Building a Proxy in Go

Talk I gave at the Golang meetup in Melbourne, Australia

Mark Wolfe

April 05, 2016


  1. Building a Proxy in Go
     How to build a minimal transparent TLS proxy in Go
  2. Who?
     • Mark Wolfe
     • Ops / Development at Versent
     • Versent is Hiring!
  3. The Challenge?!
     • We build secure environments on AWS
     • These environments require a proxy to be configured
     • I discovered SSL Bump's SSL Peek and Splice, a new feature in the Squid proxy server, which we use a lot
     • I wanted to explore this solution and build on it
     • We ONLY want outgoing HTTPS to leave the network
  4. SSL Peek and Splice
     • Looks inside the Client Hello and Server Hello
     • Uses the Server Name Indication (SNI) attribute to perform the connection on the client's behalf
     • Supports transparent proxying of TLS connections
     • Enables blocking of connections based on:
       • Hostname filtering, e.g. *.github.com
       • Other attributes in the Client / Server Hello
  5. TLS 1.x
     (Diagram: client C and server S, TCP 40001 <-> 443; C sends the Client Hello, S answers with the Server Hello.)
  6. TLS + Proxy
     (Diagram: client C, proxy P and server S. C -> P: TCP 40001 <-> 443 carrying the Client Hello (serverName=S); P -> S via the gateway (GW): TCP 41001 <-> 443; the Server Hello comes back the same way.)
  7. l7proxify
     • Small Go service
     • Using a bit of code I had written before with some new ideas
     • TCP proxy
     • Peeks at the TLS Client Hello and pulls out the SNI (hostname)
     • Connects to that host and joins all the streams
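The peek step from the slide above (read the Client Hello, pull out the SNI, then dial that host), as an added Go example that is not l7proxify's own code: it parses one TLS handshake record and returns the server_name, rejecting short or non-ClientHello input, and runs over a constructed sample ClientHello for example.com (the names vec, peekSNI and sampleClientHello are mine, not identifiers from the project).

```go
package main

import (
	"encoding/hex"
	"errors"
	"strings"
)

// vec splits off the length-prefixed vector (1- or 2-byte big-endian length) starting at b[off].
func vec(b []byte, off, lenBytes int) (data, rest []byte, ok bool) {
	n := 0
	for i := off; i < off+lenBytes && i < len(b); i++ {
		n = n<<8 | int(b[i])
	}
	if len(b) < off+lenBytes+n {
		return nil, nil, false
	}
	return b[off+lenBytes : off+lenBytes+n], b[off+lenBytes+n:], true
}

// peekSNI parses one TLS handshake record carrying a ClientHello and returns the
// host_name from its server_name (SNI) extension. The bytes are only read, so the
// proxy can dial that host and forward the very same record on to it.
func peekSNI(rec []byte) (string, error) {
	b, _, ok := vec(rec, 3, 2) // record = content type(1) version(2) length(2) fragment
	if !ok || rec[0] != 0x16 || len(b) < 38 || b[0] != 0x01 { // 22 = handshake, 1 = client_hello
		return "", errors.New("not a complete TLS ClientHello record")
	}
	b = b[38:] // skip msg type(1), length(3), client_version(2), random(32)
	for _, l := range []int{1, 2, 1} { // session_id, cipher_suites, compression_methods
		if _, b, ok = vec(b, 0, l); !ok {
			return "", errors.New("truncated ClientHello")
		}
	}
	exts, _, ok := vec(b, 0, 2) // extensions block; clients predating SNI send none
	for ok && len(exts) >= 4 && exts[0]|exts[1] != 0 { // skip extensions until type 0 = server_name (RFC 6066)
		_, exts, ok = vec(exts, 2, 2)
	}
	data, _, _ := vec(exts, 2, 2)  // server_name extension data, nil if none was found
	name, _, ok := vec(data, 3, 2) // list length(2), name_type(1), host_name length(2), host_name
	if !ok || data[2] != 0 {       // name_type 0 = host_name
		return "", errors.New("no well-formed server_name extension")
	}
	return string(name), nil
}

// sampleClientHello: a constructed (not captured) TLS 1.2 ClientHello for example.com with one cipher suite.
var sampleClientHello, _ = hex.DecodeString("1603010043" + "0100003f" + "0303" +
	strings.Repeat("00", 32) + "00" + "0002c02f" + "0100" + "0014" + "0000" + "0010" +
	"000e" + "00" + "000b" + hex.EncodeToString([]byte("example.com")))
```

In a proxy the record is obtained with a non-consuming read such as bufio.Reader.Peek; when peekSNI reports an incomplete record, read more before deciding, and only once the host is known dial it and write the buffered record to the upstream before joining the streams.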
  8. l7proxify
     • Uses a few great libraries
       • github.com/spf13/cobra for command flags
       • github.com/spf13/viper for configuration
       • github.com/apex/log for logging
     • Some code from crypto/tls inside Go
  9. “Talk is cheap. Show me the code.” – Linus Torvalds

  10. l7proxify
     • So why use code from inside Go itself?
       • Already decodes TLS records, albeit internally
       • Battle tested
       • Really nice code
     • Note: always respect the licence and ensure it is included with your project!
  11. In AWS
     (Diagram: a VPC with a public subnet holding the L7Proxify GW with an EIP, a private subnet holding the web servers behind an ELB, and the VPC route between them.)
  12. Demo Time

  13. In Summary
     • Keep it simple
     • Use libraries which make your software more amazing
     • Wireshark is a great piece of software
     • Understand what your servers are connecting to…
  14. Questions?
     • Mark Wolfe <[email protected]>
     • @wolfeidau on Twitter
     • github.com/wolfeidau
     • http://www.wolfe.id.au
  15. Links
     • https://en.wikipedia.org/wiki/Transport_Layer_Security
     • http://wiki.squid-cache.org/Features/SslPeekAndSplice
     • https://blogs.aws.amazon.com/security/post/TxFRX7UFUIT2GD/How-to-Add-DNS-Filtering-to-Your-NAT-Instance-with-Squid
     • https://github.com/wolfeidau/l7proxify