p>

<div class="highlight-python"><pre>apt-get install libapache2-mod-shib2

a2enmod shib2</pre>

</div>

<p>Now it is time to configure beanstalk, gunicorn, celery and apache.</p>

<div class="section" id="beanstalkd">

<h3>beanstalkd<a class="headerlink" href="#beanstalkd" title="Permalink to this headline">¶</a></h3>

<p>Enable beanstalk by editting /etc/default/beanstalkd:</p>

<div class="highlight-python"><div class="highlight"><pre><span class="n">vim</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">default</span><span class="o">/</span><span class="n">beanstalkd</span>

</pre></div>

</div>

<p>Uncomment the line <strong>START=yes</strong> to enable beanstalk</p>

<p>Start beanstalkd:</p>

<div class="highlight-python"><pre>service beanstalkd start</pre>

</div>

</div>

<div class="section" id="gunicorn-d">

<h3>gunicorn.d<a class="headerlink" href="#gunicorn-d" title="Permalink to this headline">¶</a></h3>

<p>Create and edit /etc/gunicorn.d/fod:</p>

<div class="highlight-python"><div class="highlight"><pre><span class="n">vim</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gunicorn</span><span class="o">.</span><span class="n">d</span><span class="o">/</span><span class="n">fod</span>

</pre></div>

</div>

<p>FoD is served via gunicorn and is then proxied by Apache. If the above directory conventions have been followed so far, then your configuration should be:</p>

<div class="highlight-python"><div class="highlight"><pre><span class="n">CONFIG</span> <span class="o">=</span> <span class="p">{</span>

      <span class="s">&#39;mode&#39;</span><span class="p">:</span> <span class="s">&#39;django&#39;</span><span class="p">,</span>

      <span class="s">&#39;working_dir&#39;</span><span class="p">:</span> <span class="s">&#39;/srv/flowspy&#39;</span><span class="p">,</span>

      <span class="s">&#39;args&#39;</span><span class="p">:</span> <span class="p">(</span>

           <span class="s">&#39;--bind=127.0.0.1:8081&#39;</span><span class="p">,</span>

           <span class="s">&#39;--workers=1&#39;</span><span class="p">,</span>

           <span class="s">&#39;--worker-class=egg:gunicorn#gevent&#39;</span><span class="p">,</span>

           <span class="s">&#39;--timeout=30&#39;</span><span class="p">,</span>

           <span class="s">&#39;--debug&#39;</span><span class="p">,</span>

           <span class="s">&#39;--log-level=debug&#39;</span><span class="p">,</span>

           <span class="s">&#39;--log-file=/var/log/gunicorn/fod.log&#39;</span><span class="p">,</span>

      <span class="p">),</span>

<span class="p">}</span>

</pre></div>

</div>

</div>

<div class="section" id="celeryd">

<h3>celeryd<a class="headerlink" href="#celeryd" title="Permalink to this headline">¶</a></h3>

<p>Celery is used over beanstalkd to apply firewall rules in a serial manner so that locks are avoided on the flowspec capable device. In our setup celery runs via django. That is why the python-django-celery package was installed.</p>

<p>Create the celeryd daemon at /etc/init.d/celeryd <strong>if it does not already exist</strong>:</p>

<div class="highlight-python"><div class="highlight"><pre><span class="n">vim</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">init</span><span class="o">.</span><span class="n">d</span><span class="o">/</span><span class="n">celeryd</span>

</pre></div>

</div>

<p>The configuration should be:</p>

<div class="highlight-python"><pre>#!/bin/sh -e

# ============================================

#  celeryd - Starts the Celery worker daemon.

# ============================================

#

# :Usage: /etc/init.d/celeryd {start|stop|force-reload|restart|try-restart|status}

# :Configuration file: /etc/default/celeryd

#

# See http://docs.celeryq.org/en/latest/cookbook/daemonizing.html#init-script-celeryd

### BEGIN INIT INFO

# Provides:              celeryd

# Required-Start:     $network $local_fs $remote_fs

# Required-Stop:       $network $local_fs $remote_fs

# Default-Start:       2 3 4 5

# Default-Stop:        0 1 6

# Short-Description: celery task worker daemon

# Description:          Starts the Celery worker daemon for a single project.

### END INIT INFO

#set -e

DEFAULT_PID_FILE="/var/run/celery/%n.pid"

DEFAULT_LOG_FILE="/var/log/celery/%n.log"

DEFAULT_LOG_LEVEL="INFO"

DEFAULT_NODES="celery"

DEFAULT_CELERYD="-m celery.bin.celeryd_detach"

ENABLED="false"

[ -r "$CELERY_DEFAULTS" ] && . "$CELERY_DEFAULTS"

[ -r /etc/default/celeryd ] && . /etc/default/celeryd

if [ "$ENABLED" != "true" ]; then

      echo "celery daemon disabled - see /etc/default/celeryd."

      exit 0

fi

CELERYD_PID_FILE=${CELERYD_PID_FILE:-${CELERYD_PIDFILE:-$DEFAULT_PID_FILE}}

CELERYD_LOG_FILE=${CELERYD_LOG_FILE:-${CELERYD_LOGFILE:-$DEFAULT_LOG_FILE}}

CELERYD_LOG_LEVEL=${CELERYD_LOG_LEVEL:-${CELERYD_LOGLEVEL:-$DEFAULT_LOG_LEVEL}}

CELERYD_MULTI=${CELERYD_MULTI:-"celeryd-multi"}

CELERYD=${CELERYD:-$DEFAULT_CELERYD}

CELERYCTL=${CELERYCTL:="celeryctl"}

CELERYD_NODES=${CELERYD_NODES:-$DEFAULT_NODES}

export CELERY_LOADER

if [ -n "$2" ]; then

      CELERYD_OPTS="$CELERYD_OPTS $2"

fi

CELERYD_LOG_DIR=`dirname $CELERYD_LOG_FILE`

CELERYD_PID_DIR=`dirname $CELERYD_PID_FILE`

if [ ! -d "$CELERYD_LOG_DIR" ]; then

      mkdir -p $CELERYD_LOG_DIR

fi

if [ ! -d "$CELERYD_PID_DIR" ]; then

      mkdir -p $CELERYD_PID_DIR

fi

# Extra start-stop-daemon options, like user/group.

if [ -n "$CELERYD_USER" ]; then

      DAEMON_OPTS="$DAEMON_OPTS --uid=$CELERYD_USER"

      chown "$CELERYD_USER" $CELERYD_LOG_DIR $CELERYD_PID_DIR

fi

if [ -n "$CELERYD_GROUP" ]; then

      DAEMON_OPTS="$DAEMON_OPTS --gid=$CELERYD_GROUP"

      chgrp "$CELERYD_GROUP" $CELERYD_LOG_DIR $CELERYD_PID_DIR

fi

if [ -n "$CELERYD_CHDIR" ]; then

      DAEMON_OPTS="$DAEMON_OPTS --workdir=\"$CELERYD_CHDIR\""

fi

check_dev_null() {

      if [ ! -c /dev/null ]; then

           echo "/dev/null is not a character device!"

           exit 1

      fi

}

export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"

stop_workers () {

      $CELERYD_MULTI stop $CELERYD_NODES --pidfile="$CELERYD_PID_FILE"

}

start_workers () {

      $CELERYD_MULTI start $CELERYD_NODES $DAEMON_OPTS           \

                                    --pidfile="$CELERYD_PID_FILE"        \

                                    --logfile="$CELERYD_LOG_FILE"        \

                                    --loglevel="$CELERYD_LOG_LEVEL"     \

                                    --cmd="$CELERYD"                           \

                                    $CELERYD_OPTS

}

restart_workers () {

      $CELERYD_MULTI restart $CELERYD_NODES $DAEMON_OPTS        \

                                       --pidfile="$CELERYD_PID_FILE"     \

                                       --logfile="$CELERYD_LOG_FILE"     \

                                       --loglevel="$CELERYD_LOG_LEVEL"  \

                                       --cmd="$CELERYD"                        \

                                       $CELERYD_OPTS

}

case "$1" in

      start)

           check_dev_null

           start_workers

      ;;

      stop)

           check_dev_null

           stop_workers

      ;;

      reload|force-reload)

           echo "Use restart"

      ;;

      status)

           $CELERYCTL status $CELERYCTL_OPTS

      ;;

      restart)

           check_dev_null

           restart_workers

      ;;

      try-restart)

           check_dev_null

           restart_workers

      ;;

      *)

           echo "Usage: /etc/init.d/celeryd {start|stop|restart|try-restart|kill}"

           exit 1

      ;;

esac

exit 0</pre>

</div>

</div>

<div class="section" id="celeryd-configuration">

<h3>celeryd configuration<a class="headerlink" href="#celeryd-configuration" title="Permalink to this headline">¶</a></h3>

<p>celeryd requires a /etc/default/celeryd file to be in place.

Thus we are going to create this file (/etc/default/celeryd):</p>

<div class="highlight-python"><div class="highlight"><pre><span class="n">vim</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">default</span><span class="o">/</span><span class="n">celeryd</span>

</pre></div>

</div>

<p>Again if the directory conventions have been followed the file is (pay attention to the CELERYD_USER, CELERYD_GROUP and change accordingly)</p>

<div class="highlight-python"><pre># Default: false

ENABLED="true"

# Name of nodes to start, here we have a single node

CELERYD_NODES="w1"

# or we could have three nodes:

#CELERYD_NODES="w1 w2 w3"

# Where to chdir at start.

CELERYD_CHDIR="/srv/flowspy"

# How to call "manage.py celeryd_multi"

CELERYD_MULTI="python $CELERYD_CHDIR/manage.py celeryd_multi"

# How to call "manage.py celeryctl"

CELERYCTL="python $CELERYD_CHDIR/manage.py celeryctl"

# Extra arguments to celeryd

#CELERYD_OPTS="--time-limit=300 --concurrency=8"

CELERYD_OPTS="-E -B --schedule=/var/run/celery/celerybeat-schedule --concurrency=1 --soft-time-limit=180 --time-limit=1800"

# Name of the celery config module.

CELERY_CONFIG_MODULE="celeryconfig"

# %n will be replaced with the nodename.

CELERYD_LOG_FILE="/var/log/celery/fod_%n.log"

CELERYD_PID_FILE="/var/run/celery/%n.pid"

CELERYD_USER="root"

CELERYD_GROUP="root"

# Name of the projects settings module.

export DJANGO_SETTINGS_MODULE="flowspy.settings"</pre>

</div>

</div>

<div class="section" id="apache">

<h3>Apache<a class="headerlink" href="#apache" title="Permalink to this headline">¶</a></h3>

<p>Apache proxies gunicorn. Things are more flexible here as you may follow your own configuration and conventions. Create and edit /etc/apache2/sites-available/fod. You should set &lt;server_name&gt; and &lt;admin_mail&gt; along with your certificates. If under testing environment, you can use the provided snakeoil certs. If you do not intent to use Shibboleth delete or comment the corresponding configuration parts inside <strong>Shibboleth configuration</strong></p>

<div class="highlight-python"><div class="highlight"><pre><span class="n">vim</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">apache2</span><span class="o">/</span><span class="n">sites</span><span class="o">-</span><span class="n">available</span><span class="o">/</span><span class="n">fod</span>

</pre></div>

</div>

<p>Again if the directory conventions have been followed the file should be:</p>

<div class="highlight-python"><pre>&lt;VirtualHost *:80&gt;

    ServerAdmin webmaster@localhost

    ServerName  fod.example.com

    DocumentRoot /var/www

    ErrorLog ${APACHE_LOG_DIR}/fod_error.log

    # Possible values include: debug, info, notice, warn, error, crit,

    # alert, emerg.

    LogLevel debug

    CustomLog ${APACHE_LOG_DIR}/fod_access.log combined

    Alias /static       /srv/flowspy/static

      RewriteEngine On

      RewriteCond %{HTTPS} off

      RewriteRule ^/(.*) https://fod.example.com/$1 [L,R]

</VirtualHost>

<VirtualHost *:443>

    ServerName    fod.example.com

    ServerAdmin     webmaster@localhost

    ServerSignature        On

    SSLEngine on

    SSLCertificateFile    /etc/ssl/certs/fod.example.com.crt

    SSLCertificateChainFile /etc/ssl/certs/example-chain.pem

    SSLCertificateKeyFile    /etc/ssl/private/fod.example.com.key

    AddDefaultCharset UTF-8

    IndexOptions        +Charset=UTF-8

    ShibConfig       /etc/shibboleth/shibboleth2.xml

    Alias          /shibboleth-sp /usr/share/shibboleth

    <Location /login>

         AuthType shibboleth

         ShibRequireSession On

         ShibUseHeaders On

         ShibRequestSetting entityID https://idp.example.com/idp/shibboleth

         require valid-user

    </Location>

    # Shibboleth debugging CGI script

    ScriptAlias /shibboleth/test /usr/lib/cgi-bin/shibtest.cgi

    <Location /shibboleth/test>

         AuthType shibboleth

         ShibRequireSession On

         ShibUseHeaders On

         require valid-user

    </Location>

    <Location /Shibboleth.sso>

         SetHandler shib

    </Location>

    # Shibboleth SP configuration

    #SetEnv                       proxy-sendchunked

          <Proxy *>

           Order allow,deny

           Allow from all

           </Proxy>

           SSLProxyEngine           off

           ProxyErrorOverride     off

      ProxyTimeout     28800

         ProxyPass        /static !

         ProxyPass          /shibboleth !

         ProxyPass        /Shibboleth.sso !

           ProxyPass           / http://localhost:8081/ retry=0

           ProxyPassReverse / http://localhost:8081/

      Alias /static          /srv/flowspy/static

    LogLevel warn

    ErrorLog ${APACHE_LOG_DIR}/fod_error.log

      CustomLog ${APACHE_LOG_DIR}/fod_access.log combined

&lt;/VirtualHost&gt;</pre>

</div>

<p>Now, enable your site. You might want to disable the default site if fod is the only site you host on your server:</p>

<div class="highlight-python"><pre>a2dissite default

a2ensite fod</pre>

</div>

<p>You are not far away from deploying FoD. When asked for a super user, create one:</p>

<div class="highlight-python"><pre>cd /srv/flowspy

python manage.py syncdb

python manage.py migrate longerusername

python manage.py migrate flowspec

python manage.py migrate djcelery

python manage.py migrate accounts</pre>

</div>

<p>If you have not changed the values of the PEER_*_TABLE variables to False and thus you are going for a default installation (that is PEER_*_TABLE variables are set to True) , then run:</p>

<div class="highlight-python"><pre>python manage.py migrate peers</pre>

</div>

<p>If however you have set the PEER_*_TABLE variables to False and by accident you have ran the command above, then you have to cleanup you database manually by dropping the peer* tables plus the techc_email table. For MySQL the command is:</p>

<div class="highlight-python"><pre>DROP TABLE `peer`, `peer_networks`, `peer_range`, `peer_techc_emails`, techc_email;</pre>

</div>

<p>Restart, gunicorn and apache:</p>

<div class="highlight-python"><pre>service gunicorn restart &amp;&amp; service apache2 restart</pre>

</div>

</div>

</div>

<div class="section" id="propagate-the-flatpages">

<h2>Propagate the flatpages<a class="headerlink" href="#propagate-the-flatpages" title="Permalink to this headline">¶</a></h2>

<p>Inside the initial_data/fixtures_manual.xml file we have placed 4 flatpages (2 for Greek, 2 for English) with Information and Terms of Service about the service.

To import the flatpages, run from root folder:</p>

<div class="highlight-python"><pre>python manage.py loaddata initial_data/fixtures_manual.xml</pre>

</div>

</div>

<div class="section" id="testing-the-platform">

<h2>Testing the platform<a class="headerlink" href="#testing-the-platform" title="Permalink to this headline">¶</a></h2>

<p>Log in to the admin interface via <a class="reference external" href="https:/">https:/</a>/&lt;hostname&gt;/admin. Go to Peer ranges and add a new range (part of/or a complete subnet), eg. 10.20.0.0/19

Go to Peers and add a new peer, eg. id: 1, name: Test, AS: 16503, tag: TEST and move the network you have created from Avalable to Chosen. From the admin front, go to User, and edit your user. From the bottom of the page, select the TEST peer and save.

Last but not least, modify as required the existing (example.com) Site instance (admin home-&gt;Sites). You are done. As you are logged-in via the admin, there is no need to go through Shibboleth at this time. Go to <a class="reference external" href="https:/">https:/</a>/&lt;hostname&gt;/ and create a new rule. Your rule should be applied on the flowspec capable device after aprox. 10 seconds. If no Shibboleth authentication is available, a <a class="reference external" href="https:/">https:/</a>/&lt;hostname&gt;/altlogin is provided.</p>

</div>

<div class="section" id="branding">

<h2>Branding<a class="headerlink" href="#branding" title="Permalink to this headline">¶</a></h2>

<p>Via the admin interface you can modify flatpages to suit your needs</p>

<div class="section" id="footer">

<h3>Footer<a class="headerlink" href="#footer" title="Permalink to this headline">¶</a></h3>

<p>Under the templates folder (templates), you can alter the footer.html file to include your own footer messages, badges, etc.</p>

</div>

<div class="section" id="welcome-page">

<h3>Welcome Page<a class="headerlink" href="#welcome-page" title="Permalink to this headline">¶</a></h3>

<p>Under the templates folder (templates), you can alter the welcome page - welcome.html with your own images, carousel, videos, etc.</p>

</div>

</div>

</div>

          </div>

        </div>

      </div>

      <div class="sphinxsidebar">

        <div class="sphinxsidebarwrapper">

  <h3><a href="index.html">Table Of Contents</a></h3>

  <ul>

<li><a class="reference internal" href="#">Installation</a><ul>

<li><a class="reference internal" href="#debian-wheezy-x64-django-1-4-x">Debian Wheezy (x64) - Django 1.4.x</a><ul>

<li><a class="reference internal" href="#upgrading-from-v-1-1-x">Upgrading from v&lt;1.1.x</a></li>

<li><a class="reference internal" href="#upgrading-from-v-1-0-x">Upgrading from v&lt;1.0.x</a></li>

<li><a class="reference internal" href="#required-system-packages">Required system packages</a></li>

<li><a class="reference internal" href="#create-a-database">Create a database</a></li>

<li><a class="reference internal" href="#required-application-packages">Required application packages</a></li>

</ul>

</li>

<li><a class="reference internal" href="#application-configuration">Application configuration</a></li>

<li><a class="reference internal" href="#system-configuration">System configuration</a><ul>

<li><a class="reference internal" href="#beanstalkd">beanstalkd</a></li>

<li><a class="reference internal" href="#gunicorn-d">gunicorn.d</a></li>

<li><a class="reference internal" href="#celeryd">celeryd</a></li>

<li><a class="reference internal" href="#celeryd-configuration">celeryd configuration</a></li>

<li><a class="reference internal" href="#apache">Apache</a></li>

</ul>

</li>

<li><a class="reference internal" href="#propagate-the-flatpages">Propagate the flatpages</a></li>

<li><a class="reference internal" href="#testing-the-platform">Testing the platform</a></li>

<li><a class="reference internal" href="#branding">Branding</a><ul>

<li><a class="reference internal" href="#footer">Footer</a></li>

<li><a class="reference internal" href="#welcome-page">Welcome Page</a></li>

</ul>

</li>

</ul>

</li>

</ul>

  <h4>Previous topic</h4>

  <p class="topless"><a href="index.html"

                        title="previous chapter">Firewall on Demand</a></p>

  <h3>This Page</h3>

  <ul class="this-page-menu">

    <li><a href="_sources/install.txt"

           rel="nofollow">Show Source</a></li>

  </ul>

<div id="searchbox" style="display: none">

  <h3>Quick search</h3>

    <form class="search" action="search.html" method="get">

      <input type="text" name="q" />

      <input type="submit" value="Go" />

      <input type="hidden" name="check_keywords" value="yes" />

      <input type="hidden" name="area" value="default" />

    </form>

    <p class="searchtip" style="font-size: 90%">

    Enter search terms or a module, class or function name.

    </p>

</div>

<script type="text/javascript">$('#searchbox').show(0);</script>

        </div>

      </div>

      <div class="clearer"></div>

    </div>

    <div class="related">

      <h3>Navigation</h3>

      <ul>

        <li class="right" style="margin-right: 10px">

          <a href="genindex.html" title="General Index"

             >index</a></li>

        <li class="right" >

          <a href="index.html" title="Firewall on Demand"

             >previous</a> |</li>

        <li><a href="index.html">fod 1.1.0 documentation</a> &raquo;</li> 

      </ul>

    </div>

    <div class="footer">

        © Copyright 2014, Leonidas Poulopoulos (@leopoul), GRNET S.A.

      Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.1.3.

    </div>

  </body>

</html>