diff --git a/labs/lab11/analysis/headers-http.txt b/labs/lab11/analysis/headers-http.txt new file mode 100644 index 00000000..caf08437 --- /dev/null +++ b/labs/lab11/analysis/headers-http.txt @@ -0,0 +1,14 @@ +HTTP/1.1 308 Permanent Redirect +Server: nginx +Date: Mon, 03 Nov 2025 20:57:19 GMT +Content-Type: text/html +Content-Length: 164 +Connection: keep-alive +Location: https://localhost:8443/ +X-Frame-Options: DENY +X-Content-Type-Options: nosniff +Referrer-Policy: strict-origin-when-cross-origin +Permissions-Policy: camera=(), geolocation=(), microphone=() +Cross-Origin-Opener-Policy: same-origin +Cross-Origin-Resource-Policy: same-origin +Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' diff --git a/labs/lab11/analysis/headers-https.txt b/labs/lab11/analysis/headers-https.txt new file mode 100644 index 00000000..5aa17d12 --- /dev/null +++ b/labs/lab11/analysis/headers-https.txt @@ -0,0 +1,20 @@ +HTTP/2 200 +server: nginx +date: Mon, 03 Nov 2025 20:57:35 GMT +content-type: text/html; charset=UTF-8 +content-length: 75002 +feature-policy: payment 'self' +x-recruiting: /#/jobs +accept-ranges: bytes +cache-control: public, max-age=0 +last-modified: Mon, 03 Nov 2025 20:54:59 GMT +etag: W/"124fa-19a4b806d51" +vary: Accept-Encoding +strict-transport-security: max-age=31536000; includeSubDomains; preload +x-frame-options: DENY +x-content-type-options: nosniff +referrer-policy: strict-origin-when-cross-origin +permissions-policy: camera=(), geolocation=(), microphone=() +cross-origin-opener-policy: same-origin +cross-origin-resource-policy: same-origin +content-security-policy-report-only: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' diff --git a/labs/lab11/analysis/rate-limit-test.txt b/labs/lab11/analysis/rate-limit-test.txt new file mode 100644 index 00000000..aec8f668 
--- /dev/null +++ b/labs/lab11/analysis/rate-limit-test.txt @@ -0,0 +1,12 @@ +401 +401 +401 +401 +401 +401 +429 +429 +429 +429 +429 +429 diff --git a/labs/lab11/analysis/testssl.txt b/labs/lab11/analysis/testssl.txt new file mode 100644 index 00000000..0e2fc8cd --- /dev/null +++ b/labs/lab11/analysis/testssl.txt 
@@ -0,0 +1,225 @@ +##################################################################### + testssl.sh version 3.2.2 from https://testssl.sh/ + + This program is free software. Distribution and modification under + GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! + + Please file bugs @ https://testssl.sh/bugs/ +##################################################################### + + Using OpenSSL 1.0.2-bad (Mar 28 2025) [~183 ciphers] + on fad5bba9a81b:/home/testssl/bin/openssl.Linux.x86_64 + + Start 2025-11-03 21:01:11 -->> 192.168.65.254:8443 (host.docker.internal) <<-- + + Further IP addresses: fdc4:f303:9324::254 + rDNS (192.168.65.254): -- + Service detected: HTTP + + Testing protocols via sockets except NPN+ALPN + + SSLv2 not offered (OK) + SSLv3 not offered (OK) + TLS 1 not offered + TLS 1.1 not offered + TLS 1.2 offered (OK) + TLS 1.3 offered (OK): final + NPN/SPDY not offered + ALPN/HTTP2 h2, http/1.1 (offered) + + Testing cipher categories + + NULL ciphers (no encryption) not offered (OK) + Anonymous NULL Ciphers (no authentication) not offered (OK) + Export ciphers (w/o ADH+NULL) not offered (OK) + LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK) + Triple DES Ciphers / IDEA not offered + Obsoleted CBC ciphers (AES, ARIA etc.) not offered + Strong encryption (AEAD ciphers) with no FS not offered + Forward Secrecy strong encryption (AEAD ciphers) offered (OK) + + + Testing server's cipher preferences + +Hexcode Cipher Suite Name (OpenSSL) KeyExch. 
Encryption Bits Cipher Suite Name (IANA/RFC) +----------------------------------------------------------------------------------------------------------------------------- +SSLv2 + - +SSLv3 + - +TLSv1 + - +TLSv1.1 + - +TLSv1.2 (server order) + xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 +TLSv1.3 (server order) + x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384 + x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 + x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256 + + Has server cipher order? yes (OK) -- TLS 1.3 and below + + + Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4 + + FS is offered (OK) TLS_AES_256_GCM_SHA384 + TLS_CHACHA20_POLY1305_SHA256 + ECDHE-RSA-AES256-GCM-SHA384 + TLS_AES_128_GCM_SHA256 + ECDHE-RSA-AES128-GCM-SHA256 + Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 X448 + Finite field group: ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192 + TLS 1.2 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 + RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 + RSA+SHA512 RSA+SHA224 + TLS 1.3 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 + RSA-PSS-RSAE+SHA512 + + Testing server defaults (Server Hello) + + TLS extensions (standard) "server name/#0" "max fragment length/#1" + "supported_groups/#10" "EC point formats/#11" + "application layer protocol negotiation/#16" + "extended master secret/#23" "session ticket/#35" + "supported versions/#43" "key share/#51" + "renegotiation info/#65281" + Session Ticket RFC 5077 hint 600 seconds, session tickets keys seems to be rotated < daily + SSL Session ID support yes + Session Resumption Tickets: yes, ID: yes + TLS clock skew Random values, no fingerprinting possible + Certificate Compression none + Client Authentication none + 
Signature Algorithm SHA256 with RSA + Server key size RSA 2048 bits (exponent is 65537) + Server key usage -- + Server extended key usage -- + Serial 15ECBD98D2847CC46619AD8FFD52040B9CD4718D (OK: length 20) + Fingerprints SHA1 404D7517DAF3A4C63748CDF87FE4BCCDC0BB7615 + SHA256 EB970983500361B6777449C3AC8CE37F9A8D47ACF7A26E4AFA584B747F3721F0 + Common Name (CN) localhost + subjectAltName (SAN) localhost 127.0.0.1 0:0:0:0:0:0:0:1 + Trust (hostname) certificate does not match supplied URI (same w/o SNI) + Chain of trust NOT ok (self signed) + EV cert (experimental) no + Certificate Validity (UTC) 364 >= 60 days (2025-11-03 20:54 --> 2026-11-03 20:54) + ETS/"eTLS", visibility info not present + Certificate Revocation List -- + OCSP URI -- + NOT ok -- neither CRL nor OCSP URI provided + OCSP stapling not offered + OCSP must staple extension -- + DNS CAA RR (experimental) not offered + Certificate Transparency -- + Certificates provided 1 + Issuer localhost + Intermediate Bad OCSP (exp.) Ok + + + Testing HTTP header response @ "/" + + HTTP Status Code 200 OK + HTTP clock skew 0 sec from localtime + Strict Transport Security 365 days=31536000 s, includeSubDomains, preload + Public Key Pinning -- + Server banner nginx + Application banner -- + Cookie(s) (none issued at "/") + Security headers X-Frame-Options: DENY + X-Content-Type-Options: nosniff + Content-Security-Policy-Report-Only: default-src + 'self'; img-src 'self' data:; script-src 'self' + 'unsafe-inline' 'unsafe-eval'; style-src 'self' + 'unsafe-inline' + Permissions-Policy: camera=(), geolocation=(), + microphone=() + Cross-Origin-Opener-Policy: same-origin + Cross-Origin-Resource-Policy: same-origin + Permissions-Policy: camera=(), geolocation=(), + microphone=() + Referrer-Policy: strict-origin-when-cross-origin + Cache-Control: public, max-age=0 + Reverse Proxy banner -- + + + Testing vulnerabilities + + Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension + CCS (CVE-2014-0224) not vulnerable 
(OK) + Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK) + ROBOT Server does not support any cipher suites that use RSA key transport + Secure Renegotiation (RFC 5746) supported (OK) + Secure Client-Initiated Renegotiation not vulnerable (OK) + CRIME, TLS (CVE-2012-4929) not vulnerable (OK) + BREACH (CVE-2013-3587) no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested + POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support + TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered + SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK) + FREAK (CVE-2015-0204) not vulnerable (OK) + DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) + make sure you don't use this certificate elsewhere with SSLv2 enabled services, see + https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=EB970983500361B6777449C3AC8CE37F9A8D47ACF7A26E4AFA584B747F3721F0 + LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 + BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1 + LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK) + Winshock (CVE-2014-6321), experimental not vulnerable (OK) + RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) + + + Running client simulations (HTTP) via sockets + + Browser Protocol Cipher Suite Name (OpenSSL) Forward Secrecy +------------------------------------------------------------------------------------------------ + Android 7.0 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 253 bit ECDH (X25519) + Android 9.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Android 10.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Android 11/12 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Android 13/14 (native) TLSv1.3 
TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Android 15 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Chrome 101 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Chromium 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Firefox 100 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Firefox 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + IE 8 Win 7 No connection + IE 11 Win 7 No connection + IE 11 Win 8.1 No connection + IE 11 Win Phone 8.1 No connection + IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 253 bit ECDH (X25519) + Edge 101 Win 10 21H2 TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Edge 133 Win 11 23H2 TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Safari 18.4 (iOS 18.4) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Safari 15.4 (macOS 12.3.1) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Safari 18.4 (macOS 15.4) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Java 7u25 No connection + Java 8u442 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 256 bit ECDH (P-256) + Java 17.0.3 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Java 21.0.6 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + go 1.17.8 TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + LibreSSL 3.3.6 (macOS) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + OpenSSL 3.0.15 (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + OpenSSL 3.5.0 (git) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Apple Mail (16.0) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + Thunderbird (91.9) TLSv1.3 TLS_AES_256_GCM_SHA384 253 
bit ECDH (X25519) + + + Rating (experimental) + + Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16) + Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide + Protocol Support (weighted) 0 (0) + Key Exchange (weighted) 0 (0) + Cipher Strength (weighted) 0 (0) + Final Score 0 + Overall Grade T + Grade cap reasons Grade capped to T. Issues with chain of trust + (self signed) + Grade capped to + M. Domain name mismatch + + Done 2025-11-03 21:02:45 [ 107s] -->> 192.168.65.254:8443 (host.docker.internal) <<-- \ No newline at end of file diff --git a/labs/lab11/logs/access.log b/labs/lab11/logs/access.log new file mode 100644 index 00000000..d706070c --- /dev/null +++ b/labs/lab11/logs/access.log 
@@ -0,0 +1,26 @@ +172.18.0.1 - - [03/Nov/2025:20:55:14 +0000] "GET / HTTP/1.1" 308 164 "-" "curl/8.7.1" rt=0.000 uct=- urt=- +172.18.0.1 - - [03/Nov/2025:20:55:23 +0000] "GET / HTTP/1.1" 308 164 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0.1 Safari/605.1.15" rt=0.000 uct=- urt=- +172.18.0.1 - - [03/Nov/2025:20:55:24 +0000] "GET / HTTP/1.1" 308 164 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0.1 Safari/605.1.15" rt=0.000 uct=- urt=- +172.18.0.1 - - [03/Nov/2025:20:55:31 +0000] "GET / HTTP/1.1" 308 164 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0.1 Safari/605.1.15" rt=0.000 uct=- urt=- +172.18.0.1 - - [03/Nov/2025:20:57:19 +0000] "HEAD / HTTP/1.1" 308 0 "-" "curl/8.7.1" rt=0.000 uct=- urt=- +172.18.0.1 - - [03/Nov/2025:20:57:35 +0000] "HEAD / HTTP/2.0" 200 0 "-" "curl/8.7.1" rt=0.030 uct=0.003 urt=0.030 +172.18.0.1 - - [03/Nov/2025:20:58:50 +0000] "GET / HTTP/1.1" 200 75002 "-" "TLS tester from https://testssl.sh/" rt=0.008 uct=0.001 urt=0.008 +172.18.0.1 - - [03/Nov/2025:20:59:40 +0000] "GET / HTTP/1.1" 200 75002 "-" "TLS tester from https://testssl.sh/" rt=0.005 uct=0.002 urt=0.006 +172.18.0.1 - - [03/Nov/2025:20:59:41 +0000] "GET / HTTP/1.1" 200 75002 "-" "TLS tester from https://testssl.sh/" rt=0.002 uct=0.000 urt=0.001 +172.18.0.1 - - [03/Nov/2025:20:59:51 +0000] "GET / HTTP/1.1" 200 75002 "https://google.com/" "TLS tester from https://testssl.sh/" rt=0.004 uct=0.002 urt=0.004 +172.18.0.1 - - [03/Nov/2025:21:01:12 +0000] "GET / HTTP/1.1" 200 75002 "-" "TLS tester from https://testssl.sh/" rt=0.005 uct=0.000 urt=0.005 +172.18.0.1 - - [03/Nov/2025:21:02:03 +0000] "GET / HTTP/1.1" 200 75002 "-" "TLS tester from https://testssl.sh/" rt=0.005 uct=0.000 urt=0.004 +172.18.0.1 - - [03/Nov/2025:21:02:04 +0000] "GET / HTTP/1.1" 200 75002 "-" "TLS tester from https://testssl.sh/" rt=0.002 
uct=0.000 urt=0.002 +172.18.0.1 - - [03/Nov/2025:21:02:14 +0000] "GET / HTTP/1.1" 200 75002 "https://google.com/" "TLS tester from https://testssl.sh/" rt=0.003 uct=0.000 urt=0.003 +172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 200 26 "-" "curl/8.7.1" rt=0.065 uct=0.003 urt=0.065 +172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 200 26 "-" "curl/8.7.1" rt=0.009 uct=0.000 urt=0.009 +172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 200 26 "-" "curl/8.7.1" rt=0.009 uct=0.000 urt=0.008 +172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 200 26 "-" "curl/8.7.1" rt=0.011 uct=0.000 urt=0.011 +172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 200 26 "-" "curl/8.7.1" rt=0.011 uct=0.000 urt=0.010 +172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 200 26 "-" "curl/8.7.1" rt=0.006 uct=0.000 urt=0.007 +172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.7.1" rt=0.000 uct=- urt=- +172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.7.1" rt=0.000 uct=- urt=- +172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.7.1" rt=0.000 uct=- urt=- +172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.7.1" rt=0.000 uct=- urt=- +172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.7.1" rt=0.000 uct=- urt=- +172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.7.1" rt=0.000 uct=- urt=- diff --git a/labs/lab11/logs/error.log b/labs/lab11/logs/error.log new file mode 100644 index 00000000..5518924c --- /dev/null +++ b/labs/lab11/logs/error.log 
@@ -0,0 +1,108 @@ +2025/11/03 20:58:50 [crit] 31#31: *15 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:00 [crit] 34#34: *49 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:00 [crit] 34#34: *50 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:01 [crit] 32#32: *51 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:01 [crit] 32#32: *52 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:03 [crit] 32#32: *59 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:04 [crit] 32#32: *60 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:04 [crit] 32#32: *61 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:05 [crit] 32#32: *62 SSL_do_handshake() failed (SSL: error:0A00010B:SSL 
routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:06 [crit] 32#32: *64 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:07 [crit] 32#32: *65 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:08 [crit] 35#35: *69 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:08 [crit] 35#35: *70 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:09 [crit] 35#35: *71 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:11 [crit] 35#35: *78 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:11 [crit] 35#35: *79 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:13 [crit] 35#35: *82 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, 
client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:13 [crit] 37#37: *83 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:14 [crit] 37#37: *84 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:15 [crit] 37#37: *85 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:15 [crit] 37#37: *86 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:17 [crit] 37#37: *88 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:19 [crit] 37#37: *89 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:20 [crit] 37#37: *90 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:30 [crit] 31#31: *105 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:34 [crit] 31#31: *111 SSL_do_handshake() failed 
(SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:37 [crit] 30#30: *118 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:57 [crit] 36#36: *143 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:58 [crit] 36#36: *144 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 20:59:59 [crit] 36#36: *145 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:00:00 [crit] 36#36: *146 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:00:00 [crit] 36#36: *147 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:00:01 [crit] 36#36: *148 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:00:02 [crit] 36#36: *149 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer 
failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:00:03 [crit] 33#33: *150 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:00:03 [crit] 33#33: *151 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:00:08 [crit] 33#33: *158 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:00:09 [crit] 33#33: *159 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:00:09 [crit] 33#33: *160 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:00:10 [crit] 33#33: *161 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:00:11 [crit] 33#33: *162 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:00:12 [crit] 33#33: *164 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:00:13 [crit] 
33#33: *165 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:00:14 [crit] 34#34: *166 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:00:14 [crit] 34#34: *167 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:00:15 [crit] 34#34: *168 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:00:16 [crit] 34#34: *169 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:00:17 [crit] 34#34: *171 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:00:18 [crit] 34#34: *172 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:00:19 [crit] 34#34: *173 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:00:20 [crit] 34#34: *175 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number 
error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:11 [crit] 34#34: *177 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:22 [crit] 35#35: *211 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:22 [crit] 35#35: *212 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:23 [crit] 35#35: *213 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:24 [crit] 35#35: *214 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:26 [crit] 37#37: *221 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:26 [crit] 37#37: *222 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:27 [crit] 37#37: *223 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 
0.0.0.0:8443 +2025/11/03 21:01:28 [crit] 37#37: *224 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:29 [crit] 37#37: *226 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:30 [crit] 37#37: *227 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:31 [crit] 31#31: *231 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:31 [crit] 31#31: *232 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:32 [crit] 31#31: *233 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:34 [crit] 31#31: *240 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:34 [crit] 31#31: *241 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:36 [crit] 31#31: *244 SSL_do_handshake() failed (SSL: error:0A00010B:SSL 
routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:36 [crit] 31#31: *245 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:37 [crit] 31#31: *246 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:38 [crit] 30#30: *247 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:38 [crit] 30#30: *248 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:40 [crit] 30#30: *250 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:42 [crit] 30#30: *251 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:43 [crit] 30#30: *252 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:52 [crit] 36#36: *267 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL 
handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:57 [crit] 36#36: *273 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:01:59 [crit] 33#33: *280 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:21 [crit] 34#34: *305 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:21 [crit] 34#34: *306 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:22 [crit] 34#34: *307 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:23 [crit] 34#34: *308 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:24 [crit] 34#34: *309 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:24 [crit] 34#34: *310 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:25 [crit] 34#34: *311 
SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:26 [crit] 34#34: *312 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:27 [crit] 34#34: *313 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:31 [crit] 32#32: *320 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:32 [crit] 32#32: *321 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:33 [crit] 32#32: *322 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:34 [crit] 32#32: *323 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:34 [crit] 32#32: *324 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:36 [crit] 32#32: *326 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL 
routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:36 [crit] 32#32: *327 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:37 [crit] 32#32: *328 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:38 [crit] 32#32: *329 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:39 [crit] 35#35: *330 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:39 [crit] 35#35: *331 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:41 [crit] 35#35: *333 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:41 [crit] 35#35: *334 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:02:42 [crit] 35#35: *335 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 
+2025/11/03 21:02:44 [crit] 35#35: *337 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:8443 +2025/11/03 21:07:23 [warn] 35#35: *350 limiting requests, excess: 5.970 by zone "login", client: 172.18.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443" +2025/11/03 21:07:23 [warn] 35#35: *351 limiting requests, excess: 5.968 by zone "login", client: 172.18.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443" +2025/11/03 21:07:23 [warn] 37#37: *352 limiting requests, excess: 5.965 by zone "login", client: 172.18.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443" +2025/11/03 21:07:23 [warn] 37#37: *353 limiting requests, excess: 5.963 by zone "login", client: 172.18.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443" +2025/11/03 21:07:23 [warn] 37#37: *354 limiting requests, excess: 5.960 by zone "login", client: 172.18.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443" +2025/11/03 21:07:23 [warn] 37#37: *355 limiting requests, excess: 5.958 by zone "login", client: 172.18.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443" diff --git a/labs/lab11/reverse-proxy/certs/localhost.crt b/labs/lab11/reverse-proxy/certs/localhost.crt new file mode 100644 index 00000000..329cebed --- /dev/null +++ b/labs/lab11/reverse-proxy/certs/localhost.crt @@ -0,0 +1,3 @@ +-----BEGIN CERTIFICATE----- +... +-----END CERTIFICATE----- diff --git a/labs/lab11/reverse-proxy/certs/localhost.key b/labs/lab11/reverse-proxy/certs/localhost.key new file mode 100644 index 00000000..804502d6 --- /dev/null +++ b/labs/lab11/reverse-proxy/certs/localhost.key @@ -0,0 +1,3 @@ +-----BEGIN PRIVATE KEY----- +... +-----END PRIVATE KEY----- 
diff --git a/labs/submission11.md b/labs/submission11.md new file mode 100644 index 00000000..21169199 --- /dev/null +++ b/labs/submission11.md 
@@ -0,0 +1,123 @@ +# Task 1 — Reverse Proxy Compose Setup + +## Why reverse proxies are valuable for security + +The reverse proxy handles SSL/TLS encryption, offloading the main application from resource-intensive encryption/decryption operations. The proxy can automatically add important security headers (HSTS, CSP, X-Frame Options, etc.) to all responses, has the ability to block malicious requests, DDoS attacks, SQL injections at the proxy level until reaching the main application, and simplifies access control, monitoring, and logging of all incoming traffic. + +## Why hiding direct app ports reduces attack surface + +The direct ports of the application are not visible from the outside, which eliminates the possibility of direct attacks on vulnerabilities in the application itself. All requests pass through a secure proxy layer with additional validation, reducing the number of open ports on the host, which reduces the overall attack surface and makes it possible to hide the real version and technology stack of the backend application. + +## ```docker compose ps``` output showing only Nginx has published host ports + +```bash +lab11-nginx-1 nginx:stable-alpine "/docker-entrypoint.…" nginx 41 minutes ago Up 41 minutes 0.0.0.0:8080->8080/tcp, 80/tcp, 0.0.0.0:8443->8443/tcp +``` + +--- + +# Task 2 — Security Headers + +## Relevant security headers from ```headers-https.txt``` + +1. X-Frame-Options: DENY + - Prohibits the display of the page in frame, iframe, object, or embed, preventing attacks when the user clicks on invisible elements. + +2. X-Content-Type-Options: nosniff + - The browser will only follow the specified Content-Type and will not attempt to automatically detect the type of content, which prevents scripts from being executed from files disguised as other types. + +3. Strict-Transport-Security (HSTS) + - Forcibly uses HTTPS connection for 1 year, enables all subdomains and allows preloading to browsers + +4. 
Referrer-Policy: strict-origin-when-cross-origin + - Sends a full referrer for same-origin requests, but only origin (without path) for cross-origin requests, balancing security and functionality. + +5. Permissions-Policy: camera=(), geolocation=(), microphone=() + - Blocks access to the camera, geolocation, and microphone for all sources, preventing web page surveillance. + +6. Cross-Origin-Opener-Policy: same-origin + - Isolates the window/tab from other origin + +7. Cross-Origin-Resource-Policy: same-origin + - Prohibits cross-origin access to resources + +8. Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' + - The content security policy in report-only mode, which allows downloading resources only from the same origin, allows images with URI data, allows inline scripts and eval, allows inline styles, and collects reports on violations without blocking content + +--- + +# Task 3 — TLS, HSTS, Rate Limiting & Timeouts + +## TLS/testssl summary + +1. Summarize TLS protocol support from testssl scan: + - SSLv2 not offered + - SSLv3 not offered + - TLS 1 not offered + - TLS 1.1 not offered + - TLS 1.2 offered + - TLS 1.3 offered + +2. List cipher suites that are supported: + - TLS 1.2: + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES128-GCM-SHA256 + + - TLS 1.3: + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - TLS_AES_128_GCM_SHA256 + +3. Why TLSv1.2+ is required: + - TLSv1.0 and TLSv1.1 have known vulnerabilities (POODLE, BEAST) + - TLSv1.3 provides improved security and performance + - Outdated protocols do not support modern cryptographic algorithms + - Compliance with modern safety standards + +4. Warnings or vulnerabilities from testssl output: + - Heartbleed + - CCS + - Ticketbleed + - POODLE + - BEAST + - CRIME + - BREACH + - DROWN + - LOGJAM + - etc. + +5. 
Confirm HSTS header appears only on HTTPS responses (not HTTP): + + The HSTS header appears only on HTTPS responses: ```strict-transport-security: max-age=31536000; includeSubDomains; preload```. + + There is no HSTS on HTTP responses (```HTTP/1.1 308 Permanent Redirect```). + +## Rate limiting & timeouts + +1. Rate-limit test output: + + Response 200 (6) vs. Response 429 (6) + +2. Rate limit configuration + + - ```rate=10r/m``` - 10 requests per minute is the base limit. + - ```burst=5``` - allows up to 5 additional requests over the limit + + These conifigurations protect against brute-force login attacks, allow legitimate users multiple login attempts, and block automated attacks without violating the UX. + +3. Timeout settings in ```nginx.conf```: + + - Short timeouts protect against Slowloris/DDoS attacks + - Timeouts that are too short may break legitimate slow connections. + - A balance between security and accessibility for slow internet users + +4. Relevant lines from ```access.log``` showing 429 responses: + + ```bash + 172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.7.1" rt=0.000 uct=- urt=- + 172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.7.1" rt=0.000 uct=- urt=- + 172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.7.1" rt=0.000 uct=- urt=- + 172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.7.1" rt=0.000 uct=- urt=- + 172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.7.1" rt=0.000 uct=- urt=- + 172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.7.1" rt=0.000 uct=- urt=- + ``` \ No newline at end of file
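Review bot: The nginx error-log hunk is dominated by identical [crit] SSL_do_handshake() "wrong version number / record layer failure" entries from client 172.18.0.1 (21:01:28 through 21:02:44 in the visible lines), and nothing in submission11.md says what produced them. Only the six [warn] "limiting requests, excess: 5.9xx by zone "login"" lines at 21:07:23 support a claim in the write-up, and they match the six 429 entries quoted from access.log. Either trim the evidence file to those warnings or add a sentence to the write-up naming the source of the handshake failures. This OpenSSL error commonly means the peer sent something other than an acceptable TLS record, such as plain HTTP on the TLS port or a scanner probe, so confirm the timestamps line up with the testssl run rather than a misconfigured client.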
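Review bot: labs/lab11/reverse-proxy/certs/localhost.key puts a private key file under version control, and its committed body is the literal line "...", so the file is not a PEM key that nginx could load; the same holds for the "..." body of localhost.crt. Drop both files from the commit, ignore the certs directory, and document how to generate the self-signed pair locally so the lab stays reproducible. If "..." stands in for a real key that was pushed in an earlier revision of this branch, regenerate the pair before reusing the setup.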
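Review bot: In labs/submission11.md, "Rate limiting & timeouts" item 1 reports "Response 200 (6) vs. Response 429 (6)", but the rate-limit-test.txt added in this same patch records six 401 responses followed by six 429, so the write-up should say 401 (rejected logins that passed the limiter), not 200. Two further points in the same hunk: Task 3 item 4 lists Heartbleed, CCS, POODLE and the rest under "Warnings or vulnerabilities" without the testssl result for each and ends in "etc.", which reads as if the server were affected, so state the result per check. Item 3 on timeouts gives no values from nginx.conf, so quote the directives being justified. Minor: "conifigurations" should be "configurations", and the file lacks a trailing newline.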