Intranet penetration chapter 3 (the difference between intranet penetration and reverse proxy): a step-by-step tutorial on safe intranet penetration, using an nginx reverse proxy to achieve two-way SSL authentication for intranet devices and stop users without a certificate from brute-forcing the NAS

Author: Geek plaything. Foreword: do you have this problem too? After setting up intranet penetration, devices on the home intranet such as the NAS keep seeing unknown IPs trying to brute-force the login. A strong password stops them from getting in, but the attempts never stop. I am about to deploy an intranet penetration environment again, to complement the virtual-network tunnel I use now.

This is for the convenience of family members who do not use the virtual-network tools: they should be able to open the services directly in a browser without any extra steps. But a solution like nps exposes services directly to the public Internet, so anyone who knows the domain name can reach my home intranet, and a domain name is not a very secret thing.

Being brute-forced by unknown IPs every day is an awful experience. Is there a way to avoid it? We know that https lets the client verify the identity of the server through a certificate; this is SSL one-way authentication. Where there is one-way authentication there is also two-way authentication: in SSL two-way (mutual) authentication the server additionally requires the client to present a certificate. Only when the certificates are verified on both sides, server and client, is the connection established; if the client certificate fails the server's verification, the client's connection request is rejected.

Therefore we can configure SSL two-way authentication so that only permitted users can reach the NAS and the other http-based intranet services, while everyone else has no connection permission at all. This protects the intranet devices to a considerable extent.

Prerequisites:

1. A domain name that supports wildcard resolution.

2. A public IP, or a public cloud server, or some other intranet penetration method.

3. An intranet device that can run docker; Synology (Qunhui), openwrt or Unraid will all work.

4. An SSL certificate, either self-signed or issued by a CA.

Start of the tutorial

1. nginxWebUI container deployment

nginxWebUI is a graphical front-end for nginx written by Chen Yimeng: nginx is configured through a web management interface, which makes it very easy for beginners to get started, and its automatic application and renewal of SSL certificates is a big convenience for us intranet penetration players. This tutorial uses the docker version of nginxWebUI, so that it can have ports 80 and 443 to itself.

For that, nginxWebUI needs to run on a macvlan network with its own independent IP. First check whether docker already has a macvlan network. Enter docker network ls; the output looks like this:

root@Tower:~# docker network ls
NETWORK ID     NAME     DRIVER    SCOPE
c9b49d7dffff   br0      macvlan   local
0464aacdffff   bridge   bridge    local
07c5c1d0ffff   host     host      local
a059f37effff   none     null      local
root@Tower:~#

You can see that there is a macvlan network named br0.

If there is no macvlan network, create one first. Enter ifconfig to see the name of the network card in use, and find the card that carries your management interface IP. For example, my management IP is 10.100.50.5, and the card with that IP is br0, so remember br0.

bond0: flags=5443 mtu 1500
        inet6 fe80::2f1:ffff:fef0:5aba prefixlen 64 scopeid 0x20
        ether 00:ff:ff:ff:ff:ff txqueuelen 1000 (Ethernet)
        RX packets 15361454 bytes 5485436605 (5.1 GiB)
        RX errors 0 dropped 773911 overruns 0 frame 0
        TX packets 14499561 bytes 9878246997 (9.1 GiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

br0: flags=4163 mtu 1500
        inet 10.100.50.5 netmask 255.255.255.0 broadcast 0.0.0.0
        inet6 fe80::2f1:ffff:fef0:5aba prefixlen 64 scopeid 0x20
        inet6 123f:fff:fff:acc0:2f1:ffff:fef0:5aba prefixlen 64 scopeid 0x0

Enter the following command to put the network card into promiscuous mode. Note that my card is named br0; if yours is not br0, replace br0 in the command with your card's name.

ip link set br0 promisc on

Next have docker create a macvlan network named vlan1. Replace the network card name, gateway and subnet with your own; my card is br0, my subnet is 10.100.50.0/24 and the gateway is 10.100.50.1.

docker network create -d macvlan --subnet=10.100.50.0/24 --gateway=10.100.50.1 -o parent=br0 vlan1

Pull the nginxWebUI container image:

docker pull cym1102/nginxwebui:latest

Start the container. Here the container is attached to the macvlan network "vlan1" created in the previous step and given a fixed IP address. Adjust the command to your own situation; do not copy it verbatim.

docker run -itd -v /home/nginxWebUI:/home/nginxWebUI -e BOOT_OPTIONS="--server.port=8080" --privileged=true --net=vlan1 --ip=10.100.50.81 cym1102/nginxwebui:latest

After the container has started, open http://ip:8080 directly in the browser to reach the nginxWebUI management interface.

Of course, there is no hurry to set up nginxWebUI yet; there is still a lot of preparatory work to make nginxWebUI work well.

2. Configure the container network so that the nginxWebUI container can talk to the host

Because of docker's security design, a container on a macvlan network cannot communicate with its host. Many all-in-one users run functional containers such as the emby media server in docker's port-mapping (bridge) mode, reached through the host's IP address, so nginx in the macvlan container could not reach any of them, which would make the whole exercise rather pointless. This section therefore solves the problem of reaching the host through the macvlan network.

The host and a macvlan container cannot talk to each other even on the same network segment, but macvlan containers can talk to each other. So we can add a macvlan virtual network card to the host and communicate with the macvlan containers through that virtual card. My host's network card is br0 with IP 10.100.50.5, and the container's IP is 10.100.50.81.

Run the following on the host to create a virtual network card named macvlan2 attached to the host's card:

ip link add macvlan2 link br0 type macvlan mode bridge

Assign an IP to the virtual card:

ip addr add 10.100.50.3 dev macvlan2

Bring the virtual card up:

ip link set macvlan2 up

Set routing rules so that traffic to the containers goes through this virtual card; add one rule per container that needs to communicate (change the target IP to your own):

ip route add 10.100.50.81 dev macvlan2

Now the container and the host can communicate: the host reaches the container through the container's IP, and the container reaches the host through the host's macvlan2 address.
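The four host-side commands above, wrapped into a small script so they can be re-run at boot for several containers at once. This is an added example, not code from the original post: the interface name, the shim address and the container IPs are parameters, and the post's own values (br0, macvlan2, 10.100.50.3, 10.100.50.81) are only assumptions for any other network.

```shell
#!/bin/sh
# Added example, not from the original post: the host-side macvlan "shim" from
# section 2 as a reusable script. Interface name, shim IP and container IPs are
# parameters; br0, macvlan2, 10.100.50.3 and 10.100.50.81 are the post's values
# and are assumptions for any other network.
# Needs root to actually run; DRY_RUN=1 only prints the commands it would run.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# macvlan_shim PARENT_IF SHIM_IP CONTAINER_IP [CONTAINER_IP...]
macvlan_shim() {
  parent=$1
  shim_ip=$2
  shift 2
  if [ $# -lt 1 ]; then
    echo "macvlan_shim: need at least one container IP" >&2
    return 1
  fi
  shim=${SHIM_NAME:-macvlan2}

  # 1. A macvlan interface on the host, in bridge mode, hanging off the same
  #    parent NIC as the docker macvlan network (vlan1 in the post).
  run ip link add "$shim" link "$parent" type macvlan mode bridge

  # 2. Give it an address in the LAN segment (no prefix length, as in the post,
  #    means /32; the per-container routes below make that sufficient).
  run ip addr add "$shim_ip" dev "$shim"
  run ip link set "$shim" up

  # 3. One host route per container, so packets for the container leave through
  #    the shim instead of the parent NIC, which macvlan isolates from the host.
  for cip in "$@"; do
    run ip route add "$cip" dev "$shim"
  done
}

# When run as a script: ./macvlan_shim.sh br0 10.100.50.3 10.100.50.81 10.100.50.82
if [ $# -ge 3 ]; then
  macvlan_shim "$@"
fi
```

These ip settings are not persistent: they vanish at reboot, so the script has to be run again from the host's startup mechanism. Running it with DRY_RUN=1 first is a cheap way to review exactly which interface and routes will be created before touching a production host.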

For example, the container can now ping the host with ping 10.100.50.3.

3. Configure nginxWebUI and an openssl self-signed SSL certificate

1. openssl self-signed certificates and applying for a free SSL certificate

Two certificates are needed here. One is the server's SSL certificate, which can be obtained from a certificate authority such as Alibaba Cloud or self-signed with openssl. The other is the client certificate, which has to be self-signed with openssl. First configure the server's SSL certificate, then issue the client certificate with the openssl self-signed CA.

(1) Signing by a certificate authority, taking Alibaba Cloud as an example

First you need to create an Alibaba Cloud RAM access user so that nginxWebUI can apply for and automatically renew SSL certificates. Open the Alibaba Cloud console and hover over the avatar in the top-right corner; a menu appears. Click AccessKey management. It will prompt you to create a RAM sub-user.

Next open the RAM sub-user management page, click Add user, set the user name and tick the OpenAPI access option; the sub-user is then created. At this point you can see the sub-user's AccessKey ID and AccessKey Secret, but they cannot be used yet: the sub-user still needs the corresponding permissions.

Grant the sub-user three permissions: "Manage Yundun certificate service", "Manage Cloud DNS" and "Manage domain name service". The RAM sub-user configuration is now complete.

Fill the sub-user's AccessKey ID and Secret into the certificate management page of nginxWebUI, and it will apply for and renew certificates automatically in one step.

(2) openssl self-signed certificate

nginxWebUI comes with the openssl tool, so we self-sign directly inside the container. First connect to the nginxWebUI container's terminal. On Unraid, select "console" in the container management page. On Synology and openwrt you need Portainer. Space is limited, so here is just a brief deployment of Portainer:

docker pull 6053537/portainer-ce    # pull the Chinese-language Portainer image

docker run -p 9000:9000 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v /portainer_data:/data -d 6053537/portainer-ce    # run Portainer, reachable on port 9000

Open ip:9000 to log in to the Portainer back end.

A self-signed server certificate is quite troublesome to use, so I don't recommend it; here I only outline the process. Open /home/nginxWebUI (this directory is mapped to /home on the host), create a new folder called openssl and enter it:

cd /home/nginxWebUI
mkdir openssl
cd openssl

Generate the CA private key and the CA root certificate:

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

When creating the CA certificate you will be asked for some information:

Country Name: two-letter country code
State or Province Name: name of the province or state
Locality Name: name of the city
Organization Name: name of the organization
Organizational Unit Name: name of the department
Common Name: any name
Email Address: anything

The CA certificate is then created. Next create the server's certificate and private key:

openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr

The process of creating the server certificate is similar to creating the CA root certificate, with one difference: Common Name cannot be filled in casually. It must be the server's domain name or IP; for a wildcard domain write it as *.yourdomain. After the domain name you are asked for "A challenge password": enter nothing and press Enter to skip. Then sign the server certificate with the CA:

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650

The server certificate is now signed. Upload the server certificate and private key to nginxWebUI, and install the self-signed CA root certificate on every device that needs it.

(3) Making the client certificate

This differs from the self-signed server certificate above: this time the CA private key and CA root certificate from before are used to sign a client certificate. If you use a certificate issued by a certificate authority and skipped the self-signed server certificate, refer to the previous step to produce the CA private key and CA root certificate first.

openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr

The steps are the same as generating the root certificate: after entering the required information and the email address you are asked for "A challenge password"; enter nothing and press Enter to skip. Then sign the client certificate:

openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650

Package the client certificate and private key into p12 format (the next step asks you to set a password for the p12 file):

openssl pkcs12 -export -inkey client.key -in client.crt -out client.pfx
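The whole chain from sections (2) and (3), CA, server certificate, client certificate and p12 bundle, as one script that answers the prompts non-interactively and then checks that both leaf certificates actually verify against the CA, which is exactly the check nginx will later perform on a presented client certificate. This is an added example, not the post's own commands: it assumes the openssl CLI (1.1.1 or 3.x), and the directory, the domain argument, the client CN "family-laptop" and the password "changeit" are placeholders. It goes one step beyond the post by also putting the wildcard into a subjectAltName, since current browsers ignore the CN when matching the server name.

```shell
#!/bin/sh
# Added example, not from the original post: the whole self-signed chain from
# sections (2) and (3) built non-interactively (-subj replaces the prompts) and
# verified with openssl. Assumes the openssl CLI (1.1.1 or 3.x). The directory,
# the domain passed in, the CN "family-laptop" and the password "changeit" are
# placeholders, not the author's values.
# Key size defaults to the post's 4096 bits; KEY_BITS=2048 speeds up a test run.

# make_chain DIR DOMAIN: writes ca.key/ca.crt, server.key/server.crt,
# client.key/client.crt and client.pfx into DIR; fails if either leaf does not
# verify against ca.crt.
make_chain() {
  (
    set -e
    bits=${KEY_BITS:-4096}
    mkdir -p "$1" && cd "$1"
    domain=$2
    subj_base="/C=CN/ST=State/L=City/O=Home"

    # 1. CA private key and self-signed CA root certificate (10 years).
    openssl genrsa -out ca.key "$bits" 2>/dev/null
    openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
      -subj "$subj_base/CN=Home Root CA"

    # 2. Server key and CSR. The post puts the wildcard only in CN; browsers
    #    ignore CN and require a subjectAltName, so it is added here as well.
    openssl genrsa -out server.key "$bits" 2>/dev/null
    openssl req -new -key server.key -out server.csr \
      -subj "$subj_base/CN=*.$domain"
    printf 'subjectAltName=DNS:*.%s,DNS:%s\n' "$domain" "$domain" > server.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out server.crt -days 3650 -extfile server.ext

    # 3. Client key and CSR, signed by the same CA: this is what makes
    #    "ssl_client_certificate ca.crt; ssl_verify_client on;" accept it.
    openssl genrsa -out client.key "$bits" 2>/dev/null
    openssl req -new -key client.key -out client.csr \
      -subj "$subj_base/CN=family-laptop"
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out client.crt -days 3650

    # 4. Bundle client cert + key as PKCS#12 for Windows/Android/macOS/iOS.
    #    OpenSSL 3 uses AES/PBKDF2 here; very old importers may need -legacy.
    openssl pkcs12 -export -inkey client.key -in client.crt -out client.pfx \
      -passout pass:changeit

    # 5. Both leaves must chain to ca.crt or the TLS handshake will fail.
    openssl verify -CAfile ca.crt server.crt client.crt >/dev/null
  )
}

# cert_cn FILE: print the subject CN of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# verified_by_ca CA_FILE CERT_FILE: exit 0 iff CERT_FILE chains to CA_FILE
# (the same check nginx performs on a presented client certificate).
verified_by_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Calling make_chain /home/nginxWebUI/openssl home.b.a reproduces the post's layout. Only ca.crt is handed to nginx as ssl_client_certificate; ca.key stays on the host and is the single thing that can mint new client certificates, so it deserves the same care as the NAS admin password. A certificate from any other CA, self-signed or public, will fail verified_by_ca against this ca.crt, which is the whole point of the scheme.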

All generated files are under /home/nginxWebUI on the host.

2. Configure the nginxWebUI reverse proxy and SSL two-way authentication

On first login there is an account and password setup screen. After setting them, log in to the nginxWebUI management interface. Step one: choose "http parameter configuration"; step two: choose "simple configuration wizard". The configuration page then opens, and the default settings are fine.

Then open the "reverse proxy" tab, which lists the reverse proxies already configured. Click "add reverse proxy" to open the new-proxy form. Because this tutorial uses https, set "enable ssl" to yes, listening port 443, enable http2, enable http-to-https redirect, redirect port 80.

That way we can type the domain name in the browser and be redirected to https. Next comes the key part: the domain listening settings. The domain we registered usually has the form "b.a". We generally don't use the top-level domain directly; instead we create a subdomain that resolves to an IP, for example "c.b.a" resolves to "1.1.1.1" and "d.b.a" to "1.1.1.2".

Sometimes a whole level of the domain needs to resolve to one IP; this is wildcard resolution, written "*.b.a", and for a second-level wildcard "*.f.b.a". In Alibaba Cloud DNS, set the host record of the resolution record to "*"; then "c.b.a", "d.b.a" ... "z.b.a" all resolve to the same IP.

Set the host record to "*.home" and all of "a.home.b.a", "b.home.b.a" ... "z.home.b.a" resolve to the same IP. Because nginx's http reverse proxy identifies its target by domain name, we need to wildcard-resolve one domain level to nginx.

Here I use a second-level wildcard: everything under "*.home.b.a" resolves to nginx, and nginx then proxies to the intranet host according to the full domain name. For example, the full domain name of my Synology management page is "ds.home.b.a", and nginx uses this full name to find the Synology host on the intranet.

Likewise, openwrt's full domain name is "rope.home.b.a", and nginx finds the openwrt host by it. With the domain listening configured, we add a proxy target so that nginx can find the intranet host. Leave the monitoring path alone, set the http proxy type to "dynamic http", and set the target address and port according to your setup.

For example, my Synology's IP is "10.100.50.200" and its port is "5000", so the target address is "http://10.100.50.200:5000"; the Seafile drive on my Synology is at "10.100.50.200" port "8000", so its target address is "http://10.100.50.200:8000".

My openwrt's IP is "10.100.50.15" on the default port "80", so the target address is "http://10.100.50.15:80". Note that one domain can have several proxy targets, but I don't recommend it: better one domain per proxy ip:port, e.g. one domain for Synology management, one for Seafile and one for openwrt, so that there are no resolution mistakes.

Next configure the SSL certificate used by https. For a certificate already applied for, just select it from the list; for a self-signed certificate, upload the certificate and private key from the host. After configuring, click "submit" and a reverse proxy with SSL and http-to-https redirect is configured. The next step is to make the configuration take effect.

Select the "enable configuration" tab in the sidebar, which opens the page shown below. First click "check file"; once the check succeeds, click "stop nginx", then "replace file" and "start nginx" in turn. The reverse proxy is now running and can be used directly. To configure two-way SSL, insert the following two lines into the corresponding reverse proxy configuration file at the position shown in the figure below.

Here I insert them into the Synology reverse proxy configuration. Every reverse-proxied domain needs its own configuration, with the lines inserted at the corresponding position. The "/home/nginxWebUI/openssl2/ca.crt" in "ssl_client_certificate /home/nginxWebUI/openssl2/ca.crt;" is the self-signed CA certificate just generated with openssl; adjust it to your own situation.

After that, repeat the previous step ("check file", "stop nginx", ...) and SSL two-way authentication is configured.

ssl_client_certificate /home/nginxWebUI/openssl2/ca.crt;
ssl_verify_client on;
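For readers who would rather see the whole thing than hunt for the insertion point in the UI, here is a hand-written nginx server block equivalent to what the wizard produces, with the two mutual-TLS lines in place. This is an added example, not the file nginxWebUI generates: the certificate paths, the domain ds.home.b.a and the Synology address 10.100.50.200:5000 follow the post and are assumptions for any other setup.

```nginx
# Added example, not nginxWebUI's generated configuration. Paths, domain and
# upstream address are the post's values; adjust them to your own.

server {
    listen 80;
    server_name ds.home.b.a;
    # the "http -> https" option from the wizard
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name ds.home.b.a;

    # Server identity: the CA-issued or self-signed server certificate.
    ssl_certificate     /home/nginxWebUI/openssl/server.crt;
    ssl_certificate_key /home/nginxWebUI/openssl/server.key;

    # Client identity: the handshake only completes for certificates signed by
    # this CA. Anything else (or no certificate at all) gets nginx's 400
    # "No required SSL certificate was sent", before any request reaches the NAS.
    ssl_client_certificate /home/nginxWebUI/openssl2/ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 1;

    location / {
        proxy_pass http://10.100.50.200:5000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Optional: pass the verified client subject upstream so the NAS's own
        # logs show which certificate, not just which IP, made the request.
        proxy_set_header X-SSL-Client-DN   $ssl_client_s_dn;
    }
}
```

A quick check from a machine that has the files: curl --cacert ca.crt --cert client.crt --key client.key https://ds.home.b.a/ should return the Synology login page, while the same command without --cert and --key must return the 400 page. If the second call succeeds, ssl_verify_client is not "on" in the server block that actually answered, which usually means the lines were inserted into a different domain's configuration or the replaced file was never reloaded.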

Now open the address just configured in the browser and you will immediately see the prompt below. That is because the client's SSL certificate and private key have not been configured yet, so the server cannot verify the client certificate and simply rejects the connection.

3. Configure client certificates on devices

1. Windows: first install the openssl self-signed CA certificate, then install the packaged p12 certificate and private key, entering the password set when packaging the p12. If the CA certificate is not installed, it will warn that the p12 certificate is unverified. Then open the page that requires two-way authentication and pick the matching client certificate.

2. Android: just install the p12 certificate directly, then open the page that requires two-way authentication and pick the matching client certificate.

3. macOS: as on Windows, first install the self-signed CA certificate, then the p12 certificate. After installing the CA certificate on macOS, open "Keychain Access" - "System Keychains - System" - "Certificates", double-click the CA certificate just installed, select the "Trust" tab in the new window and tick "Always Trust".

With that, the p12 certificate and the self-signed CA certificate take effect. Open the page that requires two-way authentication and pick the matching client certificate.

4. iOS: the openssl self-signed CA certificate must also be installed first, and installing the CA certificate and the p12 certificate on iOS is rather troublesome. My solution is to copy the CA certificate and the p12 client certificate to the Synology or Unraid and use them as a simple http download server. In the built-in Safari on iOS, log in to the Synology, select the certificate in File Station, long-press to open the menu and choose download; this installs the profile.

On Unraid it is even simpler: open the share where the certificates are stored, find their location and tap them to download and install the profile. On iOS install the CA certificate first, then go to "Settings" - "General" - "Profiles & Device Management" and verify the CA certificate just installed, then in "General" - "About" - "Certificate Trust Settings" trust that CA certificate.

Then install the p12 certificate and enter the password. After it installs successfully, it must also be verified in "Settings" - "General" - "Profiles & Device Management". iOS has a limitation, though: only the built-in Safari browser can use SSL two-way authentication. When opening a page that requires two-way SSL, the browser pops up the client certificate selection dialog; choose the corresponding certificate and you can access the page without the nginx 400 error.

This concludes the nginx reverse proxy and two-way SSL authentication tutorial. PS: once SSL two-way authentication is configured, access is only possible through a browser; apps that do not support SSL two-way authentication will report that they cannot connect.

