A Pull-and-Play HTTPS Learning Lab in a Docker Container
Treq is a self-contained, educational web environment that demonstrates how data is exposed over HTTP and protected with HTTPS. Users explore hidden flags, simulate man-in-the-middle (MITM) attacks using tools like mitmproxy, and inspect how credentials and secrets behave across HTTP and HTTPS.
Learning Goals:
Understand the TLS handshake and HTTPS
See real-time differences between HTTP and HTTPS traffic
Practice intercepting and analyzing plaintext HTTP requests
Explore security headers, access control, and log interception
Docker installed locally
Optional: mitmproxy for traffic inspection
git clone https://github.com/your-username/treq.git
cd treq
Build the image:
docker build -t treq .
docker pull
Generate the required TLS files:
openssl genrsa -out treq.key 2048
openssl req -new -x509 -key treq.key -out treq.crt -days 365
openssl dhparam -out dhparam.pem 2048
Place these files in the nginx/ssl/ folder:
nginx/ssl/ ├── treq.key ├── treq.crt └── dhparam.pem
Use Docker to inject the TLS secrets without baking them into the image:
docker run -d
-p 80:80 -p 443:443
-v $(pwd)/nginx/ssl/treq.key:/etc/nginx/ssl/treq.key:ro
-v $(pwd)/nginx/ssl/treq.crt:/etc/nginx/ssl/treq.crt:ro
-v $(pwd)/nginx/ssl/dhparam.pem:/etc/nginx/ssl/dhparam.pem:ro
--name treq-server treq
Hosts File Setup
To access via https://treq.test, map the container IP in your system’s hosts file:
treq.test Visit URLs
http://treq.test → insecure version (interceptable)
https://treq.test → secure version (TLS encrypted)
📋 Help & Log Inspection /help.txt contains instructions for MITM testing using mitmproxy
/logs will show intercepted requests via HTTP (try: curl http://treq.test/logs)
Submit all discovered flags at /submit.html