From b259316fb8798b19c002767a7815eaa882db56e0 Mon Sep 17 00:00:00 2001
From: max-telega
Date: Mon, 9 Feb 2026 16:08:09 +0300
Subject: [PATCH 1/2] docs: add PR template
---
 .github/pull_request_template.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 .github/pull_request_template.md
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 00000000..4a0e1c27
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,16 @@
+## Goal
+
+
+## Changes
+
+
+## Testing
+
+
+## Artifacts & Screenshots
+
+
+## Checklist
+- [ ] Clear title
+- [ ] Docs updated
+- [ ] No secrets in code
From 7df538656d4d54491fdf4f87378a078767134cf5 Mon Sep 17 00:00:00 2001
From: Dart-NEW
Date: Thu, 7 May 2026 09:43:44 +0300
Subject: [PATCH 2/2] docs: add lab11 nginx hardening
---
 labs/lab11/analysis/cert-details.txt | 6 +
 labs/lab11/analysis/docker-compose-ps.txt | 3 +
 labs/lab11/analysis/headers-http.txt | 15 ++
 labs/lab11/analysis/headers-https.txt | 21 ++
 labs/lab11/analysis/http-redirect-status.txt | 1 +
 labs/lab11/analysis/nginx-error-tail.txt | 50 ++++
 labs/lab11/analysis/rate-limit-access-log.txt | 6 +
 labs/lab11/analysis/rate-limit-summary.txt | 2 +
 labs/lab11/analysis/rate-limit-test.txt | 12 +
 labs/lab11/analysis/testssl-clean.txt | 227 ++++++++++++++++++
 labs/lab11/analysis/testssl.txt | 227 ++++++++++++++++++
 labs/lab11/logs/access.log | 21 ++
 labs/lab11/logs/error.log | 55 +++++
 labs/lab11/reverse-proxy/certs/.gitignore | 3 +
 labs/submission11.md | 165 +++++++++++++
 15 files changed, 814 insertions(+)
 create mode 100644 labs/lab11/analysis/cert-details.txt
 create mode 100644 labs/lab11/analysis/docker-compose-ps.txt
 create mode 100644 labs/lab11/analysis/headers-http.txt
 create mode 100644 labs/lab11/analysis/headers-https.txt
 create mode 100644 labs/lab11/analysis/http-redirect-status.txt
 create mode 100644 labs/lab11/analysis/nginx-error-tail.txt
 create mode 100644 labs/lab11/analysis/rate-limit-access-log.txt
 create mode 100644 labs/lab11/analysis/rate-limit-summary.txt
 create mode 100644 labs/lab11/analysis/rate-limit-test.txt
 create mode 100644 labs/lab11/analysis/testssl-clean.txt
 create mode 100644 labs/lab11/analysis/testssl.txt
 create mode 100644 labs/lab11/logs/access.log
 create mode 100644 labs/lab11/logs/error.log
 create mode 100644 labs/lab11/reverse-proxy/certs/.gitignore
 create mode 100644 labs/submission11.md
diff --git a/labs/lab11/analysis/cert-details.txt b/labs/lab11/analysis/cert-details.txt
new file mode 100644
index 00000000..9d35ccd7
--- /dev/null
+++ b/labs/lab11/analysis/cert-details.txt
@@ -0,0 +1,6 @@
+subject=CN = localhost
+issuer=CN = localhost
+notBefore=May 7 06:38:43 2026 GMT
+notAfter=May 7 06:38:43 2027 GMT
+X509v3 Subject Alternative Name:
+ DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
diff --git a/labs/lab11/analysis/docker-compose-ps.txt b/labs/lab11/analysis/docker-compose-ps.txt
new file mode 100644
index 00000000..213345e8
--- /dev/null
+++ b/labs/lab11/analysis/docker-compose-ps.txt
@@ -0,0 +1,3 @@
+NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS
+lab11-juice-1 bkimminich/juice-shop:v19.0.0 "/nodejs/bin/node /j…" juice 9 seconds ago Up 9 seconds 3000/tcp
+lab11-nginx-1 nginx:stable-alpine "/docker-entrypoint.…" nginx 9 seconds ago Up 9 seconds 0.0.0.0:8080->8080/tcp, [::]:8080->8080/tcp, 80/tcp, 0.0.0.0:8443->8443/tcp, [::]:8443->8443/tcp
diff --git a/labs/lab11/analysis/headers-http.txt b/labs/lab11/analysis/headers-http.txt
new file mode 100644
index 00000000..3cce2c8e
--- /dev/null
+++ b/labs/lab11/analysis/headers-http.txt
@@ -0,0 +1,15 @@
+HTTP/1.1 308 Permanent Redirect
+Server: nginx
+Date: Thu, 07 May 2026 06:39:14 GMT
+Content-Type: text/html
+Content-Length: 164
+Connection: keep-alive
+Location: https://localhost:8443/
+X-Frame-Options: DENY
+X-Content-Type-Options: nosniff
+Referrer-Policy: strict-origin-when-cross-origin
+Permissions-Policy: camera=(), geolocation=(), microphone=()
+Cross-Origin-Opener-Policy: same-origin
+Cross-Origin-Resource-Policy: same-origin
+Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'
+
diff --git a/labs/lab11/analysis/headers-https.txt b/labs/lab11/analysis/headers-https.txt
new file mode 100644
index 00000000..7ad3bf05
--- /dev/null
+++ b/labs/lab11/analysis/headers-https.txt
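Review bot: In the `docker-compose-ps.txt` hunk the `lab11-nginx-1` PORTS column shows 8080 and 8443 published on `0.0.0.0` and `[::]`, so the proxy — and behind it an intentionally vulnerable Juice Shop — is reachable from every interface of the host rather than loopback only, while the self-signed `CN=localhost` certificate from `cert-details.txt` will not match any address other machines would use. For a lab the safer default is to publish on loopback, e.g. `"127.0.0.1:8443:8443"` and `"127.0.0.1:8080:8080"` in the compose `ports:` list, and to state that choice in the submission. The juice service exposing only `3000/tcp` without a host mapping is the right shape and deserves a sentence of credit in the write-up; the unpublished `80/tcp` on the nginx container is presumably the base image's default EXPOSE and is harmless, but worth noting so a reader does not mistake it for a plaintext listener. The compose file itself is not in this diff, so all of this is inferred from the `ps` output alone.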
@@ -0,0 +1,21 @@
+HTTP/2 200
+server: nginx
+date: Thu, 07 May 2026 06:39:14 GMT
+content-type: text/html; charset=UTF-8
+content-length: 75002
+feature-policy: payment 'self'
+x-recruiting: /#/jobs
+accept-ranges: bytes
+cache-control: public, max-age=0
+last-modified: Thu, 07 May 2026 06:39:08 GMT
+etag: W/"124fa-19e01295da7"
+vary: Accept-Encoding
+strict-transport-security: max-age=31536000; includeSubDomains; preload
+x-frame-options: DENY
+x-content-type-options: nosniff
+referrer-policy: strict-origin-when-cross-origin
+permissions-policy: camera=(), geolocation=(), microphone=()
+cross-origin-opener-policy: same-origin
+cross-origin-resource-policy: same-origin
+content-security-policy-report-only: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'
+
diff --git a/labs/lab11/analysis/http-redirect-status.txt b/labs/lab11/analysis/http-redirect-status.txt
new file mode 100644
index 00000000..090193fb
--- /dev/null
+++ b/labs/lab11/analysis/http-redirect-status.txt
@@ -0,0 +1 @@
+HTTP 308
diff --git a/labs/lab11/analysis/nginx-error-tail.txt b/labs/lab11/analysis/nginx-error-tail.txt
new file mode 100644
index 00000000..56b6f407
--- /dev/null
+++ b/labs/lab11/analysis/nginx-error-tail.txt
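Review bot: The `content-security-policy-report-only` header in the `headers-https.txt` hunk carries no `report-uri` or `report-to` directive, so as captured it neither blocks anything nor reports anything — together with `'unsafe-inline' 'unsafe-eval'` in `script-src` it is effectively inert, and the submission should say whether this is a deliberate compatibility stage for Juice Shop. If the intent is to observe before enforcing, add a reporting endpoint via `report-uri` or `report-to` so violations are actually collected, and document the plan for moving to an enforcing `Content-Security-Policy`. Two headers here appear to come from the upstream app rather than the proxy — `feature-policy: payment 'self'` (the deprecated predecessor of `permissions-policy`) and `x-recruiting` — and are worth labelling as such so the proxy's own hardening is neither over- nor under-credited. `strict-transport-security` with `preload` on a self-signed localhost host is harmless here, but the write-up should flag that `preload` is a one-way commitment on a real domain.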
@@ -0,0 +1,50 @@
+2026/05/07 06:39:35 [crit] 31#31: *50 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:39:36 [crit] 31#31: *51 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:39:36 [crit] 31#31: *52 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:39:37 [crit] 33#33: *53 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:39:37 [crit] 33#33: *55 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:39:38 [crit] 33#33: *56 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:39:39 [crit] 33#33: *60 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:39:39 [crit] 33#33: *61 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:39:40 [crit] 33#33: *62 SSL_do_handshake() failed (SSL: error:0A00010B:SSL 
routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:39:41 [crit] 32#32: *69 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:39:41 [crit] 32#32: *70 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:39:41 [crit] 32#32: *71 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:39:42 [crit] 32#32: *74 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:39:43 [crit] 32#32: *75 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:39:44 [crit] 32#32: *78 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:39:45 [crit] 32#32: *79 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:39:46 [crit] 32#32: *80 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, 
client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:39:51 [crit] 34#34: *95 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:39:54 [crit] 35#35: *101 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:39:56 [crit] 35#35: *108 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:08 [crit] 36#36: *133 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:08 [crit] 36#36: *134 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:09 [crit] 36#36: *135 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:09 [crit] 37#37: *136 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:10 [crit] 37#37: *137 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:10 [crit] 37#37: *138 SSL_do_handshake() 
failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:11 [crit] 37#37: *139 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:11 [crit] 37#37: *140 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:11 [crit] 37#37: *141 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:14 [crit] 37#37: *148 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:15 [crit] 37#37: *149 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:15 [crit] 37#37: *150 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:16 [crit] 37#37: *151 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:16 [crit] 38#38: *152 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record 
layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:17 [crit] 38#38: *154 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:17 [crit] 38#38: *155 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:18 [crit] 38#38: *156 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:18 [crit] 38#38: *157 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:19 [crit] 38#38: *158 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:19 [crit] 38#38: *159 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:20 [crit] 38#38: *161 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:21 [crit] 38#38: *162 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:21 
[crit] 38#38: *163 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:22 [crit] 38#38: *165 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443
+2026/05/07 06:40:34 [warn] 39#39: *181 limiting requests, excess: 5.983 by zone "login", client: 172.18.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443"
+2026/05/07 06:40:34 [warn] 39#39: *182 limiting requests, excess: 5.982 by zone "login", client: 172.18.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443"
+2026/05/07 06:40:34 [warn] 39#39: *183 limiting requests, excess: 5.980 by zone "login", client: 172.18.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443"
+2026/05/07 06:40:34 [warn] 39#39: *184 limiting requests, excess: 5.978 by zone "login", client: 172.18.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443"
+2026/05/07 06:40:34 [warn] 39#39: *185 limiting requests, excess: 5.977 by zone "login", client: 172.18.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443"
+2026/05/07 06:40:34 [warn] 39#39: *186 limiting requests, excess: 5.975 by zone "login", client: 172.18.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443"
diff --git a/labs/lab11/analysis/rate-limit-access-log.txt b/labs/lab11/analysis/rate-limit-access-log.txt
new file mode 100644
index 00000000..31ccb242
--- /dev/null
+++ b/labs/lab11/analysis/rate-limit-access-log.txt
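Review bot: All 44 `[crit] SSL_do_handshake() failed ... wrong version number` entries in `nginx-error-tail.txt` fall between 06:39:35 and 06:40:22, which is inside the testssl.sh window recorded in `testssl-clean.txt` (Start 06:39:27, Done 06:40:22), so they are most plausibly the scanner's protocol probes against port 8443 rather than a TLS misconfiguration; the file should say so, otherwise a reader will take `[crit]` at face value. A one-line header in the analysis file such as `# [crit] handshake failures below coincide with the testssl.sh scan (06:39:27-06:40:22); the [warn] "limiting requests" lines are the rate-limit evidence` would carry that context. Separately, every entry shows `client: 172.18.0.1`, which looks like the Docker bridge gateway rather than a real source address; if the `login` limit zone is keyed on the client address, all external clients behind that NAT would share one bucket — worth confirming with a request from a non-loopback source and documenting in the submission. The full `labs/lab11/logs/error.log` added by the same commit is outside this chunk, so the count above covers only this excerpt.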
@@ -0,0 +1,6 @@
+172.18.0.1 - - [07/May/2026:06:40:34 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.5.0" rt=0.000 uct=- urt=-
+172.18.0.1 - - [07/May/2026:06:40:34 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.5.0" rt=0.000 uct=- urt=-
+172.18.0.1 - - [07/May/2026:06:40:34 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.5.0" rt=0.000 uct=- urt=-
+172.18.0.1 - - [07/May/2026:06:40:34 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.5.0" rt=0.000 uct=- urt=-
+172.18.0.1 - - [07/May/2026:06:40:34 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.5.0" rt=0.000 uct=- urt=-
+172.18.0.1 - - [07/May/2026:06:40:34 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.5.0" rt=0.000 uct=- urt=-
diff --git a/labs/lab11/analysis/rate-limit-summary.txt b/labs/lab11/analysis/rate-limit-summary.txt
new file mode 100644
index 00000000..d9afd5c6
--- /dev/null
+++ b/labs/lab11/analysis/rate-limit-summary.txt
@@ -0,0 +1,2 @@
+401 6
+429 6
diff --git a/labs/lab11/analysis/rate-limit-test.txt b/labs/lab11/analysis/rate-limit-test.txt
new file mode 100644
index 00000000..aec8f668
--- /dev/null
+++ b/labs/lab11/analysis/rate-limit-test.txt
@@ -0,0 +1,12 @@
+401
+401
+401
+401
+401
+401
+429
+429
+429
+429
+429
+429
diff --git a/labs/lab11/analysis/testssl-clean.txt b/labs/lab11/analysis/testssl-clean.txt
new file mode 100644
index 00000000..6ca2b859
--- /dev/null
+++ b/labs/lab11/analysis/testssl-clean.txt
@@ -0,0 +1,227 @@ + +##################################################################### + testssl.sh version 3.2.3 from https://testssl.sh/ + + This program is free software. Distribution and modification under + GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! + + Please file bugs @ https://testssl.sh/bugs/ +##################################################################### + + Using OpenSSL 1.0.2-bad (Mar 28 2025) [~183 ciphers] + on McLaren:/home/testssl/bin/openssl.Linux.x86_64 + + Start 2026-05-07 06:39:27 -->> 127.0.0.1:8443 (localhost) <<-- + + A record via: /etc/hosts + rDNS (127.0.0.1): localhost. + Service detected: HTTP + + Testing protocols via sockets except NPN+ALPN + + SSLv2 not offered (OK) + SSLv3 not offered (OK) + TLS 1 not offered + TLS 1.1 not offered + TLS 1.2 offered (OK) + TLS 1.3 offered (OK): final + NPN/SPDY not offered + ALPN/HTTP2 h2, http/1.1 (offered) + + Testing cipher categories + + NULL ciphers (no encryption) not offered (OK) + Anonymous NULL Ciphers (no authentication) not offered (OK) + Export ciphers (w/o ADH+NULL) not offered (OK) + LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK) + Triple DES Ciphers / IDEA not offered + Obsoleted CBC ciphers (AES, ARIA etc.) not offered + Strong encryption (AEAD ciphers) with no FS not offered + Forward Secrecy strong encryption (AEAD ciphers) offered (OK) + + + Testing server's cipher preferences + +Hexcode Cipher Suite Name (OpenSSL) KeyExch. 
Encryption Bits Cipher Suite Name (IANA/RFC) +----------------------------------------------------------------------------------------------------------------------------- +SSLv2 + - +SSLv3 + - +TLSv1 + - +TLSv1.1 + - +TLSv1.2 (server order) + xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 +TLSv1.3 (server order) + x1302 TLS_AES_256_GCM_SHA384 ECDH/MLKEM AESGCM 256 TLS_AES_256_GCM_SHA384 + x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH/MLKEM ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 + x1301 TLS_AES_128_GCM_SHA256 ECDH/MLKEM AESGCM 128 TLS_AES_128_GCM_SHA256 + + Has server cipher order? yes (OK) -- TLS 1.3 and below + + + Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4 + + FS is offered (OK) TLS_AES_256_GCM_SHA384 + TLS_CHACHA20_POLY1305_SHA256 + ECDHE-RSA-AES256-GCM-SHA384 + TLS_AES_128_GCM_SHA256 + ECDHE-RSA-AES128-GCM-SHA256 + KEMs offered X25519MLKEM768 + Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 X448 + Finite field group: ffdhe2048 ffdhe3072 + TLS 1.2 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 + RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 + RSA+SHA512 RSA+SHA224 + TLS 1.3 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 + RSA-PSS-RSAE+SHA512 + + Testing server defaults (Server Hello) + + TLS extensions (standard) "server name/#0" "max fragment length/#1" + "supported_groups/#10" "EC point formats/#11" + "application layer protocol negotiation/#16" + "extended master secret/#23" "session ticket/#35" + "supported versions/#43" "key share/#51" + "renegotiation info/#65281" + Session Ticket RFC 5077 hint 600 seconds, session tickets keys seems to be rotated < daily + SSL Session ID support yes + Session Resumption Tickets: yes, ID: yes + TLS clock skew Random values, no fingerprinting possible + Certificate Compression none + Client Authentication none 
+ Signature Algorithm SHA256 with RSA + Server key size RSA 2048 bits (exponent is 65537) + Server key usage -- + Server extended key usage -- + Serial 32F848D7041002BE265AF13A055CA5C7073A4E54 (OK: length 20) + Fingerprints SHA1 9A4E45871487D4853744D2CA17607B38F95DED40 + SHA256 A1F6715E4A02FA17867ED74810352C55C2F7BD751C58579242B79EAEF2B270F9 + Common Name (CN) localhost + subjectAltName (SAN) localhost 127.0.0.1 0:0:0:0:0:0:0:1 + Trust (hostname) Ok via SAN and CN (same w/o SNI) + Chain of trust NOT ok (self signed) + EV cert (experimental) no + Certificate Validity (UTC) 364 >= 60 days (2026-05-07 06:38 --> 2027-05-07 06:38) + ETS/"eTLS", visibility info not present + Certificate Revocation List -- + OCSP URI -- + NOT ok -- neither CRL nor OCSP URI provided + OCSP stapling not offered + OCSP must staple extension -- + DNS CAA RR (experimental) not offered + Certificate Transparency -- + Certificates provided 1 + Issuer localhost + Intermediate Bad OCSP (exp.) Ok + + + Testing HTTP header response @ "/" + + HTTP Status Code 200 OK + HTTP clock skew 0 sec from localtime + Strict Transport Security 365 days=31536000 s, includeSubDomains, preload + Public Key Pinning -- + Server banner nginx + Application banner -- + Cookie(s) (none issued at "/") + Security headers X-Frame-Options: DENY + X-Content-Type-Options: nosniff + Content-Security-Policy-Report-Only: default-src + 'self'; img-src 'self' data:; script-src 'self' + 'unsafe-inline' 'unsafe-eval'; style-src 'self' + 'unsafe-inline' + Permissions-Policy: camera=(), geolocation=(), + microphone=() + Cross-Origin-Opener-Policy: same-origin + Cross-Origin-Resource-Policy: same-origin + Permissions-Policy: camera=(), geolocation=(), + microphone=() + Referrer-Policy: strict-origin-when-cross-origin + Cache-Control: public, max-age=0 + Reverse Proxy banner -- + + + Testing vulnerabilities + + Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension + CCS (CVE-2014-0224) not vulnerable (OK) + Ticketbleed 
(CVE-2016-9244), experiment. not vulnerable (OK) + ROBOT Server does not support any cipher suites that use RSA key transport + Secure Renegotiation (RFC 5746) supported (OK) + Secure Client-Initiated Renegotiation not vulnerable (OK) + CRIME, TLS (CVE-2012-4929) not vulnerable (OK) + BREACH (CVE-2013-3587) no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested + POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support + TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered + SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK) + FREAK (CVE-2015-0204) not vulnerable (OK) + DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) + make sure you don't use this certificate elsewhere with SSLv2 enabled services, see + https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=A1F6715E4A02FA17867ED74810352C55C2F7BD751C58579242B79EAEF2B270F9 + LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 + BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1 + LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK) + Winshock (CVE-2014-6321), experimental not vulnerable (OK) + RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) + + + Running client simulations (HTTP) via sockets + + Browser Protocol Cipher Suite Name (OpenSSL) Forward Secrecy +------------------------------------------------------------------------------------------------ + Android 7.0 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 253 bit ECDH (X25519) + Android 9.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Android 10.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Android 11/12 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Android 13/14 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH 
(X25519) + Android 15 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768 + Chrome 101 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Chromium 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768 + Firefox 100 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Firefox 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768 + IE 8 Win 7 No connection + IE 11 Win 7 No connection + IE 11 Win 8.1 No connection + IE 11 Win Phone 8.1 No connection + IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 253 bit ECDH (X25519) + Edge 101 Win 10 21H2 TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Edge 133 Win 11 23H2 TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768 + Safari 18.4 (iOS 18.4) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Safari 15.4 (macOS 12.3.1) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Safari 18.4 (macOS 15.4) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Java 7u25 No connection + Java 8u442 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 256 bit ECDH (P-256) + Java 17.0.3 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Java 21.0.6 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + go 1.17.8 TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + LibreSSL 3.3.6 (macOS) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + OpenSSL 3.0.15 (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + OpenSSL 3.5.0 (git) TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768 + Apple Mail (16.0) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + Thunderbird (91.9) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + + + Rating (experimental) + + Rating specs (not 
complete) SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16) + Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide + Protocol Support (weighted) 0 (0) + Key Exchange (weighted) 0 (0) + Cipher Strength (weighted) 0 (0) + Final Score 0 + Overall Grade T + Grade cap reasons Grade capped to T. Issues with chain of trust + (self signed) + + Done 2026-05-07 06:40:22 [ 57s] -->> 127.0.0.1:8443 (localhost) <<-- + + diff --git a/labs/lab11/analysis/testssl.txt b/labs/lab11/analysis/testssl.txt new file mode 100644 index 00000000..08ce51f2 --- /dev/null +++ b/labs/lab11/analysis/testssl.txt 
@@ -0,0 +1,227 @@ + +##################################################################### + testssl.sh version 3.2.3 from https://testssl.sh/ + + This program is free software. Distribution and modification under + GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! + + Please file bugs @ https://testssl.sh/bugs/ +##################################################################### + + Using OpenSSL 1.0.2-bad (Mar 28 2025) [~183 ciphers] + on McLaren:/home/testssl/bin/openssl.Linux.x86_64 + + Start 2026-05-07 06:39:27 -->> 127.0.0.1:8443 (localhost) <<-- + + A record via: /etc/hosts + rDNS (127.0.0.1): localhost. + Service detected: HTTP + + Testing protocols via sockets except NPN+ALPN  + + SSLv2 not offered (OK) + SSLv3 not offered (OK) + TLS 1 not offered + TLS 1.1 not offered + TLS 1.2 offered (OK) + TLS 1.3 offered (OK): final + NPN/SPDY not offered + ALPN/HTTP2 h2, http/1.1 (offered) + + Testing cipher categories  + + NULL ciphers (no encryption) not offered (OK) + Anonymous NULL Ciphers (no authentication) not offered (OK) + Export ciphers (w/o ADH+NULL) not offered (OK) + LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK) + Triple DES Ciphers / IDEA not offered + Obsoleted CBC ciphers (AES, ARIA etc.) not offered + Strong encryption (AEAD ciphers) with no FS not offered + Forward Secrecy strong encryption (AEAD ciphers) offered (OK) + + + Testing server's cipher preferences  + +Hexcode Cipher Suite Name (OpenSSL) KeyExch. 
Encryption Bits Cipher Suite Name (IANA/RFC) +----------------------------------------------------------------------------------------------------------------------------- +SSLv2 + - +SSLv3 + - +TLSv1 + - +TLSv1.1 + - +TLSv1.2 (server order) + xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 +TLSv1.3 (server order) + x1302 TLS_AES_256_GCM_SHA384 ECDH/MLKEM AESGCM 256 TLS_AES_256_GCM_SHA384 + x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH/MLKEM ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 + x1301 TLS_AES_128_GCM_SHA256 ECDH/MLKEM AESGCM 128 TLS_AES_128_GCM_SHA256 + + Has server cipher order? yes (OK) -- TLS 1.3 and below + + + Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4  + + FS is offered (OK)  TLS_AES_256_GCM_SHA384 + TLS_CHACHA20_POLY1305_SHA256 + ECDHE-RSA-AES256-GCM-SHA384 + TLS_AES_128_GCM_SHA256 + ECDHE-RSA-AES128-GCM-SHA256 + KEMs offered X25519MLKEM768 + Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 X448 + Finite field group: ffdhe2048 ffdhe3072 + TLS 1.2 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 + RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 + RSA+SHA512 RSA+SHA224 + TLS 1.3 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 + RSA-PSS-RSAE+SHA512 + + Testing server defaults (Server Hello)  + + TLS extensions (standard) "server name/#0" "max fragment length/#1" + "supported_groups/#10" "EC point formats/#11" + "application layer protocol negotiation/#16" + "extended master secret/#23" "session ticket/#35" + "supported versions/#43" "key share/#51" + "renegotiation info/#65281" + Session Ticket RFC 5077 hint 600 seconds, session tickets keys seems to be rotated < daily + SSL Session ID support yes + Session Resumption Tickets: yes, ID: yes + TLS clock skew Random values, no fingerprinting possible + Certificate Compression none + Client Authentication 
none + Signature Algorithm SHA256 with RSA + Server key size RSA 2048 bits (exponent is 65537) + Server key usage -- + Server extended key usage -- + Serial 32F848D7041002BE265AF13A055CA5C7073A4E54 (OK: length 20) + Fingerprints SHA1 9A4E45871487D4853744D2CA17607B38F95DED40 + SHA256 A1F6715E4A02FA17867ED74810352C55C2F7BD751C58579242B79EAEF2B270F9 + Common Name (CN) localhost  + subjectAltName (SAN) localhost 127.0.0.1 0:0:0:0:0:0:0:1  + Trust (hostname) Ok via SAN and CN (same w/o SNI) + Chain of trust NOT ok (self signed) + EV cert (experimental) no + Certificate Validity (UTC) 364 >= 60 days (2026-05-07 06:38 --> 2027-05-07 06:38) + ETS/"eTLS", visibility info not present + Certificate Revocation List -- + OCSP URI -- + NOT ok -- neither CRL nor OCSP URI provided + OCSP stapling not offered + OCSP must staple extension -- + DNS CAA RR (experimental) not offered + Certificate Transparency -- + Certificates provided 1 + Issuer localhost + Intermediate Bad OCSP (exp.) Ok + + + Testing HTTP header response @ "/"  + + HTTP Status Code  200 OK + HTTP clock skew 0 sec from localtime + Strict Transport Security 365 days=31536000 s, includeSubDomains, preload + Public Key Pinning -- + Server banner nginx + Application banner -- + Cookie(s) (none issued at "/") + Security headers X-Frame-Options: DENY + X-Content-Type-Options: nosniff + Content-Security-Policy-Report-Only: default-src + 'self'; img-src 'self' data:; script-src 'self' + 'unsafe-inline' 'unsafe-eval'; style-src 'self' + 'unsafe-inline' + Permissions-Policy: camera=(), geolocation=(), + microphone=() + Cross-Origin-Opener-Policy: same-origin + Cross-Origin-Resource-Policy: same-origin + Permissions-Policy: camera=(), geolocation=(), + microphone=() + Referrer-Policy: strict-origin-when-cross-origin + Cache-Control: public, max-age=0 + Reverse Proxy banner -- + + + Testing vulnerabilities  + + Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension + CCS (CVE-2014-0224) not vulnerable (OK) + 
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK) + ROBOT Server does not support any cipher suites that use RSA key transport + Secure Renegotiation (RFC 5746) supported (OK) + Secure Client-Initiated Renegotiation not vulnerable (OK) + CRIME, TLS (CVE-2012-4929) not vulnerable (OK) + BREACH (CVE-2013-3587) no gzip/deflate/compress/br HTTP compression (OK)  - only supplied "/" tested + POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support + TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered + SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK) + FREAK (CVE-2015-0204) not vulnerable (OK) + DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) + make sure you don't use this certificate elsewhere with SSLv2 enabled services, see + https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=A1F6715E4A02FA17867ED74810352C55C2F7BD751C58579242B79EAEF2B270F9 + LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 + BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1 + LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK) + Winshock (CVE-2014-6321), experimental not vulnerable (OK) + RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) + + + Running client simulations (HTTP) via sockets  + + Browser Protocol Cipher Suite Name (OpenSSL) Forward Secrecy +------------------------------------------------------------------------------------------------ + Android 7.0 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 253 bit ECDH (X25519) + Android 9.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Android 10.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Android 11/12 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Android 13/14 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 
253 bit ECDH (X25519) + Android 15 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768 + Chrome 101 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Chromium 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768 + Firefox 100 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Firefox 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768 + IE 8 Win 7 No connection + IE 11 Win 7 No connection + IE 11 Win 8.1 No connection + IE 11 Win Phone 8.1 No connection + IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 253 bit ECDH (X25519) + Edge 101 Win 10 21H2 TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Edge 133 Win 11 23H2 TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768 + Safari 18.4 (iOS 18.4) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Safari 15.4 (macOS 12.3.1) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Safari 18.4 (macOS 15.4) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Java 7u25 No connection + Java 8u442 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 256 bit ECDH (P-256) + Java 17.0.3 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Java 21.0.6 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + go 1.17.8 TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + LibreSSL 3.3.6 (macOS) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + OpenSSL 3.0.15 (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + OpenSSL 3.5.0 (git) TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768 + Apple Mail (16.0) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + Thunderbird (91.9) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + + + Rating (experimental)  + + Rating 
specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16) + Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide + Protocol Support (weighted) 0 (0) + Key Exchange (weighted) 0 (0) + Cipher Strength (weighted) 0 (0) + Final Score 0 + Overall Grade T + Grade cap reasons Grade capped to T. Issues with chain of trust + (self signed) + + Done 2026-05-07 06:40:22 [ 57s] -->> 127.0.0.1:8443 (localhost) <<-- + + diff --git a/labs/lab11/logs/access.log b/labs/lab11/logs/access.log new file mode 100644 index 00000000..e4380994 --- /dev/null +++ b/labs/lab11/logs/access.log 
@@ -0,0 +1,21 @@ +172.18.0.1 - - [07/May/2026:06:39:14 +0000] "GET / HTTP/1.1" 308 164 "-" "curl/8.5.0" rt=0.000 uct=- urt=- +172.18.0.1 - - [07/May/2026:06:39:14 +0000] "HEAD / HTTP/1.1" 308 0 "-" "curl/8.5.0" rt=0.000 uct=- urt=- +172.18.0.1 - - [07/May/2026:06:39:14 +0000] "HEAD / HTTP/2.0" 200 0 "-" "curl/8.5.0" rt=0.010 uct=0.000 urt=0.009 +172.18.0.1 - - [07/May/2026:06:39:27 +0000] "GET / HTTP/1.1" 200 75002 "-" "TLS tester from https://testssl.sh/" rt=0.005 uct=0.000 urt=0.005 +172.18.0.1 - - [07/May/2026:06:39:56 +0000] "GET / HTTP/1.1" 200 75002 "-" "TLS tester from https://testssl.sh/" rt=0.003 uct=0.000 urt=0.002 +172.18.0.1 - - [07/May/2026:06:39:57 +0000] "GET / HTTP/1.1" 200 75002 "-" "TLS tester from https://testssl.sh/" rt=0.002 uct=0.000 urt=0.002 +172.18.0.1 - - [07/May/2026:06:40:03 +0000] "GET / HTTP/1.1" 200 75002 "https://google.com/" "TLS tester from https://testssl.sh/" rt=0.003 uct=0.001 urt=0.003 +172.18.0.1 - - [07/May/2026:06:40:33 +0000] "HEAD / HTTP/1.1" 308 0 "-" "curl/8.5.0" rt=0.000 uct=- urt=- +172.18.0.1 - - [07/May/2026:06:40:33 +0000] "HEAD / HTTP/2.0" 200 0 "-" "curl/8.5.0" rt=0.002 uct=0.000 urt=0.001 +172.18.0.1 - - [07/May/2026:06:40:34 +0000] "POST /rest/user/login HTTP/2.0" 401 26 "-" "curl/8.5.0" rt=0.020 uct=0.001 urt=0.021 +172.18.0.1 - - [07/May/2026:06:40:34 +0000] "POST /rest/user/login HTTP/2.0" 401 26 "-" "curl/8.5.0" rt=0.009 uct=0.001 urt=0.010 +172.18.0.1 - - [07/May/2026:06:40:34 +0000] "POST /rest/user/login HTTP/2.0" 401 26 "-" "curl/8.5.0" rt=0.007 uct=0.001 urt=0.008 +172.18.0.1 - - [07/May/2026:06:40:34 +0000] "POST /rest/user/login HTTP/2.0" 401 26 "-" "curl/8.5.0" rt=0.006 uct=0.001 urt=0.006 +172.18.0.1 - - [07/May/2026:06:40:34 +0000] "POST /rest/user/login HTTP/2.0" 401 26 "-" "curl/8.5.0" rt=0.006 uct=0.001 urt=0.007 +172.18.0.1 - - [07/May/2026:06:40:34 +0000] "POST /rest/user/login HTTP/2.0" 401 26 "-" "curl/8.5.0" rt=0.009 uct=0.000 urt=0.009 +172.18.0.1 - - [07/May/2026:06:40:34 +0000] "POST 
/rest/user/login HTTP/2.0" 429 162 "-" "curl/8.5.0" rt=0.000 uct=- urt=- +172.18.0.1 - - [07/May/2026:06:40:34 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.5.0" rt=0.000 uct=- urt=- +172.18.0.1 - - [07/May/2026:06:40:34 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.5.0" rt=0.000 uct=- urt=- +172.18.0.1 - - [07/May/2026:06:40:34 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.5.0" rt=0.000 uct=- urt=- +172.18.0.1 - - [07/May/2026:06:40:34 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.5.0" rt=0.000 uct=- urt=- +172.18.0.1 - - [07/May/2026:06:40:34 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.5.0" rt=0.000 uct=- urt=- diff --git a/labs/lab11/logs/error.log b/labs/lab11/logs/error.log new file mode 100644 index 00000000..9dd4aef6 --- /dev/null +++ b/labs/lab11/logs/error.log 
@@ -0,0 +1,55 @@ +2026/05/07 06:39:27 [crit] 33#33: *6 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:32 [crit] 31#31: *40 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:33 [crit] 31#31: *41 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:33 [crit] 31#31: *42 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:34 [crit] 31#31: *43 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:35 [crit] 31#31: *50 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:36 [crit] 31#31: *51 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:36 [crit] 31#31: *52 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:37 [crit] 33#33: *53 SSL_do_handshake() failed (SSL: error:0A00010B:SSL 
routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:37 [crit] 33#33: *55 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:38 [crit] 33#33: *56 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:39 [crit] 33#33: *60 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:39 [crit] 33#33: *61 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:40 [crit] 33#33: *62 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:41 [crit] 32#32: *69 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:41 [crit] 32#32: *70 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:41 [crit] 32#32: *71 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, 
client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:42 [crit] 32#32: *74 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:43 [crit] 32#32: *75 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:44 [crit] 32#32: *78 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:45 [crit] 32#32: *79 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:46 [crit] 32#32: *80 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:51 [crit] 34#34: *95 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:54 [crit] 35#35: *101 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:39:56 [crit] 35#35: *108 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:08 [crit] 36#36: *133 SSL_do_handshake() failed 
(SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:08 [crit] 36#36: *134 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:09 [crit] 36#36: *135 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:09 [crit] 37#37: *136 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:10 [crit] 37#37: *137 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:10 [crit] 37#37: *138 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:11 [crit] 37#37: *139 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:11 [crit] 37#37: *140 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:11 [crit] 37#37: *141 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer 
failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:14 [crit] 37#37: *148 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:15 [crit] 37#37: *149 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:15 [crit] 37#37: *150 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:16 [crit] 37#37: *151 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:16 [crit] 38#38: *152 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:17 [crit] 38#38: *154 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:17 [crit] 38#38: *155 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:18 [crit] 38#38: *156 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:18 [crit] 
38#38: *157 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:19 [crit] 38#38: *158 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:19 [crit] 38#38: *159 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:20 [crit] 38#38: *161 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:21 [crit] 38#38: *162 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:21 [crit] 38#38: *163 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:22 [crit] 38#38: *165 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2026/05/07 06:40:34 [warn] 39#39: *181 limiting requests, excess: 5.983 by zone "login", client: 172.18.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443" +2026/05/07 06:40:34 [warn] 39#39: *182 limiting requests, excess: 5.982 by zone "login", client: 172.18.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: 
"localhost:8443"
+2026/05/07 06:40:34 [warn] 39#39: *183 limiting requests, excess: 5.980 by zone "login", client: 172.18.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443"
+2026/05/07 06:40:34 [warn] 39#39: *184 limiting requests, excess: 5.978 by zone "login", client: 172.18.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443"
+2026/05/07 06:40:34 [warn] 39#39: *185 limiting requests, excess: 5.977 by zone "login", client: 172.18.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443"
+2026/05/07 06:40:34 [warn] 39#39: *186 limiting requests, excess: 5.975 by zone "login", client: 172.18.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443"
diff --git a/labs/lab11/reverse-proxy/certs/.gitignore b/labs/lab11/reverse-proxy/certs/.gitignore
new file mode 100644
index 00000000..d662be3f
--- /dev/null
+++ b/labs/lab11/reverse-proxy/certs/.gitignore
@@ -0,0 +1,3 @@
+*.crt
+*.key
+!.gitignore
diff --git a/labs/submission11.md b/labs/submission11.md
new file mode 100644
index 00000000..021ad9e6
--- /dev/null
+++ b/labs/submission11.md
@@ -0,0 +1,165 @@
+# Lab 11 Submission - Reverse Proxy Hardening with Nginx
+
+## Task 1 - Reverse Proxy Compose Setup
+
+Juice Shop was deployed behind an Nginx reverse proxy using `labs/lab11/docker-compose.yml`. Nginx is the only service with host-published ports, while Juice Shop is reachable only on the internal Docker network via `expose: 3000`.
+
+Reverse proxies are valuable security control points because they can terminate TLS, inject security headers, centralize access logging, apply request filtering/rate limiting, and keep application containers off the public host interface. Hiding the direct app port reduces attack surface because scanners and attackers hit the hardened proxy first instead of the raw Node.js application.
+
+Command evidence:
+
+```text
+$ docker compose ps
+NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS
+lab11-juice-1 bkimminich/juice-shop:v19.0.0 "/nodejs/bin/node /j..." juice ... Up ... 3000/tcp
+lab11-nginx-1 nginx:stable-alpine "/docker-entrypoint...." nginx ... Up ... 0.0.0.0:8080->8080/tcp, [::]:8080->8080/tcp, 80/tcp, 0.0.0.0:8443->8443/tcp, [::]:8443->8443/tcp
+```
+
+HTTP redirects to HTTPS as expected:
+
+```text
+HTTP 308
+```
+
+Artifacts:
+
+- `labs/lab11/analysis/docker-compose-ps.txt`
+- `labs/lab11/analysis/http-redirect-status.txt`
+- `labs/lab11/analysis/cert-details.txt`
+
+## Task 2 - Security Headers
+
+Relevant HTTPS response headers from `labs/lab11/analysis/headers-https.txt`:
+
+```text
+strict-transport-security: max-age=31536000; includeSubDomains; preload
+x-frame-options: DENY
+x-content-type-options: nosniff
+referrer-policy: strict-origin-when-cross-origin
+permissions-policy: camera=(), geolocation=(), microphone=()
+cross-origin-opener-policy: same-origin
+cross-origin-resource-policy: same-origin
+content-security-policy-report-only: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'
+```
+
+Header analysis:
+
+- **X-Frame-Options**: `DENY` prevents the application from being embedded in frames, reducing clickjacking risk.
+- **X-Content-Type-Options**: `nosniff` tells browsers not to MIME-sniff responses, reducing script/style execution through content-type confusion.
+- **Strict-Transport-Security (HSTS)**: forces future browser access over HTTPS for one year and includes subdomains; it is configured only on the HTTPS server block.
+- **Referrer-Policy**: `strict-origin-when-cross-origin` limits sensitive URL leakage while preserving useful same-origin referrer behavior.
+- **Permissions-Policy**: disables browser access to camera, geolocation, and microphone for this app surface.
+- **COOP/CORP**: `same-origin` isolation reduces cross-origin data exposure and helps defend against browser side-channel and embedding issues.
+- **CSP-Report-Only**: records likely CSP violations without enforcing blocking. Report-only is appropriate for Juice Shop because a strict CSP could break existing inline scripts/styles during a proxy-only hardening lab.
+
+HSTS was verified as HTTPS-only: `headers-https.txt` contains `strict-transport-security`, while `headers-http.txt` does not.
+
+Artifacts:
+
+- `labs/lab11/analysis/headers-http.txt`
+- `labs/lab11/analysis/headers-https.txt`
+
+## Task 3 - TLS, HSTS, Rate Limiting, and Timeouts
+
+TLS was scanned with `testssl.sh` against `https://localhost:8443`.
+
+TLS protocol support:
+
+```text
+SSLv2 not offered (OK)
+SSLv3 not offered (OK)
+TLS 1 not offered
+TLS 1.1 not offered
+TLS 1.2 offered (OK)
+TLS 1.3 offered (OK): final
+```
+
+Supported cipher suites:
+
+```text
+TLSv1.2:
+ECDHE-RSA-AES256-GCM-SHA384 / TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ECDHE-RSA-AES128-GCM-SHA256 / TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+
+TLSv1.3:
+TLS_AES_256_GCM_SHA384
+TLS_CHACHA20_POLY1305_SHA256
+TLS_AES_128_GCM_SHA256
+```
+
+TLSv1.2+ is required because SSLv2, SSLv3, TLSv1.0, and TLSv1.1 are obsolete and carry known downgrade, cipher, and protocol risks. TLSv1.3 is preferred because it removes legacy cryptography, simplifies negotiation, and improves handshake security/performance.
+
+Notable `testssl.sh` findings:
+
+- Forward secrecy is offered.
+- Heartbleed, CCS, Ticketbleed, ROBOT, CRIME, POODLE, SWEET32, FREAK, DROWN, LOGJAM, BEAST, LUCKY13, Winshock, and RC4 checks were not vulnerable/OK.
+- Expected local-certificate warnings were present: chain of trust is `NOT ok (self signed)`, no CRL/OCSP URI is provided, OCSP stapling is not offered, and CAA is not offered. These are acceptable for a localhost self-signed lab certificate; production should use a trusted CA such as Let's Encrypt and enable OCSP stapling.
+
+Rate limiting was tested against `/rest/user/login` with 12 rapid login attempts:
+
+```text
+401
+401
+401
+401
+401
+401
+429
+429
+429
+429
+429
+429
+```
+
+Summary:
+
+```text
+401 6
+429 6
+```
+
+The initial `401` responses are expected because the credentials are invalid but still allowed through the burst window. The later `429` responses confirm Nginx rate limiting blocked excessive login attempts.
+
+Relevant access log lines:
+
+```text
+172.18.0.1 - - [07/May/2026:06:40:34 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.5.0" rt=0.000 uct=- urt=-
+172.18.0.1 - - [07/May/2026:06:40:34 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.5.0" rt=0.000 uct=- urt=-
+172.18.0.1 - - [07/May/2026:06:40:34 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.5.0" rt=0.000 uct=- urt=-
+```
+
+Rate-limit configuration:
+
+- `limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;`
+- `limit_req zone=login burst=5 nodelay;`
+- `limit_req_status 429;`
+
+The `rate=10r/m` baseline slows brute-force attempts per source IP. `burst=5` allows short legitimate bursts, such as a user retrying credentials or a browser resubmitting quickly, while `nodelay` rejects excess traffic immediately instead of queueing requests. These values are intentionally conservative for a lab; production values should be tuned with traffic baselines and account lockout/step-up authentication behavior.
+
+Timeout configuration and trade-offs:
+
+- `client_body_timeout 10s`: limits slow request-body uploads and helps reduce slowloris-style abuse, but very slow clients may fail on large forms.
+- `client_header_timeout 10s`: limits slow header transmission; good for DoS resistance, but hostile to very poor network conditions.
+- `proxy_read_timeout 30s`: bounds how long Nginx waits for upstream responses; protects worker capacity, but long-running endpoints may need exceptions.
+- `proxy_send_timeout 30s`: bounds upstream send time; prevents stuck upstream communication, but large uploads or slow upstream reads may require tuning.
+- `proxy_connect_timeout 5s`: fails fast when the upstream app is unavailable.
+- `keepalive_timeout 10s` and `send_timeout 10s`: reduce idle connection resource use while preserving normal browser behavior.
+
+Artifacts:
+
+- `labs/lab11/analysis/testssl.txt`
+- `labs/lab11/analysis/testssl-clean.txt`
+- `labs/lab11/analysis/rate-limit-test.txt`
+- `labs/lab11/analysis/rate-limit-summary.txt`
+- `labs/lab11/analysis/rate-limit-access-log.txt`
+- `labs/lab11/analysis/nginx-error-tail.txt`
+- `labs/lab11/logs/access.log`
+- `labs/lab11/logs/error.log`
+
+## Submission Checklist
+
+- [x] Task 1 - Reverse proxy compose setup completed.
+- [x] Task 2 - Security headers verified over HTTP and HTTPS.
+- [x] Task 3 - TLS, HSTS, rate limiting, logs, and timeout trade-offs documented.
+- [x] Local private key was not committed; certificate metadata is captured in `analysis/cert-details.txt`.
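Review bot: The ignore list covers only `*.crt` and `*.key`, so a key or certificate written with another extension — `.pem`, `.csr` or `.pfx`, depending on how the lab's generation step names its output (not shown in this patch) — would still be staged from `certs/`; adding `*.pem` and `*.csr` alongside the two existing patterns closes the common cases. A `.gitignore` is also not a hard control, since `git add -f` bypasses it, so the submission's "private key was not committed" checklist item is better backed by a pre-commit secret scan or a `git log --stat -- labs/lab11/reverse-proxy/certs` check before merge.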
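Review bot: The Task 2 bullet `- **CSP-Report-Only**: records likely CSP violations without enforcing blocking.` overstates what is in place: the quoted `content-security-policy-report-only` value carries no `report-to`/`report-uri` directive, so violations are only surfaced in the browser console and nothing is collected server-side; suggest `- **CSP-Report-Only**: surfaces likely CSP violations in the browser console without enforcing; no reporting endpoint is configured, so add `report-to` before relying on it to discover violations.` Separately, the `testssl.txt` artifact in this same patch lists `Permissions-Policy` twice under "Security headers", which suggests the header is emitted twice (possibly `add_header` at both server and location scope, or the upstream adding its own) while the excerpt here shows it once — worth reconciling in the Task 2 text. The `[crit] SSL_do_handshake() failed ... wrong version number` entries in `logs/error.log` are listed as an artifact but not interpreted; their timestamps (06:39:27–06:40:22) fall inside the testssl run's Start/Done window, so one sentence in Task 3 noting they appear to be scanner protocol probes rather than a misconfiguration would spare a later reader from triaging them as an incident.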