bubblev
/
bubble
9
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 130 Wiki Activity
Browse Source

enable node nginx http on port 1080, simplify mitmdump_monitor to switch between mitm and nginx

tags/v0.2.0
Jonathan Cobb 5 years ago
parent
4e53fb22c4
commit
5ddd7fb260
4 changed files with 28 additions and 13 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +13
    -0
      automation/roles/algo/tasks/algo_firewall.yml
  2. +11
    -11
      automation/roles/mitmproxy/files/mitmdump_monitor.sh
  3. +2
    -1
      automation/roles/nginx/templates/site_node.conf.j2
  4. +2
    -1
      automation/roles/nginx/templates/site_node_alias.conf.j2

+ 13
- 0
automation/roles/algo/tasks/algo_firewall.yml View File

@@ -37,3 +37,16 @@
jump: ACCEPT jump: ACCEPT
comment: Accept new admin SSL connections comment: Accept new admin SSL connections
become: yes become: yes

- name: Allow admin HTTP on port 1080
iptables:
chain: INPUT
action: insert
rule_num: 8
protocol: tcp
destination_port: "1080"
ctstate: NEW
syn: match
jump: ACCEPT
comment: Accept new admin SSL connections
become: yes

+ 11
- 11
automation/roles/mitmproxy/files/mitmdump_monitor.sh View File

@@ -26,22 +26,22 @@ if [[ ! -f ${ROOT_KEY_MARKER} ]] ; then
fi fi


function ensureMitmOn { function ensureMitmOn {
ok80=$(iptables -vnL PREROUTING -t nat | tail +3 | grep REDIRECT | grep -c "tcp dpt:80 redir ports 8888")
if [[ ${ok80} -eq 0 ]] ; then
log "Enabling MITM port forwarding on TCP port 80 -> 8888"
iptables -I PREROUTING 1 -t nat -p tcp --dport 80 -j REDIRECT --to-ports 8888 || log "Error enabling MITM port 80 forwarding"
fi
ok443=$(iptables -vnL PREROUTING -t nat | tail +3 | grep REDIRECT | grep -c "tcp dpt:443 redir ports 8888")
if [[ ${ok443} -eq 0 ]] ; then
log "Enabling MITM port forwarding on TCP port 443 -> 8888"
iptables -I PREROUTING 1 -t nat -p tcp --dport 443 -j REDIRECT --to-ports 8888 || log "Error enabling MITM port 443 forwarding"
fi
log "Flushing PREROUTING before enabling MITM services"
iptables -F PREROUTING -t nat || log "Error disabling MITM port forwarding"
log "Enabling MITM port forwarding on TCP port 80 -> 8888"
iptables -I PREROUTING 1 -t nat -p tcp --dport 80 -j REDIRECT --to-ports 8888 || log "Error enabling MITM port forwarding 80 -> 8888"
log "Enabling MITM port forwarding on TCP port 443 -> 8888"
iptables -I PREROUTING 1 -t nat -p tcp --dport 443 -j REDIRECT --to-ports 8888 || log "Error enabling MITM port forwarding 443 -> 8888"
echo -n on > ${ROOT_KEY_MARKER} echo -n on > ${ROOT_KEY_MARKER}
} }


function ensureMitmOff { function ensureMitmOff {
log "Disabling MITM port forwarding"
log "Flushing PREROUTING before disabling MITM services"
iptables -F PREROUTING -t nat || log "Error disabling MITM port forwarding" iptables -F PREROUTING -t nat || log "Error disabling MITM port forwarding"
log "Enabling MITM port forwarding on TCP port 80 -> 1080"
iptables -I PREROUTING 1 -t nat -p tcp --dport 80 -j REDIRECT --to-ports 1080 || log "Error enabling nginx port forwarding 80 -> 1080"
log "Enabling MITM port forwarding on TCP port 443 -> 1443"
iptables -I PREROUTING 1 -t nat -p tcp --dport 443 -j REDIRECT --to-ports 1443 || log "Error enabling nginx port forwarding 443 -> 1143"
echo -n off > ${ROOT_KEY_MARKER} echo -n off > ${ROOT_KEY_MARKER}
} }




+ 2
- 1
automation/roles/nginx/templates/site_node.conf.j2 View File

@@ -1,5 +1,6 @@
server { server {
server_name {{ server_name }}; server_name {{ server_name }};
listen 1080;
listen {{ ssl_port }} ssl http2; listen {{ ssl_port }} ssl http2;


root /home/bubble/site/; root /home/bubble/site/;
@@ -34,6 +35,6 @@ server {
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA"; ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA";


if ($scheme != "https") { if ($scheme != "https") {
return 301 https://$host$request_uri;
return 301 https://$host:{{ ssl_port }}$request_uri;
} }
} }

+ 2
- 1
automation/roles/nginx/templates/site_node_alias.conf.j2 View File

@@ -1,5 +1,6 @@
server { server {
server_name {{ server_alias }}; server_name {{ server_alias }};
listen 1080;
listen {{ ssl_port }} ssl http2; listen {{ ssl_port }} ssl http2;


root /home/bubble/site/; root /home/bubble/site/;
@@ -34,6 +35,6 @@ server {
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA"; ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA";


if ($scheme != "https") { if ($scheme != "https") {
return 301 https://$host$request_uri;
return 301 https://$host:{{ ssl_port }}$request_uri;
} }
} }

Write Preview
Loading…
Cancel
Save