diff --git a/README.md b/README.md index 523d7dc..859213d 100644 --- a/README.md +++ b/README.md @@ -6,4 +6,76 @@ > this software only ***ease*** the `sniffing-process` by terminating `TLS` > in a transparent way. -## How to use the software \ No newline at end of file +## How to use the software + +- Have [Firegex](https://github.com/Pwnzer0tt1/firegex) installed on the `vulnbox` (OPTIONAL) +- Copy all keys on `ssl-sniffer/private//[key|cert].pem` +- Copy a template from one of the available templates: + - `grpc`: `cp ssl-sniffer/nginx/grpc/conf.example ssl-sniffer/nginx/grpc/.conf` + - `http`: `cp ssl-sniffer/nginx/http/conf.example ssl-sniffer/nginx/http/.conf` +- Modify the copied template +- Add a rule to hijack the port to the one specified in your conf (OPTIONAL) +- Run `docker compose up -d --build` +- Check that your service is still reachable + +> [!TIP] +> Remember to capture traffic from the `lo` interface, otherwise you won't +> see any benefit in setting such infrastructure + +## Full example + +### Cheesy Cheats-API Template + +```nginx +# CheesyAPI conf + + +# CheesyAPI TLS endpoint +server { + + # Use this to avoid port scanners to know + # what you are using + more_clear_headers Server; + + # Here put the TLS termination + # endpoint port + listen 15555 ssl; + http2 on; + + # Here put the unencrypted + # endpoint port + location / { + grpc_pass grpc://127.0.0.1:15554; + } + + # Put relevant keys here + ssl_certificate /services-keys/CheesyAPI/cert.pem; + ssl_certificate_key /services-keys/CheesyAPI/key.pem; + ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; + + +} + +# Example Termination endpoint +server { + + # Use this to avoid port scanners to know + # what you are using + more_clear_headers Server; + + # Here put the unencrypted + # endpoint port + listen 127.0.0.1:15554; + http2 on; + + # Here put the original + # service endpoint port + location / { + grpc_pass grpcs://127.0.0.1:5555; + } + + +} +``` + +![firegex-example-image](images\firegex-example.png) \ No newline at end of file diff --git a/images/firegex-example.png b/images/firegex-example.png new file mode 100644 index 0000000..eb01122 Binary files /dev/null and b/images/firegex-example.png differ diff --git a/nginx/grpc/conf.example b/nginx/grpc/conf.example index 27f1a5f..2327081 100644 --- a/nginx/grpc/conf.example +++ b/nginx/grpc/conf.example @@ -4,16 +4,22 @@ # Example TLS endpoint server { + # Use this to avoid port scanners to know + # what you are using more_clear_headers Server; + # Here put the TLS termination + # endpoint port listen PORT ssl; http2 on; + # Here put the unencrypted + # endpoint port location / { grpc_pass grpc://127.0.0.1:PORT; } - + # Put relevant keys here ssl_certificate /services-keys/Example/cert.pem; ssl_certificate_key /services-keys/Example/key.pem; ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; @@ -24,12 +30,17 @@ server { # Example Termination endpoint server { + # Use this to avoid port scanners to know + # what you are using more_clear_headers Server; + # Here put the unencrypted + # endpoint port listen 127.0.0.1:PORT; http2 on; - # Here put the service you need + # Here put the original + # service endpoint port location / { grpc_pass grpcs://127.0.0.1:PORT; } diff --git a/nginx/http/conf.example b/nginx/http/conf.example index 0b501dc..e94ae2f 100644 --- a/nginx/http/conf.example +++ b/nginx/http/conf.example @@ -4,31 +4,46 @@ # Example TLS endpoint server { + # Use this to avoid port scanners to know + # what you are using + more_clear_headers Server; + + # Here put the TLS termination + # endpoint port listen PORT ssl; - more_clear_headers Server; + # Uncomment if http2 + # http2 on; + # Here put the unencrypted + # endpoint port location / { proxy_pass http://localhost:8080; } - - + # Put relevant keys here ssl_certificate /services-keys/Example/cert.pem; ssl_certificate_key /services-keys/Example/key.pem; ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; - } # Example Termination endpoint server { + # Use this to avoid port scanners to know + # what you are using more_clear_headers Server; + # Here put the unencrypted + # endpoint port listen 127.0.0.1:8080; - # Here put the service you need + # Uncomment if http2 + # http2 on; + + # Here put the original + # service endpoint port location / { proxy_pass https://127.0.0.1:PORT; }