vasco/FSI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Movi apache para a maquina openssl

Browse Source
This commit is contained in:
Vasco
2026-04-22 13:32:08 +01:00
parent 2fefeed0fe
commit d1ca71e53d
8 changed files with 88 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
VM_APACHE.sh
View File

@@ -1,9 +0,0 @@
#!/bin/sh
source VM_CONFIG.sh
if_dentro="enp0s8"
ip_dentro="10.60.0.2"
sudo yum install -y openssl apache
ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
cp conf/httpd.conf /etc/httpd/conf/
cp conf/ssl.conf /etc/httpd/conf.d/

2
VM_CONFIG.sh
View File

@@ -7,7 +7,7 @@ if [[ "$USER" != "root" ]]; then
fi fi
yum install -y epel-release yum install -y epel-release
yum install -y openvpn iptables-services yum install -y openvpn iptables-services dhcp-client
systemctl stop firewalld systemctl stop firewalld
systemctl disable firewalld systemctl disable firewalld
systemctl mask firewalld systemctl mask firewalld

19
VM_OPENSSL.sh
View File

@@ -1,19 +0,0 @@
#!/bin/bash
# configuracao
source VM_CONFIG.sh
if_dentro="enp0s8"
ip_dentro="10.60.0.1"
ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
cp conf/openssl.cnf /etc/pki/tls/
# copiar ca para esta VM
cp ca/index.txt $CA_DIR
cp ca/ca.crt $CA_DIR
cp ca/ca.key $CA_DIR
cp ca/serial $CA_DIR
cp ca/dh2048.pem $CA_DIR
# correr oscp
killall openssl 2>/dev/null
openssl ocsp -index $CA_DIR/index.txt -port 8888 -rsigner $CA_DIR/ca.crt -rkey $CA_DIR/ca.key -CA $CA_DIR/ca.crt -text &

40
VM_OPENSSL_APACHE.sh Normal file
View File

@@ -0,0 +1,40 @@
#!/bin/bash
# configuracao
source VM_CONFIG.sh
sudo yum install -y epel-release
sudo yum install -y openssl httpd mod_ssl mod_authnz_pam google-authenticator
if_dentro="enp0s8"
ip_dentro="10.60.0.1"
ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
cp conf/openssl.cnf /etc/pki/tls/
# copiar ca para esta VM
cp ca/index.txt $CA_DIR
cp ca/ca.crt $CA_DIR
cp ca/ca.key $CA_DIR
cp ca/serial $CA_DIR
cp ca/dh2048.pem $CA_DIR
# correr oscp
openssl ocsp -index $CA_DIR/index.txt -port 8888 -rsigner $CA_DIR/ca.crt -rkey $CA_DIR/ca.key -CA $CA_DIR/ca.crt -text &
# apache
mkdir -p /etc/httpd/ssl
cp ca/ca.crt /etc/httpd/ssl/
cp ca/apache.crt /etc/httpd/ssl/
cp ca/apache.key /etc/httpd/ssl/
cp conf/ssl.conf /etc/httpd/conf.d/ssl.conf
cp conf/httpd-pam /etc/pam.d/httpd-totp
# NOTA(vasco) é preciso desativar home protection outra vez
mkdir -p /etc/systemd/system/httpd.service.d
echo -e "[Service]\nProtectHome=false" > /etc/systemd/system/httpd.service.d/override.conf
systemctl daemon-reload
# serviço !!!
systemctl enable --now httpd

4
ca/create_all_keys.sh
View File

@@ -3,6 +3,7 @@
cert_ca="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=CoimbraVPN" cert_ca="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=CoimbraVPN"
cert_vpn="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=gateway" cert_vpn="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=gateway"
cert_user="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=warrior" cert_user="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=warrior"
cert_apache="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=apache"
[[ -e "serial" ]] || echo 1000 > serial [[ -e "serial" ]] || echo 1000 > serial
[[ -e "index.txt" ]] || touch index.txt [[ -e "index.txt" ]] || touch index.txt
@@ -16,3 +17,6 @@ cert_user="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=warrior"
[[ -e "user.key" ]] || openssl genrsa -out user.key [[ -e "user.key" ]] || openssl genrsa -out user.key
[[ -e "user.csr" ]] || openssl req -new -key user.key -out user.csr -subj "$cert_user" [[ -e "user.csr" ]] || openssl req -new -key user.key -out user.csr -subj "$cert_user"
[[ -e "user.crt" ]] || openssl ca -batch -in "user.csr" -cert "ca.crt" -keyfile "ca.key" -out "user.crt" -config cheese.cfg [[ -e "user.crt" ]] || openssl ca -batch -in "user.csr" -cert "ca.crt" -keyfile "ca.key" -out "user.crt" -config cheese.cfg
[[ -e "apache.key" ]] || openssl genrsa -out apache.key
[[ -e "apache.csr" ]] || openssl req -new -key apache.key -out apache.csr -subj "$cert_apache"
[[ -e "apache.crt" ]] || openssl ca -batch -in "apache.csr" -cert "ca.crt" -keyfile "ca.key" -out "apache.crt" -config cheese.cfg

3
conf/httpd-pam Normal file
View File

@@ -0,0 +1,3 @@
auth required pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
account required pam_unix.so

28
conf/ssl.conf
View File

@@ -0,0 +1,28 @@
Listen 443 https
<VirtualHost *:443>
ServerName 10.60.0.2
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key
SSLCACertificateFile /etc/httpd/ssl/ca.crt
# Mutual Authentication (Client Cert)
SSLVerifyClient require
SSLVerifyDepth 1
# OCSP Validation against CA
SSLOCSPEnable on
SSLOCSPDefaultResponder "http://10.60.0.1:8888"
SSLOCSPOverrideResponder on
# PAM + TOTP Authentication
<Location "/">
AuthType Basic
AuthName "Enter UNIX Password + Google Authenticator Code"
AuthBasicProvider PAM
AuthPAMService httpd-totp
Require valid-user
</Location>
</VirtualHost>

12
relatorio/relatorio.tex
View File

@@ -67,6 +67,18 @@ su john
google-authenticator google-authenticator
\end{lstlisting} \end{lstlisting}
\section{Revocation e OCSP}
\subsection{Testar OSCP via revoke}
1. Conectar ao VPN e ver que funciona
2. Na maquina host, nao nas vms, na repo mesmo.
3. revogar o certificado via openssl
-revoke user.crt -config cheese.cfg -keyfile ca.key -cert ca.crt
4.Fechae OSCP e correr VM_OPENSSL novamente (copiar index.txt e serial?)
5. Tentar outra vez e ver que de facto falha
\section{Conclusion} \section{Conclusion}
Conclusão!!! Conclusão!!!