
knockrd / kichijojipm23

FUJIWARA Shunichiro

July 21, 2020

Transcript

  1. knockrd
    @fujiwara
    2020.07.21 吉祥寺.pm23 (Kichijoji.pm #23)

  2. Self-introduction
    @fujiwara
    github.com/fujiwara

  3. "Looking back on what I did in the first half of this year"

  4. Telework: is it really impossible without a VPN?

  5. Dealing with VPN capacity expansion

  6. Why is a VPN needed?
    1. To reach servers on the internal network
    • Unavoidable
    • But at our company such servers hardly exist any more (AWS, G Suite...)
    2. External servers restrict the source IP address
    • Understandable
    • But painful; we would rather stop doing it if we could

  7. What is painful about IP address restrictions
    There are many sites (one IP address per office)
    They come and go (and each time the address must be added or removed, which is a hassle)
    Old addresses never get removed (nobody remembers they even exist)
    "It's restricted by IP address anyway" makes everything else lax
    (other authentication gets skipped)
    Remote work then requires a VPN !!!

  8. If some authentication other than IP address restriction is applied...
    • github.com/oauth2-proxy/oauth2-proxy
    • github.com/sorah/nginx_omniauth_adapter
    • github.com/shogo82148/go-nginx-oauth2-adapter
    • AWS ALB (built-in OIDC authentication action)
    OAuth (OIDC) authentication can be added without touching
    the existing application. Extremely convenient

  9. Situations where IP address restriction is unavoidable
    Some use cases need access from something other than a browser
    CLI tools, non-browser game clients, and so on
    Because they are not browsers, they cannot go through OAuth (OIDC) authentication
    Examples at our company
    • The debug API of a game under development
    • Checking behaviour during server maintenance

  10. So I built one
    knockrd github.com/fujiwara/knockrd

  11. github.com/fujiwara/knockrd
    Software that allows connections from the IP address you visited it from
    in a browser, for a limited period of time
    (the name is inspired by port knocking)
    1. Protect /allow by some means (OAuth, etc.)
    2. POST /allow → record the client IP address in DynamoDB
    From here on, one of several methods...

  12. Combining with nginx auth_request
    1. Protect /allow by some means (OAuth, etc.)
    2. POST /allow → record the client IP address in DynamoDB
    3. For access to every other URL, nginx auth_request sends GET /auth
    4. If the IP address is in DynamoDB → 200 OK
    5. If it is not there, or has expired → 401 Unauthorized
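The /allow and /auth flow of slides 11 and 12, as an added Go example that is not knockrd's own code: an in-memory map stands in for the DynamoDB table, an injectable clock stands in for its TTL, and the client address is taken from X-Forwarded-For only when the request arrives from the trusted nginx address (127.0.0.1 here, a hypothetical choice; the port, the trusted-proxy setting and the probe helper are likewise assumptions of this example). It goes one step beyond the slide by showing why that trust check matters: a peer other than the proxy that sends a forged X-Forwarded-For is recorded under its own address, not the one it claims.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// allowStore stands in for the DynamoDB table on the slides: one entry per allowed client IP.
type allowStore struct {
	mu    sync.Mutex
	ttl   time.Duration
	now   func() time.Time // injectable clock so expiry can be exercised
	items map[string]time.Time
}

func newAllowStore(ttl time.Duration) *allowStore {
	return &allowStore{ttl: ttl, now: time.Now, items: map[string]time.Time{}}
}

// allow records ip (what POST /allow does) and returns the expiry time.
func (s *allowStore) allow(ip string) time.Time {
	s.mu.Lock()
	defer s.mu.Unlock()
	exp := s.now().Add(s.ttl)
	s.items[ip] = exp
	return exp
}

// isAllowed answers GET /auth: true only for a recorded, unexpired IP;
// expired entries are dropped here, as a DynamoDB TTL would drop them.
func (s *allowStore) isAllowed(ip string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	exp, ok := s.items[ip]
	if ok && s.now().Before(exp) {
		return true
	}
	delete(s.items, ip)
	return false
}

// clientIP: auth_request subrequests come from nginx, so the real client is in
// X-Forwarded-For. Honour that header only when the peer is the trusted proxy, and
// only its last entry (the one the proxy appended); anything else is attacker-controlled.
func clientIP(r *http.Request, trustedProxy string) (string, error) {
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return "", err
	}
	if peer != trustedProxy {
		return peer, nil
	}
	parts := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	last := strings.TrimSpace(parts[len(parts)-1])
	if net.ParseIP(last) == nil {
		return "", fmt.Errorf("bad X-Forwarded-For entry %q", last)
	}
	return last, nil
}

// handler wires the two endpoints. Putting OAuth/OIDC in front of /allow
// (step 1 on the slide) is the job of the proxy and is not shown here.
func (s *allowStore) handler(trustedProxy string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/allow", func(w http.ResponseWriter, r *http.Request) {
		ip, err := clientIP(r, trustedProxy)
		if r.Method != http.MethodPost || err != nil { // only POST may record an address
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		exp := s.allow(ip)
		fmt.Fprintf(w, "allowed %s until %s\n", ip, exp.UTC().Format(time.RFC3339))
	})
	mux.HandleFunc("/auth", func(w http.ResponseWriter, r *http.Request) {
		ip, err := clientIP(r, trustedProxy)
		if err != nil || !s.isAllowed(ip) {
			w.WriteHeader(http.StatusUnauthorized) // nginx then denies the original request
			return
		}
		w.WriteHeader(http.StatusOK)
	})
	return mux
}

// probe sends one request the way nginx would (peer = proxy address, original
// client in X-Forwarded-For) and returns the resulting status code.
func probe(h http.Handler, method, path, peer, client string) int {
	req := httptest.NewRequest(method, path, nil)
	req.RemoteAddr = peer + ":34567"
	req.Header.Set("X-Forwarded-For", client)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

On the nginx side this pairs with `auth_request /auth;` on the protected locations and an `internal` `location = /auth` that proxies to this service with `proxy_pass_request_body off;` and `proxy_set_header X-Forwarded-For $remote_addr;`, so that the address checked is the one nginx actually saw. The NAT caveat from the last slide still applies: whoever shares your public address during the grant period is allowed too.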

  13. (image-only slide)

  14. Combining with AWS WAFv2 / Security Groups
    1. Protect /allow by some means (OAuth, etc.)
    2. POST /allow → record the client IP address in DynamoDB
    3. The DynamoDB Stream triggers a Lambda function
    4. The Lambda registers the IP address in a WAF IP Set / Security Group
    5. On Disallow, or when the entry expires, the Lambda is triggered again
    6. It removes the IP address from the WAF IP Set / Security Group

  15. (image-only slide)

  16. Follow the directions and the dosage
    A specific IP address can be allowed for a fixed (configurable) time only
    Entries are deleted automatically when they expire, so a forgotten
    allowance is unlikely to stay dangerous indefinitely
    If your provider puts you behind NAT, you may not be the only one using
    that IP address, so be careful
    (intended for engineers with a reasonable amount of knowledge)
    For things accessed only from a browser, just use oauth2-proxy or similar
    github.com/fujiwara/knockrd