AlexBa16/htl-reverse-proxy-tls-lab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refine workshop UI navigation and hardening guidance

Browse Source
This commit is contained in:
hkoeck
2026-03-07 19:21:13 +01:00
parent 314b63242f
commit 92a833ec50
10 changed files with 205 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files
proxy/html/solutions.html
+54 -6
View File
@@ -65,6 +65,8 @@
}
code {
font-family: "JetBrains Mono", "Fira Code", "Consolas", "Liberation Mono", monospace;
font-size: 0.92em;
background: #0d1f31;
border: 1px solid #2d4f6e;
border-radius: 6px;
@@ -75,8 +77,20 @@
background: #0b2133;
border: 1px solid #2b5578;
border-radius: 10px;
padding: 0.7rem;
overflow: auto;
padding: 0.75rem 0.85rem;
overflow-x: auto;
margin: 0.65rem 0;
}
pre code {
display: block;
background: transparent;
border: 0;
border-radius: 0;
padding: 0;
font-size: 0.92rem;
line-height: 1.45;
white-space: pre;
}
.top-links {
@@ -151,10 +165,12 @@
<section class="panel">
<h1>Solutions Board (detailliert)</h1>
<p>Hier stehen absichtlich konkrete Musterloesungen mit Snippets, Checks und typischen Stolperfallen.</p>
<p><span class="kw">Workflow:</span> Nach jeder Konfig-Aenderung mindestens <code>make proxy-reload</code>, bei Compose-Aenderungen <code>make redeploy</code>.</p>
<div class="top-links">
<a class="pill" href="/">Startseite</a>
<a class="pill" href="/challenges.html">Challenges</a>
<a class="pill" href="/hints.html">Hints</a>
<a class="pill" href="/solutions.html">Solutions</a>
<a class="pill" href="/service/a">Backend A</a>
<a class="pill" href="/service/b">Backend B</a>
</div>
@@ -163,8 +179,10 @@
<section class="panel">
<h2>Easy - Musterloesungen</h2>
<details open>
<details>
<summary><span class="badge easy">Easy</span> 1) Routing verstehen</summary>
<p><span class="kw">Dateien:</span> nur lesen: <code>proxy/nginx.conf</code></p>
<p><span class="kw">Commands noetig:</span> ja</p>
<pre><code>curl http://localhost:8080/service/a
curl http://localhost:8080/service/b</code></pre>
<p><span class="kw">Erwartete Erklaerung:</span> Nginx matched den Pfad in <code>location</code> und leitet auf den passenden <code>upstream</code> weiter.</p>
@@ -172,6 +190,8 @@ curl http://localhost:8080/service/b</code></pre>
<details>
<summary><span class="badge easy">Easy</span> 2) backend-c hinzufuegen</summary>
<p><span class="kw">Dateien:</span> <code>docker-compose.yml</code>, <code>proxy/nginx.conf</code>, <code>backends/c/index.html</code></p>
<p><span class="kw">Commands noetig:</span> ja</p>
<p><span class="kw">Compose (Beispiel):</span></p>
<pre><code>backend-c:
image: nginx:1.27-alpine
@@ -195,6 +215,8 @@ location /service/c {
<details>
<summary><span class="badge easy">Easy</span> 3) Rewrite Route</summary>
<p><span class="kw">Dateien:</span> <code>proxy/nginx.conf</code></p>
<p><span class="kw">Commands noetig:</span> ja</p>
<pre><code>location = /demo/a {
proxy_pass http://backend_a/;
}</code></pre>
@@ -207,14 +229,23 @@ location /service/c {
<details>
<summary><span class="badge medium">Medium</span> 4) Security Headers</summary>
<p><span class="kw">Dateien:</span> <code>proxy/nginx.conf</code></p>
<p><span class="kw">Commands noetig:</span> ja</p>
<pre><code>add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "no-referrer" always;</code></pre>
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;</code></pre>
<p><span class="kw">Optional CSP (statisch, inline styles erlaubt):</span></p>
<pre><code>add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; base-uri 'none'; frame-ancestors 'none'" always;</code></pre>
<p><span class="kw">Check:</span> <code>curl -I http://localhost:8080/</code></p>
</details>
<details>
<summary><span class="badge medium">Medium</span> 5) Interne Route absichern</summary>
<p><span class="kw">Dateien:</span> <code>proxy/nginx.conf</code></p>
<p><span class="kw">Commands noetig:</span> ja</p>
<pre><code>location /internal/status {
allow 127.0.0.1;
deny all;
@@ -228,6 +259,8 @@ add_header Referrer-Policy "no-referrer" always;</code></pre>
<details>
<summary><span class="badge medium">Medium</span> 6) Logging verbessern</summary>
<p><span class="kw">Dateien:</span> <code>proxy/nginx.conf</code></p>
<p><span class="kw">Commands noetig:</span> ja</p>
<pre><code>log_format workshop '$remote_addr - $request '
'status=$status upstream=$upstream_addr '
'rt=$request_time urt=$upstream_response_time';
@@ -240,6 +273,8 @@ access_log /var/log/nginx/access.log workshop;</code></pre>
<details>
<summary><span class="badge medium">Medium</span> 6a) Load Balancing</summary>
<p><span class="kw">Dateien:</span> <code>docker-compose.yml</code>, <code>proxy/nginx.conf</code>, <code>backends/a2/index.html</code></p>
<p><span class="kw">Commands noetig:</span> ja</p>
<p><span class="kw">Compose (backend-a2):</span></p>
<pre><code>backend-a2:
image: nginx:1.27-alpine
@@ -258,7 +293,10 @@ done</code></pre>
</details>
<details>
<summary><span class="badge medium">Medium</span> 6b) Header Stripping</summary>
<summary><span class="badge medium">Medium</span> 6b) Response Header Minimization</summary>
<p><span class="kw">Dateien:</span> <code>proxy/nginx.conf</code></p>
<p><span class="kw">Commands noetig:</span> ja</p>
<p><span class="kw">Abgrenzung zu #4:</span> #4 fuegt Schutz-Header hinzu, #6b entfernt unnoetige Upstream-Metadaten.</p>
<pre><code>location /service/a {
proxy_pass http://backend_a/;
proxy_hide_header ETag;
@@ -269,6 +307,8 @@ done</code></pre>
<details>
<summary><span class="badge medium">Medium</span> 6c) Debugging Challenge</summary>
<p><span class="kw">Dateien:</span> <code>proxy/nginx.broken.conf</code>, <code>proxy/nginx.conf</code></p>
<p><span class="kw">Commands noetig:</span> ja</p>
<p>Kopiere testweise <code>proxy/nginx.broken.conf</code> auf <code>proxy/nginx.conf</code>, behebe die Fehler und stelle danach die funktionierende Konfiguration wieder her.</p>
<pre><code>cp proxy/nginx.broken.conf proxy/nginx.conf
make proxy-reload
@@ -282,6 +322,8 @@ make proxy-reload
<details>
<summary><span class="badge hard">Hard</span> 7) HTTPS mit Easy-RSA</summary>
<p><span class="kw">Dateien:</span> <code>docker-compose.yml</code>, <code>proxy/nginx.conf</code>, <code>certs/easyrsa/*</code></p>
<p><span class="kw">Commands noetig:</span> ja</p>
<pre><code>mkdir -p certs/easyrsa
cp -r /usr/share/easy-rsa/* certs/easyrsa/
cd certs/easyrsa
@@ -302,6 +344,8 @@ cd certs/easyrsa
<details>
<summary><span class="badge hard">Hard</span> 8) HTTP -&gt; HTTPS Redirect</summary>
<p><span class="kw">Voraussetzung:</span> Challenge 7 abgeschlossen (gleiches Config-File weiterverwenden).</p>
<p><span class="kw">Dateien:</span> <code>proxy/nginx.conf</code></p>
<p><span class="kw">Commands noetig:</span> ja</p>
<pre><code>server {
listen 80;
server_name _;
@@ -321,6 +365,8 @@ cd certs/easyrsa
<details>
<summary><span class="badge hard">Hard</span> 9) TLS Haertung + HSTS</summary>
<p><span class="kw">Voraussetzung:</span> Challenge 7 und 8 abgeschlossen.</p>
<p><span class="kw">Dateien:</span> <code>proxy/nginx.conf</code></p>
<p><span class="kw">Commands noetig:</span> ja</p>
<pre><code>ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;</code></pre>
@@ -334,8 +380,10 @@ openssl s_client -connect localhost:8443 -servername localhost</code></pre>
<section class="panel">
<h2>Bonus Expert - Wireshark (ausformulierte Referenzloesung)</h2>
<details open>
<details>
<summary><span class="badge expert">Expert</span> 10) HTTP vs HTTPS sauber analysieren</summary>
<p><span class="kw">Dateien:</span> keine Pflicht-Datei; optional Wireshark Settings und Keylog-Datei</p>
<p><span class="kw">Commands noetig:</span> ja</p>
<p><span class="kw">Schritt 1 - HTTP Capture:</span></p>
<ol>
<li>Interface waehlen: lokal meist <code>lo</code>.</li>