Nebula Configuration Templates: Reusable Configuration Patterns and Examples
Overview
Nebula is a scalable overlay networking tool focused on performance, simplicity and security; it lets you connect machines anywhere in the world as if they were on one network. In real deployments, well-structured configuration templates noticeably speed up rollout and reduce configuration errors. This article collects a set of tested Nebula configuration templates covering different scenarios and requirements.
Basic Configuration Structure
A Nebula configuration file is written in YAML and consists mainly of the following core sections:
```yaml
# Certificate authority plus this host's certificate and key
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/host.crt
  key: /etc/nebula/host.key
# Nebula IP -> underlay address(es) for hosts that can be reached directly (lighthouses at minimum)
static_host_map:
  "192.168.100.1": ["100.64.22.11:4242"]
lighthouse:
  am_lighthouse: false
  interval: 60
  hosts:
    - "192.168.100.1"
# Underlay UDP socket
listen:
  host: "::"
  port: 4242
punchy:
  punch: true
tun:
  dev: nebula1
  mtu: 1300
logging:
  level: info
  format: text
# Default-deny in both directions; only the listed rules are allowed
firewall:
  outbound_action: drop
  inbound_action: drop
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: icmp
      host: any
```
Scenario-Based Configuration Templates
1. Standard Node Configuration Template
A general-purpose configuration suitable for most ordinary nodes:
```yaml
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/{{hostname}}.crt
  key: /etc/nebula/{{hostname}}.key
static_host_map:
  "192.168.100.1": ["lighthouse.example.com:4242"]
  "192.168.100.2": ["node2.example.com:4242"]
lighthouse:
  am_lighthouse: false
  interval: 60
  hosts:
    - "192.168.100.1"
    - "192.168.100.2"
listen:
  host: "0.0.0.0"
  port: 4242
punchy:
  punch: true
  respond: true
tun:
  dev: nebula1
  mtu: 1300
  tx_queue: 1000
logging:
  level: info
  format: text
firewall:
  outbound_action: drop
  inbound_action: drop
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: icmp
      host: any
    - port: 22
      proto: tcp
      host: any
    - port: 80
      proto: tcp
      host: any
    - port: 443
      proto: tcp
      host: any
```
2. Lighthouse Node Configuration Template
A configuration tuned specifically for lighthouse nodes:
```yaml
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/lighthouse.crt
  key: /etc/nebula/lighthouse.key
lighthouse:
  am_lighthouse: true
  interval: 30
  serve_dns: true
  dns:
    host: 0.0.0.0
    port: 53
  # A lighthouse must not list other lighthouses; leave hosts empty
  hosts: []
listen:
  host: "0.0.0.0"
  port: 4242
  read_buffer: 20971520
  write_buffer: 20971520
punchy:
  punch: true
  respond: true
tun:
  dev: nebula0
  mtu: 1500
  tx_queue: 2000
logging:
  level: warning
  format: json
firewall:
  outbound_action: drop
  inbound_action: drop
  conntrack:
    tcp_timeout: 15m
    udp_timeout: 5m
    default_timeout: 15m
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: icmp
      host: any
    - port: 53
      proto: udp
      host: any
    - port: 53
      proto: tcp
      host: any
```
3. Security-Hardened Configuration Template
For environments that require stronger security:
```yaml
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/secure-host.crt
  key: /etc/nebula/secure-host.key
  blocklist:
    - c99d4e650533b92061b09918e838a5a0a6aaee21eed1d12fd937682865936c72
  disconnect_invalid: true
static_host_map:
  "192.168.100.1": ["secure-lighthouse.example.com:4242"]
lighthouse:
  am_lighthouse: false
  interval: 120
  hosts:
    - "192.168.100.1"
  remote_allow_list:
    "0.0.0.0/0": false
    "10.0.0.0/8": true
    "192.168.0.0/16": true
listen:
  host: "0.0.0.0"
  port: 4242
  send_recv_error: private
punchy:
  punch: false
  respond: false
tun:
  dev: nebula1
  mtu: 1300
  drop_local_broadcast: true
  drop_multicast: true
logging:
  level: warning
  format: json
  disable_timestamp: false
firewall:
  outbound_action: reject
  inbound_action: reject
  conntrack:
    tcp_timeout: 10m
    udp_timeout: 2m
    default_timeout: 8m
  outbound:
    - port: any
      proto: any
      group: trusted-nodes
  inbound:
    - port: any
      proto: icmp
      group: trusted-nodes
    - port: 22
      proto: tcp
      groups:
        - admin
        - trusted-nodes
    - port: 9090
      proto: tcp
      group: monitoring
```
4. High-Availability Configuration Template
A configuration that supports multiple lighthouses and failover:
```yaml
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/ha-host.crt
  key: /etc/nebula/ha-host.key
static_host_map:
  "192.168.100.1": ["lighthouse1.example.com:4242"]
  "192.168.100.2": ["lighthouse2.example.com:4242"]
  "192.168.100.3": ["lighthouse3.example.com:4242"]
lighthouse:
  am_lighthouse: false
  interval: 30
  hosts:
    - "192.168.100.1"
    - "192.168.100.2"
    - "192.168.100.3"
listen:
  host: "0.0.0.0"
  port: 0
  batch: 128
punchy:
  punch: true
  respond: true
  delay: 2s
  respond_delay: 10s
tun:
  dev: nebula1
  mtu: 1300
  tx_queue: 1500
logging:
  level: info
  format: text
firewall:
  outbound_action: drop
  inbound_action: drop
  conntrack:
    tcp_timeout: 15m
    udp_timeout: 4m
    default_timeout: 12m
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: icmp
      host: any
    - port: 22
      proto: tcp
      host: any
    - port: 9100
      proto: tcp
      host: any
```
Firewall Rule Templates
Role-Based Access Control
```yaml
firewall:
  outbound_action: drop
  inbound_action: drop
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    # Administrator access
    - port: 22
      proto: tcp
      groups:
        - admin
        - bastion
    # Web service access
    - port: 80
      proto: tcp
      group: web-clients
    - port: 443
      proto: tcp
      group: web-clients
    # Database access
    - port: 3306
      proto: tcp
      groups:
        - app-servers
        - dba
    # Monitoring access
    - port: 9100
      proto: tcp
      group: monitoring
    - port: 9090
      proto: tcp
      group: monitoring
    # Internal service communication
    - port: 8080-8090
      proto: tcp
      group: internal-services
    # ICMP for network diagnostics
    - port: any
      proto: icmp
      host: any
```
Microservice Architecture Firewall Rules
```yaml
firewall:
  outbound_action: drop
  inbound_action: drop
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    # API gateway to microservices
    - port: 3000-3999
      proto: tcp
      group: api-gateway
      local_cidr: 192.168.100.0/24
    # Service discovery
    - port: 8500
      proto: tcp
      group: consul-cluster
    # Configuration service
    - port: 8888
      proto: tcp
      group: config-server
    # Message queue
    - port: 5672
      proto: tcp
      group: rabbitmq-clients
    - port: 15672
      proto: tcp
      group: rabbitmq-admin
    # Cache service
    - port: 6379
      proto: tcp
      group: redis-clients
    # Monitoring and logging
    - port: 9090
      proto: tcp
      group: prometheus
    - port: 9200
      proto: tcp
      group: elasticsearch
    - port: 5044
      proto: tcp
      group: logstash
```
Advanced Configuration Patterns
Multi-Region Deployment Configuration
```yaml
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/multi-region.crt
  key: /etc/nebula/multi-region.key
static_host_map:
  # Region A lighthouses
  "192.168.100.1": ["lighthouse-region-a.example.com:4242"]
  "192.168.100.2": ["lighthouse-region-a-backup.example.com:4242"]
  # Region B lighthouses
  "192.168.100.101": ["lighthouse-region-b.example.com:4242"]
  "192.168.100.102": ["lighthouse-region-b-backup.example.com:4242"]
  # Region C lighthouse
  "192.168.100.201": ["lighthouse-region-c.example.com:4242"]
lighthouse:
  am_lighthouse: false
  interval: 45
  hosts:
    - "192.168.100.1"
    - "192.168.100.101"
    - "192.168.100.201"
listen:
  host: "0.0.0.0"
  port: 4242
  batch: 96
punchy:
  punch: true
  respond: true
  delay: 1s
tun:
  dev: nebula1
  mtu: 1300
  tx_queue: 1200
logging:
  level: info
  format: json
firewall:
  outbound_action: drop
  inbound_action: drop
  conntrack:
    tcp_timeout: 20m
    udp_timeout: 5m
    default_timeout: 15m
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: icmp
      host: any
    # Inter-region communication
    - port: 9000-9999
      proto: tcp
      groups:
        - region-a
        - region-b
        - region-c
    # Administrative access
    - port: 22
      proto: tcp
      group: global-admin
```
Containerized Environment Configuration
```yaml
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/container.crt
  key: /etc/nebula/container.key
static_host_map:
  "192.168.100.1": ["lighthouse.k8s-cluster.svc:4242"]
lighthouse:
  am_lighthouse: false
  interval: 30
  hosts:
    - "192.168.100.1"
listen:
  host: "0.0.0.0"
  port: 4242
  batch: 32
punchy:
  punch: true
  respond: false
tun:
  dev: nebula1
  mtu: 1450
  tx_queue: 500
logging:
  level: info
  format: json
  disable_timestamp: true
firewall:
  outbound_action: drop
  inbound_action: drop
  conntrack:
    tcp_timeout: 10m
    udp_timeout: 3m
    default_timeout: 8m
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: icmp
      host: any
    # Kubernetes NodePort range
    - port: 30000-32767
      proto: tcp
      group: k8s-nodes
    # Service mesh communication
    - port: 15001
      proto: tcp
      group: istio-proxies
    - port: 15006
      proto: tcp
      group: istio-proxies
    # Monitoring ports
    - port: 9100
      proto: tcp
      group: prometheus
    - port: 9256
      proto: tcp
      group: node-exporter
```
Configuration Best Practices
1. Certificate Management
```yaml
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/{{.Hostname}}.crt
  key: /etc/nebula/{{.Hostname}}.key
  blocklist:
    - "<fingerprint of an expired or revoked certificate>"
  disconnect_invalid: true
```
2. Network Optimization
```yaml
listen:
  host: "0.0.0.0"
  port: 4242
  batch: 64
  read_buffer: 10485760
  write_buffer: 10485760
tun:
  dev: nebula1
  mtu: 1300
  tx_queue: 1000
```
3. Security Settings
```yaml
firewall:
  outbound_action: drop
  inbound_action: reject
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m
lighthouse:
  remote_allow_list:
    "10.0.0.0/8": true
    "172.16.0.0/12": true
    "192.168.0.0/16": true
    "0.0.0.0/0": false
```
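As an added illustration (not part of the original article or of the Nebula project), the following Python linter checks a parsed configuration against the certificate-management and security-settings practices above: default firewall actions must be drop or reject, non-ICMP inbound rules must be scoped by group, groups or cidr rather than `host: any`, and `pki.blocklist` entries must be real 64-hex-character fingerprints with `disconnect_invalid` enabled. It assumes the YAML has already been loaded into a dict (for example with PyYAML's `yaml.safe_load`); the two sample configs are constructed inline.

```python
import re
from typing import Any, Dict, List

# SHA-256 certificate fingerprint, the form Nebula expects in pki.blocklist.
FINGERPRINT_RE = re.compile(r"^[0-9a-f]{64}$")


def _rule_scope(rule: Dict[str, Any]) -> str:
    """Name the selector that scopes a firewall rule (group/groups/cidr/ca_*), else 'host'."""
    for key in ("group", "groups", "cidr", "ca_name", "ca_sha"):
        if rule.get(key):
            return key
    return "host"


def lint_nebula_config(cfg: Dict[str, Any]) -> List[str]:
    """Return findings for a parsed Nebula config dict; an empty list means clean."""
    findings: List[str] = []
    fw = cfg.get("firewall", {})
    for action in ("inbound_action", "outbound_action"):
        if fw.get(action) not in ("drop", "reject"):
            findings.append(f"firewall.{action} should be drop or reject")
    for rule in fw.get("inbound", []):
        proto, port = str(rule.get("proto", "any")), str(rule.get("port", "any"))
        # ICMP from anywhere is the templates' diagnostic baseline; anything else needs a scope.
        if proto != "icmp" and _rule_scope(rule) == "host" and rule.get("host") in ("any", None):
            findings.append(f"inbound {proto}/{port} is open to any host; scope it by group, groups or cidr")
    pki = cfg.get("pki", {})
    for fp in pki.get("blocklist", []):
        if not FINGERPRINT_RE.match(str(fp)):
            findings.append(f"pki.blocklist entry {fp!r} is not a 64-hex-char fingerprint (placeholder?)")
    if pki.get("blocklist") and not pki.get("disconnect_invalid"):
        findings.append("pki.disconnect_invalid should be true so blocklisted peers are disconnected")
    return findings


# Constructed sample mirroring the hardened template above (pki + firewall sections only).
HARDENED = {
    "pki": {"blocklist": ["c99d4e650533b92061b09918e838a5a0a6aaee21eed1d12fd937682865936c72"],
            "disconnect_invalid": True},
    "firewall": {"inbound_action": "reject", "outbound_action": "reject",
                 "inbound": [{"port": "any", "proto": "icmp", "group": "trusted-nodes"},
                             {"port": 22, "proto": "tcp", "groups": ["admin", "trusted-nodes"]}]},
}
# Constructed sample in the shape of the standard template: placeholder left unfilled, SSH open to all.
STANDARD = {
    "pki": {"blocklist": ["<fingerprint of an expired or revoked certificate>"], "disconnect_invalid": False},
    "firewall": {"inbound_action": "drop", "outbound_action": "drop",
                 "inbound": [{"port": "any", "proto": "icmp", "host": "any"},
                             {"port": 22, "proto": "tcp", "host": "any"}]},
}
```

Running `lint_nebula_config(STANDARD)` reports the unscoped SSH rule, the placeholder fingerprint and the disabled `disconnect_invalid`, while `HARDENED` comes back clean.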
Troubleshooting Configuration
```yaml
logging:
  level: debug
  format: text
  disable_timestamp: false
handshakes:
  try_interval: 100ms
  retries: 20
tunnels:
  drop_inactive: true
  inactivity_timeout: 10m
stats:
  type: prometheus
  listen: 127.0.0.1:8080
  path: /metrics
  interval: 10s
  message_metrics: true
  lighthouse_metrics: true
```
Summary
The Nebula configuration templates in this article cover requirements ranging from basic deployments to advanced scenarios. By using these tested templates you can:
- Deploy quickly: fewer configuration errors and faster rollout
- Stay secure: the templates follow security best practices
- Optimize performance: sensible defaults and tuning parameters
- Scale out: the modular layout is easy to customize and extend
Choose the template that fits your specific needs and adjust it from there. Test thoroughly before deploying to production to make sure the configuration matches your network environment and security requirements.
Authorship note: parts of this article were generated with AI assistance (AIGC) and are provided for reference only.