###### tags: `finished`

:::success
# CIA 6th Lab (Web + LDAP)
:::

## Section 1: Web Server

### Task 1 - Install & Configure Virtual Hosts

:::info
1. Fetch, verify, build and install the webserver daemon from the source.
2. Define the root directory and then two virtual hosts
:::

Okay, let's start by installing everything we need:

```
sudo apt-get install certbot
sudo apt install nginx
```

The first attempts to launch certbot were not very successful, because I had errors in the nsd config. Therefore, we immediately update everything to make sure there is no system error.

```
sudo apt-get update
sudo add-apt-repository ppa:certbot/certbot   # It's out of desperation, well, I'm not looking for easy ways.
sudo apt install snapd
sudo snap install core
sudo snap refresh core
sudo apt remove certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
```

<center>

![](https://i.imgur.com/gV9tIM3.png)

Figure 1 - So, a start has been made!

</center>

I use the name ns.st7.sne21.ru because at that time the updated config had not yet been accepted by all DNSSEC circles. Then we do everything manually:

```
sudo systemctl start nginx
sudo vim /etc/nginx/sites-available/ns.st7.sne21.ru
```

<center>

![](https://i.imgur.com/zPlFhvH.png)

Figure 2 - Template for certbot

</center>

```
sudo ln -s /etc/nginx/sites-available/ns.st7.sne21.ru /etc/nginx/sites-enabled/
sudo nginx -t
```

<center>

![](https://i.imgur.com/BvAp5i9.png)

Figure 4 - Checking and restarting the server

</center>

You also need to remember to go to the AWS dashboard for the instance the server runs on and open ports 80 and 443 for HTTP and HTTPS, respectively.

:::info
3. Create a simple, unique HTML page for each virtual host to make sure that the server can correctly serve it.
:::

```
sudo mkdir -p /var/www/ns.st7.sne21.ru/html
sudo chmod -R 755 /var/www
sudo vim /var/www/ns.st7.sne21.ru/html/index.html
sudo rm /etc/nginx/sites-enabled/default
sudo systemctl restart nginx
```

<center>

![](https://i.imgur.com/i22PmFU.png)

Figure 3 - Welcome Page

</center>

***

I finished the item with the second host after some time. Copy the ns config:

```
cp /etc/nginx/sites-available/ns.st7.sne21.ru /etc/nginx/sites-available/cat.st7.sne21.ru
sudo ln -s /etc/nginx/sites-available/cat.st7.sne21.ru /etc/nginx/sites-enabled/
mkdir -p /var/www/cat.st7.sne21.ru/html
chmod -R 755 /var/www
sudo vim /var/www/cat.st7.sne21.ru/html/index.html
```

Add this as the displayed page:

```
<html>
  <head>
    <title>cat.st7.sne21.ru</title>
  </head>
  <body>
    <h1>Success: You Have Set Up a Virtual Host CAT</h1>
  </body>
</html>
```

Check with the `nginx -t` command, then go back to the other file:

```
vim /etc/nginx/sites-available/cat.st7.sne21.ru
```

We delete everything from the file and add a typical configuration, so that certbot can process it and so that the conflict of listening ports disappears:

```
server {
    listen 80;          # Specify the listening port
    listen [::]:80;     # The same thing for IPv6

    root /var/www/cat.st7.sne21.ru/html;   # The path to the website files
    index index.html index.htm;            # Files to serve when only the domain name is requested

    server_name cat.st7.sne21.ru;          # Domain name of this site

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Run `nginx -t` and `nginx -s reload` for verification. Then we give it to certbot to eat and let it set up the certificate itself:

<center>

![](https://i.imgur.com/BdT53QB.png)

Figure 4 - Work of certbot

</center>

:::info
4. Check the configuration syntax, start the daemon and enable it at boot time (`apachectl -t`, `nginx -t` and `lighttpd -t` respectively).
:::

NGINX checks the configuration for correct syntax and then tries to open the files specified in the configuration; in case of an error it reports the severity (for example `warn` or `emerg`). I used this command all the time, as you can see in the screenshots and commands above.

:::info
5. Use curl to display the contents of a full HTTP/1.1 session served by your server
:::

<center>

![](https://i.imgur.com/3bb5Vjz.png)

Figure 5 - Result of using curl

</center>

:::info
6. Explain the meaning of each request and reply header.
:::

I used the verbose output of the curl command, and to be honest, I saw something similar in the error log when I turned on debugging. That is, we see the process of the client contacting the server. First the public address and port are checked; as you can see, this is port 443 (HTTPS). The location of the SSL certificates is confirmed. Only after the connection security check is finished does the handshake begin. The TLS handshake opens with a greeting from the client. Then the server sends a greeting in return and encrypts all subsequent handshake messages (this is a feature of TLS 1.3). This protocol is used by the client and server when they communicate with each other for the first time; once the handshake is complete, the peers use the established keys to protect the application-level traffic. Next, we can see that the server has accepted the use of HTTP/1.1, and we see its certificate, in which the canonical name of the server appears as the subject: ns.st7.sne21.ru. Then come the start date of the certificate and the date when it ceases to be valid (December 31), followed by the alternative names of my server, although they are the same. `C=US, O=Let's Encrypt, CN=R3`: this line says that the certificate was issued by Let's Encrypt, and "R3" is the intermediate RSA certificate in the chain. Next, we go up to the application level, HTTP/1.1.
Here you can find information about the host, as well as an indication that the client and server exchange session tickets. This is a mechanism by which TLS sessions are resumed using key material previously stored on the hosts, which reduces the number of handshakes. This is followed by information about the server, the connection time, and the transmitted content and its length. You can also see two debug messages; I needed them to track the operation of GeoIP. Below that is the page body itself.

### Task 2 - SSL/TLS

:::info
1. Enable SSL/TLS and tune the various settings to make it as secure as possible.
2. Describe how you created your own certificate(s) e.g. with Let's Encrypt (certbot) or self-signed and re-validate every virtual-host. Explain your security tuning process.
:::

Certbot makes the necessary settings by itself (it added the HTTPS certificates). We see that it enabled port 443 for the server and issued its certificate:

<center>

![](https://i.imgur.com/yEPxFhP.png)

Figure 6 - Certbot

![](https://i.imgur.com/6QHTdmT.png)

Figure 7 - Check ns.st7.sne21.ru after certbot

</center>

### Task 3 - Choose one of the options from the following:

:::info
4. GeoIP. Enable GeoIP on your chosen web-server (is only NGINX capable of doing this?) and show how to take advantage of it with real examples.
:::

I try to install the module, find out that I don't have it, and go looking for a working download mirror. Then I unpack the database and move the settings into the configs.
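Before walking through the individual commands, here is an added shell example that is not part of the lab or its references. It automates the two checks this write-up relies on: it renders the same kind of GeoIP deny-list `map` include that the next steps write by hand (with the lab's own deny list), models that decision offline so the list can be tested without nginx, and probes a deployed vhost for the status line, the `X-debug-message` header the lab adds with `add_header ... always;`, and the HSTS header a hardened TLS vhost from Task 2 should send. `GEOIP_DB`, `MAP_INCLUDE`, the function names and the sample header lines in the comments are assumptions for this example, not values from the lab.

```shell
#!/usr/bin/env bash
# Added example for this write-up (not the lab's own code): build the nginx GeoIP deny-list
# map, model its decision offline, and probe a deployed virtual host for the result.
set -eu

# Constructed deny list: ISO 3166-1 alpha-2 codes, the same set the lab blocks.
DENY_LIST="CN VN TW DE RO"
# Assumed paths (adjust to the host); both are placeholders, not values from the lab.
GEOIP_DB="/usr/share/GeoIP/GeoIP.dat"
MAP_INCLUDE="/etc/nginx/include/block.map.include"

# Render the "map" include. $geoip_country_code is filled in by ngx_http_geoip_module;
# every code not listed falls through to "default yes".
render_geoip_map() {
    local db="$1" deny="$2" cc
    printf 'geoip_country %s;\n' "$db"
    printf 'map $geoip_country_code $allowed_country {\n'
    printf '    default yes;\n'
    for cc in $deny; do
        printf '    %s no;\n' "$cc"
    done
    printf '}\n'
}

# Offline model of the same lookup so the deny list can be unit-tested without nginx.
# GeoIP returns upper-case codes, so the input is normalised to upper case first.
allowed_country() {
    local cc d
    cc=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    for d in $DENY_LIST; do
        if [ "$cc" = "$d" ]; then
            echo no
            return 0
        fi
    done
    echo yes
}

# Check a header dump (for example from "curl -sI", read from stdin) for the HSTS header;
# returns 0 when present, 1 otherwise.
has_hsts() {
    grep -qi '^strict-transport-security:'
}

# Live probe of a deployed vhost: prints the status line, the X-debug-message header
# (sent on 404 too, because the lab's add_header uses "always"), and whether HSTS is set.
probe_vhost() {
    local url="$1" hdrs
    hdrs=$(curl -sSI --max-time 10 "$url")
    printf '%s\n' "$hdrs" | head -n 1
    printf '%s\n' "$hdrs" | grep -i '^x-debug-message:' || echo 'x-debug-message: (not sent)'
    if printf '%s\n' "$hdrs" | has_hsts; then
        echo 'HSTS: present'
    else
        echo 'HSTS: MISSING'
    fi
}

# Write the include and syntax-check it when nginx is installed on this host.
install_geoip_map() {
    render_geoip_map "$GEOIP_DB" "$DENY_LIST" > "$MAP_INCLUDE"
    if command -v nginx >/dev/null 2>&1; then
        nginx -t
    fi
}

# Usage: ./vhost_check.sh install
#        ./vhost_check.sh probe https://ns.st7.sne21.ru/
case "${1:-}" in
    install) install_geoip_map ;;
    probe)   probe_vhost "$2" ;;
esac
```

The offline model and the rendered include share one `DENY_LIST`, so a change to the list is checked by the same script that writes it; the `probe` subcommand is what the lab does by hand with a proxy and a browser, but it also catches a missing HSTS header, which the 404 test alone does not.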
```
sudo mkdir /usr/share/GeoIP
cd /usr/share/GeoIP/
sudo wget https://mirrors-cdn.liferay.com/geolite.maxmind.com/download/geoip/database/GeoIP.dat.gz
sudo gunzip GeoIP.dat.gz
```

<center>

![](https://i.imgur.com/x9pgJy9.png)

Figure 8 - The mirror is working

</center>

```
sudo vim /etc/nginx/include/block.map.include
```

```
geoip_country /usr/share/GeoIP/GeoIP.dat;

map $geoip_country_code $allowed_country {
    default yes;
    CN no;
    VN no;
    TW no;
    DE no;
    RO no;
}
```

Add a line to the nginx configuration file (`vim /etc/nginx/nginx.conf`):

```
include include/block.map.include;
```

<center>

![](https://i.imgur.com/D6HmCmh.png)

Figure 9 - Modify nginx.conf

</center>

I find out that the necessary module is not there. I'll have to build it:

<center>

![](https://i.imgur.com/7LN4FMq.png)

Figure 10 - `nginx -V`

</center>

If you need to add any module, you have to rebuild nginx manually. We install a new version:

```
# unpack nginx again
cd /root
mkdir nginx
cd ./nginx
wget http://nginx.org/download/nginx-1.21.2.tar.gz
tar -xvf nginx-1.21.2.tar.gz

# install a pre-installed set of modules
cd nginx-1.21.2
bash <(curl -f -L -sS https://ngxpagespeed.com/install) \
    --nginx-version 1.21.2

# save all modules
bash <(curl -f -L -sS https://ngxpagespeed.com/install) -m
```

<center>

![](https://i.imgur.com/OwU3HRJ.png)

Figure 11 - Pre-installed set of modules

</center>

We use the configure arguments from the `nginx -V` output with `./configure`:

<center>

![](https://i.imgur.com/cYPXVCg.png)

Figure 12 - Modules

</center>

These dependencies were not found, so I had to install them:

```
sudo apt-get install libssl-dev
sudo apt-get install libxml2-dev
sudo apt-get install libxslt-dev
sudo apt-get install php7.4-gd
apt install unzip build-essential libpcre3 libpcre3-dev openssl libssl-dev zlib1g zlib1g-dev libxslt-dev libgd-dev libgeoip-dev
```

<center>

![](https://i.imgur.com/KfQtUw0.png)

Figure 13 - Successful result

</center>

Finally, everything was found, and you
can build it with the `make` command, and afterwards check our modules.

<center>

![](https://i.imgur.com/MkyQVxJ.png)

Figure 14 - Collect everything into a single whole

</center>

We stop the service and replace the binary:

```
service nginx stop
mv /usr/sbin/nginx /usr/sbin/nginx_back
mv /usr/share/nginx/sbin/nginx /usr/sbin/nginx
```

<center>

![](https://i.imgur.com/mI1325u.png)

Figure 15 - End

</center>

After that, add the following to the `server` section of `/etc/nginx/sites-available/ns.st7.sne21.ru`:

```
if ($allowed_country = no) {
    return 404;
}
```

Now, after reloading the configuration, check that the settings work. Additionally, I used `add_header X-debug-message 2 $geoip_country_code always;` to see whether everything was ok with the rules for the root zone. To check, just use some free proxy; I used Windscribe. Select a country that is not on the allowed list: China, Taiwan, Vietnam, Germany or Romania.

<center>

![](https://i.imgur.com/atPXP6F.png)

Figure 15 - 404

</center>

:::danger
**for test (just ns.st7 works with GeoIP):**
https://cat.st7.sne21.ru/
https://ns.st7.sne21.ru/
:::

## References:

1. [Adding nginx modules to Linux](https://fornex.com/help/module-nginx-linux/)
2. [Nginx + GeoIP](https://fornex.com/help/settings-nginx-geoip/)
3. [RFC8446](https://datatracker.ietf.org/doc/html/rfc8446)
4. [Intermediate Certificates](https://letsencrypt.org/certificates/)