
5 minutes to make your old website support IPv6, HTTPS, HTTP/2, no more

2025-03-29 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article is reproduced from the WeChat official account "Zheng Haishan dump" (ID: zhsdump), author: Zheng Haishan.

My leader asked me to deploy 100 servers a month. I spent one day writing an automation script. Now I am sitting in the office, enjoying the air conditioning, drinking coffee, scrolling Douyin and watching Ansible type the commands for me. Is that inhumane of me? This is how I will spend the next 29 days. Should I tell the leader?

Note: Ansible is not a colleague's English name; it is an automated deployment tool, in the same family as Puppet, Chef, Salt and so on. I will introduce it later if you are interested.

Scope of this repository

Suppose you have an old website http://dog.xmu.edu.cn whose IPv4 address is 1.2.3.4. You provide an Ubuntu 18.04 LTS server with an IPv6 address, clone my code and run one command; it configures HTTPS and HTTP/2 for you. After you have tested that everything works, change DNS so that dog.xmu.edu.cn points to the new server's IPv4 and IPv6 addresses.

The cutover is seamless, clean and well tested. Total time: five minutes.

Concrete steps

● Install Ubuntu 18.04 LTS and configure the IPv6 address.

● Clone the code from https://github.com/haishanzheng/nginx-install/tree/ansible; it will eventually be submitted as a PR to https://github.com/bg6cq/nginx-install.

● cp hosts.template hosts.real, then fill in your server IP address, controller IP, domain name, upstream (original site) IP, etc.

● Run ansible-playbook site.yml -i hosts.real --ask-become-pass; the installation is complete in 5 minutes.

● Run certbot --nginx certonly to obtain a free Let's Encrypt certificate.

● Then run the Ansible playbook again to add HTTPS support. Because the playbook is idempotent, you can run it thousands of times.

● Run a curl test that forces the domain name to resolve to the new IP address, and test over IPv6: curl --resolve dog.xmu.edu.cn:443:2001:da8:e800::42 -I --http2 https://dog.xmu.edu.cn -6 -v

● If curl returns the right result, change the DNS. To be safe, first override the name locally (e.g. in your hosts file) and test in a browser.

● You can consider submitting the website to Zhang Huanjie's test site https://ipv6.ustc.edu.cn/, which should give it more than 100 points.
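As an added example (my own configuration, not the template from either repository), this is the kind of Nginx server block the procedure above ends up with once the certificate exists: dual-stack listeners, a plain-HTTP redirect, HTTP/2 on the TLS listener, and a proxy_pass to the old IPv4 host. The upstream address 1.2.3.4 and the domain are the ones used in the text; the certificate paths are an assumption (certbot's default layout). TLS protocol and cipher settings are left to the HTTPS section below.

```nginx
# Added example: reverse proxy in front of the old IPv4-only site.
# Assumptions: the old site is at 1.2.3.4 and certbot placed the
# certificate under /etc/letsencrypt/live/ (its default layout).

# Plain HTTP on both address families: only redirect to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name dog.xmu.edu.cn;
    return 301 https://$host$request_uri;
}

server {
    # HTTP/2 is negotiated via ALPN on the TLS listener; browsers do not
    # speak h2 in the clear, so it goes on the ssl listeners only.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name dog.xmu.edu.cn;

    ssl_certificate     /etc/letsencrypt/live/dog.xmu.edu.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dog.xmu.edu.cn/privkey.pem;

    location / {
        # Nginx talks HTTP/1.x to the backend regardless of what the
        # client used; 1.1 is needed if you later enable keepalive upstreams.
        proxy_http_version 1.1;
        proxy_pass http://1.2.3.4;

        # Keep the original Host so the old site's virtual hosting still works.
        proxy_set_header Host $host;
        # Tell the old site who the real client is and over what scheme.
        # The backend must be taught to trust these only from this proxy.
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check the syntax with nginx -t, reload, and then run the curl --resolve test from the step list; with -v you should see ALPN select h2 and the status line read HTTP/2 200. The combined listen ... ssl http2 form is the syntax of the Nginx version Ubuntu 18.04 ships; Nginx 1.25.1 and later prefer a separate http2 on; directive, but still accept this one.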

Code

The code is forked from Zhang Huanjie of USTC, https://github.com/bg6cq/nginx-install; the PR has not been submitted yet. Zhang Huanjie's documentation covers Nginx hardening and system configuration tuning, and can be used as a step-by-step manual to understand the specific configuration mechanisms inside; he also provides a shell automation deployment script with fewer dependencies. The ansible directory holds my brainless automated deployment script, which depends on Python3, is repeatable and idempotent, and will be synchronized with Zhang Huanjie's configuration from time to time.

Ansible runs like this:

Take a closer look at the README.md; if someone really uses it, I will consider updating it again, adding GoAccess statistics and so on.

If you ask me what to do, I will tell you to buy application delivery equipment from a big vendor, enable one-click network cut-off, purchase full maintenance services, receive regular updates and threat intelligence from the vendor, and when a security problem eventually occurs, shift the blame onto the equipment and the vendor, so that you do not regret your stinginess and unprofessionalism for the rest of your life.

Why? Take my repo as an example. If you really replace your school's website with it, then this server must comply with MLPS Level 3 (等保三级): you need anti-virus, malicious code detection, integrity checking, monitoring, resource limits and auditing; your logs must be kept off-host for 3 months; you must keep applying security patches to close CVEs; and when a new Nginx version is released you must read the changelog and turn off unnecessary features. To avoid a single point of failure you need 2 reverse proxies made highly available with Keepalived. For analysis you also need to process the logs.

I can change the code for you to finish in 10 minutes, but have you audited my code yourself? Do I know all the pitfalls? Could I secretly insert some code that takes control of your whole site? For example, to renew the free HTTPS certificate you download a .sh file onto the reverse proxy and run it. Is that safe? If I wanted to isolate this risk, I would use an immutable server, deploy it fresh every 3 months, use the DNS challenge, scp the certificate to the reverse proxy once it is obtained, and destroy that server. Or why not just spend a few thousand yuan on a higher-grade EV certificate valid for a year?

Even if you trust me, I am not impregnable. What if I get hacked?

So unless you are confident enough, I do not recommend it. Of course, Zhang Huanjie's and my documents and repos are not useless; at the very least you can use them to demystify what goes on behind a reverse proxy.

After pouring cold water, let's continue with the other pitfalls. The writing is rather scattered; I write wherever I feel like, and will try to finish this series.

Deploying a reverse proxy is not non-invasive

IP address passing

Deploying a reverse proxy requires changes on the application side. Because of how a reverse proxy works, your application cannot see the real client IP address, so the proxy usually passes it in headers such as X-Forwarded-For and X-Real-IP. Because these are request headers, you must deal with forgery.

Reverse proxies are sometimes chained, so each proxy must know its own position in the chain: when to reset the X-Forwarded-For and X-Real-IP fields, and when to trust the fields sent by the proxy in front of it. On the application side, the mechanism for obtaining the client IP must change to accept only headers sent by trusted proxies. At the end of last year I wrote up a case where an application was tricked into bypassing IP-address-based authorization by a forged X-Forwarded-For header.

The application's web server log configuration must also be modified, otherwise you only get the reverse proxy's address. Some X-Forwarded-For configurations found online are wrong: some simply replace %h with X-Forwarded-For, for example changing

LogFormat "%h %l %u %t \"%r\" %>s %b" common

to

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common

But this does not solve the problem of forged X-Forwarded-For (the logged value is whatever the client chose to send), so for the convenience of statistical analysis I do not recommend changing the log format in place; instead generate 2 logs, one with %h and one with %{X-Forwarded-For}i, and analyze them separately. (On Apache the supported way to derive a trustworthy client address is mod_remoteip with RemoteIPHeader and RemoteIPTrustedProxy, logging %a for the derived client and %{c}a for the underlying peer.)

And if you have configured fail2ban, security software and the like on the system to block by IP, those must be adjusted accordingly, or they will ban the reverse proxy itself.
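If the machine behind the proxy is itself Nginx, or you chain two proxies, the realip module is how Nginx decides whom to trust in the X-Forwarded-For chain. This is an added example of my own, not configuration from either repository; the trusted front proxy address 2001:db8::1 is a documentation-range placeholder, and the log paths and document root are assumptions.

```nginx
# Added example: the receiving side of the X-Forwarded-For chain.
# Assumption: the only trusted front proxy is 2001:db8::1 (placeholder).

http {
    # Only rewrite the client address when the TCP peer is a trusted proxy;
    # a header arriving directly from an untrusted peer is ignored.
    set_real_ip_from 2001:db8::1;
    real_ip_header   X-Forwarded-For;
    # Walk X-Forwarded-For from the right, skipping trusted addresses, and
    # stop at the first untrusted one; anything the client forged further
    # left is never used.
    real_ip_recursive on;

    # Two logs, as suggested above: the address of the TCP peer versus the
    # address derived from (and the raw value of) X-Forwarded-For.
    log_format peer '$realip_remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent';
    log_format xff  '$remote_addr xff="$http_x_forwarded_for" - $remote_user '
                    '[$time_local] "$request" $status $body_bytes_sent';

    server {
        listen 80;
        listen [::]:80;
        server_name dog.xmu.edu.cn;

        access_log /var/log/nginx/peer.log peer;
        access_log /var/log/nginx/xff.log  xff;

        # $remote_addr is now the trusted client address, so allow/deny
        # rules and fail2ban-style filters on xff.log see the real client.
        location / {
            root /var/www/html;
        }
    }
}
```

$realip_remote_addr keeps the original TCP peer after the realip module has rewritten $remote_addr, which is why the peer log uses it. To check the trust logic, send a request straight to this server with a forged header (curl -H 'X-Forwarded-For: 9.9.9.9' http://...): peer.log and xff.log should both show your own address as the client, with the forged value visible only inside the quoted xff="..." field.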

HTTP/2

Nginx does not speak HTTP/2 to the backend; it proxies with HTTP/1.x regardless of what the client used, because of how the HTTP/2 protocol works. So your reverse proxy must strip all connection-related headers sent by the backend. For example:

Suppose Chrome fetches a page from the reverse proxy over HTTP/2, and the proxy fetches it from the backend over HTTP/1.1. A backend that supports HTTP/2 sees the proxy using an old protocol and sends it the header "Upgrade: h2,h2c", telling the proxy that it is out of date and should upgrade. If your reverse proxy does not remove that header with proxy_hide_header, it is copied into the HTTP/2 response to Chrome, where connection-specific headers are forbidden, and Chrome may reject the response as a protocol error.
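The corresponding fix at the proxy, as an added example (mine, not from the repositories; backend address 1.2.3.4 as in the text):

```nginx
# Added example: strip the hop-by-hop "Upgrade" advertisement that an
# HTTP/2-capable backend (e.g. Apache with mod_http2) sends over HTTP/1.1.
# Assumption: backend at 1.2.3.4 as in the text.
location / {
    proxy_http_version 1.1;
    proxy_pass http://1.2.3.4;
    proxy_set_header Host $host;

    # Without this, "Upgrade: h2,h2c" from the backend is copied into the
    # HTTP/2 response to the browser. Nginx already drops the backend's
    # Connection and Transfer-Encoding headers; Upgrade it passes through.
    proxy_hide_header Upgrade;
}
```

To confirm the backend is the source, request it directly with curl -sI --http1.1 -H 'Host: dog.xmu.edu.cn' http://1.2.3.4/ and look for the Upgrade line; repeat against the proxy with --http2 and it should be gone.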

IPv6

Frankly, I think deploying a reverse proxy to solve the IPv6 problem is a "countermeasure against policy" approach that will harm IPv6 adoption in the long run. When will a data center dare to go to a pure IPv6 environment?

Real IPv6 adoption needs the help of application vendors. For example, a certain system has claimed to support IPv6 for a long time and is deployed in many schools, yet basically none of them use IPv6; I do not know what the problem is. Indeed, one more path means a little more risk, and being on IPv6 won't make you fly, so nobody is motivated to push it.

Speaking of this system, let's talk about its security; some issues are deployment issues and some are implementation issues. I am not responsible for this system and only found these while using it sporadically. So don't let me see or use your system, or I will find messy problems that embarrass both of us.

● The brute-force protection for passwords is designed strangely. After a certain number of failed attempts on an account it does not tell you that you are locked out; whether you enter the right or the wrong password, it says the password is wrong. This is confusing for the user and unfriendly to the attacker. I wrote to ask whether the behaviour could be changed or a switch provided for us to choose, but there has been no reply.

● Authentication information is placed directly in the URL, something like http://dog.xmu.edu.cn/index.php?login-user-hash-is=GUID, which is also very insecure. Although this is cookie-less friendly, without HTTPS the address is easily sniffed, it ends up in the web server's logs, and it won't even stop someone standing behind you from photographing your screen and passing it on. As pointed out later, a check on the source IP address was added, i.e. even if you obtain the address you must come from the same IP to use it. But this is unreliable too: attacks are still possible from behind the same physical NAT or through the same VPN. And no Referrer-Policy is specified in either the deployment or the code; the browser default at the time was no-referrer-when-downgrade, so clicking an off-site link inside the system sends the GUID to the hacker's web server in the Referer (current browsers default to strict-origin-when-cross-origin, which sends only the origin cross-site, but you should not rely on the default). Later a cookie was added, and it became safer. Actually I do not quite understand why login-user-hash-is remains after the cookie exists; maybe it is for compatibility with the API calls of old applications.

● The administrator interface and API endpoints are bound to the same web server port that ordinary users use. If your superuser password is strong, the system itself is fine. To be safe, we added a layer of administrator IP restriction, which many schools do not have. And the API's authentication mode is IP address authentication.
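Both of the last two issues can be mitigated at the reverse proxy without touching the system's code. Added example, my own and not from the repositories: the admin and API paths /admin/ and /api/ are hypothetical (the real system's paths are not given in the text), the operator networks 10.0.0.0/8 and 2001:db8::/32 are placeholders, and the backend is 1.2.3.4 as in the text.

```nginx
# Added example: deployment-side mitigations at the reverse proxy.
# Assumptions: admin UI under /admin/ and API under /api/ (hypothetical),
# operators come from 10.0.0.0/8 or 2001:db8::/32 (placeholders),
# backend at 1.2.3.4 as in the text, certbot's default certificate paths.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name dog.xmu.edu.cn;
    ssl_certificate     /etc/letsencrypt/live/dog.xmu.edu.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dog.xmu.edu.cn/privkey.pem;

    # Stop the login-user-hash-is token in the URL from leaking via Referer
    # when a user follows an off-site link: only the origin is sent
    # cross-site. "always" so it is also set on 4xx/5xx responses.
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Restrict the admin UI to operator networks. $remote_addr is the
    # browser's address here because this proxy terminates the client
    # connection; behind a further proxy you need the realip module first.
    location ^~ /admin/ {
        allow 10.0.0.0/8;
        allow 2001:db8::/32;
        deny  all;
        # Note: if any add_header is placed inside this location, the
        # Referrer-Policy above stops applying here and must be repeated.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://1.2.3.4;
    }

    # The API authenticates callers by IP, so the same allow-list applies;
    # a forged X-Forwarded-For cannot influence allow/deny on this hop.
    location ^~ /api/ {
        allow 10.0.0.0/8;
        allow 2001:db8::/32;
        deny  all;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://1.2.3.4;
    }

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://1.2.3.4;
    }
}
```

Requests from outside the allow-list get a 403 from Nginx and never reach the application, which is what makes this useful even when the application's own admin authentication is weak. Remember that the backend at 1.2.3.4 is still reachable directly on IPv4 unless you firewall it to accept connections only from the proxy.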

I hope that in the future, this system can really sort out the security of the deployment and improve the security of each school.

As for IPv6 address planning, I work on applications, not networking, so I do not quite understand it. Song Yanchuan wrote https://www.ipv6-cn.com/tutorials/ipv6-address-allocation-n-assignment.html, which you can learn from; I cannot fully understand it, but if you map your IPv4 addresses into IPv6 addresses it is simple, although I feel it could be improved.

The problem with IPv6's huge address pool is that previous methods that rely on an IP address as a unique identifier, such as one vote per IP, become rather ineffective. The strategy for identifying an attack source IP in brute-force protection also needs to change: a single host can use an entire /64, so blocking one address at a time no longer works.

HTTPS

HTTPS provides confidentiality and integrity. Simply adding HTTPS to a website solves most problems. If you want to go a few layers further, there are other improvements:

● The authoritative DNS server should enable DNSSEC to prevent DNS tampering.

● Add a CAA record to DNS, allowing only specific CAs to issue certificates for your domain. Note what CAA does and does not do: it is checked by publicly trusted CAs at issuance time. It does nothing against a vendor's root certificate that users were made to install (as some vendors did in the past); if that vendor is compromised, MITM is possible regardless of CAA, and the only fix is to remove the root.

● Browsers currently default to port 80, which may change in the future, so the common practice is to serve HTTP and 301 to HTTPS, and that first plaintext request can be attacked (SSL stripping). So add HSTS, submit to the HSTS preload list, STS-in-DNS and so on to change this process.

● If the page sets HSTS for one year, an attacker could in theory use an NTP attack to shift the client's clock forward by a year so that the HSTS entry expires. Is anyone that bored? Consider it anyway; a preloaded entry is built into the browser and does not depend on the client clock.

● The HTTP server is configured to prevent SSL/TLS protocol and cipher downgrade attacks.
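The server-side items above (no downgrade to old protocols or weak ciphers, HSTS) as an added Nginx example of my own, not the repositories' configuration. It assumes an Nginx built against OpenSSL 1.1.1 (needed for TLSv1.3; the Ubuntu 18.04 package got this via updates) and certbot's default certificate paths; the DNS items (DNSSEC, CAA) live in the zone, not here.

```nginx
# Added example: TLS settings and HSTS for the ssl listener.
# Assumptions: Nginx with OpenSSL 1.1.1 (for TLSv1.3) and certbot's
# default certificate paths; backend at 1.2.3.4 as in the text.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name dog.xmu.edu.cn;
    ssl_certificate     /etc/letsencrypt/live/dog.xmu.edu.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dog.xmu.edu.cn/privkey.pem;

    # No SSLv3/TLS 1.0/1.1: a downgrade attack can only pick from what is
    # enabled, so do not enable what you do not want.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only (TLS 1.2 list; TLS 1.3 suites are
    # fixed by OpenSSL), with the server choosing the order.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    # Session tickets on an unrotated key weaken forward secrecy.
    ssl_session_tickets off;

    # HSTS: the browser refuses plain HTTP for this host for a year, so the
    # 80 -> 443 redirect is only ever used on the very first visit. Add
    # includeSubDomains/preload only once every subdomain really serves
    # HTTPS; preloading is hard to undo.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://1.2.3.4;
    }
}
```

Verify the downgrade protection with openssl s_client -connect dog.xmu.edu.cn:443 -tls1_1, which must fail the handshake, and check the HSTS header with curl -sI https://dog.xmu.edu.cn. For the CAA item, a record of 0 issue "letsencrypt.org" on dog.xmu.edu.cn matches the certbot step above and tells other public CAs to refuse issuance.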

HTTP/2

There are many introductions to HTTP/2 online, so I will not repeat them. It changes a lot. In practice HTTP/2 currently requires HTTPS in front of it (browsers only speak h2 over TLS), so some debugging techniques no longer work, and some of the HTTP/1.1 optimization tricks you mastered before (such as domain sharding) are useless. Learn again.
