fluent-plugin-secure-forward 0.2.6 → 0.3.0
- checksums.yaml +4 -4
- data/README.md +184 -43
- data/bin/secure-forward-ca-generate +34 -0
- data/example/cert_client.conf +1 -2
- data/example/cert_server.conf +5 -4
- data/example/client.conf +10 -7
- data/example/insecure_client.conf +23 -0
- data/example/insecure_server.conf +10 -0
- data/example/server.conf +5 -2
- data/fluent-plugin-secure-forward.gemspec +1 -1
- data/lib/fluent/plugin/in_secure_forward.rb +89 -50
- data/lib/fluent/plugin/input_session.rb +2 -2
- data/lib/fluent/plugin/out_secure_forward.rb +35 -18
- data/lib/fluent/plugin/output_node.rb +46 -23
- data/lib/fluent/plugin/secure_forward/cert_util.rb +85 -0
- data/test/plugin/test_in_secure_forward.rb +73 -8
- data/test/plugin/test_out_secure_forward.rb +45 -0
- metadata +9 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: df29e6485f04c40533bd9dbbbeb16ccdf510763d
|
4
|
+
data.tar.gz: 4d3cdcc2ce8a6cb570de129eef1f18dcad3d0f6b
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 842034f48f6a55b49d4a5ff43d552bc525e7634bdf22e71f4e8c657a39841cb438a07ebac3ec27fe68f6a2b341c2bf7315da30dc64f2c05f5fc43dfb895f1cc5
|
7
|
+
data.tar.gz: 2215336ca4b4a59c78beca450ff53b3302809ea15fa200ebf61a27746fb7181c27f8c31d79975079831a47d6ffc8164e65e678e8fa8a70ed4af2a0ba57694d33
|
data/README.md
CHANGED
@@ -5,21 +5,165 @@
|
|
5
5
|
This plugin makes you to be able to:
|
6
6
|
|
7
7
|
* protect your data from others in transferring with SSL
|
8
|
-
* with certificate signed and registered correctly
|
9
|
-
* with
|
8
|
+
* with certificate signed and registered correctly/publicly
|
9
|
+
* with private CA certificates generated by users
|
10
|
+
* with automatically generated and self-signed certificates **in vulnerable way**
|
10
11
|
* authenticate by shared\_key check from both of client(out\_secure\_forward) and server(in\_secure\_forward)
|
11
12
|
* authenticate with username / password pairs
|
12
13
|
|
13
14
|
## Installation
|
14
15
|
install with gem or fluent-gem command as:
|
15
16
|
|
16
|
-
|
17
|
-
### native gem
|
17
|
+
```
|
18
|
+
### native gem
|
18
19
|
$ gem install fluent-plugin-secure-forward
|
19
|
-
|
20
|
-
### fluentd gem
|
20
|
+
|
21
|
+
### fluentd gem
|
21
22
|
$ fluent-gem install fluent-plugin-secure-forward
|
22
|
-
|
23
|
+
```
|
24
|
+
|
25
|
+
### Using SSL certificates issued from trusted CA
|
26
|
+
|
27
|
+
To communicate over SSL with valid certificate issued from public CA, configure params below for input plugin:
|
28
|
+
|
29
|
+
* `secure`: set `yes` or `true`
|
30
|
+
* `cert_path`: set path of certificate file issued from CA
|
31
|
+
* `private_key_path`: set path of private key file
|
32
|
+
* `private_key_passphrase`: set passphrase of private key
|
33
|
+
|
34
|
+
```apache
|
35
|
+
<source>
|
36
|
+
type secure_forward
|
37
|
+
|
38
|
+
# bind 0.0.0.0 # default
|
39
|
+
# port 24284 # default
|
40
|
+
self_hostname server.fqdn.example.com
|
41
|
+
shared_key secret_string
|
42
|
+
|
43
|
+
secure yes
|
44
|
+
|
45
|
+
cert_path /path/for/certificate/cert.pem
|
46
|
+
private_key_path /path/for/certificate/key.pem
|
47
|
+
private_key_passphrase secret_foo_bar_baz
|
48
|
+
</source>
|
49
|
+
```
|
50
|
+
|
51
|
+
For output plugin, specify just 2 options below:
|
52
|
+
|
53
|
+
* `secure`: set `yes` or `true`
|
54
|
+
* `enable_strict_verification`: specify `yes` or `true` to verify FQDN of servers (input plugin)
|
55
|
+
|
56
|
+
```apache
|
57
|
+
<match secret.data.**>
|
58
|
+
type secure_forward
|
59
|
+
|
60
|
+
self_hostname client.fqdn.local
|
61
|
+
shared_key secret_string
|
62
|
+
|
63
|
+
secure yes
|
64
|
+
enable_strict_verification yes
|
65
|
+
|
66
|
+
<server>
|
67
|
+
host server.fqdn.example.com # or IP
|
68
|
+
# port 24284
|
69
|
+
</server>
|
70
|
+
<server>
|
71
|
+
host 203.0.113.8 # ip address to connect
|
72
|
+
hostlabel server.fqdn.example.com # specify hostlabel for FQDN verification if ipaddress is used for host
|
73
|
+
</server>
|
74
|
+
</match>
|
75
|
+
```
|
76
|
+
|
77
|
+
### Using private CA file and key
|
78
|
+
|
79
|
+
This plugin has a simple utility command to generate private CA cert/key files just for secure-forward.
|
80
|
+
|
81
|
+
```
|
82
|
+
$ secure-forward-ca-generate /path/for/dir/of/certs "passphrase for private CA secret key"
|
83
|
+
```
|
84
|
+
|
85
|
+
This command generates `ca_cert.pem` and `ca_key.pem` on `/path/for/dir/of/certs`. For SSL communication with private CA, users must deploy both files for input plugins, and also must deploy `ca_cert.pem` for output plugins.
|
86
|
+
And then, configure Fluentd with these files and the passphrase. With this configuration, server certificates are automatically generated and issued by private CA.
|
87
|
+
|
88
|
+
```apache
|
89
|
+
<source>
|
90
|
+
type secure_forward
|
91
|
+
|
92
|
+
# bind 0.0.0.0 # default
|
93
|
+
# port 24284 # default
|
94
|
+
self_hostname myserver.local
|
95
|
+
shared_key secret_string
|
96
|
+
|
97
|
+
secure yes
|
98
|
+
|
99
|
+
ca_cert_path /path/for/certificate/ca_cert.pem
|
100
|
+
ca_private_key_path /path/for/certificate/ca_key.pem
|
101
|
+
ca_private_key_passphrase passphrase for private CA secret key
|
102
|
+
</source>
|
103
|
+
```
|
104
|
+
|
105
|
+
For output plugin, specify just 2 options below:
|
106
|
+
|
107
|
+
* `secure`: set `yes` or `true`
|
108
|
+
* `enable_strict_verification`: specify `yes` or `true`
|
109
|
+
|
110
|
+
```apache
|
111
|
+
<match secret.data.**>
|
112
|
+
type secure_forward
|
113
|
+
|
114
|
+
self_hostname myclient.local
|
115
|
+
shared_key secret_string
|
116
|
+
|
117
|
+
secure yes
|
118
|
+
ca_cert_path /path/for/certificate/ca_cert.pem
|
119
|
+
# enable_strict_verification yes
|
120
|
+
|
121
|
+
<server>
|
122
|
+
host server.fqdn.example.com # or IP
|
123
|
+
# port 24284
|
124
|
+
</server>
|
125
|
+
<server>
|
126
|
+
host 203.0.113.8 # ip address to connect
|
127
|
+
hostlabel server.fqdn.example.com # specify hostlabel for FQDN verification if ipaddress is used for host
|
128
|
+
</server>
|
129
|
+
</match>
|
130
|
+
```
|
131
|
+
|
132
|
+
### Using insecure self-signed certificates
|
133
|
+
|
134
|
+
**This is very dangerous and vulnerable to man-in-the-middle attacks**
|
135
|
+
|
136
|
+
For just testing or data center internal communications, this plugin has a feature to communicate without any verification of certificates. Turn `secure` option to `false` to use this feature.
|
137
|
+
|
138
|
+
```apache
|
139
|
+
<source>
|
140
|
+
type secure_forward
|
141
|
+
|
142
|
+
self_hostname myserver.local
|
143
|
+
shared_key secret_string
|
144
|
+
|
145
|
+
secure no
|
146
|
+
</source>
|
147
|
+
```
|
148
|
+
|
149
|
+
Configure output plugin just same way:
|
150
|
+
|
151
|
+
```apache
|
152
|
+
<match data.**>
|
153
|
+
type secure_forward
|
154
|
+
|
155
|
+
self_hostname myclient.local
|
156
|
+
shared_key secret_string
|
157
|
+
|
158
|
+
secure no
|
159
|
+
|
160
|
+
<server>
|
161
|
+
host server.fqdn.example.com # or IP
|
162
|
+
</server>
|
163
|
+
</match>
|
164
|
+
```
|
165
|
+
|
166
|
+
In this mode, output plugin cannot verify peer node of connections. Man-in-the-middle attackers can spoof messages from output plugins under many various situations.
|
23
167
|
|
24
168
|
## Configuration
|
25
169
|
|
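Review bot: the "Using private CA file and key" output section says to "specify just 2 options below" (`secure`, `enable_strict_verification`) but leaves out `ca_cert_path`, which the paragraph two lines earlier says must be deployed for output plugins and which the example `<match>` block relies on; add `ca_cert_path` to that list. In the same example `enable_strict_verification yes` is commented out although the bullet says to set it, so either uncomment it or say when it may be left off. Minor: the insecure section tells the reader to set `secure` to `false` while every example writes `secure no`; use one spelling, or repeat the `yes`/`true` note from the trusted-CA section for the negative form.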
@@ -28,7 +172,7 @@ $ fluent-gem install fluent-plugin-secure-forward
|
|
28
172
|
Default settings:
|
29
173
|
* listen 0.0.0.0:24284
|
30
174
|
* `bind 192.168.0.101`
|
31
|
-
* `port
|
175
|
+
* `port 24284`
|
32
176
|
* allow to accept from any sources
|
33
177
|
* allow to connect without authentications
|
34
178
|
* use certificate automatically generated
|
@@ -37,6 +181,7 @@ Default settings:
|
|
37
181
|
* `generate_cert_state CA`
|
38
182
|
* `generate_cert_locality Mountain View`
|
39
183
|
* `generate_cert_common_name SAME_WITH_SELF_HOSTNAME_PARAMETER`
|
184
|
+
* use TLSv1.2
|
40
185
|
|
41
186
|
Minimal configurations like below:
|
42
187
|
|
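Review bot: `* use TLSv1.2` is added to the defaults list without a parameter name, unlike the neighbouring `generate_cert_*` entries. If the protocol version is configurable, name the option and its accepted values here; if it is fixed in this release, say so, because a reader cannot tell which from the list as written.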
@@ -45,7 +190,9 @@ Minimal configurations like below:
|
|
45
190
|
type secure_forward
|
46
191
|
shared_key secret_string
|
47
192
|
self_hostname server.fqdn.local # This fqdn is used as CN (Common Name) of certificates
|
48
|
-
|
193
|
+
|
194
|
+
secure yes
|
195
|
+
# and configurations for certs
|
49
196
|
</source>
|
50
197
|
```
|
51
198
|
|
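Review bot: the example under "Minimal configurations" now carries `secure yes` plus the placeholder `# and configurations for certs`, so it is no longer a complete configuration that can be pasted and started. Either include one concrete option set (for example the `ca_cert_path`/`ca_private_key_path`/`ca_private_key_passphrase` trio from the private-CA section) or replace the comment with a pointer to the section that lists the three choices. The same placeholder recurs in the later input and output examples, so one fix applies to all of them.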
@@ -56,7 +203,10 @@ To check username/password from clients, like this:
|
|
56
203
|
type secure_forward
|
57
204
|
shared_key secret_string
|
58
205
|
self_hostname server.fqdn.local
|
59
|
-
|
206
|
+
|
207
|
+
secure yes
|
208
|
+
# and configurations for certs
|
209
|
+
|
60
210
|
authentication yes # Deny clients without valid username/password
|
61
211
|
<user>
|
62
212
|
username tagomoris
|
@@ -76,7 +226,10 @@ To deny unknown source IP/hosts:
|
|
76
226
|
type secure_forward
|
77
227
|
shared_key secret_string
|
78
228
|
self_hostname server.fqdn.local
|
79
|
-
|
229
|
+
|
230
|
+
secure yes
|
231
|
+
# and configurations for certs
|
232
|
+
|
80
233
|
allow_anonymous_source no # Allow to accept from nodes of <client>
|
81
234
|
<client>
|
82
235
|
host 192.168.10.30
|
@@ -98,7 +251,10 @@ You can use both of username/password check and client check:
|
|
98
251
|
type secure_forward
|
99
252
|
shared_key secret_string
|
100
253
|
self_hostname server.fqdn.local
|
101
|
-
|
254
|
+
|
255
|
+
secure yes
|
256
|
+
# and configurations for certs
|
257
|
+
|
102
258
|
allow_anonymous_source no # Allow to accept from nodes of <client>
|
103
259
|
authentication yes # Deny clients without valid username/password
|
104
260
|
<user>
|
@@ -130,9 +286,6 @@ You can use both of username/password check and client check:
|
|
130
286
|
|
131
287
|
### SecureForwardOutput
|
132
288
|
|
133
|
-
Default settings:
|
134
|
-
* allow to connect server using self-signed certificates
|
135
|
-
|
136
289
|
Minimal configurations like this:
|
137
290
|
|
138
291
|
```apache
|
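Review bot: removing `allow to connect server using self-signed certificates` is right now that `secure` governs verification, but SecureForwardOutput is left without any "Default settings" list while SecureForwardInput keeps one. State here what happens when `secure` is omitted in `<match>` (required, or a default value) and what `enable_strict_verification` defaults to, since every output example below sets `secure yes` explicitly and never shows the omitted case.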
@@ -140,6 +293,10 @@ Minimal configurations like this:
|
|
140
293
|
type secure_forward
|
141
294
|
shared_key secret_string
|
142
295
|
self_hostname client.fqdn.local
|
296
|
+
|
297
|
+
secure yes
|
298
|
+
# and configurations for certs/verification
|
299
|
+
|
143
300
|
<server>
|
144
301
|
host server.fqdn.local # or IP
|
145
302
|
# port 24284
|
@@ -154,6 +311,10 @@ Without hostname ACL (and it's not implemented yet), `self_hostname` is not chec
|
|
154
311
|
type secure_forward
|
155
312
|
shared_key secret_string
|
156
313
|
self_hostname ${hostname}
|
314
|
+
|
315
|
+
secure yes
|
316
|
+
# and configurations for certs/verification
|
317
|
+
|
157
318
|
<server>
|
158
319
|
host server.fqdn.local # or IP
|
159
320
|
# port 24284
|
@@ -170,6 +331,10 @@ If server requires username/password, set `username` and `password` in `<server>
|
|
170
331
|
type secure_forward
|
171
332
|
shared_key secret_string
|
172
333
|
self_hostname client.fqdn.local
|
334
|
+
|
335
|
+
secure yes
|
336
|
+
# and configurations for certs/verification
|
337
|
+
|
173
338
|
<server>
|
174
339
|
host first.fqdn.local
|
175
340
|
hostlabel server.fqdn.local
|
@@ -201,6 +366,10 @@ To specify keepalive timeouts, use `keepalive` configuration with seconds. SSL c
|
|
201
366
|
type secure_forward
|
202
367
|
shared_key secret_string
|
203
368
|
self_hostname client.fqdn.local
|
369
|
+
|
370
|
+
secure yes
|
371
|
+
# and configurations for certs/verification
|
372
|
+
|
204
373
|
keepalive 3600
|
205
374
|
<server>
|
206
375
|
host server.fqdn.local # or IP
|
@@ -216,32 +385,6 @@ To specify keepalive timeouts, use `keepalive` configuration with seconds. SSL c
|
|
216
385
|
* client
|
217
386
|
* out\_secure\_forward
|
218
387
|
|
219
|
-
### Setup Phase (server)
|
220
|
-
|
221
|
-
1. SSLContext
|
222
|
-
* with certificate file / private key file
|
223
|
-
1. read cert file
|
224
|
-
2. generate SSLContext object
|
225
|
-
* without certificate file
|
226
|
-
1. generate key pair
|
227
|
-
2. generate cert data
|
228
|
-
3. sign cert data with generated private key
|
229
|
-
2. shared key
|
230
|
-
* read shared key from configuration
|
231
|
-
3. username / password pairs
|
232
|
-
* read from configuration
|
233
|
-
|
234
|
-
### Setup Phase (client)
|
235
|
-
|
236
|
-
1. SSLContext
|
237
|
-
1. certificate
|
238
|
-
* with certificate file, read from file
|
239
|
-
* without certificate file, `new SSLContext` without any options
|
240
|
-
2. set SSLContext option which allow self signed key option or not
|
241
|
-
2. shared key
|
242
|
-
* read shared key from configuration
|
243
|
-
3. read server list with username / password pairs from configuration
|
244
|
-
|
245
388
|
### Handshake
|
246
389
|
|
247
390
|
1. (client) connect to server
|
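Review bot: deleting "Setup Phase (server)" and "Setup Phase (client)" drops the only description of how the SSLContext is built on each side, and the removed client step `set SSLContext option which allow self signed key option or not` is exactly the behaviour this release replaces with `secure`. Rather than removing the section, rewrite it for the new flow (trusted-CA cert and key, private CA with an auto-issued server certificate, or `secure no` with no verification), so that the "Handshake" list that follows still has its prerequisites documented.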
@@ -282,7 +425,6 @@ CONSIDER RETURN ACK OR NOT
|
|
282
425
|
|
283
426
|
## TODO
|
284
427
|
|
285
|
-
* test for non self-signed certificates
|
286
428
|
* ACK mode (protocol)
|
287
429
|
* support disabling keepalive (input/output)
|
288
430
|
* access control (input plugin)
|
@@ -292,7 +434,6 @@ CONSIDER RETURN ACK OR NOT
|
|
292
434
|
* pluggable authentication database (input plugin)
|
293
435
|
* RDBMS, LDAP, or ...
|
294
436
|
* Authentication by clients certificate
|
295
|
-
* encryption algorithm option (output plugin)
|
296
437
|
* TESTS!
|
297
438
|
|
298
439
|
## Copyright
|
@@ -0,0 +1,34 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
|
3
|
+
require 'fileutils'
|
4
|
+
require 'fluent/plugin/secure_forward/cert_util'
|
5
|
+
|
6
|
+
ca_dir, passphrase = ARGV
|
7
|
+
|
8
|
+
unless ca_dir && passphrase
|
9
|
+
puts 'USAGE: secure-forward-ca-generate DIR_PATH PRIVATE_KEY_PASSPHRASE'
|
10
|
+
puts ''
|
11
|
+
exit 0
|
12
|
+
end
|
13
|
+
|
14
|
+
FileUtils.mkdir_p(ca_dir)
|
15
|
+
|
16
|
+
opt = {
|
17
|
+
private_key_length: 2048,
|
18
|
+
cert_country: 'US',
|
19
|
+
cert_state: 'CA',
|
20
|
+
cert_locality: 'Mountain View',
|
21
|
+
cert_common_name: 'SecureForward CA',
|
22
|
+
}
|
23
|
+
cert, key = Fluent::SecureForward::CertUtil.generate_ca_pair(opt)
|
24
|
+
|
25
|
+
key_data = key.export(OpenSSL::Cipher::Cipher.new('aes256'), passphrase)
|
26
|
+
File.open(File.join(ca_dir, 'ca_key.pem'), 'w') do |file|
|
27
|
+
file.write key_data
|
28
|
+
end
|
29
|
+
File.open(File.join(ca_dir, 'ca_cert.pem'), 'w') do |file|
|
30
|
+
file.write cert.to_pem
|
31
|
+
end
|
32
|
+
|
33
|
+
puts "successfully generated: ca_key.pem, ca_cert.pem"
|
34
|
+
puts "copy and use ca_cert.pem to client(out_secure_forward)"
|
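Review bot: `ca_key.pem` is written through `File.open(..., 'w')`, so its mode follows the process umask and will usually be world-readable; open the key file with an explicit mode such as `File.open(File.join(ca_dir, 'ca_key.pem'), 'w', 0600)`, and check for an existing file so a CA key is not silently overwritten. Smaller points in the same script: the usage branch should `exit 1` rather than `exit 0` so callers can detect the missing arguments; `OpenSSL::Cipher::Cipher.new('aes256')` uses the deprecated nested constant, `OpenSSL::Cipher.new('aes256')` is the supported form; and the script should `require 'openssl'` itself instead of relying on cert_util having loaded it. Taking the passphrase from `ARGV` also exposes it in process listings and shell history, so reading it from stdin or an environment variable would be the safer interface for a CA key.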
data/example/cert_client.conf
CHANGED
@@ -4,11 +4,10 @@
|
|
4
4
|
|
5
5
|
<match test.**>
|
6
6
|
type secure_forward
|
7
|
+
secure yes
|
7
8
|
self_hostname client
|
8
9
|
#shared_key hogeposxxx0
|
9
10
|
shared_key wrong_shared_key
|
10
|
-
allow_self_signed_certificate yes
|
11
|
-
ca_file_path /Users/tagomoris/Documents/fluent-plugin-secure-forward/example/certs/cert.pem
|
12
11
|
<server>
|
13
12
|
host localhost
|
14
13
|
hostlabel tagomoris
|
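Review bot: replacing `allow_self_signed_certificate yes` and `ca_file_path .../example/certs/cert.pem` with only `secure yes` changes what this example verifies against. With no `ca_cert_path`, the client must validate the server certificate through the system trust store, and `example/certs/cert.pem` (the file the removed `ca_file_path` pointed at, and still the `cert_path` in cert_server.conf) will only pass if it is issued by a trusted CA. If this client/server pair is meant to work out of the box, keep a `ca_cert_path` line for the issuing CA, or add a comment saying that cert.pem has to be replaced with a publicly issued certificate.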
data/example/cert_server.conf
CHANGED
@@ -1,12 +1,13 @@
|
|
1
1
|
<source>
|
2
2
|
type secure_forward
|
3
|
+
secure yes
|
3
4
|
self_hostname server
|
4
5
|
# self_hostname tagomoris
|
5
6
|
shared_key hogeposxxx0
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
7
|
+
cert_path /Users/tagomoris/Documents/fluent-plugin-secure-forward/example/certs/cert.pem
|
8
|
+
private_key_path /Users/tagomoris/Documents/fluent-plugin-secure-forward/example/certs/key.pem
|
9
|
+
# blank passphrase
|
10
|
+
private_key_passphrase
|
10
11
|
allow_anonymous_source no
|
11
12
|
authentication yes
|
12
13
|
<user>
|
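Review bot: `private_key_passphrase` is given with no value at all; verify how the config parser reads a key without a value (empty string versus a boolean), and either quote an empty string explicitly or drop the line and document in the README that the parameter is optional when the key is unencrypted, which the README list above does not say. The `cert_path`/`private_key_path` values are absolute paths under `/Users/tagomoris/Documents/...`; relative paths or placeholders would make the example usable by anyone else.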
data/example/client.conf
CHANGED
@@ -4,18 +4,21 @@
|
|
4
4
|
|
5
5
|
<match test.**>
|
6
6
|
type secure_forward
|
7
|
+
secure yes
|
7
8
|
self_hostname client
|
8
9
|
shared_key hogeposxxx0
|
9
10
|
keepalive 30
|
11
|
+
ca_cert_path /Users/tagomoris/github/fluent-plugin-secure-forward/test/tmp/cadir/ca_cert.pem
|
12
|
+
enable_strict_verification yes
|
10
13
|
<server>
|
11
14
|
host localhost
|
12
15
|
</server>
|
13
|
-
<server>
|
14
|
-
|
15
|
-
|
16
|
-
</server>
|
17
|
-
<server>
|
18
|
-
|
19
|
-
</server>
|
16
|
+
# <server>
|
17
|
+
# host localhost
|
18
|
+
# standby yes
|
19
|
+
# </server>
|
20
|
+
# <server>
|
21
|
+
# host localhost
|
22
|
+
# </server>
|
20
23
|
flush_interval 1s
|
21
24
|
</match>
|
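Review bot: `ca_cert_path /Users/tagomoris/github/fluent-plugin-secure-forward/test/tmp/cadir/ca_cert.pem` points into a test temp directory on the author's machine, so the example only works after the test suite or `secure-forward-ca-generate` has produced the file and the path has been edited; replace it with a relative path plus a comment saying how to generate the file. `enable_strict_verification yes` with `host localhost` pairs correctly with `self_hostname localhost` in server.conf, since the README says the auto-issued certificate's CN follows `self_hostname`; a comment stating that dependency would save the next person from a verification failure when they change one side.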
@@ -0,0 +1,23 @@
|
|
1
|
+
<source>
|
2
|
+
type forward
|
3
|
+
</source>
|
4
|
+
|
5
|
+
<match test.**>
|
6
|
+
type secure_forward
|
7
|
+
secure no
|
8
|
+
self_hostname client
|
9
|
+
shared_key hogeposxxx0
|
10
|
+
keepalive 30
|
11
|
+
enable_strict_verification yes
|
12
|
+
<server>
|
13
|
+
host localhost
|
14
|
+
</server>
|
15
|
+
# <server>
|
16
|
+
# host localhost
|
17
|
+
# standby yes
|
18
|
+
# </server>
|
19
|
+
# <server>
|
20
|
+
# host localhost
|
21
|
+
# </server>
|
22
|
+
flush_interval 1s
|
23
|
+
</match>
|
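Review bot: `secure no` and `enable_strict_verification yes` in the same `<match>` contradict each other: strict FQDN verification presupposes certificate verification, which `secure no` switches off. Drop the `enable_strict_verification` line here, or, if the plugin ignores it under `secure no`, have the output plugin log a warning so an operator does not believe verification is on when it is not. A comment at the top of this file repeating the README's man-in-the-middle warning would also help, because example files get copied as templates.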
data/example/server.conf
CHANGED
@@ -1,8 +1,11 @@
|
|
1
1
|
<source>
|
2
2
|
type secure_forward
|
3
|
-
|
3
|
+
secure yes
|
4
|
+
self_hostname localhost
|
4
5
|
shared_key hogeposxxx0
|
5
|
-
|
6
|
+
ca_cert_path /Users/tagomoris/github/fluent-plugin-secure-forward/test/tmp/cadir/ca_cert.pem
|
7
|
+
ca_private_key_path /Users/tagomoris/github/fluent-plugin-secure-forward/test/tmp/cadir/ca_key.pem
|
8
|
+
ca_private_key_passphrase testing secret phrase
|
6
9
|
</source>
|
7
10
|
|
8
11
|
<match test.**>
|
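Review bot: `ca_private_key_passphrase testing secret phrase` places the CA key passphrase in a config file shipped inside the gem, and `ca_cert_path`/`ca_private_key_path` again point at `test/tmp/cadir` on the author's machine. Replace the paths with relative placeholders, add a comment that both files come from `secure-forward-ca-generate`, and note that a config file carrying this passphrase should be readable only by the fluentd user.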
@@ -1,7 +1,7 @@
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
2
2
|
Gem::Specification.new do |gem|
|
3
3
|
gem.name = "fluent-plugin-secure-forward"
|
4
|
-
gem.version = "0.
|
4
|
+
gem.version = "0.3.0"
|
5
5
|
gem.authors = ["TAGOMORI Satoshi"]
|
6
6
|
gem.email = ["tagomoris@gmail.com"]
|
7
7
|
gem.summary = %q{Fluentd input/output plugin to forward over SSL with authentications}
|
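Review bot: the bump to 0.3.0 ships a breaking configuration change (the examples drop `allow_self_signed_certificate` and `ca_file_path` in favour of `secure`, `ca_cert_path` and `enable_strict_verification`), but neither the README hunks nor the gemspec carry a migration note. Add a short upgrade section naming the removed options and their replacements, since a 0.2.x configuration with the old keys will presumably not load unchanged on this version.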