Question Regarding Adding SSL to Interface

[IMcPwn]

I found a tutorial for adding SSL to the Wifi Pineapple Mark V. https://github.com/hak5/wifipineapple-wiki/blob/gh-pages/add_ssl.md

To my knowledge this does not work on the Nano.

First issue appears when installing with the --dest usb option.

 * resolve_pkg_dest_list: Unknown dest name: `usb'.

I figured this was for the SD card and installed it without that parameter, no errors.

The Nginx configuration part does not work at all though following the configuration exactly. I've never used nginx before so I'm unfamilar how to fix

nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /etc/nginx/nginx.conf:61

My exact configuration is (yes the certs are valid and exist)

user root root;

worker_processes 1;



events {
worker_connections 1024;
}


http {
include mime.types;
index index.php index.html index.htm;
default_type text/html;

sendfile on;
keepalive_timeout 65;
gzip on;

gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.0;
gzip_comp_level 2;
gzip_types text/plain application/x-javascript text/css application/xml;
gzip_vary on;
server {
listen 80; # Port, make sure it is not in conflict with another http daemon.
server_name www; # Change this, reference -> http://nginx.org/en/docs/http/server_names.html
error_page 404 =200 /index.php;
error_log /dev/null;
access_log /dev/null;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 32k;
fastcgi_buffers 4 32k;
fastcgi_busy_buffers_size 32k;
fastcgi_temp_file_write_size 32k;
client_body_timeout 10;
client_header_timeout 10;
send_timeout 60; # 60 sec should be enough, if experiencing alof of timeouts, increase this.
output_buffers 1 32k;
postpone_output 1460;

root /www/; # Your document root, where all public material is.

location ~ \.php$ {
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

if (-f $request_filename) {
# Only throw it at PHP-FPM if the file exists (prevents some PHP exploits)
fastcgi_pass unix:/var/run/php5-fpm.sock; # The upstream determined above
}
}
error_page 404 =200 /index.php;
}

server {
listen 1471 ssl; # Port, make sure it is not in conflict with another http daemon.
server_name pineapple; # Change this, reference -> http://nginx.org/en/docs/http/server_names.html
ssl_certificate /etc/ssl/certs/server.pem;
ssl_certificate_key /etc/ssl/certs/server.key;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;

error_page 404 =200 /index.php;
error_log /dev/null;
access_log /dev/null;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 32k;
fastcgi_buffers 4 32k;
fastcgi_busy_buffers_size 32k;
fastcgi_temp_file_write_size 32k;
client_body_timeout 10;
client_header_timeout 10;
send_timeout 60; # 60 sec should be enough, if experiencing alof of timeouts, increase this.
output_buffers 1 32k;
postpone_output 1460;

root /pineapple/; # Your document root, where all public material is.
add_header 'Cache-Control' 'must-revalidate';

location ~ \.php$ {
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

if (-f $request_filename) {
# Only throw it at PHP-FPM if the file exists (prevents some PHP exploits)
fastcgi_pass unix:/var/run/php5-fpm.sock; # The upstream determined above
}
}
}
}

So far loving the hardware and UI, thanks Hak5!

[IMcPwn]

By the way, some paths in running

nginx -V

seem invalid.

root@Pineapple:/etc/nginx# nginx -V
nginx version: nginx/1.4.7
built by gcc 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r46581)
configure arguments: --crossbuild=Linux::mips --prefix=/usr --conf-path=/etc/nginx/nginx.conf --add-module=/home/sebkinne/raid/hak5/pineapple/nano-firmware/build_dir/target-mips_34kc_uClibc-0.9.33.2/nginx-1.4.7/nginx-naxsi/naxsi_src --without-http-cache --add-module=/home/sebkinne/raid/hak5/pineapple/nano-firmware/build_dir/target-mips_34kc_uClibc-0.9.33.2/nginx-1.4.7/nginx-syslog --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --with-cc=mips-openwrt-linux-uclibc-gcc --with-cc-opt='-I/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/target-mips_34kc_uClibc-0.9.33.2/usr/include -I/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/target-mips_34kc_uClibc-0.9.33.2/include -I/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/usr/include -I/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/include -Os -pipe -mno-branch-likely -mips32r2 -mtune=34kc -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -msoft-float -mips16 -minterlink-mips16' --with-ld-opt='-L/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/target-mips_34kc_uClibc-0.9.33.2/usr/lib -L/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/target-mips_34kc_uClibc-0.9.33.2/lib -L/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/usr/lib -L/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/lib'

Specifically /home/sebkinne which doesn't exist :)

[Sebkinne]

Hi IMcPwn,

The firmware is still in development, and there are some things that are not completed yet. One of which is nginx's SSL support.

Regarding the path, those are just compile time options - the path is absolutely correct. Doesn't influence the runtime at all ;)

Also, it's "--dest sd" for the WiFi Pineapple if an SD card is inserted.

Best Regards,

Sebkinne

[IMcPwn]

Thanks!

[sud0nick]

Just so you know IMcPwn, I am currently working on a module that will allow you to create and manage SSL/TLS certificates. Part of the functionality will be an automatic upgrade of the Pineapple interface to SSL. I have it working on the MKV but need to wait until I get my Tetra to start working on the front end so I can release it.

[IMcPwn]

Sounds great! Thanks for the notice!

[simonec]

I am wondering if Aardwolf Ambulance is helping also over this. Are we able to add HTTPS to the Management Web Site, yet? If not, when should we be able to?

Thank you!

[sud0nick]

Not yet. Once it's available in the next firmware update/release my module Papers will be released and you can easily add HTTPS that way.

Edited January 26, 2016 by sud0nick