如何在带有 SSL 的 nginx 反向代理后面正确运行 BeEF
Posted
技术标签:
【中文标题】如何在带有 SSL 的 nginx 反向代理后面正确运行 BeEF【英文标题】:How to run BeEF behind an nginx reverse proxy with SSL correctly 【发布时间】:2020-06-07 03:39:38 【问题描述】:我目前在 Debian 10 VPS 上运行 BeEF - 版本:'0.5.0.0-alpha-pre' 使用 GitHub 存档上的标准安装脚本安装。它在带有 SSL 的 VirtualHost 上的 nginx 反向代理后面运行配置(通过 certbot)。 BeEF 正在侦听内部接口(不能直接从 Internet 路由),而 nginx 正在将请求代理到该接口的 IP。一切正常 - 管理浏览器 UI 甚至使用 http 时的钩子。但是,当我尝试在 https 页面上嵌入钩子时,钩子不起作用。从浏览器控制台(Linux 上最新的 firefox),当浏览器尝试通过 http URL 连接到钩子/处理程序时,我反复收到消息“阻止混合活动内容”。 BeEF 的 config.yaml 文件中存在 SSL 选项,但这似乎适用于 BeEF 不在反向代理后面运行的情况。有人可以说明如何正确配置 BeEF 以在 nginx 反向代理后面运行。
我的 config.yaml 文件在下面,我将粘贴我的 nginx 配置文件以及关注的特定服务器块。
BeEF 配置文件
beef:
version: '0.5.0.0-alpha-pre'
# More verbose messages (server-side)
debug: false
# More verbose messages (client-side)
client_debug: false
# Used for generating secure tokens
crypto_default_value_length: 80
# Credentials to authenticate in BeEF.
# Used by both the RESTful API and the Admin interface
credentials:
user: "beef"
passwd: "*********************"
# Interface / IP restrictions
restrictions:
# subnet of IP addresses that can hook to the framework
permitted_hooking_subnet: ["0.0.0.0/0", "::/0"]
# subnet of IP addresses that can connect to the admin UI
#permitted_ui_subnet: ["127.0.0.1/32", "::1/128"]
permitted_ui_subnet: ["0.0.0.0/0", "::/0"]
# slow API calls to 1 every api_attempt_delay seconds
api_attempt_delay: "0.05"
# HTTP server
http:
debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
host: "172.17.0.1"
port: "3000"
# Decrease this setting to 1,000 (ms) if you want more responsiveness
# when sending modules and retrieving results.
# NOTE: A poll timeout of less than 5,000 (ms) might impact performance
# when hooking lots of browsers (50+).
# Enabling WebSockets is generally better (beef.websocket.enable)
xhr_poll_timeout: 1000
# Host Name / Domain Name
# If you want BeEF to be accessible via hostname or domain name (ie, DynDNS),
# set the public hostname below:
#public: "my.domain.org" # public hostname/IP address
# Reverse Proxy / NAT
# If you want BeEF to be accessible behind a reverse proxy or NAT,
# set both the publicly accessible hostname/IP address and port below:
# NOTE: Allowing the reverse proxy will enable a vulnerability where the ui/panel can be spoofed
# by altering the X-FORWARDED-FOR ip address in the request header.
allow_reverse_proxy: true
public: "my.domain.org" # public hostname/IP address
public_port: "443" # public port (experimental)
# Hook
hook_file: "/hook.js"
hook_session_name: "BEEFHOOK"
# Allow one or multiple origins to access the RESTful API using CORS
# For multiple origins use: "http://browserhacker.com, http://domain2.com"
restful_api:
allow_cors: false
cors_allowed_domains: "https://my.domain.org"
# Prefer WebSockets over XHR-polling when possible.
websocket:
enable: false
port: 61985 # WS: good success rate through proxies
# Use encrypted 'WebSocketSecure'
# NOTE: works only on HTTPS domains and with HTTPS support enabled in BeEF
secure: true
secure_port: 61986 # WSSecure
ws_poll_timeout: 1000 # poll BeEF every second
ws_connect_timeout: 500 # useful to help fingerprinting finish before establishing the WS channel
# Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
web_server_imitation:
enable: true
type: "apache" # Supported: apache, iis, nginx
hook_404: false # inject BeEF hook in HTTP 404 responses
hook_root: false # inject BeEF hook in the server home page
# Experimental HTTPS support for the hook / admin / all other Thin managed web services
https:
enable: false
# In production environments, be sure to use a valid certificate signed for the value
# used in beef.http.public (the domain name of the server where you run BeEF)
key: "beef_key.pem"
cert: "beef_cert.pem"
database:
file: "beef.db"
# Autorun Rule Engine
autorun:
# this is used when rule chain_mode type is nested-forward, needed as command results are checked via setInterval
# to ensure that we can wait for async command results. The timeout is needed to prevent infinite loops or eventually
# continue execution regardless of results.
# If you're chaining multiple async modules, and you expect them to complete in more than 5 seconds, increase the timeout.
result_poll_interval: 300
result_poll_timeout: 5000
# If the modules doesn't return status/results and timeout exceeded, continue anyway with the chain.
# This is useful to call modules (nested-forward chain mode) that are not returning their status/results.
continue_after_timeout: true
# Enables DNS lookups on zombie IP addresses
dns_hostname_lookup: false
# IP Geolocation
# NOTE: requires MaxMind database. Run ./updated-geoipdb to install.
geoip:
enable: true
database: '/opt/GeoIP/GeoLite2-City.mmdb'
# Integration with PhishingFrenzy
# If enabled BeEF will try to get the UID parameter value from the hooked URI, as this is used by PhishingFrenzy
# to uniquely identify the victims. In this way you can easily associate phishing emails with hooked browser.
integration:
phishing_frenzy:
enable: false
# You may override default extension configuration parameters here
# Note: additional experimental extensions are available in the 'extensions' directory
# and can be enabled via their respective 'config.yaml' file
extension:
admin_ui:
enable: true
base_path: "/ui"
demos:
enable: true
events:
enable: true
evasion:
enable: false
requester:
enable: true
proxy:
enable: true
network:
enable: true
metasploit:
enable: false
social_engineering:
enable: true
xs-s-rays:
enable: true
这是我为该虚拟主机配置的 NGINX 配置
server
server_name my.domain.org;
set $upstream 172.17.0.1:3000;
location /
proxy_pass_header Authorization;
proxy_pass http://$upstream;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection “”;
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
listen 80;
listen [::]:80;
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/my.domain.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/my.domain.org/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
我确信 SSL 设置正确,因为我已经以多种方式调试和测试了所有内容。任何帮助将不胜感激。谢谢
【问题讨论】:
我对 BEEF 不熟悉,但是 BEEF 后端如何知道 SSL 是否在使用?您的后端应该有两个未加密的 HTTP 端口,一个用于正常流量,另一个用于终止的 SSL 流量。这样,您的后端将正确执行非 SSL 到 SSL 的重定向。 @Geoffrey 这很有意义。我认为当前形式的 BeEF 框架不支持您所说的内容。它可以使用 SSL,但只能直接使用,不能在 SSL 被终止的反向代理后面使用。我可以写一些 Ruby 来解决这个问题,但我确信有一种更优雅的方式,特别是因为 BeEF 的作者已经提到它应该在生产模式下运行在反向代理后面。一个廉价的解决方法是简单地将处理程序 URL 从代码更改为 https。我确信这会解决“阻止混合活动内容”错误。 beef 标签不适用于浏览器开发框架。 【参考方案1】:遇到了完全相同的问题,您的代理配置实际上帮助我解决了我自己的一个问题。
为了使其工作,您需要修改./core/main/client/net.js 并将发送到javascript 处理程序的协议硬编码为https。这将允许整个系统在没有 SSL 的情况下运行,但仍会生成 SSL 链接供您的反向代理处理。
显然是一个 hack,但它会很快让它工作。
./core/main/client/net.js:
port: "<%= @beef_port %>",
hook: "<%= @beef_hook %>",
httpproto: "https",//"<%= @beef_proto %>", //<- Hardcoded to HTTPS
handler: '/dh',
chop: 500,
【讨论】:
请考虑输入代码,因为它会更容易复制 - 过去 - 搜索...以上是关于如何在带有 SSL 的 nginx 反向代理后面正确运行 BeEF的主要内容,如果未能解决你的问题,请参考以下文章
带有两种 SSL 到 weblogic 的 nginx 反向代理
设置好 NGINX 反向代理后,如何在引入 NGINX 反向代理的 NGINX 上配置 SSL 直通? [复制]
在带有协议升级的 nginx 反向代理后面运行 daphne 总是路由到 http 而不是 websocket