knockrd / kichijojipm23

Transcript

1. knockrd @fujiwara 2020.07.21 ٢঵ࣉ.pm23

2. ࣗݾ঺հ @fujiwara github.com/fujiwara

3. ʮࠓ೥ͷલ൒ͷ׆ಈΛৼΓฦΔʯ

4. ςϨϫʔΫ VPN ͕ ͳ͍ͱͩΊʁ

5. VPN ૿ڧରԠ

6. ͳͥ VPN ͕ඞཁ͔ 1. ࣾ಺ωοτϫʔΫͷαʔόʹΞΫηε͢ΔͨΊ • ࢓ํͳ͍ • Ͱ΋ฐࣾʹ͸΋͏΄΅ଘࡏ͠ͳ͍ (AWS,

   G Suite...) 2. ֎෦ͷαʔό͕઀ଓݩIPΞυϨεΛ੍ݶ͍ͯ͠Δ • Θ͔Δ • Ͱ΋ਏ͍ɻͰ͖Ε͹΍Ί͍ͨ

7. IP ΞυϨε੍ݶͷͳʹ͕ਏ͍͔ ڌ఺͕͍ͬͺ͍͋Δ (ΦϑΟε͝ͱʹIPΞυϨε) ૿͑ͨΓݮͬͨΓ͢Δ (ͦͷͨͼʹ௥Ճ࡟আ໘౗) ݹ͍ΞυϨεΛফ͠๨ΕΔ (ଘࡏࣗମ๨Ε͍ͯΔ) IPΞυϨεͰ੍ݶͯ͠Δ͔ΒͬͯϢϧϢϧʹ͕ͪ͠ (ଞͷೝূΛαϘΔ)

   ϦϞʔτϫʔΫͰ͸ VPN ͕ඞཁ !!!

8. IP ΞυϨε੍ݶҎ֎ͷೝূΛֻ͚Ε͹… • github.com/oauth2-proxy/oauth2-proxy • github.com/sorah/nginx_omniauth_adapter • github.com/shogo82148/go-nginx-oauth2-adapter • AWS

   ALB طଘΞϓϦέʔγϣϯʹखΛೖΕͣʹ OAuth(OIDC)ೝূΛ௥ՃͰ͖Δɻ࠷ߴศར

9. ΍ΉΛಘͣIPΞυϨε੍ݶΛ͍ͨ͠৔໘ ϒϥ΢βҎ֎͔ΒΞΫηε͍ͨ͠Ϣʔεέʔε͕͋Δ CLI, ϒϥ΢βͰ͸ͳ͍ήʔϜͷΫϥΠΞϯτͳͲ ϒϥ΢βͰ͸ͳ͍ͨΊOAuth(OIDC)ೝূͰ͖ͳ͍ ฐࣾͰͷྫ • ։ൃதήʔϜͷσόοάAPI • αʔόϝϯςφϯεதʹಈ࡞֬ೝ

10. ͭ͘Γ·ͨ͠ knockrd github.com/fujiwara/knockrd

11. github.com/fujiwara/knockrd ϒϥ΢βͰΞΫηεͨ͠IPΞυϨε͔Βͷ઀ଓΛ ҰఆظؒڐՄ͢ΔͨΊͷιϑτ΢ΣΞ (໊લ͸ port knocking ͔ΒΠϯεύΠΞ) 1. /allow ΛͳΜΒ͔ͷํ๏(OAuthͱ͔)Ͱอޢ

    2. POST /allow → IPΞυϨεΛ DynamoDB ʹه࿥ ͜ͷઌ͸͍͔ͭ͘ͷํ๏Ͱ…

12. nginx auth_request ͱ૊Έ߹ΘͤΔ 1. /allow ΛͳΜΒ͔ͷํ๏(OAuthͱ͔)Ͱอޢ 2. POST /allow →

    IPΞυϨεΛ DynamoDB ʹه࿥ 3. ଞͷ URL ͷΞΫηεͰ͸ nginx auth_request ͕ GET /auth 4. DynamoDB ʹ͋ΔIPΞυϨεͳΒ 200 OK 5. ͳ͔ͬͨΓ Expire ͢Δͱ 401 Unauthorized
13. None

14. AWS WAFv2 / SecurityGroupͱ૊Έ߹ΘͤΔ 1. /allow ΛͳΜΒ͔ͷํ๏(OAuthͱ͔)Ͱอޢ 2. POST /allow

    → IPΞυϨεΛ DynamoDB ʹه࿥ 3. DynamoDB Stream ͔Β Lambda ͕ىಈ 4. WAF IP Set / Security Group ʹ IPΞυϨεΛొ࿥ 5. Disallow / Expire ͢Δͱ Lambda ͕ىಈ 6. WAF IP Set / Security Group ͔Β IPΞυϨεΛ࡟আ
15. None

16. ༻๏ɾ༻ྔΛक͓ͬͯ࢖͍͍ͩ͘͞ ಛఆͷIPΞυϨεΛҰఆ࣌ؒ(ઃఆՄೳ)͚ͩڐՄͰ͖Δ ࣌ݶͰࣗಈ࡟আɻ์ஔͯ͠΋ةݥ͕ӬଓԽͮ͠Β͍ ϓϩόΠμͰNAT͞Ε͍ͯΔͱͦͷIPΞυϨεΛ࢖͍ͬͯΔͷ͸ ࣗ෼͚ͩ͡Όͳ͍Մೳੑ͕͋ΔͷͰ஫ҙ (͋Δఔ౓ͷ஌͕ࣝ͋ΔΤϯδχΞ޲͚) ϒϥ΢β͚ͩͰΞΫηε͢Δ΋ͷ͸ૉ௚ʹ oauth2-proxy ͱ͔Ͱ github.com/fujiwara/knockrd