hkoeck
342 lines
11 KiB
HTML
342 lines
11 KiB
HTML
<!doctype html>
|
|
<html lang="de">
|
|
<head>
|
|
<meta charset="UTF-8" />
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
|
<title>HTL Workshop Solutions</title>
|
|
<style>
|
|
:root {
|
|
--bg: #081825;
|
|
--panel: #10273d;
|
|
--panel-soft: #163450;
|
|
--text: #e9f2fb;
|
|
--muted: #b7cbdf;
|
|
--accent: #4ecdc4;
|
|
--easy: #59d68a;
|
|
--medium: #ffd166;
|
|
--hard: #ff7b72;
|
|
--expert: #6fb6ff;
|
|
}
|
|
|
|
* {
|
|
box-sizing: border-box;
|
|
}
|
|
|
|
body {
|
|
margin: 0;
|
|
font-family: "Fira Sans", "Segoe UI", sans-serif;
|
|
color: var(--text);
|
|
background:
|
|
radial-gradient(circle at 100% 0%, #1f4060 0%, transparent 45%),
|
|
radial-gradient(circle at 0% 100%, #14324a 0%, transparent 35%),
|
|
var(--bg);
|
|
min-height: 100vh;
|
|
padding: 1.2rem;
|
|
}
|
|
|
|
main {
|
|
width: min(1150px, 100%);
|
|
margin: 0 auto;
|
|
display: grid;
|
|
gap: 1rem;
|
|
}
|
|
|
|
.panel {
|
|
background: var(--panel);
|
|
border: 1px solid #315678;
|
|
border-radius: 14px;
|
|
padding: 1.1rem;
|
|
}
|
|
|
|
h1,
|
|
h2,
|
|
h3 {
|
|
margin-top: 0;
|
|
}
|
|
|
|
p,
|
|
li {
|
|
color: var(--muted);
|
|
line-height: 1.5;
|
|
}
|
|
|
|
a {
|
|
color: var(--accent);
|
|
}
|
|
|
|
code {
|
|
background: #0d1f31;
|
|
border: 1px solid #2d4f6e;
|
|
border-radius: 6px;
|
|
padding: 0.1rem 0.35rem;
|
|
}
|
|
|
|
pre {
|
|
background: #0b2133;
|
|
border: 1px solid #2b5578;
|
|
border-radius: 10px;
|
|
padding: 0.7rem;
|
|
overflow: auto;
|
|
}
|
|
|
|
.top-links {
|
|
display: flex;
|
|
flex-wrap: wrap;
|
|
gap: 0.5rem;
|
|
}
|
|
|
|
.pill {
|
|
display: inline-block;
|
|
text-decoration: none;
|
|
background: #11314b;
|
|
border: 1px solid #2a5d84;
|
|
border-radius: 999px;
|
|
padding: 0.35rem 0.75rem;
|
|
}
|
|
|
|
.badge {
|
|
display: inline-block;
|
|
border-radius: 999px;
|
|
padding: 0.15rem 0.5rem;
|
|
font-size: 0.8rem;
|
|
font-weight: 700;
|
|
margin-bottom: 0.45rem;
|
|
}
|
|
|
|
.easy {
|
|
color: #08210f;
|
|
background: var(--easy);
|
|
}
|
|
|
|
.medium {
|
|
color: #312200;
|
|
background: var(--medium);
|
|
}
|
|
|
|
.hard {
|
|
color: #3b0905;
|
|
background: var(--hard);
|
|
}
|
|
|
|
.expert {
|
|
color: #031c37;
|
|
background: var(--expert);
|
|
}
|
|
|
|
details {
|
|
background: var(--panel-soft);
|
|
border: 1px solid #2d5577;
|
|
border-radius: 12px;
|
|
padding: 0.75rem 0.85rem;
|
|
margin-bottom: 0.7rem;
|
|
}
|
|
|
|
details:last-child {
|
|
margin-bottom: 0;
|
|
}
|
|
|
|
summary {
|
|
cursor: pointer;
|
|
font-weight: 700;
|
|
}
|
|
|
|
.kw {
|
|
color: #e9f2fb;
|
|
font-weight: 700;
|
|
}
|
|
</style>
|
|
</head>
|
|
<body>
|
|
<main>
|
|
<section class="panel">
|
|
<h1>Solutions Board (detailliert)</h1>
|
|
<p>Hier stehen absichtlich konkrete Musterloesungen mit Snippets, Checks und typischen Stolperfallen.</p>
|
|
<div class="top-links">
|
|
<a class="pill" href="/">Startseite</a>
|
|
<a class="pill" href="/challenges.html">Challenges</a>
|
|
<a class="pill" href="/hints.html">Hints</a>
|
|
<a class="pill" href="/service/a">Backend A</a>
|
|
<a class="pill" href="/service/b">Backend B</a>
|
|
</div>
|
|
</section>
|
|
|
|
<section class="panel">
|
|
<h2>Easy - Musterloesungen</h2>
|
|
|
|
<details open>
|
|
<summary><span class="badge easy">Easy</span> 1) Routing verstehen</summary>
|
|
<pre><code>curl http://localhost:8080/service/a
|
|
curl http://localhost:8080/service/b</code></pre>
|
|
<p><span class="kw">Erwartete Erklaerung:</span> Nginx matched den Pfad in <code>location</code> und leitet auf den passenden <code>upstream</code> weiter.</p>
|
|
</details>
|
|
|
|
<details>
|
|
<summary><span class="badge easy">Easy</span> 2) backend-c hinzufuegen</summary>
|
|
<p><span class="kw">Compose (Beispiel):</span></p>
|
|
<pre><code>backend-c:
|
|
image: nginx:1.27-alpine
|
|
container_name: workshop-backend-c
|
|
volumes:
|
|
- ./backends/c:/usr/share/nginx/html:ro,z</code></pre>
|
|
<p><span class="kw">Nginx (Beispiel):</span></p>
|
|
<pre><code>upstream backend_c {
|
|
server backend-c:80;
|
|
}
|
|
|
|
location /service/c {
|
|
proxy_pass http://backend_c/;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Forwarded-Proto http;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
}</code></pre>
|
|
<p><span class="kw">Check:</span> <code>curl http://localhost:8080/service/c</code></p>
|
|
</details>
|
|
|
|
<details>
|
|
<summary><span class="badge easy">Easy</span> 3) Rewrite Route</summary>
|
|
<pre><code>location = /demo/a {
|
|
rewrite ^ /service/a break;
|
|
proxy_pass http://backend_a/;
|
|
}</code></pre>
|
|
<p><span class="kw">Check:</span> <code>curl http://localhost:8080/demo/a</code></p>
|
|
</details>
|
|
</section>
|
|
|
|
<section class="panel">
|
|
<h2>Medium - Musterloesungen</h2>
|
|
|
|
<details>
|
|
<summary><span class="badge medium">Medium</span> 4) Security Headers</summary>
|
|
<pre><code>add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-Frame-Options "DENY" always;
|
|
add_header Referrer-Policy "no-referrer" always;</code></pre>
|
|
<p><span class="kw">Check:</span> <code>curl -I http://localhost:8080/</code></p>
|
|
</details>
|
|
|
|
<details>
|
|
<summary><span class="badge medium">Medium</span> 5) Interne Route absichern</summary>
|
|
<pre><code>location /internal/status {
|
|
allow 127.0.0.1;
|
|
deny all;
|
|
default_type text/plain;
|
|
return 200 "internal ok\n";
|
|
}</code></pre>
|
|
<p><span class="kw">Check:</span> <code>curl -i http://localhost:8080/internal/status</code></p>
|
|
</details>
|
|
|
|
<details>
|
|
<summary><span class="badge medium">Medium</span> 6) Logging verbessern</summary>
|
|
<pre><code>log_format workshop '$remote_addr - $request '
|
|
'status=$status upstream=$upstream_addr '
|
|
'rt=$request_time urt=$upstream_response_time';
|
|
|
|
access_log /var/log/nginx/access.log workshop;</code></pre>
|
|
<p><span class="kw">Check:</span></p>
|
|
<pre><code>curl http://localhost:8080/service/a
|
|
./scripts/compose.sh logs reverse-proxy</code></pre>
|
|
</details>
|
|
</section>
|
|
|
|
<section class="panel">
|
|
<h2>Hard (TLS) - Musterloesungen</h2>
|
|
|
|
<details>
|
|
<summary><span class="badge hard">Hard</span> 7) HTTPS mit Easy-RSA</summary>
|
|
<pre><code>mkdir -p certs/easyrsa
|
|
cp -r /usr/share/easy-rsa/* certs/easyrsa/
|
|
cd certs/easyrsa
|
|
./easyrsa init-pki
|
|
./easyrsa build-ca nopass
|
|
./easyrsa gen-req localhost nopass
|
|
./easyrsa sign-req server localhost</code></pre>
|
|
<p><span class="kw">Compose:</span></p>
|
|
<pre><code>reverse-proxy:
|
|
ports:
|
|
- "8080:80"
|
|
- "8443:443"
|
|
volumes:
|
|
- ./certs/easyrsa/pki:/etc/nginx/pki:ro,z</code></pre>
|
|
<p><span class="kw">Check:</span> <code>curl https://localhost:8443/service/a</code> (ohne <code>-k</code> nach CA-Import)</p>
|
|
</details>
|
|
|
|
<details>
|
|
<summary><span class="badge hard">Hard</span> 8) HTTP -> HTTPS Redirect</summary>
|
|
<pre><code>server {
|
|
listen 80;
|
|
server_name _;
|
|
|
|
location = /healthz {
|
|
default_type text/plain;
|
|
return 200 "ok\n";
|
|
}
|
|
|
|
location / {
|
|
return 301 https://$host:8443$request_uri;
|
|
}
|
|
}</code></pre>
|
|
<p><span class="kw">Check:</span> <code>curl -I http://localhost:8080/service/a</code></p>
|
|
</details>
|
|
|
|
<details>
|
|
<summary><span class="badge hard">Hard</span> 9) TLS Haertung + HSTS</summary>
|
|
<pre><code>ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_prefer_server_ciphers on;
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;</code></pre>
|
|
<p><span class="kw">Check:</span></p>
|
|
<pre><code>curl -I https://localhost:8443/service/a
|
|
openssl s_client -connect localhost:8443 -servername localhost</code></pre>
|
|
<p>Vollstaendige Referenz: <code>proxy/nginx.tls.example.conf</code></p>
|
|
</details>
|
|
</section>
|
|
|
|
<section class="panel">
|
|
<h2>Bonus Expert - Wireshark (ausformulierte Referenzloesung)</h2>
|
|
|
|
<details open>
|
|
<summary><span class="badge expert">Expert</span> 10) HTTP vs HTTPS sauber analysieren</summary>
|
|
<p><span class="kw">Schritt 1 - HTTP Capture:</span></p>
|
|
<ol>
|
|
<li>Interface waehlen: lokal meist <code>lo</code>.</li>
|
|
<li>Capture starten, Filter <code>tcp.port == 8080</code>.</li>
|
|
<li>Request senden: <code>curl http://localhost:8080/service/a</code>.</li>
|
|
<li>In "Follow HTTP Stream" zeigen, dass Pfad und Header lesbar sind.</li>
|
|
</ol>
|
|
|
|
<p><span class="kw">Schritt 2 - HTTPS Capture:</span></p>
|
|
<ol>
|
|
<li>HTTPS muss vorher laufen (Challenge 7).</li>
|
|
<li>Filter auf <code>tcp.port == 8443</code> oder <code>tls</code> setzen.</li>
|
|
<li>Request senden: <code>curl https://localhost:8443/service/a</code>.</li>
|
|
<li>Pakete markieren: <code>ClientHello</code>, <code>ServerHello</code>, <code>Certificate</code>.</li>
|
|
</ol>
|
|
|
|
<p><span class="kw">Schritt 3 - Erwartete Aussagen:</span></p>
|
|
<ul>
|
|
<li>HTTP: URL, Header, Payload sind sichtbar.</li>
|
|
<li>HTTPS: Handshake sichtbar, Nutzdaten ohne Key nicht lesbar.</li>
|
|
<li>Zertifikat im Handshake zeigt, wie der Server seine Identitaet beweist.</li>
|
|
</ul>
|
|
|
|
<p><span class="kw">Optional - TLS Decrypt (nur fuer Demo):</span></p>
|
|
<pre><code>export SSLKEYLOGFILE="$HOME/sslkeys.log"</code></pre>
|
|
<ul>
|
|
<li>Browser aus derselben Shell starten.</li>
|
|
<li>In Wireshark TLS Preferences -> Key Log File setzen.</li>
|
|
<li>Capture neu laden und Unterschiede vor/nach Keylog zeigen.</li>
|
|
</ul>
|
|
|
|
<p><span class="kw">Abgabe (Muster):</span></p>
|
|
<ul>
|
|
<li>Screenshot A: HTTP Stream mit lesbaren Headern.</li>
|
|
<li>Screenshot B: TLS Handshake mit markierten Nachrichten.</li>
|
|
<li>Screenshot C (optional): entschluesselter Stream mit Keylog.</li>
|
|
<li>3-5 Bulletpoints mit eigener technischer Interpretation.</li>
|
|
</ul>
|
|
|
|
<p><span class="kw">Typische Fehler:</span> falsches Interface, kein HTTPS aktiv, Browser nicht aus Keylog-Shell gestartet.</p>
|
|
</details>
|
|
</section>
|
|
</main>
|
|
</body>
|
|
</html>
|