Movi apache para a maquina openssl

2026-04-22 13:32:08 +01:00
parent 2fefeed0fe
commit d1ca71e53d
8 changed files with 88 additions and 29 deletions
--- a/VM_APACHE.sh
+++ b/VM_APACHE.sh
@@ -1,9 +0,0 @@
-#!/bin/sh
-
-source VM_CONFIG.sh
-if_dentro="enp0s8"
-ip_dentro="10.60.0.2"
-sudo yum install -y openssl apache
-ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
-cp conf/httpd.conf /etc/httpd/conf/
-cp conf/ssl.conf /etc/httpd/conf.d/
--- a/VM_CONFIG.sh
+++ b/VM_CONFIG.sh
@@ -7,7 +7,7 @@ if [[ "$USER" != "root" ]]; then
 fi

 yum install -y epel-release
-yum install -y openvpn iptables-services
+yum install -y openvpn iptables-services dhcp-client
 systemctl stop firewalld
 systemctl disable firewalld
 systemctl mask firewalld
--- a/VM_OPENSSL.sh
+++ b/VM_OPENSSL.sh
@@ -1,19 +0,0 @@
-#!/bin/bash
-
-# configuracao
-source VM_CONFIG.sh
-if_dentro="enp0s8"
-ip_dentro="10.60.0.1"
-ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
-cp conf/openssl.cnf /etc/pki/tls/
-
-# copiar ca para esta VM
-cp ca/index.txt $CA_DIR
-cp ca/ca.crt $CA_DIR
-cp ca/ca.key $CA_DIR
-cp ca/serial $CA_DIR
-cp ca/dh2048.pem $CA_DIR
-
-# correr oscp
-killall openssl 2>/dev/null
-openssl ocsp -index $CA_DIR/index.txt -port 8888 -rsigner $CA_DIR/ca.crt -rkey $CA_DIR/ca.key -CA $CA_DIR/ca.crt -text &
--- a/VM_OPENSSL_APACHE.sh
+++ b/VM_OPENSSL_APACHE.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# configuracao
+source VM_CONFIG.sh
+
+sudo yum install -y epel-release
+sudo yum install -y openssl httpd mod_ssl mod_authnz_pam google-authenticator
+
+if_dentro="enp0s8"
+ip_dentro="10.60.0.1"
+ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
+
+cp conf/openssl.cnf /etc/pki/tls/
+
+# copiar ca para esta VM
+cp ca/index.txt $CA_DIR
+cp ca/ca.crt $CA_DIR
+cp ca/ca.key $CA_DIR
+cp ca/serial $CA_DIR
+cp ca/dh2048.pem $CA_DIR
+
+# correr oscp
+openssl ocsp -index $CA_DIR/index.txt -port 8888 -rsigner $CA_DIR/ca.crt -rkey $CA_DIR/ca.key -CA $CA_DIR/ca.crt -text &
+
+
+# apache
+mkdir -p /etc/httpd/ssl
+cp ca/ca.crt /etc/httpd/ssl/
+cp ca/apache.crt /etc/httpd/ssl/
+cp ca/apache.key /etc/httpd/ssl/
+cp conf/ssl.conf /etc/httpd/conf.d/ssl.conf
+cp conf/httpd-pam /etc/pam.d/httpd-totp
+
+# NOTA(vasco) é preciso desativar home protection outra vez
+mkdir -p /etc/systemd/system/httpd.service.d
+echo -e "[Service]\nProtectHome=false" > /etc/systemd/system/httpd.service.d/override.conf
+systemctl daemon-reload
+
+# serviço !!!
+systemctl enable --now httpd
--- a/ca/create_all_keys.sh
+++ b/ca/create_all_keys.sh
@@ -3,6 +3,7 @@
 cert_ca="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=CoimbraVPN"
 cert_vpn="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=gateway"
 cert_user="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=warrior"
+cert_apache="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=apache"

 [[ -e "serial" ]]       || echo 1000 > serial
 [[ -e "index.txt" ]]    || touch index.txt
@@ -16,3 +17,6 @@ cert_user="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=warrior"
 [[ -e "user.key" ]]     || openssl genrsa -out user.key
 [[ -e "user.csr" ]]     || openssl req -new -key user.key -out user.csr -subj "$cert_user"
 [[ -e "user.crt" ]] 	|| openssl ca -batch -in "user.csr" -cert "ca.crt" -keyfile "ca.key" -out "user.crt" -config cheese.cfg
+[[ -e "apache.key" ]]   || openssl genrsa -out apache.key
+[[ -e "apache.csr" ]]   || openssl req -new -key apache.key -out apache.csr -subj "$cert_apache"
+[[ -e "apache.crt" ]] 	|| openssl ca -batch -in "apache.csr" -cert "ca.crt" -keyfile "ca.key" -out "apache.crt" -config cheese.cfg
--- a/conf/httpd-pam
+++ b/conf/httpd-pam
@@ -0,0 +1,3 @@
+auth    required    pam_google_authenticator.so forward_pass
+auth    required    pam_unix.so use_first_pass
+account required    pam_unix.so
--- a/conf/ssl.conf
+++ b/conf/ssl.conf
@@ -0,0 +1,28 @@
+Listen 443 https
+<VirtualHost *:443>
+    ServerName 10.60.0.2
+    DocumentRoot /var/www/html
+
+    SSLEngine on
+    SSLCertificateFile /etc/httpd/ssl/apache.crt
+    SSLCertificateKeyFile /etc/httpd/ssl/apache.key
+    SSLCACertificateFile /etc/httpd/ssl/ca.crt
+
+    # Mutual Authentication (Client Cert)
+    SSLVerifyClient require
+    SSLVerifyDepth 1
+
+    # OCSP Validation against CA
+    SSLOCSPEnable on
+    SSLOCSPDefaultResponder "http://10.60.0.1:8888"
+    SSLOCSPOverrideResponder on
+
+    # PAM + TOTP Authentication
+    <Location "/">
+        AuthType Basic
+        AuthName "Enter UNIX Password + Google Authenticator Code"
+        AuthBasicProvider PAM
+        AuthPAMService httpd-totp
+        Require valid-user
+    </Location>
+</VirtualHost>
--- a/relatorio/relatorio.tex
+++ b/relatorio/relatorio.tex
@@ -67,6 +67,18 @@ su john
 google-authenticator
 \end{lstlisting}

+\section{Revocation e OCSP}
+
+\subsection{Testar OSCP via revoke}
+1. Conectar ao VPN e ver que funciona
+2. Na maquina host, nao nas vms, na repo mesmo.
+3. revogar o certificado via openssl
+ -revoke user.crt -config cheese.cfg -keyfile ca.key -cert ca.crt
+4.Fechae OSCP e correr VM_OPENSSL novamente (copiar index.txt e serial?)
+5. Tentar outra vez e ver que de facto falha 
+
+
+
 \section{Conclusion}
 Conclusão!!!