fluent-plugin-secure-forward 0.3.3dev2 → 0.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 38fb1038da46d346bb5ffa749bada1d09ae921a6
-  data.tar.gz: 3ffc89b139fd68f9a64b8babff12ada6613644f2
+  metadata.gz: 95abed3f7c511ce154782072f6b4ab38dd067e6b
+  data.tar.gz: 49ec93a55ebdb11829cbf3b7afbb0c8802f05ea2
 SHA512:
-  metadata.gz: ade64ee8b5df2b601059f54cb345ea22a9d05627ba06edb21ca2279e7a037e477a34ec7f059cac61cae7407a58ad622492402ae2802d36683fecf6b916b497d7
-  data.tar.gz: 3d66cf86ddcce251ad2e2668b54897c1beb01ac99bd6f912a11d3d110753edcdd76b14b9db24f54b933f20a3c8b808732ce7182f684b6dd3a9a3f517d405268c
+  metadata.gz: bfa064b8e5872a565a22f1cec9af4fe27f83a4b7b34d56254c03979d7781f71caae25c540cb5682007aef8d71cdde2304a968011b4eba2eb63832cc6f775908f
+  data.tar.gz: 93af7276b30cf49cf9a4a58dfcd550379e5bc918032bb7c42a0d8596cf49416591164f9ee92f69179814201f12277bc650068e0f6e2c44d01d7e975d35837c1f

data/README.md

@@ -378,6 +378,26 @@ To specify keepalive timeouts, use `keepalive` configuration with seconds. SSL c
 </match>
 ```
 
+
+If you connect via Proxy, 
+set for `proxy_uri` in `<server>` section:
+```apache
+<match secret.data.**>
+  type secure_forward
+  shared_key secret_string
+  self_hostname client.fqdn.local
+
+  secure yes
+  # and configurations for certs/verification
+
+  <server>
+    host server.fqdn.local  # or IP
+    # port 24284
+    proxy_uri http://foo.bar.local:3128
+  </server>
+</match>
+```
+
 ## Senario (developer document)
 
 * server

data/example/cert_c.conf

@@ -0,0 +1,17 @@
+<source>
+  type forward
+</source>
+
+<match test.**>
+  type secure_forward
+  secure yes
+  enable_strict_verification yes
+  self_hostname client
+  shared_key norikra2
+  ca_cert_path /Users/tagomoris/github/fluent-plugin-secure-forward/root.pem
+  <server>
+    host 127.0.0.1
+    hostlabel testing.fluentd.org
+  </server>
+  flush_interval 1s
+</match>

data/example/cert_i.conf

@@ -0,0 +1,18 @@
+
+# To check SSL certificate informations
+# openssl s_client -connect testing.fluentd.org:24284 -showcerts
+
+<source>
+  type secure_forward
+  secure yes
+  self_hostname testing.fluentd.org
+  shared_key norikra2
+  cert_path        /Users/tagomoris/github/fluent-plugin-secure-forward/example/certs/cert-with-intermediate.pem
+  private_key_path /Users/tagomoris/github/fluent-plugin-secure-forward/example/certs/key-for-with-intermediate.key
+  private_key_passphrase norikra2
+  authentication no
+</source>
+
+<match test.**>
+  type stdout
+</match>

data/example/certs/cert-with-intermediate.pem

@@ -0,0 +1,80 @@
+-----BEGIN CERTIFICATE-----
+MIIFRTCCBC2gAwIBAgIQVMhYFMdnctqh7wAXLx1HjzANBgkqhkiG9w0BAQsFADCBvDELMAkGA1UE
+BhMCSlAxHTAbBgNVBAoTFFN5bWFudGVjIEphcGFuLCBJbmMuMS8wLQYDVQQLEyZGb3IgVGVzdCBQ
+dXJwb3NlcyBPbmx5LiBObyBhc3N1cmFuY2VzLjE7MDkGA1UECxMyVGVybXMgb2YgdXNlIGF0IGh0
+dHBzOi8vd3d3LnN5bWF1dGguY29tL2Nwcy90ZXN0Y2ExIDAeBgNVBAMTF1RyaWFsIFNTTCBKYXBh
+biBDQSAtIEcyMB4XDTE1MTEyNDAwMDAwMFoXDTE1MTIwODIzNTk1OVowgdAxCzAJBgNVBAYTAkpQ
+MQ4wDAYDVQQIDAVUb2t5bzETMBEGA1UEBwwKQ2hpeW9kYS1LdTEcMBoGA1UECgwTVHJlYXN1cmUg
+RGF0YSwgSy5LLjEYMBYGA1UECwwPT3BlblNvdXJjZSBUZWFtMSwwKgYDVQQLDCNodHRwczovL3d3
+dy5zeW1hbnRlYy5jb20vY3BzL3Rlc3RjYTEYMBYGA1UECwwPcjQ1MDExNTExNTE4MzgyMRwwGgYD
+VQQDDBN0ZXN0aW5nLmZsdWVudGQub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+pz2pcz/cGXSvEYMCXZLyLj8BXQvPRPfQIITPzCWpr+jbr5oVI2D3FqysJLedLRZHWY3wAmp/AHqS
+WIHfaGUr6TmLVaKM2weFfxjKtwHboVYSHrhL5bth6fm8gMzJrB6UbFyfUXRPlZw6z/WxcMezIoHp
+6KSS8Ao9ixeql1AFKF4Yc8H6xUH0fLLNOBLP7UxIbg7xZNxqcjlULOgKcMojK2YioI98Yq9nJ5To
+VopopIgtPEqXzN7W9EdrtaHelky9fsXLY3YnZ599ujEmHMMOzKbrTg7OMOyKwyhFdyERsGfNOHJ1
+/WdgCZZXRlfc0s2SxEWttaJ8v9D18Va1w4cR8wIDAQABo4IBKzCCAScwCQYDVR0TBAIwADAOBgNV
+HQ8BAf8EBAMCBaAwXgYDVR0fBFcwVTBToFGgT4ZNaHR0cDovL29uc2l0ZWNybC5zeW1hdXRoLmpw
+L1N5bWFudGVjSmFwYW5JbmNUcmlhbFNTTEphcGFuQ0FzaGEyL0xhdGVzdENSTC5jcmwwHgYDVR0R
+BBcwFYITdGVzdGluZy5mbHVlbnRkLm9yZzBKBgNVHSAEQzBBMD8GCmCGSAGG+EUBBxUwMTAvBggr
+BgEFBQcCARYjaHR0cHM6Ly93d3cuc3ltYW50ZWMuY29tL2Nwcy90ZXN0Y2EwHQYDVR0lBBYwFAYI
+KwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFN0fIWQuRcLgQDlIvuPLhICXwySKMA0GCSqG
+SIb3DQEBCwUAA4IBAQAU6rXvUcybWiyHfIGSlzy4MYO6HBeaF0tc2Pt0T4ByX+smXvKoVVgZbX8E
+ahlZURfjSwZyXHCpMvcH17/IyW7c+HrX/jheMZ7iyYdvCQnZ2GrT8Zr3GRMcNYf8e8wnXwkBFAPj
+yek5XHF5ShwLv64bOWDjAfdIAUCHEo1PpDz6JPQgJEb+SHqrxWx+O0zmELYUgSvRWKBuEC5TrxGU
+HEib235vmz6/TgDUqfci7RPf16cwqVyEilzD5tLXTuMp4+tkPRjEA5d+EzH5O2Lx/ef5RTnYYMZ0
+zsVBXssRtwcFKO2vStIGitRK9G9mbvzMNKuItaHcmw8GOhyXnMjTpl8u
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFRjCCBC6gAwIBAgIQdV9MvP3+ENU3kdfSg2vm/DANBgkqhkiG9w0BAQsFADCB
+hTELMAkGA1UEBhMCSlAxHTAbBgNVBAoTFFN5bWFudGVjIEphcGFuLCBJbmMuMS8w
+LQYDVQQLEyZGb3IgVGVzdCBQdXJwb3NlcyBPbmx5LiBObyBhc3N1cmFuY2VzLjEm
+MCQGA1UEAxMdVHJpYWwgQ2xhc3MgMyBKYXBhbiBSb290IC0gRzUwHhcNMTUwMjE4
+MDAwMDAwWhcNMjUwMjE3MjM1OTU5WjCBvDELMAkGA1UEBhMCSlAxHTAbBgNVBAoT
+FFN5bWFudGVjIEphcGFuLCBJbmMuMS8wLQYDVQQLEyZGb3IgVGVzdCBQdXJwb3Nl
+cyBPbmx5LiBObyBhc3N1cmFuY2VzLjE7MDkGA1UECxMyVGVybXMgb2YgdXNlIGF0
+IGh0dHBzOi8vd3d3LnN5bWF1dGguY29tL2Nwcy90ZXN0Y2ExIDAeBgNVBAMTF1Ry
+aWFsIFNTTCBKYXBhbiBDQSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA20T0ajk8CG7rIu90Zyh4bDAo32nO6RdBN1xjFD054LbjIR9R7dqAXbLx
+sYj5+V/7v5tN4ogqyHiK2CKLe3z/rtrFjeei/Xyr5NysNWuY2v/OIRSLpeKYYivr
+Ax76ssHbPRdqT4OobxYfRaOEZKwM5etUD55jLI1/0lcSeNqv7Gps8tKt44T4vDx2
+E8J0zT9Z102e649si0rUoGbP3flEBwvnkrmLTQDV1Rf9p3QbaAaZgsmEaXshgufJ
+Bti/BpOy1Sdg4ZTCcKPb/qhSphn2LZNbBFOH/rQiu4UoWHWWMOcsJm22pARSsELI
+ivNJIcXSE8PLTkLWisqRkVODaRaL+wIDAQABo4IBdzCCAXMwEgYDVR0TAQH/BAgw
+BgEB/wIBADB7BgNVHSAEdDByMHAGCmCGSAGG+EUBBxUwYjAuBggrBgEFBQcCARYi
+aHR0cHM6Ly93d3cuc3ltYXV0aC5jb20vY3BzL3Rlc3RjYTAwBggrBgEFBQcCAjAk
+GiJodHRwczovL3d3dy5zeW1hdXRoLmNvbS9jcHMvdGVzdGNhMGUGA1UdHwReMFww
+WqBYoFaGVGh0dHA6Ly9vbnNpdGVjcmwuc3ltYXV0aC5qcC9BUkwvU3ltYW50ZWNK
+YXBhbkluY1RyaWFsQ2xhc3MzSmFwYW5Sb290RzUvTGF0ZXN0QVJMLmNybDAOBgNV
+HQ8BAf8EBAMCAQYwKQYDVR0RBCIwIKQeMBwxGjAYBgNVBAMTEVByaXZhdGUzLTIw
+NDgtMTc5MB0GA1UdDgQWBBTdHyFkLkXC4EA5SL7jy4SAl8MkijAfBgNVHSMEGDAW
+gBRivYsKGrwW4qUaX5DjNlpcExbkETANBgkqhkiG9w0BAQsFAAOCAQEAZbKcrNvS
+q/b4KNd4Y41uNEqaCQlL6Uvqs5q6b0HQbK/Hjolt3sJttqT/jtSxGIITZVPH8PRt
+6fo3aWII1eLIiCVzuQc0eVA0671pPhUHgd8mPHgUmhsxLURWgEE3lMx9dKQhKL1V
+Fcp/2bQy+dLVZELQl2L3qtRCVEYubLFmoAgBG7nyiwjt+AsvG6AX2N7MLzsF+C8L
+vRbWEqglqDCFAt1es1Vfb2a7zFj0/BUYDDo6eQE/BpYiYmbHtoWz6SzBNZsehMb5
+OlnF9xqndWK7x2rtaNyi+Z287AzaDe0VFTUaGd1YnzKlEHphRr2nMHd/iNRZFNLy
+poe4IWfm9maFow==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIID2DCCAsCgAwIBAgIQGOtH8axDhLeZoyevey+LezANBgkqhkiG9w0BAQUFADCB
+hTELMAkGA1UEBhMCSlAxHTAbBgNVBAoTFFN5bWFudGVjIEphcGFuLCBJbmMuMS8w
+LQYDVQQLEyZGb3IgVGVzdCBQdXJwb3NlcyBPbmx5LiBObyBhc3N1cmFuY2VzLjEm
+MCQGA1UEAxMdVHJpYWwgQ2xhc3MgMyBKYXBhbiBSb290IC0gRzUwHhcNMTUwMjE4
+MDAwMDAwWhcNMzUwMjE3MjM1OTU5WjCBhTELMAkGA1UEBhMCSlAxHTAbBgNVBAoT
+FFN5bWFudGVjIEphcGFuLCBJbmMuMS8wLQYDVQQLEyZGb3IgVGVzdCBQdXJwb3Nl
+cyBPbmx5LiBObyBhc3N1cmFuY2VzLjEmMCQGA1UEAxMdVHJpYWwgQ2xhc3MgMyBK
+YXBhbiBSb290IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDF
+xdnFVPR3Azt7ar9rYymmrSxRYinWPrNByp8jSWhWudfgbRi0FGh848rsAgvg51c/
+xilEYouj3iRFV0Tt90jWgYQuH6+HRdTz39JGQ8cCGdjo6u0gBUZZMAMJven4nGRk
+zF4u4KPh288sZZWL0VZqHIoKQZTgwnr+QFDlthRCQBKLStl1KTQ9WKw8z8VxK19+
+v7b/lURmBVANhZgf+cxnvwstO1goxj34B6y5eoJ9DTIwWSFGkARhdiAMrOzSAU8u
+h/G1Xcp3JoVX8NNEd5LhHkJKS1idK4PXTP7uXXqOFI5NoL+Q0gNAyJYNtXe8KQ4q
+8L9O9pNaC418OCiiS/4rAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P
+AQH/BAQDAgEGMB0GA1UdDgQWBBRivYsKGrwW4qUaX5DjNlpcExbkETANBgkqhkiG
+9w0BAQUFAAOCAQEAqB1+wsyBShUOzkAdoFh55x9e1Od7nrnIPv6KKbcycMDv8kf3
+25D5KlgVIW+OWrMKOK7wlRUX7kvF4cENqSCn1W3VVLzCvKTbx34pRR/V8cuUD+2D
+7k1Q1331qFiulycGOl0IlqJCJRi3UPa2fuCDyHikOcbnIApK3Hk2/wGWhool5yzj
+0wUbGcyDg12o1U96bB0tO5ZFIFdYB31skviyiHJojcq4+uRVKA1DrsKoK8ZQx0xf
+p6l5H/z5jmFqlBTW8EIW+tdB1NOKCRI6JPwR+NSC8UtZS2M39oyGkGyReoIKjT8K
+XFfTm7TDhB9Tf65TF+mw0Rkr101KsoUT5Sm8Dw==
+-----END CERTIFICATE-----

data/example/certs/key-for-with-intermediate.key

@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,FCB585C311CF8314
+
+l58lb4gVU02qpt3Ejb0SktlphW/ZbZCTquYnY7vRWimBIlXQjSyx7ZJM9b+4zyW7
+oQCWUkY4bM6GbdLJ3hf4j2tazY5qTZIEsxf89qro3yjfr9hIMONbfgF4JVI05LP/
+vNCyOskHJSkfEnAfL8pAd7kilhwrUa2M5rbOTGoZTDGUShhIRsKx4q/HIcGAQQD5
+VNl57idQz1mCQQaDsuFIhVk+A4QifG8QfjjbmbT3J+ZxqWo2UL+c0G56udcJSSSe
+XgSjJfclykl0mBQwXyKCe/APntOJm31fZHJ1UCEaShHoMXLjvaCRosIbVnIakXtu
+zSkB+XnQqNfYvp7gTIEUzOyvE/uXGk0h6NbYBJpOYEIzlUzXlgq5us3uMpGzzWx9
+OG0IE9ePR1sRCuW176TtwgP4TwO0U/oZz8KI2vGSEcNcHNTWqc8LfswXySqEvpYG
+ZigqKx/js+7DK+8z15D2oez9GoeXPsUnKNrkJ+kKgo/oDQQSJpcDyRG/fOrH/6Ke
+/n74cXtLo5gMxGOezc7W845JABtgtT26RxB2fVw22OThs8Ap1ushJF9hYmdnW4iz
+ubWvUd7bXcsDAzig9CEzlGRXms9VNCK+U7aU+rLmI2ipY8dCmJUMkBydFY0Rn9Es
+mwGqcT+gabwIuxGRCLJyyQBQclNetrPOUUNSj4Y0KgzZBo6VodthAqb5Au5xGCk5
+9nDke11zjPCu3oDYNOVXTJCgt7Tj+xtGR7xKpdj8rRR8EEy/Yvd4ebupWLJ0zr/v
+lhzBdOJ/wuzNX+zd4vw/xCVxx+W3i0hO8NWvHEAhYd3NeOacIM8vXgT6hCGuphu4
+M+ggAcsIPwFy52ol50kF0uSfKAUWbaldMFalc4BYt7ZjDAbYe1tY1mefiWF+drSg
+PUZ86pZOWc4s3/MCA9bfGYuFzKCQhRDChVt0pMBYfFmxXsvwIVpzgEh5MHE0/5zU
+0fiEXLzn/gkpTDwo1jlYKZ4yK6UiWnqMVCz2cTIa/4wHE2HgBV8APzF4tO5uJZu1
+EiKu+qx6jS3c//E32oRmjsCbQBi/D4DNY7uAsNGXfCGvAceDp1Z6Sp5difaelNOM
+Af/EsJaO8xSwLvM5Hj3Q8NC+kYT0Kr8oDCTSU4w2x/596QJdtzNB2r3YlWqjWh4D
+dMy8jzmVnyAjD3tvzAf/XqMs8e3YHNEh+q1MQaXa2y7Drw6MaoIRVSmXYHwHeJzg
+BNU47QOjDYwX0fJgzpq65N4aGzG3wdRR3hKXl0S9Z3CBC6xWaw4Ps2tlspFk4ekN
+TODB2jOh+aQQR4npy4RtUKBwIQc2O/VqP0V4D0OdVZr01W4CfBGiiSh5rsve4XxY
+KRvyz6LwHVdKKlgyVJCCMcAQv4OI4omPopvpZwBqYAkZQmQQJIh/O0o+BLb8pqOL
+/ntJ8y3FF4FIWjtrd58iSOFUpmBw/rLjUNgm86cuOz4RKW8kBtYTWyBym3+DdCzF
+mlOobTEN1TqDVA24qQFdFH4F0E917JY0FyWg7JpE2ekLAixBSCm800fgx7Tqy4/m
+s0twidyXlnNKA3ejkbDwa1jtqkGfvsD5ELmbNyY5hZFeJsZwpLCJA8AY0hHvquYR
+-----END RSA PRIVATE KEY-----

data/example/certs/root.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID2DCCAsCgAwIBAgIQGOtH8axDhLeZoyevey+LezANBgkqhkiG9w0BAQUFADCB
+hTELMAkGA1UEBhMCSlAxHTAbBgNVBAoTFFN5bWFudGVjIEphcGFuLCBJbmMuMS8w
+LQYDVQQLEyZGb3IgVGVzdCBQdXJwb3NlcyBPbmx5LiBObyBhc3N1cmFuY2VzLjEm
+MCQGA1UEAxMdVHJpYWwgQ2xhc3MgMyBKYXBhbiBSb290IC0gRzUwHhcNMTUwMjE4
+MDAwMDAwWhcNMzUwMjE3MjM1OTU5WjCBhTELMAkGA1UEBhMCSlAxHTAbBgNVBAoT
+FFN5bWFudGVjIEphcGFuLCBJbmMuMS8wLQYDVQQLEyZGb3IgVGVzdCBQdXJwb3Nl
+cyBPbmx5LiBObyBhc3N1cmFuY2VzLjEmMCQGA1UEAxMdVHJpYWwgQ2xhc3MgMyBK
+YXBhbiBSb290IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDF
+xdnFVPR3Azt7ar9rYymmrSxRYinWPrNByp8jSWhWudfgbRi0FGh848rsAgvg51c/
+xilEYouj3iRFV0Tt90jWgYQuH6+HRdTz39JGQ8cCGdjo6u0gBUZZMAMJven4nGRk
+zF4u4KPh288sZZWL0VZqHIoKQZTgwnr+QFDlthRCQBKLStl1KTQ9WKw8z8VxK19+
+v7b/lURmBVANhZgf+cxnvwstO1goxj34B6y5eoJ9DTIwWSFGkARhdiAMrOzSAU8u
+h/G1Xcp3JoVX8NNEd5LhHkJKS1idK4PXTP7uXXqOFI5NoL+Q0gNAyJYNtXe8KQ4q
+8L9O9pNaC418OCiiS/4rAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P
+AQH/BAQDAgEGMB0GA1UdDgQWBBRivYsKGrwW4qUaX5DjNlpcExbkETANBgkqhkiG
+9w0BAQUFAAOCAQEAqB1+wsyBShUOzkAdoFh55x9e1Od7nrnIPv6KKbcycMDv8kf3
+25D5KlgVIW+OWrMKOK7wlRUX7kvF4cENqSCn1W3VVLzCvKTbx34pRR/V8cuUD+2D
+7k1Q1331qFiulycGOl0IlqJCJRi3UPa2fuCDyHikOcbnIApK3Hk2/wGWhool5yzj
+0wUbGcyDg12o1U96bB0tO5ZFIFdYB31skviyiHJojcq4+uRVKA1DrsKoK8ZQx0xf
+p6l5H/z5jmFqlBTW8EIW+tdB1NOKCRI6JPwR+NSC8UtZS2M39oyGkGyReoIKjT8K
+XFfTm7TDhB9Tf65TF+mw0Rkr101KsoUT5Sm8Dw==
+-----END CERTIFICATE-----

data/example/certs/testing-intermediate.pem

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFRjCCBC6gAwIBAgIQdV9MvP3+ENU3kdfSg2vm/DANBgkqhkiG9w0BAQsFADCB
+hTELMAkGA1UEBhMCSlAxHTAbBgNVBAoTFFN5bWFudGVjIEphcGFuLCBJbmMuMS8w
+LQYDVQQLEyZGb3IgVGVzdCBQdXJwb3NlcyBPbmx5LiBObyBhc3N1cmFuY2VzLjEm
+MCQGA1UEAxMdVHJpYWwgQ2xhc3MgMyBKYXBhbiBSb290IC0gRzUwHhcNMTUwMjE4
+MDAwMDAwWhcNMjUwMjE3MjM1OTU5WjCBvDELMAkGA1UEBhMCSlAxHTAbBgNVBAoT
+FFN5bWFudGVjIEphcGFuLCBJbmMuMS8wLQYDVQQLEyZGb3IgVGVzdCBQdXJwb3Nl
+cyBPbmx5LiBObyBhc3N1cmFuY2VzLjE7MDkGA1UECxMyVGVybXMgb2YgdXNlIGF0
+IGh0dHBzOi8vd3d3LnN5bWF1dGguY29tL2Nwcy90ZXN0Y2ExIDAeBgNVBAMTF1Ry
+aWFsIFNTTCBKYXBhbiBDQSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA20T0ajk8CG7rIu90Zyh4bDAo32nO6RdBN1xjFD054LbjIR9R7dqAXbLx
+sYj5+V/7v5tN4ogqyHiK2CKLe3z/rtrFjeei/Xyr5NysNWuY2v/OIRSLpeKYYivr
+Ax76ssHbPRdqT4OobxYfRaOEZKwM5etUD55jLI1/0lcSeNqv7Gps8tKt44T4vDx2
+E8J0zT9Z102e649si0rUoGbP3flEBwvnkrmLTQDV1Rf9p3QbaAaZgsmEaXshgufJ
+Bti/BpOy1Sdg4ZTCcKPb/qhSphn2LZNbBFOH/rQiu4UoWHWWMOcsJm22pARSsELI
+ivNJIcXSE8PLTkLWisqRkVODaRaL+wIDAQABo4IBdzCCAXMwEgYDVR0TAQH/BAgw
+BgEB/wIBADB7BgNVHSAEdDByMHAGCmCGSAGG+EUBBxUwYjAuBggrBgEFBQcCARYi
+aHR0cHM6Ly93d3cuc3ltYXV0aC5jb20vY3BzL3Rlc3RjYTAwBggrBgEFBQcCAjAk
+GiJodHRwczovL3d3dy5zeW1hdXRoLmNvbS9jcHMvdGVzdGNhMGUGA1UdHwReMFww
+WqBYoFaGVGh0dHA6Ly9vbnNpdGVjcmwuc3ltYXV0aC5qcC9BUkwvU3ltYW50ZWNK
+YXBhbkluY1RyaWFsQ2xhc3MzSmFwYW5Sb290RzUvTGF0ZXN0QVJMLmNybDAOBgNV
+HQ8BAf8EBAMCAQYwKQYDVR0RBCIwIKQeMBwxGjAYBgNVBAMTEVByaXZhdGUzLTIw
+NDgtMTc5MB0GA1UdDgQWBBTdHyFkLkXC4EA5SL7jy4SAl8MkijAfBgNVHSMEGDAW
+gBRivYsKGrwW4qUaX5DjNlpcExbkETANBgkqhkiG9w0BAQsFAAOCAQEAZbKcrNvS
+q/b4KNd4Y41uNEqaCQlL6Uvqs5q6b0HQbK/Hjolt3sJttqT/jtSxGIITZVPH8PRt
+6fo3aWII1eLIiCVzuQc0eVA0671pPhUHgd8mPHgUmhsxLURWgEE3lMx9dKQhKL1V
+Fcp/2bQy+dLVZELQl2L3qtRCVEYubLFmoAgBG7nyiwjt+AsvG6AX2N7MLzsF+C8L
+vRbWEqglqDCFAt1es1Vfb2a7zFj0/BUYDDo6eQE/BpYiYmbHtoWz6SzBNZsehMb5
+OlnF9xqndWK7x2rtaNyi+Z287AzaDe0VFTUaGd1YnzKlEHphRr2nMHd/iNRZFNLy
+poe4IWfm9maFow==
+-----END CERTIFICATE-----

data/example/certs/testing-server.pem

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIFRTCCBC2gAwIBAgIQVMhYFMdnctqh7wAXLx1HjzANBgkqhkiG9w0BAQsFADCBvDELMAkGA1UE
+BhMCSlAxHTAbBgNVBAoTFFN5bWFudGVjIEphcGFuLCBJbmMuMS8wLQYDVQQLEyZGb3IgVGVzdCBQ
+dXJwb3NlcyBPbmx5LiBObyBhc3N1cmFuY2VzLjE7MDkGA1UECxMyVGVybXMgb2YgdXNlIGF0IGh0
+dHBzOi8vd3d3LnN5bWF1dGguY29tL2Nwcy90ZXN0Y2ExIDAeBgNVBAMTF1RyaWFsIFNTTCBKYXBh
+biBDQSAtIEcyMB4XDTE1MTEyNDAwMDAwMFoXDTE1MTIwODIzNTk1OVowgdAxCzAJBgNVBAYTAkpQ
+MQ4wDAYDVQQIDAVUb2t5bzETMBEGA1UEBwwKQ2hpeW9kYS1LdTEcMBoGA1UECgwTVHJlYXN1cmUg
+RGF0YSwgSy5LLjEYMBYGA1UECwwPT3BlblNvdXJjZSBUZWFtMSwwKgYDVQQLDCNodHRwczovL3d3
+dy5zeW1hbnRlYy5jb20vY3BzL3Rlc3RjYTEYMBYGA1UECwwPcjQ1MDExNTExNTE4MzgyMRwwGgYD
+VQQDDBN0ZXN0aW5nLmZsdWVudGQub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+pz2pcz/cGXSvEYMCXZLyLj8BXQvPRPfQIITPzCWpr+jbr5oVI2D3FqysJLedLRZHWY3wAmp/AHqS
+WIHfaGUr6TmLVaKM2weFfxjKtwHboVYSHrhL5bth6fm8gMzJrB6UbFyfUXRPlZw6z/WxcMezIoHp
+6KSS8Ao9ixeql1AFKF4Yc8H6xUH0fLLNOBLP7UxIbg7xZNxqcjlULOgKcMojK2YioI98Yq9nJ5To
+VopopIgtPEqXzN7W9EdrtaHelky9fsXLY3YnZ599ujEmHMMOzKbrTg7OMOyKwyhFdyERsGfNOHJ1
+/WdgCZZXRlfc0s2SxEWttaJ8v9D18Va1w4cR8wIDAQABo4IBKzCCAScwCQYDVR0TBAIwADAOBgNV
+HQ8BAf8EBAMCBaAwXgYDVR0fBFcwVTBToFGgT4ZNaHR0cDovL29uc2l0ZWNybC5zeW1hdXRoLmpw
+L1N5bWFudGVjSmFwYW5JbmNUcmlhbFNTTEphcGFuQ0FzaGEyL0xhdGVzdENSTC5jcmwwHgYDVR0R
+BBcwFYITdGVzdGluZy5mbHVlbnRkLm9yZzBKBgNVHSAEQzBBMD8GCmCGSAGG+EUBBxUwMTAvBggr
+BgEFBQcCARYjaHR0cHM6Ly93d3cuc3ltYW50ZWMuY29tL2Nwcy90ZXN0Y2EwHQYDVR0lBBYwFAYI
+KwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFN0fIWQuRcLgQDlIvuPLhICXwySKMA0GCSqG
+SIb3DQEBCwUAA4IBAQAU6rXvUcybWiyHfIGSlzy4MYO6HBeaF0tc2Pt0T4ByX+smXvKoVVgZbX8E
+ahlZURfjSwZyXHCpMvcH17/IyW7c+HrX/jheMZ7iyYdvCQnZ2GrT8Zr3GRMcNYf8e8wnXwkBFAPj
+yek5XHF5ShwLv64bOWDjAfdIAUCHEo1PpDz6JPQgJEb+SHqrxWx+O0zmELYUgSvRWKBuEC5TrxGU
+HEib235vmz6/TgDUqfci7RPf16cwqVyEilzD5tLXTuMp4+tkPRjEA5d+EzH5O2Lx/ef5RTnYYMZ0
+zsVBXssRtwcFKO2vStIGitRK9G9mbvzMNKuItaHcmw8GOhyXnMjTpl8u
+-----END CERTIFICATE-----
+

data/example/client_proxy.conf

@@ -0,0 +1,26 @@
+<source>
+  type forward
+</source>
+
+<match test.**>
+  type secure_forward
+  secure yes
+  self_hostname client
+  shared_key hogeposxxx0
+  keepalive 30
+  ca_cert_path /Users/tagomoris/github/fluent-plugin-secure-forward/test/tmp/cadir/ca_cert.pem
+  enable_strict_verification yes
+  <server>
+    proxy_uri http://foo.foo.local:3128
+    host localhost
+  </server>
+  # <server>
+  #   proxy_uri http://bar.bar.local:3128
+  #   host localhost
+  #   standby yes
+  # </server>
+  # <server>
+  #   host localhost
+  # </server>
+  flush_interval 1s
+</match>

data/fluent-plugin-secure-forward.gemspec

@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name          = "fluent-plugin-secure-forward"
-  gem.version       = "0.3.3dev2"
+  gem.version       = "0.3.3"
   gem.authors       = ["TAGOMORI Satoshi"]
   gem.email         = ["tagomoris@gmail.com"]
   gem.summary       = %q{Fluentd input/output plugin to forward over SSL with authentications}
@@ -17,6 +17,7 @@ Gem::Specification.new do |gem|
   gem.add_runtime_dependency "fluentd", ">= 0.10.46"
   gem.add_runtime_dependency "fluent-mixin-config-placeholders", ">= 0.3.0"
   gem.add_runtime_dependency "resolve-hostname"
+  gem.add_runtime_dependency "proxifier"
   gem.add_development_dependency "test-unit"
   gem.add_development_dependency "rake"
 end

data/lib/fluent/plugin/in_secure_forward.rb

@@ -21,7 +21,7 @@ module Fluent
     config_param :self_hostname, :string
     include Fluent::Mixin::ConfigPlaceholders
 
-    config_param :shared_key, :string
+    config_param :shared_key, :string, secret: true
 
     config_param :bind, :string, default: '0.0.0.0'
     config_param :port, :integer, default: DEFAULT_SECURE_LISTEN_PORT
@@ -36,12 +36,12 @@ module Fluent
     # Cert signed by public CA
     config_param :cert_path, :string, default: nil
     config_param :private_key_path, :string, default: nil
-    config_param :private_key_passphrase, :string, default: nil
+    config_param :private_key_passphrase, :string, default: nil, secret: true
 
     # Cert automatically generated and signed by private CA
     config_param :ca_cert_path, :string, default: nil
     config_param :ca_private_key_path, :string, default: nil
-    config_param :ca_private_key_passphrase, :string, default: nil
+    config_param :ca_private_key_passphrase, :string, default: nil, secret: true
 
     # Otherwise: Cert automatically generated and signed by itself (for without any verification)
 
@@ -59,13 +59,13 @@ module Fluent
 
     config_section :user, param_name: :users do
       config_param :username, :string
-      config_param :password, :string
+      config_param :password, :string, secret: true
     end
 
     config_section :client, param_name: :clients do
       config_param :host, :string, default: nil
       config_param :network, :string, default: nil
-      config_param :shared_key, :string, default: nil
+      config_param :shared_key, :string, default: nil, secret: true
       config_param :users, :string, default: nil # comma separated username list
     end
     attr_reader :nodes
@@ -96,6 +96,10 @@ module Fluent
         if @cert_path
           raise Fluent::ConfigError, "private_key_path required" unless @private_key_path
           raise Fluent::ConfigError, "private_key_passphrase required" unless @private_key_passphrase
+          certs = Fluent::SecureForward::CertUtil.certificates_from_file(@cert_path)
+          if certs.size < 1
+            raise Fluent::ConfigError, "no valid certificates in cert_path: #{@cert_path}"
+          end
         else # @ca_cert_path
           raise Fluent::ConfigError, "ca_private_key_path required" unless @ca_private_key_path
           raise Fluent::ConfigError, "ca_private_key_passphrase required" unless @ca_private_key_passphrase
@@ -171,9 +175,12 @@ module Fluent
     def certificate
       return @cert, @key if @cert && @key
 
+      @client_ca = nil
       if @cert_path
         @key = OpenSSL::PKey::RSA.new(File.read(@private_key_path), @private_key_passphrase)
-        @cert = OpenSSL::X509::Certificate.new(File.read(@cert_path))
+        certs = Fluent::SecureForward::CertUtil.certificates_from_file(@cert_path)
+        @cert = certs.shift
+        @client_ca = certs
       elsif @ca_cert_path
         opts = {
           ca_cert_path: @ca_cert_path,
@@ -220,6 +227,9 @@ module Fluent
 
       ctx.cert = cert
       ctx.key = key
+      if @client_ca
+        ctx.extra_chain_cert = @client_ca
+      end
 
       log.trace "start to listen", bind: @bind, port: @port
       server = TCPServer.new(@bind, @port)

data/lib/fluent/plugin/out_secure_forward.rb

@@ -20,7 +20,7 @@ module Fluent
     config_param :self_hostname, :string
     include Fluent::Mixin::ConfigPlaceholders
 
-    config_param :shared_key, :string
+    config_param :shared_key, :string, secret: true
 
     config_param :keepalive, :time, default: nil # nil/0 means disable keepalive expiration
 
@@ -41,16 +41,19 @@ module Fluent
     config_param :reconnect_interval, :time, default: 5
     config_param :established_timeout, :time, default: 10
 
+    config_param :proxy_uri, :string, default: nil
+
     attr_reader :read_interval, :socket_interval
 
     config_section :server, param_name: :servers do
       config_param :host, :string
       config_param :hostlabel, :string, default: nil
       config_param :port, :integer, default: DEFAULT_SECURE_CONNECT_PORT
-      config_param :shared_key, :string, default: nil
+      config_param :shared_key, :string, default: nil, secret: true
       config_param :username, :string, default: ''
-      config_param :password, :string, default: ''
+      config_param :password, :string, default: '', secret: true
       config_param :standby, :bool, default: false
+      config_param :proxy_uri, :string, default: nil
     end
     attr_reader :nodes
 

data/lib/fluent/plugin/output_node.rb

@@ -4,6 +4,8 @@
 # require 'digest'
 # require 'resolve/hostname'
 
+require 'proxifier'
+
 require_relative 'openssl_util'
 
 class Fluent::SecureForwardOutput::Node
@@ -27,6 +29,8 @@ class Fluent::SecureForwardOutput::Node
     @password = conf.password
     @standby = conf.standby
 
+    @proxy_uri = conf.proxy_uri
+
     @keepalive = sender.keepalive
 
     @authentication = nil
@@ -53,7 +57,7 @@ class Fluent::SecureForwardOutput::Node
   def dup
     renewed = self.class.new(
       @sender,
-      Fluent::Config::Section.new({host: @host, port: @port, hostlabel: @hostlabel, username: @username, password: @password, shared_key: @shared_key, standby: @standby})
+      Fluent::Config::Section.new({host: @host, port: @port, hostlabel: @hostlabel, username: @username, password: @password, shared_key: @shared_key, standby: @standby, proxy_uri: @proxy_uri})
     )
     renewed
   end
@@ -217,8 +221,14 @@ class Fluent::SecureForwardOutput::Node
 
     addr = @sender.hostname_resolver.getaddress(@host)
     log.debug "create tcp socket to node", host: @host, address: addr, port: @port
+
     begin
-      sock = TCPSocket.new(addr, @port)
+      if @proxy_uri.nil? then
+        sock = TCPSocket.new(addr, @port)
+      else
+        proxy = Proxifier::Proxy(@proxy_uri)
+        sock = proxy.open(addr, @port)
+      end
     rescue => e
       log.warn "failed to connect for secure-forward", error_class: e.class, error: e, host: @host, address: addr, port: @port
       @state = :failed

data/lib/fluent/plugin/secure_forward/cert_util.rb

@@ -3,6 +3,14 @@ require 'openssl'
 module Fluent
   module SecureForward
     module CertUtil
+      def self.certificates_from_file(path)
+        data = File.read(path)
+        pattern = Regexp.compile('-+BEGIN CERTIFICATE-+\n(?:[^-]*\n)+-+END CERTIFICATE-+\n', Regexp::MULTILINE)
+        list = []
+        data.scan(pattern){|match| list << OpenSSL::X509::Certificate.new(match)}
+        list
+      end
+
       def self.generate_ca_pair(opts={})
         key = OpenSSL::PKey::RSA.generate(opts[:private_key_length])
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-secure-forward
 version: !ruby/object:Gem::Version
-  version: 0.3.3dev2
+  version: 0.3.3
 platform: ruby
 authors:
 - TAGOMORI Satoshi
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-07-02 00:00:00.000000000 Z
+date: 2015-11-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fluentd
@@ -52,6 +52,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: proxifier
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: test-unit
   requirement: !ruby/object:Gem::Requirement
@@ -97,11 +111,19 @@ files:
 - bin/secure-forward-ca-generate
 - example/auth_client.conf
 - example/auth_server.conf
+- example/cert_c.conf
 - example/cert_client.conf
+- example/cert_i.conf
 - example/cert_server.conf
+- example/certs/cert-with-intermediate.pem
 - example/certs/cert.pem
+- example/certs/key-for-with-intermediate.key
 - example/certs/key.pem
+- example/certs/root.pem
+- example/certs/testing-intermediate.pem
+- example/certs/testing-server.pem
 - example/client.conf
+- example/client_proxy.conf
 - example/insecure_client.conf
 - example/insecure_server.conf
 - example/server.conf
@@ -131,9 +153,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubyforge_project: 
 rubygems_version: 2.4.5
@@ -145,3 +167,4 @@ test_files:
 - test/plugin/test_in_secure_forward.rb
 - test/plugin/test_input_session.rb
 - test/plugin/test_out_secure_forward.rb
+has_rdoc: