Building a Proxy in Go

Talk I gave at the Golang meetup in Melbourne, Australia

Mark Wolfe

April 05, 2016
Transcript

  1. Building a Proxy in Go
    How to build a minimal transparent TLS proxy in Go

  2. Who?
    • Mark Wolfe
    • Ops / Development at Versent
    • Versent is Hiring!

  3. The Challenge?!
    • We build secure environments on AWS
    • These environments require a proxy to be configured
    • I discovered SSL Peek and Splice, a new SSL Bump feature in the Squid proxy server, which we use a lot
    • I wanted to explore this solution and build on it
    • We ONLY want outgoing HTTPS to leave the network

  4. SSL Peek and Splice
    • Looks inside Client Hello and Server Hello
    • Uses the Server Name Indication (SNI) attribute to perform the connection on the client's behalf
    • Supports transparent proxying of TLS connections
    • Enables blocking of connections based on:
      • Hostname filtering, e.g. *.github.com
      • Other attributes in the Client / Server Hello

  5. TLS 1.x
    Diagram: client C (1.1.1.1) opens TCP 40001 <-> 443 to server S (2.2.2.2); the TLS handshake runs directly between them, C sending the Client Hello and S answering with the Server Hello.

  6. Proxy
    Diagram (TLS + Proxy): C (1.1.1.1) opens TCP 40001 <-> 443, which now terminates at the proxy P on the gateway (1.1.1.254). P reads the Client Hello (serverName=S), opens its own TCP 41001 <-> 443 to S (2.2.2.2), forwards the Client Hello and relays the Server Hello back to C.

  7. l7proxify
    • Small Go service
    • Using a bit of code I had written before with some new ideas
    • TCP Proxy
    • Peeks at the TLS Client Hello and pulls out SNI (hostname)
    • Connects to that host and joins all the streams

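As an added example (not code from the talk or from l7proxify), the "pull out SNI" step above: a parser that walks a raw TLS ClientHello record to the server_name extension and returns the hostname, together with a constructed ClientHello to run it against.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// extractSNI parses one raw TLS record carrying a ClientHello and returns the host_name
// from its server_name extension (RFC 6066); no decryption is needed for this field.
func extractSNI(rec []byte) (string, error) {
	if len(rec) < 9 || rec[0] != 0x16 || rec[5] != 0x01 { // handshake record, ClientHello
		return "", errors.New("not a TLS ClientHello record")
	}
	b, p := rec[9:], 34 // body after the two headers; skip version(2) + random(32)
	for _, w := range []int{1, 2, 1} { // session_id, cipher_suites, compression_methods
		if p+w > len(b) {
			return "", errors.New("truncated ClientHello")
		}
		n := int(b[p+w-1]) + int(b[p])*256*(w-1) // 1- or 2-byte big-endian length prefix
		p += w + n
	}
	if p+2 > len(b) {
		return "", errors.New("no extensions block")
	}
	for ext := b[p+2:]; len(ext) >= 4; {
		typ, l := binary.BigEndian.Uint16(ext), int(binary.BigEndian.Uint16(ext[2:]))
		if 4+l > len(ext) {
			return "", errors.New("truncated ClientHello")
		}
		if typ == 0 && l >= 5 && ext[6] == 0 { // server_name list, name_type 0 = host_name
			if n := int(binary.BigEndian.Uint16(ext[7:])); 9+n <= 4+l {
				return string(ext[9 : 9+n]), nil
			}
		}
		ext = ext[4+l:]
	}
	return "", errors.New("no server_name extension")
}

// buildClientHello returns a constructed minimal TLS 1.2 ClientHello record carrying host
// as SNI (sample input, not captured traffic; host must be under 190 bytes for the length math).
func buildClientHello(host string) []byte {
	n := len(host)
	sni := append([]byte{0, byte(n + 3), 0, 0, byte(n)}, host...) // list len, host_name type, name len, name
	ext := append([]byte{0, 0, 0, byte(n + 5)}, sni...)           // extension type 0, extension len
	body := append([]byte{3, 3}, make([]byte, 32)...)             // version TLS 1.2, zeroed random
	body = append(body, 0, 0, 2, 0x13, 0x01, 1, 0, 0, byte(len(ext))) // no session id, one suite, null compression, ext len
	hs := append([]byte{1, 0, 0, byte(len(body) + len(ext))}, append(body, ext...)...) // type ClientHello, 24-bit len
	return append([]byte{0x16, 3, 1, 0, byte(len(hs))}, hs...) // record header: handshake, legacy version, len
}
```

In a transparent proxy the record is read with a peek (for example bufio.Reader.Peek) rather than consumed, so the same bytes are still forwarded to the upstream once the SNI host has been dialled.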
  8. l7proxify
    • Uses a few great libraries
    • github.com/spf13/cobra for command flags
    • github.com/spf13/viper for configuration
    • github.com/apex/log for logging
    • Some code from Go's own crypto/tls package

  9. –Linus Torvalds
    “Talk is cheap. Show me the code.”

  10. l7proxify
    • So why use code from inside Go itself?
      • Already decodes TLS records, albeit internally
      • Battle tested
      • Really nice code
    • Note: always respect the licence and ensure it is included with your project!

  11. In AWS
    Diagram: a VPC whose private subnet holds the web servers (10.1.0.1/24, 10.1.0.2/24) behind an ELB, and whose public subnet holds the l7proxify GW (10.0.0.1/24) with EIP 205.0.1.1. The VPC route 0.0.0.0/0 -> 10.0.0.1 sends all outbound traffic through the gateway.

  12. Demo Time

  13. In Summary
    • Keep it simple
    • Use libraries which make your software more amazing
    • Wireshark is a great piece of software
    • Understand what your servers are connecting to…

  14. Questions?
    • Mark Wolfe
    • @wolfeidau on Twitter
    • github.com/wolfeidau
    • http://www.wolfe.id.au

  15. Links
    • https://en.wikipedia.org/wiki/Transport_Layer_Security
    • http://wiki.squid-cache.org/Features/SslPeekAndSplice
    • https://blogs.aws.amazon.com/security/post/TxFRX7UFUIT2GD/How-to-Add-DNS-Filtering-to-Your-NAT-Instance-with-Squid
    • https://github.com/wolfeidau/l7proxify