NOPROXY
=========

.. panels::
        :container: container pb-4
        :column: col-lg-12 p-2
        :card: shadow

        Topics in this section,

                * :ref:`Learnings in this section <NOPROXY_step1>`

                * :ref:`Terminology <NOPROXY_step2>`

                * :ref:`Version Info <NOPROXY_step3>`

                * :ref:`Protocol Details <NOPROXY_step32>`

                * :ref:`Use case curl with HTTPS <NOPROXY_step24>`
               
                * :ref:`Use case wget with HTTPS <NOPROXY_step25>`

                * :ref:`Use case curl with HTTP <NOPROXY_step26>`

                * :ref:`Use case wget with HTTP <NOPROXY_step27>`

                * :ref:`Setup custom webserver on ubuntu <NOPROXY_step29>`

                * :ref:`Configure custom webserver details on ubuntu machine using certificates <NOPROXY_step30>`

                * :ref:`Decrypting HTTPS traffic in wireshark using curl <NOPROXY_step28>`

                * :ref:`Meaning of cert filenames <NOPROXY_step31>`

                * :ref:`FAQs <NOPROXY_step18>`

                * :ref:`Reference links <NOPROXY_step19>`

.. _NOPROXY_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _NOPROXY_step2:

.. tab-set::

    .. tab-item:: Terminology
        
       * Terminology


.. _NOPROXY_step3:

.. tab-set::

    .. tab-item:: Version Info
    
         * Version Info

.. _NOPROXY_step32:

.. tab-set::

    .. tab-item:: Protocol Details
    
       .. csv-table:: 
                :file: ./NOPROXY/protocol.csv
                :widths: 20,20,25,25,20,10,25,1





.. _NOPROXY_step24:

.. tab-set::

   .. tab-item:: Use case curl with HTTPS
                     
      .. code-block:: shell

         test:~$ curl https://c-pointers.com

      * Expected output: The HTML source code of the webpage hosted at https://c-pointers.com

      * Step-1 : wireshark captures
                            
           * client side

              :download:`Download capture <NOPROXY/wireshark_captures/curl_https_client.pcapng>`


      * Step-2 : screenshots

           * client side

             .. image:: NOPROXY/wireshark_screenshots/curl_https_client.png
                :width: 2000

.. _NOPROXY_step25:

.. tab-set::

   .. tab-item:: Use case wget with HTTPS
                     
      .. code-block:: shell

         test:~$ wget https://c-pointers.com

      * Expected output: The HTML content of the webpage at https://c-pointers.com

      * Step-1 : wireshark captures

           * client side
              
             :download:`Download capture <NOPROXY/wireshark_captures/wget_https_client.pcapng>`

      * Step-2 : screenshots

           * client side

             .. image:: NOPROXY/wireshark_screenshots/wget_https_client.png
                :width: 2000

.. _NOPROXY_step26:

.. tab-set::

   .. tab-item:: Use case curl with HTTP

      .. code-block:: shell

         test:~$ curl http://c-pointers.com

      * Expected output: The HTML source code of the webpage hosted at http://c-pointers.com

      * Step-1 : wireshark captures

         * client side

           :download:`Download capture <NOPROXY/wireshark_captures/curl_http_client.pcapng>`


      * Step-2 : screenshots

         * client side

            .. image:: NOPROXY/wireshark_screenshots/curl_http_client.png
               :width: 2000

.. _NOPROXY_step27:

.. tab-set::

   .. tab-item:: Use case wget with HTTP

      .. code-block:: shell

         test:~$ wget http://c-pointers.com
                     
      * Expected output: The HTML content of the webpage at http://c-pointers.com

                 
      * Step-1 : wireshark captures
                            
         * client side

            :download:`Download capture <NOPROXY/wireshark_captures/wget_http_client.pcapng>`


      * Step-2 : screenshots

         * client side

          .. image:: NOPROXY/wireshark_screenshots/wget_http_client.png
              :width: 2000

.. _NOPROXY_step29:

.. tab-set::

   .. tab-item:: Setup custom webserver on ubuntu

     * Step-1: Install Apache Web Server
      
       .. code-block:: shell

          test:~$ sudo apt update
          test:~$ sudo apt install apache2 -y

     * Step-2: Adjust the Firewall
      
       1. Check the available Apache UFW profiles:

          .. code-block:: shell

             test:~$ sudo ufw app list
             Available applications:
             Apache
             Apache Full
             Apache Secure

       2. To allow both HTTP and HTTPS, ``Apache Full`` is a good choice.

          .. code-block:: shell

             test:~$ sudo ufw allow 'Apache Full'

     * Step-3: Verify apache service
       
       .. code-block:: shell

          test:~$ sudo systemctl start apache2
          test:~$ sudo systemctl enable apache2
          test:~$ sudo systemctl status apache2

     * Step-4: Test your Webserver
       
       * Open a web browser and navigate to your server's IP address, for example http://10.91.239.125

       * You can also check from the terminal:

         .. code-block:: shell

            test:~$ curl -v http://10.91.239.125

       * You should see the default Apache Ubuntu page. This confirms that Apache is installed and running correctly.

       .. note::

          * 10.91.239.125 is the IP address of the Ubuntu server machine.

     * Step-5: Let's create your own domain.com

       1. Create a directory for your domain:

          .. code-block:: shell

             test:~$ sudo mkdir -p /var/www/myuniqueproxy.com/html

          .. note::

             * myuniqueproxy.com is the example domain used here. Replace it with your actual domain.

       2. Create a sample index.html file with the following content:

          .. code-block:: shell

             test:~$ sudo nano /var/www/myuniqueproxy.com/html/index.html

          .. code-block:: html

             <!DOCTYPE html>
             <html>
             <head>
             <title>Welcome to myuniqueproxy.com domain</title>
             </head>
             <body>
             <h1>Hello from my own web server!</h1>
             <p>This page is hosted on Apache running on Ubuntu.</p>
             </body>
             </html>

          * Save the file (Ctrl+O, Enter, Ctrl+X).

          .. note::

             * If you want to add more content, you can add it to the index.html file.

     * Step-6: Set Proper permissions

       .. code-block:: shell

          test:~$ sudo chown -R www-data:www-data /var/www/myuniqueproxy.com/html
          test:~$ sudo chmod -R 755 /var/www/myuniqueproxy.com

     * Step-7: Enable SSL module and default SSL site

       .. code-block:: shell

          test:~$ sudo a2enmod ssl
          test:~$ sudo a2ensite default-ssl
          test:~$ sudo systemctl reload apache2

     * Step-8: Generate a Self-Signed SSL Certificate

       1. Create a directory to store your certificate:

          .. code-block:: shell

             test:~$ sudo mkdir -p /etc/apache2/ssl

       2. Now generate the certificate and private key:

          .. code-block:: shell

             test:~$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache-selfsigned.key -out /etc/apache2/ssl/apache-selfsigned.crt

       .. note::

          * You will be prompted to enter values such as country and state. In the Common Name field, enter your server IP address. These values will appear in your certificate.

     * Step-9: Configure Apache to Use Your Certificate

       * Edit the default SSL site so that it contains the following:

         .. code-block:: shell

            test:~$ sudo nano /etc/apache2/sites-available/default-ssl.conf

         .. code-block:: apacheconf

            <IfModule mod_ssl.c>
            <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost

                DocumentRoot /var/www/myuniqueproxy.com/html

                # ServerName is optional for IP-based access
                # ServerName your-domain.com

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                # SSL Configuration
                SSLEngine on

                # Restrict the server to TLS 1.2 (see the note below).
                # RSA key exchange provides no forward secrecy.
                SSLProtocol -all +TLSv1.2
                SSLCipherSuite RSA+AESGCM

                SSLCertificateFile      /etc/apache2/ssl/apache-selfsigned.crt
                SSLCertificateKeyFile   /etc/apache2/ssl/apache-selfsigned.key

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                    SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                    SSLOptions +StdEnvVars
                </Directory>

                # Optional security headers. The Header directive belongs to
                # mod_headers, so it is applied only when that module is enabled.
                <IfModule mod_headers.c>
                    Header always set X-Frame-Options DENY
                    Header always set X-Content-Type-Options nosniff
                    Header always set X-XSS-Protection "1; mode=block"
                </IfModule>

                # Optional SSL settings (hardened). Kept commented out: a later
                # SSLProtocol/SSLCipherSuite in the same VirtualHost replaces the
                # earlier one, so use this pair instead of the TLS 1.2 pair above,
                # not together with it.
                # SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
                # SSLCipherSuite HIGH:!aNULL:!MD5
                SSLHonorCipherOrder on
            </VirtualHost>
            </IfModule>

       * Save and exit (Ctrl+O, Enter, then Ctrl+X).

       .. note::

          * The two lines ``SSLProtocol -all +TLSv1.2`` and ``SSLCipherSuite RSA+AESGCM`` provide support for the TLS 1.2 protocol.

          * If you comment out these two lines, the server supports the TLS 1.3 protocol.

     * Step-10: Restart Apache

       .. code-block:: shell

          test:~$ sudo systemctl restart apache2
  
     * Step-11: Test Your Server

       * Open a browser and go to https://10.91.239.125

       .. note::

          * You’ll see a warning that the certificate is not trusted; this is expected with a self-signed certificate. You can proceed anyway.

          * After that, you should see your index.html page.

          * 10.91.239.125 is the server IP address.

.. _NOPROXY_step30:

.. tab-set::

   .. tab-item:: Configure custom webserver details on ubuntu machine using certificates

      * Step-1: Obtain the custom webserver's certificate

        .. code-block:: shell

           test:~$ echo | openssl s_client -showcerts -connect 10.91.239.125:443

        * This shows the certificate chain that the custom webserver presents. Copy the certificate from the output (the block starting with ``-----BEGIN CERTIFICATE-----`` and ending with ``-----END CERTIFICATE-----``).

        * Save it to a file, e.g., ownwebserver.crt

      * Step-2: Add the custom webserver certificate to the trusted CA store

        1. Copy the custom webserver certificate to /usr/local/share/ca-certificates/

           .. code-block:: shell

              test:~$ sudo cp ownwebserver.crt /usr/local/share/ca-certificates/

        2. Update the certificate store

           .. code-block:: shell

              test:~$ sudo update-ca-certificates

        * This adds the custom webserver's self-signed certificate to the list of trusted certificates.
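
Step-8 of the webserver setup puts the server IP address in the certificate's Common Name. The following added example (not part of the original page) creates throwaway certificates in a temporary directory and uses OpenSSL's own ``-checkip`` test to show that the IP address verifies only when it is also listed in subjectAltName. ``make_cert`` and ``cert_matches_ip`` are hypothetical helper names, and ``-addext`` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: CN-only self-signed certificate vs. one with an IP SAN.

SERVER_IP=10.91.239.125   # the page's example server address

# make_cert OUT_PREFIX [SAN] -> writes OUT_PREFIX.key and OUT_PREFIX.crt
make_cert() {
    if [ -n "$2" ]; then
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -subj "/CN=$SERVER_IP" -addext "subjectAltName = $2" \
            -keyout "$1.key" -out "$1.crt" 2>/dev/null
    else
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -subj "/CN=$SERVER_IP" \
            -keyout "$1.key" -out "$1.crt" 2>/dev/null
    fi
}

# cert_matches_ip CERT IP -> exit status 0 when OpenSSL's IP check succeeds.
# OpenSSL compares IP addresses against subjectAltName only, never the CN.
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match certificate'
}

# Demonstration in a scratch directory; nothing is written under /etc.
workdir=$(mktemp -d)
make_cert "$workdir/cn_only"
make_cert "$workdir/with_san" "IP:$SERVER_IP"
for name in cn_only with_san; do
    if cert_matches_ip "$workdir/$name.crt" "$SERVER_IP"; then
        echo "$name: IP address verifies"
    else
        echo "$name: IP address does NOT verify"
    fi
done
rm -rf "$workdir"
```

Run the same ``-checkip`` test against ownwebserver.crt before copying it into the trust store to see whether strict clients will accept it for https://10.91.239.125.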


.. _NOPROXY_step28:

.. tab-set::

   .. tab-item:: Decrypting HTTPS traffic in wireshark using curl

      .. note::
      
         * 10.91.239.125 is the IP address of custom webserver.

      1. Set the SSLKEYLOGFILE environment variable

         * Set this environment variable to capture the session keys.

           .. code-block:: shell

              test:~$ export SSLKEYLOGFILE=~/noproxy_sslkeys.log

         .. note::

            * This tells supported TLS libraries to log pre-master secrets into that file.

            * This only works if the TLS library used by curl supports it (like OpenSSL with debug support or NSS).

      2. Run the curl command

         .. code-block:: shell

            test:~$ curl -v https://10.91.239.125

      3. Start a Wireshark capture

         - Open Wireshark.
         - Select the network interface that your traffic goes through (e.g., eth0, wlan0).
         - Apply a capture filter if you want, or just start the capture.
         - Run your curl command while capturing is active.

         .. code-block:: shell

            test:~$ curl -v https://10.91.239.125

      4. Configure Wireshark to use the SSL key log

         - Go to Edit > Preferences > Protocols > TLS.
         - Find the field named "(Pre)-Master-Secret log filename".
         - Set it to the path of your SSL key log file, e.g., /home/user/noproxy_sslkeys.log
         - Click OK.
         - Wireshark will then use the session keys to decrypt the HTTPS traffic.

      5. View decrypted traffic

         - You should now see decrypted HTTP requests and responses in plain text!

         :download:`Download capture <NOPROXY/decrypted_captures/noproxy_ownwebserver.pcapng>`

         :download:`Download sslkeylogfile <NOPROXY/decrypted_captures/noproxy_sslkeys.log>`
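
Anyone who holds both the key log and the capture can decrypt the session, so the log is worth checking before it goes into Wireshark. The following added example (not part of the original page) counts the sessions in a key log by TLS version, where ``CLIENT_RANDOM`` lines belong to TLS 1.2 and the ``*_SECRET`` labels to TLS 1.3, counts unusable lines, and tests that the file is readable by its owner only. ``sample_keylog``, ``keylog_summary`` and ``keylog_is_private`` are hypothetical helper names, and the sample log is constructed with dummy hex values.

```shell
#!/bin/sh
# Added example: inspect an SSLKEYLOGFILE before loading it into Wireshark.

# Constructed sample in NSS key log format; every hex value is a dummy.
sample_keylog() {
    r1=$(printf '%064d' 1); r2=$(printf '%064d' 2)    # 32-byte client randoms
    s48=$(printf '%096d' 0); s32=$(printf '%064d' 0)  # 48- and 32-byte secrets
    echo "# constructed sample, not real secrets"
    echo "CLIENT_RANDOM $r1 $s48"                     # one TLS 1.2 session
    for label in CLIENT_HANDSHAKE_TRAFFIC_SECRET SERVER_HANDSHAKE_TRAFFIC_SECRET \
                 CLIENT_TRAFFIC_SECRET_0 SERVER_TRAFFIC_SECRET_0 EXPORTER_SECRET
    do
        echo "$label $r2 $s32"                        # one TLS 1.3 session
    done
    echo "CLIENT_RANDOM deadbeef $s48"                # malformed: short random
}

# keylog_summary FILE -> "tls12=N tls13=N malformed=N" (distinct sessions)
keylog_summary() {
    awk '
        /^#/ || NF == 0 { next }
        NF != 3 || length($2) != 64 || ($2 $3) ~ /[^0-9A-Fa-f]/ { bad++; next }
        $1 == "CLIENT_RANDOM" && length($3) == 96 { tls12[$2] = 1; next }
        index($1, "_SECRET") > 0                   { tls13[$2] = 1; next }
        { bad++ }
        END {
            for (k in tls12) n12++
            for (k in tls13) n13++
            printf "tls12=%d tls13=%d malformed=%d\n", n12, n13, bad
        }' "$1"
}

# keylog_is_private FILE -> exit status 0 when group and others have no access
keylog_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Demonstration on the constructed sample.
log=$(mktemp)
sample_keylog > "$log"
chmod 600 "$log"
keylog_summary "$log"
keylog_is_private "$log" || echo "WARNING: $log is readable by other users"
rm -f "$log"
```

With the TLS 1.2 server settings from Step-9, a real ~/noproxy_sslkeys.log is expected to report only ``tls12`` sessions.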

.. _NOPROXY_step31:

.. tab-set::

   .. tab-item:: Meaning of cert filenames 
      
      .. csv-table:: 
                :file: ./NOPROXY/meaning_of_filenames.csv
                :widths: 20,40,60

        
.. _NOPROXY_step18:

.. tab-set::

    .. tab-item:: FAQs
      
       * FAQs

.. _NOPROXY_step19:

.. tab-set::

    .. tab-item:: Reference links
     
       * Reference links