

Proxy setup to allow/deny specific URLs for BusinessVM
Signed-off-by: Enes Öztürk <[email protected]>
enesoztrk committed Oct 1, 2024
1 parent 501e1ce commit cbb9edb
Showing 4 changed files with 179 additions and 254 deletions.
367 changes: 113 additions & 254 deletions modules/reference/appvms/business.nix
@@ -1,272 +1,131 @@
# Copyright 2024 TII (SSRC) and the Ghaf contributors
# SPDX-License-Identifier: Apache-2.0
#
{
pkgs,
config,
lib,
...
}:
{ pkgs, config, lib, ... }:
let
#TODO: Move this to a common place
xdgPdfPort = 1200;
name = "business";
in
{

in {
name = "${name}";
packages =
let
# PDF XDG handler is executed when the user opens a PDF file in the browser
# The xdgopenpdf script sends a command to the guivm with the file path over TCP connection
xdgPdfItem = pkgs.makeDesktopItem {
name = "ghaf-pdf";
desktopName = "Ghaf PDF handler";
exec = "${xdgOpenPdf}/bin/xdgopenpdf %u";
mimeTypes = [ "application/pdf" ];
};
xdgOpenPdf = pkgs.writeShellScriptBin "xdgopenpdf" ''
filepath=$(/run/current-system/sw/bin/realpath "$1")
echo "Opening $filepath" | systemd-cat -p info
echo $filepath | ${pkgs.netcat}/bin/nc -N gui-vm ${toString xdgPdfPort}
'';
in
[
pkgs.chromium
pkgs.xdg-utils
xdgPdfItem
xdgOpenPdf
pkgs.globalprotect-openconnect
pkgs.openconnect
pkgs.nftables
];
packages = let
# PDF XDG handler is executed when the user opens a PDF file in the browser
# The xdgopenpdf script sends a command to the guivm with the file path over TCP connection
xdgPdfItem = pkgs.makeDesktopItem {
name = "ghaf-pdf";
desktopName = "Ghaf PDF handler";
exec = "${xdgOpenPdf}/bin/xdgopenpdf %u";
mimeTypes = [ "application/pdf" ];
};
xdgOpenPdf = pkgs.writeShellScriptBin "xdgopenpdf" ''
filepath=$(/run/current-system/sw/bin/realpath "$1")
echo "Opening $filepath" | systemd-cat -p info
echo $filepath | ${pkgs.netcat}/bin/nc -N gui-vm ${toString xdgPdfPort}
'';
in [
pkgs.chromium
pkgs.pulseaudio
pkgs.xdg-utils
xdgPdfItem
xdgOpenPdf
pkgs.globalprotect-openconnect
pkgs.openconnect
pkgs.tcpdump
];
# TODO create a repository of mac addresses to avoid conflicts
macAddress = "02:00:00:03:10:01";
ramMb = 6144;
cores = 4;
extraModules = [
{
imports = [ ../programs/chromium.nix ];
time.timeZone = config.time.timeZone;

microvm = {
qemu.extraArgs = lib.optionals (
config.ghaf.hardware.usb.internal.enable
&& (lib.hasAttr "cam0" config.ghaf.hardware.usb.internal.qemuExtraArgs)
) config.ghaf.hardware.usb.internal.qemuExtraArgs.cam0;
devices = [ ];
};

ghaf.givc.appvm = {
enable = true;
name = lib.mkForce "business-vm";
applications = lib.mkForce ''
{
"chromium": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland ${config.ghaf.givc.idsExtraArgs}",
"outlook": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://outlook.office.com/mail/ ${config.ghaf.givc.idsExtraArgs}",
"office": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://microsoft365.com ${config.ghaf.givc.idsExtraArgs}",
"teams": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://teams.microsoft.com ${config.ghaf.givc.idsExtraArgs}",
"gpclient": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/gpclient -platform wayland"
}'';
};

ghaf.reference.programs.chromium.enable = true;

# Set default PDF XDG handler
xdg.mime.defaultApplications."application/pdf" = "ghaf-pdf.desktop";
extraModules = [{
imports = [ ../programs/chromium.nix ];
# Enable pulseaudio for Chromium VM
security.rtkit.enable = true;
users.extraUsers.ghaf.extraGroups = [ "audio" "video" ];

hardware.pulseaudio = {
enable = true;
extraConfig = ''
load-module module-tunnel-sink-new sink_name=business-speaker server=audio-vm:4713 reconnect_interval_ms=1000
load-module module-tunnel-source-new source_name=business-mic server=audio-vm:4713 reconnect_interval_ms=1000
'';
package = pkgs.pulseaudio-ghaf;
};

time.timeZone = config.time.timeZone;

microvm = {
qemu.extraArgs = lib.optionals (config.ghaf.hardware.usb.internal.enable
&& (lib.hasAttr "cam0" config.ghaf.hardware.usb.internal.qemuExtraArgs))
config.ghaf.hardware.usb.internal.qemuExtraArgs.cam0;
devices = [ ];
};

ghaf.givc.appvm = {
enable = true;
name = lib.mkForce "business-vm";
applications = lib.mkForce ''
{
"chromium": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland",
"outlook": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://outlook.office.com/mail/",
"office": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://microsoft365.com",
"teams": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://teams.microsoft.com",
"gpclient": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/gpclient -platform wayland"
}'';
};

ghaf.reference.programs.chromium.enable = true;
# Set default PDF XDG handler
xdg.mime.defaultApplications."application/pdf" = "ghaf-pdf.desktop";

# TODO: Add a way to configure the gpclient
# also check the openconnect cli options https://discourse.nixos.org/t/globalprotect-vpn/24014/5
services.globalprotect = {
enable = true;
csdWrapper = "${pkgs.openconnect}/libexec/openconnect/hipreport.sh";
};

#Firewall Settings
networking = {
firewall.enable = true;
proxy = {
httpProxy = "http://192.168.100.1:3128";
httpsProxy = "http://192.168.100.1:3128";
noProxy = "192.168.101.10,192.168.100.10";

# TODO: Add a way to configure the gpclient
# also check the openconnect cli options https://discourse.nixos.org/t/globalprotect-vpn/24014/5
services.globalprotect = {
enable = true;
csdWrapper = "${pkgs.openconnect}/libexec/openconnect/hipreport.sh";
};
firewall.extraCommands = ''
iptables -N logreject
iptables -A logreject -j LOG
iptables -A logreject -j REJECT
# # Allow incoming connections to 3proxy on port 3128 from the client's IP
# iptables -A INPUT -p tcp --sport 3128 -j ACCEPT
# iptables -A INPUT -p udp --sport 3128 -j ACCEPT
# # Allow established and related connections
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# # Allow DNS lookups for domain resolution
# iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# Block any other unwanted traffic (optional)
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Block all other HTTP and HTTPS traffic
iptables -A OUTPUT -p tcp --dport 80 -j logreject
iptables -A OUTPUT -p tcp --dport 443 -j logreject
iptables -A OUTPUT -p udp --dport 80 -j logreject
iptables -A OUTPUT -p udp --dport 443 -j logreject
#Firewall Settings
networking = {
firewall.enable = true;
firewall.extraCommands = ''
iptables -F
add_rule() {
local ip=$1
iptables -I OUTPUT -p tcp -d $ip --dport 80 -j ACCEPT
iptables -I OUTPUT -p tcp -d $ip --dport 443 -j ACCEPT
iptables -I INPUT -p tcp -s $ip --sport 80 -j ACCEPT
iptables -I INPUT -p tcp -s $ip --sport 443 -j ACCEPT
}
# Urls can be found from Source: https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges
# Allow microsoft365.com
add_rule 13.107.6.156
add_rule 13.107.9.156
# Exchange
add_rule 13.107.6.152/31
add_rule 13.107.18.10/31
add_rule 13.107.128.0/22
add_rule 23.103.160.0/20
add_rule 40.96.0.0/13
add_rule 40.104.0.0/15
add_rule 52.96.0.0/14
add_rule 131.253.33.215/32
add_rule 132.245.0.0/16
add_rule 150.171.32.0/22
add_rule 204.79.197.215/32
# Exchange Online
add_rule 40.92.0.0/15
add_rule 40.107.0.0/16
add_rule 52.100.0.0/14
add_rule 52.238.78.88/32
add_rule 104.47.0.0/17
# Sharepoint
add_rule 13.107.136.0/22
add_rule 40.108.128.0/17
add_rule 52.104.0.0/14
add_rule 104.146.128.0/17
add_rule 150.171.40.0/22
# Common
add_rule 13.107.6.171/32
add_rule 13.107.18.15/32
add_rule 13.107.140.6/32
add_rule 52.108.0.0/14
add_rule 52.244.37.168/32
add_rule 20.20.32.0/19
add_rule 20.190.128.0/18
add_rule 20.231.128.0/19
add_rule 40.126.0.0/18
add_rule 13.107.6.192/32
add_rule 13.107.9.192/32
add_rule 52.108.0.0/14
# Teams
add_rule 13.107.64.0/18
add_rule 52.112.0.0/14
add_rule 52.122.0.0/15
add_rule 52.108.0.0/14
add_rule 52.238.119.141/32
add_rule 52.244.160.207/32
add_rule 2.16.234.57
add_rule 23.56.21.152
add_rule 23.33.233.129
add_rule 52.123.0.0/16
# Allow VPN access.tii.ae and iservice
add_rule 151.253.154.18
add_rule 10.161.10.120
# To be checked
# Allow res.cdn.office.net
add_rule 152.199.21.175
add_rule 152.199.39.108
add_rule 2.21.231.0/24
add_rule 2.20.249.0/24
add_rule 152.199.0.0/16
# Allow js.monitor.azure.com
add_rule 13.107.246.0/24
# Allow c.s-microsoft.com
add_rule 23.207.193.242
add_rule 23.208.213.121
add_rule 23.208.173.122
add_rule 23.44.1.243
add_rule 104.65.229.0/24
add_rule 23.53.113.0/24
add_rule 2.19.105.47
# Allow microsoft.com
add_rule 20.70.246.20
add_rule 20.236.44.162
add_rule 20.76.201.171
add_rule 20.231.239.246
add_rule 20.112.250.133
add_rule 184.25.221.172
# statics.teams.cdn.office.net
add_rule 95.101.0.0/16
add_rule 184.87.193.0/24
add_rule 23.44.0.0/14
add_rule 96.16.53.0/24
add_rule 23.59.80.0/24
add_rule 23.202.33.0/24
add_rule 104.73.172.0/24
add_rule 184.27.123.0/24
add_rule 2.16.56.0/24
add_rule 23.219.73.130
add_rule 104.93.18.174
add_rule 2.21.225.158
add_rule 23.45.137.145
add_rule 23.48.121.167
add_rule 23.46.197.94
add_rule 104.80.21.47
add_rule 23.195.154.8
add_rule 193.229.113.0/24
# edge.skype.com for teams
add_rule 13.107.254.0/24
add_rule 13.107.3.0/24
# api.flightproxy.skype.com for teams
add_rule 98.66.0.0/16
add_rule 4.208.0.0/16
add_rule 4.225.208.0/24
add_rule 4.210.0.0/16
add_rule 108.141.240.0/24
add_rule 74.241.0.0/16
add_rule 20.216.0.0/16
add_rule 172.211.0.0/16
add_rule 20.50.217.0/24
add_rule 68.219.14.0/24
add_rule 20.107.136.0/24
add_rule 4.175.191.0/24
add_rule 98.64.0.0/16
# Allow tiiuae.sharepoint.com
add_rule 52.104.7.53
add_rule 52.105.255.39
add_rule 13.107.138.10
add_rule 13.107.136.10
add_rule 118.215.84.0/24
add_rule 104.69.171.0/24
add_rule 13.107.136.10
add_rule 23.15.111.0/24
# Allow shell.cdn.office.net
add_rule 23.50.92.176
add_rule 23.15.30.57
add_rule 23.50.187.58
add_rule 104.73.234.244
add_rule 104.83.143.131
# Allow res-1.cdn.office.net
add_rule 23.52.40.0/24
add_rule 23.64.122.0/24
add_rule 2.16.106.0/24
# Allow publiccdn.sharepointonline.com
add_rule 23.50.86.117
add_rule 104.69.168.125
add_rule 2.16.43.238
add_rule 23.34.79.0/24
add_rule 23.39.68.0/24
# r4.res.office365.com
add_rule 2.19.97.32
add_rule 2.22.61.139
# Block all other HTTP and HTTPS traffic
iptables -A OUTPUT -p tcp --dport 80 -j REJECT
iptables -A OUTPUT -p tcp --dport 443 -j REJECT
'';
};
}
];
'';
};
}];
borderColor = "#00FF00";
ghafAudio.enable = true;
vtpm.enable = true;
}
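Review bot: The `logreject` chain in the new `firewall.extraCommands` (from `iptables -N logreject` through the four `-j logreject` OUTPUT rules) is created and hooked directly into OUTPUT, but nothing tears it down, so a firewall restart or reload re-runs the script, `-N` fails on the already-existing chain and the LOG/REJECT and OUTPUT rules are appended a second time; if the NixOS firewall script runs with errexit, the second start would abort before the 80/443 rejects are reinstalled. The `-j LOG` rule is also unbounded and carries no prefix, so one misbehaving process can flood the journal and the entries are hard to match in detection rules. Both rules are iptables-only; should the VM ever get IPv6 connectivity, 80/443 over v6 bypasses the reject, whereas the `ip46tables` helper the NixOS firewall script provides covers both families. Separately, `pkgs.nftables` is added to `packages` while every rule is written with iptables, so either a one-line comment saying why it is needed or dropping it would remove the mismatch. The rewrite below makes chain creation idempotent, rate-limits and prefixes the log, and adds the matching `firewall.extraStopCommands`.
```nix
firewall.extraCommands = ''
  # Reloads re-run this script: reuse the chain instead of failing on -N.
  ip46tables -N logreject 2>/dev/null || ip46tables -F logreject
  ip46tables -A logreject -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix "business-vm-http-reject: "
  ip46tables -A logreject -j REJECT
  # … unchanged: default policies …
  ip46tables -A OUTPUT -p tcp --dport 80 -j logreject
  ip46tables -A OUTPUT -p tcp --dport 443 -j logreject
  ip46tables -A OUTPUT -p udp --dport 80 -j logreject
  ip46tables -A OUTPUT -p udp --dport 443 -j logreject
'';
# Remove the OUTPUT hooks and the chain so extraCommands always starts clean.
firewall.extraStopCommands = ''
  for proto in tcp udp; do
    for port in 80 443; do
      ip46tables -D OUTPUT -p $proto --dport $port -j logreject 2>/dev/null || true
    done
  done
  ip46tables -F logreject 2>/dev/null || true
  ip46tables -X logreject 2>/dev/null || true
'';
```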
1 change: 1 addition & 0 deletions modules/reference/profiles/mvp-user-trial.nix
Expand Up @@ -34,6 +34,7 @@ in
services = {
enable = true;
dendrite = true;
proxy-business = lib.mkForce config.ghaf.reference.appvms.business-vm;
};

personalize = {
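Review bot: `proxy-business = lib.mkForce config.ghaf.reference.appvms.business-vm;` pins the service to whatever the business-vm option evaluates to and forbids any later profile from overriding it, which is stricter than the sibling `dendrite = true;` directly above. Unless another module is known to set this option and must lose, a plain `proxy-business = config.ghaf.reference.appvms.business-vm;` gives the same value while staying overridable; if mkForce is intentional, a one-line comment naming the definition it is meant to beat would help the next reader. The enclosing `services` attrset starts before this hunk, and the `proxy-business` option itself is presumably declared in one of the two changed files not rendered on this page, so the type it expects cannot be checked here.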
