assignment 3 enunciado

vasco
2026-05-11 11:38:51 +01:00
parent b03a6987f4
commit 66534a1648
57 changed files with 0 additions and 8 deletions


@@ -1,19 +0,0 @@
client
dev tun
proto udp
remote 193.136.212.1 1194 # ip da vpn gateway
persist-tun
persist-key
# certificados
ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/user.crt
key /etc/openvpn/client/user.key
# auth
cipher AES-256-GCM
auth SHA256
auth-user-pass
tls-auth /etc/openvpn/client/ta.key 1
reneg-sec 0


@@ -1,3 +0,0 @@
auth required pam_google_authenticator.so forward_pass secret=/home/${USER}/.google_authenticator user=apache
auth required pam_unix.so use_first_pass
account required pam_unix.so


@@ -1,20 +0,0 @@
ServerRoot "/etc/httpd"
Include conf.modules.d/*.conf
LoadModule authnz_pam_module modules/mod_authnz_pam.so
LoadModule mpm_event_module modules/mod_mpm_event.so
User apache
Group apache
Listen 80
Listen 443
Include conf.d/*.conf
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>


@@ -1,15 +0,0 @@
#!/bin/bash
depth=$1
if [ "$depth" -eq 0 ]; then
if [ -n "$tls_serial_0" ]; then
# é preciso converter o serial para hexadecimal porque o openssl espera em hex
hex_serial=$(printf '%x' "$tls_serial_0")
status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -serial "0x$hex_serial" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>/dev/null)
if echo "$status" | grep -q "good"; then
exit 0 # sucesso
fi
exit 1 # revogado ou não encontrado
fi
exit 1
fi


@@ -1,64 +0,0 @@
<VirtualHost *:443>
ServerName 10.60.0.1
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key
SSLCACertificateFile /etc/httpd/ssl/ca.crt
# mutual authentication
SSLVerifyClient require
SSLVerifyDepth 1
# ocsp validation
SSLOCSPEnable on
SSLOCSPDefaultResponder "http://10.60.0.1:8888"
SSLOCSPOverrideResponder on
SSLOCSPUseRequestNonce off
# session management
Session On
SessionCookieName session path=/;HttpOnly;Secure
# proteger
<Location "/">
AuthType Form
AuthName "Coimbra VPN"
AuthFormProvider PAM
AuthPAMService httpd-totp
AuthFormLoginRequiredLocation "/login.html"
Require valid-user
</Location>
# public login page
<Location "/login.html">
AuthType None
Require all granted
</Location>
# login handler
<Location "/dologin">
SetHandler form-login-handler
AuthType Form
AuthName "Coimbra VPN"
AuthFormProvider PAM
AuthPAMService httpd-totp
Require all granted
AuthFormLoginSuccessLocation "/index.html"
AuthFormLoginRequiredLocation "/login.html?error=1"
</Location>
# logout handler
<Location "/logout">
SetHandler form-logout-handler
AuthFormLogoutLocation "/login.html?loggedout=1"
</Location>
</VirtualHost>
# redirect para https
<VirtualHost *:80>
ServerName 10.60.0.1
Redirect permanent / https://10.60.0.1/
</VirtualHost>


@@ -1,3 +0,0 @@
auth required pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
account required pam_unix.so


@@ -1,29 +0,0 @@
local 193.136.212.1
port 1194
proto udp
dev tun
verb 4
# Bro is too honorable
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpn.crt
key /etc/openvpn/server/vpn.key
dh /etc/openvpn/server/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
push "route 10.60.0.0 255.255.255.0"
# OCSP and Revocation
script-security 2
tls-verify /etc/openvpn/server/ocsp-verify.sh
# auth
cipher AES-256-GCM
auth SHA256
# plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so totp
tls-auth /etc/openvpn/server/ta.key 0