Deploy a mini-infrastructure: a core server + a web server + an admin workstation. Security, web (vhosts/HTTPS/reverse proxy), centralized logs, automated backups.
- srv-core: security baseline + centralized logging + backups
- srv-web: Nginx (vhosts, HTTPS, reverse proxy)
- cli-admin: administration / testing workstation
- srv-core: 192.168.56.10
- srv-web: 192.168.56.11
- cli-admin: 192.168.56.12
- configs/: configuration files (ssh, nftables, nginx, rsyslog…)
- configs/systemd/: systemd units (.service/.timer)
- scripts/: bash scripts
- docs/proofs/: proofs (command outputs)
- Script: `scripts/backup-configs.srv-core.sh`
- systemd: `configs/systemd/backup-configs.service` + `.timer`
- Restore test: extract `etc/nftables.conf` from the latest archive to `/tmp/restore-test/` (see `docs/proofs/backup-restore-*`)
- cli-admin: 192.168.56.12 (admin workstation / tests)
- srv-core: 192.168.56.10 (internal services + logs + backups)
- srv-web: 192.168.56.11 (Nginx front-end HTTPS + reverse proxy)
- SSH: keys only (`PasswordAuthentication no`) + fail2ban sshd
- Firewall: nftables default drop policy + minimal port exposure
- Web: self-signed HTTPS + HTTP→HTTPS redirect + security headers
- Reverse proxy: `app.site1.lab` → `srv-core:8080` (internal)
- /admin: BasicAuth + fail2ban nginx-http-auth (automatic ban)
- HTTP→HTTPS: `curl -I http://site1.lab`
- HTTPS OK: `curl -k -I https://site1.lab`
- Reverse proxy: `curl -k https://app.site1.lab/`
- /admin without creds: `curl -k -I https://site1.lab/admin/` (401)
- /admin with creds: `curl -k -u demo:*** https://site1.lab/admin/`
- Fail2ban ban: after several bad logins → IP banned (see proof)
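
The curl checks above can be turned into pass/fail assertions over `curl -I` output. This is an added example, not one of the project's scripts; the function names and the `REQUIRED_HEADERS` list are assumptions (the page does not name its security headers), and the sample responses are constructed.

```sh
#!/bin/sh
# Added example: pass/fail checks over `curl -I` output for the tests listed above.
# REQUIRED_HEADERS is an assumption; the page does not name its security headers.
REQUIRED_HEADERS="strict-transport-security x-content-type-options x-frame-options"

# Status code from the status line ("HTTP/1.1 301 Moved Permanently" or "HTTP/2 200").
status_of() { printf '%s\n' "$1" | tr -d '\r' | awk 'NR == 1 { print $2 }'; }

# Value of one response header; the name is matched case-insensitively.
header_of() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v want="$2" '
    NR > 1 { i = index($0, ":")
             if (i && tolower(substr($0, 1, i - 1)) == tolower(want)) {
               v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit } }'
}

# HTTP->HTTPS: a redirect status whose Location is https:// on the expected host.
check_redirect() {
  case "$(status_of "$1")" in 301|302|307|308) ;; *) return 1 ;; esac
  case "$(header_of "$1" location)" in
    "https://$2"|"https://$2/"*) return 0 ;;
  esac
  return 1
}

# Prints the required headers that are absent; succeeds only when none are missing.
missing_headers() (
  missing=""
  for h in $REQUIRED_HEADERS; do
    [ -n "$(header_of "$1" "$h")" ] || missing="$missing $h"
  done
  printf '%s' "${missing# }"
  [ -z "$missing" ]
)

# /admin without credentials: 401 plus a Basic challenge.
check_admin_locked() {
  [ "$(status_of "$1")" = "401" ] || return 1
  case "$(header_of "$1" www-authenticate)" in [Bb]asic*) return 0 ;; esac
  return 1
}

# Constructed sample responses (not captured from the lab).
SAMPLE_REDIRECT=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://site1.lab/\r\n')
SAMPLE_OFFHOST=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://site1.lab.example/\r\n')
SAMPLE_HTTPS=$(printf 'HTTP/2 200\r\nstrict-transport-security: max-age=31536000\r\nx-content-type-options: nosniff\r\n')
SAMPLE_ADMIN=$(printf 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="admin"\r\n')
```

Against the lab, pass live output instead of the samples, e.g. `check_redirect "$(curl -sI http://site1.lab)" site1.lab`.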