The Challenge?!
• We build secure environments on AWS
• These environments require a proxy to be configured
• I discovered SSL Bump's Peek and Splice, a new feature in the Squid proxy server, which we use a lot
• I wanted to explore this solution and build on it
• We ONLY want outgoing HTTPS to leave the network
SSL Peek and Splice
• Looks inside the Client Hello and Server Hello
• Uses the Server Name Indication (SNI) attribute to perform the connection on the client's behalf
• Supports transparent proxying of TLS connections
• Enables blocking of connections based on:
  • Hostname filtering, e.g. *.github.com
  • Other attributes in the Client / Server Hello
l7proxify
• Small Go service
• Uses a bit of code I had written before with some new ideas
• TCP proxy
• Peeks at the TLS Client Hello and pulls out the SNI (hostname)
• Connects to that host and joins all the streams
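The peek step from the slide above, written out as an added Go example (not l7proxify's own code, which reuses the record decoding from crypto/tls, as a later slide notes): ExtractSNI walks a raw ClientHello record to the server_name extension with a bounds check at every length field, and BuildClientHello assembles a minimal record purely as constructed test input.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// ExtractSNI takes one raw TLS record holding a ClientHello and returns the host from its
// server_name extension, checking every length against the bytes actually present so a
// proxy can refuse malformed input instead of guessing at a destination.
func ExtractSNI(rec []byte) (string, error) {
	u16 := func(b []byte) int { return int(binary.BigEndian.Uint16(b)) }
	bad := errors.New("malformed or truncated ClientHello")
	// record: type(1)=0x16 handshake, version(2), len(2); handshake: type(1)=0x01 ClientHello
	if len(rec) < 6 || rec[0] != 0x16 || rec[5] != 0x01 || len(rec) < 5+u16(rec[3:5]) {
		return "", bad
	}
	body, p := rec[5:5+u16(rec[3:5])], 38 // skip type(1) len(3) client_version(2) random(32)
	for _, w := range []int{1, 2, 1} {     // session_id, cipher_suites, compression_methods
		if len(body) < p+w {
			return "", bad
		}
		p += w + (int(body[p+w-1]) | int(body[p])<<(8*(w-1))) // w-byte big-endian length, then data
	}
	if len(body) < p+2 || len(body) < p+2+u16(body[p:]) {
		return "", bad
	}
	// walk extensions (type(2) len(2) data); a truncated entry ends the walk without a match
	for ext := body[p+2 : p+2+u16(body[p:])]; len(ext) >= 4 && len(ext) >= 4+u16(ext[2:4]); {
		typ, d := u16(ext[0:2]), ext[4:4+u16(ext[2:4])]
		ext = ext[4+u16(ext[2:4]):]
		// type 0 = server_name: list_len(2), name_type(1)=0 host_name, name_len(2), name
		if typ == 0 && len(d) >= 5 && d[2] == 0 && len(d) >= 5+u16(d[3:5]) {
			return string(d[5 : 5+u16(d[3:5])]), nil
		}
	}
	return "", errors.New("no server_name extension")
}

// BuildClientHello assembles a minimal TLS 1.2 ClientHello record whose only extension
// is server_name=host (constructed test input for the parser above, not a real capture).
func BuildClientHello(host string) []byte {
	be := func(n int) []byte { return []byte{byte(n >> 8), byte(n)} }
	name := append(append([]byte{0}, be(len(host))...), host...)                               // host_name entry
	sni := append(append(append([]byte{0, 0}, be(len(name)+2)...), be(len(name))...), name...) // type 0, ext len, list len, entry
	hello := append(append([]byte{3, 3}, make([]byte, 32)...), 0, 0, 2, 0xc0, 0x2f, 1, 0)      // TLS 1.2, zero random, no session, 1 suite, null compression
	hello = append(append(hello, be(len(sni))...), sni...)                                     // extensions length + server_name
	hs := append(append([]byte{1, 0}, be(len(hello))...), hello...)                            // handshake type 1, 3-byte length
	return append(append([]byte{0x16, 3, 1}, be(len(hs))...), hs...)                           // record type 0x16, version, length
}
```

A real proxy would read the record off the accepted socket (peeking rather than consuming it) and then dial the returned host; anything that fails to parse should be dropped, not forwarded.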
l7proxify
• Uses a few great libraries
  • github.com/spf13/cobra for command flags
  • github.com/spf13/viper for configuration
  • github.com/apex/log for logging
  • Some code from crypto/tls inside Go
l7proxify
• So why use code from inside Go itself?
  • It already decodes TLS records, albeit internally
  • Battle tested
  • Really nice code
• Note: always respect the licence and ensure it is included with your project!
In Summary
• Keep it simple
• Use libraries which make your software more amazing
• Wireshark is a great piece of software
• Understand what your servers are connecting to…