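# Install the DHCP server, Syslinux (PXELINUX loader and COM32 modules), nginx
# and iPXE, then create the directory layout used by the rest of this guide.
pkg install isc-dhcp44-server ipxe syslinux nginx

# TFTP root: the PXELINUX menu directory plus one netboot tree per release.
# -p creates missing parents and makes the step safe to re-run; the paths are
# spelled out so the commands do not depend on brace expansion.
mkdir -p /tftpboot/pxelinux.cfg
mkdir -p /tftpboot/netboot/debian/11
mkdir -p /tftpboot/netboot/ubuntu/20.04

# Static host declarations, pulled in by the include line of dhcpd.conf.
mkdir -p /usr/local/etc/dhcpd.d/
touch /usr/local/etc/dhcpd.d/static.leases
# NOTE(review): this lets the dhcpd account rewrite a file that dhcpd.conf
# includes; if the daemon only has to read it, root ownership is enough — confirm.
chown dhcpd:wheel /usr/local/etc/dhcpd.d/static.leases

# nginx document roots: preseed files under installer/, boot images under pxe/.
mkdir -p /usr/local/www/installer/
mkdir -p /usr/local/www/pxe/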
Dans /tftpboot/pxelinux.cfg/default:
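# Fallback PXELINUX menu (pxelinux.cfg/default), shown through vesamenu.c32.
DEFAULT vesamenu.c32
PROMPT 0
MENU TITLE PXE Boot Menu

# mfsBSD ISO loaded through memdisk; this is the pre-selected menu entry.
# NOTE(review): the INITRD is an HTTP URL, which needs an HTTP-capable loader
# (lpxelinux.0, or pxelinux.0 started from iPXE) — confirm with plain pxelinux.0.
LABEL mfsbsd-pxe-install
  MENU LABEL Mfsbsd ^13.0 UFS
  MENU DEFAULT
  KERNEL memdisk
  APPEND iso
  INITRD http://172.17.0.29/pxe/bsd/fbsd/mfsbsd-13.0-custom-ufs.iso.gz

# The two entries below start unattended installs (auto=true priority=critical)
# driven by a preseed file fetched over plain HTTP. That fetch is neither
# authenticated nor integrity-protected: keep this segment trusted and keep
# plaintext secrets out of the preseed files (debian-installer also accepts a
# preseed/url/checksum parameter).
# DEBCONF_DEBUG=5 turns on verbose debconf logging; it is a debugging aid to
# drop once the preseed works.
LABEL Ubuntu 20.04 LTS
  MENU LABEL Ubuntu ^20.04 LTS
  kernel netboot/ubuntu/20.04/ubuntu-installer/amd64/linux
  append initrd=netboot/ubuntu/20.04/ubuntu-installer/amd64/initrd.gz DEBCONF_DEBUG=5 debian-installer/locale=en_US keyboard-configuration/layoutcode=fr auto=true priority=critical interface=auto netcfg/dhcp_timeout=60 vga=off fb=false preseed/url=http://172.17.0.29/ubuntu_focal

LABEL Debian 11
  MENU LABEL Debian ^11
  kernel netboot/debian/11/debian-installer/amd64/linux
  append initrd=netboot/debian/11/debian-installer/amd64/initrd.gz DEBCONF_DEBUG=5 debian-installer/locale=en_US keyboard-configuration/layoutcode=fr auto=true priority=critical interface=auto netcfg/dhcp_timeout=60 vga=off fb=false preseed/url=http://172.17.0.29/debian_bullseye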
dans /etc/rc.conf :
# Services started at boot: nginx serves the preseed files and images,
# inetd runs tftpd, dhcpd answers the PXE clients.
nginx_enable="YES"
inetd_enable="YES"

dhcpd_enable="YES"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_flags="-q"
# NOTE(review): "vtnet" carries no unit number; FreeBSD interface names
# normally look like vtnet0 — confirm the interface dhcpd must listen on.
dhcpd_ifaces="vtnet"
dhcpd_withumask="022"
Le fichier /usr/local/etc/dhcpd.conf:
# dhcpd.conf
#
# ISC dhcpd configuration for the PXE provisioning network.

# Lease lifetimes, in seconds.
default-lease-time 600;
max-lease-time 7200;

# Send dhcpd messages to syslog facility local7 (syslog.conf has to route
# that facility to a file of its own).
log-facility local7;

# Both left commented out: the global dynamic DNS update style, and the
# declaration that this is the official DHCP server for the local network.
#ddns-update-style none;
#authoritative;

# DNS server handed to clients.
option domain-name-servers 172.17.0.11;

# PXE: clients fetch pxelinux.0 over TFTP from next-server. Neither DHCP nor
# TFTP authenticates the server, so these answers are only trustworthy on an
# isolated provisioning segment.
next-server 172.17.0.29;
filename "pxelinux.0";

# The subnet declaration carries no range statement, only the default router.
subnet 172.17.0.0 netmask 255.255.255.0 {
  option routers 172.17.0.11;
}

# Presumably the per-host (fixed-address) declarations; verify against the file.
include "/usr/local/etc/dhcpd.d/static.leases";
Dans /etc/inetd.conf, décommenter la ligne :
# TFTP service for the PXE clients, started on demand by inetd.
# -l logs requests through syslog; -s chroots tftpd into /tftpboot.
# -w is not given, so clients cannot create new files in the TFTP root.
# NOTE(review): tftpd(8) is expected to drop to an unprivileged user after the
# chroot (see its -u option) — confirm on the target release.
tftp dgram udp wait root /usr/libexec/tftpd tftpd -l -s /tftpboot
Copier les fichiers qui vont bien :
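# Copy the BIOS PXELINUX loader, memdisk and the COM32 modules used by the
# menu into the TFTP root. Written as one cp with the destination last: run
# together on a single line, the separate cp commands would be parsed as one
# invocation with stray "cp" source arguments and fail.
# All files come from the same syslinux package, so loader and modules match.
cp \
  /usr/local/share/syslinux/bios/core/pxelinux.0 \
  /usr/local/share/syslinux/bios/com32/elflink/ldlinux/ldlinux.c32 \
  /usr/local/share/syslinux/bios/com32/lib/libcom32.c32 \
  /usr/local/share/syslinux/bios/com32/libutil/libutil.c32 \
  /usr/local/share/syslinux/bios/com32/menu/vesamenu.c32 \
  /usr/local/share/syslinux/bios/com32/modules/pxechn.c32 \
  /usr/local/share/syslinux/bios/memdisk/memdisk \
  /tftpboot/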
Télécharger : https://deb.debian.org/debian/dists/bullseye/main/installer-amd64/current/images/netboot/netboot.tar.gz
Extraire l'archive au bon endroit :
# Unpack the Debian 11 netboot tree into the TFTP root. The kernel and initrd
# in this archive are booted by every PXE client, so compare the archive's
# SHA-256 with the SHA256SUMS the distribution publishes for the installer
# images before extracting.
tar -xz -f netboot.tar.gz -C /tftpboot/netboot/debian/11/
Pour ubuntu 20.04 : http://archive.ubuntu.com/ubuntu/dists/focal/main/installer-amd64/current/legacy-images/netboot/netboot.tar.gz
Extraire l'archive au bon endroit :
# Unpack the Ubuntu 20.04 netboot tree into the TFTP root. The download URL is
# plain HTTP, so check the archive's SHA-256 against a checksum obtained with
# integrity protection before extracting. The file name is the same as the
# Debian archive: make sure this is the Ubuntu download.
tar -xz -f netboot.tar.gz -C /tftpboot/netboot/ubuntu/20.04/
Il faut que nginx ait l'option “more headers” :
nginx version: nginx/1.22.0 built with OpenSSL 1.1.1o-freebsd 3 May 2022 TLS SNI support enabled configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --with-compat --with-pcre --modules-path=/usr/local/libexec/nginx --with-file-aio --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_v2_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --with-mail_ssl_module --without-pcre2 --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-http_image_filter_module=dynamic --with-http_xslt_module=dynamic --with-mail=dynamic --with-stream=dynamic --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/headers-more-nginx-module-d6d7eba --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ModSecurity-nginx-1.0.2
Le module en question :
--add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/headers-more-nginx-module-d6d7eba
Ça permet de masquer complètement l'identité du serveur web (en-tête Server).
nginx.conf :
#user nobody;
worker_processes 1;

# The default error log path is compiled in, so that configuration parsing
# errors are logged somewhere even during an unattended boot, when stderr is
# not normally captured. That path is touched on every nginx start, whatever
# error log location is configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log /var/log/nginx/error.log;
#
#pid logs/nginx.pid;

# Dynamic headers-more module; it provides more_clear_headers used below.
load_module /usr/local/libexec/nginx/ngx_http_headers_more_filter_module.so;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # Banner hiding: no version in responses or error pages, and the Server
    # header removed altogether. This hides what is running; it does not limit
    # who can reach the files the vhosts serve.
    server_tokens off;
    more_clear_headers Server;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    # '$status $body_bytes_sent "$http_referer" '
    # '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    #gzip on;

    # One file per virtual host.
    include /usr/local/etc/nginx/vhosts/*.conf;
}
Vhost installer.conf :
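# Plain-HTTP vhost for the PXE clients: preseed files under /, boot images
# under /pxe/.
server {
    listen 80;
    listen [::]:80;

    # Everything here is served without authentication, and preseed files
    # often carry credentials or password hashes. Answer only the provisioning
    # subnet declared in dhcpd.conf; every other source gets 403.
    allow 172.17.0.0/24;
    deny all;

    root /usr/local/www/installer/;

    # Directory listings are kept for convenience; the installers request
    # fixed URLs, so autoindex can be turned off if browsing is not needed.
    location /pxe/ {
        alias /usr/local/www/pxe/;
        autoindex on;
    }

    location / {
        autoindex on;
    }
}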
```