Initialize reverse proxy and TLS workshop lab setup
This commit is contained in:
hkoeck
@@ -0,0 +1,116 @@
|
||||
# Wireshark Hint Card (optional)
|
||||
|
||||
Diese Hinweise helfen bei der Bonus-Challenge mit Paketmitschnitt.
|
||||
|
||||
## 1) Installation
|
||||
|
||||
Fedora:
|
||||
|
||||
```bash
|
||||
sudo dnf install -y wireshark wireshark-cli
|
||||
```
|
||||
|
||||
Ubuntu/WSL:
|
||||
|
||||
```bash
|
||||
sudo apt update
|
||||
sudo apt install -y wireshark tshark
|
||||
```
|
||||
|
||||
## 2) Interface waehlen
|
||||
|
||||
- Linux lokal: meist `lo` (Loopback) fuer `localhost`
|
||||
- Docker-Welt: ggf. `docker0` bzw. Bridge-Interface
|
||||
|
||||
## 3) HTTP zuerst (Klartext)
|
||||
|
||||
1. Mitschnitt starten
|
||||
2. Request senden:
|
||||
|
||||
```bash
|
||||
curl http://localhost:8080/service/a
|
||||
```
|
||||
|
||||
3. In Wireshark nach `http` oder `tcp.port == 8080` filtern
|
||||
|
||||
## 4) Root-CA importieren und HTTPS ohne -k testen
|
||||
|
||||
Voraussetzung: HTTPS-Challenge umgesetzt (Port `8443` aktiv).
|
||||
|
||||
Fedora:
|
||||
|
||||
```bash
|
||||
sudo cp certs/easyrsa/pki/ca.crt /etc/pki/ca-trust/source/anchors/htl-workshop-root-ca.crt
|
||||
sudo update-ca-trust
|
||||
```
|
||||
|
||||
Ubuntu/Debian:
|
||||
|
||||
```bash
|
||||
sudo cp certs/easyrsa/pki/ca.crt /usr/local/share/ca-certificates/htl-workshop-root-ca.crt
|
||||
sudo update-ca-certificates
|
||||
```
|
||||
|
||||
Test:
|
||||
|
||||
```bash
|
||||
curl https://localhost:8443/service/a
|
||||
```
|
||||
|
||||
## 5) HTTPS danach mitschneiden (verschluesselt)
|
||||
|
||||
Filter:
|
||||
|
||||
```text
|
||||
tcp.port == 8443
|
||||
```
|
||||
|
||||
oder
|
||||
|
||||
```text
|
||||
tls
|
||||
```
|
||||
|
||||
Handshake schnell finden:
|
||||
|
||||
```text
|
||||
tls.handshake
|
||||
```
|
||||
|
||||
Nur Zertifikats-Nachrichten:
|
||||
|
||||
```text
|
||||
tls.handshake.type == 11
|
||||
```
|
||||
|
||||
## 6) Optional: TLS in Wireshark entschluesseln
|
||||
|
||||
1. Vor Browser-Start setzen:
|
||||
|
||||
```bash
|
||||
export SSLKEYLOGFILE="$HOME/sslkeys.log"
|
||||
```
|
||||
|
||||
2. Browser aus derselben Shell starten und HTTPS-Request erzeugen.
|
||||
3. In Wireshark unter TLS-Preferences `sslkeys.log` als Key Log File setzen.
|
||||
4. Mitschnitt erneut laden.
|
||||
|
||||
CLI-Alternative mit tshark (optional):
|
||||
|
||||
```bash
|
||||
tshark -i lo -f "tcp port 8443"
|
||||
```
|
||||
|
||||
## 7) Was ihr zeigen sollt
|
||||
|
||||
- HTTP-Mitschnitt: URL/Headers lesbar
|
||||
- HTTPS-Mitschnitt: TLS Handshake sichtbar, Nutzdaten nicht im Klartext
|
||||
- Nach CA-Import funktioniert `curl https://localhost:8443/...` ohne `-k`
|
||||
- Optional: Mit Key Log koennen HTTP-Details im TLS-Stream sichtbar werden
|
||||
|
||||
## 8) Erwartete Abgabe (kurz)
|
||||
|
||||
- Screenshot 1: HTTP-Request mit lesbaren Daten
|
||||
- Screenshot 2: HTTPS-Request mit TLS-Handshake
|
||||
- Screenshot 3 (optional): entschluesselter TLS-Stream via Key Log
|
||||
- 3 Bulletpoints: Unterschied HTTP vs HTTPS in euren eigenen Worten
|
||||
Reference in New Issue
Block a user