Version bump

Author: Al-Azif

README.md

@@ -1,6 +1,6 @@
 # Exploit Host HTTP
 
-Purpose made HTTP Docker file setup for hosting exploits for the web browser for Sony PlayStation devices and the Nintendo WiiU/Switch. This essentially has to be used with the [Exploit Host DNS](https://github.com/Al-Azif/exploit-host-DNS) component. It's possible to use it "standalone", but will require something to make the browser send the correct `Host` header with it's HTTP(S) requests.
+Purpose made HTTP Docker file setup for hosting exploits for the web browser for Sony PlayStation devices and the Nintendo Wii/WiiU/Switch. This essentially has to be used with the [Exploit Host DNS](https://github.com/Al-Azif/exploit-host-DNS) component. It's possible to use it "standalone", but will require something to make the browser send the correct `Host` header with it's HTTP(S) requests.
 
 ## Features
 
@@ -16,7 +16,7 @@ When used in conjunction with [Exploit Host DNS](https://github.com/Al-Azif/expl
 
 ## Usage
 
-This is setup to work right out of the box with [Exploit Host DNS](https://github.com/Al-Azif/exploit-host-DNS). However there are lots of options for your individual hosting wants/needs. I'll only show the basic usage here.
+This is setup to work right out of the box with [Exploit Host DNS](https://github.com/Al-Azif/exploit-host-DNS). There are a lot of options for your individual hosting wants/needs; however, I'll only show the basic usage here.
 
 ### Command Line
 
@@ -26,7 +26,7 @@ This command will always pull the latest image from Docker Hub, run on the main
 
 ### Composer
 
-This composer file will do the same as the commands above.
+This composer file will do the same as the command above.
 
 ```yml
 ---
@@ -47,21 +47,21 @@ Start the compose file by calling `docker compose up -d` from the same location
 
 ## Options (Environment Variables)
 
-| Option                          | Default       | Type    | Info            |
-|:--------------------------------|:--------------|:--------|:----------------|
-| DEBUG                           | `false`       | boolean | Show debug output for `entrypoint.sh` in the Docker log. |
-| ROOT_DOMAIN                     | `the.gate`    | string  | |
-| NGINX_ACCESS_LOG                | `false`       | boolean | |
-| NGINX_ERROR_LOG                 | `false`       | boolean | |
-| NGINX_ERROR_LOG_LEVEL           | `warn`        | string  | |
-| REDIRECT_TYPE                   | `http`        | string  | |
-| HIJACK_URL                      | `ROOT_DOMAIN` | string  | |
-| TLS                             | `self`        | string  | |
-| CF_IP_CORRECTION                | `false`       | boolean | |
-| CF_STRICT                       | `false`       | boolean | |
-| OCSP_STAPLING                   | `false`       | boolean | |
-| SEVER_HASH_BUCKET_SIZE_OVERRIDE | `false`       | boolean | |
-| HEALTHCHECK_BYPASS              | `false`       | boolean | |
+| Option                          | Default       | Type           | Info     |
+|:--------------------------------|:--------------|:---------------|:---------|
+| DEBUG                           | `false`       | boolean        | Show debug output for `entrypoint.sh` in the Docker log. |
+| REDIRECT_TYPE                   | `http`        | string         | The protocol that is used for the hijacked landing page redirect. Valid values are `http` and `https`. |
+| ROOT_DOMAIN                     | `the.gate`    | string         | The root domain that is used for  hijacked landing page redirect. This is **ONLY** the domain itself. |
+| ROOT_DOMAIN_PATH                | none          | string         | Additional path to append to root domain for redirect. If needed you can add an alternative port here as well. |
+| HIJACK_URL                      | none          | string         | Rather than hosting the hijacked landing page just redirect the request to another domain hosted elsewhere. If this is set, `ROOT_DOMAIN` and `ROOT_DOMAIN_PATH` are ignored. |
+| NGINX_ACCESS_LOG                | `false`       | boolean        | Enables the NGINX access log, located at `/var/log/nginx/access.log` |
+| NGINX_ERROR_LOG                 | `false`       | boolean        | Enables the NGINX error log, located at `/var/log/nginx/error.log` |
+| NGINX_ERROR_LOG_LEVEL           | `warn`        | string         | The error log level for the NGINX error log. Valid values are `debug`, `info`, `notice`, `warn`, `error`, `crit`, `alert`, `emerg`. Ignored if `NGINX_ERROR_LOG` is `false` |
+| TLS                             | `self`        | string         | Valid values are `self`, `letsencrypt`, and `mount`. |
+| CF_IP_CORRECTION                | `false`       | boolean        | Automatically correct CloudFlare IP addresses to the real IP address for logging. |
+| CF_STRICT                       | `false`       | boolean        | |
+| OCSP_STAPLING                   | `false`       | boolean        | |
+| SEVER_HASH_BUCKET_SIZE_OVERRIDE | `false`       | boolean        | Overrides the `server_names_hash_bucket_size` option in NGINX to be `64`. Some systems have `32` as the default and that is not enough for our usage |
 
 ## TODO
 

entrypoint.sh

@@ -4,18 +4,17 @@ set -e
 
 # Input defaults and text to lower case
 DEBUG=${DEBUG:-"false"} && DEBUG=$(echo "$DEBUG" | tr "[:upper:]" "[:lower:]")
+REDIRECT_TYPE=${REDIRECT_TYPE:-"http"} && REDIRECT_TYPE=$(echo "$REDIRECT_TYPE" | tr "[:upper:]" "[:lower:]")
 ROOT_DOMAIN=${ROOT_DOMAIN:-"the.gate"} && ROOT_DOMAIN=$(echo "$ROOT_DOMAIN" | tr "[:upper:]" "[:lower:]")
+ROOT_DOMAIN_PATH=${ROOT_DOMAIN_PATH:-""}
 NGINX_ACCESS_LOG=${NGINX_ACCESS_LOG:-"false"} && NGINX_ACCESS_LOG=$(echo "$NGINX_ACCESS_LOG" | tr "[:upper:]" "[:lower:]")
 NGINX_ERROR_LOG=${NGINX_ERROR_LOG:-"false"} && NGINX_ERROR_LOG=$(echo "$NGINX_ERROR_LOG" | tr "[:upper:]" "[:lower:]")
 NGINX_ERROR_LOG_LEVEL=${NGINX_ERROR_LOG_LEVEL:-"warn"} && NGINX_ERROR_LOG_LEVEL=$(echo "$NGINX_ERROR_LOG_LEVEL" | tr "[:upper:]" "[:lower:]")
-REDIRECT_TYPE=${REDIRECT_TYPE:-"http"} && REDIRECT_TYPE=$(echo "$REDIRECT_TYPE" | tr "[:upper:]" "[:lower:]")
-HIJACK_URL=${HIJACK_URL:-"${ROOT_DOMAIN}"}
 TLS=${TLS:-"self"} && TLS=$(echo "$TLS" | tr "[:upper:]" "[:lower:]")
 CF_IP_CORRECTION=${CF_IP_CORRECTION:-"false"} && CF_IP_CORRECTION=$(echo "$CF_IP_CORRECTION" | tr "[:upper:]" "[:lower:]")
 CF_STRICT=${CF_STRICT:-"false"} && CF_STRICT=$(echo "$CF_STRICT" | tr "[:upper:]" "[:lower:]")
 OCSP_STAPLING=${OCSP_STAPLING:-"false"} && OCSP_STAPLING=$(echo "$OCSP_STAPLING" | tr "[:upper:]" "[:lower:]")
 SEVER_HASH_BUCKET_SIZE_OVERRIDE=${SEVER_HASH_BUCKET_SIZE_OVERRIDE:-"false"} && SEVER_HASH_BUCKET_SIZE_OVERRIDE=$(echo "$SEVER_HASH_BUCKET_SIZE_OVERRIDE" | tr "[:upper:]" "[:lower:]")
-HEALTHCHECK_BYPASS=${HEALTHCHECK_BYPASS:-"false"} && HEALTHCHECK_BYPASS=$(echo "$HEALTHCHECK_BYPASS" | tr "[:upper:]" "[:lower:]")
 
 # Input validation
 if [ "$DEBUG" != "true" ] && [ "$DEBUG" != "false" ]; then
@@ -53,20 +52,6 @@ if [ "$REDIRECT_TYPE" != "http" ] && [ "$REDIRECT_TYPE" != "https" ]; then
   exit 1
 fi
 
-if [ -n "$HTTP_REDIRECT_PORT" ]; then
-  if [ "$HTTP_REDIRECT_PORT" -lt 0 ] || [ "$HTTP_REDIRECT_PORT" -gt 65535 ]; then
-    echo "[!] Invalid option for HTTP_REDIRECT_PORT, expected 0 through 65535"
-    exit 1
-  fi
-fi
-
-if [ -n "$HTTPS_REDIRECT_PORT" ]; then
-  if [ "$HTTPS_REDIRECT_PORT" -lt 0 ] || [ "$HTTPS_REDIRECT_PORT" -gt 65535 ]; then
-    echo "[!] Invalid option for HTTPS_REDIRECT_PORT, expected 0 through 65535"
-    exit 1
-  fi
-fi
-
 if [ "$TLS" != "self" ] && [ "$TLS" != "letsencrypt" ] && [ "$TLS" != "mount" ]; then
   echo "[!] Invalid option for TLS, expected \"self\", \"letsencrypt\", \"mount\""
   exit 1
@@ -97,39 +82,22 @@ if [ "$OCSP_STAPLING" != "true" ] && [ "$OCSP_STAPLING" != "false" ]; then
   exit 1
 fi
 
-if [ "$HEALTHCHECK_BYPASS" != "true" ] && [ "$HEALTHCHECK_BYPASS" != "false" ]; then
-  echo "[!] Invalid option for HEALTHCHECK_BYPASS, expected \"true\" or \"false\""
-  exit 1
-fi
-
 if [ "$DEBUG" = "true" ]; then
   echo "=== DEBUG ====================================================="
-  if [ "$ROOT_DOMAIN" = "$HIJACK_URL" ]; then
-    echo "ROOT_DOMAIN » $ROOT_DOMAIN"
-  else
-    echo "HIJACK_URL » $HIJACK_URL"
-  fi
+  echo "REDIRECT_TYPE » $REDIRECT_TYPE"
+  echo "ROOT_DOMAIN » $ROOT_DOMAIN"
+  echo "ROOT_DOMAIN_PATH » $ROOT_DOMAIN_PATH"
   echo "NGINX_ACCESS_LOG » $NGINX_ACCESS_LOG"
   echo "NGINX_ERROR_LOG » $NGINX_ERROR_LOG"
   echo "NGINX_ERROR_LOG_LEVEL » $NGINX_ERROR_LOG_LEVEL"
   echo "SEVER_HASH_BUCKET_SIZE_OVERRIDE » $SEVER_HASH_BUCKET_SIZE_OVERRIDE"
-  if [ "$ROOT_DOMAIN" = "$HIJACK_URL" ]; then
-    echo "REDIRECT_TYPE » $REDIRECT_TYPE"
-    if [ "$REDIRECT_TYPE" != "http" ] && [ -n "$HTTP_REDIRECT_PORT" ]; then
-      echo "HTTP_REDIRECT_PORT » $HTTP_REDIRECT_PORT"
-    fi
-    if [ "$REDIRECT_TYPE" != "https" ] && [ -n "$HTTPS_REDIRECT_PORT" ]; then
-      echo "HTTPS_REDIRECT_PORT » $HTTPS_REDIRECT_PORT"
-    fi
-  fi
   echo "TLS » $TLS"
   if [ -n "$CERTBOT_EMAIL" ]; then
     echo "CERTBOT_EMAIL » $CERTBOT_EMAIL"
   fi
   echo "CF_IP_CORRECTION » $CF_IP_CORRECTION"
   echo "CF_STRICT » $CF_STRICT"
   echo "OCSP_STAPLING » $OCSP_STAPLING"
-  echo "HEALTHCHECK_BYPASS » $HEALTHCHECK_BYPASS"
   echo "==============================================================="
 fi
 
@@ -138,14 +106,8 @@ if [ -n "$REDIRECT_TYPE" ]; then
   export REDIRECT_TYPE=$REDIRECT_TYPE
 fi
 
-if [ "$ROOT_DOMAIN" = "$HIJACK_URL" ]; then
-  if [ -n "$HTTP_REDIRECT_PORT" ]; then
-    export HTTP_REDIRECT_PORT=$HTTP_REDIRECT_PORT
-  fi
-
-  if [ -n "$HTTPS_REDIRECT_PORT" ]; then
-    export HTTPS_REDIRECT_PORT=$HTTPS_REDIRECT_PORT
-  fi
+if [ -n "$ROOT_DOMAIN_PATH" ]; then
+  export ROOT_DOMAIN_PATH=$ROOT_DOMAIN_PATH
 fi
 
 # Delete all files in sites-available and sites-enabled. In case this isn't fresh instance
@@ -155,14 +117,7 @@ rm -rf /etc/nginx/sites-enabled/* 2> /dev/null || true
 # Copy (while overwriting files) from /etc/nginx/templates into /etc/nginx/
 cp -rf /etc/nginx/templates/* /etc/nginx
 
-if [ "$ROOT_DOMAIN" = "$HIJACK_URL" ]; then
-  echo "[-] Using \"$ROOT_DOMAIN\" to host"
-else
-  echo "[-] Redirecting hijacked page to \"$REDIRECT_TYPE://$HIJACK_URL\""
-  if [ -f /etc/nginx/sites-available/ROOT_DOMAIN ]; then
-    rm -f /etc/nginx/sites-available/ROOT_DOMAIN
-  fi
-fi
+echo "[-] Using \"$REDIRECT_TYPE://$ROOT_DOMAIN$ROOT_DOMAIN_PATH\" as host"
 
 # Setup Cloudflare IP correction
 if [ "$CF_IP_CORRECTION" = "false" ]; then
@@ -218,13 +173,7 @@ done
 # Replace variables in the files in the `/etc/nginx/sites-available/` directory
 echo "[-] Replacing variables in vHost files..."
 for file in /etc/nginx/sites-available/*; do
-  if [ "$ROOT_DOMAIN" = "$HIJACK_URL" ]; then
-    sed -i "s/{{ROOT_DOMAIN}}/$ROOT_DOMAIN/g" "$file"
-  else
-    # TODO: Escape all?
-    ESCAPED_URL=$(printf '%s\n' "$HIJACK_URL" | sed -e 's/[]\/$*.^[]/\\&/g');
-    sed -i "s/{{ROOT_DOMAIN}}/$ESCAPED_URL/g" "$file"
-  fi
+  sed -i "s/{{ROOT_DOMAIN}}/$ROOT_DOMAIN/g" "$file"
 
   # TODO: Bind to IPv4 interface if it's available
 

healthcheck.sh

@@ -1,10 +1,6 @@
 #!/bin/ash
 # shellcheck shell=dash
 
-if [ "$HEALTHCHECK_BYPASS" = "true" ]; then
-  exit 0
-fi
-
 # Check Nintendo Landing Pages
 
 # Check PlayStation Landing Pages

nginx/nginx.conf

@@ -8,8 +8,7 @@ pcre_jit on;
 
 # Needed to read environmental variable in hijacked-landing-pages
 env REDIRECT_TYPE;
-env HTTP_REDIRECT_PORT;
-env HTTPS_REDIRECT_PORT;
+env ROOT_DOMAIN_PATH;
 
 events {
   multi_accept on;
@@ -78,8 +77,8 @@ http {
   # Logging Settings
   ##
 
-  access_log off; # /var/log/nginx/nginx-access.log;
-  error_log /dev/null; # /var/log/nginx/nginx-error.log {{NGINX_ERROR_LOG_LEVEL}};
+  access_log off; # /var/log/nginx/access.log;
+  error_log /dev/null; # /var/log/nginx/error.log {{NGINX_ERROR_LOG_LEVEL}};
 
   ##
   # Compression Settings

nginx/vhosts/hijacked-landing-pages

@@ -26,24 +26,11 @@ server {
     return os.getenv("REDIRECT_TYPE");
   }
 
-  set_by_lua_block $HTTP_REDIRECT_PORT {
-    return os.getenv("HTTP_REDIRECT_PORT");
-  }
-  if ($HTTP_REDIRECT_PORT) {
-    set $HTTP_REDIRECT_PORT ":$HTTP_REDIRECT_PORT";
+  set_by_lua_block $ROOT_DOMAIN_PATH {
+    return os.getenv("ROOT_DOMAIN_PATH");
   }
 
-  set_by_lua_block $HTTPS_REDIRECT_PORT {
-    return os.getenv("HTTPS_REDIRECT_PORT");
-  }
-  if ($HTTPS_REDIRECT_PORT) {
-    set $HTTPS_REDIRECT_PORT ":$HTTPS_REDIRECT_PORT";
-  }
-
-  set $REDIRECT_URL "$REDIRECT_TYPE://{{ROOT_DOMAIN}}$HTTP_REDIRECT_PORT";
-  if ($REDIRECT_TYPE = https) {
-    set $REDIRECT_URL "$REDIRECT_TYPE://{{ROOT_DOMAIN}}$HTTPS_REDIRECT_PORT";
-  }
+  set $REDIRECT_URL "$REDIRECT_TYPE://{{ROOT_DOMAIN}}$ROOT_DOMAIN_PATH";
 
   set $REDIRECT "<!DOCTYPE html>";
   set $REDIRECT "${REDIRECT}<html manifest=\"/redirect.manifest\">";
@@ -107,7 +94,44 @@ server {
   }
 
   location / {
-    return 403;
+    return 444;
+  }
+
+  include general.conf;
+}
+
+server {
+  charset utf-8;
+  chunked_transfer_encoding on;
+
+  include error.conf;
+  error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 @error_html;
+
+  listen 0.0.0.0:80;
+  listen 0.0.0.0:443 ssl http2;
+  #{{IPV6}} listen [::]:80;
+  #{{IPV6}} listen [::]:443 ssl http2;
+  server_name cfh.wapp.wii.com;
+
+  ssl_certificate /etc/nginx/certs/snakeoil.crt;
+  ssl_certificate_key /etc/nginx/certs/private/snakeoil.key;
+
+  set_by_lua_block $REDIRECT_TYPE {
+    return os.getenv("REDIRECT_TYPE");
+  }
+
+  set_by_lua_block $ROOT_DOMAIN_PATH {
+    return os.getenv("ROOT_DOMAIN_PATH");
+  }
+
+  set $REDIRECT_URL "$REDIRECT_TYPE://{{ROOT_DOMAIN}}$ROOT_DOMAIN_PATH";
+
+  location ~* "^/eula/[0-9]{3}/[a-z]{2}\.html" {
+    return 302 $REDIRECT_URL/;
+  }
+
+  location / {
+    return 444;
   }
 
   include general.conf;

nginx/vhosts/ps-net-tests

@@ -56,7 +56,7 @@ server {
   }
 
   location / {
-    return 403;
+    return 444;
   }
 
   include general.conf;

nginx/vhosts/ps-sys-updates

@@ -86,7 +86,7 @@ server {
   }
 
   location / {
-    return 403;
+    return 444;
   }
 
   include general.conf;