# Lab 7 - Computer Networks 2022-2

## Equipo-BASJ-MAMM-MELE-MOGJ

- Bautista Sandoval Juan Carlos 314275541
- Martínez Mendoza Miguel Angel 314133225
- Mendoza López Edgar Omar 308341209
- Monter Gallardo Jessica 305116941

## Domain and IP

- redes.bigtown.com.mx
- 20.211.99.164

## Apache installation

```
root@redes:~# systemctl status apache2
● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2022-06-09 00:00:34 CDT; 16s ago
       Docs: https://httpd.apache.org/docs/2.4/
   Main PID: 6935 (apache2)
      Tasks: 55 (limit: 1074)
     Memory: 9.4M
        CPU: 27ms
     CGroup: /system.slice/apache2.service
             ├─6935 /usr/sbin/apache2 -k start
             ├─6937 /usr/sbin/apache2 -k start
             └─6938 /usr/sbin/apache2 -k start

Jun 09 00:00:34 redes.bigtown.com.mx systemd[1]: Starting The Apache HTTP Server...
Jun 09 00:00:34 redes.bigtown.com.mx systemd[1]: Started The Apache HTTP Server.
```

## Apache listens on port 80

```
root@redes:~# netstat -ntulp | grep apache2
tcp6       0      0 :::80                   :::*                    LISTEN      6935/apache2

root@redes:~# apachectl -S
VirtualHost configuration:
*:80                   redes.bigtown.com.mx (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
```

## ServerName configuration

```
root@redes:~# nano /etc/apache2/conf-available/servername.conf
root@redes:~# cat /etc/apache2/conf-available/servername.conf
ServerName redes.bigtown.com.mx
```

## Security configuration for Apache HTTPD

The directives are changed to the following values:

```
ServerTokens ProductOnly
ServerSignature Off
TraceEnable Off
```

These are the recommended values because:

- ServerTokens: controls whether the Server response header sent back to clients includes a description of the server's generic operating system type as well as information about the compiled-in modules. ProductOnly reduces it to the product name alone (`Server: Apache`).
- ServerSignature: when On, it appends a footer line with the server version number and the ServerName of the serving virtual host to server-generated documents (error pages, directory listings). Off removes that footer.
- TraceEnable: when On, the HTTP TRACE method is allowed, which enables the cross-site tracing (XST) problem and can potentially expose information such as cookies. Off rejects TRACE requests.

### DirectoryMatch configuration

```
<DirectoryMatch "/\.git">
   Require all denied
</DirectoryMatch>
```

This block, like `<Directory>`, encloses configuration that applies to a given group of directories and their subdirectories, but `<DirectoryMatch>` takes a regular expression. Here every path containing `/.git` is matched and access to it is denied, so a repository checked out under the document root cannot be read over HTTP.
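As an added check (not part of the original report), the following Python audit reads an Apache configuration fragment and verifies the three directives above plus the `.git` DirectoryMatch block. The two sample fragments are constructed here, not copied from the server; the "not set" finding exists because a missing directive falls back to the compiled-in default.

```python
import re

# Directives this lab sets and the values it expects.
EXPECTED = {"ServerTokens": "ProductOnly", "ServerSignature": "Off", "TraceEnable": "Off"}

# Constructed sample: a permissive configuration (not taken from the server).
WEAK_CONF = """\
ServerTokens OS
ServerSignature On
TraceEnable On
"""

# Constructed sample: the values set in this lab plus the .git block.
HARDENED_CONF = """\
ServerTokens ProductOnly
ServerSignature Off
TraceEnable Off

<DirectoryMatch "/\\.git">
   Require all denied
</DirectoryMatch>
"""

DIRECTIVE = re.compile(r"^([A-Za-z]+)\s+(.+)$")
DIRMATCH = re.compile(r'<DirectoryMatch\s+"([^"]*)"\s*>(.*?)</DirectoryMatch>', re.S | re.I)


def parse_directives(conf):
    """Map each simple 'Name value' directive (lower-cased name) to its last value.
    Comments are stripped; container tags such as <DirectoryMatch> do not match."""
    found = {}
    for line in conf.splitlines():
        m = DIRECTIVE.match(line.split("#", 1)[0].strip())
        if m:
            found[m.group(1).lower()] = m.group(2).strip()
    return found


def git_denied(conf):
    """True if some <DirectoryMatch> whose pattern targets .git contains 'Require all denied'."""
    return any(".git" in pattern and re.search(r"Require\s+all\s+denied", body, re.I)
               for pattern, body in DIRMATCH.findall(conf))


def audit(conf):
    """Return findings; an empty list means the fragment matches the lab's hardening."""
    findings = []
    directives = parse_directives(conf)
    for name, want in EXPECTED.items():
        got = directives.get(name.lower())
        if got is None:
            findings.append(f"{name} not set (compiled-in default applies)")
        elif got.lower() != want.lower():
            findings.append(f"{name} is {got}, expected {want}")
    if not git_denied(conf):
        findings.append("no DirectoryMatch denying access to .git directories")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "OK")
```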

## SSL/TLS configuration in Apache HTTP

```
root@redes:~# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2
root@redes:~# a2ensite default-ssl
Enabling site default-ssl.
To activate the new configuration, you need to run:
  systemctl reload apache2
root@redes:~# apachectl -t
Syntax OK
root@redes:~# systemctl reload apache2
root@redes:~#
```

### Enabled virtual hosts

```
root@redes:~# ls -la /etc/apache2/sites-enabled
total 8
drwxr-xr-x 2 root root 4096 Jun  9 00:17 .
drwxr-xr-x 8 root root 4096 Jun  9 00:00 ..
lrwxrwxrwx 1 root root   35 Jun  9 00:00 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root   35 Jun  9 00:17 default-ssl.conf -> ../sites-available/default-ssl.conf
```

### Apache listens on ports 80 and 443

```
root@redes:~# netstat -ntulp | grep apache2
tcp6       0      0 :::80                   :::*                    LISTEN      590/apache2
tcp6       0      0 :::443                  :::*                    LISTEN      590/apache2
root@redes:~#
```

## Default VirtualHost configuration

- reference: files/000-default
- reference: files/default-ssl-conf

## Web site root path

```
root@redes:~# grep 'DocumentRoot' /etc/apache2/sites-enabled/*.conf
/etc/apache2/sites-enabled/000-default.conf:    DocumentRoot /var/www/html
/etc/apache2/sites-enabled/default-ssl.conf:        DocumentRoot /var/www/html
```

## Obtaining the SSL certificate with Let's Encrypt

```
certbot --authenticator manual --installer apache --domain 'redes.bigtown.com.mx' --domain '*.redes.bigtown.com.mx'
```

Output:

```
root@redes:~# certbot --authenticator manual --installer apache --domain 'redes.bigtown.com.mx' --domain '*.redes.bigtown.com.mx'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/redes.bigtown.com.mx.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/default-ssl.conf

Which VirtualHosts would you like to install the wildcard certificate for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: File: /etc/apache2/sites-enabled/default-ssl.conf
Addresses: _default_:443
Names: *.redes.bigtown.com.mx, redes.bigtown.com.mx
HTTPS: Yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/default-ssl.conf
Enabled Apache rewrite module
Failed redirect for redes.bigtown.com.mx
Unable to set enhancement redirect for redes.bigtown.com.mx
Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection

IMPORTANT NOTES:
 - We were unable to set up enhancement redirect for your server,
   however, we successfully installed your certificate.
```

## Server and domain validation

```
root@redes:~# dig TXT _acme-challenge.redes.bigtown.com.mx

; <<>> DiG 9.16.27-Debian <<>> TXT _acme-challenge.redes.bigtown.com.mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59041
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1224
;; QUESTION SECTION:
;_acme-challenge.redes.bigtown.com.mx. IN TXT

;; ANSWER SECTION:
_acme-challenge.redes.bigtown.com.mx. 300 IN TXT "-UYJVNlk8PmgKHNWaX5bAfMtCiT7dQM0gS8bathx_4A"

;; Query time: 168 msec
;; SERVER: 168.63.129.16#53(168.63.129.16)
;; WHEN: Thu Jun 09 15:28:57 CDT 2022
;; MSG SIZE  rcvd: 121
```

## Redirecting HTTP traffic to HTTPS

### Verifying the SSL certificate installation

```
root@redes:~# tree /etc/letsencrypt/archive
/etc/letsencrypt/archive
`-- redes.bigtown.com.mx
    |-- cert1.pem
    |-- chain1.pem
    |-- fullchain1.pem
    `-- privkey1.pem

1 directory, 4 files

root@redes:~# tree /etc/letsencrypt/live
/etc/letsencrypt/live
|-- README
`-- redes.bigtown.com.mx
    |-- cert.pem -> ../../archive/redes.bigtown.com.mx/cert1.pem
    |-- chain.pem -> ../../archive/redes.bigtown.com.mx/chain1.pem
    |-- fullchain.pem -> ../../archive/redes.bigtown.com.mx/fullchain1.pem
    |-- privkey.pem -> ../../archive/redes.bigtown.com.mx/privkey1.pem
    `-- README

1 directory, 6 files
```

### Verifying that the VirtualHost uses the certificates

```
root@redes:~# egrep -i '^\s*SSLCertificate(Key)?File' /etc/apache2/sites-enabled/*.conf
/etc/apache2/sites-enabled/default-ssl.conf:        SSLCertificateFile /etc/letsencrypt/live/redes.bigtown.com.mx/fullchain.pem
/etc/apache2/sites-enabled/default-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/redes.bigtown.com.mx/privkey.pem
```

## VirtualHost configuration for HTTP and HTTPS

```
redes@redes:~$ dig docs.redes.bigtown.com.mx

; <<>> DiG 9.16.27-Debian <<>> docs.redes.bigtown.com.mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43572
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1224
;; QUESTION SECTION:
;docs.redes.bigtown.com.mx. IN  A

;; ANSWER SECTION:
docs.redes.bigtown.com.mx. 300  IN  A   20.211.99.164

;; Query time: 168 msec
;; SERVER: 168.63.129.16#53(168.63.129.16)
;; WHEN: Thu Jun 09 16:05:46 CDT 2022
;; MSG SIZE  rcvd: 70
redes@redes:~$ dig kernel.redes.bigtown.com.mx

; <<>> DiG 9.16.27-Debian <<>> kernel.redes.bigtown.com.mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64079
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1224
;; QUESTION SECTION:
;kernel.redes.bigtown.com.mx.   IN  A

;; ANSWER SECTION:
kernel.redes.bigtown.com.mx. 300 IN A   20.211.99.164

;; Query time: 164 msec
;; SERVER: 168.63.129.16#53(168.63.129.16)
;; WHEN: Thu Jun 09 16:06:28 CDT 2022
;; MSG SIZE  rcvd: 72
```

## Virtual host for the Linux kernel documentation

```
root@redes:/etc/apache2/sites-available# a2ensite docs.conf
Enabling site docs.
To activate the new configuration, you need to run:
  systemctl reload apache2
root@redes:/etc/apache2/sites-available# ls -la /etc/apache2/sites-available/docs.conf /etc/apache2/sites-enabled/docs.conf
-rw-r--r-- 1 root root 1495 Jun 12 20:34 /etc/apache2/sites-available/docs.conf
lrwxrwxrwx 1 root root   28 Jun 12 20:34 /etc/apache2/sites-enabled/docs.conf -> ../sites-available/docs.conf
```

When we tried to validate the Apache configuration, we ran into an error:

```
root@redes:/etc/apache2/sites-available# apachectl -t
AH00526: Syntax error on line 11 of /etc/apache2/sites-enabled/docs.conf:
Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration
Action '-t' failed.
The Apache error log may have more information.
```

which we resolved by enabling the rewrite module:

```
root@redes:/etc/apache2/sites-available# a2enmod rewrite
Enabling module rewrite.
To activate the new configuration, you need to run:
  systemctl restart apache2
```

```
root@redes:/etc/apache2/sites-available# apachectl -S
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server redes.bigtown.com.mx (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost redes.bigtown.com.mx (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost docs.redes.bigtown.com.mx (/etc/apache2/sites-enabled/docs.conf:1)
                 alias kernel.redes.bigtown.com.mx
*:443                  is a NameVirtualHost
         default server redes.bigtown.com.mx (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost redes.bigtown.com.mx (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost docs.redes.bigtown.com.mx (/etc/apache2/sites-enabled/docs.conf:31)
                 alias kernel.redes.bigtown.com.mx
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
```

## Verifying access to the documentation at the enabled links

- link docs.png
- link kernel.png

## VirtualHosts for the assignments repository

- link sitio.conf

## Granting permissions to the redes user

```
root@redes:/# chown -c root:redes /srv
changed ownership of '/srv' from root:root to root:redes
root@redes:/# chmod -c 0775 /srv
mode of '/srv' changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)
root@redes:/# ls -lAd /srv
drwxrwxr-x 2 root redes 4096 May  2 23:23 /srv
```

```
redes@redes:/srv/repositorio$ ls -lA public
total 52
-rw-r--r-- 1 redes redes  5951 Jun 12 21:03 404.html
drwxr-xr-x 2 redes redes  4096 Jun 12 21:03 css
drwxr-xr-x 2 redes redes  4096 Jun 12 21:03 fonts
drwxr-xr-x 2 redes redes  4096 Jun 12 21:03 img
-rw-r--r-- 1 redes redes 12443 Jun 12 21:03 index.html
drwxr-xr-x 2 redes redes  4096 Jun 12 21:03 js
-rw-r--r-- 1 redes redes   865 Jun 12 21:03 sitemap.xml
-rw-r--r-- 1 redes redes   259 Jun 12 21:03 sitemap.xml.gz
drwxr-xr-x 5 redes redes  4096 Jun 12 21:03 workflow
```

### Enabling the site

```
root@redes:/etc/apache2/sites-available# a2ensite sitio.conf
Enabling site sitio.
To activate the new configuration, you need to run:
  systemctl reload apache2
root@redes:/etc/apache2/sites-available# ls -la /etc/apache2/sites-available/sitio.conf /etc/apache2/sites-enabled/sitio.conf
-rw-r--r-- 1 root root 1276 Jun 12 21:42 /etc/apache2/sites-available/sitio.conf
lrwxrwxrwx 1 root root   29 Jun 12 21:44 /etc/apache2/sites-enabled/sitio.conf -> ../sites-available/sitio.conf
```

```
root@redes:/etc/apache2/sites-available# apachectl -S
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server redes.bigtown.com.mx (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost redes.bigtown.com.mx (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost docs.redes.bigtown.com.mx (/etc/apache2/sites-enabled/docs.conf:1)
                 alias kernel.redes.bigtown.com.mx
         port 80 namevhost sitio.redes.bigtown.com.mx (/etc/apache2/sites-enabled/sitio.conf:1)
                 alias tareas.redes.bigtown.com.mx
*:443                  is a NameVirtualHost
         default server redes.bigtown.com.mx (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost redes.bigtown.com.mx (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost docs.redes.bigtown.com.mx (/etc/apache2/sites-enabled/docs.conf:27)
                 alias kernel.redes.bigtown.com.mx
         port 443 namevhost sitio.redes.bigtown.com.mx (/etc/apache2/sites-enabled/sitio.conf:28)
                 alias tareas.redes.bigtown.com.mx
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
```

## Checking that the redirect is correct

```
root@redes:/etc/apache2/sites-available# curl -v "http://sitio.redes.bigtown.com.mx/"
*   Trying 20.211.99.164:80...
* Connected to sitio.redes.bigtown.com.mx (20.211.99.164) port 80 (#0)
> GET / HTTP/1.1
> Host: sitio.redes.bigtown.com.mx
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 13 Jun 2022 02:47:00 GMT
< Server: Apache
< Location: https://sitio.redes.bigtown.com.mx/
< Content-Length: 243
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://sitio.redes.bigtown.com.mx/">here</a>.</p>
</body></html>
* Connection #0 to host sitio.redes.bigtown.com.mx left intact

root@redes:/etc/apache2/sites-available# curl -v "http://20.211.99.164"
*   Trying 20.211.99.164:80...
* Connected to 20.211.99.164 (20.211.99.164) port 80 (#0)
> GET / HTTP/1.1
> Host: 20.211.99.164
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 13 Jun 2022 02:48:39 GMT
< Server: Apache
< Location: https://redes.bigtown.com.mx/
< Content-Length: 237
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://redes.bigtown.com.mx/">here</a>.</p>
</body></html>
* Connection #0 to host 20.211.99.164 left intact

root@redes:/etc/apache2/sites-available# curl -v "http://redes.bigtown.com.mx"
*   Trying 20.211.99.164:80...
* Connected to redes.bigtown.com.mx (20.211.99.164) port 80 (#0)
> GET / HTTP/1.1
> Host: redes.bigtown.com.mx
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 13 Jun 2022 02:49:17 GMT
< Server: Apache
< Location: https://redes.bigtown.com.mx/
< Content-Length: 237
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://redes.bigtown.com.mx/">here</a>.</p>
</body></html>
* Connection #0 to host redes.bigtown.com.mx left intact

root@redes:/etc/apache2/sites-available# curl -v "http://docs.redes.bigtown.com.mx"
*   Trying 20.211.99.164:80...
* Connected to docs.redes.bigtown.com.mx (20.211.99.164) port 80 (#0)
> GET / HTTP/1.1
> Host: docs.redes.bigtown.com.mx
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 13 Jun 2022 02:49:38 GMT
< Server: Apache
< Location: https://docs.redes.bigtown.com.mx/
< Content-Length: 242
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://docs.redes.bigtown.com.mx/">here</a>.</p>
</body></html>
* Connection #0 to host docs.redes.bigtown.com.mx left intact

root@redes:/etc/apache2/sites-available# curl -v "http://kernel.redes.bigtown.com.mx"
*   Trying 20.211.99.164:80...
* Connected to kernel.redes.bigtown.com.mx (20.211.99.164) port 80 (#0)
> GET / HTTP/1.1
> Host: kernel.redes.bigtown.com.mx
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 13 Jun 2022 02:49:54 GMT
< Server: Apache
< Location: https://kernel.redes.bigtown.com.mx/
< Content-Length: 244
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://kernel.redes.bigtown.com.mx/">here</a>.</p>
</body></html>
* Connection #0 to host kernel.redes.bigtown.com.mx left intact

root@redes:/etc/apache2/sites-available# curl -v "http://sitio.redes.bigtown.com.mx"
*   Trying 20.211.99.164:80...
* Connected to sitio.redes.bigtown.com.mx (20.211.99.164) port 80 (#0)
> GET / HTTP/1.1
> Host: sitio.redes.bigtown.com.mx
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 13 Jun 2022 02:50:19 GMT
< Server: Apache
< Location: https://sitio.redes.bigtown.com.mx/
< Content-Length: 243
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://sitio.redes.bigtown.com.mx/">here</a>.</p>
</body></html>
* Connection #0 to host sitio.redes.bigtown.com.mx left intact

root@redes:/etc/apache2/sites-available# curl -v "http://tareas.redes.bigtown.com.mx"
*   Trying 20.211.99.164:80...
* Connected to tareas.redes.bigtown.com.mx (20.211.99.164) port 80 (#0)
> GET / HTTP/1.1
> Host: tareas.redes.bigtown.com.mx
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 13 Jun 2022 02:50:36 GMT
< Server: Apache
< Location: https://tareas.redes.bigtown.com.mx/
< Content-Length: 244
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://tareas.redes.bigtown.com.mx/">here</a>.</p>
</body></html>
* Connection #0 to host tareas.redes.bigtown.com.mx left intact
```
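As an added check, not part of the original report, this Python function applies to a raw HTTP response the criteria the curl transcripts above were read against: a permanent redirect, an `https` Location with the expected host and the same path, and a Server header that leaks no version (the effect of `ServerTokens ProductOnly`). The sample responses are constructed from the headers shown in the curl output; the leaky one is a made-up counter-example.

```python
from urllib.parse import urlsplit


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status code, lower-cased header map, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def check_https_redirect(raw, request_host, request_path="/", expected_host=None):
    """Findings for a plain-HTTP response that is supposed to send clients to HTTPS.
    An empty list means: permanent redirect, https scheme, expected host, same path,
    and a Server header that does not leak a version (ServerTokens ProductOnly)."""
    findings = []
    status, headers, _ = parse_response(raw)
    if status not in (301, 308):
        findings.append(f"status {status}, expected 301 or 308")
    location = headers.get("location")
    if location is None:
        findings.append("no Location header")
        return findings
    target = urlsplit(location)
    if target.scheme != "https":
        findings.append(f"Location scheme is {target.scheme!r}, expected 'https'")
    want_host = expected_host or request_host  # the bare IP is sent to the default vhost
    if target.hostname != want_host:
        findings.append(f"Location host {target.hostname!r}, expected {want_host!r}")
    if (target.path or "/") != request_path:
        findings.append(f"Location path {target.path!r} does not preserve {request_path!r}")
    server = headers.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"Server header leaks a version: {server!r}")
    return findings


def _response(status_line, *headers):
    """Assemble a raw response; the HTML body is omitted since the checks ignore it."""
    return "\r\n".join((status_line, *headers)) + "\r\n\r\n"


# Headers as seen in the curl transcripts above (constructed from that output).
SITIO_RESPONSE = _response("HTTP/1.1 301 Moved Permanently", "Server: Apache",
                           "Location: https://sitio.redes.bigtown.com.mx/",
                           "Content-Length: 243", "Content-Type: text/html; charset=iso-8859-1")
IP_RESPONSE = _response("HTTP/1.1 301 Moved Permanently", "Server: Apache",
                        "Location: https://redes.bigtown.com.mx/", "Content-Length: 237")
# Constructed counter-example: temporary redirect, still http, verbose Server header.
LEAKY_RESPONSE = _response("HTTP/1.1 302 Found", "Server: Apache/2.4 (Debian)",
                           "Location: http://sitio.redes.bigtown.com.mx/")

if __name__ == "__main__":
    print(check_https_redirect(SITIO_RESPONSE, "sitio.redes.bigtown.com.mx") or "OK")
    print(check_https_redirect(LEAKY_RESPONSE, "sitio.redes.bigtown.com.mx"))
```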

## Configuration files

## Log files

## Data files

## Data file registros-dns.txt containing the queries for all the DNS names you created

## Data file with the diagnostic of HTTP and HTTPS queries to the IP address and DNS names of the VirtualHosts

## Data file with the diagnostic of the SSL certificates returned by each configured VirtualHost

## Default configuration