knockrd
@fujiwara
2020.07.21 Kichijoji.pm23
About me: @fujiwara  github.com/fujiwara

"Looking back on what I have been doing up to now"

Telework: is it hopeless without a VPN?

VPN capacity upgrades
Why is a VPN needed?
1. To reach servers on the company network
• Can't be helped
• But at our company there are almost none (AWS, G Suite...)
2. External servers restrict access by source IP address
• Understandable
• But painful. We'd stop doing it if we could

What is painful about IP address restrictions
• There are many sites (one IP address per office)
• They come and go (adding and removing them every time is a hassle)
• Old addresses never get cleaned up (their very existence is forgotten)
• "It's restricted by IP anyway" makes things lax (other authentication gets skipped)
Remote work needs a VPN!!!
If you put some authentication other than IP restriction in front…
• github.com/oauth2-proxy/oauth2-proxy
• github.com/sorah/nginx_omniauth_adapter
• github.com/shogo82148/go-nginx-oauth2-adapter
• AWS ALB
OAuth (OIDC) authentication can be added without touching the existing application. Extremely convenient.

Cases where IP address restriction is unavoidable
• There are use cases that need access from something other than a browser
• CLI tools, non-browser game clients, and so on
• Not a browser, so OAuth (OIDC) authentication is not possible
Examples at our company:
• Debug API of a game under development
• Checking behaviour during server maintenance
So I made one: knockrd  github.com/fujiwara/knockrd

github.com/fujiwara/knockrd
Software that permits connections, for a fixed period, from the IP address that accessed it via a browser (the name is inspired by port knocking)
1. Protect /allow by some means (OAuth or similar)
2. POST /allow → record the IP address in DynamoDB
From there, several ways to use it…

Combined with nginx auth_request
1. Protect /allow by some means (OAuth or similar)
2. POST /allow → record the IP address in DynamoDB
3. On access to any other URL, nginx auth_request issues GET /auth
4. If the IP address is in DynamoDB → 200 OK
5. If it is absent or has expired → 401 Unauthorized
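The /allow → record → GET /auth flow above, as an added example written for this page (not knockrd's own code): an in-memory map with expiry stands in for the DynamoDB table, and the client address is assumed to arrive in an X-Real-IP header set by nginx.

```go
package main

import (
	"net"
	"net/http"
	"sync"
	"time"
)

// AllowList stands in for the DynamoDB table: IP address -> expiry time.
type AllowList struct {
	mu      sync.Mutex
	entries map[string]time.Time
	now     func() time.Time // injectable clock, so expiry is testable
}

func NewAllowList() *AllowList {
	return &AllowList{entries: map[string]time.Time{}, now: time.Now}
}

// Allow mirrors "POST /allow -> record the IP": valid addresses only, with a TTL.
func (a *AllowList) Allow(ip string, ttl time.Duration) bool {
	if net.ParseIP(ip) == nil {
		return false
	}
	a.mu.Lock()
	defer a.mu.Unlock()
	a.entries[ip] = a.now().Add(ttl)
	return true
}

// Allowed is the check behind GET /auth: true only for a recorded, unexpired IP.
// Expired entries are dropped on sight, as a DynamoDB TTL would remove them.
func (a *AllowList) Allowed(ip string) bool {
	a.mu.Lock()
	defer a.mu.Unlock()
	if exp, ok := a.entries[ip]; ok && a.now().Before(exp) {
		return true
	}
	delete(a.entries, ip)
	return false
}

// AuthHandler serves GET /auth for nginx auth_request. nginx sets X-Real-IP (assumed
// header name); the app must accept connections only from nginx, or it could be forged.
func (a *AllowList) AuthHandler(w http.ResponseWriter, r *http.Request) {
	if ip := r.Header.Get("X-Real-IP"); ip != "" && a.Allowed(ip) {
		w.WriteHeader(http.StatusOK) // nginx lets the original request through
		return
	}
	w.WriteHeader(http.StatusUnauthorized) // nginx answers 401 to the client
}
```

Wire AuthHandler to /auth and point nginx's auth_request at it; whatever handles POST /allow should call Allow with the same trusted client address after its own OAuth check.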
Combined with AWS WAFv2 / Security Group
1. Protect /allow by some means (OAuth or similar)
2. POST /allow → record the IP address in DynamoDB
3. The DynamoDB Stream triggers a Lambda
4. The Lambda registers the IP address in a WAF IP Set / Security Group
5. On Disallow or Expire, the Lambda is triggered again
6. It removes the IP address from the WAF IP Set / Security Group

Use as directed and in the prescribed dose
• A specific IP address can be permitted only for a fixed time (configurable)
• Removed automatically on expiry. Even if forgotten, the exposure is hard to make permanent
• Caution: if your provider uses NAT, you may not be the only one using that IP address
(Intended for engineers with a reasonable level of knowledge)
• For browser-only access, just use oauth2-proxy or similar
github.com/fujiwara/knockrd