Config advice / wireshark


Config advice / wireshark

Joel Parker
I currently have a config that allows me to terminate TLSv1.2 and decrypt it. Then it re-encrypts the packets with a different cert before sending to the upstream servers. I want to "look" at the decrypted packets before they are encrypted but I am not sure the best way to accomplish this.

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Config advice / wireshark

Robert Paprocki
Unless wireshark has access to the private key (and PFC isn't enabled), your best bet would be to log the data from nginx directly, rather than trying to examine the raw bytes on the wire.

> On Apr 21, 2017, at 08:10, Joel Parker <[hidden email]> wrote:
>
> I currently have a config that allows me to terminate TLSv1.2 and decrypt it. Then it re-encrypts the packets with a different cert before sending to the upstream servers. I want to "look" at the decrypted packets before they are encrypted but I am not sure the best way to accomplish this.

Re: Config advice / wireshark

Joel Parker
Is it compatible with something like log2pcap? Or I just need to set the format somehow to be compatible with it.

Joel Parker

On Fri, Apr 21, 2017 at 10:21 AM, Robert Paprocki <[hidden email]> wrote:
Unless wireshark has access to the private key (and PFC isn't enabled), your best bet would be to log the data from nginx directly, rather than trying to examine the raw bytes on the wire.

> On Apr 21, 2017, at 08:10, Joel Parker <[hidden email]> wrote:
>
> I currently have a config that allows me to terminate TLSv1.2 and decrypt it. Then it re-encrypts the packets with a different cert before sending to the upstream servers. I want to "look" at the decrypted packets before they are encrypted but I am not sure the best way to accomplish this.

Re: Config advice / wireshark

Robert Paprocki
Is what compatible? Nginx logging? I don't think so, Nginx logs are intended to be human readable. Related docs: http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format

On Fri, Apr 21, 2017 at 8:25 AM, Joel Parker <[hidden email]> wrote:
Is it compatible with something like log2pcap? Or I just need to set the format somehow to be compatible with it.

Joel Parker

On Fri, Apr 21, 2017 at 10:21 AM, Robert Paprocki <[hidden email]> wrote:
Unless wireshark has access to the private key (and PFC isn't enabled), your best bet would be to log the data from nginx directly, rather than trying to examine the raw bytes on the wire.

> On Apr 21, 2017, at 08:10, Joel Parker <[hidden email]> wrote:
>
> I currently have a config that allows me to terminate TLSv1.2 and decrypt it. Then it re-encrypts the packets with a different cert before sending to the upstream servers. I want to "look" at the decrypted packets before they are encrypted but I am not sure the best way to accomplish this.

Re: Config advice / wireshark

Joel Parker
The only other thing I was thinking of was to double proxy through localhost, i.e. user -> proxy -> localhost proxy -> upstream server. Seems like it is pretty convoluted, but is it still possible?


On Fri, Apr 21, 2017 at 10:30 AM, Robert Paprocki <[hidden email]> wrote:
Is what compatible? Nginx logging? I don't think so, Nginx logs are intended to be human readable. Related docs: http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format

On Fri, Apr 21, 2017 at 8:25 AM, Joel Parker <[hidden email]> wrote:
Is it compatible with something like log2pcap? Or I just need to set the format somehow to be compatible with it.

Joel Parker

On Fri, Apr 21, 2017 at 10:21 AM, Robert Paprocki <[hidden email]> wrote:
Unless wireshark has access to the private key (and PFC isn't enabled), your best bet would be to log the data from nginx directly, rather than trying to examine the raw bytes on the wire.

> On Apr 21, 2017, at 08:10, Joel Parker <[hidden email]> wrote:
>
> I currently have a config that allows me to terminate TLSv1.2 and decrypt it. Then it re-encrypts the packets with a different cert before sending to the upstream servers. I want to "look" at the decrypted packets before they are encrypted but I am not sure the best way to accomplish this.

Re: Config advice / wireshark

Joel Parker
I guess logging would work; I just need to capture the full request and response to replay later. Is there a standard way to do this or a plugin available?



On Fri, Apr 21, 2017 at 10:42 AM, Joel Parker <[hidden email]> wrote:
The only other thing I was thinking of was to double proxy through localhost, i.e. user -> proxy -> localhost proxy -> upstream server. Seems like it is pretty convoluted, but is it still possible?


On Fri, Apr 21, 2017 at 10:30 AM, Robert Paprocki <[hidden email]> wrote:
Is what compatible? Nginx logging? I don't think so, Nginx logs are intended to be human readable. Related docs: http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format

On Fri, Apr 21, 2017 at 8:25 AM, Joel Parker <[hidden email]> wrote:
Is it compatible with something like log2pcap? Or I just need to set the format somehow to be compatible with it.

Joel Parker

On Fri, Apr 21, 2017 at 10:21 AM, Robert Paprocki <[hidden email]> wrote:
Unless wireshark has access to the private key (and PFC isn't enabled), your best bet would be to log the data from nginx directly, rather than trying to examine the raw bytes on the wire.

> On Apr 21, 2017, at 08:10, Joel Parker <[hidden email]> wrote:
>
> I currently have a config that allows me to terminate TLSv1.2 and decrypt it. Then it re-encrypts the packets with a different cert before sending to the upstream servers. I want to "look" at the decrypted packets before they are encrypted but I am not sure the best way to accomplish this.
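
The double-proxy layout raised in the thread (user -> proxy -> localhost proxy -> upstream server), combined with the request logging suggested earlier, sketched as an added example that is not from any poster on the list. Hostnames, ports, certificate paths and the log format name are assumptions.

```nginx
# Added example; every name, port and path below is an assumption.
# Place inside the http { } block.

# One JSON line per request, including the body nginx read from the client.
# escape=json (nginx >= 1.11.8) keeps quotes and control bytes unambiguous.
# $request_body is empty when the body exceeded client_body_buffer_size
# and was spooled to a temporary file.
log_format plaintext_req escape=json
    '{"time":"$time_iso8601","client":"$remote_addr",'
    '"request":"$request","status":"$status",'
    '"content_type":"$content_type","body":"$request_body"}';

# Hop 1: terminates the client's TLS and forwards in cleartext over loopback.
server {
    listen 443 ssl;
    server_name proxy.example.test;
    ssl_protocols TLSv1.2;
    ssl_certificate     /etc/nginx/tls/front.crt;
    ssl_certificate_key /etc/nginx/tls/front.key;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://127.0.0.1:8080;   # plaintext, never leaves the host
    }
}

# Hop 2: bound to loopback only, logs the request, re-encrypts to the upstream.
server {
    listen 127.0.0.1:8080;
    access_log /var/log/nginx/plaintext_req.log plaintext_req;

    location / {
        proxy_pass https://upstream.example.test;
        proxy_ssl_protocols TLSv1.2;
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/upstream-ca.crt;
        # Client certificate presented to the upstream, if it requires one:
        # proxy_ssl_certificate     /etc/nginx/tls/to-upstream.crt;
        # proxy_ssl_certificate_key /etc/nginx/tls/to-upstream.key;
    }
}
```

Stock nginx has no log variable for the response body, so seeing both directions means capturing the loopback hop (port 8080 here) rather than relying on the access log. Both the log and any capture hold decrypted traffic, so keep their file permissions and retention tight.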