Enabling DHE cipher on nginx (for IE 11 compatibility)

# generated 2020-10-27, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.0.2k, intermediate configuration, no HSTS, no OCSP
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.0.2k&hsts=false&ocsp=false&guideline=5.6

ssl_dhparam /path/to/dhparam;

# intermediate configuration
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

To add support for IE 11 on Windows 7 / 8.1, append the following ciphers to the ssl_ciphers list:

ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384

Note that ssl_dhparam is a must for nginx to actually offer the DHE ciphers (nginx 1.11.0 and later ship no built-in DH parameters, so without it the DHE suites are silently never negotiated), oopsie…

Forward traffic (filtered by source IP and destination port) to another public IP

Check it on Gist: https://gist.github.com/richardevs/355d24b25f6c19b698b7134504843dc6

# run all these on the bastion vm
# iptables cannot directly route traffic to a public ip (in my test)
# so I insert socat here to get the job done

iptables -t nat -F # flush all current NAT rules (be careful)
iptables -t nat -A PREROUTING -s 1.1.1.1 -p tcp --dport 443 -j DNAT --to-destination :4433 # all traffic to port 443 from 1.1.1.1 gets redirected to local port 4433
iptables -t nat -A POSTROUTING -j MASQUERADE # let iptables do the NAT work
iptables -t nat -nL # double-check that the rules are listed correctly

nohup socat TCP4-LISTEN:4433,reuseaddr,fork TCP4:2.2.2.2:443 & # use socat to forward traffic to the final destination, 2.2.2.2:443 in this demo

【GPG Key Rotation Notice】

– 330CDE83C3337CEADA44CE70BB180B9415CDC81B has ceased operation and a revocation has been submitted
– Superseded by 8C095E600D83C696586E0BAAF41C815ACDD22938
– The old and new keys are cross-signed
– Keybase has been updated with the new information
– The new key signs mainly with a SubKey; the SubKey has a 4-year validity period, while the MasterKey never expires

Lately I feel like I am being scanned; the TCP communication pattern is always the same:

SYN -> PUSH -> FIN

Comparing this with normal communication, I find that normal traffic carries OPTIONS in every TCP packet, rather than only in the SYN packet as here, and this OPTIONS value never changes. I wonder whether this OPTIONS value could be used as a filtering parameter.

Flags [S], seq 1799944867, win 65535, options [mss 1440,nop,nop,sackOK,nop,wscale 8], length 0
Flags [.], ack 4104578379, win 16384, length 0
Flags [P.], seq 0:32, ack 1, win 517, length 32
Flags [.], ack 2, win 517, length 0
Flags [F.], seq 205, ack 2, win 517, length 0
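As an added example (not code from the post), a small Python detector that applies the observation above to tcpdump-style lines: it flags flows with the SYN -> PUSH -> FIN shape whose only TCP options sit on the SYN, and reports option strings that repeat across such flows. SCAN_FLOW is the quoted capture; NORMAL_FLOW is a constructed ordinary session used only for contrast.

```python
import re
from collections import Counter

# Constructed sample data: SCAN_FLOW reproduces the segments quoted in the
# post, NORMAL_FLOW is a made-up ordinary client session for contrast.
SCAN_FLOW = """\
Flags [S], seq 1799944867, win 65535, options [mss 1440,nop,nop,sackOK,nop,wscale 8], length 0
Flags [.], ack 4104578379, win 16384, length 0
Flags [P.], seq 0:32, ack 1, win 517, length 32
Flags [.], ack 2, win 517, length 0
Flags [F.], seq 205, ack 2, win 517, length 0
"""
NORMAL_FLOW = """\
Flags [S], seq 1, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
Flags [.], ack 1, win 502, options [nop,nop,TS val 2 ecr 1], length 0
Flags [P.], seq 1:100, ack 1, win 502, options [nop,nop,TS val 3 ecr 1], length 99
Flags [.], ack 200, win 501, options [nop,nop,TS val 4 ecr 2], length 0
Flags [P.], seq 100:150, ack 200, win 501, options [nop,nop,TS val 5 ecr 2], length 50
Flags [F.], seq 150, ack 300, win 501, options [nop,nop,TS val 6 ecr 3], length 0
"""

def parse_flow(text):
    """Turn tcpdump-style lines into (flags, options-or-None) tuples."""
    segments = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flags = re.search(r"Flags \[([^\]]*)\]", line).group(1)
        opts = re.search(r"options \[([^\]]*)\]", line)
        segments.append((flags, opts.group(1) if opts else None))
    return segments

def scan_fingerprint(flow):
    """Return the SYN option string when the flow has the shape from the post
    (SYN -> one PUSH -> FIN, options only on the SYN), otherwise None."""
    if not flow or "S" not in flow[0][0] or flow[0][1] is None:
        return None
    rest = flow[1:]
    one_push = sum("P" in flags for flags, _ in rest) == 1
    has_fin = any("F" in flags for flags, _ in rest)
    later_opts = any(opts is not None for _, opts in rest)
    return flow[0][1] if one_push and has_fin and not later_opts else None

def recurring_fingerprints(flows, min_count=2):
    """Option strings shared by min_count or more matching flows: the
    'never changes' value from the post as a triage key (easy for the sender
    to vary, so use it for review, not as a hard block rule)."""
    hits = Counter(fp for fp in map(scan_fingerprint, flows) if fp)
    return {fp: n for fp, n in hits.items() if n >= min_count}
```

Feed it one parsed flow per TCP connection (split a real capture by 5-tuple first); anything returned by recurring_fingerprints is a candidate value to review, not proof of scanning on its own.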