knockrd / kichijojipm23



FUJIWARA Shunichiro

July 21, 2020

Transcript

  1. knockrd @fujiwara 2020.07.21 Kichijoji.pm23

  2. About me: @fujiwara github.com/fujiwara

  3. "Looking back on what I worked on in the first half of this year"

  4. Telework: is a VPN really required?

  5. Dealing with VPN capacity expansion

  6. Why is a VPN needed?
     1. To reach servers on the office network
        • Can't be helped
        • But at our company those hardly exist any more (AWS, G Suite...)
     2. External servers restrict access by source IP address
        • Understandable
        • But painful. We would stop doing it if we could
  7. What is painful about IP address restrictions?
     There are many sites (one IP address per office)
     They come and go (adding and removing entries every time is a hassle)
     Old addresses never get removed (people forget they even exist)
     "It's restricted by IP address anyway" leads to lax settings (other authentication gets skipped)
     So for remote work a VPN is required !!!
  8. If you put authentication other than IP address restriction in front…
     • github.com/oauth2-proxy/oauth2-proxy
     • github.com/sorah/nginx_omniauth_adapter
     • github.com/shogo82148/go-nginx-oauth2-adapter
     • AWS ALB
     OAuth (OIDC) authentication can be added without touching the existing application. Extremely convenient.
  9. Situations where IP address restriction is unavoidable
     There are use cases where access does not come from a browser: a CLI, a non-browser game client, and so on
     Since they are not a browser, they cannot go through OAuth (OIDC) authentication
     Examples at our company:
     • The debug API of a game under development
     • Checking behaviour during server maintenance

  10. So I built one: knockrd github.com/fujiwara/knockrd

  11. github.com/fujiwara/knockrd
      Software that permits connections, for a limited period, from the IP address you accessed it from in a browser
      (the name is inspired by port knocking)
      1. Protect /allow by some means (OAuth, etc.)
      2. POST /allow → record the IP address in DynamoDB
      From there, one of several methods…
  12. Combining it with nginx auth_request
      1. Protect /allow by some means (OAuth, etc.)
      2. POST /allow → record the IP address in DynamoDB
      3. For access to any other URL, nginx auth_request does GET /auth
      4. If the IP address is in DynamoDB → 200 OK
      5. If it is not there, or has expired → 401 Unauthorized
  13. (image-only slide, no text)
  14. Combining it with AWS WAFv2 / Security Groups
      1. Protect /allow by some means (OAuth, etc.)
      2. POST /allow → record the IP address in DynamoDB
      3. The DynamoDB Stream triggers a Lambda
      4. The Lambda registers the IP address in a WAF IP Set / Security Group
      5. On Disallow, or when the entry expires, a Lambda is triggered
      6. The Lambda removes the IP address from the WAF IP Set / Security Group
  15. (image-only slide, no text)
  16. Use as directed, and in the right dose
      Permits a specific IP address only for a fixed (configurable) period
      Entries are deleted automatically when the time is up, so a forgotten one is unlikely to become a permanent hole
      If your provider puts you behind NAT, you may not be the only one using that IP address, so be careful
      (intended for engineers with a certain level of knowledge)
      For things that are only accessed from a browser, just use oauth2-proxy or the like
      github.com/fujiwara/knockrd
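The auth_request flow from slide 12, written out as an added example (this is not knockrd's own code): an in-memory allowlist with expiry stands in for the DynamoDB table, POST /allow records the caller's address, and GET /auth answers nginx's auth_request subrequest with 200 or 401. The listen port 9876, the trusted-proxy list and the nginx snippet in the comment are assumptions made for this example. The one check worth copying is in ClientIP: X-Forwarded-For is only believed when the TCP peer is the trusted proxy, otherwise any caller could allowlist an address of its choosing.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
	"sync"
	"time"
)

// Assumed nginx wiring (not part of this program):
//   location = /auth {
//     internal; proxy_pass http://127.0.0.1:9876/auth;
//     proxy_pass_request_body off; proxy_set_header Content-Length "";
//     proxy_set_header X-Forwarded-For $remote_addr;
//   }
//   location / { auth_request /auth; proxy_pass http://app; }

// Allowlist maps an IP address to its expiry time. It stands in for the
// DynamoDB table knockrd records addresses in (same idea, different storage).
type Allowlist struct {
	mu      sync.Mutex
	ttl     time.Duration
	expires map[string]time.Time
	now     func() time.Time // injectable clock so expiry can be tested
}

func NewAllowlist(ttl time.Duration) *Allowlist {
	return &Allowlist{ttl: ttl, expires: map[string]time.Time{}, now: time.Now}
}

// Allow records ip for one TTL from now; knocking again renews the entry.
func (a *Allowlist) Allow(ip string) time.Time {
	a.mu.Lock()
	defer a.mu.Unlock()
	exp := a.now().Add(a.ttl)
	a.expires[ip] = exp
	return exp
}

// Allowed reports whether ip is recorded and unexpired. Expired rows are
// purged on read, the way DynamoDB's TTL removes them in the background.
func (a *Allowlist) Allowed(ip string) bool {
	a.mu.Lock()
	defer a.mu.Unlock()
	if exp, ok := a.expires[ip]; ok && a.now().Before(exp) {
		return true
	}
	delete(a.expires, ip)
	return false
}

// ClientIP decides which address to allow or check. X-Forwarded-For is
// honoured only when the TCP peer is a trusted proxy (the nginx in front),
// and then only its last element, the one that proxy appended.
func ClientIP(r *http.Request, trustedProxies []*net.IPNet) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	peer := net.ParseIP(host)
	if peer == nil {
		return host
	}
	for _, n := range trustedProxies {
		if n.Contains(peer) {
			parts := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
			if ip := net.ParseIP(strings.TrimSpace(parts[len(parts)-1])); ip != nil {
				return ip.String()
			}
			break
		}
	}
	return peer.String()
}

// Server exposes the two endpoints from the slide. POST /allow assumes that
// something in front (oauth2-proxy, ALB OIDC auth) already authenticated the
// user; GET /auth only ever returns a status code, which is all nginx uses.
type Server struct {
	List    *Allowlist
	Proxies []*net.IPNet
}

func (s *Server) Handler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/allow", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		ip := ClientIP(r, s.Proxies)
		exp := s.List.Allow(ip)
		fmt.Fprintf(w, "allowed %s until %s\n", ip, exp.UTC().Format(time.RFC3339))
	})
	mux.HandleFunc("/auth", func(w http.ResponseWriter, r *http.Request) {
		if s.List.Allowed(ClientIP(r, s.Proxies)) {
			w.WriteHeader(http.StatusOK) // nginx forwards the original request
			return
		}
		w.WriteHeader(http.StatusUnauthorized) // nginx rejects it
	})
	return mux
}

func main() {
	_, loopback, _ := net.ParseCIDR("127.0.0.1/32") // nginx and this process share a host
	s := &Server{List: NewAllowlist(time.Hour), Proxies: []*net.IPNet{loopback}}
	http.ListenAndServe("127.0.0.1:9876", s.Handler())
}
```

The NAT caveat from slide 16 applies unchanged: what gets recorded is whatever address the trusted proxy saw, so everyone behind the same carrier-grade NAT shares the entry for the length of the TTL.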
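The DynamoDB Stream to Lambda path from slide 14, as an added example (not knockrd's Lambda or any AWS SDK call): a pure function that folds a batch of stream records into the current contents of a WAF IP Set or Security Group and returns the desired list, plus the add/remove split a security group update needs. The StreamRecord shape and the IPAddress attribute name are assumptions for this example. DynamoDB TTL deletions arrive on the stream as REMOVE events, which is why the "Expire" step on the slide needs no separate code path.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// StreamRecord is the slice of a DynamoDB Streams record the Lambda needs.
// Field names are assumptions for this example; a real record carries the
// address inside dynamodb.Keys / NewImage.
type StreamRecord struct {
	EventName string // "INSERT", "MODIFY" or "REMOVE"
	IPAddress string // the address stored by POST /allow
}

// cidrFor converts a bare address into the host-route form WAF IP sets and
// security group rules take: /32 for IPv4, /128 for IPv6. Unparsable input
// yields "" and is skipped rather than sent to AWS.
func cidrFor(ip string) string {
	parsed := net.ParseIP(ip)
	if parsed == nil {
		return ""
	}
	if v4 := parsed.To4(); v4 != nil {
		return v4.String() + "/32"
	}
	return parsed.String() + "/128"
}

// ApplyStream folds a batch of records into the current IP-set contents and
// returns the desired list, sorted and de-duplicated. INSERT and MODIFY (a
// renewed knock) add; REMOVE drops, whether it came from Disallow or from TTL.
func ApplyStream(current []string, records []StreamRecord) []string {
	set := make(map[string]struct{}, len(current))
	for _, c := range current {
		set[c] = struct{}{}
	}
	for _, rec := range records {
		cidr := cidrFor(rec.IPAddress)
		if cidr == "" {
			continue
		}
		switch rec.EventName {
		case "INSERT", "MODIFY":
			set[cidr] = struct{}{}
		case "REMOVE":
			delete(set, cidr)
		}
	}
	out := make([]string, 0, len(set))
	for c := range set {
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}

// Diff splits current -> desired into the additions and removals a security
// group needs (authorize / revoke ingress); a WAF IP set is simply replaced
// with the desired list.
func Diff(current, desired []string) (add, remove []string) {
	have, want := map[string]bool{}, map[string]bool{}
	for _, c := range current {
		have[c] = true
	}
	for _, d := range desired {
		want[d] = true
		if !have[d] {
			add = append(add, d)
		}
	}
	for _, c := range current {
		if !want[c] {
			remove = append(remove, c)
		}
	}
	return add, remove
}

func main() {
	// Constructed sample batch: one IPv4 knock, one IPv6 knock, one expiry.
	current := []string{"192.0.2.10/32"}
	batch := []StreamRecord{
		{EventName: "INSERT", IPAddress: "203.0.113.7"},
		{EventName: "INSERT", IPAddress: "2001:db8::1"},
		{EventName: "REMOVE", IPAddress: "192.0.2.10"},
	}
	desired := ApplyStream(current, batch)
	add, remove := Diff(current, desired)
	fmt.Println("desired:", desired, "add:", add, "remove:", remove)
}
```

Keeping the reconciliation pure means the Lambda can read the live IP set once, compute the target, and issue a single update; it also keeps a malformed row from ever reaching the WAF or EC2 API.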