Fuck...

VM_OPENSSL_APACHE.sh

@@ -7,6 +7,18 @@ sudo yum install -y epel-release
 sudo yum install -y openssl httpd mod_ssl mod_authnz_pam google-authenticator 
 sudo yum install -y mod_session
 
+# utilizador
+id -u john &>/dev/null || useradd john
+echo "password" | passwd --stdin john
+
+# dar acesso ao apache para ler o .google_authenticator
+groupadd -f totp
+usermod -aG totp apache
+usermod -aG totp john
+
+sudo chown apache:totp /home/john/.google_authenticator
+sudo chmod 660 /home/john/.google_authenticator
+
 if_dentro="enp0s8"
 ip_dentro="10.60.0.1"
 ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
@@ -34,6 +46,7 @@ cp ca/ca.crt /etc/httpd/ssl/
 cp ca/apache.crt /etc/httpd/ssl/
 cp ca/apache.key /etc/httpd/ssl/
 cp conf/ssl.conf /etc/httpd/conf.d/ssl.conf
+cp conf/httpd.conf /etc/httpd/conf/httpd.conf
 cp conf/httpd-totp /etc/pam.d/httpd-totp
 
 # NOTA(vasco) é preciso desativar home protection outra vez
@@ -51,12 +64,3 @@ cp -r www/* /var/www/html/
 chown -R apache:apache /var/www/html/
 
 systemctl enable --now httpd
-
-# acho ?????
-sudo chgrp apache /etc/shadow
-sudo chmod o+x /home/john
-sudo chown apache /home/john/.google_authenticator
-sudo chmod 400 /home/john/.google_authenticator
-sudo chmod o+x /home/user
-sudo chown apache /home/user/.google_authenticator
-sudo chmod 400 /home/user/.google_authenticator

VM_VPN_GATEWAY.sh

@@ -8,7 +8,6 @@
 source VM_CONFIG.sh
 yum install -y google-authenticator qrencode ntpsec
 
-
 # --- forwarding --- #
 if_fora="enp0s8"
 ip_fora="193.136.212.1"
@@ -23,13 +22,13 @@ ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
 echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
 sysctl -p /etc/sysctl.conf
 
-iptables -I INPUT 1  -p udp --dport 1194 -j ACCEPT # :O
+iptables -I INPUT 1  -p udp --dport 1194 -j ACCEPT
-iptables -I FORWARD 1 -i $mega_tunel -o $if_dentro -j ACCEPT # :P
+iptables -I FORWARD 1 -i $mega_tunel -o $if_dentro -j ACCEPT
-iptables -I FORWARD 1 -i $if_dentro -o $mega_tunel -j ACCEPT # ;)
+iptables -I FORWARD 1 -i $if_dentro -o $mega_tunel -j ACCEPT
-iptables -I FORWARD 1 -i $mega_tunel -o $if_fora -j ACCEPT # faltava isto ?
+iptables -I FORWARD 1 -i $mega_tunel -o $if_fora -j ACCEPT
-iptables -I FORWARD 1 -i $if_fora -m state --state ESTABLISHED,RELATED -j ACCEPT # faltava isto ?
+iptables -I FORWARD 1 -i $if_fora -m state --state ESTABLISHED,RELATED -j ACCEPT
-iptables -t nat -A POSTROUTING -s $ip_mega_tunel -o $if_fora -j MASQUERADE # :D
+iptables -t nat -A POSTROUTING -s $ip_mega_tunel -o $if_fora -j MASQUERADE
-iptables-save > /etc/sysconfig/iptables # :3
+iptables-save > /etc/sysconfig/iptables
 
 # --- vpn server --- #
 vpn_dir="/etc/openvpn/server"
@@ -42,3 +41,12 @@ cp conf/vpn.conf $vpn_dir
 cp conf/ocsp-verify.sh $vpn_dir
 cp conf/totp /etc/pam.d/
 systemctl enable --now openvpn-server@vpn.service
+
+# --- utilizador --- #
+id -u john &>/dev/null || useradd john
+echo "password" | passwd --stdin john
+groupadd -f totp
+usermod -aG totp john
+usermod -aG totp openvpn
+sudo chown john:totp /home/john/.google_authenticator
+sudo chmod 660 /home/john/.google_authenticator

conf/httpd.conf

@@ -1 +1 @@
-# LoadModule authnz_pam_module modules/mod_authnz_pam.so
+LoadModule authnz_pam_module modules/mod_authnz_pam.so

conf/ssl.conf

@@ -57,3 +57,9 @@ Listen 443 https
     </Location>
 
 </VirtualHost>
+
+# redirect para https
+<VirtualHost *:80>
+    ServerName 10.60.0.1
+    Redirect permanent / https://10.60.0.1/
+</VirtualHost>

conf/vpn.conf

@@ -3,16 +3,16 @@ port 1194
 proto udp
 dev tun
 
+verb 4
+
 # Bro is too honorable
 ca /etc/openvpn/server/ca.crt
 cert /etc/openvpn/server/vpn.crt
 key /etc/openvpn/server/vpn.key
 dh /etc/openvpn/server/dh2048.pem
 
-server 10.8.0.0 255.255.255.0
-verb 4
-
 topology subnet
+server 10.8.0.0 255.255.255.0
 push "route 10.60.0.0 255.255.255.0"
 
 # OCSP and Revocation

relatorio/relatorio.aux

@@ -24,7 +24,7 @@
 \@writefile{toc}{\contentsline {subsection}{\numberline {5.2}Configuração do Serviço Apache}{9}{subsection.5.2}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsubsection}{\numberline {5.2.1}Testes}{9}{subsubsection.5.2.1}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {5.3}Configuração do Serviço OpenSSL}{9}{subsection.5.3}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsubsection}{\numberline {5.3.1}Testes}{9}{subsubsection.5.3.1}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsubsection}{\numberline {5.3.1}Testes}{10}{subsubsection.5.3.1}\protected@file@percent }
 \@writefile{toc}{\contentsline {section}{\numberline {6}Teste Integrado}{10}{section.6}\protected@file@percent }
 \@writefile{toc}{\contentsline {section}{\numberline {7}Conclusão}{10}{section.7}\protected@file@percent }
 \gdef \@abspage@last{10}

relatorio/relatorio.log

@@ -1,4 +1,4 @@
-This is pdfTeX, Version 3.141592653-2.6-1.40.29 (TeX Live 2026/Arch Linux) (preloaded format=pdflatex 2026.4.13)  27 APR 2026 20:43
+This is pdfTeX, Version 3.141592653-2.6-1.40.29 (TeX Live 2026/Arch Linux) (preloaded format=pdflatex 2026.4.13)  27 APR 2026 22:37
 entering extended mode
  \write18 enabled.
  %&-line parsing enabled.
@@ -1221,8 +1221,13 @@ Package pdftex.def Info: google-authenticator.jpg  used on input line 314.
 \openout6 = `relatorio.listing'.
 
 
-(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing) [8 </home/raw/uni/fsi/
+(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing)
-trabalho/relatorio/google-authenticator.jpg>]
+Overfull \hbox (2.06862pt too wide) in paragraph at lines 352--356
+\T1/Raleway-OsF/m/n/10.95 Para ve-ri-fi-car que o OCSP fun-ci-ona cor-rec-ta-me
+nte, o cli-ente co-nec-tou ao ser-vi-dor OpenVPN:
+ []
+
+[8 </home/raw/uni/fsi/trabalho/relatorio/google-authenticator.jpg>]
 \openout6 = `relatorio.listing'.
 
 
@@ -1256,7 +1261,7 @@ xmf-dist/fonts/type1/impallari/raleway/Raleway-Regular.pfb></usr/share/texmf-di
 st/fonts/type1/public/cm-super/sftt0900.pfb></usr/share/texmf-dist/fonts/type1/
 public/cm-super/sftt1095.pfb>
 Output written on /home/raw/uni/fsi/trabalho/relatorio/relatorio.pdf (10 pages,
- 168978 bytes).
+ 169461 bytes).
 PDF statistics:
  387 PDF objects out of 1000 (max. 8388607)
  336 compressed objects within 4 object streams

relatorio/relatorio.tex

@@ -375,6 +375,17 @@ sudo systemctl start openvpn-client@config %para depois verificar se connecta
 
 
 
+% TODO: screenshots? dizer que erros exatos nos obtemos a cada etapa
+% TODO: erros ortograficos lol 
+
+Para verificar que o OCSP funciona correctamente, o cliente conectou ao servidor OpenVPN:
+primeiro, sem o servidor OCSP a correr, uma segunda vez com ele a correr e com o certificado correcto
+e uma terceira vez com um certificado revogado. Fizemos estes testes sabendo que o 
+cliente e o servidor já estavam correctamente configurados.
+
+Verificamos que, como é suposto: sem OCSP não é possivel autenticar; com OCSP e com certificado válido,
+podemos autenticar; e com OCSP mas com certificado revogado, a autenticação falha.
+
 \section{Servidor Apache e OCSP}
 
 \subsection{Configuração da Máquina}

relatorio/relatorio.toc

@@ -17,6 +17,6 @@
 \contentsline {subsection}{\numberline {5.2}Configuração do Serviço Apache}{9}{subsection.5.2}%
 \contentsline {subsubsection}{\numberline {5.2.1}Testes}{9}{subsubsection.5.2.1}%
 \contentsline {subsection}{\numberline {5.3}Configuração do Serviço OpenSSL}{9}{subsection.5.3}%
-\contentsline {subsubsection}{\numberline {5.3.1}Testes}{9}{subsubsection.5.3.1}%
+\contentsline {subsubsection}{\numberline {5.3.1}Testes}{10}{subsubsection.5.3.1}%
 \contentsline {section}{\numberline {6}Teste Integrado}{10}{section.6}%
 \contentsline {section}{\numberline {7}Conclusão}{10}{section.7}%