it can proxy not only http but also tcp/udp/ssh.. traffic
Point-and-click configuration: the NginxConfig project —
Path Traversal in misconfigured aliases:
Compression
HTTP/2 support
Lets content load over many streams at once (with HTTP/1.1 the browser limits the number of parallel connections)
Preload and HTTP/2 Push
Preload — fetches static files as early as the moment the headers are loaded (the server hints them to the browser along with the headers)
HTTP/2 Push (declared deprecated, but still supported)
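The notes above worked into one nginx server block: the location/alias trailing-slash mismatch behind the path-traversal note with its fixed form beside it, gzip compression, HTTP/2 on the TLS listener, and a preload hint that can also drive server push. This is an added example, not the author's config; the host name, the /srv/app paths and the asset name app.css are assumptions.

```nginx
server {
    listen 443 ssl http2;            # "http2" on the listener enables HTTP/2 (nginx 1.25.1+ prefers "http2 on;")
    server_name example.com;         # assumed host name
    ssl_certificate     /etc/nginx/certs/cert.crt;
    ssl_certificate_key /etc/nginx/certs/cert.key;

    # Compression: gzip only text-like types; images and archives gain nothing.
    gzip on;
    gzip_types text/plain text/css application/json application/javascript image/svg+xml;
    gzip_min_length 1024;

    # --- Path traversal via a mismatched alias ------------------------------
    # WEAK: the location prefix has no trailing slash while the alias has one.
    # nginx builds the file path by swapping the matched prefix for the alias
    # literally, so a request whose path continues "/static" without a "/"
    # resolves outside /srv/app/static/ (the well-known alias traversal).
    #
    # location /static {
    #     alias /srv/app/static/;
    # }
    #
    # FIXED: prefix and alias both end in "/", so the matched part of the URI
    # is always a complete directory segment and cannot escape the alias dir.
    location /static/ {
        alias /srv/app/static/;      # assumed asset directory
    }

    # --- Preload hint and HTTP/2 push ---------------------------------------
    # The Link header tells the browser to fetch the asset as soon as it has
    # parsed the response headers, before the HTML body arrives.
    # http2_push_preload turns that same header into a server push; newer
    # nginx releases dropped push entirely, the preload header alone still works.
    location / {
        root /srv/app/public;        # assumed document root
        add_header Link "</static/app.css>; rel=preload; as=style";
        http2_push_preload on;
    }
}
```

Run `nginx -t` after editing to catch syntax errors; the static analyzer gixy also flags the location/alias mismatch shown in the WEAK block, which is the easiest way to audit an existing config for it.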
Proxying traffic to another service or container
somedir/
  nginx/
    certs/        — TLS certificates (any certificate will do, as long as there is one)
      cert.crt
      cert.key
      domain.csr
    nginx.conf
  stunnel/        — proxy server that builds the tunnel (could be any service, e.g. flask)
    certs/
    ...
    Dockerfile
    stunnel.txt
  docker-compose.yml
nginx.conf: in effect we say that, depending on the Host header, traffic is forwarded either to plain http or to stunnel (in this example)
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/certs/cert.crt;
    ssl_certificate_key /etc/nginx/certs/cert.key;
    location / {
        proxy_pass http://example.com:80/;
        error_log /var/log/front_end_errors.log;
    }
}
server {
    listen 443 ssl;
    server_name evil.com;
    ssl_certificate     /etc/nginx/certs/cert.crt;
    ssl_certificate_key /etc/nginx/certs/cert.key;
    location / {
        proxy_pass http://evil.com:80/;
        error_log /var/log/front_end_errors.log;
    }
}
server {
    listen 443 ssl;
    server_name somesite.com;
    ssl_certificate     /etc/nginx/certs/cert.crt;
    ssl_certificate_key /etc/nginx/certs/cert.key;
    location / {
        proxy_pass http://stunnel:5555/;
        proxy_set_header Host somesite.com;
        error_log /var/log/front_end_errors.log;
    }
}
docker-compose.yml:
version: "3"
services:
  nginx:
    image: nginx
    ports:
      - "443:443"
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf
      - ./nginx/certs:/etc/nginx/certs
  stunnel:
    build: stunnel
    dns:
      - 8.8.8.8