Estimated Execution Time: 1 hour

Difficulty: Advanced

  • Working knowledge of PKI Structure required
  • Knowledge of SSH required
  • Knowledge of either SFTP or SCP required
  • Basic Linux understanding recommended

Target System: Debian 12

  • Project constructed using Debian 12
  • Project HAS been reproduced
  • Documentation peer review pending

Problem

Setting up HTTPS for internal services can be difficult, especially where properly validated TLS certificates are required for the service to function. AMP requires this so that traffic between AMP hosts is encrypted. Simply assigning a certificate issued by an internal CA is insufficient, because the application validates the certificate against the operating system's trust store. This is expected behaviour and is solved by installing the Certificate Authority certificates onto the host.

The challenge arose in getting the Docker containers to accept and use the CA certificates. When AMP first creates an instance, it sets up the host's CA certificates for the initial launch, allowing the instance to be configured for a short period. Once the instance restarts, the Docker container's state is reset and the image's own CA store takes over. Trust is lost because the internal CA is not present in the container.

Solution

To make the instance trust the internal Certificate Authority after every relaunch, the AMP host keeps a copy of its /etc/ssl folder in a separate location owned by the AMP service user (ampdata in this guide). That folder is then bind-mounted over /etc/ssl in the container, either when the instance is created or through the host's deployment defaults.

Requirements

Operating System and Software

This configuration has been tested on Debian 12. Instructions for Debian-based systems should be equivalent. Package names may differ between different repositories.

NGINX is used as the local reverse proxy server for the AMP hosts. A public-facing NGINX reverse proxy connects back to the AMP hosts. This creates a segmented network allowing for better access control between the DMZ and the server network.

This documentation assumes NGINX has already been set up for AMP and just needs modification.

PKI Certificates

Obtain a copy of the CA certificate chain. Each certificate should be PEM (Base64) encoded and saved with a .crt extension, since update-ca-certificates on Debian only processes files ending in .crt.

A certificate with the Server Authentication extended key usage must be issued for each AMP host, with the host's internal FQDN (AMPHost.ephemeralintel.local in the examples below) in the Subject Alternative Name, since both browsers and NGINX's upstream verification match on the SAN rather than the Common Name. The certificate and key must be in a format NGINX, or any other preferred proxy, supports.

Network Structure

This project assumes two AMP hosts, a Controller and a Target. This creates a complete approach to setting up the internal certificates. Each AMP host instance is configured with HTTP. A local reverse proxy is added to each AMP host to support HTTPS with the internal certificate. A final public-facing reverse proxy uses Let’s Encrypt for public trust, and internal CA trust to connect back to the AMP hosts.

Installation

CA Certificates

For each target server, connect to the host and copy the CA certificate over SCP or SFTP. SFTP software such as WinSCP provides a GUI for uploading files. Log in with a username and password; if you authenticate with an SSH key or certificate instead, refer to your operating system's scp documentation (the -i option on OpenSSH) or to WinSCP's advanced configuration, which supports keys and certificates.

Log into the server and copy the file into the local CA certificates folder, then rebuild the trust store. The commands below are for Debian 12 and run as root. The file must keep its .crt extension or update-ca-certificates ignores it. The output should include a line such as "1 added, 0 removed; done.", and /etc/ssl/certs/CA.pem appears as a symlink to the installed file. Perform this step on every system that talks directly to the AMP hosts, including the public-facing reverse proxy, which needs the CA to validate the AMP hosts' certificates.

    cp CA.crt /usr/local/share/ca-certificates/
    update-ca-certificates

Server Certificate Storage

Export the server certificate and its private key as two separate PEM (Base64) files. The key should end in .key or .pem and the certificate in .cer, .crt or .pem; the NGINX configuration below expects server.crt and server.key. Copy both to the AMP host (replace 127.0.0.1 with the host's address):

    scp server.crt admin@127.0.0.1:~/
    scp server.key admin@127.0.0.1:~/

Move the certificate and key to a safe location. I tend to set up a folder at /etc/nginx/certs and store them there; configure as needed. Keep privileges on the folder and on the key to a minimum to reduce the opportunity for key leakage. On Debian the nginx master process runs as root and reads the key at startup and on reload, so the key does not need to be readable by the www-data worker user; leaving it root-owned with mode 600 is tighter than handing it to www-data.

    mkdir -p /etc/nginx/certs
    mv ~/server.* /etc/nginx/certs/
    chown -R root:root /etc/nginx/certs
    chmod 700 /etc/nginx/certs
    chmod 600 /etc/nginx/certs/server.key
    chmod 644 /etc/nginx/certs/server.crt

NGINX Configuration

Two NGINX configurations are involved. The local reverse proxy on each AMP host terminates TLS with the internal certificate and forwards to the AMP instance over HTTP on localhost. The public-facing reverse proxy terminates TLS with the Let's Encrypt certificate and connects back to the AMP host over HTTPS, validating the internal certificate against the CA installed in the previous section.

Local NGINX Configuration File

    server {
        server_name AMPHost.ephemeralintel.local;

        listen 443 ssl http2;          # Internal CA certificate
        listen [::]:443 ssl http2;
        ssl_certificate     /etc/nginx/certs/server.crt;
        ssl_certificate_key /etc/nginx/certs/server.key;
        ssl_protocols TLSv1.2 TLSv1.3;

        client_max_body_size 10240M;
        proxy_request_buffering off;
        proxy_buffering off;
        proxy_pass_request_body on;

        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_http_version      1.1;
            proxy_set_header        Host $host;
            proxy_set_header        X-Real-IP $remote_addr;
            # Append rather than overwrite: the public proxy already recorded the client address.
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        Upgrade $http_upgrade;
            proxy_set_header        Connection $http_connection;
            proxy_set_header        X-AMP-Scheme $scheme;
            proxy_read_timeout      86400s;
            proxy_send_timeout      86400s;
            proxy_redirect          off;
            error_page 502 503 504 /NotRunning.html;

            location = /NotRunning.html {
                # Only used for the JSON error below; NotRunning.html itself is typed by its extension.
                default_type application/json;
                if ($http_accept ~ json) {
                    return 502 '{"Status": false, "Reason": "This AMP instance is offline or in maintenance mode.", "ErrorCode": 502, "success": false, "resultReason": "The authentication server is offline or in maintenance mode."}';
                }
                root /opt/cubecoders/amp/shared/WebRoot;
                internal;
            }

            location /shared/ {
                alias /opt/cubecoders/amp/shared/WebRoot/;
            }
        }
    }

    server {
        listen 80;
        listen [::]:80;
        server_name AMPHost.ephemeralintel.local;
        return 301 https://$host$request_uri;
    }

				
Public NGINX Configuration File

    server {
        listen 80;
        listen [::]:80;
        server_name controller.ephemeralintel.com;   # Public FQDN
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name controller.ephemeralintel.com;

        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_protocols TLSv1.2 TLSv1.3;

        # Publicly trusted certificate for the public FQDN
        ssl_certificate     /etc/letsencrypt/live/controller.ephemeralintel.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/controller.ephemeralintel.com/privkey.pem;

        location / {
            proxy_pass https://controller.ephemeralintel.local;
            # Present the .local name to the AMP host; otherwise the controller rejects the .com Host header.
            proxy_set_header        Host controller.ephemeralintel.local;
            # First hop: use the connection address, never a client-supplied X-Forwarded-For.
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $remote_addr;
            proxy_set_header        Upgrade $http_upgrade;
            proxy_set_header        Connection $http_connection;
            proxy_http_version      1.1;
            proxy_read_timeout      86400s;
            proxy_send_timeout      86400s;

            # Validate the AMP host's internal certificate. NGINX does not verify upstream
            # certificates by default, so without these directives any certificate would be
            # accepted and installing the internal CA would add nothing.
            proxy_ssl_verify              on;
            proxy_ssl_verify_depth        2;
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
            proxy_ssl_server_name         on;
            proxy_ssl_name                controller.ephemeralintel.local;
            proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        }
    }


Trusted CA Copy

Creating a copy of the trusted Certificate Authority store is straightforward. For the purposes of this guide the copy lives under the AMP service user's home folder, again with least-privilege permissions and the ampdata user as owner. Two caveats apply. First, /etc/ssl/private holds the host's own private keys (the ssl-cert package's snakeoil key, for example) and has no business inside a game-server container, so it is removed from the copy. Second, the copy is a snapshot: it must be refreshed whenever update-ca-certificates runs on the host (a new internal CA, or a ca-certificates package upgrade), or the containers keep trusting the old store. Note that cp -a preserves the symlinks in /etc/ssl/certs, which point at /usr/share/ca-certificates and /usr/local/share/ca-certificates on the host; those paths do not exist in the container, but the concatenated bundle /etc/ssl/certs/ca-certificates.crt is a regular file and is what most clients read, so the copy still works. Add -L to cp to dereference the links if a tool inside the container needs the hashed directory.

    mkdir -p /home/ampdata/ssl
    cp -a /etc/ssl/. /home/ampdata/ssl/
    rm -rf /home/ampdata/ssl/private        # never carry host private keys into the container
    chmod 700 /home/ampdata/ssl
    chown -R ampdata:ampdata /home/ampdata/ssl

Docker Deployment Defaults

Log into the AMP target, or go through the controller and select “Manage” on the AMP target’s name. Do note that this is not the game instance itself, but the host.

On the left hand side, navigate to Configuration > Instance Deployment. Select Deployment Defaults at the top.

Navigate to Mount Bindings and add a binding with /home/ampdata/ssl as the host path and /etc/ssl as the container path. Deployment defaults apply to instances created after the change.
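The copy made above is a snapshot, and nothing in the steps so far proves that a container actually trusts the internal CA. The script below is an added example written for this guide, not part of AMP or its documentation. Its refresh subcommand re-mirrors /etc/ssl into the bind-mount source in place (dereferencing the symlinks in certs/, which on the host point at /usr/share/ca-certificates and /usr/local/share/ca-certificates, paths the container image does not have, and dropping the host's private/ directory). The check subcommand compares certificate fingerprints between the host bundle and the copied bundle, so a stale copy is caught after update-ca-certificates runs again. The verify subcommand performs the handshake a container would, validating the chain served by a local reverse proxy against the copied store. The paths and the ampdata user follow this guide; the script name ampssl-copy.sh and the CA_SRC, CA_DST and CA_OWNER variables are assumptions made for this example.

```shell
#!/bin/sh
# ampssl-copy.sh: keep the bind-mounted copy of /etc/ssl in step with the host
# trust store and verify what the AMP hosts actually serve. Added example for
# this guide, not part of AMP. Paths, the ampdata user and the variable names
# are this guide's assumptions; override them with CA_SRC, CA_DST and CA_OWNER.
set -eu

SRC="${CA_SRC:-/etc/ssl}"
DST="${CA_DST:-/home/ampdata/ssl}"
OWNER="${CA_OWNER:-ampdata}"

# Print the SHA-256 fingerprint (hex) of every certificate in a PEM bundle,
# one per line, sorted. Only the Base64 body between the markers is decoded
# and hashed, which is the same DER that "openssl x509 -fingerprint" hashes.
pem_fingerprints() {
    awk '/-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
         /-----END CERTIFICATE-----/   { inside = 0; print body; next }
         inside                         { body = body $0 }' "$1" |
    while IFS= read -r body; do
        [ -n "$body" ] || continue
        printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
    done | sort -u
}

# Fingerprints present in the host bundle ($1) but absent from the copy ($2).
# A non-empty result means the copy is stale: update-ca-certificates ran on
# the host (new internal CA, or a ca-certificates package upgrade) and the
# containers have not seen the change.
missing_from_copy() {
    host_fp=$(mktemp); copy_fp=$(mktemp)
    pem_fingerprints "$1" > "$host_fp"
    pem_fingerprints "$2" > "$copy_fp"
    comm -23 "$host_fp" "$copy_fp"
    rm -f "$host_fp" "$copy_fp"
}

# Mirror $SRC into $DST in place: the bind mount keeps pointing at the same
# directory, so running containers see the refreshed files. -L dereferences
# the symlinks in certs/ so the container gets real files instead of links
# into /usr/share/ca-certificates, which its image does not have. The host's
# private key directory is deliberately never carried into the copy.
refresh_copy() {
    mkdir -p "$DST"
    cp -rL "$SRC/." "$DST/"
    rm -rf "$DST/private"
    chmod 700 "$DST"
    if id "$OWNER" >/dev/null 2>&1; then
        chown -R "$OWNER:" "$DST"
    else
        echo "warning: user $OWNER not found; ownership of $DST left unchanged" >&2
    fi
}

# Handshake with a local reverse proxy ($1 = host:port) and require the served
# chain to validate against the copied store, i.e. what a container would use.
verify_served_chain() {
    name="${1%%:*}"
    openssl s_client -connect "$1" -servername "$name" -verify_return_error \
        -CAfile "$DST/certs/ca-certificates.crt" </dev/null >/dev/null 2>&1
}

case "${1:-}" in
    refresh) refresh_copy ;;
    check)
        n=$(missing_from_copy "$SRC/certs/ca-certificates.crt" \
                              "$DST/certs/ca-certificates.crt" | wc -l | tr -d ' ')
        echo "$n certificate(s) trusted on the host are missing from $DST"
        [ "$n" -eq 0 ] ;;
    verify)
        target="${2:?usage: $0 verify host:port}"
        if verify_served_chain "$target"; then
            echo "$target: chain validates against $DST/certs/ca-certificates.crt"
        else
            echo "$target: chain does NOT validate against the copied store" >&2
            exit 1
        fi ;;
    '') ;;   # no subcommand: only define the functions (e.g. when sourced)
    *) echo "usage: $0 refresh|check|verify host:port" >&2; exit 64 ;;
esac
```

Run ampssl-copy.sh refresh as root after every update-ca-certificates, ampssl-copy.sh check from cron or a monitoring hook (exit status 1 means the containers are behind the host), and ampssl-copy.sh verify AMPHost.ephemeralintel.local:443 from the AMP host once NGINX is up. A failing verify means the local proxy is serving a certificate that does not chain to anything in the copied store, which is exactly what the instance will see after its next restart.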

Contributors

Edward Anguiano
