fluent-plugin-secure-forward 0.1.9.pre.rc1 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +140 -119
- data/fluent-plugin-secure-forward.gemspec +2 -2
- data/lib/fluent/plugin/out_secure_forward.rb +2 -0
- data/test/plugin/test_out_secure_forward.rb +20 -0
- metadata +7 -6
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: ca2356a052a35ccb1ce9a6e1e06aefdaaf58fd37
|
4
|
+
data.tar.gz: 3733590e3818bbbdbc7f92a11a609639e0d19fca
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: b2f8f19e8550dec4e7b9eff6ec47b030ae5d77e04fc0cbeabc39ff42ba865382839359bb3bf648120c388cfce0357b767b9b767887a336491042e1233095f355
|
7
|
+
data.tar.gz: e41959d32c7370796154763a0d8314270255f02d738ed3a1f8253f6f7555dc5b6b17040fd4c5aaf99ae82f3fc6b833491f0962c188bb7752355093289d59004e
|
data/README.md
CHANGED
@@ -40,85 +40,93 @@ Default settings:
|
|
40
40
|
|
41
41
|
Minimal configurations like below:
|
42
42
|
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
43
|
+
```apache
|
44
|
+
<source>
|
45
|
+
type secure_forward
|
46
|
+
shared_key secret_string
|
47
|
+
self_hostname server.fqdn.local # This fqdn is used as CN (Common Name) of certificates
|
48
|
+
cert_auto_generate yes # This parameter MUST be specified
|
49
|
+
</source>
|
50
|
+
```
|
49
51
|
|
50
52
|
To check username/password from clients, like this:
|
51
53
|
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
54
|
+
```apache
|
55
|
+
<source>
|
56
|
+
type secure_forward
|
57
|
+
shared_key secret_string
|
58
|
+
self_hostname server.fqdn.local
|
59
|
+
cert_auto_generate yes
|
60
|
+
authentication yes # Deny clients without valid username/password
|
61
|
+
<user>
|
62
|
+
username tagomoris
|
63
|
+
password foobar012
|
64
|
+
</user>
|
65
|
+
<user>
|
66
|
+
username frsyuki
|
67
|
+
password yakiniku
|
68
|
+
</user>
|
69
|
+
</source>
|
70
|
+
```
|
67
71
|
|
68
72
|
To deny unknown source IP/hosts:
|
69
73
|
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
|
82
|
-
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
|
74
|
+
```apache
|
75
|
+
<source>
|
76
|
+
type secure_forward
|
77
|
+
shared_key secret_string
|
78
|
+
self_hostname server.fqdn.local
|
79
|
+
cert_auto_generate yes
|
80
|
+
allow_anonymous_source no # Allow to accept from nodes of <client>
|
81
|
+
<client>
|
82
|
+
host 192.168.10.30
|
83
|
+
</client>
|
84
|
+
<client>
|
85
|
+
host your.host.fqdn.local
|
86
|
+
# wildcard (ex: *.host.fqdn.local) NOT Supported now
|
87
|
+
</client>
|
88
|
+
<client>
|
89
|
+
network 192.168.16.0/24 # network address specification
|
90
|
+
</client>
|
91
|
+
</source>
|
92
|
+
```
|
87
93
|
|
88
94
|
You can use both of username/password check and client check:
|
89
95
|
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
-
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
111
|
-
|
112
|
-
|
113
|
-
|
114
|
-
|
115
|
-
|
116
|
-
|
117
|
-
|
118
|
-
|
119
|
-
|
120
|
-
|
121
|
-
|
96
|
+
```apache
|
97
|
+
<source>
|
98
|
+
type secure_forward
|
99
|
+
shared_key secret_string
|
100
|
+
self_hostname server.fqdn.local
|
101
|
+
cert_auto_generate yes
|
102
|
+
allow_anonymous_source no # Allow to accept from nodes of <client>
|
103
|
+
authentication yes # Deny clients without valid username/password
|
104
|
+
<user>
|
105
|
+
username tagomoris
|
106
|
+
password foobar012
|
107
|
+
</user>
|
108
|
+
<user>
|
109
|
+
username frsyuki
|
110
|
+
password sukiyaki
|
111
|
+
</user>
|
112
|
+
<user>
|
113
|
+
username repeatedly
|
114
|
+
password sushi
|
115
|
+
</user>
|
116
|
+
<client>
|
117
|
+
host 192.168.10.30 # allow all users to connect from 192.168.10.30
|
118
|
+
</client>
|
119
|
+
<client>
|
120
|
+
host 192.168.10.31
|
121
|
+
users tagomoris,frsyuki # deny repeatedly from 192.168.10.31
|
122
|
+
</client>
|
123
|
+
<client>
|
124
|
+
host 192.168.10.32
|
125
|
+
shared_key less_secret_string # limited shared_key for 192.168.10.32
|
126
|
+
users repeatedly # and repatedly only
|
127
|
+
</client>
|
128
|
+
</source>
|
129
|
+
```
|
122
130
|
|
123
131
|
### SecureForwardOutput
|
124
132
|
|
@@ -127,66 +135,79 @@ Default settings:
|
|
127
135
|
|
128
136
|
Minimal configurations like this:
|
129
137
|
|
130
|
-
|
131
|
-
|
132
|
-
|
133
|
-
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
|
138
|
-
|
138
|
+
```apache
|
139
|
+
<match secret.data.**>
|
140
|
+
type secure_forward
|
141
|
+
shared_key secret_string
|
142
|
+
self_hostname client.fqdn.local
|
143
|
+
<server>
|
144
|
+
host server.fqdn.local # or IP
|
145
|
+
# port 24284
|
146
|
+
</server>
|
147
|
+
</match>
|
148
|
+
```
|
139
149
|
|
140
150
|
Without hostname ACL (and it's not implemented yet), `self_hostname` is not checked in any state. `${hostname}` placeholder is available for such cases.
|
141
151
|
|
142
|
-
|
143
|
-
|
144
|
-
|
145
|
-
|
146
|
-
|
147
|
-
|
148
|
-
|
149
|
-
|
150
|
-
|
152
|
+
```apache
|
153
|
+
<match secret.data.**>
|
154
|
+
type secure_forward
|
155
|
+
shared_key secret_string
|
156
|
+
self_hostname ${hostname}
|
157
|
+
<server>
|
158
|
+
host server.fqdn.local # or IP
|
159
|
+
# port 24284
|
160
|
+
</server>
|
161
|
+
</match>
|
162
|
+
```
|
151
163
|
|
152
164
|
When specified 2 or more `<server>`, this plugin uses these nodes in simple round-robin order. And servers with `standby yes` will be selected until all of non-standby servers goes down.
|
153
165
|
|
154
166
|
If server requires username/password, set `username` and `password` in `<server>` section:
|
155
167
|
|
156
|
-
|
157
|
-
|
158
|
-
|
159
|
-
|
160
|
-
|
161
|
-
|
162
|
-
|
163
|
-
|
164
|
-
|
165
|
-
|
166
|
-
|
167
|
-
|
168
|
-
|
169
|
-
|
170
|
-
|
171
|
-
|
172
|
-
|
173
|
-
|
174
|
-
|
175
|
-
|
176
|
-
|
168
|
+
```apache
|
169
|
+
<match secret.data.**>
|
170
|
+
type secure_forward
|
171
|
+
shared_key secret_string
|
172
|
+
self_hostname client.fqdn.local
|
173
|
+
<server>
|
174
|
+
host first.fqdn.local
|
175
|
+
hostlabel server.fqdn.local
|
176
|
+
username repeatedly
|
177
|
+
password sushi
|
178
|
+
</server>
|
179
|
+
<server>
|
180
|
+
host second.fqdn.local
|
181
|
+
hostlabel server.fqdn.local
|
182
|
+
username sasatatsu
|
183
|
+
password karaage
|
184
|
+
</server>
|
185
|
+
<server>
|
186
|
+
host standby.fqdn.local
|
187
|
+
hostlabel server.fqdn.local
|
188
|
+
username kzk
|
189
|
+
password hawaii
|
190
|
+
standby yes
|
191
|
+
</server>
|
192
|
+
</match>
|
193
|
+
```
|
194
|
+
|
195
|
+
Specify `hostlabel` if server (`in_forward`) have different hostname (`self_host` configuration of `in_forward`) from DNS name (`first.fqdn.local`, `second.fqdn.local` or `standby.fqdn.local`). This configuration variable will be used to check common name (CN) of certifications.
|
177
196
|
|
178
197
|
To specify keepalive timeouts, use `keepalive` configuration with seconds. SSL connection will be disconnected and re-connected for each 1 hour with configuration below. In Default (and with `keepalive 0`), connections will not be disconnected without any communication troubles. (This feature is for dns name updates, and SSL common key refreshing.)
|
179
198
|
|
180
|
-
|
181
|
-
|
182
|
-
|
183
|
-
|
184
|
-
|
185
|
-
|
186
|
-
|
187
|
-
|
188
|
-
|
189
|
-
|
199
|
+
```apache
|
200
|
+
<match secret.data.**>
|
201
|
+
type secure_forward
|
202
|
+
shared_key secret_string
|
203
|
+
self_hostname client.fqdn.local
|
204
|
+
keepalive 3600
|
205
|
+
<server>
|
206
|
+
host server.fqdn.local # or IP
|
207
|
+
# port 24284
|
208
|
+
</server>
|
209
|
+
</match>
|
210
|
+
```
|
190
211
|
|
191
212
|
## Senario (developer document)
|
192
213
|
|
@@ -1,7 +1,7 @@
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
2
2
|
Gem::Specification.new do |gem|
|
3
3
|
gem.name = "fluent-plugin-secure-forward"
|
4
|
-
gem.version = "0.
|
4
|
+
gem.version = "0.2.0"
|
5
5
|
gem.authors = ["TAGOMORI Satoshi"]
|
6
6
|
gem.email = ["tagomoris@gmail.com"]
|
7
7
|
gem.summary = %q{Fluentd input/output plugin to forward over SSL with authentications}
|
@@ -15,7 +15,7 @@ Gem::Specification.new do |gem|
|
|
15
15
|
gem.require_paths = ["lib"]
|
16
16
|
|
17
17
|
gem.add_runtime_dependency "fluentd", ">= 0.10.46"
|
18
|
-
gem.add_runtime_dependency "fluent-mixin-config-placeholders"
|
18
|
+
gem.add_runtime_dependency "fluent-mixin-config-placeholders", ">= 0.3.0"
|
19
19
|
gem.add_runtime_dependency "resolve-hostname"
|
20
20
|
gem.add_development_dependency "rake"
|
21
21
|
end
|
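--- a/data/test/plugin/test_out_secure_forward.rb
+++ b/data/test/plugin/test_out_secure_forward.rb
@@ -7,4 +7,24 @@ class SecureForwardOutputTest < Test::Unit::TestCase
 def create_driver(conf=CONFIG,tag='test')
 Fluent::Test::OutputTestDriver.new(Fluent::SecureForwardOutput, tag).configure(conf)
 end
+
+def test_configure_secondary
+p1 = nil
+assert_nothing_raised { p1 = create_driver(<<CONFIG).instance }
+type secure_forward
+shared_key secret_string
+self_hostname client.fqdn.local
+<server>
+host server.fqdn.local # or IP
+# port 24284
+</server>
+<secondary>
+type forward
+<server>
+host localhost
+</server>
+</secondary>
+CONFIG
+end
+
 end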
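Review bot: `test_configure_secondary` only checks that `configure` does not raise; `p1` is assigned and never inspected, so a regression that silently ignores the `<secondary>` block would still pass. Add an assertion on the configured instance after the heredoc, for example `assert_not_nil p1.instance_variable_get(:@secondary)` (this presumes the base output class keeps the secondary in `@secondary` — confirm against the fluentd version the gemspec requires), and ideally that it is a forward output. The README change in this same diff only adds code fences and says nothing about `<secondary>`, so the behaviour this test exercises remains undocumented for users. The enclosing `SecureForwardOutputTest` class starts before this hunk, and the page omits the file header for this section; the hunk is attributed to `data/test/plugin/test_out_secure_forward.rb` from the diffstat.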
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: fluent-plugin-secure-forward
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.2.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- TAGOMORI Satoshi
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2014-
|
11
|
+
date: 2014-08-29 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: fluentd
|
@@ -30,14 +30,14 @@ dependencies:
|
|
30
30
|
requirements:
|
31
31
|
- - ">="
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version:
|
33
|
+
version: 0.3.0
|
34
34
|
type: :runtime
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
38
|
- - ">="
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version:
|
40
|
+
version: 0.3.0
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
42
|
name: resolve-hostname
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
@@ -112,9 +112,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
112
112
|
version: '0'
|
113
113
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
114
114
|
requirements:
|
115
|
-
- - "
|
115
|
+
- - ">="
|
116
116
|
- !ruby/object:Gem::Version
|
117
|
-
version:
|
117
|
+
version: '0'
|
118
118
|
requirements: []
|
119
119
|
rubyforge_project:
|
120
120
|
rubygems_version: 2.2.2
|
@@ -126,3 +126,4 @@ test_files:
|
|
126
126
|
- test/plugin/test_in_secure_forward.rb
|
127
127
|
- test/plugin/test_input_session.rb
|
128
128
|
- test/plugin/test_out_secure_forward.rb
|
129
|
+
has_rdoc:
|