fluent-plugin-secure-forward 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.gitignore +24 -0
- data/Gemfile +4 -0
- data/LICENSE.txt +13 -0
- data/README.md +238 -0
- data/Rakefile +2 -0
- data/example/auth_client.conf +19 -0
- data/example/auth_server.conf +30 -0
- data/example/cert_client.conf +22 -0
- data/example/cert_server.conf +34 -0
- data/example/certs/cert.pem +18 -0
- data/example/certs/key.pem +15 -0
- data/example/client.conf +13 -0
- data/example/server.conf +10 -0
- data/fluent-plugin-secure-forward.gemspec +20 -0
- data/lib/fluent/plugin/in_secure_forward.rb +402 -0
- data/lib/fluent/plugin/out_secure_forward.rb +417 -0
- data/test/plugin/test_in_secure_forward.rb +0 -0
- data/test/plugin/test_out_secure_forward.rb +0 -0
- metadata +129 -0
data/.gitignore
ADDED
@@ -0,0 +1,24 @@
|
|
1
|
+
*.gem
|
2
|
+
*.rbc
|
3
|
+
.bundle
|
4
|
+
.config
|
5
|
+
.yardoc
|
6
|
+
Gemfile.lock
|
7
|
+
InstalledFiles
|
8
|
+
_yardoc
|
9
|
+
coverage
|
10
|
+
doc/
|
11
|
+
lib/bundler/man
|
12
|
+
pkg
|
13
|
+
rdoc
|
14
|
+
spec/reports
|
15
|
+
test/tmp
|
16
|
+
test/version_tmp
|
17
|
+
tmp
|
18
|
+
# For TextMate, emacs, vim
|
19
|
+
*.tmproj
|
20
|
+
tmtags
|
21
|
+
*~
|
22
|
+
\#*
|
23
|
+
.\#*
|
24
|
+
*.swp
|
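Review bot: nothing in this ignore list covers private key material, yet the package ships `example/certs/key.pem` (listed above as +15). Add `*.pem` or at least `example/certs/key.pem` here, and if the example key is needed for tests, generate it at test time instead of committing it.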
data/Gemfile
ADDED
data/LICENSE.txt
ADDED
@@ -0,0 +1,13 @@
|
|
1
|
+
Copyright (c) 2012- TAGOMORI Satoshi
|
2
|
+
|
3
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
4
|
+
you may not use this file except in compliance with the License.
|
5
|
+
You may obtain a copy of the License at
|
6
|
+
|
7
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
8
|
+
|
9
|
+
Unless required by applicable law or agreed to in writing, software
|
10
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
11
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
12
|
+
See the License for the specific language governing permissions and
|
13
|
+
limitations under the License.
|
data/README.md
ADDED
@@ -0,0 +1,238 @@
|
|
1
|
+
# fluent-plugin-secure-forward
|
2
|
+
|
3
|
+
Fluentd input/output plugin to forward fluentd messages over SSL with authentication.
|
4
|
+
|
5
|
+
**THIS PLUGIN IS PoC, and now version is HIGHLY EXPERIMENTAL.**
|
6
|
+
|
7
|
+
This plugin makes you to be able to:
|
8
|
+
|
9
|
+
* protect your data from others in transferring with SSL
|
10
|
+
* with certificate signed and registered correctly
|
11
|
+
* with self-signed certificate (and generate certificate in in\_secure\_forward automatically)
|
12
|
+
* authenticate by shared\_key check from both of client(out\_secure\_forward) and server(in\_secure\_forward)
|
13
|
+
* authenticate with username / password pairs
|
14
|
+
|
15
|
+
**DON'T USE THIS PLUGIN OF THIS VERSION (v0.0.x) IN PRODUCTION ENVIRONMENT.**
|
16
|
+
|
17
|
+
We need new developer/maintainer of this plugin, who wants to use this plugin in their systems.
|
18
|
+
|
19
|
+
## Configuration
|
20
|
+
|
21
|
+
### SecureForwardInput
|
22
|
+
|
23
|
+
Default settings:
|
24
|
+
* listen 0.0.0.0:24284
|
25
|
+
* `bind 192.168.0.101`
|
26
|
+
* `port 24285`
|
27
|
+
* allow to accept from any sources
|
28
|
+
* allow to connect without authentications
|
29
|
+
* use certificate automatically generated
|
30
|
+
* `generate_private_key_length 2048`
|
31
|
+
* `generate_cert_country US`
|
32
|
+
* `generate_cert_state CA`
|
33
|
+
* `generate_cert_locality Mountain View`
|
34
|
+
* `generate_cert_common_name SAME_WITH_SELF_HOSTNAME_PARAMETER`
|
35
|
+
|
36
|
+
Minimal configurations like below:
|
37
|
+
|
38
|
+
<source>
|
39
|
+
type secure_forward
|
40
|
+
shared_key secret_string
|
41
|
+
self_hostname server.fqdn.local # This fqdn is used as CN (Common Name) of certificates
|
42
|
+
cert_auto_generate yes # This parameter MUST be specified
|
43
|
+
</source>
|
44
|
+
|
45
|
+
To check username/password from clients, like this:
|
46
|
+
|
47
|
+
<source>
|
48
|
+
type secure_forward
|
49
|
+
shared_key secret_string
|
50
|
+
self_hostname server.fqdn.local
|
51
|
+
cert_auto_generate yes
|
52
|
+
authentication yes # Deny clients without valid username/password
|
53
|
+
<user>
|
54
|
+
username tagomoris
|
55
|
+
password foobar012
|
56
|
+
</user>
|
57
|
+
<user>
|
58
|
+
username frsyuki
|
59
|
+
password yakiniku
|
60
|
+
</user>
|
61
|
+
</source>
|
62
|
+
|
63
|
+
To deny unknown source IP/hosts:
|
64
|
+
|
65
|
+
<source>
|
66
|
+
type secure_forward
|
67
|
+
shared_key secret_string
|
68
|
+
self_hostname server.fqdn.local
|
69
|
+
cert_auto_generate yes
|
70
|
+
allow_anonymous_source no # Allow to accept from nodes of <client>
|
71
|
+
<client>
|
72
|
+
host 192.168.10.30
|
73
|
+
# network address (ex: 192.168.10.0/24) NOT Supported now
|
74
|
+
</client>
|
75
|
+
<client>
|
76
|
+
host your.host.fqdn.local
|
77
|
+
# wildcard (ex: *.host.fqdn.local) NOT Supported now
|
78
|
+
</client>
|
79
|
+
</source>
|
80
|
+
|
81
|
+
You can use both of username/password check and client check:
|
82
|
+
|
83
|
+
<source>
|
84
|
+
type secure_forward
|
85
|
+
shared_key secret_string
|
86
|
+
self_hostname server.fqdn.local
|
87
|
+
cert_auto_generate yes
|
88
|
+
allow_anonymous_source no # Allow to accept from nodes of <client>
|
89
|
+
authentication yes # Deny clients without valid username/password
|
90
|
+
<user>
|
91
|
+
username tagomoris
|
92
|
+
password foobar012
|
93
|
+
</user>
|
94
|
+
<user>
|
95
|
+
username frsyuki
|
96
|
+
password sukiyaki
|
97
|
+
</user>
|
98
|
+
<user>
|
99
|
+
username repeatedly
|
100
|
+
password sushi
|
101
|
+
</user
|
102
|
+
<client>
|
103
|
+
host 192.168.10.30 # allow all users to connect from 192.168.10.30
|
104
|
+
</client>
|
105
|
+
<client>
|
106
|
+
host 192.168.10.31
|
107
|
+
users tagomoris,frsyuki # deny repeatedly from 192.168.10.31
|
108
|
+
</client>
|
109
|
+
<client>
|
110
|
+
host 192.168.10.32
|
111
|
+
shared_key less_secret_string # limited shared_key for 192.168.10.32
|
112
|
+
users repeatedly # and repatedly only
|
113
|
+
</client>
|
114
|
+
</source>
|
115
|
+
|
116
|
+
### SecureForwardOutput
|
117
|
+
|
118
|
+
Default settings:
|
119
|
+
* allow to connect server using self-signed certificates
|
120
|
+
|
121
|
+
Minimal configurations like this:
|
122
|
+
|
123
|
+
<match secret.data.**>
|
124
|
+
type secure_forward
|
125
|
+
shared_key secret_string
|
126
|
+
<server>
|
127
|
+
host server.fqdn.local # or IP
|
128
|
+
# port 24284
|
129
|
+
</server>
|
130
|
+
</match>
|
131
|
+
|
132
|
+
At this version (v0.0.x), only one `<server>` section can be specified.
|
133
|
+
|
134
|
+
If server requires username/password, set `username` and `password` in `<server>` section:
|
135
|
+
|
136
|
+
<match secret.data.**>
|
137
|
+
type secure_forward
|
138
|
+
shared_key secret_string
|
139
|
+
<server>
|
140
|
+
host server.fqdn.local
|
141
|
+
username repeatedly
|
142
|
+
password sushi
|
143
|
+
</server>
|
144
|
+
</match>
|
145
|
+
|
146
|
+
## Senario (developer document)
|
147
|
+
|
148
|
+
* server
|
149
|
+
* in\_secure\_forward
|
150
|
+
* client
|
151
|
+
* out\_secure\_forward
|
152
|
+
|
153
|
+
### Setup Phase (server)
|
154
|
+
|
155
|
+
1. SSLContext
|
156
|
+
* with certificate file / private key file
|
157
|
+
1. read cert file
|
158
|
+
2. generate SSLContext object
|
159
|
+
* without certificate file
|
160
|
+
1. generate key pair
|
161
|
+
2. generate cert data
|
162
|
+
3. sign cert data with generated private key
|
163
|
+
2. shared key
|
164
|
+
* read shared key from configuration
|
165
|
+
3. username / password pairs
|
166
|
+
* read from configuration
|
167
|
+
|
168
|
+
### Setup Phase (client)
|
169
|
+
|
170
|
+
1. SSLContext
|
171
|
+
1. certificate
|
172
|
+
* with certificate file, read from file
|
173
|
+
* without certificate file, `new SSLContext` without any options
|
174
|
+
2. set SSLContext option which allow self signed key option or not
|
175
|
+
2. shared key
|
176
|
+
* read shared key from configuration
|
177
|
+
3. read server list with username / password pairs from configuration
|
178
|
+
|
179
|
+
### Handshake
|
180
|
+
|
181
|
+
1. (client) connect to server
|
182
|
+
* on SSL socket handshake, checks certificate and its significate (in client)
|
183
|
+
2. (server)
|
184
|
+
* check network/domain acl (if enabled)
|
185
|
+
* check client dns reverse lookup result (if enabled)
|
186
|
+
* disconnect when failed
|
187
|
+
3. (server) send HELO
|
188
|
+
* ['HELO', options(hash)]
|
189
|
+
* options:
|
190
|
+
* auth: string or blank\_string (string: authentication required, and its salt is this value)
|
191
|
+
* keepalive: bool (allowed or not)
|
192
|
+
4. (client) send PING
|
193
|
+
* ['PING', selfhostname, sharedkey\_salt, sha512\_hex(sharedkey\_salt + selfhostname + sharedkey), username || '', sha512\_hex(auth\_salt + username + password) || '']
|
194
|
+
5. (server) check PING
|
195
|
+
* check sharedkey
|
196
|
+
* check username / password (if required)
|
197
|
+
* send PONG FAILURE if failed
|
198
|
+
* ['PONG', false, 'reason of authentication failure', '', '']
|
199
|
+
6. (server) send PONG
|
200
|
+
* ['PONG', bool(authentication result), 'reason if authentication failed', selfhostname, sha512\_hex(salt + selfhostname + sharedkey)]
|
201
|
+
7. (client) check PONG
|
202
|
+
* check sharedkey
|
203
|
+
* disconnect when failed
|
204
|
+
8. connection established
|
205
|
+
* send data from client (until keepalive expiration)
|
206
|
+
|
207
|
+
### Data transferring
|
208
|
+
|
209
|
+
CONSIDER RETURN ACK OR NOT
|
210
|
+
|
211
|
+
* This version (v0.0.1) has no ACKs
|
212
|
+
* only supports burst transferring (same as ForwardInput/Output)
|
213
|
+
* ack for each message ?
|
214
|
+
* pipeline mode and one-by-one mode ?
|
215
|
+
* data sequence number in keepalive session ?
|
216
|
+
|
217
|
+
## TODO
|
218
|
+
|
219
|
+
* test for non self-signed certificates
|
220
|
+
* ACK mode (protocol)
|
221
|
+
* support disabling keepalive (input/output)
|
222
|
+
* access control (input plugin)
|
223
|
+
* network acl / domain acl
|
224
|
+
* check connecting source ip and its dns reverse lookup result (for domaian acl)
|
225
|
+
* access deny on accept (against DoS)
|
226
|
+
* pluggable authentication database (input plugin)
|
227
|
+
* RDBMS, LDAP, or ...
|
228
|
+
* encryption algorithm option (output plugin)
|
229
|
+
* balancing/failover (output plugin)
|
230
|
+
* TESTS!
|
231
|
+
|
232
|
+
* GET NEW MAINTAINER
|
233
|
+
|
234
|
+
## Copyright
|
235
|
+
|
236
|
+
* Copyright (c) 2013- TAGOMORI Satoshi (tagomoris)
|
237
|
+
* License
|
238
|
+
* Apache License, Version 2.0
|
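Review bot: the handshake section shows the username/password check as `sha512_hex(auth_salt + username + password)`, which means the server must hold the cleartext password (as the `<user>` blocks in this README do); say so explicitly, and state which salt the PONG digest `sha512_hex(salt + selfhostname + sharedkey)` uses, since the PING carries a client-chosen `sharedkey_salt` and the HELO carries the `auth` salt. The defaults listed under SecureForwardInput (accept any source, no authentication, auto-generated certificate) and under SecureForwardOutput (accept self-signed certificates) deserve a prominent warning next to the minimal configs rather than only in the default list. The combined example config has an unclosed tag, `</user` instead of `</user>`, which would break parsing. Typos: `Senario`, `repatedly`, `domaian`, `significate` (signature?). The Copyright section says 2013- while LICENSE.txt says 2012-.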
data/Rakefile
ADDED
@@ -0,0 +1,19 @@
|
|
1
|
+
<source>
|
2
|
+
type forward
|
3
|
+
</source>
|
4
|
+
|
5
|
+
<match test.**>
|
6
|
+
type secure_forward
|
7
|
+
self_hostname client
|
8
|
+
#shared_key hogeposxxx0
|
9
|
+
shared_key wrong_shared_key
|
10
|
+
<server>
|
11
|
+
host localhost
|
12
|
+
shared_key hogeposxxx1
|
13
|
+
username tagomoris
|
14
|
+
password 001122
|
15
|
+
# password XXYYZZ
|
16
|
+
# password wrong_pass
|
17
|
+
</server>
|
18
|
+
flush_interval 1s
|
19
|
+
</match>
|
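Review bot: this hunk is labelled `data/Rakefile`, but the summary lists Rakefile as +2 and these 19 lines are a fluentd config matching `example/auth_client.conf`; check the file mapping in the listing. In the config itself the top-level `shared_key wrong_shared_key` is overridden by `shared_key hogeposxxx1` inside `<server>`; a comment stating that the per-server key takes precedence would help, and the commented-out `# password XXYYZZ` / `# password wrong_pass` alternatives make this read as a test scenario rather than a usable example.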
@@ -0,0 +1,30 @@
|
|
1
|
+
<source>
|
2
|
+
type secure_forward
|
3
|
+
self_hostname server
|
4
|
+
shared_key hogeposxxx0
|
5
|
+
cert_auto_generate yes
|
6
|
+
allow_anonymous_source no
|
7
|
+
authentication yes
|
8
|
+
<user>
|
9
|
+
username tagomoris
|
10
|
+
password 001122
|
11
|
+
</user>
|
12
|
+
<user>
|
13
|
+
username sugomoris
|
14
|
+
password 012345
|
15
|
+
</user>
|
16
|
+
<user>
|
17
|
+
username tagomoris
|
18
|
+
password XXYYZZ
|
19
|
+
</user>
|
20
|
+
<client>
|
21
|
+
host localhost
|
22
|
+
users tagomoris
|
23
|
+
shared_key hogeposxxx1
|
24
|
+
# users sugomoris
|
25
|
+
</client>
|
26
|
+
</source>
|
27
|
+
|
28
|
+
<match test.**>
|
29
|
+
type stdout
|
30
|
+
</match>
|
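Review bot: `username tagomoris` appears in two `<user>` blocks with different passwords (`001122` and `XXYYZZ`); the README does not say whether duplicate usernames are merged, rejected, or last-wins, so either document the behaviour or drop the duplicate. The `<client>` block for `localhost` restricts `users tagomoris` and sets the per-client `shared_key hogeposxxx1` that the client example uses, which is worth a comment so readers see the pairing.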
@@ -0,0 +1,22 @@
|
|
1
|
+
<source>
|
2
|
+
type forward
|
3
|
+
</source>
|
4
|
+
|
5
|
+
<match test.**>
|
6
|
+
type secure_forward
|
7
|
+
self_hostname client
|
8
|
+
#shared_key hogeposxxx0
|
9
|
+
shared_key wrong_shared_key
|
10
|
+
allow_self_signed_certificate yes
|
11
|
+
ca_file_path /Users/tagomoris/Documents/fluent-plugin-secure-forward/example/certs/cert.pem
|
12
|
+
<server>
|
13
|
+
host localhost
|
14
|
+
hostlabel tagomoris
|
15
|
+
shared_key hogeposxxx1
|
16
|
+
username tagomoris
|
17
|
+
password 001122
|
18
|
+
# password XXYYZZ
|
19
|
+
# password wrong_pass
|
20
|
+
</server>
|
21
|
+
flush_interval 1s
|
22
|
+
</match>
|
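Review bot: `allow_self_signed_certificate yes` together with `ca_file_path` pointing at `example/certs/cert.pem` is contradictory: if the server certificate is meant to be validated against that CA file, self-signed acceptance should be `no`, otherwise the pin is not enforced. The absolute `/Users/tagomoris/Documents/...` path makes the example unusable as shipped; use a path relative to the example directory. `hostlabel tagomoris` is not documented in the README.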
@@ -0,0 +1,34 @@
|
|
1
|
+
<source>
|
2
|
+
type secure_forward
|
3
|
+
self_hostname server
|
4
|
+
# self_hostname tagomoris
|
5
|
+
shared_key hogeposxxx0
|
6
|
+
####cert_auto_generate no
|
7
|
+
cert_file_path /Users/tagomoris/Documents/fluent-plugin-secure-forward/example/certs/cert.pem
|
8
|
+
private_key_file /Users/tagomoris/Documents/fluent-plugin-secure-forward/example/certs/key.pem
|
9
|
+
# private_key_passphrase blank
|
10
|
+
allow_anonymous_source no
|
11
|
+
authentication yes
|
12
|
+
<user>
|
13
|
+
username tagomoris
|
14
|
+
password 001122
|
15
|
+
</user>
|
16
|
+
<user>
|
17
|
+
username sugomoris
|
18
|
+
password 012345
|
19
|
+
</user>
|
20
|
+
<user>
|
21
|
+
username tagomoris
|
22
|
+
password XXYYZZ
|
23
|
+
</user>
|
24
|
+
<client>
|
25
|
+
host localhost
|
26
|
+
users tagomoris
|
27
|
+
shared_key hogeposxxx1
|
28
|
+
# users sugomoris
|
29
|
+
</client>
|
30
|
+
</source>
|
31
|
+
|
32
|
+
<match test.**>
|
33
|
+
type stdout
|
34
|
+
</match>
|
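Review bot: `cert_file_path` and `private_key_file` use the same absolute `/Users/tagomoris/Documents/...` paths as the client example and will not work outside the author's machine. `####cert_auto_generate no` is presumably meant to show that auto-generation is off when a certificate file is given, but the README says `cert_auto_generate` "MUST be specified"; clarify its default when `cert_file_path` is set. The duplicate `username tagomoris` with two passwords is repeated here as well.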
@@ -0,0 +1,18 @@
|
|
1
|
+
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
|
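Review bot: shipping a fixed certificate as example data is acceptable only if the README marks `example/certs` as throwaway test material; as it stands the cert_server example presents a certificate that every copy of the gem contains, and the cert_client example pins `ca_file_path` to it.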
@@ -0,0 +1,15 @@
|
|
1
|
+
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
|
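Review bot: a private key committed to the repository and packaged in the gem is public: any deployment that copies `cert_server.conf` as-is runs with a key anyone can obtain, and a client whose `ca_file_path` is pinned to `cert.pem` will trust whoever holds this key. Remove the key from the package (generate a key pair during test setup, which the README's "without certificate file" setup phase already describes), add it to .gitignore, and state in the README that the example certificate and key are for local testing only.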