htl-reverse-proxy-tls-lab/proxy/html/solutions.html

<!doctype html>
<html lang="de">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>HTL Workshop Solutions</title>
    <style>
      :root {
        --bg: #f3f3f6;
        --surface: #ffffff;
        --text: #16161a;
        --muted: #65656e;
        --magenta: #e20074;
        --magenta-soft: #fbe3f0;
        --line: #e5e5ea;
        --code-bg: #f4f4f7;
        --code-line: #e2e2e8;
        --radius: 16px;
        --shadow: 0 1px 2px rgba(20, 20, 40, 0.04), 0 10px 30px rgba(20, 20, 40, 0.06);
      }

      * {
        box-sizing: border-box;
      }

      body {
        margin: 0;
        font-family: "TeleNeo", "Segoe UI", system-ui, -apple-system, sans-serif;
        color: var(--text);
        background: var(--bg);
        min-height: 100vh;
        padding: 2.2rem 1.2rem 3rem;
        line-height: 1.55;
      }

      main {
        width: min(1150px, 100%);
        margin: 0 auto;
        display: grid;
        gap: 1.25rem;
      }

      .panel {
        background: var(--surface);
        border: 1px solid var(--line);
        border-radius: var(--radius);
        padding: 1.5rem 1.6rem;
        box-shadow: var(--shadow);
      }

      .hero {
        position: relative;
        overflow: hidden;
      }

      .hero::before {
        content: "";
        position: absolute;
        top: 0;
        bottom: 0;
        left: 0;
        width: 5px;
        background: var(--magenta);
      }

      h1,
      h2,
      h3 {
        margin-top: 0;
        font-weight: 800;
        letter-spacing: -0.01em;
        color: var(--text);
      }

      h1 {
        font-size: 1.95rem;
      }

      h2 {
        font-size: 1.3rem;
      }

      p,
      li {
        color: var(--muted);
        line-height: 1.55;
      }

      a {
        color: var(--magenta);
        text-decoration: none;
        font-weight: 600;
      }

      a:hover {
        text-decoration: underline;
      }

      code {
        font-family: "JetBrains Mono", "Fira Code", "Consolas", "Liberation Mono", monospace;
        font-size: 0.9em;
        background: var(--code-bg);
        border: 1px solid var(--code-line);
        border-radius: 6px;
        padding: 0.1rem 0.35rem;
        color: #2a2a30;
      }

      pre {
        background: var(--code-bg);
        border: 1px solid var(--code-line);
        border-radius: 12px;
        padding: 0.9rem 1rem;
        overflow-x: auto;
        margin: 0.7rem 0 0;
      }

      pre code {
        display: block;
        background: transparent;
        border: 0;
        border-radius: 0;
        padding: 0;
        font-size: 0.88rem;
        line-height: 1.5;
        white-space: pre;
        color: #2a2a30;
      }

      .brand {
        display: flex;
        align-items: center;
        gap: 0.65rem;
        margin-bottom: 1rem;
      }

      .tmark {
        display: inline-flex;
        align-items: center;
        gap: 3px;
      }

      .tmark b {
        font-size: 1.55rem;
        font-weight: 800;
        color: var(--magenta);
        margin: 0 1px;
        line-height: 1;
      }

      .brand span {
        font-size: 0.82rem;
        font-weight: 700;
        letter-spacing: 0.12em;
        text-transform: uppercase;
        color: var(--muted);
      }

      .nav {
        display: flex;
        flex-wrap: wrap;
        gap: 0.5rem;
        margin-top: 1.2rem;
      }

      .nav a {
        text-decoration: none;
        color: var(--text);
        font-weight: 600;
        font-size: 0.92rem;
        background: var(--surface);
        border: 1px solid var(--line);
        border-radius: 999px;
        padding: 0.45rem 0.95rem;
        transition:
          color 0.15s ease,
          border-color 0.15s ease;
      }

      .nav a:hover {
        border-color: var(--magenta);
        color: var(--magenta);
        text-decoration: none;
      }

      .badge {
        display: inline-block;
        border-radius: 999px;
        padding: 0.2rem 0.6rem;
        font-size: 0.7rem;
        font-weight: 700;
        letter-spacing: 0.05em;
        text-transform: uppercase;
      }

      .easy {
        color: #245c00;
        background: #e4f3d6;
      }

      .medium {
        color: #7a4d00;
        background: #fdeecb;
      }

      .hard {
        color: #8a0010;
        background: #fbdcdc;
      }

      .expert {
        color: #004b66;
        background: #d6eef7;
      }

      details {
        background: var(--surface);
        border: 1px solid var(--line);
        border-radius: 12px;
        padding: 1rem 1.15rem;
        margin-bottom: 0.8rem;
        transition: border-color 0.15s ease;
      }

      details[open] {
        border-color: #d8d8df;
        box-shadow: var(--shadow);
      }

      details:last-child {
        margin-bottom: 0;
      }

      summary {
        cursor: pointer;
        font-weight: 700;
        color: var(--text);
        list-style: none;
        display: flex;
        align-items: center;
        gap: 0.6rem;
      }

      summary::-webkit-details-marker {
        display: none;
      }

      summary::after {
        content: "+";
        margin-left: auto;
        color: var(--magenta);
        font-weight: 800;
        font-size: 1.15rem;
        line-height: 1;
      }

      details[open] summary::after {
        content: "\2013";
      }

      .kw {
        color: var(--text);
        font-weight: 700;
      }
    </style>
  </head>
  <body>
    <main>
      <section class="panel hero">
        <div class="brand">
          <span class="tmark"><b>T</b></span>
          <span>Telekom Security</span>
        </div>
        <h1>Solutions Board (detailliert)</h1>
        <p>Hier stehen absichtlich konkrete Musterloesungen mit Snippets, Checks und typischen Stolperfallen.</p>
        <p><span class="kw">Workflow:</span> Nach jeder Konfig-Aenderung mindestens <code>./scripts/lab.sh proxy-reload</code>, bei Compose-Aenderungen <code>./scripts/lab.sh redeploy</code>.</p>
        <nav class="nav">
          <a href="/">Startseite</a>
          <a href="/challenges.html">Challenges</a>
          <a href="/hints.html">Hints</a>
          <a href="/solutions.html">Solutions</a>
          <a href="/service/a">Backend A</a>
          <a href="/service/b">Backend B</a>
          <a href="/challenges.html#challenge-2-backend-c">Backend C (ab C2)</a>
        </nav>
      </section>

      <section class="panel">
        <h2>Easy - Musterloesungen</h2>

        <details>
          <summary><span class="badge easy">Easy</span> 1) Routing verstehen</summary>
          <p><span class="kw">Dateien:</span> nur lesen: <code>proxy/nginx.conf</code></p>
          <p><span class="kw">Commands noetig:</span> ja</p>
          <pre><code>curl http://localhost:8080/service/a
curl http://localhost:8080/service/b</code></pre>
          <p><span class="kw">Erwartete Erklaerung:</span> Nginx matched den Pfad in <code>location</code> und leitet auf den passenden <code>upstream</code> weiter.</p>
        </details>

        <details>
          <summary><span class="badge easy">Easy</span> 2) backend-c hinzufuegen</summary>
          <p><span class="kw">Dateien:</span> <code>docker-compose.yml</code>, <code>proxy/nginx.conf</code>, <code>backends/c/index.html</code></p>
          <p><span class="kw">Commands noetig:</span> ja</p>
          <p><span class="kw">Compose (Beispiel):</span></p>
          <pre><code>backend-c:
  image: nginx:1.27-alpine
  container_name: workshop-backend-c
  volumes:
    - ./backends/c:/usr/share/nginx/html:ro,z</code></pre>
          <p><span class="kw">Nginx (Beispiel):</span></p>
          <pre><code>upstream backend_c {
  server backend-c:80;
}

location /service/c {
  proxy_pass http://backend_c/;
  proxy_set_header Host $host;
  proxy_set_header X-Forwarded-Proto http;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}</code></pre>
          <p><span class="kw">Check:</span> <code>curl http://localhost:8080/service/c</code></p>
          <p><span class="kw">Hinweis:</span> Stelle sicher, dass <code>backends/c/index.html</code> existiert (Starterdatei liegt bereits im Repo).</p>
        </details>

        <details>
          <summary><span class="badge easy">Easy</span> 3) Alias-Route /demo/a</summary>
          <p><span class="kw">Dateien:</span> <code>proxy/nginx.conf</code></p>
          <p><span class="kw">Commands noetig:</span> ja</p>
          <pre><code>location = /demo/a {
  proxy_pass http://backend_a/;
}</code></pre>
          <p><span class="kw">Check:</span> <code>curl http://localhost:8080/demo/a</code></p>
        </details>
      </section>

      <section class="panel">
        <h2>Medium - Musterloesungen</h2>

        <details>
          <summary><span class="badge medium">Medium</span> 4) Security Headers</summary>
          <p><span class="kw">Dateien:</span> <code>proxy/nginx.conf</code></p>
          <p><span class="kw">Commands noetig:</span> ja</p>
          <pre><code>add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;</code></pre>
          <p><span class="kw">Platzierung:</span> in den <code>server {}</code>-Block, damit alle Locations sie erben. Sobald eine Location ein eigenes <code>add_header</code> hat, verwirft Nginx dort die Server-Header und sie muessen wiederholt werden.</p>
          <p><span class="kw">Optional CSP (statisch, inline styles erlaubt):</span></p>
          <pre><code>add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; base-uri 'none'; frame-ancestors 'none'" always;</code></pre>
          <p><span class="kw">Check:</span> <code>curl -I http://localhost:8080/</code></p>
        </details>

        <details>
          <summary><span class="badge medium">Medium</span> 5) Interne Route absichern</summary>
          <p><span class="kw">Dateien:</span> <code>proxy/nginx.conf</code></p>
          <p><span class="kw">Commands noetig:</span> ja</p>
          <pre><code>location /internal/status {
  allow 127.0.0.1;
  deny all;
  default_type text/plain;
  return 200 "internal ok\n";
}</code></pre>
          <p><span class="kw">Check (Host):</span> <code>curl -i http://localhost:8080/internal/status</code> (typisch 403)</p>
          <p><span class="kw">Check (Container-intern):</span></p>
          <pre><code>./scripts/compose.sh exec -T reverse-proxy sh -lc "wget -qO- http://127.0.0.1/internal/status"</code></pre>
        </details>

        <details>
          <summary><span class="badge medium">Medium</span> 6) Logging verbessern</summary>
          <p><span class="kw">Dateien:</span> <code>proxy/nginx.conf</code></p>
          <p><span class="kw">Commands noetig:</span> ja</p>
          <p><span class="kw">Platzierung:</span> <code>log_format</code> muss in den <code>http {}</code>-Block (sonst startet Nginx nicht). <code>access_log</code> darf in <code>http</code>, <code>server</code> oder <code>location</code>.</p>
          <pre><code>log_format workshop '$remote_addr - $request '
                   'status=$status upstream=$upstream_addr '
                   'rt=$request_time urt=$upstream_response_time';

access_log /var/log/nginx/access.log workshop;</code></pre>
          <p><span class="kw">Check:</span></p>
          <pre><code>curl http://localhost:8080/service/a
./scripts/compose.sh logs reverse-proxy</code></pre>
        </details>

        <details>
          <summary><span class="badge medium">Medium</span> 7) Load Balancing</summary>
          <p><span class="kw">Dateien:</span> <code>docker-compose.yml</code>, <code>proxy/nginx.conf</code>, <code>backends/a2/index.html</code></p>
          <p><span class="kw">Commands noetig:</span> ja</p>
          <p><span class="kw">Compose (backend-a2):</span></p>
          <pre><code>backend-a2:
  image: nginx:1.27-alpine
  container_name: workshop-backend-a2
  volumes:
    - ./backends/a2:/usr/share/nginx/html:ro,z</code></pre>
          <p><span class="kw">Nginx (upstream erweitern):</span></p>
          <pre><code>upstream backend_a {
  server backend-a:80;
  server backend-a2:80;
}</code></pre>
          <p><span class="kw">Check:</span></p>
          <pre><code>for i in $(seq 1 8); do
  curl -s http://localhost:8080/service/a | grep -o "INSTANCE=[A-Za-z0-9]*"
done</code></pre>
          <p><span class="kw">Marker:</span> Backend A/A2 enthalten unsichtbar <code>&lt;!-- INSTANCE=A --&gt;</code> bzw. <code>INSTANCE=A2</code>. <code>[A-Za-z0-9]*</code> matched das ganze Token (kein Prefix-Problem A vs. A2).</p>
        </details>

        <details>
          <summary><span class="badge medium">Medium</span> 8) Response Header Minimization</summary>
          <p><span class="kw">Dateien:</span> <code>proxy/nginx.conf</code></p>
          <p><span class="kw">Commands noetig:</span> ja</p>
          <p><span class="kw">Abgrenzung zu #4:</span> #4 fuegt Schutz-Header hinzu, #8 entfernt unnoetige Upstream-Metadaten.</p>
          <p><span class="kw">Gut zu wissen:</span> <code>proxy_hide_header</code> ist kein <code>add_header</code> &rarr; es loest die Vererbungsfalle aus #4 nicht aus. Die Server-Header bleiben in dieser Location erhalten.</p>
          <pre><code>location /service/a {
  proxy_pass http://backend_a/;
  proxy_hide_header ETag;
  proxy_hide_header Last-Modified;
}</code></pre>
          <p><span class="kw">Check:</span> <code>curl -I http://localhost:8080/service/a</code></p>
        </details>

        <details>
          <summary><span class="badge medium">Medium</span> 9) Debugging Challenge</summary>
          <p><span class="kw">Dateien:</span> <code>proxy/nginx.broken.conf</code>, <code>proxy/nginx.conf</code></p>
          <p><span class="kw">Commands noetig:</span> ja</p>
          <p><span class="kw">Ablauf:</span> Zuerst die eigene Config sichern (diese Challenge ueberschreibt sie!), dann die kaputte aktivieren, Fehler beheben und am Ende die eigene Config wiederherstellen.</p>
          <pre><code>cp proxy/nginx.conf proxy/nginx.conf.bak      # 1. eigene Config sichern
cp proxy/nginx.broken.conf proxy/nginx.conf   # 2. kaputte aktivieren
./scripts/lab.sh proxy-reload
./scripts/compose.sh logs reverse-proxy        # 3. Fehler finden + fixen</code></pre>
          <p><span class="kw">Am Ende eigene Config zurueck:</span></p>
          <pre><code>cp proxy/nginx.conf.bak proxy/nginx.conf
./scripts/lab.sh proxy-reload</code></pre>
          <p><span class="kw">Konkrete Fehler und Fixes:</span></p>
          <ol>
            <li><span class="kw">Upstream-Mismatch:</span> <code>backend_a_typo</code> ist definiert, aber <code>backend_a</code> wird referenziert -> Namen angleichen.</li>
            <li><span class="kw">Falscher Port:</span> <code>backend-a:8080</code> -> auf <code>backend-a:80</code> korrigieren.</li>
            <li><span class="kw">Pfadfehler:</span> in <code>/service/b</code> fehlt der Trailing Slash bei <code>proxy_pass</code> -> <code>proxy_pass http://backend_b/;</code>.</li>
          </ol>
          <p><span class="kw">Check:</span> beide Routen funktionieren wieder.</p>
          <pre><code>curl http://localhost:8080/service/a
curl http://localhost:8080/service/b
./scripts/compose.sh logs reverse-proxy</code></pre>
        </details>
      </section>

      <section class="panel">
        <h2>Hard (TLS) - Musterloesungen</h2>

        <details>
          <summary><span class="badge hard">Hard</span> 10) HTTPS mit Easy-RSA</summary>
          <p><span class="kw">Dateien:</span> <code>docker-compose.yml</code>, <code>proxy/nginx.conf</code>, <code>certs/easyrsa/*</code></p>
          <p><span class="kw">Commands noetig:</span> ja</p>
          <pre><code>mkdir -p certs/easyrsa
cp -r /usr/share/easy-rsa/* certs/easyrsa/
cd certs/easyrsa
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-req localhost nopass
./easyrsa --subject-alt-name="DNS:localhost,IP:127.0.0.1" sign-req server localhost</code></pre>
          <p><span class="kw">Compose:</span></p>
          <pre><code>reverse-proxy:
  ports:
    - "8080:80"
    - "8443:443"
  volumes:
    - ./certs/live:/etc/nginx/certs:ro,z</code></pre>
          <p><span class="kw">Wichtig:</span> Nicht die komplette PKI in den Container mounten. Nur Runtime-Zertifikat + Key bereitstellen.</p>
          <p><span class="kw">Deploy:</span> Port- und Volume-Aenderungen sind Compose-Aenderungen &rarr; <code>./scripts/lab.sh redeploy</code> (nicht <code>./scripts/lab.sh proxy-reload</code>), sonst greift der neue Port nicht.</p>
          <p><span class="kw">Nginx TLS-Pfade:</span> <code>ssl_certificate /etc/nginx/certs/localhost.crt;</code> und <code>ssl_certificate_key /etc/nginx/certs/localhost.key;</code></p>
          <p><span class="kw">Check:</span> <code>curl https://localhost:8443/service/a</code> (ohne <code>-k</code> nach CA-Import)</p>
        </details>

        <details>
          <summary><span class="badge hard">Hard</span> 11) HTTP -&gt; HTTPS Redirect</summary>
          <p><span class="kw">Voraussetzung:</span> Challenge 10 abgeschlossen (gleiches Config-File weiterverwenden).</p>
          <p><span class="kw">Dateien:</span> <code>proxy/nginx.conf</code></p>
          <p><span class="kw">Commands noetig:</span> ja</p>
          <pre><code>server {
  listen 80;
  server_name _;

  location = /healthz {
    default_type text/plain;
    return 200 "ok\n";
  }

  location / {
    return 301 https://$host:8443$request_uri;
  }
}</code></pre>
          <p><span class="kw">Check:</span> <code>curl -I http://localhost:8080/service/a</code></p>
        </details>

        <details>
          <summary><span class="badge hard">Hard</span> 12) TLS Haertung + HSTS</summary>
          <p><span class="kw">Voraussetzung:</span> Challenge 10 und 11 abgeschlossen.</p>
          <p><span class="kw">Dateien:</span> <code>proxy/nginx.conf</code></p>
          <p><span class="kw">Commands noetig:</span> ja</p>
          <pre><code>ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=3600; includeSubDomains" always;</code></pre>
          <p><span class="kw">Check:</span></p>
          <pre><code>curl -I https://localhost:8443/service/a
openssl s_client -connect localhost:8443 -servername localhost</code></pre>
          <p>Vollstaendige Referenz: <code>proxy/nginx.tls.example.conf</code></p>
        </details>
      </section>

      <section class="panel">
        <h2>Bonus Expert - Wireshark (ausformulierte Referenzloesung)</h2>

        <details>
          <summary><span class="badge expert">Expert</span> 13) HTTP vs HTTPS sauber analysieren</summary>
          <p><span class="kw">Dateien:</span> keine Pflicht-Datei; optional Wireshark Settings und Keylog-Datei</p>
          <p><span class="kw">Commands noetig:</span> ja</p>
          <p><span class="kw">Schritt 1 - HTTP Capture:</span></p>
          <ol>
            <li>Interface waehlen: lokal meist <code>lo</code>.</li>
            <li>Capture starten, Filter <code>tcp.port == 8080</code>.</li>
            <li>Request senden: <code>curl http://localhost:8080/service/a</code>.</li>
            <li>In "Follow HTTP Stream" zeigen, dass Pfad und Header lesbar sind.</li>
          </ol>

          <p><span class="kw">Schritt 2 - HTTPS Capture:</span></p>
          <ol>
            <li>HTTPS muss vorher laufen (Challenge 10).</li>
            <li>Filter auf <code>tcp.port == 8443</code> oder <code>tls</code> setzen.</li>
            <li>Request senden: <code>curl https://localhost:8443/service/a</code>.</li>
            <li>Pakete markieren: <code>ClientHello</code>, <code>ServerHello</code>, <code>Certificate</code>.</li>
          </ol>

          <p><span class="kw">Schritt 3 - Erwartete Aussagen:</span></p>
          <ul>
            <li>HTTP: URL, Header, Payload sind sichtbar.</li>
            <li>HTTPS: Handshake sichtbar, Nutzdaten ohne Key nicht lesbar.</li>
            <li>Zertifikat im Handshake zeigt, wie der Server seine Identitaet beweist.</li>
          </ul>

          <p><span class="kw">Optional - TLS Decrypt (nur fuer Demo):</span></p>
          <pre><code>export SSLKEYLOGFILE="$HOME/sslkeys.log"</code></pre>
          <ul>
            <li>Browser aus derselben Shell starten.</li>
            <li>In Wireshark TLS Preferences -> Key Log File setzen.</li>
            <li>Capture neu laden und Unterschiede vor/nach Keylog zeigen.</li>
          </ul>

          <p><span class="kw">Abgabe (Muster):</span></p>
          <ul>
            <li>Screenshot A: HTTP Stream mit lesbaren Headern.</li>
            <li>Screenshot B: TLS Handshake mit markierten Nachrichten.</li>
            <li>Screenshot C (optional): entschluesselter Stream mit Keylog.</li>
            <li>3-5 Bulletpoints mit eigener technischer Interpretation.</li>
          </ul>

          <p><span class="kw">Typische Fehler:</span> falsches Interface, kein HTTPS aktiv, Browser nicht aus Keylog-Shell gestartet.</p>
        </details>
      </section>
    </main>
  </body>
</html>