Development.md

File metadata and controls

308 lines (250 loc) · 7.55 KB

Development and Testing

Testing

go test ./...

Running locally

This section describes how to run Smokescreen locally in several configurations, using curl as the client. All of the configurations below are for local development only: in particular, `allow_missing_role: true` disables client identity checks (no mTLS, every caller gets the `default` ACL) and must not be carried over into a real deployment.

HTTP Proxy

Configurations

# config.yaml
---
# Local-only: with no `tls` section, any client that can reach the listener is
# accepted without a role and is governed by the `default` ACL entry below.
allow_missing_role: true  # skip mTLS client validation (use default ACL)
# acl.yaml
---
version: v1
services: []
default:
  name: default
  project: security
  # With `enforce`, only the domains listed in allowed_domains are expected to
  # pass; use a host that is not listed to confirm the deny path works.
  action: enforce
  allowed_domains: 
    - example.com

Run

# Run smokescreen (in a different shell)
go run . --config-file config.yaml --egress-acl-file acl.yaml

# Curl
curl -x localhost:4750 http://example.com
# Curl with ALL_PROXY
ALL_PROXY=localhost:4750 curl -v http://example.com
# Negative check: repeat either request against a host that is not in
# allowed_domains (e.g. http://example.org); the proxy should refuse it.

HTTP CONNECT Proxy

Configurations

# config.yaml
---
# Local-only: no client certificate is required, every caller is governed by
# the `default` ACL entry below.
allow_missing_role: true  # skip mTLS client validation (use default ACL)
# acl.yaml
---
version: v1
services: []
default:
  name: default
  project: security
  # CONNECT requests are checked against the requested host, so only
  # api.github.com is expected to be tunnelled; other hosts should be refused.
  action: enforce
  allowed_domains: 
    - api.github.com

Run

# Run smokescreen (in a different shell)
go run . --config-file config.yaml --egress-acl-file acl.yaml

# Curl (--proxytunnel forces an HTTP CONNECT through the proxy)
curl --proxytunnel -x localhost:4750 https://api.github.com/zen
# Curl with HTTPS_PROXY
HTTPS_PROXY=localhost:4750 curl https://api.github.com/zen
# Negative check: a CONNECT to a host outside allowed_domains should be refused.

Monitor metrics Smokescreen emits

Configurations

# config.yaml
---
# Local-only: no client certificate is required, every caller is governed by
# the `default` ACL entry below.
allow_missing_role: true  # skip mTLS client validation (use default ACL)
# Metrics are emitted over UDP to this address; the nc listener in the Run
# step below prints them. Bound to loopback so nothing leaves the host.
statsd_address: 127.0.0.1:8200
# acl.yaml
---
version: v1
services: []
default:
  name: default
  project: security
  action: enforce
  allowed_domains: 
    - api.github.com

Run

# Listen to a local port with nc (in a different shell)
# -u UDP, -l listen, -k keep accepting datagrams after the first, -v verbose
nc -uklv 127.0.0.1 8200

# Run smokescreen (in a different shell)
go run . --config-file config.yaml --egress-acl-file acl.yaml

# Curl (each request should produce metric lines in the nc shell)
curl --proxytunnel -x localhost:4750 https://api.github.com/zen
# Curl with HTTPS_PROXY
HTTPS_PROXY=localhost:4750 curl https://api.github.com/zen

HTTP CONNECT Proxy over TLS

Set-up

Generate certificates
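mkdir -p mtls_setup
# Everything under mtls_setup/ is throwaway test material: the private keys are
# written unencrypted (-nodes). Keep the directory out of version control.

# Private keys for CAs
openssl genrsa -out mtls_setup/server-ca.key 2048
openssl genrsa -out mtls_setup/client-ca.key 2048

# Generate client and server CA certificates. Two separate CAs are used so that
# the CA curl trusts for the proxy's own certificate (--proxy-cacert) is not the
# one that can mint client identities (tls.client_ca_files in config.yaml).
openssl req -new -x509 -nodes -days 1000 -key mtls_setup/server-ca.key -out mtls_setup/server-ca.crt \
    -subj "/C=AQ/ST=Petrel Island/L=Dumont-d'Urville/O=Penguin/OU=Publishing house/CN=server CA"

openssl req -new -x509 -nodes -days 1000 -key mtls_setup/client-ca.key -out mtls_setup/client-ca.crt \
    -subj "/C=MA/ST=Tarfaya/L=Tarfaya/O=Fennec/OU=Aviator/CN=Client CA"

# Generate the certificate signing requests. The client CN is "localhost":
# smokescreen uses the client certificate's CN as the service name by default,
# so it has to match the service `name` entry in acl.yaml.
openssl req -newkey rsa:2048 -nodes -keyout mtls_setup/server.key -out mtls_setup/server.req \
    -subj "/C=AQ/ST=Petrel Island/L=Dumont-d'Urville/O=Chionis/OU=Publishing house/CN=server req"
openssl req -newkey rsa:2048 -nodes -keyout mtls_setup/client.key -out mtls_setup/client.req \
    -subj "/C=MA/ST=Tarfaya/L=Tarfaya/O=Addax/OU=Writer/CN=localhost"

# Extensions for the server certificate: end-entity only (CA:FALSE) and a SAN of
# localhost, which is the name curl checks when the proxy URL is https://localhost:4750.
echo "authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
" > mtls_setup/localhost.ext

# Have the CAs sign the certificate requests and output the certificates.
openssl x509 -req -in mtls_setup/server.req -days 1000 -CA mtls_setup/server-ca.crt -CAkey mtls_setup/server-ca.key -set_serial 01 -out mtls_setup/server.crt -extfile mtls_setup/localhost.ext

openssl x509 -req -in mtls_setup/client.req -days 1000 -CA mtls_setup/client-ca.crt -CAkey mtls_setup/client-ca.key -set_serial 01 -out mtls_setup/client.crt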
Configurations
# config.yaml
---
# No allow_missing_role here: a client must present a certificate that chains to
# one of client_ca_files, and the certificate's CN selects its `services` entry.
tls:
  cert_file: "mtls_setup/server.crt"
  key_file: "mtls_setup/server.key"
  client_ca_files:
    - "mtls_setup/client-ca.crt"
# acl.yaml
---
version: v1
services:
  # Must equal the CN of mtls_setup/client.crt generated above.
  - name: localhost
    project: github
    action: enforce
    allowed_domains:
      - api.github.com
# An authenticated client with no matching services entry falls through to
# default, which lists no domains and so is expected to allow nothing.
default:
  name: default
  project: security
  action: enforce
  allowed_domains: []

Run

# Run smokescreen (in a different shell)
go run . --config-file config.yaml --egress-acl-file acl.yaml

# Curl
# --proxy-cacert pins the CA for the proxy's own certificate; --proxy-cert /
# --proxy-key supply the client identity (CN=localhost) checked against acl.yaml.
curl --proxytunnel -x https://localhost:4750 --proxy-cacert mtls_setup/server-ca.crt --proxy-cert mtls_setup/client.crt --proxy-key mtls_setup/client.key https://api.github.com/zen
# Curl with HTTPS_PROXY
HTTPS_PROXY=https://localhost:4750 curl --proxy-cacert mtls_setup/server-ca.crt --proxy-cert mtls_setup/client.crt --proxy-key mtls_setup/client.key https://api.github.com/zen
# Negative check: omit --proxy-cert/--proxy-key; the proxy should reject the
# connection rather than fall back to the default ACL.

MITM (Man in the middle) Proxy

Set-up

# config.yaml
---
# Local-only: no client certificate is required, every caller is governed by
# the `default` ACL entry below.
allow_missing_role: true  # skip mTLS client validation (use default ACL)
# Re-using goproxy library CA and key
# WARNING: this CA and its private key are shipped inside a vendored public
# library, so the key is effectively public. Anything that trusts ca.pem can be
# impersonated by anyone. Pass it to curl with --cacert for this test only;
# never install it in a system or browser trust store, and generate a private
# MITM CA for any non-throwaway setup.
mitm_ca_cert_file: "vendor/github.com/stripe/goproxy/ca.pem"
mitm_ca_key_file: "vendor/github.com/stripe/goproxy/key.pem"
# acl.yaml
---
version: v1
services: []
default:
  name: default
  project: security
  action: enforce
  allowed_domains:
    - wttr.in
  # For the domains listed here the proxy terminates TLS and sees the plaintext
  # request, which is what lets it add headers and log them.
  mitm_domains:
  - domain: wttr.in
    add_headers:
      Accept-Language: el
    detailed_http_logs: true
    # Only the headers named here are presumably logged with their full value;
    # keep credential-bearing headers (Authorization, Cookie) off this list.
    detailed_http_logs_full_headers:
      - User-Agent

Run

# Run smokescreen (in a different shell)
go run . --config-file config.yaml --egress-acl-file acl.yaml

# Curl (weather should be in Greek since we set the Accept-Language header)
# --cacert makes curl accept the proxy-minted certificate for wttr.in; pass the
# goproxy CA on the command line only, do not add it to a system trust store.
curl --proxytunnel -x localhost:4750 --cacert vendor/github.com/stripe/goproxy/ca.pem https://wttr.in
# Curl with HTTPS_PROXY
HTTPS_PROXY=localhost:4750 curl --cacert vendor/github.com/stripe/goproxy/ca.pem https://wttr.in

MITM (Man in the middle) Proxy over TLS

Set-up

First generate the certificates as described in the "Generate certificates" step of the "HTTP CONNECT Proxy over TLS" section above; this scenario reuses the same files under mtls_setup/.

# config.yaml
---
# Client certificates are required (no allow_missing_role); the certificate CN
# selects the `services` entry in acl.yaml.
tls:
  cert_file: "mtls_setup/server.crt"
  key_file: "mtls_setup/server.key"
  client_ca_files:
    - "mtls_setup/client-ca.crt"
# Re-using goproxy library CA and key
# WARNING: this CA private key ships in a vendored public library and is
# effectively public. Use it only for this local test via curl --cacert; never
# install ca.pem in a system or browser trust store.
mitm_ca_cert_file: "vendor/github.com/stripe/goproxy/ca.pem"
mitm_ca_key_file: "vendor/github.com/stripe/goproxy/key.pem"
# acl.yaml
---
version: v1
services:
  # Must equal the CN of mtls_setup/client.crt.
  - name: localhost
    project: github
    action: enforce
    allowed_domains:
      - wttr.in
    # TLS to these domains is terminated by the proxy, which can then add
    # headers and log the plaintext request.
    mitm_domains:
      - domain: wttr.in
        add_headers:
          Accept-Language: el
        detailed_http_logs: true
        # Keep credential-bearing headers (Authorization, Cookie) off this list.
        detailed_http_logs_full_headers:
          - User-Agent
# Clients with no matching services entry get default, which lists no domains.
default:
  name: default
  project: security
  action: enforce
  allowed_domains: []

Run

# Run smokescreen (in a different shell)
go run . --config-file config.yaml --egress-acl-file acl.yaml

# Curl (weather should be in Greek since we set the Accept-Language header)
# Two trust roots are in play: --proxy-cacert for the proxy's own certificate
# and --cacert for the MITM certificate the proxy mints for wttr.in;
# --proxy-cert/--proxy-key supply the client identity checked against acl.yaml.
curl --proxytunnel -x https://localhost:4750 --cacert vendor/github.com/stripe/goproxy/ca.pem --proxy-cacert mtls_setup/server-ca.crt --proxy-cert mtls_setup/client.crt --proxy-key mtls_setup/client.key https://wttr.in
# Curl with HTTPS_PROXY
HTTPS_PROXY=https://localhost:4750 curl --cacert vendor/github.com/stripe/goproxy/ca.pem --proxy-cacert mtls_setup/server-ca.crt --proxy-cert mtls_setup/client.crt --proxy-key mtls_setup/client.key https://wttr.in