enable node nginx http on port 1080, simplify mitmdump_monitor to switch between mitm and nginx

5 年前 · 5ddd7fb260
--- a/automation/roles/algo/tasks/algo_firewall.yml
+++ b/automation/roles/algo/tasks/algo_firewall.yml
@@ -37,3 +37,16 @@
    jump: ACCEPT
    comment: Accept new admin SSL connections
  become: yes

 - name: Allow admin HTTP on port 1080
  iptables:
    chain: INPUT
    action: insert
    rule_num: 8
    protocol: tcp
    destination_port: "1080"
    ctstate: NEW
    syn: match
    jump: ACCEPT
    comment: Accept new admin SSL connections
  become: yes
--- a/automation/roles/mitmproxy/files/mitmdump_monitor.sh
+++ b/automation/roles/mitmproxy/files/mitmdump_monitor.sh
@@ -26,22 +26,22 @@ if [[ ! -f ${ROOT_KEY_MARKER} ]] ; then
 fi

 function ensureMitmOn {
  ok80=$(iptables -vnL PREROUTING  -t nat | tail +3 | grep REDIRECT | grep -c "tcp dpt:80 redir ports 8888")
  if [[ ${ok80} -eq 0 ]] ; then
    log "Enabling MITM port forwarding on TCP port 80 -> 8888"
    iptables -I PREROUTING 1 -t nat -p tcp --dport 80 -j REDIRECT --to-ports 8888 || log "Error enabling MITM port 80 forwarding"
  fi
  ok443=$(iptables -vnL PREROUTING  -t nat | tail +3 | grep REDIRECT | grep -c "tcp dpt:443 redir ports 8888")
  if [[ ${ok443} -eq 0 ]] ; then
    log "Enabling MITM port forwarding on TCP port 443 -> 8888"
    iptables -I PREROUTING 1 -t nat -p tcp --dport 443 -j REDIRECT --to-ports 8888 || log "Error enabling MITM port 443 forwarding"
  fi
  log "Flushing PREROUTING before enabling MITM services"
  iptables -F PREROUTING  -t nat || log "Error disabling MITM port forwarding"
  log "Enabling MITM port forwarding on TCP port 80 -> 8888"
  iptables -I PREROUTING 1 -t nat -p tcp --dport 80 -j REDIRECT --to-ports 8888 || log "Error enabling MITM port forwarding 80 -> 8888"
  log "Enabling MITM port forwarding on TCP port 443 -> 8888"
  iptables -I PREROUTING 1 -t nat -p tcp --dport 443 -j REDIRECT --to-ports 8888 || log "Error enabling MITM port forwarding 443 -> 8888"
  echo -n on > ${ROOT_KEY_MARKER}
 }

 function ensureMitmOff {
  log "Disabling MITM port forwarding"
  log "Flushing PREROUTING before disabling MITM services"
  iptables -F PREROUTING  -t nat || log "Error disabling MITM port forwarding"
  log "Enabling MITM port forwarding on TCP port 80 -> 1080"
  iptables -I PREROUTING 1 -t nat -p tcp --dport 80 -j REDIRECT --to-ports 1080 || log "Error enabling nginx port forwarding 80 -> 1080"
  log "Enabling MITM port forwarding on TCP port 443 -> 1443"
  iptables -I PREROUTING 1 -t nat -p tcp --dport 443 -j REDIRECT --to-ports 1443 || log "Error enabling nginx port forwarding 443 -> 1143"
  echo -n off > ${ROOT_KEY_MARKER}
 }

--- a/automation/roles/nginx/templates/site_node.conf.j2
+++ b/automation/roles/nginx/templates/site_node.conf.j2
@@ -1,5 +1,6 @@
 server {
    server_name {{ server_name }};
    listen 1080;
    listen {{ ssl_port }} ssl http2;

    root  /home/bubble/site/;
@@ -34,6 +35,6 @@ server {
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA";

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
        return 301 https://$host:{{ ssl_port }}$request_uri;
    }
 }
--- a/automation/roles/nginx/templates/site_node_alias.conf.j2
+++ b/automation/roles/nginx/templates/site_node_alias.conf.j2
@@ -1,5 +1,6 @@
 server {
    server_name {{ server_alias }};
    listen 1080;
    listen {{ ssl_port }} ssl http2;

    root  /home/bubble/site/;
@@ -34,6 +35,6 @@ server {
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA";

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
        return 301 https://$host:{{ ssl_port }}$request_uri;
    }
 }