assignment 3 enunciado

2026-05-11 11:38:51 +01:00
parent b03a6987f4
commit 66534a1648
57 changed files with 0 additions and 8 deletions
--- a/assignment2/conf/client.conf
+++ b/assignment2/conf/client.conf
@@ -0,0 +1,19 @@
+client
+dev tun
+proto udp
+remote 193.136.212.1 1194   # ip da vpn gateway
+persist-tun
+persist-key
+
+# certificados
+ca /etc/openvpn/client/ca.crt
+cert /etc/openvpn/client/user.crt
+key /etc/openvpn/client/user.key
+
+# auth
+cipher AES-256-GCM
+auth SHA256
+
+auth-user-pass
+tls-auth /etc/openvpn/client/ta.key 1
+reneg-sec 0
--- a/assignment2/conf/httpd-totp
+++ b/assignment2/conf/httpd-totp
@@ -0,0 +1,3 @@
+auth    required    pam_google_authenticator.so forward_pass secret=/home/${USER}/.google_authenticator user=apache
+auth    required    pam_unix.so use_first_pass
+account required    pam_unix.so
--- a/assignment2/conf/httpd.conf
+++ b/assignment2/conf/httpd.conf
@@ -0,0 +1,20 @@
+ServerRoot "/etc/httpd"
+
+Include conf.modules.d/*.conf
+LoadModule authnz_pam_module modules/mod_authnz_pam.so
+LoadModule mpm_event_module modules/mod_mpm_event.so
+
+User apache
+Group apache
+
+Listen 80
+Listen 443
+
+Include conf.d/*.conf
+
+DocumentRoot "/var/www/html"
+<Directory "/var/www/html">
+    Options Indexes FollowSymLinks
+    AllowOverride None
+    Require all granted
+</Directory>
--- a/assignment2/conf/ocsp-verify.sh
+++ b/assignment2/conf/ocsp-verify.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+depth=$1
+if [ "$depth" -eq 0 ]; then
+    if [ -n "$tls_serial_0" ]; then
+        # é preciso converter o serial para hexadecimal porque o openssl espera em hex
+        hex_serial=$(printf '%x' "$tls_serial_0")
+        status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -serial "0x$hex_serial" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>/dev/null)
+        if echo "$status" | grep -q "good"; then
+            exit 0 # sucesso
+        fi
+
+        exit 1 # revogado ou não encontrado
+    fi
+    exit 1
+fi
--- a/assignment2/conf/ssl.conf
+++ b/assignment2/conf/ssl.conf
@@ -0,0 +1,64 @@
+<VirtualHost *:443>
+    ServerName 10.60.0.1
+    DocumentRoot /var/www/html
+
+    SSLEngine on
+    SSLCertificateFile /etc/httpd/ssl/apache.crt
+    SSLCertificateKeyFile /etc/httpd/ssl/apache.key
+    SSLCACertificateFile /etc/httpd/ssl/ca.crt
+
+    # mutual authentication
+    SSLVerifyClient require
+    SSLVerifyDepth 1
+
+    # ocsp validation
+    SSLOCSPEnable on
+    SSLOCSPDefaultResponder "http://10.60.0.1:8888"
+    SSLOCSPOverrideResponder on
+    SSLOCSPUseRequestNonce off
+
+    # session management 
+    Session On
+    SessionCookieName session path=/;HttpOnly;Secure
+
+    # proteger
+    <Location "/">
+        AuthType Form
+        AuthName "Coimbra VPN"
+        AuthFormProvider PAM
+        AuthPAMService httpd-totp
+        AuthFormLoginRequiredLocation "/login.html"
+        Require valid-user
+    </Location>
+
+    # public login page
+    <Location "/login.html">
+        AuthType None
+        Require all granted
+    </Location>
+
+    # login handler
+    <Location "/dologin">
+        SetHandler form-login-handler
+        AuthType Form
+        AuthName "Coimbra VPN"
+        AuthFormProvider PAM
+        AuthPAMService httpd-totp
+        Require all granted
+        AuthFormLoginSuccessLocation "/index.html"
+        AuthFormLoginRequiredLocation "/login.html?error=1"
+    </Location>
+
+    # logout handler
+    <Location "/logout">
+        SetHandler form-logout-handler
+        AuthFormLogoutLocation "/login.html?loggedout=1"
+    </Location>
+
+</VirtualHost>
+
+# redirect para https
+<VirtualHost *:80>
+    ServerName 10.60.0.1
+    Redirect permanent / https://10.60.0.1/
+</VirtualHost>
--- a/assignment2/conf/totp
+++ b/assignment2/conf/totp
@@ -0,0 +1,3 @@
+auth    required    pam_google_authenticator.so forward_pass
+auth    required    pam_unix.so use_first_pass
+account required    pam_unix.so
--- a/assignment2/conf/vpn.conf
+++ b/assignment2/conf/vpn.conf
@@ -0,0 +1,29 @@
+local 193.136.212.1
+port 1194
+proto udp
+dev tun
+
+verb 4
+
+# Bro is too honorable
+ca /etc/openvpn/server/ca.crt
+cert /etc/openvpn/server/vpn.crt
+key /etc/openvpn/server/vpn.key
+dh /etc/openvpn/server/dh2048.pem
+
+topology subnet
+server 10.8.0.0 255.255.255.0
+push "route 10.60.0.0 255.255.255.0"
+
+# OCSP and Revocation
+script-security 2
+tls-verify /etc/openvpn/server/ocsp-verify.sh
+# auth
+cipher AES-256-GCM
+auth SHA256
+
+# plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
+plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so totp
+tls-auth /etc/openvpn/server/ta.key 0
+
+