Slide 1

Building a Proxy in Go
How to build a minimal transparent TLS proxy in Go

Slide 2

Who? • Mark Wolfe • Ops / Development at Versent • Versent is Hiring!

Slide 3

The Challenge?! • We build secure environments on AWS • These environments require a proxy to be configured • I discovered SSL Peek and Splice, a new SSL Bump mode in the Squid proxy server, which we use a lot • I wanted to explore this solution and build on it • We ONLY want outgoing HTTPS to leave the network

Slide 4

SSL Peek and Splice • Looks inside the Client Hello and Server Hello • Uses the Server Name Indication (SNI) extension to make the connection on the client's behalf • Supports transparent proxying of TLS connections • Enables blocking of connections based on: • Hostname filtering, e.g. *.github.com • Other attributes in the Client / Server Hello
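
The peek the slide describes is a parse of the plaintext Client Hello, nothing more. As an added example (not code from the slides or from l7proxify), here is a Go parser that pulls the host_name out of the server_name extension, plus the hostname filter with a *.github.com style wildcard. BuildClientHello is a constructed fixture so the block runs offline; the names ExtractSNI, Allowed and BuildClientHello are this example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

var errMalformed = errors.New("malformed or truncated ClientHello")

func be16(b []byte, p int) int { return int(binary.BigEndian.Uint16(b[p:])) }

// ExtractSNI walks a ClientHello record and returns the host_name from its
// server_name extension (RFC 6066). Every length is bounds-checked before use,
// since these bytes come from an untrusted client.
func ExtractSNI(rec []byte) (string, error) {
	if len(rec) < 9 || rec[0] != 0x16 || rec[5] != 0x01 { // handshake record, ClientHello
		return "", errMalformed
	}
	hsLen := int(rec[6])<<16 | int(rec[7])<<8 | int(rec[8])
	if 9+hsLen > len(rec) {
		return "", errMalformed
	}
	b, p := rec[9:9+hsLen], 34 // skip client_version(2) + random(32)
	for _, w := range []int{1, 2, 1} { // session_id, cipher_suites, compression_methods
		if p+w > len(b) {
			return "", errMalformed
		}
		n := int(b[p])
		if w == 2 {
			n = be16(b, p)
		}
		if p += w + n; p > len(b) {
			return "", errMalformed
		}
	}
	if p == len(b) {
		return "", errors.New("no extensions, so no SNI")
	}
	if p+2 > len(b) {
		return "", errMalformed
	}
	end := p + 2 + be16(b, p)
	if end > len(b) {
		return "", errMalformed
	}
	for p += 2; p+4 <= end; {
		typ, n := be16(b, p), be16(b, p+2)
		p += 4
		if p+n > end {
			return "", errMalformed
		}
		if typ == 0 { // server_name: list_len(2), name_type(1), name_len(2), name
			if n >= 5 && b[p+2] == 0 && 5+be16(b, p+3) <= n {
				return string(b[p+5 : p+5+be16(b, p+3)]), nil
			}
			return "", errMalformed
		}
		p += n
	}
	return "", errors.New("no server_name extension")
}

// Allowed applies the hostname filter: an exact name, or "*.example.com" for
// any subdomain (but not the apex). Matching is case-insensitive.
func Allowed(host string, patterns []string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, p := range patterns {
		p = strings.ToLower(p)
		if p == host || (strings.HasPrefix(p, "*.") && strings.HasSuffix(host, p[1:]) && host != p[1:]) {
			return true
		}
	}
	return false
}

// BuildClientHello is a constructed fixture: a minimal TLS 1.2 ClientHello
// carrying host in its SNI extension (not bytes captured from a real client).
func BuildClientHello(host string) []byte {
	name := []byte(host)
	n := len(name)
	sni := append([]byte{byte((n + 3) >> 8), byte(n + 3), 0, byte(n >> 8), byte(n)}, name...)
	ext := append([]byte{0, 0, byte(len(sni) >> 8), byte(len(sni))}, sni...)
	body := append([]byte{3, 3}, make([]byte, 32)...) // client_version TLS 1.2, zero random
	body = append(body, 0, 0, 2, 0xc0, 0x2f, 1, 0)    // no session id, one suite, null compression
	body = append(body, byte(len(ext)>>8), byte(len(ext)))
	body = append(body, ext...)
	hs := append([]byte{1, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append([]byte{0x16, 3, 1, byte(len(hs) >> 8), byte(len(hs))}, hs...)
}

func main() {
	allow := []string{"github.com", "*.github.com"}
	for _, h := range []string{"api.github.com", "github.com", "evil.example"} {
		host, err := ExtractSNI(BuildClientHello(h))
		fmt.Printf("sni=%q err=%v allowed=%v\n", host, err, err == nil && Allowed(host, allow))
	}
}
```

Two things worth keeping in mind when filtering this way: a Client Hello with no SNI at all must be treated as a block, not a pass (the parser returns an error for it), and the name is the client's own declaration. Because the proxy dials whatever name the client supplied, a client cannot reach an unlisted host by lying, but anything served behind an allowed name is reachable.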

Slide 5

Diagram: direct TLS 1.x handshake. Client C (1.1.1.1) opens TCP 40001 <-> 443 to server S (2.2.2.2); C sends the Client Hello and S answers with the Server Hello.

Slide 6

Diagram: the same handshake through proxy P on the gateway (1.1.1.254). C (1.1.1.1) opens TCP 40001 <-> 443, which the gateway intercepts; P reads the Client Hello (serverName=S), opens its own TCP 41001 <-> 443 to S (2.2.2.2), and the Server Hello flows back through P to C.

Slide 7

l7proxify • Small Go service • Using a bit of code I had written before plus some new ideas • TCP proxy • Peeks at the TLS Client Hello and pulls out the SNI (hostname) • Connects to that host and joins the two streams
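
As a second added example, not l7proxify's code, here is the connection path the slide sketches: read exactly one TLS record off the client socket, hand it to a policy function that returns the host to dial, connect, and join the two streams. The policy and dialer are parameters (assumed names decide and dial) so the path can run without a network; the SNI parse and hostname check belong inside decide. Listening on :443 assumes the gateway already redirects intercepted port-443 traffic there (an iptables REDIRECT rule, not shown).

```go
package main

import (
	"errors"
	"io"
	"log"
	"net"
	"time"
)

// ReadClientHello reads exactly one TLS handshake record (5-byte header plus
// body) from r and not a byte more, so the record can be replayed to the server
// unchanged. It assumes the ClientHello fits in one record, as common clients guarantee.
func ReadClientHello(r io.Reader) ([]byte, error) {
	rec := make([]byte, 5)
	if _, err := io.ReadFull(r, rec); err != nil {
		return nil, err
	}
	n := int(rec[3])<<8 | int(rec[4])
	if rec[0] != 0x16 || n > 16384 { // content type must be handshake; max TLS fragment
		return nil, errors.New("not a TLS handshake record")
	}
	rec = append(rec, make([]byte, n)...)
	if _, err := io.ReadFull(r, rec[5:]); err != nil {
		return nil, err
	}
	return rec, nil
}

// Splice writes the peeked record to upstream, then copies bytes both ways
// until either side closes; the proxy never decrypts anything.
func Splice(client, upstream net.Conn, peeked []byte) {
	defer client.Close()
	defer upstream.Close()
	if _, err := upstream.Write(peeked); err != nil {
		return
	}
	done := make(chan struct{}, 2)
	go func() { io.Copy(upstream, client); done <- struct{}{} }()
	go func() { io.Copy(client, upstream); done <- struct{}{} }()
	<-done // the first direction to finish tears down both sides via the deferred closes
}

// HandleConn is the per-connection path: peek at the first record, let decide
// map it to an upstream host (or reject it), dial that host, then splice.
// decide and dial are injected so the path can be exercised without a network.
func HandleConn(client net.Conn, decide func(rec []byte) (string, error), dial func(host string) (net.Conn, error)) error {
	client.SetReadDeadline(time.Now().Add(5 * time.Second)) // a silent client must not pin a goroutine forever
	rec, err := ReadClientHello(client)
	client.SetReadDeadline(time.Time{})
	var host string
	if err == nil {
		host, err = decide(rec)
	}
	var up net.Conn
	if err == nil {
		up, err = dial(host)
	}
	if err != nil {
		client.Close()
		return err
	}
	Splice(client, up, rec)
	return nil
}

// Serve accepts on ln and runs HandleConn for every connection. The original
// destination IP is deliberately ignored: the proxy dials the name the policy
// returns, which is what makes hostname filtering hold.
func Serve(ln net.Listener, decide func([]byte) (string, error)) error {
	for {
		c, err := ln.Accept()
		if err != nil {
			return err
		}
		go HandleConn(c, decide, func(host string) (net.Conn, error) {
			return net.DialTimeout("tcp", net.JoinHostPort(host, "443"), 10*time.Second)
		})
	}
}

func main() {
	ln, err := net.Listen("tcp", ":443")
	if err != nil {
		log.Fatal(err)
	}
	// Plug the SNI parser and hostname filter in here; this stand-in policy refuses everything.
	log.Fatal(Serve(ln, func([]byte) (string, error) { return "", errors.New("no SNI policy configured") }))
}
```

The detail that matters is the exact-length read: ReadClientHello consumes the header and precisely the bytes the header announces, and Splice replays those bytes before copying. Reading even one byte past the record and forgetting to replay it breaks the handshake for every client.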

Slide 8

l7proxify • Uses a few great libraries • github.com/spf13/cobra for command flags • github.com/spf13/viper for configuration • github.com/apex/log for logging • Some code from Go's own crypto/tls package

Slide 9

“Talk is cheap. Show me the code.” – Linus Torvalds

Slide 10

l7proxify • So why use code from inside Go itself? • It already decodes TLS records, albeit in internal (unexported) code • Battle tested • Really nice code • Note: always respect the licence and ensure it is included with your project!

Slide 11

Diagram: in AWS, the l7proxify gateway (10.0.0.1/24) sits in the public subnet with an EIP (205.0.1.1). The private subnet holds the web servers (10.1.0.1/24, 10.1.0.2/24) behind an ELB, and the VPC route table sends 0.0.0.0/0 -> 10.0.0.1, so all outbound traffic passes through the proxy.

Slide 12

Demo Time

Slide 13

In Summary • Keep it simple • Use libraries which make your software more amazing • Wireshark is a great piece of software • Understand what your servers are connecting to…

Slide 14

Questions? • Mark Wolfe • @wolfeidau on Twitter • github.com/wolfeidau • http://www.wolfe.id.au

Slide 15

Links • https://en.wikipedia.org/wiki/Transport_Layer_Security • http://wiki.squid-cache.org/Features/SslPeekAndSplice • https://blogs.aws.amazon.com/security/post/TxFRX7UFUIT2GD/How-to-Add-DNS-Filtering-to-Your-NAT-Instance-with-Squid • https://github.com/wolfeidau/l7proxify