Add mTLS and AuthorizedGroups support (#3)
* Initial repo scaffolding and setup

* Initial implementation of a TCP proxy supporting basic configuration and a least-connection load balancer.

Yet to be implemented: mTLS authn/z and RateLimiting

* Fix GH action workflow

* Misc cleanup

* @tigrato feedback part 1

- Comments and consolidation of Config
- Simplify connection handling in proxy with less channels + goroutines

* Integrate a large chunk of feedback with the exception of the LoadBalancer implementation.

* Add some more test cases for failure paths

* Address feedback related to LoadBalancer implementation

* Rework how IdleTimeout is configured via SetDeadline. Tested this by setting a sleep in the echo server,
and confirmed the tests failed, logging the i/o timeout. It is possible this doesn't work exactly how I think,
in that long-lived connections that don't send some type of heartbeat might expire. Will test that once I have
the server component.

```
❯ make test
go test ./...
2024/02/28 21:27:59 INFO proxy ready listening=127.0.0.1:61459 targets=127.0.0.1:61458
2024/02/28 21:28:01 ERROR idle timeout exceeded error="readfrom tcp 127.0.0.1:61459->127.0.0.1:61460: read tcp 127.0.0.1:61461->127.0.0.1:61458: i/o timeout"
2024/02/28 21:28:01 ERROR copying data error="readfrom tcp 127.0.0.1:61459->127.0.0.1:61460: read tcp 127.0.0.1:61461->127.0.0.1:61458: i/o timeout"
2024/02/28 21:28:01 ERROR idle timeout exceeded error="readfrom tcp 127.0.0.1:61461->127.0.0.1:61458: read tcp 127.0.0.1:61459->127.0.0.1:61460: i/o timeout"
2024/02/28 21:28:01 ERROR copying data error="readfrom tcp 127.0.0.1:61461->127.0.0.1:61458: read tcp 127.0.0.1:61459->127.0.0.1:61460: i/o timeout"
```

* Add back DialTimeout to ensure we can't hang connecting to an upstream

* Add some missing public function godoc

* Address feedback to ensure you can't double close/serve. Added safety on connection closing to prevent
a goroutine from getting stuck. Simplify the public API.

* Add support for mTLS and an authorization layer

This configures the proxy to listen with TLS, with mutual TLS between it and the client, and vice versa.

* Provided certificates with the repo to make it easy to run and connect to the proxy.

* Two user certificates provided, with two different groups, with tests confirming unauthorized clients have their connection closed.

* Certificates are generated with a SAN that supports `localhost` and `127.0.0.1` for the server name.

* Cleanup some comments

* Simplify locking behavior of Serving with atomic.Bool

* Switch TLS configuration to be file paths for better UX

* Handle invalid TLS config
joshbranham authored Mar 8, 2024
1 parent cc5be98 commit 3e31fdf
Showing 19 changed files with 494 additions and 55 deletions.
6 changes: 3 additions & 3 deletions DESIGN.md
Original file line number Diff line number Diff line change
@@ -98,10 +98,10 @@ type Configuration struct {
type ListenerConfig struct {
ListenerAddr string // eg :5000

// TLS configuraition for the listener to use.
Ca string
// TLS configuration for the listener to use. The values should be relative paths to certificates in PEM format.
CA string
Certificate string
PrivateKey string
PrivateKey string
}

// Individual configuration for an upstream "group"
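Review bot: "relative paths" in the new comment on the CA/Certificate/PrivateKey fields is narrower than what the loader enforces: the `os.ReadFile` and `tls.LoadX509KeyPair` calls in config.go accept any path, and a relative one is resolved against the process working directory, not the location of the config. Suggest "file paths to PEM-encoded certificates; relative paths are resolved from the working directory" so DESIGN.md describes the actual behaviour.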
18 changes: 18 additions & 0 deletions README.md
@@ -27,3 +27,21 @@ In order to run linting:
In order to run tests:

make test

### Certificates

The proxy is configured to listen with TLS, requiring the client and proxy to have certificates signed and trusted by
each-other. This is accomplished by using the same CA. This repository provides sample certificates in `certificates/`,
as well as scripts to generate a new CA and client/server certificates.

The certificates generated and committed to this repo are also used in tests as fixtures.

#### Generating

You can create a new CA key and certificate:

cd certificates && ./generate-ca.sh

To then generate certificates for the proxy to use, and 2 client certificates:

cd certificates && ./generate-clients.sh
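Review bot: typo in the new paragraph: `each-other` should be `each other`. More important, this section should state plainly that everything under `certificates/`, including ca.key and the user private keys, is test fixture material: with the CA signing key in the repository, anyone with the repository can issue a client certificate this proxy trusts, so a real deployment has to run `generate-ca.sh` itself and never reuse the committed CA. One sentence under `### Certificates` would cover it.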
28 changes: 28 additions & 0 deletions certificates/ca.key
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
21 changes: 21 additions & 0 deletions certificates/ca.pem
@@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
8 changes: 8 additions & 0 deletions certificates/generate-ca.sh
@@ -0,0 +1,8 @@
#!/usr/bin/env bash

set -ex

# Generate a root CA cert and private key
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.pem \
-subj "/C=US/ST=CO/L=Denver/O=Test/CN=root-ca"
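Review bot: the root certificate's CA status is left to the `x509_extensions` default of whichever openssl.cnf is installed where the script runs. Suggest making it explicit on the `openssl req -x509` line, e.g. `-addext "basicConstraints=critical,CA:TRUE"` (OpenSSL 1.1.1 and later), so ca.pem is marked as a CA regardless of local configuration.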
32 changes: 32 additions & 0 deletions certificates/generate-clients.sh
@@ -0,0 +1,32 @@
#!/usr/bin/env bash

set -ex

# Create a private key and CSR for the proxy, then sign
openssl genrsa -out tcp-proxy.key 2048
openssl req -new -key tcp-proxy.key -out tcp-proxy.csr \
-subj "/C=US/ST=CO/L=Denver/O=Test/CN=tcp-proxy"

openssl x509 -req -in tcp-proxy.csr -CA ca.pem -CAkey ca.key \
-out tcp-proxy.pem -days 365 -sha256 \
-extfile san_config.ext

# Create a private key and CSR for user1 in group engineering
openssl genrsa -out user1.key 2048
openssl req -new -key user1.key -out user1.csr \
-subj "/C=US/ST=CO/L=Denver/O=Test/CN=user1@engineering"

# Create a signed certificate from CSR for user1
openssl x509 -req -in user1.csr -CA ca.pem -CAkey ca.key \
-out user1.pem -days 365 -sha256 \
-extfile san_config.ext

# Create a private key and CSR for user2 in group administrators
openssl genrsa -out user2.key 2048
openssl req -new -key user2.key -out user2.csr \
-subj "/C=US/ST=CO/L=Denver/O=Test/CN=user2@administrators"

# Create a signed certificate from CSR for user2
openssl x509 -req -in user2.csr -CA ca.pem -CAkey ca.key \
-out user2.pem -days 365 -sha256 \
-extfile san_config.ext
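Review bot: user1 and user2 are signed with the same `san_config.ext` as the proxy certificate, so the client certificates also carry `DNS:localhost` and `IP:127.0.0.1` SANs, and none of the three certificates sets an extendedKeyUsage. Under one shared CA that makes a client certificate equally valid as a server certificate for localhost. Suggest a separate extension file for the user certificates (no subjectAltName, `extendedKeyUsage = clientAuth`) and `extendedKeyUsage = serverAuth` for tcp-proxy, so the two roles are distinguishable at verification time.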
5 changes: 5 additions & 0 deletions certificates/san_config.ext
@@ -0,0 +1,5 @@
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
16 changes: 16 additions & 0 deletions certificates/tcp-proxy.csr
@@ -0,0 +1,16 @@
-----BEGIN CERTIFICATE REQUEST-----
MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNPMQ8wDQYDVQQH
DAZEZW52ZXIxDTALBgNVBAoMBFRlc3QxEjAQBgNVBAMMCXRjcC1wcm94eTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANX2DHGleqfEPgZ4v9GKU4C90wfN
MQJChPft+WOPDd00hyjGyZdYZcDp/gRMuSGtiDBYI3kXR3R+nY7WuhrJP19zuAto
eIRbanpCOY/tzmPDvYc1Rki7LGkvFHV67NAztlFumZcOOMAq91YdbDvWutTpjOiw
7ki58W9FO7r+RAVHcSCfEtVIqePOOswmFfEbis7bDAWt/s9hYAk0I6VHZ03slBGB
ibm6qkoku7l09MTnmkv1Oe57d+fqcHnXat7qF1XEszcJ4sSnSJawRGv7q83TEfl1
Px+8hJSWLmGM1JHVMb8OMA3lUW3w2YZup6DBXZrDmWn6jVUChh/pwuM5oa0CAwEA
AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQCYqQNFWl0kCsAsbb61epy7hoO5VP8oEaQA
CDYq+QaMk04jwvw6WsTEqeEADVo5cm2+6abb1BikJ+lYTg1pHwdrPYPqNhzv78dT
gUbAUZkluMPFWOuAL7wddrPWF4u75yMgUXoIqApaT961tjFk3qUfePJj2unNIYRo
RTa/jWb4ADfg7eVNB/hNSiAlewaiKgqXf8ycR/8vt04+CygextvXfijx0Kqy3rS7
xzM6YHL0jrzTChwVAArRwUK/BJvUYfUs/RQ5UjoG1XfCuAS3C6tGjAsdH9HukJ/w
ihjnJOrM33zJ5uQW2lQNhDC1UJ7SadEPss1ThEeVdrP7mSSjgXJy
-----END CERTIFICATE REQUEST-----
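Review bot: tcp-proxy.csr is an intermediate output of generate-clients.sh (the same applies to user1.csr and user2.csr below); once the signed .pem exists, nothing in this diff reads the CSR. Unless the tests depend on them, suggest leaving `*.csr` out of the commit (or adding the pattern to .gitignore) so the fixtures are limited to what the proxy actually loads.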
28 changes: 28 additions & 0 deletions certificates/tcp-proxy.key
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
21 changes: 21 additions & 0 deletions certificates/tcp-proxy.pem
@@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
16 changes: 16 additions & 0 deletions certificates/user1.csr
@@ -0,0 +1,16 @@
-----BEGIN CERTIFICATE REQUEST-----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=
-----END CERTIFICATE REQUEST-----
28 changes: 28 additions & 0 deletions certificates/user1.key
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
22 changes: 22 additions & 0 deletions certificates/user1.pem
@@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
17 changes: 17 additions & 0 deletions certificates/user2.csr
@@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
28 changes: 28 additions & 0 deletions certificates/user2.key
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
22 changes: 22 additions & 0 deletions certificates/user2.pem
@@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
32 changes: 30 additions & 2 deletions pkg/tcpproxy/config.go
@@ -1,8 +1,11 @@
package tcpproxy

import (
"crypto/tls"
"crypto/x509"
"errors"
"log/slog"
"os"
)

// Config is the top-level configuration object used to configure a Proxy.
@@ -23,8 +26,7 @@ type ListenerConfig struct {
// ListenerAddr is passed to tls.Listen, for example, ":5000" to listen on port 5000.
ListenerAddr string

// TLS configuration for the listener to use. The values should be string data with certificates
// in PEM format.
// TLS configuration for the listener to use. The values should be relative paths to certificates in PEM format.
CA string
Certificate string
PrivateKey string
@@ -58,3 +60,29 @@ func (c *Config) Validate() error {

return nil
}

func (c *Config) TLSConfig() (*tls.Config, error) {
pool := x509.NewCertPool()
caData, err := os.ReadFile(c.ListenerConfig.CA)
if err != nil {
return nil, err
}
pool.AppendCertsFromPEM(caData)

cert, err := tls.LoadX509KeyPair(
c.ListenerConfig.Certificate,
c.ListenerConfig.PrivateKey,
)
if err != nil {
return nil, err
}

return &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: pool,
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: pool,
InsecureSkipVerify: false,
MinVersion: tls.VersionTLS13,
}, nil
}
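Review bot: `pool.AppendCertsFromPEM(caData)` returns false when no certificate could be parsed from the file, and that result is discarded in `TLSConfig`. A CA file that exists but is not valid PEM therefore produces an empty pool, and with `ClientAuth: tls.RequireAndVerifyClientCert` every client handshake then fails with a generic unknown-authority error at connection time instead of a clear configuration error at startup. Suggest `if !pool.AppendCertsFromPEM(caData) { return nil, errors.New("no certificates found in CA file") }` (the `errors` import is already present). Minor: `InsecureSkipVerify: false` is the zero value and can be dropped, though keeping it as an explicit statement of intent is defensible.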