fluent-plugin-secure-forward 0.2.6 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0a035b4fd131a7bf4b7cc2941bdfb7584ead806d
-  data.tar.gz: 93613ca4e49b0bfcf30e20bcc8e32677b1fa6896
+  metadata.gz: df29e6485f04c40533bd9dbbbeb16ccdf510763d
+  data.tar.gz: 4d3cdcc2ce8a6cb570de129eef1f18dcad3d0f6b
 SHA512:
-  metadata.gz: 62f182fa4b20baf9db98908f54bfddf9474abb005526a9b7702382b84a6f8bcfaad0b7d5d0b12ff7348e85cd689a8ba17331c5b4505d7470fd31c066785a0726
-  data.tar.gz: de999cd97f64b0661cc8012a6afcb7f14445836db10bd55806ef17b4c6e2ade0de3d32e97137f9dc4ce9d47c3927bba7d516731604efb9af4fdaa3f4b361ba3c
+  metadata.gz: 842034f48f6a55b49d4a5ff43d552bc525e7634bdf22e71f4e8c657a39841cb438a07ebac3ec27fe68f6a2b341c2bf7315da30dc64f2c05f5fc43dfb895f1cc5
+  data.tar.gz: 2215336ca4b4a59c78beca450ff53b3302809ea15fa200ebf61a27746fb7181c27f8c31d79975079831a47d6ffc8164e65e678e8fa8a70ed4af2a0ba57694d33

data/README.md

@@ -5,21 +5,165 @@
 This plugin makes you to be able to:
 
  * protect your data from others in transferring with SSL
-   * with certificate signed and registered correctly
-   * with self-signed certificate (and generate certificate in in\_secure\_forward automatically)
+   * with certificate signed and registered correctly/publicly
+   * with private CA certificates generated by users
+   * with automatically generated and self-signed certificates **in vulnerable way**
  * authenticate by shared\_key check from both of client(out\_secure\_forward) and server(in\_secure\_forward)
  * authenticate with username / password pairs
 
 ## Installation
 install with gem or fluent-gem command as:
 
-`````
-### native gem
+```
+ ### native gem
 $ gem install fluent-plugin-secure-forward
-
-### fluentd gem
+ 
+ ### fluentd gem
 $ fluent-gem install fluent-plugin-secure-forward
-`````
+```
+
+### Using SSL certificates issued from trusted CA
+
+To communicate over SSL with valid certificate issued from public CA, configure params below for input plugin:
+
+* `secure`: set `yes` or `true`
+* `cert_path`: set path of certificate file issued from CA
+* `private_key_path`: set path of private key file
+* `private_key_passphrase`: set passphrase of private key
+
+```apache
+<source>
+  type secure_forward
+  
+  # bind 0.0.0.0 # default
+  # port 24284 # default
+  self_hostname server.fqdn.example.com
+  shared_key    secret_string
+  
+  secure yes
+  
+  cert_path        /path/for/certificate/cert.pem
+  private_key_path /path/for/certificate/key.pem
+  private_key_passphrase secret_foo_bar_baz
+</source>
+```
+
+For output plugin, specify just 2 options below:
+
+* `secure`: set `yes` or `true`
+* `enable_strict_verification`: specify `yes` or `true` to verify FQDN of servers (input plugin)
+
+```apache
+<match secret.data.**>
+  type secure_forward
+  
+  self_hostname client.fqdn.local
+  shared_key    secret_string
+  
+  secure yes
+  enable_strict_verification yes
+  
+  <server>
+    host server.fqdn.example.com  # or IP
+    # port 24284
+  </server>
+  <server>
+    host 203.0.113.8 # ip address to connect
+    hostlabel server.fqdn.example.com # specify hostlabel for FQDN verification if ipaddress is used for host
+  </server>
+</match>
+```
+
+### Using private CA file and key
+
+This plugin has a simple utility command to generate private CA cert/key files just for secure-forward.
+
+```
+$ secure-forward-ca-generate /path/for/dir/of/certs "passphrase for private CA secret key"
+```
+
+This command generates `ca_cert.pem` and `ca_key.pem` on `/path/for/dir/of/certs`. For SSL communication with private CA, users must deploy both files for input plugins, and also must deploy `ca_cert.pem` for output plugins.
+And then, configure Fluentd with these files and the passphrase. With this configuration, server certificates are automatically generated and issued by private CA.
+
+```apache
+<source>
+  type secure_forward
+  
+  # bind 0.0.0.0 # default
+  # port 24284 # default
+  self_hostname myserver.local
+  shared_key    secret_string
+  
+  secure yes
+  
+  ca_cert_path        /path/for/certificate/ca_cert.pem
+  ca_private_key_path /path/for/certificate/ca_key.pem
+  ca_private_key_passphrase passphrase for private CA secret key
+</source>
+```
+
+For output plugin, specify just 2 options below:
+
+* `secure`: set `yes` or `true`
+* `enable_strict_verification`: specify `yes` or `true`
+
+```apache
+<match secret.data.**>
+  type secure_forward
+  
+  self_hostname myclient.local
+  shared_key    secret_string
+  
+  secure yes
+  ca_cert_path /path/for/certificate/ca_cert.pem
+  # enable_strict_verification yes
+  
+  <server>
+    host server.fqdn.example.com  # or IP
+    # port 24284
+  </server>
+  <server>
+    host 203.0.113.8 # ip address to connect
+    hostlabel server.fqdn.example.com # specify hostlabel for FQDN verification if ipaddress is used for host
+  </server>
+</match>
+```
+
+### Using insecure self-signed certificates
+
+**This is very dangerous and vulnerable to man-in-the-middle attacks**
+
+For just testing or data center internal communications, this plugin has a feature to communicate without any verification of certificates. Turn `secure` option to `false` to use this feature.
+
+```apache
+<source>
+  type secure_forward
+  
+  self_hostname myserver.local
+  shared_key    secret_string
+  
+  secure no
+</source>
+```
+
+Configure output plugin just same way:
+
+```apache
+<match data.**>
+  type secure_forward
+  
+  self_hostname myclient.local
+  shared_key    secret_string
+  
+  secure no
+  
+  <server>
+    host server.fqdn.example.com  # or IP
+  </server>
+</match>
+```
+
+In this mode, output plugin cannot verify peer node of connections. Man-in-the-middle attackers can spoof messages from output plugins under many various situations.
 
 ## Configuration
 
@@ -28,7 +172,7 @@ $ fluent-gem install fluent-plugin-secure-forward
 Default settings:
   * listen 0.0.0.0:24284
     * `bind 192.168.0.101`
-    * `port 24285`
+    * `port 24284`
   * allow to accept from any sources
   * allow to connect without authentications
   * use certificate automatically generated
@@ -37,6 +181,7 @@ Default settings:
     * `generate_cert_state    CA`
     * `generate_cert_locality Mountain View`
     * `generate_cert_common_name SAME_WITH_SELF_HOSTNAME_PARAMETER`
+  * use TLSv1.2
   
 Minimal configurations like below:
 
@@ -45,7 +190,9 @@ Minimal configurations like below:
   type secure_forward
   shared_key         secret_string
   self_hostname      server.fqdn.local  # This fqdn is used as CN (Common Name) of certificates
-  cert_auto_generate yes                # This parameter MUST be specified
+  
+  secure yes
+  # and configurations for certs
 </source>
 ```
 
@@ -56,7 +203,10 @@ To check username/password from clients, like this:
   type secure_forward
   shared_key         secret_string
   self_hostname      server.fqdn.local
-  cert_auto_generate yes
+  
+  secure yes
+  # and configurations for certs
+  
   authentication     yes # Deny clients without valid username/password
   <user>
     username tagomoris
@@ -76,7 +226,10 @@ To deny unknown source IP/hosts:
   type secure_forward
   shared_key         secret_string
   self_hostname      server.fqdn.local
-  cert_auto_generate     yes
+  
+  secure yes
+  # and configurations for certs
+  
   allow_anonymous_source no  # Allow to accept from nodes of <client>
   <client>
     host 192.168.10.30
@@ -98,7 +251,10 @@ You can use both of username/password check and client check:
   type secure_forward
   shared_key         secret_string
   self_hostname      server.fqdn.local
-  cert_auto_generate     yes
+  
+  secure yes
+  # and configurations for certs
+  
   allow_anonymous_source no  # Allow to accept from nodes of <client>
   authentication         yes # Deny clients without valid username/password
   <user>
@@ -130,9 +286,6 @@ You can use both of username/password check and client check:
 
 ### SecureForwardOutput
 
-Default settings:
-  * allow to connect server using self-signed certificates
-
 Minimal configurations like this:
 
 ```apache
@@ -140,6 +293,10 @@ Minimal configurations like this:
   type secure_forward
   shared_key secret_string
   self_hostname client.fqdn.local
+  
+  secure yes
+  # and configurations for certs/verification
+  
   <server>
     host server.fqdn.local  # or IP
     # port 24284
@@ -154,6 +311,10 @@ Without hostname ACL (and it's not implemented yet), `self_hostname` is not chec
   type secure_forward
   shared_key secret_string
   self_hostname ${hostname}
+  
+  secure yes
+  # and configurations for certs/verification
+  
   <server>
     host server.fqdn.local  # or IP
     # port 24284
@@ -170,6 +331,10 @@ If server requires username/password, set `username` and `password` in `<server>
   type secure_forward
   shared_key secret_string
   self_hostname client.fqdn.local
+  
+  secure yes
+  # and configurations for certs/verification
+  
   <server>
     host      first.fqdn.local
     hostlabel server.fqdn.local
@@ -201,6 +366,10 @@ To specify keepalive timeouts, use `keepalive` configuration with seconds. SSL c
   type secure_forward
   shared_key secret_string
   self_hostname client.fqdn.local
+  
+  secure yes
+  # and configurations for certs/verification
+  
   keepalive 3600
   <server>
     host server.fqdn.local  # or IP
@@ -216,32 +385,6 @@ To specify keepalive timeouts, use `keepalive` configuration with seconds. SSL c
 * client
   * out\_secure\_forward
 
-### Setup Phase (server)
-
-1. SSLContext
-  * with certificate file / private key file
-    1. read cert file
-    2. generate SSLContext object
-  * without certificate file
-    1. generate key pair
-    2. generate cert data
-    3. sign cert data with generated private key
-2. shared key
-  * read shared key from configuration
-3. username / password pairs
-  * read from configuration
-
-### Setup Phase (client)
-
-1. SSLContext
-  1. certificate
-    * with certificate file, read from file
-    * without certificate file, `new SSLContext` without any options
-  2. set SSLContext option which allow self signed key option or not
-2. shared key
-  * read shared key from configuration
-3. read server list with username / password pairs from configuration
-
 ### Handshake
 
 1. (client) connect to server
@@ -282,7 +425,6 @@ CONSIDER RETURN ACK OR NOT
 
 ## TODO
 
-* test for non self-signed certificates
 * ACK mode (protocol)
 * support disabling keepalive (input/output)
 * access control (input plugin)
@@ -292,7 +434,6 @@ CONSIDER RETURN ACK OR NOT
 * pluggable authentication database (input plugin)
   * RDBMS, LDAP, or ...
   * Authentication by clients certificate
-* encryption algorithm option (output plugin)
 * TESTS!
 
 ## Copyright

data/bin/secure-forward-ca-generate

@@ -0,0 +1,34 @@
+#!/usr/bin/env ruby
+
+require 'fileutils'
+require 'fluent/plugin/secure_forward/cert_util'
+
+ca_dir, passphrase = ARGV
+
+unless ca_dir && passphrase
+  puts 'USAGE: secure-forward-ca-generate  DIR_PATH  PRIVATE_KEY_PASSPHRASE'
+  puts ''
+  exit 0
+end
+
+FileUtils.mkdir_p(ca_dir)
+
+opt = {
+  private_key_length: 2048,
+  cert_country:  'US',
+  cert_state:    'CA',
+  cert_locality: 'Mountain View',
+  cert_common_name: 'SecureForward CA',
+}
+cert, key = Fluent::SecureForward::CertUtil.generate_ca_pair(opt)
+
+key_data = key.export(OpenSSL::Cipher::Cipher.new('aes256'), passphrase)
+File.open(File.join(ca_dir, 'ca_key.pem'), 'w') do |file|
+  file.write key_data
+end
+File.open(File.join(ca_dir, 'ca_cert.pem'), 'w') do |file|
+  file.write cert.to_pem
+end
+
+puts "successfully generated: ca_key.pem, ca_cert.pem"
+puts "copy and use ca_cert.pem to client(out_secure_forward)"

data/example/cert_client.conf

@@ -4,11 +4,10 @@
 
 <match test.**>
   type secure_forward
+  secure yes
   self_hostname client
   #shared_key hogeposxxx0
   shared_key wrong_shared_key
-  allow_self_signed_certificate yes
-  ca_file_path /Users/tagomoris/Documents/fluent-plugin-secure-forward/example/certs/cert.pem
   <server>
     host localhost
     hostlabel tagomoris

data/example/cert_server.conf

@@ -1,12 +1,13 @@
 <source>
   type secure_forward
+  secure yes
   self_hostname server
   # self_hostname tagomoris
   shared_key hogeposxxx0
-  ####cert_auto_generate no
-  cert_file_path /Users/tagomoris/Documents/fluent-plugin-secure-forward/example/certs/cert.pem
-  private_key_file /Users/tagomoris/Documents/fluent-plugin-secure-forward/example/certs/key.pem
-  # private_key_passphrase blank
+  cert_path        /Users/tagomoris/Documents/fluent-plugin-secure-forward/example/certs/cert.pem
+  private_key_path /Users/tagomoris/Documents/fluent-plugin-secure-forward/example/certs/key.pem
+  # blank passphrase
+  private_key_passphrase 
   allow_anonymous_source no
   authentication yes
   <user>

data/example/client.conf

@@ -4,18 +4,21 @@
 
 <match test.**>
   type secure_forward
+  secure yes
   self_hostname client
   shared_key hogeposxxx0
   keepalive 30
+  ca_cert_path /Users/tagomoris/github/fluent-plugin-secure-forward/test/tmp/cadir/ca_cert.pem
+  enable_strict_verification yes
   <server>
     host localhost
   </server>
-  <server>
-    host localhost
-    standby yes
-  </server>
-  <server>
-    host localhost
-  </server>
+  # <server>
+  #   host localhost
+  #   standby yes
+  # </server>
+  # <server>
+  #   host localhost
+  # </server>
   flush_interval 1s
 </match>

data/example/insecure_client.conf

@@ -0,0 +1,23 @@
+<source>
+  type forward
+</source>
+
+<match test.**>
+  type secure_forward
+  secure no
+  self_hostname client
+  shared_key hogeposxxx0
+  keepalive 30
+  enable_strict_verification yes
+  <server>
+    host localhost
+  </server>
+  # <server>
+  #   host localhost
+  #   standby yes
+  # </server>
+  # <server>
+  #   host localhost
+  # </server>
+  flush_interval 1s
+</match>

data/example/insecure_server.conf

@@ -0,0 +1,10 @@
+<source>
+  type secure_forward
+  secure no
+  self_hostname localhost
+  shared_key hogeposxxx0
+</source>
+
+<match test.**>
+  type stdout
+</match>

data/example/server.conf

@@ -1,8 +1,11 @@
 <source>
   type secure_forward
-  self_hostname server
+  secure yes
+  self_hostname localhost
   shared_key hogeposxxx0
-  cert_auto_generate yes
+  ca_cert_path        /Users/tagomoris/github/fluent-plugin-secure-forward/test/tmp/cadir/ca_cert.pem
+  ca_private_key_path /Users/tagomoris/github/fluent-plugin-secure-forward/test/tmp/cadir/ca_key.pem
+  ca_private_key_passphrase testing secret phrase
 </source>
 
 <match test.**>

data/fluent-plugin-secure-forward.gemspec

@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name          = "fluent-plugin-secure-forward"
-  gem.version       = "0.2.6"
+  gem.version       = "0.3.0"
   gem.authors       = ["TAGOMORI Satoshi"]
   gem.email         = ["tagomoris@gmail.com"]
   gem.summary       = %q{Fluentd input/output plugin to forward over SSL with authentications}