Task #31843

Scenario #31671: EOLE-ization of the "client" MITM on all EOLE modules

Configuration of the MITM proxy on an EOLE client + deployment

Added by Emmanuel GARETTE about 3 years ago. Updated about 3 years ago.

Status: Closed
Priority: Normal
Assigned To:
Start date: 03/04/2021
Due date:
% Done: 100%
Remaining (hours): 0.0

Associated revisions

Revision 16923598 (diff)
Added by Emmanuel GARETTE about 3 years ago

download, during Maj-Auto, the root certificate of the proxy in MITM mode (ref #31843)

Revision 34f368fc (diff)
Added by Emmanuel GARETTE about 3 years ago

validation function for a fingerprint (ref #31843)

Revision aa38c13f (diff)
Added by Emmanuel GARETTE about 3 years ago

Maj-Auto: it must be possible to run commands before the repositories are loaded (ref #31843)

Revision fab1f8ac (diff)
Added by Emmanuel GARETTE about 3 years ago

Configure the MITM before configuring the repositories in Maj-Auto (ref #31843)

Revision 64a0b62a (diff)
Added by Emmanuel GARETTE about 3 years ago

majauto_pre => majauto/pre (ref #31843)

Revision eef5e5b1 (diff)
Added by Emmanuel GARETTE about 3 years ago

majauto => majauto_pre (ref #31843)

Revision 84848fb9 (diff)
Added by Emmanuel GARETTE about 3 years ago

test whether the client proxy is not set to "non" (ref #31843)

Revision 29ab4b54 (diff)
Added by Emmanuel GARETTE about 3 years ago

retrieve the proxy addresses (ref #31843)

History

#1 Updated by Emmanuel GARETTE about 3 years ago

  • Status changed from New to Resolved
  • Assigned To set to Emmanuel GARETTE
  • % Done changed from 0 to 100

#2 Updated by Daniel Dehennin about 3 years ago

So the certificate is only installed by Maj-Auto, not by reconfigure:

activer_proxy_client_mitm="oui" 
proxy_client_mitm_fingerprint_type="sha256" 
proxy_client_mitm_fingerprint="39:AB:58:0C:DF:77:DC:C5:0C:23:35:17:96:74:07:60:99:3F:D2:C9:46:E3:01:0E:FA:72:E4:11:2E:26:F8:46" 
proxy_client_mitm_fingerprint_type="sha256" 
root@scribe:~# reconfigure
[…]
root@scribe:~# curl -I https://repo.saltstack.com
HTTP/1.1 200 Connection established

curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
root@scribe:~# Query-Auto -D
Mise à jour le mardi 09 mars 2021 13:57:13
Exécution des scripts /usr/share/eole/majauto_pre
run-parts: executing /usr/share/eole/majauto_pre/mitm
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping duplicate certificate in eole.pem
rehash: warning: skipping duplicate certificate in ISRG_Root_X1.pem
rehash: warning: skipping duplicate certificate in ca.crt
rehash: warning: skipping duplicate certificate in ca_local.crt
5 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

Replacing debian:antsv3racine.pem
Replacing debian:igca.pem
Replacing debian:ca_proxy.pem
Replacing debian:antsv3racine.pem
Replacing debian:igca.pem
done.
done.
[…]
root@scribe:~# curl -I https://repo.saltstack.com
HTTP/1.1 200 Connection established

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 76024
Date: Tue, 09 Mar 2021 08:35:36 GMT
Last-Modified: Fri, 26 Feb 2021 02:02:33 GMT
ETag: "941f2c717a0931b5c8d535189f3d8eb8" 
x-amz-meta-mtime: 1614304559.305321993
Accept-Ranges: bytes
Server: AmazonS3
Vary: Accept-Encoding
X-Cache: Hit from cloudfront
Via: 1.1 b610872a8a74821c40e2fbd7aa11d1c1.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: MRS52-C1
X-Amz-Cf-Id: hYuhGdMw4JC1zCmLYvZq4Ow4uRuT2h8hWT_xdIDpuVJ5ySt0eRingA==
Age: 15846
X-Cache: HIT from amon
X-Cache-Lookup: HIT from amon:3128
Connection: keep-alive

#3 Updated by Daniel Dehennin about 3 years ago

  • Status changed from Resolved to Closed
  • Remaining (hours) set to 0.0

The setup is indeed performed during a Query-Auto / Maj-Auto run and works correctly.
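
The fingerprint check implied by the `proxy_client_mitm_fingerprint` settings above, as an added example (not code from the EOLE revisions listed on this page): a downloaded proxy root certificate is accepted only if the digest of its DER encoding matches the configured value. The function names, the set of accepted digest types and the sample certificate bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
import ssl

# Digest sizes in bytes. The page only shows "sha256"; "sha512" is an assumption.
DIGEST_SIZES = {"sha256": 32, "sha512": 64}
# Fingerprint quoted in the ticket's configuration.
PAGE_FINGERPRINT = ("39:AB:58:0C:DF:77:DC:C5:0C:23:35:17:96:74:07:60:"
                    "99:3F:D2:C9:46:E3:01:0E:FA:72:E4:11:2E:26:F8:46")
# Constructed sample: arbitrary bytes in PEM armor standing in for the
# downloaded root certificate (not a real certificate).
SAMPLE_DER = b"constructed sample bytes, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def normalize_fingerprint(value, fp_type):
    """Validate a colon-separated or bare hex fingerprint; return lowercase hex."""
    if fp_type not in DIGEST_SIZES:
        raise ValueError("unsupported fingerprint type: %r" % (fp_type,))
    size = DIGEST_SIZES[fp_type]
    colon_form = r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){%d}" % (size - 1)
    bare_form = r"[0-9A-Fa-f]{%d}" % (size * 2)
    value = value.strip()
    if not (re.fullmatch(colon_form, value) or re.fullmatch(bare_form, value)):
        raise ValueError("not a well-formed %s fingerprint" % fp_type)
    return value.replace(":", "").lower()


def certificate_fingerprint(pem, fp_type):
    """Hash the DER encoding of the certificate, as `openssl x509 -fingerprint` does."""
    return hashlib.new(fp_type, ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def is_trusted_ca(pem, expected, fp_type):
    """True only when the certificate matches the configured fingerprint."""
    wanted = normalize_fingerprint(expected, fp_type)  # reject bad config first
    return hmac.compare_digest(certificate_fingerprint(pem, fp_type), wanted)


if __name__ == "__main__":
    own = certificate_fingerprint(SAMPLE_PEM, "sha256")
    print("matches its own digest:", is_trusted_ca(SAMPLE_PEM, own, "sha256"))
    # A certificate that does not match the configured value must not be installed.
    print("matches ticket value:", is_trusted_ca(SAMPLE_PEM, PAGE_FINGERPRINT, "sha256"))
```

A caller would run this check before copying the certificate into the system trust store, and skip the installation on `False` or `ValueError`.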
