ssl - 如何在带有 SSL 的 nginx 反向代理后面正确运行 BeEF

Question

我目前在 Debian 10 VPS 上运行 BeEF - 版本:'0.5.0.0-alpha-pre' 使用 GitHub 存档上的标准安装脚本安装。它在配置了 SSL 的 VirtualHost 上的 nginx 反向代理后面运行(通过证书机器人)。 BeEF 正在监听内部接口(interface)(不能直接从 Internet 路由)，而 nginx 正在将请求代理到该接口(interface)的 IP。一切正常 - 管理浏览器 UI 甚至使用 http 时的钩子(Hook)。但是，当我尝试在 https 页面上嵌入钩子(Hook)时，钩子(Hook)不起作用。从浏览器控制台(Linux 上的最新 firefox)，当浏览器尝试通过 http URL 连接到钩子(Hook)/处理程序时，我反复收到消息“阻止混合事件内容”。 BeEF 的 config.yaml 文件中存在 SSL 选项，但这似乎适用于 BeEF 不在反向代理后面运行的情况。有人可以说明如何正确配置 BeEF 以在 nginx 反向代理后面运行。

我的 config.yaml 文件在下面和下面，我将粘贴我的 nginx 配置文件以及关注的特定服务器 block 。

BeEF 配置文件

beef:
    version: '0.5.0.0-alpha-pre'
    # More verbose messages (server-side)
    debug: false
    # More verbose messages (client-side)
    client_debug: false
    # Used for generating secure tokens
    crypto_default_value_length: 80

# Credentials to authenticate in BeEF.
# Used by both the RESTful API and the Admin interface
credentials:
    user:   "beef"
    passwd: "*********************"

# Interface / IP restrictions
restrictions:
    # subnet of IP addresses that can hook to the framework
    permitted_hooking_subnet: ["0.0.0.0/0", "::/0"]
    # subnet of IP addresses that can connect to the admin UI
    #permitted_ui_subnet: ["127.0.0.1/32", "::1/128"]
    permitted_ui_subnet: ["0.0.0.0/0", "::/0"]
    # slow API calls to 1 every  api_attempt_delay  seconds
    api_attempt_delay: "0.05"

# HTTP server
http:
    debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
    host: "172.17.0.1"
    port: "3000"

    # Decrease this setting to 1,000 (ms) if you want more responsiveness
    #  when sending modules and retrieving results.
    # NOTE: A poll timeout of less than 5,000 (ms) might impact performance
    #  when hooking lots of browsers (50+).
    # Enabling WebSockets is generally better (beef.websocket.enable)
    xhr_poll_timeout: 1000

    # Host Name / Domain Name
    # If you want BeEF to be accessible via hostname or domain name (ie, DynDNS),
    #   set the public hostname below:
    #public: "my.domain.org"      # public hostname/IP address

    # Reverse Proxy / NAT
    # If you want BeEF to be accessible behind a reverse proxy or NAT,
    #   set both the publicly accessible hostname/IP address and port below:
    # NOTE: Allowing the reverse proxy will enable a vulnerability where the ui/panel can be spoofed
    #   by altering the X-FORWARDED-FOR ip address in the request header.
    allow_reverse_proxy: true
    public: "my.domain.org"      # public hostname/IP address
    public_port: "443" # public port (experimental)

    # Hook
    hook_file: "/hook.js"
    hook_session_name: "BEEFHOOK"

    # Allow one or multiple origins to access the RESTful API using CORS
    # For multiple origins use: "http://browserhacker.com, http://domain2.com"
    restful_api:
        allow_cors: false
        cors_allowed_domains: "https://my.domain.org"

    # Prefer WebSockets over XHR-polling when possible.
    websocket:
        enable: false
        port: 61985 # WS: good success rate through proxies
        # Use encrypted 'WebSocketSecure'
        # NOTE: works only on HTTPS domains and with HTTPS support enabled in BeEF
        secure: true
        secure_port: 61986 # WSSecure
        ws_poll_timeout: 1000 # poll BeEF every second
        ws_connect_timeout: 500 # useful to help fingerprinting finish before establishing the WS channel

    # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
    web_server_imitation:
        enable: true
        type: "apache" # Supported: apache, iis, nginx
        hook_404: false # inject BeEF hook in HTTP 404 responses
        hook_root: false # inject BeEF hook in the server home page
    # Experimental HTTPS support for the hook / admin / all other Thin managed web services
    https:
        enable: false
        # In production environments, be sure to use a valid certificate signed for the value
        # used in beef.http.public (the domain name of the server where you run BeEF)
        key: "beef_key.pem"
        cert: "beef_cert.pem"

database:
    file: "beef.db"

# Autorun Rule Engine
autorun:
    # this is used when rule chain_mode type is nested-forward, needed as command results are checked via setInterval
    # to ensure that we can wait for async command results. The timeout is needed to prevent infinite loops or eventually
    # continue execution regardless of results.
    # If you're chaining multiple async modules, and you expect them to complete in more than 5 seconds, increase the timeout.
    result_poll_interval: 300
    result_poll_timeout: 5000

    # If the modules doesn't return status/results and timeout exceeded, continue anyway with the chain.
    # This is useful to call modules (nested-forward chain mode) that are not returning their status/results.
    continue_after_timeout: true

# Enables DNS lookups on zombie IP addresses
dns_hostname_lookup: false

# IP Geolocation
# NOTE: requires MaxMind database. Run ./updated-geoipdb to install.
geoip:
    enable: true
    database: '/opt/GeoIP/GeoLite2-City.mmdb'

# Integration with PhishingFrenzy
# If enabled BeEF will try to get the UID parameter value from the hooked URI, as this is used by PhishingFrenzy
# to uniquely identify the victims. In this way you can easily associate phishing emails with hooked browser.
integration:
    phishing_frenzy:
        enable: false

# You may override default extension configuration parameters here
# Note: additional experimental extensions are available in the 'extensions' directory
#       and can be enabled via their respective 'config.yaml' file
extension:
    admin_ui:
        enable: true
        base_path: "/ui"
    demos:
        enable: true
    events:
        enable: true
    evasion:
        enable: false
    requester:
        enable: true
    proxy:
        enable: true
    network:
        enable: true
    metasploit:
        enable: false
    social_engineering:
        enable: true
    xssrays:
        enable: true

这是该虚拟主机的 NGINX 配置

server {
            server_name my.domain.org;
            set $upstream 172.17.0.1:3000;
        location / {
        proxy_pass_header Authorization;
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Connection “”;
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
        }
        listen 80;
        listen [::]:80;

        listen [::]:443 ssl; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/my.domain.org/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/my.domain.org/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    }

我确信 SSL 设置正确，因为我已经以多种方式调试和测试了所有内容。任何帮助将不胜感激。谢谢

Answer 1

遇到完全相同的问题，您的代理配置实际上帮助我解决了我自己的一个问题。
为了让它工作，你需要修改 ./core/main/client/net.js并将发送到 javascript 处理程序的协议(protocol)硬编码为 https .这将允许整个系统在没有 SSL 的情况下运行，但仍会生成 SSL 链接供您的反向代理处理。
显然是一个黑客，但它会让它匆忙工作。
./core/main/client/net.js:

port: "<%= @beef_port %>",
hook: "<%= @beef_hook %>",
httpproto: "https",//"<%= @beef_proto %>", //<- Hardcoded to HTTPS
handler: '/dh',
chop: 500,