AlexBa16/htl-reverse-proxy-tls-lab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initialize reverse proxy and TLS workshop lab setup

Browse Source
This commit is contained in:
hkoeck
2026-03-07 17:21:22 +01:00
commit 3047413a41
22 changed files with 2062 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.env.example
+1
View File
@@ -0,0 +1 @@
HTTP_PORT=8080
.gitignore
+4
View File
@@ -0,0 +1,4 @@
.env
certs/*
!certs/.gitkeep
__pycache__/
Makefile
+26
View File
@@ -0,0 +1,26 @@
.PHONY: bootstrap up down logs redeploy proxy-reload reset reset-hard
bootstrap:
./scripts/bootstrap.sh
up:
./scripts/compose.sh up -d --build
redeploy:
./scripts/compose.sh up -d --build --remove-orphans
./scripts/compose.sh restart reverse-proxy
proxy-reload:
./scripts/compose.sh restart reverse-proxy
down:
./scripts/compose.sh down
logs:
./scripts/compose.sh logs -f
reset:
./scripts/reset-lab.sh
reset-hard:
./scripts/reset-lab.sh --hard
README.md
+118
View File
@@ -0,0 +1,118 @@
# HTL Workshop - Reverse Proxy & TLS Lab
Dieses Repo ist ein **leichtes HTTP-Basissetup** fuer einen Workshop mit Fokus auf:
- Reverse Proxy Grundlagen (Nginx)
- Routing auf mehrere Backends
- TLS/HTTPS manuell umsetzen (z. B. Easy-RSA)
- Security-Hardening im Proxy
Die Aufgaben sind absichtlich auf **manuelle Konfiguration** ausgelegt, nicht auf App-Entwicklung.
## Architektur
- `reverse-proxy` (Nginx, Port `8080`)
- `backend-a` (einfaches statisches Backend)
- `backend-b` (einfaches statisches Backend)
Basisrouten nach dem Start:
- `http://localhost:8080/` -> Startseite
- `http://localhost:8080/service/a` -> Backend A via Proxy
- `http://localhost:8080/service/b` -> Backend B via Proxy
## WebUI Struktur
- `http://localhost:8080/` -> Ueberblick + Navigation
- `http://localhost:8080/challenges.html` -> Detaillierte Challenges
- `http://localhost:8080/hints.html` -> Hint Cheatsheet
- `http://localhost:8080/solutions.html` -> Musterloesungen
## Voraussetzungen (WSL oder Linux)
1. Docker + Compose (`docker compose` oder `docker-compose`)
2. Bei Windows: Docker Desktop + WSL Integration aktiv
3. Optional fuer TLS-Challenges: `easy-rsa`, `openssl`, `wireshark`
## Schnellstart
```bash
./scripts/bootstrap.sh
```
### Start auf Windows
Empfohlen: ueber WSL starten (nicht nativ in PowerShell ohne WSL).
Option A (WSL Terminal):
```bash
./scripts/bootstrap.sh
```
Option B (PowerShell Wrapper):
```powershell
./scripts/workshop.ps1 -Action bootstrap
```
Der PowerShell-Wrapper braucht kein `make` und ruft die Linux-Skripte direkt in WSL auf.
Falls PowerShell das Script blockiert:
```powershell
Set-ExecutionPolicy -Scope Process Bypass
```
Weitere Aktionen aus PowerShell:
```powershell
./scripts/workshop.ps1 -Action redeploy
./scripts/workshop.ps1 -Action proxy-reload
./scripts/workshop.ps1 -Action reset
```
Wenn mehrere Distros installiert sind:
```powershell
./scripts/workshop.ps1 -Action bootstrap -Distro Ubuntu-24.04
```
Der Script:
- prueft Docker + Compose
- erstellt `.env` aus `.env.example` (falls nicht vorhanden)
- startet den Stack
## Neu deployen / resetten
```bash
make redeploy
make proxy-reload
make reset
```
- `redeploy`: build + restart aller Services
- `proxy-reload`: nur Reverse Proxy restart
- `reset`: Container/Netzwerk/Volumes aufraeumen
Hinweis: `make redeploy` startet zusaetzlich den Reverse Proxy neu, damit Nginx-Config-Aenderungen sicher aktiv sind.
## Kurz testen
```bash
curl http://localhost:8080/service/a
curl http://localhost:8080/service/b
```
## Fokus im Workshop
Die Basis ist bewusst nur HTTP. HTTPS ist Teil der Aufgaben:
- CA + Server-Zertifikat selbst erstellen
- Nginx auf 443 erweitern
- Root-CA importieren
- HSTS und TLS-Haertung umsetzen
- TLS mitschneiden und analysieren
Vollstaendige TLS-Beispielkonfiguration mit HSTS: `proxy/nginx.tls.example.conf`.
backends/a/index.html
+74
View File
@@ -0,0 +1,74 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Backend A</title>
<style>
:root {
--bg: #0f1b2e;
--card: #173252;
--line: #3a6e96;
--text: #e9f2fb;
--muted: #b6cce0;
--accent: #4ecdc4;
}
* {
box-sizing: border-box;
}
body {
margin: 0;
min-height: 100vh;
display: grid;
place-items: center;
padding: 1rem;
font-family: "Fira Sans", "Segoe UI", sans-serif;
color: var(--text);
background: radial-gradient(circle at top right, #22456b, var(--bg) 60%);
}
main {
width: min(760px, 100%);
background: var(--card);
border: 1px solid var(--line);
border-radius: 14px;
padding: 1.1rem;
}
h1 {
margin-top: 0;
}
p {
color: var(--muted);
}
code {
background: #0f2438;
border: 1px solid #2d587a;
border-radius: 6px;
padding: 0.1rem 0.35rem;
}
.tag {
display: inline-block;
background: var(--accent);
color: #072420;
border-radius: 999px;
padding: 0.15rem 0.55rem;
font-weight: 700;
font-size: 0.85rem;
}
</style>
</head>
<body>
<main>
<span class="tag">Backend A</span>
<h1>Reverse Proxy Target A</h1>
<p>This page is served by backend A and reached through Nginx reverse proxy.</p>
<p>Route example: <code>/service/a</code></p>
</main>
</body>
</html>
backends/b/index.html
+74
View File
@@ -0,0 +1,74 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Backend B</title>
<style>
:root {
--bg: #1e1308;
--card: #3a2412;
--line: #8a5b34;
--text: #fff4ea;
--muted: #f0d5bf;
--accent: #ffd166;
}
* {
box-sizing: border-box;
}
body {
margin: 0;
min-height: 100vh;
display: grid;
place-items: center;
padding: 1rem;
font-family: "Fira Sans", "Segoe UI", sans-serif;
color: var(--text);
background: radial-gradient(circle at top left, #5a371d, var(--bg) 60%);
}
main {
width: min(760px, 100%);
background: var(--card);
border: 1px solid var(--line);
border-radius: 14px;
padding: 1.1rem;
}
h1 {
margin-top: 0;
}
p {
color: var(--muted);
}
code {
background: #2a190d;
border: 1px solid #7d4f29;
border-radius: 6px;
padding: 0.1rem 0.35rem;
}
.tag {
display: inline-block;
background: var(--accent);
color: #3a2300;
border-radius: 999px;
padding: 0.15rem 0.55rem;
font-weight: 700;
font-size: 0.85rem;
}
</style>
</head>
<body>
<main>
<span class="tag">Backend B</span>
<h1>Reverse Proxy Target B</h1>
<p>This page is served by backend B and reached through Nginx reverse proxy.</p>
<p>Route example: <code>/service/b</code></p>
</main>
</body>
</html>
certs/.gitkeep
View File
challenges/README.md
+229
View File
@@ -0,0 +1,229 @@
# Workshop Challenges (Reverse Proxy + TLS Focus)
Diese Aufgaben sind auf **manuelle Proxy-Konfiguration** ausgelegt.
Abgabe pro Aufgabe:
- kurzer Demo-Run (1-3 Minuten)
- Done-Check Command
- 2-3 Saetze: Was wurde geaendert und warum?
## Arbeitsmodus
1. Datei anpassen (`proxy/nginx.conf`, `docker-compose.yml`).
2. Deployen mit `make redeploy` oder `make proxy-reload`.
3. Testen mit `curl`/`openssl`.
4. Wenn etwas kaputt ist: `./scripts/compose.sh logs reverse-proxy`.
---
## Easy
### 1) Routing verstehen
**Ziel**
- Reverse Proxy leitet Requests auf unterschiedliche Backends.
**Muss**
- `service/a` und `service/b` aufrufen.
- Unterschiede in den Antworten erklaeren.
**Done-Check**
```bash
curl http://localhost:8080/service/a
curl http://localhost:8080/service/b
```
### 2) Drittes Backend manuell hinzufuegen
**Ziel**
- Proxy auf ein neues Backend erweitern.
**Dateien**
- `docker-compose.yml`
- `proxy/nginx.conf`
**Muss**
- Service `backend-c` anlegen.
- Upstream + Route `/service/c` konfigurieren.
**Done-Check**
```bash
curl http://localhost:8080/service/c
```
### 3) Eigene Route mit Rewrite
**Ziel**
- URL-Struktur im Proxy gestalten.
**Datei**
- `proxy/nginx.conf`
**Muss**
- Route `/demo/a` soll intern auf Backend A zeigen.
- Implementierung ueber `rewrite` oder eigene `location`.
**Done-Check**
```bash
curl http://localhost:8080/demo/a
```
---
## Medium
### 4) Security Headers setzen
**Ziel**
- Grundlegende Header-Haertung im Proxy.
**Datei**
- `proxy/nginx.conf`
**Muss**
- Setze mindestens:
- `X-Content-Type-Options: nosniff`
- `X-Frame-Options: DENY`
- `Referrer-Policy: no-referrer`
**Done-Check**
```bash
curl -I http://localhost:8080/
```
### 5) Interne Route absichern
**Ziel**
- Route nur lokal erreichbar machen.
**Datei**
- `proxy/nginx.conf`
**Muss**
- Neue Route `/internal/status` bauen.
- Nur `127.0.0.1` erlauben, alle anderen verbieten.
**Done-Check**
```bash
curl -i http://localhost:8080/internal/status
```
### 6) Logging verbessern
**Ziel**
- Proxy-Debugging ueber bessere Logs.
**Datei**
- `proxy/nginx.conf`
**Muss**
- Eigenes `log_format` mit Upstream-Infos erstellen.
- Access Log auf dieses Format umstellen.
**Done-Check**
```bash
curl http://localhost:8080/service/a
./scripts/compose.sh logs reverse-proxy
```
---
## Hard (TLS)
### 7) HTTPS von 0 mit Easy-RSA
**Ziel**
- Eigene CA + Server-Zertifikat fuer `localhost`.
**Dateien**
- `docker-compose.yml`
- `proxy/nginx.conf`
**Muss**
- Cert fuer `localhost` erzeugen.
- Proxy auf `443` aktivieren (z. B. `8443:443`).
- Root-CA importieren.
**Done-Check**
```bash
curl https://localhost:8443/service/a
```
### 8) HTTP -> HTTPS Redirect
**Ziel**
- Klarer Redirect-Flow.
**Datei**
- `proxy/nginx.conf`
**Muss**
- HTTP Requests auf HTTPS umleiten.
- `/healthz` darf optional auf HTTP bleiben.
**Done-Check**
```bash
curl -I http://localhost:8080/service/a
```
### 9) TLS Haertung + Chain Check
**Ziel**
- Bessere TLS-Defaults + saubere Validierung.
**Datei**
- `proxy/nginx.conf`
**Muss**
- TLS auf 1.2/1.3 beschraenken.
- HSTS aktivieren (`Strict-Transport-Security`).
- Zertifikatskette pruefen.
Hinweis: Im HTTP-Basissetup ist HSTS absichtlich **noch nicht** aktiv. Das ist Teil der Aufgabe.
**Done-Check**
```bash
curl -I https://localhost:8443/service/a
openssl s_client -connect localhost:8443 -servername localhost
```
---
## Bonus Expert
### 10) Wireshark: HTTP vs HTTPS
**Ziel**
- Sichtbar machen, was verschluesselt ist und was nicht.
**Muss**
- HTTP Traffic auf `8080` mitschneiden.
- HTTPS Traffic auf `8443` mitschneiden.
- TLS Handshake markieren (`ClientHello`, `ServerHello`, `Certificate`).
- Technisch erklaeren, warum HTTP lesbar ist und HTTPS nicht.
**Vorgehen (empfohlen)**
1. Capture auf `lo` (oder passendes Interface) starten, Filter `tcp.port == 8080`.
2. `curl http://localhost:8080/service/a` senden und HTTP-Stream zeigen.
3. Capture auf `tcp.port == 8443` oder `tls` umstellen.
4. `curl https://localhost:8443/service/a` senden.
5. Handshake-Pakete markieren und kurz erklaeren.
**Optional**
- TLS Decrypt mit `SSLKEYLOGFILE`.
**Done-Check**
- 3-4 Screenshots + 3-5 Bulletpoints Auswertung.
**Typische Fehler**
- falsches Interface gewaehlt
- HTTPS noch nicht korrekt aktiv
- Keylog gesetzt, aber Browser nicht aus derselben Shell gestartet
---
## Zusatz-Hints
- `challenges/easyrsa-hints.md`
- `challenges/wireshark-hints.md`
challenges/easyrsa-hints.md
+125
View File
@@ -0,0 +1,125 @@
# Easy-RSA Hint Card (optional)
Diese Hinweise koennen Teams nutzen, wenn sie bei der HTTPS-Challenge feststecken.
## 1) Easy-RSA installieren (WSL/Linux)
Fedora:
```bash
sudo dnf install -y easy-rsa openssl
```
Ubuntu/WSL:
```bash
sudo apt update
sudo apt install -y easy-rsa openssl
```
## 2) PKI vorbereiten
```bash
mkdir -p certs/easyrsa
cp -r /usr/share/easy-rsa/* certs/easyrsa/
cd certs/easyrsa
./easyrsa init-pki
```
## 3) CA erstellen
```bash
./easyrsa build-ca nopass
```
## 4) Server-Zertifikat fuer localhost
```bash
./easyrsa gen-req localhost nopass
./easyrsa sign-req server localhost
```
## 5) Dateien fuer Nginx bereitstellen
Typische Dateien:
- `pki/issued/localhost.crt`
- `pki/private/localhost.key`
- `pki/ca.crt`
Danach in `proxy/nginx.conf` TLS aktivieren und in `docker-compose.yml` Port `443` mappen.
### Compose-Mindestbeispiel
```yaml
services:
reverse-proxy:
ports:
- "8080:80"
- "8443:443"
volumes:
- ./proxy/nginx.conf:/etc/nginx/nginx.conf:ro,z
- ./proxy/html:/usr/share/nginx/html:ro,z
- ./certs/easyrsa/pki:/etc/nginx/pki:ro,z
```
### Nginx-Mindestbeispiel
```nginx
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /etc/nginx/pki/issued/localhost.crt;
ssl_certificate_key /etc/nginx/pki/private/localhost.key;
ssl_protocols TLSv1.2 TLSv1.3;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
location /service/a {
proxy_pass http://backend_a/;
}
}
```
## 6) Root-CA importieren (Trust Store)
Fedora:
```bash
sudo cp pki/ca.crt /etc/pki/ca-trust/source/anchors/htl-workshop-root-ca.crt
sudo update-ca-trust
```
Ubuntu/Debian:
```bash
sudo cp pki/ca.crt /usr/local/share/ca-certificates/htl-workshop-root-ca.crt
sudo update-ca-certificates
```
Windows (PowerShell als Admin, optional):
```powershell
certutil -addstore -f Root C:\path\to\ca.crt
```
## 7) Test ohne -k
Nach Import sollte HTTPS ohne Insecure-Flag funktionieren:
```bash
curl https://localhost:8443/service/a
```
Falls CA nicht global importiert ist:
```bash
curl --cacert pki/ca.crt https://localhost:8443/service/a
```
## 8) Typische Fehlerbilder
- `curl: (60) SSL certificate problem` -> Root-CA nicht importiert oder falsche CA.
- Browser war offen waehrend CA-Import -> Browser neu starten.
- `permission denied` beim Nginx-Config-Mount (Fedora/SELinux) -> Volumes mit `:z` mounten.
- Zertifikat ohne `localhost` -> SAN/CN passt nicht zum Hostnamen.
challenges/wireshark-hints.md
+116
View File
@@ -0,0 +1,116 @@
# Wireshark Hint Card (optional)
Diese Hinweise helfen bei der Bonus-Challenge mit Paketmitschnitt.
## 1) Installation
Fedora:
```bash
sudo dnf install -y wireshark wireshark-cli
```
Ubuntu/WSL:
```bash
sudo apt update
sudo apt install -y wireshark tshark
```
## 2) Interface waehlen
- Linux lokal: meist `lo` (Loopback) fuer `localhost`
- Docker-Welt: ggf. `docker0` bzw. Bridge-Interface
## 3) HTTP zuerst (Klartext)
1. Mitschnitt starten
2. Request senden:
```bash
curl http://localhost:8080/service/a
```
3. In Wireshark nach `http` oder `tcp.port == 8080` filtern
## 4) Root-CA importieren und HTTPS ohne -k testen
Voraussetzung: HTTPS-Challenge umgesetzt (Port `8443` aktiv).
Fedora:
```bash
sudo cp certs/easyrsa/pki/ca.crt /etc/pki/ca-trust/source/anchors/htl-workshop-root-ca.crt
sudo update-ca-trust
```
Ubuntu/Debian:
```bash
sudo cp certs/easyrsa/pki/ca.crt /usr/local/share/ca-certificates/htl-workshop-root-ca.crt
sudo update-ca-certificates
```
Test:
```bash
curl https://localhost:8443/service/a
```
## 5) HTTPS danach mitschneiden (verschluesselt)
Filter:
```text
tcp.port == 8443
```
oder
```text
tls
```
Handshake schnell finden:
```text
tls.handshake
```
Nur Zertifikats-Nachrichten:
```text
tls.handshake.type == 11
```
## 6) Optional: TLS in Wireshark entschluesseln
1. Vor Browser-Start setzen:
```bash
export SSLKEYLOGFILE="$HOME/sslkeys.log"
```
2. Browser aus derselben Shell starten und HTTPS-Request erzeugen.
3. In Wireshark unter TLS-Preferences `sslkeys.log` als Key Log File setzen.
4. Mitschnitt erneut laden.
CLI-Alternative mit tshark (optional):
```bash
tshark -i lo -f "tcp port 8443"
```
## 7) Was ihr zeigen sollt
- HTTP-Mitschnitt: URL/Headers lesbar
- HTTPS-Mitschnitt: TLS Handshake sichtbar, Nutzdaten nicht im Klartext
- Nach CA-Import funktioniert `curl https://localhost:8443/...` ohne `-k`
- Optional: Mit Key Log koennen HTTP-Details im TLS-Stream sichtbar werden
## 8) Erwartete Abgabe (kurz)
- Screenshot 1: HTTP-Request mit lesbaren Daten
- Screenshot 2: HTTPS-Request mit TLS-Handshake
- Screenshot 3 (optional): entschluesselter TLS-Stream via Key Log
- 3 Bulletpoints: Unterschied HTTP vs HTTPS in euren eigenen Worten
docker-compose.yml
+26
View File
@@ -0,0 +1,26 @@
name: htl-workshop
services:
reverse-proxy:
image: nginx:1.27-alpine
container_name: workshop-proxy
depends_on:
- backend-a
- backend-b
ports:
- "${HTTP_PORT:-8080}:80"
volumes:
- ./proxy/nginx.conf:/etc/nginx/nginx.conf:ro,z
- ./proxy/html:/usr/share/nginx/html:ro,z
backend-a:
image: nginx:1.27-alpine
container_name: workshop-backend-a
volumes:
- ./backends/a:/usr/share/nginx/html:ro,z
backend-b:
image: nginx:1.27-alpine
container_name: workshop-backend-b
volumes:
- ./backends/b:/usr/share/nginx/html:ro,z
proxy/html/challenges.html
+333
View File
@@ -0,0 +1,333 @@
<!doctype html>
<html lang="de">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>HTL Workshop Challenges</title>
<style>
:root {
--bg: #081825;
--panel: #10273d;
--panel-soft: #163450;
--text: #e9f2fb;
--muted: #b7cbdf;
--accent: #4ecdc4;
--easy: #59d68a;
--medium: #ffd166;
--hard: #ff7b72;
--expert: #6fb6ff;
}
* {
box-sizing: border-box;
}
body {
margin: 0;
font-family: "Fira Sans", "Segoe UI", sans-serif;
color: var(--text);
background:
radial-gradient(circle at 100% 0%, #1f4060 0%, transparent 45%),
radial-gradient(circle at 0% 100%, #14324a 0%, transparent 35%),
var(--bg);
min-height: 100vh;
padding: 1.2rem;
}
main {
width: min(1150px, 100%);
margin: 0 auto;
display: grid;
gap: 1rem;
}
.panel {
background: var(--panel);
border: 1px solid #315678;
border-radius: 14px;
padding: 1.1rem;
}
h1,
h2,
h3 {
margin-top: 0;
}
p,
li {
color: var(--muted);
line-height: 1.5;
}
a {
color: var(--accent);
}
code {
background: #0d1f31;
border: 1px solid #2d4f6e;
border-radius: 6px;
padding: 0.1rem 0.35rem;
}
pre {
background: #0b2133;
border: 1px solid #2b5578;
border-radius: 10px;
padding: 0.7rem;
overflow: auto;
}
.top-links {
display: flex;
flex-wrap: wrap;
gap: 0.5rem;
}
.pill {
display: inline-block;
text-decoration: none;
background: #11314b;
border: 1px solid #2a5d84;
border-radius: 999px;
padding: 0.35rem 0.75rem;
}
.badge {
display: inline-block;
border-radius: 999px;
padding: 0.15rem 0.5rem;
font-size: 0.8rem;
font-weight: 700;
margin-bottom: 0.45rem;
}
.easy {
color: #08210f;
background: var(--easy);
}
.medium {
color: #312200;
background: var(--medium);
}
.hard {
color: #3b0905;
background: var(--hard);
}
.expert {
color: #031c37;
background: var(--expert);
}
details {
background: var(--panel-soft);
border: 1px solid #2d5577;
border-radius: 12px;
padding: 0.75rem 0.85rem;
margin-bottom: 0.7rem;
}
details:last-child {
margin-bottom: 0;
}
summary {
cursor: pointer;
font-weight: 700;
}
.kw {
color: #e9f2fb;
font-weight: 700;
}
</style>
</head>
<body>
<main>
<section class="panel">
<h1>Challenges - Reverse Proxy & TLS</h1>
<p>Fokus: manuelle Proxy-Konfiguration, saubere Security-Entscheidungen, TLS von Grund auf.</p>
<div class="top-links">
<a class="pill" href="/">Startseite</a>
<a class="pill" href="/hints.html">Hints</a>
<a class="pill" href="/solutions.html">Solutions</a>
<a class="pill" href="/service/a">Backend A</a>
<a class="pill" href="/service/b">Backend B</a>
</div>
</section>
<section class="panel">
<h2>Abgabe-Format (fuer jede Challenge)</h2>
<ul>
<li><span class="kw">1) Demo:</span> 1-3 Minuten, live zeigen.</li>
<li><span class="kw">2) Check:</span> Done-Check Command ausfuehren.</li>
<li><span class="kw">3) Erklaerung:</span> 2-3 Saetze: was, warum, Sicherheitswirkung.</li>
</ul>
</section>
<section class="panel">
<h2>Easy</h2>
<details open>
<summary><span class="badge easy">Easy</span> 1) Routing verstehen</summary>
<p><span class="kw">Ziel:</span> Verstehen, wie der Reverse Proxy Requests anhand des Pfads verteilt.</p>
<p><span class="kw">Muss:</span></p>
<ul>
<li><code>/service/a</code> und <code>/service/b</code> aufrufen.</li>
<li>Unterschied der Antworten erklaeren.</li>
<li>In 1 Satz erklaeren, welche <code>location</code> auf welchen <code>upstream</code> zeigt.</li>
</ul>
<p><span class="kw">Done-Check:</span></p>
<pre><code>curl http://localhost:8080/service/a
curl http://localhost:8080/service/b</code></pre>
</details>
<details>
<summary><span class="badge easy">Easy</span> 2) backend-c manuell hinzufuegen</summary>
<p><span class="kw">Ziel:</span> Proxy-Setup sinnvoll erweitern, ohne bestehenden Traffic zu brechen.</p>
<p><span class="kw">Dateien:</span> <code>docker-compose.yml</code>, <code>proxy/nginx.conf</code></p>
<p><span class="kw">Muss:</span></p>
<ul>
<li>Service <code>backend-c</code> in Compose anlegen.</li>
<li>In Nginx <code>upstream backend_c</code> und <code>location /service/c</code> konfigurieren.</li>
<li>Routing fuer A/B darf danach nicht kaputt sein.</li>
</ul>
<p><span class="kw">Done-Check:</span></p>
<pre><code>curl http://localhost:8080/service/c
curl http://localhost:8080/service/a
curl http://localhost:8080/service/b</code></pre>
</details>
<details>
<summary><span class="badge easy">Easy</span> 3) Eigene Route mit Rewrite</summary>
<p><span class="kw">Ziel:</span> URL-Design vom Backend entkoppeln.</p>
<p><span class="kw">Muss:</span></p>
<ul>
<li>Neue public Route (z. B. <code>/demo/a</code>) einbauen.</li>
<li>Intern auf bestehenden Backend-Pfad umbiegen (Rewrite oder eigene Route).</li>
<li>In der Demo erklaeren, warum solche Pfad-Abstraktion nuetzlich ist.</li>
</ul>
<p><span class="kw">Done-Check:</span></p>
<pre><code>curl http://localhost:8080/demo/a</code></pre>
</details>
</section>
<section class="panel">
<h2>Medium</h2>
<details>
<summary><span class="badge medium">Medium</span> 4) Security Headers setzen</summary>
<p><span class="kw">Ziel:</span> Browser-Schutzmechanismen bewusst aktivieren.</p>
<p><span class="kw">Muss:</span></p>
<ul>
<li><code>X-Content-Type-Options: nosniff</code></li>
<li><code>X-Frame-Options: DENY</code></li>
<li><code>Referrer-Policy: no-referrer</code></li>
</ul>
<p><span class="kw">Done-Check:</span></p>
<pre><code>curl -I http://localhost:8080/</code></pre>
<p><span class="kw">Abgabe:</span> kurz erklaeren, welchen Angriff jeder Header erschwert.</p>
</details>
<details>
<summary><span class="badge medium">Medium</span> 5) Interne Route absichern</summary>
<p><span class="kw">Ziel:</span> Zugangskontrolle direkt im Proxy umsetzen.</p>
<p><span class="kw">Muss:</span></p>
<ul>
<li>Route <code>/internal/status</code> einbauen.</li>
<li>Nur <code>127.0.0.1</code> erlauben, alle anderen verbieten.</li>
<li>Sinn der Route erklaeren (z. B. intern fuer Ops/Monitoring).</li>
</ul>
<p><span class="kw">Done-Check:</span></p>
<pre><code>curl -i http://localhost:8080/internal/status</code></pre>
</details>
<details>
<summary><span class="badge medium">Medium</span> 6) Logging verbessern</summary>
<p><span class="kw">Ziel:</span> Fehler schneller eingrenzen koennen.</p>
<p><span class="kw">Muss:</span></p>
<ul>
<li>Eigenes <code>log_format</code> mit Upstream-Daten erstellen.</li>
<li>Mindestens enthalten: <code>status</code>, <code>upstream_addr</code>, Timing.</li>
<li>Access Log auf das neue Format stellen.</li>
</ul>
<p><span class="kw">Done-Check:</span></p>
<pre><code>curl http://localhost:8080/service/a
./scripts/compose.sh logs reverse-proxy</code></pre>
</details>
</section>
<section class="panel">
<h2>Hard (TLS)</h2>
<details>
<summary><span class="badge hard">Hard</span> 7) HTTPS von 0 (Easy-RSA)</summary>
<p><span class="kw">Ziel:</span> Eigene PKI und TLS-Endpoint fuer den Proxy aufbauen.</p>
<p><span class="kw">Muss:</span></p>
<ul>
<li>Server-Zertifikat fuer <code>localhost</code> erstellen.</li>
<li>Proxy auf <code>443</code> erweitern (z. B. <code>8443:443</code>).</li>
<li>Root-CA importieren und ohne <code>-k</code> testen.</li>
</ul>
<p><span class="kw">Done-Check:</span></p>
<pre><code>curl https://localhost:8443/service/a</code></pre>
</details>
<details>
<summary><span class="badge hard">Hard</span> 8) HTTP -&gt; HTTPS Redirect</summary>
<p><span class="kw">Ziel:</span> Client sauber auf TLS umleiten.</p>
<p><span class="kw">Muss:</span></p>
<ul>
<li>Alle HTTP Requests nach HTTPS redirecten.</li>
<li><code>/healthz</code> darf optional auf HTTP bleiben.</li>
<li>Redirect-Statuscode + Location Header erklaeren.</li>
</ul>
<p><span class="kw">Done-Check:</span></p>
<pre><code>curl -I http://localhost:8080/service/a</code></pre>
</details>
<details>
<summary><span class="badge hard">Hard</span> 9) TLS Haertung + Chain Check + HSTS</summary>
<p><span class="kw">Ziel:</span> TLS nicht nur aktivieren, sondern sinnvoll haerten.</p>
<p><span class="kw">Muss:</span></p>
<ul>
<li>TLS auf 1.2/1.3 beschraenken.</li>
<li>HSTS Header setzen: <code>Strict-Transport-Security</code>.</li>
<li>Zertifikatskette pruefen und in der Demo erklaeren.</li>
</ul>
<p><span class="kw">Hinweis:</span> Im HTTP-Basissetup ist HSTS absichtlich noch nicht aktiv.</p>
<p><span class="kw">Done-Check:</span></p>
<pre><code>curl -I https://localhost:8443/service/a
openssl s_client -connect localhost:8443 -servername localhost</code></pre>
</details>
</section>
<section class="panel">
<h2>Bonus Expert</h2>
<details open>
<summary><span class="badge expert">Expert</span> 10) Wireshark: HTTP vs HTTPS sauber ausarbeiten</summary>
<p><span class="kw">Ziel:</span> Nachweisbar zeigen, was bei HTTP lesbar und bei HTTPS geschuetzt ist.</p>
<p><span class="kw">Muss:</span></p>
<ol>
<li>HTTP Capture auf Port <code>8080</code>, Request erzeugen, Klartext markieren.</li>
<li>HTTPS Capture auf Port <code>8443</code>, TLS Handshake markieren.</li>
<li>Pakete mit <code>ClientHello</code>, <code>ServerHello</code>, <code>Certificate</code> zeigen.</li>
<li>Kurze Analyse: Was sieht ein Angreifer im HTTP-Fall vs im HTTPS-Fall?</li>
</ol>
<p><span class="kw">Optional:</span> TLS Decrypt via <code>SSLKEYLOGFILE</code> und Unterschied vorher/nachher erklaeren.</p>
<p><span class="kw">Done-Check / Abgabe:</span></p>
<ul>
<li>Mindestens 3 Screenshots mit Markierungen.</li>
<li>3-5 Bulletpoints als technische Schlussfolgerung.</li>
<li>Ein Satz zu Grenzen der Methode (z. B. nur mit Keylog decryption).</li>
</ul>
</details>
</section>
</main>
</body>
</html>
proxy/html/hints.html
+198
View File
@@ -0,0 +1,198 @@
<!doctype html>
<html lang="de">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>HTL Workshop Hint Cheatsheet</title>
<style>
:root {
--bg: #081825;
--panel: #10273d;
--panel-soft: #163450;
--text: #e9f2fb;
--muted: #b7cbdf;
--accent: #4ecdc4;
}
* {
box-sizing: border-box;
}
body {
margin: 0;
font-family: "Fira Sans", "Segoe UI", sans-serif;
color: var(--text);
background:
radial-gradient(circle at 100% 0%, #1f4060 0%, transparent 45%),
radial-gradient(circle at 0% 100%, #14324a 0%, transparent 35%),
var(--bg);
min-height: 100vh;
padding: 1.2rem;
}
main {
width: min(1100px, 100%);
margin: 0 auto;
display: grid;
gap: 1rem;
}
.panel {
background: var(--panel);
border: 1px solid #315678;
border-radius: 14px;
padding: 1.1rem;
}
.grid {
display: grid;
grid-template-columns: repeat(auto-fit, minmax(260px, 1fr));
gap: 0.8rem;
}
.card {
background: var(--panel-soft);
border: 1px solid #2d5577;
border-radius: 12px;
padding: 0.9rem;
}
h1,
h2,
h3 {
margin-top: 0;
}
p,
li {
color: var(--muted);
line-height: 1.5;
}
a {
color: var(--accent);
}
code {
background: #0d1f31;
border: 1px solid #2d4f6e;
border-radius: 6px;
padding: 0.1rem 0.35rem;
}
pre {
background: #0b2133;
border: 1px solid #2b5578;
border-radius: 10px;
padding: 0.7rem;
overflow: auto;
}
.top-links {
display: flex;
flex-wrap: wrap;
gap: 0.5rem;
}
.pill {
display: inline-block;
text-decoration: none;
background: #11314b;
border: 1px solid #2a5d84;
border-radius: 999px;
padding: 0.35rem 0.75rem;
}
</style>
</head>
<body>
<main>
<section class="panel">
<h1>Hint Cheatsheet</h1>
<p>
Kompakte Hilfe fuer Setup, TLS und Wireshark. Fuer komplette Aufgaben siehe das
<a href="/challenges.html">Challenge Board</a> und fuer Korrekturhilfe das
<a href="/solutions.html">Solutions Board</a>.
</p>
<div class="top-links">
<a class="pill" href="/">Startseite</a>
<a class="pill" href="/challenges.html">Challenges</a>
<a class="pill" href="/solutions.html">Solutions</a>
</div>
</section>
<section class="panel">
<h2>Deploy & Reset</h2>
<div class="grid">
<article class="card">
<h3>Start</h3>
<pre><code>./scripts/bootstrap.sh
./scripts/compose.sh ps</code></pre>
<p>Windows PowerShell: <code>./scripts/workshop.ps1 -Action bootstrap</code></p>
</article>
<article class="card">
<h3>Neu deployen</h3>
<pre><code>make redeploy
make proxy-reload</code></pre>
<p>PowerShell: <code>./scripts/workshop.ps1 -Action redeploy</code></p>
</article>
<article class="card">
<h3>Reset</h3>
<pre><code>make reset
make bootstrap</code></pre>
<p>PowerShell: <code>./scripts/workshop.ps1 -Action reset</code></p>
</article>
</div>
</section>
<section class="panel">
<h2>Easy-RSA & CA Import</h2>
<div class="grid">
<article class="card">
<h3>PKI Quickstart</h3>
<pre><code>mkdir -p certs/easyrsa
cp -r /usr/share/easy-rsa/* certs/easyrsa/
cd certs/easyrsa
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-req localhost nopass
./easyrsa sign-req server localhost</code></pre>
</article>
<article class="card">
<h3>Fedora CA Import</h3>
<pre><code>sudo cp certs/easyrsa/pki/ca.crt \
/etc/pki/ca-trust/source/anchors/htl-workshop-root-ca.crt
sudo update-ca-trust</code></pre>
</article>
<article class="card">
<h3>HTTPS Check</h3>
<pre><code>curl https://localhost:8443/service/a
curl -I https://localhost:8443/service/a
openssl s_client -connect localhost:8443 -servername localhost</code></pre>
<p>Bei TLS-Haertung auf <code>Strict-Transport-Security</code> im Header achten.</p>
<p>Komplettes TLS-Beispiel: <code>proxy/nginx.tls.example.conf</code></p>
</article>
</div>
</section>
<section class="panel">
<h2>Wireshark Quick Hints</h2>
<div class="grid">
<article class="card">
<h3>Filter</h3>
<ul>
<li><code>http</code></li>
<li><code>tcp.port == 8443</code></li>
<li><code>tls.handshake</code></li>
<li><code>tls.handshake.type == 11</code></li>
</ul>
</article>
<article class="card">
<h3>TLS Decrypt (optional)</h3>
<pre><code>export SSLKEYLOGFILE="$HOME/sslkeys.log"</code></pre>
<p>Browser aus derselben Shell starten und Datei in Wireshark als TLS Key Log setzen.</p>
</article>
</div>
</section>
</main>
</body>
</html>
proxy/html/index.html
+157
View File
@@ -0,0 +1,157 @@
<!doctype html>
<html lang="de">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>HTL Reverse Proxy Lab</title>
<style>
:root {
--bg: #081825;
--panel: #10273d;
--panel-soft: #163450;
--text: #e9f2fb;
--muted: #b7cbdf;
--accent: #4ecdc4;
--line: #315678;
}
* {
box-sizing: border-box;
}
body {
margin: 0;
font-family: "Fira Sans", "Segoe UI", sans-serif;
color: var(--text);
background:
radial-gradient(circle at 100% 0%, #1f4060 0%, transparent 45%),
radial-gradient(circle at 0% 100%, #14324a 0%, transparent 35%),
var(--bg);
min-height: 100vh;
padding: 1.2rem;
}
main {
width: min(1100px, 100%);
margin: 0 auto;
display: grid;
gap: 1rem;
}
.panel {
background: var(--panel);
border: 1px solid var(--line);
border-radius: 14px;
padding: 1.1rem;
}
h1,
h2,
h3 {
margin-top: 0;
}
p,
li {
color: var(--muted);
line-height: 1.5;
}
code {
background: #0d1f31;
border: 1px solid #2d4f6e;
border-radius: 6px;
padding: 0.1rem 0.35rem;
}
a {
color: var(--accent);
}
.links {
display: flex;
flex-wrap: wrap;
gap: 0.5rem;
}
.pill {
display: inline-block;
text-decoration: none;
background: #11314b;
border: 1px solid #2a5d84;
border-radius: 999px;
padding: 0.35rem 0.75rem;
}
.grid {
display: grid;
grid-template-columns: repeat(auto-fit, minmax(240px, 1fr));
gap: 0.8rem;
}
.card {
background: var(--panel-soft);
border: 1px solid #2d5577;
border-radius: 12px;
padding: 0.9rem;
}
</style>
</head>
<body>
<main>
<section class="panel">
<h1>HTL Reverse Proxy & TLS Lab</h1>
<p>
Basis läuft mit HTTP. Ziel im Workshop: Reverse Proxy verstehen und HTTPS/TLS manuell
aufbauen.
</p>
<div class="links">
<a class="pill" href="/service/a">Backend A</a>
<a class="pill" href="/service/b">Backend B</a>
<a class="pill" href="/challenges.html">Challenges</a>
<a class="pill" href="/hints.html">Hints</a>
<a class="pill" href="/solutions.html">Solutions</a>
</div>
</section>
<section class="panel">
<h2>Setup Quickcheck</h2>
<ul>
<li><code>curl http://localhost:8080/service/a</code></li>
<li><code>curl http://localhost:8080/service/b</code></li>
<li><code>./scripts/compose.sh ps</code></li>
</ul>
</section>
<section class="panel">
<h2>Saubere Struktur</h2>
<div class="grid">
<article class="card">
<h3>Challenges</h3>
<ul>
<li>Aufgaben mit Ziel und Anforderungen</li>
<li>Done-Checks pro Aufgabe</li>
<li>Fokus: Reverse Proxy + TLS</li>
</ul>
</article>
<article class="card">
<h3>Hints</h3>
<ul>
<li>Kompakte Hilfe fuer Blocker</li>
<li>Easy-RSA / CA Import</li>
<li>Wireshark Filter</li>
</ul>
</article>
<article class="card">
<h3>Solutions</h3>
<ul>
<li>Konkrete Musterloesungen</li>
<li>Snippets fuer Nginx/Compose</li>
<li>Korrekturhilfe</li>
</ul>
</article>
</div>
</section>
</main>
</body>
</html>
proxy/html/solutions.html
+341
View File
@@ -0,0 +1,341 @@
<!doctype html>
<html lang="de">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>HTL Workshop Solutions</title>
<style>
:root {
--bg: #081825;
--panel: #10273d;
--panel-soft: #163450;
--text: #e9f2fb;
--muted: #b7cbdf;
--accent: #4ecdc4;
--easy: #59d68a;
--medium: #ffd166;
--hard: #ff7b72;
--expert: #6fb6ff;
}
* {
box-sizing: border-box;
}
body {
margin: 0;
font-family: "Fira Sans", "Segoe UI", sans-serif;
color: var(--text);
background:
radial-gradient(circle at 100% 0%, #1f4060 0%, transparent 45%),
radial-gradient(circle at 0% 100%, #14324a 0%, transparent 35%),
var(--bg);
min-height: 100vh;
padding: 1.2rem;
}
main {
width: min(1150px, 100%);
margin: 0 auto;
display: grid;
gap: 1rem;
}
.panel {
background: var(--panel);
border: 1px solid #315678;
border-radius: 14px;
padding: 1.1rem;
}
h1,
h2,
h3 {
margin-top: 0;
}
p,
li {
color: var(--muted);
line-height: 1.5;
}
a {
color: var(--accent);
}
code {
background: #0d1f31;
border: 1px solid #2d4f6e;
border-radius: 6px;
padding: 0.1rem 0.35rem;
}
pre {
background: #0b2133;
border: 1px solid #2b5578;
border-radius: 10px;
padding: 0.7rem;
overflow: auto;
}
.top-links {
display: flex;
flex-wrap: wrap;
gap: 0.5rem;
}
.pill {
display: inline-block;
text-decoration: none;
background: #11314b;
border: 1px solid #2a5d84;
border-radius: 999px;
padding: 0.35rem 0.75rem;
}
.badge {
display: inline-block;
border-radius: 999px;
padding: 0.15rem 0.5rem;
font-size: 0.8rem;
font-weight: 700;
margin-bottom: 0.45rem;
}
.easy {
color: #08210f;
background: var(--easy);
}
.medium {
color: #312200;
background: var(--medium);
}
.hard {
color: #3b0905;
background: var(--hard);
}
.expert {
color: #031c37;
background: var(--expert);
}
details {
background: var(--panel-soft);
border: 1px solid #2d5577;
border-radius: 12px;
padding: 0.75rem 0.85rem;
margin-bottom: 0.7rem;
}
details:last-child {
margin-bottom: 0;
}
summary {
cursor: pointer;
font-weight: 700;
}
.kw {
color: #e9f2fb;
font-weight: 700;
}
</style>
</head>
<body>
<main>
<section class="panel">
<h1>Solutions Board (detailliert)</h1>
<p>Hier stehen absichtlich konkrete Musterloesungen mit Snippets, Checks und typischen Stolperfallen.</p>
<div class="top-links">
<a class="pill" href="/">Startseite</a>
<a class="pill" href="/challenges.html">Challenges</a>
<a class="pill" href="/hints.html">Hints</a>
<a class="pill" href="/service/a">Backend A</a>
<a class="pill" href="/service/b">Backend B</a>
</div>
</section>
<section class="panel">
<h2>Easy - Musterloesungen</h2>
<details open>
<summary><span class="badge easy">Easy</span> 1) Routing verstehen</summary>
<pre><code>curl http://localhost:8080/service/a
curl http://localhost:8080/service/b</code></pre>
<p><span class="kw">Erwartete Erklaerung:</span> Nginx matched den Pfad in <code>location</code> und leitet auf den passenden <code>upstream</code> weiter.</p>
</details>
<details>
<summary><span class="badge easy">Easy</span> 2) backend-c hinzufuegen</summary>
<p><span class="kw">Compose (Beispiel):</span></p>
<pre><code>backend-c:
image: nginx:1.27-alpine
container_name: workshop-backend-c
volumes:
- ./backends/c:/usr/share/nginx/html:ro,z</code></pre>
<p><span class="kw">Nginx (Beispiel):</span></p>
<pre><code>upstream backend_c {
server backend-c:80;
}
location /service/c {
proxy_pass http://backend_c/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto http;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}</code></pre>
<p><span class="kw">Check:</span> <code>curl http://localhost:8080/service/c</code></p>
</details>
<details>
<summary><span class="badge easy">Easy</span> 3) Rewrite Route</summary>
<pre><code>location = /demo/a {
rewrite ^ /service/a break;
proxy_pass http://backend_a/;
}</code></pre>
<p><span class="kw">Check:</span> <code>curl http://localhost:8080/demo/a</code></p>
</details>
</section>
<section class="panel">
<h2>Medium - Musterloesungen</h2>
<details>
<summary><span class="badge medium">Medium</span> 4) Security Headers</summary>
<pre><code>add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "no-referrer" always;</code></pre>
<p><span class="kw">Check:</span> <code>curl -I http://localhost:8080/</code></p>
</details>
<details>
<summary><span class="badge medium">Medium</span> 5) Interne Route absichern</summary>
<pre><code>location /internal/status {
allow 127.0.0.1;
deny all;
default_type text/plain;
return 200 "internal ok\n";
}</code></pre>
<p><span class="kw">Check:</span> <code>curl -i http://localhost:8080/internal/status</code></p>
</details>
<details>
<summary><span class="badge medium">Medium</span> 6) Logging verbessern</summary>
<pre><code>log_format workshop '$remote_addr - $request '
'status=$status upstream=$upstream_addr '
'rt=$request_time urt=$upstream_response_time';
access_log /var/log/nginx/access.log workshop;</code></pre>
<p><span class="kw">Check:</span></p>
<pre><code>curl http://localhost:8080/service/a
./scripts/compose.sh logs reverse-proxy</code></pre>
</details>
</section>
<section class="panel">
<h2>Hard (TLS) - Musterloesungen</h2>
<details>
<summary><span class="badge hard">Hard</span> 7) HTTPS mit Easy-RSA</summary>
<pre><code>mkdir -p certs/easyrsa
cp -r /usr/share/easy-rsa/* certs/easyrsa/
cd certs/easyrsa
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-req localhost nopass
./easyrsa sign-req server localhost</code></pre>
<p><span class="kw">Compose:</span></p>
<pre><code>reverse-proxy:
ports:
- "8080:80"
- "8443:443"
volumes:
- ./certs/easyrsa/pki:/etc/nginx/pki:ro,z</code></pre>
<p><span class="kw">Check:</span> <code>curl https://localhost:8443/service/a</code> (ohne <code>-k</code> nach CA-Import)</p>
</details>
<details>
<summary><span class="badge hard">Hard</span> 8) HTTP -&gt; HTTPS Redirect</summary>
<pre><code>server {
listen 80;
server_name _;
location = /healthz {
default_type text/plain;
return 200 "ok\n";
}
location / {
return 301 https://$host:8443$request_uri;
}
}</code></pre>
<p><span class="kw">Check:</span> <code>curl -I http://localhost:8080/service/a</code></p>
</details>
<details>
<summary><span class="badge hard">Hard</span> 9) TLS Haertung + HSTS</summary>
<pre><code>ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;</code></pre>
<p><span class="kw">Check:</span></p>
<pre><code>curl -I https://localhost:8443/service/a
openssl s_client -connect localhost:8443 -servername localhost</code></pre>
<p>Vollstaendige Referenz: <code>proxy/nginx.tls.example.conf</code></p>
</details>
</section>
<section class="panel">
<h2>Bonus Expert - Wireshark (ausformulierte Referenzloesung)</h2>
<details open>
<summary><span class="badge expert">Expert</span> 10) HTTP vs HTTPS sauber analysieren</summary>
<p><span class="kw">Schritt 1 - HTTP Capture:</span></p>
<ol>
<li>Interface waehlen: lokal meist <code>lo</code>.</li>
<li>Capture starten, Filter <code>tcp.port == 8080</code>.</li>
<li>Request senden: <code>curl http://localhost:8080/service/a</code>.</li>
<li>In "Follow HTTP Stream" zeigen, dass Pfad und Header lesbar sind.</li>
</ol>
<p><span class="kw">Schritt 2 - HTTPS Capture:</span></p>
<ol>
<li>HTTPS muss vorher laufen (Challenge 7).</li>
<li>Filter auf <code>tcp.port == 8443</code> oder <code>tls</code> setzen.</li>
<li>Request senden: <code>curl https://localhost:8443/service/a</code>.</li>
<li>Pakete markieren: <code>ClientHello</code>, <code>ServerHello</code>, <code>Certificate</code>.</li>
</ol>
<p><span class="kw">Schritt 3 - Erwartete Aussagen:</span></p>
<ul>
<li>HTTP: URL, Header, Payload sind sichtbar.</li>
<li>HTTPS: Handshake sichtbar, Nutzdaten ohne Key nicht lesbar.</li>
<li>Zertifikat im Handshake zeigt, wie der Server seine Identitaet beweist.</li>
</ul>
<p><span class="kw">Optional - TLS Decrypt (nur fuer Demo):</span></p>
<pre><code>export SSLKEYLOGFILE="$HOME/sslkeys.log"</code></pre>
<ul>
<li>Browser aus derselben Shell starten.</li>
<li>In Wireshark TLS Preferences -> Key Log File setzen.</li>
<li>Capture neu laden und Unterschiede vor/nach Keylog zeigen.</li>
</ul>
<p><span class="kw">Abgabe (Muster):</span></p>
<ul>
<li>Screenshot A: HTTP Stream mit lesbaren Headern.</li>
<li>Screenshot B: TLS Handshake mit markierten Nachrichten.</li>
<li>Screenshot C (optional): entschluesselter Stream mit Keylog.</li>
<li>3-5 Bulletpoints mit eigener technischer Interpretation.</li>
</ul>
<p><span class="kw">Typische Fehler:</span> falsches Interface, kein HTTPS aktiv, Browser nicht aus Keylog-Shell gestartet.</p>
</details>
</section>
</main>
</body>
</html>
proxy/nginx.conf
+47
View File
@@ -0,0 +1,47 @@
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
server_tokens off;
upstream backend_a {
server backend-a:80;
}
upstream backend_b {
server backend-b:80;
}
server {
listen 80;
server_name _;
location / {
root /usr/share/nginx/html;
try_files $uri $uri/ /index.html;
}
location /service/a {
proxy_pass http://backend_a/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto http;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /service/b {
proxy_pass http://backend_b/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto http;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /healthz {
default_type text/plain;
return 200 "ok\n";
}
}
}
proxy/nginx.tls.example.conf
+66
View File
@@ -0,0 +1,66 @@
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
server_tokens off;
upstream backend_a {
server backend-a:80;
}
upstream backend_b {
server backend-b:80;
}
server {
listen 80;
server_name _;
location = /healthz {
default_type text/plain;
return 200 "ok\n";
}
location / {
return 301 https://$host:8443$request_uri;
}
}
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /etc/nginx/pki/issued/localhost.crt;
ssl_certificate_key /etc/nginx/pki/private/localhost.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "no-referrer" always;
location / {
root /usr/share/nginx/html;
try_files $uri $uri/ /index.html;
}
location /service/a {
proxy_pass http://backend_a/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /service/b {
proxy_pass http://backend_b/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
}
scripts/bootstrap-wsl.sh
Executable
+36
View File
@@ -0,0 +1,36 @@
#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd -- "$SCRIPT_DIR/.." && pwd)"
cd "$PROJECT_ROOT"
if ! command -v docker >/dev/null 2>&1; then
echo "[error] docker nicht gefunden. Bitte Docker installieren (Linux) oder Docker Desktop + WSL Integration aktivieren."
exit 1
fi
if ! docker info >/dev/null 2>&1; then
echo "[error] Docker Daemon nicht erreichbar. Bitte Docker starten."
exit 1
fi
if ! "$SCRIPT_DIR/compose.sh" version >/dev/null 2>&1; then
echo "[error] Weder docker compose noch docker-compose verfuegbar."
exit 1
fi
if [[ ! -f .env ]]; then
cp .env.example .env
echo "[ok] .env aus .env.example erstellt"
else
echo "[skip] .env existiert bereits"
fi
"$SCRIPT_DIR/compose.sh" up -d --build
echo
echo "[ok] Workshop-Stack laeuft"
echo " Landing Page: http://localhost:8080"
echo " Test (backend-a): curl http://localhost:8080/service/a"
scripts/bootstrap.sh
Executable
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
"$SCRIPT_DIR/bootstrap-wsl.sh"
scripts/compose.sh
Executable
+11
View File
@@ -0,0 +1,11 @@
#!/usr/bin/env bash
set -euo pipefail
if docker compose version >/dev/null 2>&1; then
docker compose "$@"
elif command -v docker-compose >/dev/null 2>&1; then
docker-compose "$@"
else
echo "[error] Weder 'docker compose' noch 'docker-compose' verfuegbar."
exit 1
fi
scripts/reset-lab.sh
Executable
+32
View File
@@ -0,0 +1,32 @@
#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd -- "$SCRIPT_DIR/.." && pwd)"
cd "$PROJECT_ROOT"
HARD_RESET="${1:-}"
echo "[info] Stoppe und entferne Container, Netzwerke, Volumes"
"$SCRIPT_DIR/compose.sh" down -v --remove-orphans
echo "[info] Entferne ungenutzte lokale Images"
docker image prune -f >/dev/null 2>&1 || true
if [[ "$HARD_RESET" == "--hard" ]]; then
if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
if git rev-parse --verify HEAD >/dev/null 2>&1; then
echo "[info] Git Hard Reset: stelle Dateien auf HEAD zurueck"
git restore --source=HEAD --staged --worktree .
else
echo "[warn] Git-Repo ohne Commit-Historie, Datei-Restore wird uebersprungen"
fi
git clean -fd
else
echo "[warn] Kein Git-Repo erkannt, --hard wird uebersprungen"
fi
fi
echo "[ok] Lab wurde zurueckgesetzt"
echo "[hint] Neu starten mit: ./scripts/bootstrap.sh"
scripts/workshop.ps1
+43
View File
@@ -0,0 +1,43 @@
param(
[ValidateSet("bootstrap", "up", "redeploy", "proxy-reload", "down", "logs", "reset")]
[string]$Action = "bootstrap",
[string]$Distro = ""
)
if (-not (Get-Command wsl.exe -ErrorAction SilentlyContinue)) {
Write-Error "WSL wurde nicht gefunden. Bitte WSL installieren und konfigurieren."
exit 1
}
$repoWinPath = (Resolve-Path (Join-Path $PSScriptRoot "..")).Path
$repoWslPath = (& wsl.exe wslpath -a "$repoWinPath").Trim()
if (-not $repoWslPath) {
Write-Error "Konnte den WSL Pfad fuer das Repo nicht ermitteln."
exit 1
}
switch ($Action) {
"bootstrap" { $linuxCommand = "./scripts/bootstrap.sh" }
"up" { $linuxCommand = "./scripts/compose.sh up -d --build" }
"redeploy" { $linuxCommand = "./scripts/compose.sh up -d --build --remove-orphans && ./scripts/compose.sh restart reverse-proxy" }
"proxy-reload" { $linuxCommand = "./scripts/compose.sh restart reverse-proxy" }
"down" { $linuxCommand = "./scripts/compose.sh down" }
"logs" { $linuxCommand = "./scripts/compose.sh logs -f" }
"reset" { $linuxCommand = "./scripts/reset-lab.sh" }
}
$wslArgs = @()
if ($Distro) {
$wslArgs += "-d"
$wslArgs += $Distro
}
$wslArgs += "-e"
$wslArgs += "bash"
$wslArgs += "-lc"
$wslArgs += "cd '$repoWslPath' && $linuxCommand"
Write-Host "[info] Running in WSL: $linuxCommand"
& wsl.exe @wslArgs
exit $LASTEXITCODE