Hi, Habr. As part of the "Network Engineer" course, we have prepared an author's article.
We also invite everyone to watch the open webinar on the topic "NAT is not a Firewall". In it, participants together with an expert will study NAT and its uses, and understand why NAT != Firewall. In addition, we will consider different configuration types for different situations.
Encryption is the most popular method for securing network communications. This article describes current methods for decrypting data transmitted during interaction with web applications. Decryption examples are considered depending on the starting conditions (the presence of encryption keys, certificates and vulnerabilities in the information transfer scheme).
Problem and history
. , , , SSL TLS. HTTPS. , . :
-
HSTS — Strict Transport Security , HTTPS .
, , — , Wiki .
. :
Virtual Box;
Windows 8.1;
Ubuntu Server 20.04;
iPhone SE.
"NAT Network". . , , , . .
SQUID
Squid — , . HTTP , , HTTPS . . , squid , :
```sh
# fetch and build Squid 4.5 from source with OpenSSL support and the
# certificate generator helper (security_file_certgen) needed for SSL bump
wget http://www.squid-cache.org/Versions/v4/squid-4.5.tar.gz
tar -xvzf squid-4.5.tar.gz
cd squid-4.5
./configure --with-openssl --enable-ssl-crtd --prefix=/usr/local/squid
make
make all
make install
```
— , :
```sh
cd /etc/squid
mkdir ssl_cert
chown squid:squid -R ssl_cert
chmod 700 ssl_cert
cd ssl_cert
# self-signed root CA; key and certificate are written into the same PEM file,
# which is the form Squid expects for the cert= option of http_port
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out myCA.pem
# DER copy of the certificate only, for import into client trust stores
openssl x509 -in myCA.pem -outform DER -out myCA.der
```
myCA.der . squid.
squid:
```sh
ln -s /usr/local/squid/sbin/squid /usr/local/bin/squid
```
:
```sh
/usr/local/squid/libexec/security_file_certgen -c -s /var/lib/ssl_db -M 4MB
chown squid:squid -R /var/lib/ssl_db
```
:
```sh
nano /usr/local/squid/etc/squid.conf
```
:
```sh
# The two ACLs below are assumed additions: the original listing references
# Safe_ports and localnet without defining them, and Squid refuses to start on an
# undefined ACL name. The localnet range is the VirtualBox "NAT Network" default.
acl localnet src 10.0.2.0/24
acl Safe_ports port 80 443 21 70 210 1025-65535
acl SSL_ports port 443
acl CONNECT method CONNECT
acl manager proto cache_object
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
coredump_dir /usr/local/squid/var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern -i youtube.com/.* 10080 90% 43200
refresh_pattern (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# a single listener on 3128 (the original listed the port twice); ssl-bump makes
# Squid terminate client TLS with certificates minted from myCA.pem per host
http_port 3128 ssl-bump \
cert=/etc/squid/ssl_cert/myCA.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1
# peek only at step 1 (client hello), stare at step 2 (server hello) so that
# bumping at step 3 stays possible; peeking at step 2 would prevent the bump
ssl_bump peek step1
ssl_bump stare all
ssl_bump bump all
cache allow all
access_log stdio:/usr/local/squid/var/logs/access.log combined
cache_store_log stdio:/usr/local/squid/var/logs/store.log
cache_log stdio:/usr/local/squid/var/logs/cache.log
```
squid:
```sh
squid -d 10 && tail -f /usr/local/squid/var/logs/access.log
```
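Added example (shell, not code from the article or from Squid): it rebuilds offline what the bump CA and security_file_certgen do, then shows the client-side check an endpoint can run to tell a bumped TLS session from a direct one, since every bumped site presents a certificate issued by the proxy CA rather than by a public CA. The CA name, the hostname www.example.test and the work directory are constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from the article: reproduce the bump CA and the
# per-host certificate generation offline, then check a server certificate
# against the bump CA the way a user or endpoint agent would.
# CA name, hostname and work directory are constructed for this demo.
set -eu
WORK=$(mktemp -d)

# Root CA, same shape as the article's myCA.pem (key and cert in one PEM file).
make_ca() {
  openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
    -subj "/CN=Test Bump CA" -keyout "$WORK/myCA.pem" -out "$WORK/myCA.pem" 2>/dev/null
}

# Mint a per-host certificate signed by the bump CA, which is what Squid's
# certificate generator does for every bumped site. $1 = hostname.
mint_host_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/myCA.pem" -CAkey "$WORK/myCA.pem" \
    -CAcreateserial -days 30 -sha256 -out "$WORK/$1.pem" 2>/dev/null
}

# Client-side check: does this server certificate chain to the bump CA?
# Prints "bumped" if it does, "not-bumped" otherwise. $1 = leaf cert, $2 = CA file.
classify() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo bumped; else echo not-bumped; fi
}

# Issuer CN of a leaf certificate: what a user sees in the browser's certificate
# viewer. A bumped site shows the proxy CA, not the public CA of the origin.
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}

# Stand-alone run against the constructed hostname.
make_ca
mint_host_cert www.example.test
echo "issuer: $(issuer_cn "$WORK/www.example.test.pem")"
echo "against bump CA: $(classify "$WORK/www.example.test.pem" "$WORK/myCA.pem")"
```

The same classify check, run against the device's normal trust store instead of myCA.pem, is how a client that was never given myCA.der ends up with a certificate error on every bumped site.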
:
CharlesProxy
WiFi iPhone SE. . charlesProxy. , . "Proxy > Start SSL Proxying":
, :
, . . , .