qsecure-labs / overlord

Overlord - Red Teaming Infrastructure Automation
https://blog.qsecure.com.cy/posts/overlord/
MIT License

Apache HTTPS Redirector instead of socat. #11

Open awakenine opened 3 years ago

awakenine commented 3 years ago

Hello Everyone. Thank you for the awesome project.

I would like to perform an integration with the https://github.com/outflanknl/RedELK project to have log shipping from all the components in one place. I've found that for using HTTPS on the redirector and advanced logging of requests to the redirector, socat is not enough, and I have to use a web server (e.g. Apache) instead of socat.

I've succeeded in running an Apache HTTP proxy instead of socat by changing these lines: https://github.com/qsecure-labs/overlord/blob/960d6425299a6202ae91e476ea0b7d55dcf06c13/redbaron/modules/digitalocean/http-rdir/main.tf#L28-L32

Lines that I added instead:

      "apt-get update",
      "apt-get install -y apache2",
      "a2enmod rewrite proxy proxy_http proxy_connect ssl proxy_html deflate headers",
      "echo \"\" > /etc/apache2/ports.conf",
      "wget https://gist.githubusercontent.com/awakenine/180037cebe2def828eb21546d71126cd/raw/d7aa6d72ef2cf00eaa1b5d7bf2178a8434a8139e/redelk-redir-apache.conf -O /etc/apache2/sites-available/redelk-redir-apache.conf",
      "echo \"export C2_IP=${element(var.redirect_to, count.index)}\" >> /etc/apache2/envvars",
      "echo \"export RDIR_DOMAIN=${digitalocean_droplet.http-rdir[count.index].name}\" >> /etc/apache2/envvars",
      "a2dissite 000-default.conf",
      "a2ensite redelk-redir-apache.conf",
      "systemctl restart apache2",

After that, I've tried to generate an HTTPS certificate and copy it to the redirector machine. First, I've used the letsencrypt module to generate a certificate for the redirector (which was created automatically with the C2). The certificate is generated successfully but was not transferred to the redirector droplet, because it uses https://github.com/qsecure-labs/overlord/blob/960d6425299a6202ae91e476ea0b7d55dcf06c13/redbaron/modules/letsencrypt/digitalocean/create-cert-dns-do/main.tf which does not have a file provisioner. To use the first option, I now have to copy the cert manually to the redirector.

Second, I've tried to generate the certificate directly on the redirector with the following, but the variable with subdomain + domain is not declared for the http-rdir Terraform config. To use the second option, I now have to somehow call the subdomain + domain variable from the http-rdir module.

"certbot --apache --non-interactive --agree-tos --email ${var.email} --domain ${var.domain} --pre-hook 'sudo service apache2 stop' --post-hook 'sudo service apache2 start'", #--dry-run is for staging not production, change this

I would be happy if you could help me with any option to get an HTTPS redirector working on Apache, because it is much more powerful than socat: it allows collecting and saving logs in different formats, using conditional redirects that only fire when traffic matches specific rules, and finally allows setting up the integration with the RedELK tool, which is really powerful if you would like to have all logs and possible events with a full timeline in one place.
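As an added example, not part of the original issue or of the Overlord project, one way to close the two gaps described above in Terraform: a `file` provisioner that pushes the issued certificate and key onto the redirector droplet, and a `domain` variable declared for the http-rdir config so Apache knows the FQDN it serves. The inputs `var.domain`, `var.cert_pem`, `var.key_pem` and `var.ssh_key` are assumptions and would have to be wired to the letsencrypt module's outputs and the existing SSH key used by the other provisioners.

```hcl
# Added example, not Overlord's own code. Assumed inputs: var.domain (the
# subdomain + domain the certificate was issued for), var.cert_pem and
# var.key_pem (PEM contents produced by the letsencrypt module), and
# var.ssh_key (path to the private key the existing provisioners use).
variable "domain" {
  type        = string
  description = "Redirector FQDN the certificate was issued for"
}

resource "null_resource" "http-rdir-tls" {
  # Re-run whenever the droplet is recreated or the certificate is renewed
  triggers = {
    droplet_id = digitalocean_droplet.http-rdir[0].id
    cert_hash  = sha256(var.cert_pem)
  }

  connection {
    type        = "ssh"
    host        = digitalocean_droplet.http-rdir[0].ipv4_address
    user        = "root"
    private_key = file(var.ssh_key)
  }

  # The letsencrypt module has no file provisioner, so the material is
  # copied from the Terraform host here instead of by hand.
  provisioner "file" {
    content     = var.cert_pem
    destination = "/etc/ssl/certs/${var.domain}.pem"
  }

  provisioner "file" {
    content     = var.key_pem
    destination = "/etc/ssl/private/${var.domain}.key"
  }

  provisioner "remote-exec" {
    inline = [
      # Private key must not be world-readable on the redirector
      "chmod 600 /etc/ssl/private/${var.domain}.key",
      # Expose the FQDN to the Apache site config via envvars
      "echo \"export RDIR_DOMAIN=${var.domain}\" >> /etc/apache2/envvars",
      # Validate the config before reloading so a typo does not take the
      # redirector down
      "apachectl configtest",
      "systemctl reload apache2",
    ]
  }
}
```

The Apache site file would then reference `SSLCertificateFile /etc/ssl/certs/${RDIR_DOMAIN}.pem` and the matching key path, which is the only coupling between this resource and the gist-provided config.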

Sikkis commented 3 years ago

Hi awakenine. First of all, thank you for your kind words. I wanted to add Apache HTTP redirection for a long time, but due to my busy schedule I did not come back to the project for a while to add more features; rather, we just try to fix bugs & scripts that were available.

I don't think it could be that hard to implement. Let me think about it over the weekend and come back to you with some solutions.