I'm currently setting up an PROXY SSL Infrastructure based on Squid Proxy and Firefox Browser, things that I can't change (not dependinig on me).
After several test i'm wondering those questions:
- Apparently, FF can't natively process SSL crypting; we can only specify in settings the way by which will through the flow already encrypted. Am I true or not? Is there any way to make FF crypt the flow in SSL?
- consequently, I had to use a proxy.pac file, based on a HTTP apache server (using TCP/80), in which in specified "return HTTPS $IP:$port". It seems to work, but honnestly I don't really understand why, in comparison with my 1st statement... Could you explain it to me
- Of course all certificate has been generated and correcly set into the browser
Thanks for you help
Kondor76
Related
These days I am researching on capturing and decoding SSL traffic from apk files, I have learned that it is possible to use Fiddler to do that, I have done all the steps in the following link
Cannot configure Fiddler proxy in Android to decrypt HTTPS
But my situation is a little different, I can decode some SSL traffic from apk files, but some SSL traffic seems does not go through WLAN, not like the situation in above links, it does not appear in Fiddler capturing window(maybe the code in apk deliberately set to not go through WLAN to avoid being captured?)
so I tried proxydroid to make all traffic go to my fiddler proxy, It succeeded, now it appears in fiddler capturing window, but it seems not using fiddler root cert like those traffic which goes through WLAN as default, so I can only see "connect to xxx" in Fiddler window, but no decryption
I even tried xpose framework and JustTrustMe, still no use(although I think the problem does not lie there)
So in such a situation, Is there a way to decode? I think the key is to both direct SSL traffic to fiddler proxy and use root cert simultaneously, but How?
UPDATE:
not to mention this specific problem, currently Could someone give me some information about how a SSL cert is used in android system, why those https links which use WLAN as default will use cert automatically, I guess it's because those links which use WLAN as default is just like use https link in browser , while cert is trusted by browser when you installed this root cert, but those links which do not use WLAN as default actually do not trigger https link like in browser, so even using some tool to redirect those links to fiddler proxy can not make it trust the cert, so they just do not use this root cert?? if my guess is right, then maybe there is no easy solution to solve this problem??
UPDATE2:
I have posted another topic, which tries to solve this problem from another perspective, it provided specific apk link, so if someone is interested, you can visit that topic to get more info
I'm using authlib in my project. I have a local IDP setup using http atm.
For testing, this code is blocking me because my dev environment is http.
https://github.com/lepture/authlib/blob/master/authlib/client/oauth2.py#L155
I can carry on by commenting out the line. But, i think having a way to turn of https check is neater.
So, dose anyway know a way to turn off https check in Authlib ?
It can be solved by setting an environment:
AUTHLIB_INSECURE_TRANSPORT=true
This is not documented on client sections, it is documented on the server parts like https://docs.authlib.org/en/latest/flask/oauth2.html
How do we by pass this issue with SonarQube server v5.1 and firefox? Chrome & IE are working fine but firefox is not allowing to access the server in https mode. I looked at https://weakdh.org/sysadmin.html but I am not sure what server SonarQube uses and how to implement fix for this problem. Any help is appreciated. Thanks.
When a user wants to enable (or restrict) access to a SonarQube instance over HTTPS, the recommended way is to put it behind another WebServer she configures at will.
So, the way to go here, is to add an Apache, Nginx or whatever in front of the SQ instance and configure it according to the recommendations in the link you provided and generate a "safe" server certificate.
I fixed it by setting the following property in sonar.properties file.
sonar.web.https.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA
I have set up an Apache Web Server 2.4 to act as a proxy for Apache Tomcat 7, communicating via the AJP protocol (mod_proxy_ajp on the Apache side and an AJP connector on the Tomcat side). Everything works great for basic functionality.
Now, I am looking to set some specific AJP attributes, but can't quite get it to work...
Looking at the mod_proxy_ajp page (http://httpd.apache.org/docs/current/mod/mod_proxy_ajp.html), under the Request Packet Structure section, I see a listing of attributes. These attributes include the likes of remote_user, and ssl_cert (code values 0x03 and 0x07, respectively). There is also an "everything else" attribute called req_attribute with code value 0x0A that can be used to set any arbitrary attribute in an AJP request.
Further, on the same page, under the Environment Variables section, it states the following:
Environment variables whose names have the prefix AJP_ are forwarded to the origin server as AJP request attributes (with the AJP_ prefix removed from the name of the key).
This seems straightforward enough, and indeed, I am easily able to set an arbitrary AJP attribute such as "doug-attribute" by setting an Apache environment variable called "AJP_doug-attribute", and assigning a relevant value. After doing such, I can analyze the traffic using Wireshark, and see the "doug-attribute" field show up in the dissected AJP block, prefixed with a hex value of 0x0A (the "req_attribute" type listed above). So far so good.
Now I want to try to set the ssl_cert attribute. In the same fashion, I set an environment variable called "AJP_ssl_cert". Doing so, it does show up in Wireshark, but with prefix code "0x0A". Further, my Java application that wants to read the "javax.servlet.request.x509certificate" does not find the certificate.
However, I also notice some other attributes in the Wireshark capture that are listed on the website, like ssl_cipher and ssl_key_size. But in the capture, they show up as "SSL-Cipher" and "SSL-Key-Size" (and have the appropriate "0x08" and "0x0B" prefix codes). So, I try setting the cert attribute again, this time as "SSL-Cert", but I get the same results as before.
To compare, I altered the Apache configuration to require client certificates, and then provided one in the browser when visiting the associated web page. At this point, I look at the Wireshark capture, and sure enough, there is now an attribute named "SSL-Cert", with code "0x07", and my web application in Tomcat is successfully able to find the certificate.
Is there any way that I can manually set the attributes listed on the mod_proxy_ajp page, or does the module handle them differently from other arbitrary request attributes (like "doug-attribute")? I feel like there must be something I am missing here.
As some background, the reason that I am trying to do this is that I have a configuration with multiple Apache web servers proxying each other, and then at the end, an Apache web server proxying to a Tomcat instance via AJP. All the Apache web servers use SSL and require client certificates. With just one Apache server, Tomcat can receive the user's certificate just fine without any special configuration on my part. However, with multiple, it ultimately receives the server certificate of the previous Apache proxy (set on that machine using the SSLProxyMachineCertificateFile directive).
What I am hoping to do is place the original user's certificate into the headers of the intermediate proxied requests, and then manually set that certificate in the AJP attributes at the back end so that the web application in Tomcat can read the certificate and use it to perform its authorization stuff (this part is already set in stone, otherwise I would just add the certificate as a header and make the Java app read the header).
EDIT: of course, if there is an easier way to accomplish passing the user's certificate through the proxy chain, I'd be more than happy to hear it! :)
I'm looking for a mod_auth_tkt for Nginx? I have multiple applications using auth_tkt compatible cookies and would like to have SSO. I don't want to use apache2 mod_auth_tkt, since I have nginx already running. Is there a auth_tkt compatible module for nginx?
I came across this challenge today (multi-domain SSO using Nginx), so I suppose an answer is better late than never.
I was coming from having used auth_tkt with Apache2.
Ultimately I ended up with an implementation of Pubcookie, for which somebody wrote and documented an Nginx module.
The setup is very similar:
A CGI script intercepts the request and performs login procedure for the user using whatever mechanism is configured
Upon successful authentication:
a. A cookie is set on the enterprise_domain
b. User is redirected to the originally requested resources
Some warning though, I had to hack the source a fair bit for pubcookie and the nginx module to get it to work with non-SSL sites - it seems to have been written with SSL as a fixed assumption.