l7proxify

package module
v0.0.0-...-d90df8a

Published: Apr 13, 2016 License: BSD-3-Clause, MIT Imports: 11 Imported by: 0

README

l7proxify

l7proxify is designed to transparently proxy TLS traffic traversing a NAT host. It reads the Server Name Indication (SNI) extension from the ClientHello message of a TLS connection and uses that name to proxy the connection to its destination. Because the SNI name is sent in the clear and chosen by the client, the proxy can route on it without terminating TLS, but it is also the only thing the rules get to see.

Further reading on this idea: Squid's SSL Peek and Splice feature.

Background

Check out my presentation, Build a proxy with Go, which I presented at the golang meetup in Melbourne, AU.

Usage

L7 Proxy server

Usage:
  l7proxify [flags]

Flags:
      --debug              Log debug information.
      --localAddr string   Local listen address. (default "localhost:13131")

Configuration

# globals
debug = true

[logging]
json = false

[rules]

[rules.001]
match = "amazonaws.com$"
action = "allow"

[rules.002]
match = "^github.com$"
action = "allow"

[rules.003]
match = ".*"
action = "deny"
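The match values above are regular expressions evaluated in rule order, which matters for two reasons the table does not make obvious: "amazonaws.com$" has no left anchor, so it also matches a hostname such as evil-amazonaws.com, and an unescaped "." matches any character, so "^github.com$" also matches githubxcom. The Go program below is an added example and not part of l7proxify (LoadRules, Ruleset and Decide are names chosen here, not the package's LoadRuleset or MatchRule). It compiles a table of the shape a TOML decoder would hand back into an ordered first-match ruleset, runs the README's patterns and a hardened version side by side, and denies anything no rule matches. The rule tables and the hostnames are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Action mirrors the allow/deny verbs used in the config.
type Action int

const (
	Deny Action = iota
	Allow
)

func (a Action) String() string {
	if a == Allow {
		return "allow"
	}
	return "deny"
}

// Rule is one compiled entry of the [rules] table.
type Rule struct {
	Name   string
	Match  *regexp.Regexp
	Action Action
}

// Ruleset is evaluated first-match-wins, in rule-name order.
type Ruleset []Rule

// LoadRules compiles a rule table of the shape TOML decoding would produce
// (rule name -> {"match": ..., "action": ...}). A Go map has no order, so the
// evaluation order is fixed by sorting the names: 001, 002, 003, ...
func LoadRules(raw map[string]map[string]string) (Ruleset, error) {
	names := make([]string, 0, len(raw))
	for name := range raw {
		names = append(names, name)
	}
	sort.Strings(names)
	rs := make(Ruleset, 0, len(names))
	for _, name := range names {
		entry := raw[name]
		re, err := regexp.Compile(entry["match"])
		if err != nil {
			return nil, fmt.Errorf("rule %s: bad match pattern: %w", name, err)
		}
		var act Action
		switch entry["action"] {
		case "allow":
			act = Allow
		case "deny":
			act = Deny
		default:
			return nil, fmt.Errorf("rule %s: unknown action %q", name, entry["action"])
		}
		rs = append(rs, Rule{Name: name, Match: re, Action: act})
	}
	return rs, nil
}

// Decide returns the action of the first rule matching host, plus that rule's
// name. The host is normalised (lower-case, no trailing dot) before matching,
// and a host that matches nothing is denied so the proxy fails closed.
func (rs Ruleset) Decide(host string) (Action, string) {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, r := range rs {
		if r.Match.MatchString(host) {
			return r.Action, r.Name
		}
	}
	return Deny, ""
}

// LooseRules is the README's table as written. The patterns are regular
// expressions: "amazonaws.com$" has no left anchor and "." matches any byte.
var LooseRules = map[string]map[string]string{
	"001": {"match": "amazonaws.com$", "action": "allow"},
	"002": {"match": "^github.com$", "action": "allow"},
	"003": {"match": ".*", "action": "deny"},
}

// StrictRules anchors both ends, escapes the dots and only admits DNS labels
// in front of amazonaws.com.
var StrictRules = map[string]map[string]string{
	"001": {"match": `^(?:[a-z0-9-]+\.)*amazonaws\.com$`, "action": "allow"},
	"002": {"match": `^github\.com$`, "action": "allow"},
	"003": {"match": ".*", "action": "deny"},
}

func main() {
	hosts := []string{"s3.eu-west-1.amazonaws.com", "evil-amazonaws.com", "GitHub.com.", "githubxcom", "example.org"}
	for _, cfg := range []map[string]map[string]string{LooseRules, StrictRules} {
		rs, err := LoadRules(cfg)
		if err != nil {
			panic(err)
		}
		for _, h := range hosts {
			act, name := rs.Decide(h)
			fmt.Printf("%-28s -> %-5s (rule %q)\n", h, act, name)
		}
		fmt.Println()
	}
}
```

With the loose table, evil-amazonaws.com and githubxcom are both allowed; with the strict table they fall through to rule 003. Matching on the normalised name also keeps a client from slipping past a case-sensitive pattern with GitHub.com. or a trailing dot.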

TODO

  • Implement Server Hello parsing
  • Enhance the rules with more options around which attributes to look at
  • Add tracing for auditing
  • Add metrics and health check endpoint

References

Disclaimer

This is a work in progress. I released the code to demonstrate how it works and will continue development on it to add a lot more features over the coming months.

License

This code is released under the MIT license; see the LICENSE.md file for more details.

Documentation

Index

Constants

View Source
const (
	// ActionReject rejects the connection
	ActionReject = iota
	// ActionAccept accepts the connection
	ActionAccept
)

Variables

This section is empty.

Functions

func ListenAndServe

func ListenAndServe(addr string, handler Handler) error

ListenAndServe listens on addr and starts proxying connections, handing each accepted connection to handler.

func LoadRuleset

func LoadRuleset(rules map[string]interface{}) error

LoadRuleset loads the rule set supplied by the configuration.

This needs rejigging to return a list of errors, as stopping at the first one will be a pain for larger rule sets.

Types

type Conn

type Conn struct {
	*net.TCPConn

	Log log.Interface
	// contains filtered or unexported fields
}

Conn is the connection type used within l7proxify.

func NewConn

func NewConn(conn *net.TCPConn) *Conn

NewConn wraps conn in a new l7proxify connection.

func (*Conn) WritePeak

func (c *Conn) WritePeak(w io.Writer) (int, error)

WritePeak writes the current peek buffer to the supplied writer and resets the peek buffer.
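A peek buffer that is written out and then reset is one way to replay the bytes that were inspected; an alternative that keeps the client's bytes in the stream is bufio.Reader.Peek, which returns the leading bytes without consuming them so the reader can still be handed to io.Copy unchanged. The snippet below is an added example, not l7proxify's Conn: PeekTLSRecord and demo are names chosen here, and the record in demo is a constructed toy header with a three-byte body, not a real ClientHello.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// maxTLSRecord is the largest TLSPlaintext on the wire: the 5-byte header plus
// the 2^14-byte length limit from RFC 5246 §6.2.1. The bufio.Reader must be at
// least this large, or Peek returns bufio.ErrBufferFull for big ClientHellos.
const maxTLSRecord = 5 + 16384

// PeekTLSRecord returns the first complete TLS record on r without consuming
// it. The caller can parse the ClientHello and still hand r to io.Copy, so the
// upstream sees byte-for-byte what the client sent.
func PeekTLSRecord(r *bufio.Reader) ([]byte, error) {
	hdr, err := r.Peek(5)
	if err != nil {
		return nil, err
	}
	if hdr[0] != 0x16 { // ContentType handshake; anything else cannot be routed on SNI
		return nil, errors.New("first record is not a TLS handshake")
	}
	n := 5 + int(binary.BigEndian.Uint16(hdr[3:5]))
	if n > maxTLSRecord {
		return nil, errors.New("record length exceeds the TLS maximum")
	}
	return r.Peek(n) // blocks until the whole record has arrived, never consumes it
}

// demo peeks a constructed toy record off a stream and then forwards the
// stream, returning both so a test can confirm nothing was lost.
func demo() (peeked, forwarded []byte, err error) {
	record := []byte{0x16, 0x03, 0x01, 0x00, 0x03, 'a', 'b', 'c'} // constructed: 3-byte body
	stream := append(append([]byte{}, record...), "more-bytes-from-client"...)
	r := bufio.NewReaderSize(bytes.NewReader(stream), maxTLSRecord)
	p, err := PeekTLSRecord(r)
	if err != nil {
		return nil, nil, err
	}
	peeked = append([]byte{}, p...) // Peek's slice is invalidated by the next read
	forwarded, err = io.ReadAll(r)  // stand-in for io.Copy(upstream, r)
	return peeked, forwarded, err
}

func main() {
	p, f, err := demo()
	fmt.Printf("peeked %x, forwarded %d bytes, err=%v\n", p, len(f), err)
}
```

Copying the peeked slice before reading on is not optional: bufio reuses its buffer, so a slice returned by Peek only stays valid until the next read.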

type CurveID

type CurveID uint16

CurveID is the type of a TLS identifier for an elliptic curve. See http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8

type Handler

type Handler interface {
	ProxyConnection(cin *net.TCPConn)
}

A Handler responds to an incoming proxy connection.

type Rule

type Rule struct {
	Name    string
	Match   string
	Action  string
	Enabled bool
	// contains filtered or unexported fields
}

Rule is a filter rule for hosts.

type RuleMatch

type RuleMatch struct {
	Action int
	Rule   *Rule
}

RuleMatch is the match information returned by a rule scan.

func MatchRule

func MatchRule(host string) *RuleMatch

MatchRule runs through the ruleset looking for a match.

It loops over the ruleset and, if a rule matches, returns the corresponding action; otherwise it returns nil, which lets the caller decide on the default action.

type Server

type Server struct {
}

Server is the core of the proxy server.

type Session

type Session struct {
	Log log.Interface
	// contains filtered or unexported fields
}

Session holds the proxy state for one client connection.

func NewSession

func NewSession(lconn *net.TCPConn) *Session

NewSession creates a new proxy session for lconn.

func (*Session) Start

func (s *Session) Start()

Start processes data through the proxied connection.

It attempts to parse the TLS handshake ClientHello and retrieve the hostname from the SNI extension, using it as the endpoint to connect to.

It passes this hostname to the rule matcher and takes the action returned; if the result is nil, the connection is rejected.
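For the ClientHello parsing that Start and the README describe, here is an added example that is not the package's own code: ParseSNI walks the record layer, the handshake header, the fixed ClientHello fields and the extension list to pull out the server_name host_name, treating every length field as untrusted so a short or lying record yields an error instead of a panic. clientHelloFrom is a helper written for this example that captures a real ClientHello from Go's crypto/tls over net.Pipe, standing in for the bytes peeked off a client socket; the hostname www.example.com is made up for the demonstration.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

// ErrNoSNI: the ClientHello parsed fine but carries no host_name to route on.
var ErrNoSNI = errors.New("client hello has no server_name extension")
var errTruncated = errors.New("truncated or malformed client hello")

// cursor is a bounds-checked reader over a byte slice: the first short read
// sets err and every later read returns nil/0, so each layer checks err once.
type cursor struct {
	b   []byte
	err error
}

func (c *cursor) bytes(n int) []byte {
	if c.err != nil || len(c.b) < n {
		c.err = errTruncated
		return nil
	}
	h := c.b[:n]
	c.b = c.b[n:]
	return h
}

// uint reads an n-byte big-endian length or type field (n is 1, 2 or 3 here).
func (c *cursor) uint(n int) int {
	v := 0
	for _, x := range c.bytes(n) {
		v = v<<8 | int(x)
	}
	return v
}

// ParseSNI walks one TLS record (RFC 5246 §7.4.1.2, RFC 6066 §3) and returns
// the host_name carried in the ClientHello's server_name extension.
func ParseSNI(rec []byte) (string, error) {
	r := &cursor{b: rec}
	contentType := r.uint(1)
	r.bytes(2) // record-layer version: 0x0301 or 0x0303 on the wire, not authoritative
	hs := &cursor{b: r.bytes(r.uint(2))}
	if r.err != nil || contentType != 0x16 || hs.uint(1) != 0x01 { // handshake / client_hello
		return "", errors.New("not a complete TLS handshake record carrying a ClientHello")
	}
	body := &cursor{b: hs.bytes(hs.uint(3))}
	body.bytes(2 + 32)       // legacy_version + random
	body.bytes(body.uint(1)) // session_id
	body.bytes(body.uint(2)) // cipher_suites
	body.bytes(body.uint(1)) // compression_methods
	if hs.err != nil || body.err != nil { return "", errTruncated }
	if len(body.b) == 0 { return "", ErrNoSNI } // extensions are optional before TLS 1.2
	exts := &cursor{b: body.bytes(body.uint(2))}
	for exts.err == nil && len(exts.b) > 0 {
		extType := exts.uint(2)
		data := &cursor{b: exts.bytes(exts.uint(2))}
		if extType != 0x0000 { continue } // only server_name is of interest
		list := &cursor{b: data.bytes(data.uint(2))}
		for list.err == nil && len(list.b) > 0 {
			nameType := list.uint(1)
			name := list.bytes(list.uint(2))
			if nameType == 0 && len(name) > 0 { // NameType host_name
				return string(name), nil
			}
		}
		if data.err != nil || list.err != nil { return "", errTruncated }
		return "", ErrNoSNI // server_name present without a host_name entry
	}
	if body.err != nil || exts.err != nil { return "", errTruncated }
	return "", ErrNoSNI
}

// clientHelloFrom captures the first record Go's crypto/tls sends for serverName
// over an in-memory pipe; it stands in for the bytes peeked off a client socket.
func clientHelloFrom(serverName string) ([]byte, error) {
	client, server := net.Pipe()
	defer server.Close()
	go func() { // the handshake fails once the server side closes; only the first flight is wanted
		defer client.Close()
		_ = tls.Client(client, &tls.Config{ServerName: serverName, InsecureSkipVerify: true}).Handshake()
	}()
	hdr := make([]byte, 5)
	if _, err := io.ReadFull(server, hdr); err != nil {
		return nil, err
	}
	body := make([]byte, binary.BigEndian.Uint16(hdr[3:5]))
	if _, err := io.ReadFull(server, body); err != nil {
		return nil, err
	}
	return append(hdr, body...), nil
}

func main() {
	rec, _ := clientHelloFrom("www.example.com")
	host, err := ParseSNI(rec)
	fmt.Println(len(rec), host, err)
}
```

The name that comes back is client-supplied and unvalidated; before dialling it, a proxy should at least reject empty or non-hostname values and run it through the rules, and should treat a ClientHello without SNI as a routing failure rather than guessing a destination.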

type TLSHandler

type TLSHandler struct {
}

TLSHandler pulls apart and proxies TLS connections using the client hello SNI field.

func (*TLSHandler) ProxyConnection

func (tlsh *TLSHandler) ProxyConnection(cin *net.TCPConn)

ProxyConnection proxies a TLS connection.

Directories

Path Synopsis
cmd
