@maus-
maus- / README.md
Created July 13, 2021 18:27 — forked from mayorova/README.md
Mutual SSL in NGINX

Securing traffic to upstream servers with client certificates

Info: https://www.nginx.com/resources/admin-guide/nginx-https-upstreams/

Creating and Signing Your Certs

Source: http://nategood.com/client-side-certificate-authentication-in-ngi

This is SSL, so you'll need a cert-key pair for you/the server, the API users/the client and a CA pair. You will be the CA in this case (usually a role played by VeriSign, thawte, GoDaddy, etc.), signing your client's certs. There are plenty of tutorials out there on creating and signing certificates, so I'll leave the details on this to someone else and just quickly show a sample here to give a complete tutorial. NOTE: This is just a quick sample of creating certs and not intended for production.

### Keybase proof
I hereby claim:
* I am maus- on github.
* I am maus (https://keybase.io/maus) on keybase.
* I have a public key ASCo5fum0gAHBh3riuQ-RH1ViqyF2P0F0Ne7zqMpQFsXrAo
To claim this, I am signing this object:
adlfkjasdf
@maus-
maus- / gist:aaba8b03f7ea0ac6c11b
Created February 24, 2015 00:05
osquery.conf
{
"options": {
"osquery_log_dir": "/var/log/osquery",
"db_path": "/tmp/osquery.db",
"pidfile": "/var/run/osquery.pid",
"lockfile": "/var/lock/subsys/osquery",
"config_retriever": "filesystem",
"debug": "false",
"disable_logging": "false",
"event_pubsub": "true",
@maus-
maus- / gist:65369061eddac43b08b3
Created January 7, 2015 20:01
rpm -qpiR osquery-1.2.2-112-gdbb7050-Linux.rpm
Name : osquery Relocations: /usr
Version : 1.2.2_112_gdbb7050 Vendor: facebook
Release : 1 Build Date: Wed 07 Jan 2015 06:14:28 PM UTC
Install Date: (not installed) Build Host: localhost
Group : unknown Source RPM: osquery-1.2.2_112_gdbb7050-1.src.rpm
Size : 21348299 License: unknown
Signature : (none)
Summary : osquery is an operating system instrumentation toolchain.
Description :
DESCRIPTION
Name : osquery Relocations: /usr
Version : 1.2.2 Vendor: facebook
Release : 1 Build Date: Wed 17 Dec 2014 10:05:51 PM UTC
Install Date: (not installed) Build Host: localhost
Group : unknown Source RPM: osquery-1.2.2-1.src.rpm
Size : 42855982 License: unknown
Signature : (none)
Summary : osquery is an operating system instrumentation toolchain.
Description :
DESCRIPTION
@maus-
maus- / osquery
Created December 19, 2014 01:13
osquery init script for centos
#!/bin/sh
#
# osqueryd Start/Stop the osquery daemon.
#
# chkconfig: 2345 90 60
# Description:
# With osquery, you can use SQL to query low-level
# operating system information. Under the hood, instead
# of querying static tables, these queries dynamically execute
# high-performance native code. The results of the
@maus-
maus- / gist:0dca6f41a3611f9c44f5
Last active August 29, 2015 14:07
Sane design patterns for chef data bags. Nice and modular. Using my fork of the splunk cookbook (pull request pending)
#-----------------------------------------------------
# So I've noticed there isn't a lot of consistency
# when it comes to managing data bags in chef, primarily one
# dev will prefer encrypted data bags, another will
# want to use plaintext and others chef-vault.
# This method of abstracting out data retrieval and
# making these methods attribute driven grants devs
# flexibility without having to later refactor for a more
# secure method of data retrieval. Errybody wins
# Here's an example soon to be attached in a pull request
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
</command>
<active-response>
<command>firewall-drop</command>
<location>all</location>
<rules_id>5719,5712</rules_id>
@maus-
maus- / msfbuild.sh
Last active August 29, 2015 14:03
MSF Installer on Ubuntu 12.04-14.04 works well with vagrant boxes
#!/bin/bash
# I CAN MSF AND SO CAN YOU
LOLPASSWORD=$(strings /dev/urandom | grep -o '[[:alnum:]]' | head -n 32 | tr -d '\n'; echo)
LOLPASSWORDTESTUSER=$(strings /dev/urandom | grep -o '[[:alnum:]]' | head -n 32 | tr -d '\n'; echo)
RUBY_VERSION="ruby-1.9.3-p547"
MSFPATH="/opt/msf"
install_deps () {
apt-get update;
# Obviously more than MSF.