Advocate Demo

This demo uses Advocate to stop outbound HTTP requests made by the web app from reaching anything on the LAN. See if you can get the contents of /secret/hello.txt from this webserver!



        

Settings

Address Validator

autodetect_local_addresses True
ip_blacklist set([])
ip_whitelist set([])
port_whitelist set([])
port_blacklist set([8080, 22])
hostname_blacklist set(['yahoo.com', '*.yahoo.com', 'foocorp.internal', '*.foocorp.internal'])
allow_ipv6 True
allow_teredo True
allow_6to4 True
allow_dns64 True

Network Interfaces

lo {'AF_INET6': ['::1'], 'AF_INET': ['127.0.0.1']}
lxcbr0 {'AF_INET': ['10.0.3.1']}
eth0 {'AF_INET6': ['2604:a880:800:10::1d2:8001', 'fe80::601:81ff:fe8a:c801%eth0'], 'AF_INET': ['104.131.162.128', '10.17.0.7']}

Interesting files

/etc/hosts

# Your system has configured 'manage_etc_hosts' as True.
# As a result, if you wish for changes to this file to persist
# then you will need to either
# a.) make changes to the master file in /etc/cloud/templates/hosts.tmpl
# b.) change or remove the value of 'manage_etc_hosts' in
#     /etc/cloud/cloud.cfg or cloud-config from user-data
# Static name-to-address mappings, typically consulted before DNS. Several
# names below resolve to loopback or link-local addresses, so a filter that
# inspects only the hostname would not flag them; an outbound-request check
# has to be applied to the address a name resolves to.
127.0.1.1 advocate-testing advocate-testing
127.0.0.1 localhost
# Names the link-local address that the interface listing shows on eth0;
# presumably added as a test case for the demo -- confirm.
fe80::601:81ff:fe8a:c801%eth0 advocate-link-local

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

/etc/nginx/sites-available/advocate

# Per-request access flag used by the /secret location. No source variable is
# given after `geo`, so nginx matches against $remote_addr (the address of the
# TCP peer), not against a client-supplied header such as X-Forwarded-For.
# The flag is 1 only for the addresses listed here and 0 for every other peer.
# Consequence: the check trusts any request that originates on this host,
# including one the web app itself makes, which is the SSRF exposure this demo
# relies on Advocate to close.
geo $secret_accessible {
  # Loopback, IPv4 and IPv6.
  127.0.0.1 1;
  ::1 1;
  # In reality, you would just bind to 127.0.0.1 and be done
  # with it if you wanted a local service, but let's keep
  # things interesting.
  # The next three entries are the addresses the interface listing shows on
  # eth0: public IPv4, global IPv6 and private IPv4.
  104.131.162.128 1;
  2604:a880:800:10::1d2:8001 1;  
  10.17.0.7 1;
  # Any other peer address is denied.
  default 0;
}

# Front-end virtual host: proxies to the upstream on 127.0.0.1:9000, serves
# static files, and serves the address-gated /secret tree.
server {
  # Default server for port 80 on IPv4, plus a separate IPv6 listener.
  listen 80 default;
  listen [::]:80;
  client_max_body_size 512K;
  # "_" is a placeholder name; together with `default` above, this server
  # answers requests for any Host value on the IPv4 listener.
  server_name _;

  keepalive_timeout 5;

  # Everything not matched by a more specific location is proxied to
  # 127.0.0.1:9000 (presumably the demo web app -- confirm).
  location / {
    # Appends the peer address to whatever X-Forwarded-For the client sent, so
    # earlier entries in that header are client-controlled and the upstream
    # should not treat them as verified.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Forwards the client's Host header to the upstream unchanged.
    proxy_set_header Host $http_host;
    proxy_redirect off;

    proxy_pass   http://127.0.0.1:9000;
    # NOTE(review): proxy_set_header adds this header to the request sent
    # upstream; it does not set Cache-Control on the response to the client.
    # If response caching was intended, add_header is the directive for
    # that -- confirm the intent.
    proxy_set_header Cache-Control "public, max-age=240, must-revalidate";
  }

  # Files are served from private-www only when the geo flag is 1. `root`
  # appends the full request URI, so /secret/hello.txt maps to
  # /home/advocate/private-www/secret/hello.txt.
  # For other peers the `if` body does not apply and no root is set in this
  # server block, so nginx uses whatever root it inherits or its built-in
  # default; presumably nothing exists there and the request ends in a
  # 404 -- verify.
  # NOTE(review): an explicit allow/deny list or `return 403` would state the
  # denial directly instead of relying on the fallback root being empty.
  location /secret {
    if ($secret_accessible) {
      root /home/advocate/private-www/;
    }
  }

  # Static assets of the web app, served straight from disk.
  location /static {
    root /home/advocate/advocate_example/webapp/;
  }

  # I won't be editing these
  # Regex location for minified assets: same root as /static, with a one-hour
  # Cache-Control response header.
  location ~ ^/static/.*\.min\..* {
    root /home/advocate/advocate_example/webapp/;
    add_header Cache-Control "public, max-age=3600, must-revalidate";
  }

  # Exact-match location for the error page referenced by error_page below.
  location = /500.html {
    root /home/advocate/advocate_example/webapp/static;
  }

  # Server errors and upstream failures are answered with the static page.
  error_page 500 502 503 504 /500.html;
}