
Question Regarding Adding SSL to Interface


IMcPwn


I found a tutorial for adding SSL to the Wifi Pineapple Mark V. https://github.com/hak5/wifipineapple-wiki/blob/gh-pages/add_ssl.md

To my knowledge this does not work on the Nano.

First issue appears when installing with the --dest usb option.

 * resolve_pkg_dest_list: Unknown dest name: `usb'.

I figured this was for the SD card and installed it without that parameter, no errors.

The Nginx configuration part does not work at all though following the configuration exactly. I've never used nginx before so I'm unfamiliar with how to fix this:

nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /etc/nginx/nginx.conf:61

My exact configuration is (yes the certs are valid and exist)

user root root;

worker_processes 1;



events {
    worker_connections 1024;
}


http {
    include mime.types;
    index index.php index.html index.htm;
    default_type text/html;

    sendfile on;
    keepalive_timeout 65;
    gzip on;

    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;
    server {
        listen 80; # Port, make sure it is not in conflict with another http daemon.
        server_name www; # Change this, reference -> http://nginx.org/en/docs/http/server_names.html
        error_page 404 =200 /index.php;
        error_log /dev/null;
        access_log /dev/null;
        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        fastcgi_buffer_size 32k;
        fastcgi_buffers 4 32k;
        fastcgi_busy_buffers_size 32k;
        fastcgi_temp_file_write_size 32k;
        client_body_timeout 10;
        client_header_timeout 10;
        send_timeout 60; # 60 sec should be enough, if experiencing a lot of timeouts, increase this.
        output_buffers 1 32k;
        postpone_output 1460;

        root /www/; # Your document root, where all public material is.

        location ~ \.php$ {
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

            if (-f $request_filename) {
                # Only throw it at PHP-FPM if the file exists (prevents some PHP exploits)
                fastcgi_pass unix:/var/run/php5-fpm.sock; # The upstream determined above
            }
        }
        error_page 404 =200 /index.php;
    }

    server {
        listen 1471 ssl; # Port, make sure it is not in conflict with another http daemon.
        server_name pineapple; # Change this, reference -> http://nginx.org/en/docs/http/server_names.html
        ssl_certificate /etc/ssl/certs/server.pem;
        ssl_certificate_key /etc/ssl/certs/server.key;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;

        error_page 404 =200 /index.php;
        error_log /dev/null;
        access_log /dev/null;
        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        fastcgi_buffer_size 32k;
        fastcgi_buffers 4 32k;
        fastcgi_busy_buffers_size 32k;
        fastcgi_temp_file_write_size 32k;
        client_body_timeout 10;
        client_header_timeout 10;
        send_timeout 60; # 60 sec should be enough, if experiencing a lot of timeouts, increase this.
        output_buffers 1 32k;
        postpone_output 1460;

        root /pineapple/; # Your document root, where all public material is.
        add_header 'Cache-Control' 'must-revalidate';

        location ~ \.php$ {
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

            if (-f $request_filename) {
                # Only throw it at PHP-FPM if the file exists (prevents some PHP exploits)
                fastcgi_pass unix:/var/run/php5-fpm.sock; # The upstream determined above
            }
        }
    }
}

So far loving the hardware and UI, thanks Hak5!


By the way, some paths in running nginx -V seem invalid.

root@Pineapple:/etc/nginx# nginx -V
nginx version: nginx/1.4.7
built by gcc 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r46581)
configure arguments: --crossbuild=Linux::mips --prefix=/usr --conf-path=/etc/nginx/nginx.conf --add-module=/home/sebkinne/raid/hak5/pineapple/nano-firmware/build_dir/target-mips_34kc_uClibc-0.9.33.2/nginx-1.4.7/nginx-naxsi/naxsi_src --without-http-cache --add-module=/home/sebkinne/raid/hak5/pineapple/nano-firmware/build_dir/target-mips_34kc_uClibc-0.9.33.2/nginx-1.4.7/nginx-syslog --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --with-cc=mips-openwrt-linux-uclibc-gcc --with-cc-opt='-I/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/target-mips_34kc_uClibc-0.9.33.2/usr/include -I/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/target-mips_34kc_uClibc-0.9.33.2/include -I/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/usr/include -I/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/include -Os -pipe -mno-branch-likely -mips32r2 -mtune=34kc -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -msoft-float -mips16 -minterlink-mips16' --with-ld-opt='-L/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/target-mips_34kc_uClibc-0.9.33.2/usr/lib -L/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/target-mips_34kc_uClibc-0.9.33.2/lib -L/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/usr/lib -L/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/lib'

Specifically /home/sebkinne which doesn't exist :)


Hi IMcPwn,

The firmware is still in development, and there are some things that are not completed yet. One of which is nginx's SSL support.

Regarding the path, those are just compile time options - the path is absolutely correct. Doesn't influence the runtime at all ;)

Also, it's "--dest sd" for the WiFi Pineapple if an SD card is inserted.

Best Regards,

Sebkinne
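
The reply above attributes the error to missing SSL support in this firmware's nginx, which matches the `nginx -V` output earlier in the thread: `--with-http_ssl_module` is not among the configure arguments. The following is an added example, not part of the original thread or of the Hak5 firmware, that checks for that flag and lists the `listen ... ssl` lines that would trigger the `[emerg]` error; the function names and the sample data are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check before adding "listen ... ssl" to nginx.conf.
# Function names and the sample data are hypothetical / constructed.

# Constructed sample: abbreviated `nginx -V` output shaped like the one in
# this thread (no --with-http_ssl_module among the configure arguments).
SAMPLE_V='nginx version: nginx/1.4.7
configure arguments: --crossbuild=Linux::mips --prefix=/usr --conf-path=/etc/nginx/nginx.conf --without-http-cache'

# Constructed sample: minimal config with one plain and one SSL listener.
SAMPLE_CONF='http {
    server {
        listen 80;
    }
    server {
        listen 1471 ssl;
        ssl_certificate /etc/ssl/certs/server.pem;
    }
}'

# Succeeds only if the `nginx -V` text in $1 lists --with-http_ssl_module.
has_ssl_module() {
    printf '%s\n' "$1" | grep -q -e '--with-http_ssl_module'
}

# Prints "LINE: directive" for each listen directive in the config text $1
# that carries the ssl parameter (comments after the semicolon are dropped).
ssl_listen_lines() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*listen[ \t]+[^;#]*[ \t]ssl[ \t;]/ {
            sub(/^[ \t]+/, ""); sub(/;.*$/, ";"); print NR ": " $0
        }'
}

# Returns 1 and names the offending lines when the config asks for SSL but
# the binary cannot provide it; returns 0 otherwise.
preflight() {
    has_ssl_module "$1" && return 0
    _hits=$(ssl_listen_lines "$2")
    [ -z "$_hits" ] && return 0
    echo "nginx lacks ngx_http_ssl_module; these listen lines will fail:" >&2
    echo "$_hits" >&2
    return 1
}

# On the device: preflight "$(nginx -V 2>&1)" "$(cat /etc/nginx/nginx.conf)"
preflight "$SAMPLE_V" "$SAMPLE_CONF" || echo "sample build cannot serve SSL"
```

`nginx -V` writes to stderr, hence the `2>&1` in the on-device invocation shown in the last comment.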


  • 2 weeks later...

Just so you know IMcPwn, I am currently working on a module that will allow you to create and manage SSL/TLS certificates. Part of the functionality will be an automatic upgrade of the Pineapple interface to SSL. I have it working on the MKV but need to wait until I get my Tetra to start working on the front end so I can release it.
