fluent-plugin-secure-forward 0.1.9.pre.rc1 → 0.2.0
- checksums.yaml +4 -4
- data/README.md +140 -119
- data/fluent-plugin-secure-forward.gemspec +2 -2
- data/lib/fluent/plugin/out_secure_forward.rb +2 -0
- data/test/plugin/test_out_secure_forward.rb +20 -0
- metadata +7 -6
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: ca2356a052a35ccb1ce9a6e1e06aefdaaf58fd37
|
4
|
+
data.tar.gz: 3733590e3818bbbdbc7f92a11a609639e0d19fca
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: b2f8f19e8550dec4e7b9eff6ec47b030ae5d77e04fc0cbeabc39ff42ba865382839359bb3bf648120c388cfce0357b767b9b767887a336491042e1233095f355
|
7
|
+
data.tar.gz: e41959d32c7370796154763a0d8314270255f02d738ed3a1f8253f6f7555dc5b6b17040fd4c5aaf99ae82f3fc6b833491f0962c188bb7752355093289d59004e
|
data/README.md
CHANGED
@@ -40,85 +40,93 @@ Default settings:
|
|
40
40
|
|
41
41
|
Minimal configurations like below:
|
42
42
|
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
43
|
+
```apache
|
44
|
+
<source>
|
45
|
+
type secure_forward
|
46
|
+
shared_key secret_string
|
47
|
+
self_hostname server.fqdn.local # This fqdn is used as CN (Common Name) of certificates
|
48
|
+
cert_auto_generate yes # This parameter MUST be specified
|
49
|
+
</source>
|
50
|
+
```
|
49
51
|
|
50
52
|
To check username/password from clients, like this:
|
51
53
|
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
54
|
+
```apache
|
55
|
+
<source>
|
56
|
+
type secure_forward
|
57
|
+
shared_key secret_string
|
58
|
+
self_hostname server.fqdn.local
|
59
|
+
cert_auto_generate yes
|
60
|
+
authentication yes # Deny clients without valid username/password
|
61
|
+
<user>
|
62
|
+
username tagomoris
|
63
|
+
password foobar012
|
64
|
+
</user>
|
65
|
+
<user>
|
66
|
+
username frsyuki
|
67
|
+
password yakiniku
|
68
|
+
</user>
|
69
|
+
</source>
|
70
|
+
```
|
67
71
|
|
68
72
|
To deny unknown source IP/hosts:
|
69
73
|
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
|
82
|
-
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
|
74
|
+
```apache
|
75
|
+
<source>
|
76
|
+
type secure_forward
|
77
|
+
shared_key secret_string
|
78
|
+
self_hostname server.fqdn.local
|
79
|
+
cert_auto_generate yes
|
80
|
+
allow_anonymous_source no # Allow to accept from nodes of <client>
|
81
|
+
<client>
|
82
|
+
host 192.168.10.30
|
83
|
+
</client>
|
84
|
+
<client>
|
85
|
+
host your.host.fqdn.local
|
86
|
+
# wildcard (ex: *.host.fqdn.local) NOT Supported now
|
87
|
+
</client>
|
88
|
+
<client>
|
89
|
+
network 192.168.16.0/24 # network address specification
|
90
|
+
</client>
|
91
|
+
</source>
|
92
|
+
```
|
87
93
|
|
88
94
|
You can use both of username/password check and client check:
|
89
95
|
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
-
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
111
|
-
|
112
|
-
|
113
|
-
|
114
|
-
|
115
|
-
|
116
|
-
|
117
|
-
|
118
|
-
|
119
|
-
|
120
|
-
|
121
|
-
|
96
|
+
```apache
|
97
|
+
<source>
|
98
|
+
type secure_forward
|
99
|
+
shared_key secret_string
|
100
|
+
self_hostname server.fqdn.local
|
101
|
+
cert_auto_generate yes
|
102
|
+
allow_anonymous_source no # Allow to accept from nodes of <client>
|
103
|
+
authentication yes # Deny clients without valid username/password
|
104
|
+
<user>
|
105
|
+
username tagomoris
|
106
|
+
password foobar012
|
107
|
+
</user>
|
108
|
+
<user>
|
109
|
+
username frsyuki
|
110
|
+
password sukiyaki
|
111
|
+
</user>
|
112
|
+
<user>
|
113
|
+
username repeatedly
|
114
|
+
password sushi
|
115
|
+
</user>
|
116
|
+
<client>
|
117
|
+
host 192.168.10.30 # allow all users to connect from 192.168.10.30
|
118
|
+
</client>
|
119
|
+
<client>
|
120
|
+
host 192.168.10.31
|
121
|
+
users tagomoris,frsyuki # deny repeatedly from 192.168.10.31
|
122
|
+
</client>
|
123
|
+
<client>
|
124
|
+
host 192.168.10.32
|
125
|
+
shared_key less_secret_string # limited shared_key for 192.168.10.32
|
126
|
+
users repeatedly # and repatedly only
|
127
|
+
</client>
|
128
|
+
</source>
|
129
|
+
```
|
122
130
|
|
123
131
|
### SecureForwardOutput
|
124
132
|
|
@@ -127,66 +135,79 @@ Default settings:
|
|
127
135
|
|
128
136
|
Minimal configurations like this:
|
129
137
|
|
130
|
-
|
131
|
-
|
132
|
-
|
133
|
-
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
|
138
|
-
|
138
|
+
```apache
|
139
|
+
<match secret.data.**>
|
140
|
+
type secure_forward
|
141
|
+
shared_key secret_string
|
142
|
+
self_hostname client.fqdn.local
|
143
|
+
<server>
|
144
|
+
host server.fqdn.local # or IP
|
145
|
+
# port 24284
|
146
|
+
</server>
|
147
|
+
</match>
|
148
|
+
```
|
139
149
|
|
140
150
|
Without hostname ACL (and it's not implemented yet), `self_hostname` is not checked in any state. `${hostname}` placeholder is available for such cases.
|
141
151
|
|
142
|
-
|
143
|
-
|
144
|
-
|
145
|
-
|
146
|
-
|
147
|
-
|
148
|
-
|
149
|
-
|
150
|
-
|
152
|
+
```apache
|
153
|
+
<match secret.data.**>
|
154
|
+
type secure_forward
|
155
|
+
shared_key secret_string
|
156
|
+
self_hostname ${hostname}
|
157
|
+
<server>
|
158
|
+
host server.fqdn.local # or IP
|
159
|
+
# port 24284
|
160
|
+
</server>
|
161
|
+
</match>
|
162
|
+
```
|
151
163
|
|
152
164
|
When specified 2 or more `<server>`, this plugin uses these nodes in simple round-robin order. And servers with `standby yes` will be selected until all of non-standby servers goes down.
|
153
165
|
|
154
166
|
If server requires username/password, set `username` and `password` in `<server>` section:
|
155
167
|
|
156
|
-
|
157
|
-
|
158
|
-
|
159
|
-
|
160
|
-
|
161
|
-
|
162
|
-
|
163
|
-
|
164
|
-
|
165
|
-
|
166
|
-
|
167
|
-
|
168
|
-
|
169
|
-
|
170
|
-
|
171
|
-
|
172
|
-
|
173
|
-
|
174
|
-
|
175
|
-
|
176
|
-
|
168
|
+
```apache
|
169
|
+
<match secret.data.**>
|
170
|
+
type secure_forward
|
171
|
+
shared_key secret_string
|
172
|
+
self_hostname client.fqdn.local
|
173
|
+
<server>
|
174
|
+
host first.fqdn.local
|
175
|
+
hostlabel server.fqdn.local
|
176
|
+
username repeatedly
|
177
|
+
password sushi
|
178
|
+
</server>
|
179
|
+
<server>
|
180
|
+
host second.fqdn.local
|
181
|
+
hostlabel server.fqdn.local
|
182
|
+
username sasatatsu
|
183
|
+
password karaage
|
184
|
+
</server>
|
185
|
+
<server>
|
186
|
+
host standby.fqdn.local
|
187
|
+
hostlabel server.fqdn.local
|
188
|
+
username kzk
|
189
|
+
password hawaii
|
190
|
+
standby yes
|
191
|
+
</server>
|
192
|
+
</match>
|
193
|
+
```
|
194
|
+
|
195
|
+
Specify `hostlabel` if server (`in_forward`) have different hostname (`self_host` configuration of `in_forward`) from DNS name (`first.fqdn.local`, `second.fqdn.local` or `standby.fqdn.local`). This configuration variable will be used to check common name (CN) of certifications.
|
177
196
|
|
178
197
|
To specify keepalive timeouts, use `keepalive` configuration with seconds. SSL connection will be disconnected and re-connected for each 1 hour with configuration below. In Default (and with `keepalive 0`), connections will not be disconnected without any communication troubles. (This feature is for dns name updates, and SSL common key refreshing.)
|
179
198
|
|
180
|
-
|
181
|
-
|
182
|
-
|
183
|
-
|
184
|
-
|
185
|
-
|
186
|
-
|
187
|
-
|
188
|
-
|
189
|
-
|
199
|
+
```apache
|
200
|
+
<match secret.data.**>
|
201
|
+
type secure_forward
|
202
|
+
shared_key secret_string
|
203
|
+
self_hostname client.fqdn.local
|
204
|
+
keepalive 3600
|
205
|
+
<server>
|
206
|
+
host server.fqdn.local # or IP
|
207
|
+
# port 24284
|
208
|
+
</server>
|
209
|
+
</match>
|
210
|
+
```
|
190
211
|
|
191
212
|
## Senario (developer document)
|
192
213
|
|
@@ -1,7 +1,7 @@
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
2
2
|
Gem::Specification.new do |gem|
|
3
3
|
gem.name = "fluent-plugin-secure-forward"
|
4
|
-
gem.version = "0.
|
4
|
+
gem.version = "0.2.0"
|
5
5
|
gem.authors = ["TAGOMORI Satoshi"]
|
6
6
|
gem.email = ["tagomoris@gmail.com"]
|
7
7
|
gem.summary = %q{Fluentd input/output plugin to forward over SSL with authentications}
|
@@ -15,7 +15,7 @@ Gem::Specification.new do |gem|
|
|
15
15
|
gem.require_paths = ["lib"]
|
16
16
|
|
17
17
|
gem.add_runtime_dependency "fluentd", ">= 0.10.46"
|
18
|
-
gem.add_runtime_dependency "fluent-mixin-config-placeholders"
|
18
|
+
gem.add_runtime_dependency "fluent-mixin-config-placeholders", ">= 0.3.0"
|
19
19
|
gem.add_runtime_dependency "resolve-hostname"
|
20
20
|
gem.add_development_dependency "rake"
|
21
21
|
end
|
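Review bot: After this hunk `fluent-mixin-config-placeholders` carries a floor of `>= 0.3.0` and `fluentd` has `>= 0.10.46`, but `resolve-hostname` on the very next line is still declared with no constraint at all, which makes installs of this release non-reproducible for that dependency. If a known-good version exists, declare it the same way, e.g. `gem.add_runtime_dependency "resolve-hostname", ">= <MINIMUM-VERSION-PLACEHOLDER>"`, or add a short comment explaining why it is intentionally left open. The `Gem::Specification.new` block begins before the hunk.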
@@ -7,4 +7,24 @@ class SecureForwardOutputTest < Test::Unit::TestCase
|
|
7
7
|
def create_driver(conf=CONFIG,tag='test')
|
8
8
|
Fluent::Test::OutputTestDriver.new(Fluent::SecureForwardOutput, tag).configure(conf)
|
9
9
|
end
|
10
|
+
|
11
|
+
def test_configure_secondary
|
12
|
+
p1 = nil
|
13
|
+
assert_nothing_raised { p1 = create_driver(<<CONFIG).instance }
|
14
|
+
type secure_forward
|
15
|
+
shared_key secret_string
|
16
|
+
self_hostname client.fqdn.local
|
17
|
+
<server>
|
18
|
+
host server.fqdn.local # or IP
|
19
|
+
# port 24284
|
20
|
+
</server>
|
21
|
+
<secondary>
|
22
|
+
type forward
|
23
|
+
<server>
|
24
|
+
host localhost
|
25
|
+
</server>
|
26
|
+
</secondary>
|
27
|
+
CONFIG
|
28
|
+
end
|
29
|
+
|
10
30
|
end
|
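Review bot: `test_configure_secondary` only asserts that `configure` does not raise, so a regression that silently ignores the `<secondary>` element would still pass. After the `assert_nothing_raised` block, assert that the secondary output was actually instantiated, e.g. `assert_not_nil p1.instance_variable_get(:@secondary)` (or a public reader if the installed Fluentd exposes one), and optionally that it is an instance of `Fluent::ForwardOutput`. The `p1 = nil` line is required because the assignment happens inside the block and would otherwise not be visible afterwards; a one-line comment such as `# declared outside the block so the configured instance is visible after it` would make that intent clear. The enclosing `SecureForwardOutputTest` class begins before the hunk.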
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: fluent-plugin-secure-forward
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.2.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- TAGOMORI Satoshi
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2014-
|
11
|
+
date: 2014-08-29 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: fluentd
|
@@ -30,14 +30,14 @@ dependencies:
|
|
30
30
|
requirements:
|
31
31
|
- - ">="
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version:
|
33
|
+
version: 0.3.0
|
34
34
|
type: :runtime
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
38
|
- - ">="
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version:
|
40
|
+
version: 0.3.0
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
42
|
name: resolve-hostname
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
@@ -112,9 +112,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
112
112
|
version: '0'
|
113
113
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
114
114
|
requirements:
|
115
|
-
- - "
|
115
|
+
- - ">="
|
116
116
|
- !ruby/object:Gem::Version
|
117
|
-
version:
|
117
|
+
version: '0'
|
118
118
|
requirements: []
|
119
119
|
rubyforge_project:
|
120
120
|
rubygems_version: 2.2.2
|
@@ -126,3 +126,4 @@ test_files:
|
|
126
126
|
- test/plugin/test_in_secure_forward.rb
|
127
127
|
- test/plugin/test_input_session.rb
|
128
128
|
- test/plugin/test_out_secure_forward.rb
|
129
|
+
has_rdoc:
|