fluent-plugin-secure-forward 0.4.2 → 0.4.3
- checksums.yaml +4 -4
- data/.travis.yml +3 -3
- data/example/auth_client.conf +5 -7
- data/example/auth_server.conf +4 -4
- data/example/cacerts1/ca_cert.pem +19 -0
- data/example/cacerts1/ca_key.pem +30 -0
- data/example/cacerts2/ca_cert.pem +19 -0
- data/example/cacerts2/ca_key.pem +30 -0
- data/example/cert_c.conf +3 -3
- data/example/cert_client.conf +5 -7
- data/example/cert_copy_client.conf +35 -0
- data/example/cert_copy_server_a.conf +16 -0
- data/example/cert_copy_server_b.conf +16 -0
- data/example/cert_i.conf +4 -4
- data/example/cert_server.conf +7 -10
- data/example/client.conf +3 -11
- data/example/client_proxy.conf +3 -11
- data/example/insecure_client.conf +2 -9
- data/example/insecure_server.conf +2 -2
- data/example/server.conf +4 -4
- data/fluent-plugin-secure-forward.gemspec +1 -2
- data/lib/fluent/plugin/in_secure_forward.rb +32 -11
- data/lib/fluent/plugin/input_session.rb +2 -2
- data/lib/fluent/plugin/out_secure_forward.rb +28 -12
- data/lib/fluent/plugin/output_node.rb +9 -3
- data/test/plugin/test_in_secure_forward.rb +33 -0
- data/test/plugin/test_out_secure_forward.rb +49 -0
- metadata +9 -16
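--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9601f59a121cd93cafea5680070f5576063161ef
+data.tar.gz: 46d5cdff55de400c05415994a12b653439ecbfd1
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: e6d160a617827e2ce82a57e85ae751325ba7ba71e7ade2c9b6ff7a4939e83deddd851b9fe6cb5cb7633831f8b2dc934de54734928cc59568b53ac0c043c1c72d
+data.tar.gz: 93ba1ea3da142b50d972a891b02fd22a8575f91b6bfb9464bf6c6d7c2e164293b225a8fac95bdd5f7539797d6b4cad1636d748eb95bc4ae70f6caf7bd57eaa8b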
data/.travis.yml
CHANGED
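--- a/data/example/auth_client.conf
+++ b/data/example/auth_client.conf
@@ -1,19 +1,17 @@
 <source>
-type forward
+@type forward
 </source>
 
 <match test.**>
-type secure_forward
-self_hostname client
-
-shared_key
+@type secure_forward
+self_hostname auth-client.local
+secure no
+shared_key hogeposxxx0
 <server>
 host localhost
 shared_key hogeposxxx1
 username tagomoris
 password 001122
-# password XXYYZZ
-# password wrong_pass
 </server>
 flush_interval 1s
 </match>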
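Review bot: The added `secure no` leaves this client without a `ca_cert_path` to check the server certificate against, yet the same `<server>` block sends `username`, `password` and a per-server `shared_key`, and nothing in the file marks it as a lab-only setup. `data/example/auth_server.conf` gains the same `secure no` line. A header comment such as `# no certificate verification: local testing only; use "secure yes" with ca_cert_path elsewhere` would keep the sample from being copied as a deployment template. The literal credentials would also benefit from a `# sample value, replace before use` marker.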
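--- a/data/example/auth_server.conf
+++ b/data/example/auth_server.conf
@@ -1,6 +1,7 @@
 <source>
-type secure_forward
+@type secure_forward
 self_hostname server
+secure no
 shared_key hogeposxxx0
 cert_auto_generate yes
 allow_anonymous_source no
@@ -18,13 +19,12 @@
 password XXYYZZ
 </user>
 <client>
-host
+host 127.0.0.1
 users tagomoris
 shared_key hogeposxxx1
-# users sugomoris
 </client>
 </source>
 
 <match test.**>
-type stdout
+@type stdout
 </match>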
@@ -0,0 +1,19 @@
|
|
1
|
+
-----BEGIN CERTIFICATE-----
|
2
|
+
MIIDIDCCAggCAQEwDQYJKoZIhvcNAQEFBQAwTTELMAkGA1UEBhMCVVMxCzAJBgNV
|
3
|
+
BAgMAkNBMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRkwFwYDVQQDDBBTZWN1cmVG
|
4
|
+
b3J3YXJkIENBMB4XDTcwMDEwMTAwMDAwMFoXDTIxMDcyODA0MTczMVowTTELMAkG
|
5
|
+
A1UEBhMCVVMxCzAJBgNVBAgMAkNBMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRkw
|
6
|
+
FwYDVQQDDBBTZWN1cmVGb3J3YXJkIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
|
7
|
+
MIIBCgKCAQEA6661Su72owkCqTcIBHI1dTSnUCdRduk/Mzu8x2D8nwQRGPVroRwJ
|
8
|
+
5ddqZsBpuKSfoZSZXLvL9d4VpLRxOzrM6+KhldxG5QNRIQTIE2Cw4xMop4nURLrP
|
9
|
+
7z1KxM6o1U/lqLSO0GDBfyZS0xhNg8xN7nMObP/YiZYKse5BfLD8kXmhH0DkhOBl
|
10
|
+
+DPo7Vk8Yhs+930YLzrwOXLOi0w1bfSuTKjIUIxLH7jHiJ7NITH179r+BcyOraG8
|
11
|
+
thv9QsRnPfgM0xOwdIEUPVbay7Q4wD6ZBqGHba+U49USdcq7lS86nYJa1Z5/s4SV
|
12
|
+
lx+Jpnxf4IDKxpP7fh/Rofj8LV/CcHbfAQIDAQABoxAwDjAMBgNVHRMEBTADAQH/
|
13
|
+
MA0GCSqGSIb3DQEBBQUAA4IBAQDSJRHzhPW4fLzb0PSbRZDdmECYiMjvtktUTZtE
|
14
|
+
n0ATPOkQME2n6l/5m28rs+25wqhYrELhRVxE1SOBQQCmkUnxuSpI7+KgYJwetl7W
|
15
|
+
IJZEWjC6R0NK05H44ZCNfDk/kNV1cq1Y78F3VtSfBm4ng6IOMf7NN8t8qyF1UEYT
|
16
|
+
eZzasoFf1Njxnkg9ry1bCISGoU6swmZlE00h1JFV5xhg8rxDMzQCQ8j3PbH+8C40
|
17
|
+
jQasBuBIb7z9XUfveeoRBWsPa0wlydYbJJo+i8HgF8Wg+qn6BG03A+1IuzzfgzLf
|
18
|
+
o/aUGK98gi8JKPJ+GPVGBQqOk5UpT8RcyxdMGm7ZlE/TwXHd
|
19
|
+
-----END CERTIFICATE-----
|
@@ -0,0 +1,30 @@
|
|
1
|
+
-----BEGIN RSA PRIVATE KEY-----
|
2
|
+
Proc-Type: 4,ENCRYPTED
|
3
|
+
DEK-Info: AES-256-CBC,B42AD5E6BF9AB7CCD39BC79D260E73BC
|
4
|
+
|
5
|
+
PpbaxpBrgNeW85QjfZZaU8egw5bow3QX1eqZXeJW5+Kol7vRz9aciOeCVZ56IUfj
|
6
|
+
8hivC2g5rHwwCMpipFoX6+Q1H+hfQZCuEgL8Ea7h8VTnHd6fxSQjUiTJdcmIsuPI
|
7
|
+
3WaLPQm22mbkrEUOe4mwq5qu0YiKUdF9ExtZoiSKnaV+oHvFrOmOMGY3L8HlscpZ
|
8
|
+
/qKEKp3bgJbsEPNHHW9VSU2ds8RUcWr9/MwAcAQJUTOpl7o4kAg5mCd/kx5tU2TW
|
9
|
+
kkt2YBPxkUEZoww5aThjgMVyg4C6hF2jM1nNlaGpHMZ7SuZTJW7dw5T2aQv+s2G6
|
10
|
+
6/9LD54PE07/cF7x+RlZ22q0ibPyLzJiu7rKBb5KwNgdnwQCq/c7dJaQsk1M3c5t
|
11
|
+
mzoTn6JqKmyaWWrELD1EJq6ttcpMxCSb7UTpZxB3zMqsReplPgaOHx3V8Fi0mFup
|
12
|
+
kmN4p5fMOm8PCSo3eSTyQzOpRyrYtZ24AorLZ1Tu1xAT5xl0S8kLxiulovKBAzS9
|
13
|
+
h8dfpoCWZfn90I9NigrfKkQ4WxPizZAjwteYuhZ2GYfILz9ctLEcWhYMFzj65ahM
|
14
|
+
Vo1w8Bb8rQ/sdgJlfu6V8C64b0UVvyacWSbWRHObhcVEeMLId+8cdR1EzhrWNvAb
|
15
|
+
rpZia9bFxKZTIHuRbGhn7eEelZ4FEXsq97dn3a71pooQPEOUIbTEEI1zd3KaKsu6
|
16
|
+
AtPm3pMij8AMPfUQA6UGA/5v0xU18fz90UWfjx3EzlOcHXK1iswFXZYJNy3BR4ao
|
17
|
+
de01Nino5C88YXjuUSFFf75jL1Kw7zgLLGwfPvFYz57R2P9ujZ/0QjkFAq1C2Mti
|
18
|
+
MaUFbBdy6mqE0vcUnrARpjWKuDr+wTm34miWmbF3WIjZQC3j4Q4zqbIZ28O+5pfP
|
19
|
+
l12n2bGN6c7lqP7ueaOYXXI+4av/R29A89/9xFJ/cMJlmbfVwYKzLHWI7yRYFmAC
|
20
|
+
HhUDWqyY/2bX5NF/OQNgWXJOG5mEgq42ygPFpNyF6Z8BeuGPnfwIQDf4X6kz5vP3
|
21
|
+
a6kigDgs2Ma4AU9ZMiWOGDnUgSBQF00gECEkNV9b5scGyiqAsuvY/QTWDw04v+6E
|
22
|
+
VI4ctDRkrJHc8Q+rWbFTsr3Za6LxjDo3LDbnWPG7e6tSEjW9fdJLtTvmB8klIa3J
|
23
|
+
131YCkCXIKr5gs/AmyH7ccF7UCMuFA55TK1ZMIwwVIHmAmmwV0LZ63Syy8xWRrMk
|
24
|
+
aieZTLovxJMybCW87X/AXcIlRFAHuy9+V35xrmeq3r1O7PG5aKlWXwSKGTAILQzl
|
25
|
+
w0pIALqwAtHSXGnOIHtyQeu/AhZhVGEqb8uwa/7LGdchIxW/VOw+jzQFQTd/o/uO
|
26
|
+
bNcFbs7iDTvOKmVOkAnKUG48ETe12mYiyn4HxHl8pDR2WGBN32VfbRkzKHVYhWcX
|
27
|
+
xDwzMAfMH73pMGvdpTfZVI8GRcZEuPz0JvieQe4Esu6qHKgR8q9Onkl6RlqT9qVs
|
28
|
+
8don37z0MA6ZKja3L56ObeVwRA1C4t1GDNyjB0bL1bMDnShPJSqROvEEhxt8AnHc
|
29
|
+
XrrAnePUWah2DXqYxKKwahfdjdQjPX+kU+vy++izEj5QdFF84KOZJAeTYtRxTmlf
|
30
|
+
-----END RSA PRIVATE KEY-----
|
@@ -0,0 +1,19 @@
|
|
1
|
+
-----BEGIN CERTIFICATE-----
|
2
|
+
MIIDIDCCAggCAQEwDQYJKoZIhvcNAQEFBQAwTTELMAkGA1UEBhMCVVMxCzAJBgNV
|
3
|
+
BAgMAkNBMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRkwFwYDVQQDDBBTZWN1cmVG
|
4
|
+
b3J3YXJkIENBMB4XDTcwMDEwMTAwMDAwMFoXDTIxMDcyODA0MzI1MlowTTELMAkG
|
5
|
+
A1UEBhMCVVMxCzAJBgNVBAgMAkNBMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRkw
|
6
|
+
FwYDVQQDDBBTZWN1cmVGb3J3YXJkIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
|
7
|
+
MIIBCgKCAQEAtBX3hMotHdbUuIy9jnmHHUI2Pcn+hQnZzDw77ynEAtaFMchSTTeB
|
8
|
+
etMl7FkaGYpEZSXEfCZmzZgbhTlh2Dq9TinqN3QqYij/zH0VN1jRjAWiHMSsz5E0
|
9
|
+
cLvpLTm2oIrvJToMulAF2duH2hvPsnbBLV7Bm5sfzxSoMD6UM+yjkSyjSq9RlM6g
|
10
|
+
QS3BsJc2+OOFzSpHw+h/H/xaqQPYscU9a4SWGsJKoP/il4dM8DZTiZUZW/3LD45C
|
11
|
+
0J/t/qjbrWUhAnHa1iCVN9UYiq+AhBq+luOR6ZXQ847YFsjF9IL3SNrkFSI1cjl5
|
12
|
+
6l3DxsuGSkWCMT+mUfr+W0BSnq1ShElOdQIDAQABoxAwDjAMBgNVHRMEBTADAQH/
|
13
|
+
MA0GCSqGSIb3DQEBBQUAA4IBAQBr0Vt8xiic10D+zaJZebbGXn5zvkKPz9YgEJGj
|
14
|
+
u37CPmlf46rk3Bpmm64QYzbliRUMfJ0uQc66k/0qvNgfokahHmV6QOsk7LpAFBKC
|
15
|
+
pxyEH6w7iADP8IO+rMmnTrOGGIarjFOCkTNyR5TPHPQTIKY3Gf/yLIXguXEG7mKH
|
16
|
+
40EJbN7KhxywO/oKW8a02Quv2vVQQjXBRLejuxK+JJvDzxRQoTFsvYtL5uJMwR5m
|
17
|
+
IkGAdtMOwoqz4pY+mFnifjwpKy1llIk47RkbLx3uVb0y+OrWxh+KmF9sHuvnFDh7
|
18
|
+
1vctdqOHQWc2RlprPO9Yxb7sBIVktWaOyU2JTjDmaS5BvXZu
|
19
|
+
-----END CERTIFICATE-----
|
@@ -0,0 +1,30 @@
|
|
1
|
+
-----BEGIN RSA PRIVATE KEY-----
|
2
|
+
Proc-Type: 4,ENCRYPTED
|
3
|
+
DEK-Info: AES-256-CBC,B40E264210E818183F1296FDE1900ABA
|
4
|
+
|
5
|
+
tPAdiPpZx0kEVsd1P668AH/lpGzc7YsLiy8hwUuleW39bi3aF+MC2f5oVhp8l3+B
|
6
|
+
AT5LWsAsPooUX2lR2hGqcBsxr/u4bOtTTDRQjmqONWr1RdcTf10uM013mU6w/K4e
|
7
|
+
qlj3+JiR1foBHmVyz47N+U93S5WhtSvfw5767QTnuNVP2N+ZYoVfloLz4ph+gcn4
|
8
|
+
k9HPM0bsQMlXikFC3GU4P7Jw8vQPaiv7Jp34GOfX8kSiYvZJ/IhHe8RCytgPHDTr
|
9
|
+
1lB7NNBC3ez0EkqGswPwRIYVbn2cR2bOzOdj12IROszdn8xK4iqOlZ7J/n30+Wq6
|
10
|
+
KTBPF7NC04ie6cIfyr3gpYU5QiM5W+No5vYb8XjqryJSfyXtV0cf2vKlHChwBM/1
|
11
|
+
HKe4p8JB3tGZ6oY3PWPl5z3h34t5H/c33DAhaCbAtJow1HUqgyGsscDKBnyBRTbx
|
12
|
+
16bEZh533E0R2fvlAQNkAi2fQhJ12HV1mlZT3iY9cV2mfTQMxwfryqm8NmZpDaWB
|
13
|
+
5qqJxlAg5fhRCLNbPz4ln3AAwyafR9e+C04kr1CqvxXKDQkPMBvlEMpMVYrl/ZVc
|
14
|
+
wSqRuYChpMENk9tPEpqP9tnF4nIuWo4lJ2SxuYQa9Rf/RkTzulwMP1m8Vfn4F6EZ
|
15
|
+
N66cf9iAnqlgaMWn/m2LnZO4OXkNUfQSvcZT0YjfP5RwOVs8reeSCVNjZyJyCHGS
|
16
|
+
ROXAATGoJiSSaJYQgc1qmIQzJskMwAqZFKjM++gmD7Ba3gSmosmjKG2BJZmQcfBR
|
17
|
+
ostQmS3yebsNE7RZRtI1oxI50QdZ5X6a8MEXRZTa0sHGppCXcSQ45IO7Ag1snNsa
|
18
|
+
SfFeFOHwVv8RzKRLDSQBYK706onY2UuBTAuM+qpcOaO24H5sWB3MWICqGZde62Ff
|
19
|
+
vBpo7CJfDbyR/jH/JtxbRL2qTDLRMccQlcEt5HIrnfkhE9boh6USSqtiINNe8R8R
|
20
|
+
xtVYkCDuq1S7o2saGF40PHYPQMICV3e4I2/r44YGFAasbsAn2eBibpkWErFFaPfl
|
21
|
+
lLUGTTKfFJCDTV1qikxq1StKBMOimPQLhn/KP+YNUzDeP15KABYhcgvRBhpcxZfw
|
22
|
+
CLnTC+BTOddTd1A2imRn6q5BaF7EvE3bAnmhq14wK/c7ykMKT//R3vvFD47qhXLF
|
23
|
+
vvv9PdTyxEGeNM4Mu5uwapUWo5gV1+aDqg3UoR0hszEWK60dkC4sTI5DaZbmhRh2
|
24
|
+
JezoQATQnZ19XeEKQTt6XMi9goTzQ5c63TDGnYlCds/KV3fV5i0cQmSJCdsBtlnW
|
25
|
+
8wPY0f/ejgdVU2AaxeWgPi7ivuT1/FU5F/TRNZRBigUH8vyXRRHjFC1S6Zl7d5bA
|
26
|
+
Fp/Axpr2KxFlVFKzz0lmoYw9pO2mOMd1MQSTmHt81GZleyMpt6Rb0/QCa5dElRv6
|
27
|
+
5YSY0jlEVfFomqO/gkuD2FduYrG5pvnFycELwEoLgkdQJUOKGKFWnAe8ZOnMfflZ
|
28
|
+
4zODkvxAm0wbAw8PCPRL0l1/hHntt7f5cTKw1NiHwrvjJD8Umi/W4/7AsRZyHw0o
|
29
|
+
9OBMQgliw0fKqo9ZY6y+tj+R7SomzWO7+8j6cGjDAJTxwbUwp/jQ9OG0XtxRHt/D
|
30
|
+
-----END RSA PRIVATE KEY-----
|
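--- a/data/example/cert_c.conf
+++ b/data/example/cert_c.conf
@@ -1,14 +1,14 @@
 <source>
-type forward
+@type forward
 </source>
 
 <match test.**>
-type secure_forward
+@type secure_forward
 secure yes
 enable_strict_verification yes
 self_hostname client
 shared_key norikra2
-ca_cert_path /
+ca_cert_path "#{Dir.pwd}/example/root.pem"
 <server>
 host 127.0.0.1
 hostlabel testing.fluentd.org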
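--- a/data/example/cert_client.conf
+++ b/data/example/cert_client.conf
@@ -1,21 +1,19 @@
 <source>
-type forward
+@type forward
 </source>
 
 <match test.**>
-type secure_forward
+@type secure_forward
 secure yes
 self_hostname client
-
-
+shared_key hogeposxxx0
+enable_strict_verification yes
 <server>
-host
+host 127.0.0.1
 hostlabel tagomoris
 shared_key hogeposxxx1
 username tagomoris
 password 001122
-# password XXYYZZ
-# password wrong_pass
 </server>
 flush_interval 1s
 </match>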
@@ -0,0 +1,35 @@
|
|
1
|
+
<source>
|
2
|
+
@type forward
|
3
|
+
</source>
|
4
|
+
|
5
|
+
<match test.**>
|
6
|
+
@type copy
|
7
|
+
<store>
|
8
|
+
@type secure_forward
|
9
|
+
secure yes
|
10
|
+
self_hostname client
|
11
|
+
shared_key hogeposxxx0
|
12
|
+
ca_cert_path "#{Dir.pwd}/example/cacerts1/ca_cert.pem"
|
13
|
+
enable_strict_verification yes
|
14
|
+
<server>
|
15
|
+
host localhost
|
16
|
+
port 24284
|
17
|
+
hostlabel server_a.local
|
18
|
+
</server>
|
19
|
+
flush_interval 1s
|
20
|
+
</store>
|
21
|
+
<store>
|
22
|
+
@type secure_forward
|
23
|
+
secure yes
|
24
|
+
self_hostname client
|
25
|
+
shared_key hogeposxxx0
|
26
|
+
ca_cert_path "#{Dir.pwd}/example/cacerts2/ca_cert.pem"
|
27
|
+
enable_strict_verification yes
|
28
|
+
<server>
|
29
|
+
host localhost
|
30
|
+
port 24285
|
31
|
+
hostlabel server_a.local
|
32
|
+
</server>
|
33
|
+
flush_interval 1s
|
34
|
+
</store>
|
35
|
+
</match>
|
@@ -0,0 +1,16 @@
|
|
1
|
+
<source>
|
2
|
+
@type secure_forward
|
3
|
+
port 24284
|
4
|
+
secure yes
|
5
|
+
self_hostname server_a.local
|
6
|
+
shared_key hogeposxxx0
|
7
|
+
ca_cert_path "#{Dir.pwd}/example/cacerts1/ca_cert.pem"
|
8
|
+
ca_private_key_path "#{Dir.pwd}/example/cacerts1/ca_key.pem"
|
9
|
+
ca_private_key_passphrase "my secret"
|
10
|
+
allow_anonymous_source yes
|
11
|
+
authentication no
|
12
|
+
</source>
|
13
|
+
|
14
|
+
<match test.**>
|
15
|
+
@type stdout
|
16
|
+
</match>
|
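Review bot: `ca_private_key_passphrase "my secret"` unlocks a CA private key that this same release ships as `example/cacerts1/ca_key.pem`, so that key has to be treated as public and anyone holding the gem can issue certificates that chain to `example/cacerts1/ca_cert.pem`. The section also sets `allow_anonymous_source yes` and `authentication no`, which appears to leave `shared_key hogeposxxx0` as the only check on a sender. `cert_copy_server_b.conf` repeats the pattern with `cacerts2` and `"my secret 2"`. A first-line comment such as `# demo CA shipped with the gem: never trust example/cacerts*/ca_cert.pem outside this example` would make the intent explicit.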
@@ -0,0 +1,16 @@
|
|
1
|
+
<source>
|
2
|
+
@type secure_forward
|
3
|
+
port 24285
|
4
|
+
secure yes
|
5
|
+
self_hostname server_a.local
|
6
|
+
shared_key hogeposxxx0
|
7
|
+
ca_cert_path "#{Dir.pwd}/example/cacerts2/ca_cert.pem"
|
8
|
+
ca_private_key_path "#{Dir.pwd}/example/cacerts2/ca_key.pem"
|
9
|
+
ca_private_key_passphrase "my secret 2"
|
10
|
+
allow_anonymous_source yes
|
11
|
+
authentication no
|
12
|
+
</source>
|
13
|
+
|
14
|
+
<match test.**>
|
15
|
+
@type stdout
|
16
|
+
</match>
|
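--- a/data/example/cert_i.conf
+++ b/data/example/cert_i.conf
@@ -3,16 +3,16 @@
 # openssl s_client -connect testing.fluentd.org:24284 -showcerts
 
 <source>
-type secure_forward
+@type secure_forward
 secure yes
 self_hostname testing.fluentd.org
 shared_key norikra2
-cert_path /
-private_key_path /
+cert_path "#{Dir.pwd}/example/certs/cert-with-intermediate.pem"
+private_key_path "#{Dir.pwd}/example/certs/key-for-with-intermediate.key"
 private_key_passphrase norikra2
 authentication no
 </source>
 
 <match test.**>
-type stdout
+@type stdout
 </match>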
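--- a/data/example/cert_server.conf
+++ b/data/example/cert_server.conf
@@ -1,13 +1,11 @@
 <source>
-type secure_forward
+@type secure_forward
 secure yes
-self_hostname
-# self_hostname tagomoris
+self_hostname tagomoris
 shared_key hogeposxxx0
-cert_path /
-private_key_path /
-# blank passphrase
-private_key_passphrase
+cert_path "#{Dir.pwd}/example/certs/cert.pem"
+private_key_path "#{Dir.pwd}/example/certs/key.pem"
+private_key_passphrase # blank passphrase
 allow_anonymous_source no
 authentication yes
 <user>
@@ -23,13 +21,12 @@
 password XXYYZZ
 </user>
 <client>
-host
+host 127.0.0.1
 users tagomoris
 shared_key hogeposxxx1
-# users sugomoris
 </client>
 </source>
 
 <match test.**>
-type stdout
+@type stdout
 </match>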
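--- a/data/example/client.conf
+++ b/data/example/client.conf
@@ -1,24 +1,16 @@
 <source>
-type forward
+@type forward
 </source>
 
 <match test.**>
-type secure_forward
+@type secure_forward
 secure yes
 self_hostname client
 shared_key hogeposxxx0
 keepalive 30
-ca_cert_path /
+ca_cert_path "#{Dir.pwd}/test/tmp/cadir/ca_cert.pem"
 enable_strict_verification yes
 <server>
 host localhost
 </server>
-# <server>
-# host localhost
-# standby yes
-# </server>
-# <server>
-# host localhost
-# </server>
-flush_interval 1s
 </match>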
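--- a/data/example/client_proxy.conf
+++ b/data/example/client_proxy.conf
@@ -1,26 +1,18 @@
 <source>
-type forward
+@type forward
 </source>
 
 <match test.**>
-type secure_forward
+@type secure_forward
 secure yes
 self_hostname client
 shared_key hogeposxxx0
 keepalive 30
-ca_cert_path /
+ca_cert_path "#{Dir.pwd}/test/tmp/cadir/ca_cert.pem"
 enable_strict_verification yes
 <server>
 proxy_uri http://foo.foo.local:3128
 host localhost
 </server>
-# <server>
-# proxy_uri http://bar.bar.local:3128
-# host localhost
-# standby yes
-# </server>
-# <server>
-# host localhost
-# </server>
 flush_interval 1s
 </match>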
@@ -1,9 +1,9 @@
|
|
1
1
|
<source>
|
2
|
-
type forward
|
2
|
+
@type forward
|
3
3
|
</source>
|
4
4
|
|
5
5
|
<match test.**>
|
6
|
-
type secure_forward
|
6
|
+
@type secure_forward
|
7
7
|
secure no
|
8
8
|
self_hostname client
|
9
9
|
shared_key hogeposxxx0
|
@@ -12,12 +12,5 @@
|
|
12
12
|
<server>
|
13
13
|
host localhost
|
14
14
|
</server>
|
15
|
-
# <server>
|
16
|
-
# host localhost
|
17
|
-
# standby yes
|
18
|
-
# </server>
|
19
|
-
# <server>
|
20
|
-
# host localhost
|
21
|
-
# </server>
|
22
15
|
flush_interval 1s
|
23
16
|
</match>
|
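--- a/data/example/server.conf
+++ b/data/example/server.conf
@@ -1,13 +1,13 @@
 <source>
-type secure_forward
+@type secure_forward
 secure yes
 self_hostname localhost
 shared_key hogeposxxx0
-ca_cert_path /
-ca_private_key_path /
+ca_cert_path "#{Dir.pwd}/test/tmp/cadir/ca_cert.pem"
+ca_private_key_path "#{Dir.pwd}/test/tmp/cadir/ca_key.pem"
 ca_private_key_passphrase testing secret phrase
 </source>
 
 <match test.**>
-type stdout
+@type stdout
 </match>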
@@ -1,7 +1,7 @@
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
2
2
|
Gem::Specification.new do |gem|
|
3
3
|
gem.name = "fluent-plugin-secure-forward"
|
4
|
-
gem.version = "0.4.
|
4
|
+
gem.version = "0.4.3"
|
5
5
|
gem.authors = ["TAGOMORI Satoshi"]
|
6
6
|
gem.email = ["tagomoris@gmail.com"]
|
7
7
|
gem.summary = %q{Fluentd input/output plugin to forward over SSL with authentications}
|
@@ -15,7 +15,6 @@ Gem::Specification.new do |gem|
|
|
15
15
|
gem.require_paths = ["lib"]
|
16
16
|
|
17
17
|
gem.add_runtime_dependency "fluentd", ">= 0.10.46"
|
18
|
-
gem.add_runtime_dependency "fluent-mixin-config-placeholders", ">= 0.3.0"
|
19
18
|
gem.add_runtime_dependency "resolve-hostname"
|
20
19
|
gem.add_runtime_dependency "proxifier"
|
21
20
|
gem.add_development_dependency "test-unit"
|
@@ -1,7 +1,12 @@
|
|
1
1
|
# -*- coding: utf-8 -*-
|
2
2
|
|
3
3
|
require 'fluent/input'
|
4
|
-
|
4
|
+
|
5
|
+
require 'ipaddr'
|
6
|
+
require 'socket'
|
7
|
+
require 'openssl'
|
8
|
+
require 'digest'
|
9
|
+
require 'securerandom'
|
5
10
|
|
6
11
|
module Fluent
|
7
12
|
class SecureForwardInput < Input
|
@@ -19,8 +24,8 @@ module Fluent
|
|
19
24
|
|
20
25
|
config_param :secure, :bool # if secure, cert_path or ca_cert_path required
|
21
26
|
|
27
|
+
config_param :hostname, :string, default: nil # This is evaluated after rewriting conf in fact.
|
22
28
|
config_param :self_hostname, :string
|
23
|
-
include Fluent::Mixin::ConfigPlaceholders
|
24
29
|
|
25
30
|
config_param :shared_key, :string, secret: true
|
26
31
|
|
@@ -73,15 +78,6 @@ module Fluent
|
|
73
78
|
|
74
79
|
attr_reader :sessions # node/socket/thread list which has sslsocket instance keepaliving to client
|
75
80
|
|
76
|
-
def initialize
|
77
|
-
super
|
78
|
-
require 'ipaddr'
|
79
|
-
require 'socket'
|
80
|
-
require 'openssl'
|
81
|
-
require 'digest'
|
82
|
-
require 'securerandom'
|
83
|
-
end
|
84
|
-
|
85
81
|
# Define `log` method for v0.10.42 or earlier
|
86
82
|
unless method_defined?(:log)
|
87
83
|
define_method("log") { $log }
|
@@ -92,7 +88,32 @@ module Fluent
|
|
92
88
|
define_method("router") { Fluent::Engine }
|
93
89
|
end
|
94
90
|
|
91
|
+
def initialize
|
92
|
+
super
|
93
|
+
@cert = nil
|
94
|
+
end
|
95
|
+
|
96
|
+
HOSTNAME_PLACEHOLDERS = [ '__HOSTNAME__', '${hostname}' ]
|
97
|
+
|
98
|
+
def replace_hostname_placeholder(conf, hostname)
|
99
|
+
replace_element = ->(c) {
|
100
|
+
c.keys.each do |key|
|
101
|
+
v = c[key]
|
102
|
+
if v && v.respond_to?(:include?) && v.respond_to?(:gsub)
|
103
|
+
if HOSTNAME_PLACEHOLDERS.any?{|ph| v.include?(ph) }
|
104
|
+
c[key] = HOSTNAME_PLACEHOLDERS.inject(v){|r, ph| r.gsub(ph, hostname) }
|
105
|
+
end
|
106
|
+
end
|
107
|
+
end
|
108
|
+
c.elements.each{|e| replace_element.call(e) }
|
109
|
+
}
|
110
|
+
replace_element.call(conf)
|
111
|
+
end
|
112
|
+
|
95
113
|
def configure(conf)
|
114
|
+
hostname = conf.has_key?('hostname') ? conf['hostname'].to_s : Socket.gethostname
|
115
|
+
replace_hostname_placeholder(conf, hostname)
|
116
|
+
|
96
117
|
super
|
97
118
|
|
98
119
|
if @secure
|
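Review bot: `replace_hostname_placeholder` rewrites every string value in the whole config tree, not just `self_hostname`, so a `shared_key` or a `<user>` `password` that happens to contain `__HOSTNAME__` or `${hostname}` is silently changed before `super` parses it. A comment above the method stating that scope, or a restriction to the keys meant to carry placeholders, would prevent a hard-to-trace authentication mismatch. `r.gsub(ph, hostname)` also interprets backslash sequences in `hostname` as back-references, whereas the block form `r.gsub(ph) { hostname }` inserts the value literally; the constant could be frozen with `.freeze`. The identical method and constant are added to `out_secure_forward.rb`, so the same points apply there and a shared module would remove the duplication. `configure` continues past the end of the last hunk.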
@@ -72,7 +72,7 @@ class Fluent::SecureForwardInput::Session
|
|
72
72
|
unless message.size == 6 && message[0] == 'PING'
|
73
73
|
return false, 'invalid ping message'
|
74
74
|
end
|
75
|
-
|
75
|
+
_ping, hostname, shared_key_salt, shared_key_hexdigest, username, password_digest = message
|
76
76
|
|
77
77
|
shared_key = if @node && @node[:shared_key]
|
78
78
|
@node[:shared_key]
|
@@ -156,7 +156,7 @@ class Fluent::SecureForwardInput::Session
|
|
156
156
|
return
|
157
157
|
end
|
158
158
|
|
159
|
-
|
159
|
+
_proto, port, host, ipaddr = @socket.io.peeraddr
|
160
160
|
@node = check_node(ipaddr)
|
161
161
|
if @node.nil? && (! @receiver.allow_anonymous_source)
|
162
162
|
log.warn "Connection required from unknown host '#{host}' (#{ipaddr}), disconnecting..."
|
@@ -1,7 +1,12 @@
|
|
1
1
|
# -*- coding: utf-8 -*-
|
2
2
|
|
3
3
|
require 'fluent/output'
|
4
|
-
|
4
|
+
|
5
|
+
require 'socket'
|
6
|
+
require 'openssl'
|
7
|
+
require 'digest'
|
8
|
+
require 'resolve/hostname'
|
9
|
+
require 'securerandom'
|
5
10
|
|
6
11
|
module Fluent
|
7
12
|
class SecureForwardOutput < ObjectBufferedOutput
|
@@ -18,8 +23,8 @@ module Fluent
|
|
18
23
|
|
19
24
|
config_param :secure, :bool
|
20
25
|
|
26
|
+
config_param :hostname, :string, default: nil # This is evaluated after rewriting conf in fact.
|
21
27
|
config_param :self_hostname, :string
|
22
|
-
include Fluent::Mixin::ConfigPlaceholders
|
23
28
|
|
24
29
|
config_param :shared_key, :string, secret: true
|
25
30
|
|
@@ -62,21 +67,32 @@ module Fluent
|
|
62
67
|
|
63
68
|
attr_reader :hostname_resolver
|
64
69
|
|
65
|
-
def initialize
|
66
|
-
super
|
67
|
-
require 'socket'
|
68
|
-
require 'openssl'
|
69
|
-
require 'digest'
|
70
|
-
require 'resolve/hostname'
|
71
|
-
require 'securerandom'
|
72
|
-
end
|
73
|
-
|
74
70
|
# Define `log` method for v0.10.42 or earlier
|
75
71
|
unless method_defined?(:log)
|
76
72
|
define_method("log") { $log }
|
77
73
|
end
|
78
74
|
|
75
|
+
HOSTNAME_PLACEHOLDERS = [ '__HOSTNAME__', '${hostname}' ]
|
76
|
+
|
77
|
+
def replace_hostname_placeholder(conf, hostname)
|
78
|
+
replace_element = ->(c) {
|
79
|
+
c.keys.each do |key|
|
80
|
+
v = c[key]
|
81
|
+
if v && v.respond_to?(:include?) && v.respond_to?(:gsub)
|
82
|
+
if HOSTNAME_PLACEHOLDERS.any?{|ph| v.include?(ph) }
|
83
|
+
c[key] = HOSTNAME_PLACEHOLDERS.inject(v){|r, ph| r.gsub(ph, hostname) }
|
84
|
+
end
|
85
|
+
end
|
86
|
+
end
|
87
|
+
c.elements.each{|e| replace_element.call(e) }
|
88
|
+
}
|
89
|
+
replace_element.call(conf)
|
90
|
+
end
|
91
|
+
|
79
92
|
def configure(conf)
|
93
|
+
hostname = conf.has_key?('hostname') ? conf['hostname'].to_s : Socket.gethostname
|
94
|
+
replace_hostname_placeholder(conf, hostname)
|
95
|
+
|
80
96
|
super
|
81
97
|
|
82
98
|
if @secure
|
@@ -84,7 +100,7 @@ module Fluent
|
|
84
100
|
raise Fluent::ConfigError, "CA cert file not found nor readable at '#{@ca_cert_path}'" unless File.readable?(@ca_cert_path)
|
85
101
|
begin
|
86
102
|
OpenSSL::X509::Certificate.new File.read(@ca_cert_path)
|
87
|
-
rescue OpenSSL::X509::CertificateError
|
103
|
+
rescue OpenSSL::X509::CertificateError
|
88
104
|
raise Fluent::ConfigError, "failed to load CA cert file"
|
89
105
|
end
|
90
106
|
else
|
@@ -166,7 +166,7 @@ class Fluent::SecureForwardOutput::Node
|
|
166
166
|
unless message.size == 5 && message[0] == 'PONG'
|
167
167
|
return false, 'invalid format for PONG message'
|
168
168
|
end
|
169
|
-
|
169
|
+
_pong, auth_result, reason, hostname, shared_key_hexdigest = message
|
170
170
|
|
171
171
|
unless auth_result
|
172
172
|
return false, 'authentication failed: ' + reason
|
@@ -227,8 +227,14 @@ class Fluent::SecureForwardOutput::Node
|
|
227
227
|
Thread.current.abort_on_exception = true
|
228
228
|
log.debug "starting client"
|
229
229
|
|
230
|
-
|
231
|
-
|
230
|
+
begin
|
231
|
+
addr = @sender.hostname_resolver.getaddress(@host)
|
232
|
+
log.debug "create tcp socket to node", host: @host, address: addr, port: @port
|
233
|
+
rescue => e
|
234
|
+
log.warn "failed to resolve the hostname", error_class: e.class, error: e, host: @host
|
235
|
+
@state = :failed
|
236
|
+
return
|
237
|
+
end
|
232
238
|
|
233
239
|
begin
|
234
240
|
if @proxy_uri.nil? then
|
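Review bot: The new `rescue => e` around `@sender.hostname_resolver.getaddress(@host)` catches every StandardError, so an unrelated failure inside that block would be logged as "failed to resolve the hostname" and the node quietly set to `:failed`. Rescuing only the error classes the resolver raises would keep other bugs visible, which seems to be what `Thread.current.abort_on_exception = true` a few lines above is for. A short comment on how a node leaves `:failed` again would also help, because the retry path is not visible here. The method starts and ends outside this hunk.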
@@ -234,4 +234,37 @@ CONFIG
|
|
234
234
|
ca_private_key_passphrase testing secret phrase
|
235
235
|
CONFIG
|
236
236
|
end
|
237
|
+
|
238
|
+
def test_configure_using_hostname
|
239
|
+
my_system_hostname = Socket.gethostname
|
240
|
+
|
241
|
+
d = create_driver(%[
|
242
|
+
secure false
|
243
|
+
shared_key secret_string
|
244
|
+
self_hostname ${hostname}
|
245
|
+
])
|
246
|
+
assert_equal my_system_hostname, d.instance.self_hostname
|
247
|
+
|
248
|
+
d = create_driver(%[
|
249
|
+
secure false
|
250
|
+
shared_key secret_string
|
251
|
+
self_hostname __HOSTNAME__
|
252
|
+
])
|
253
|
+
assert_equal my_system_hostname, d.instance.self_hostname
|
254
|
+
|
255
|
+
d = create_driver(%[
|
256
|
+
secure false
|
257
|
+
shared_key secret_string
|
258
|
+
self_hostname test.${hostname}
|
259
|
+
])
|
260
|
+
assert_equal "test.#{my_system_hostname}", d.instance.self_hostname
|
261
|
+
|
262
|
+
d = create_driver(%[
|
263
|
+
secure false
|
264
|
+
shared_key secret_string
|
265
|
+
hostname dummy.local
|
266
|
+
self_hostname test.${hostname}
|
267
|
+
])
|
268
|
+
assert_equal "test.dummy.local", d.instance.self_hostname
|
269
|
+
end
|
237
270
|
end
|
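Review bot: `test_configure_using_hostname` only asserts on the top-level `self_hostname`, although `replace_hostname_placeholder` recurses into `c.elements` and rewrites every string value it finds. A case with a placeholder inside a nested section, plus one asserting whether `shared_key` is rewritten, would pin the behaviour that matters for authentication. The same gap exists in the copy added to `test_out_secure_forward.rb`, whose `<server>` blocks contain no placeholder.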
@@ -144,4 +144,53 @@ CONFIG
|
|
144
144
|
</server>
|
145
145
|
CONFIG
|
146
146
|
end
|
147
|
+
|
148
|
+
def test_configure_using_hostname
|
149
|
+
my_system_hostname = Socket.gethostname
|
150
|
+
|
151
|
+
d = create_driver(%[
|
152
|
+
secure no
|
153
|
+
shared_key secret_string
|
154
|
+
self_hostname ${hostname}
|
155
|
+
<server>
|
156
|
+
host server.fqdn.local # or IP
|
157
|
+
# port 24284
|
158
|
+
</server>
|
159
|
+
])
|
160
|
+
assert_equal my_system_hostname, d.instance.self_hostname
|
161
|
+
|
162
|
+
d = create_driver(%[
|
163
|
+
secure no
|
164
|
+
shared_key secret_string
|
165
|
+
self_hostname __HOSTNAME__
|
166
|
+
<server>
|
167
|
+
host server.fqdn.local # or IP
|
168
|
+
# port 24284
|
169
|
+
</server>
|
170
|
+
])
|
171
|
+
assert_equal my_system_hostname, d.instance.self_hostname
|
172
|
+
|
173
|
+
d = create_driver(%[
|
174
|
+
secure no
|
175
|
+
shared_key secret_string
|
176
|
+
self_hostname test.${hostname}
|
177
|
+
<server>
|
178
|
+
host server.fqdn.local # or IP
|
179
|
+
# port 24284
|
180
|
+
</server>
|
181
|
+
])
|
182
|
+
assert_equal "test.#{my_system_hostname}", d.instance.self_hostname
|
183
|
+
|
184
|
+
d = create_driver(%[
|
185
|
+
secure no
|
186
|
+
shared_key secret_string
|
187
|
+
hostname dummy.local
|
188
|
+
self_hostname test.${hostname}
|
189
|
+
<server>
|
190
|
+
host server.fqdn.local # or IP
|
191
|
+
# port 24284
|
192
|
+
</server>
|
193
|
+
])
|
194
|
+
assert_equal "test.dummy.local", d.instance.self_hostname
|
195
|
+
end
|
147
196
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: fluent-plugin-secure-forward
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.4.
|
4
|
+
version: 0.4.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- TAGOMORI Satoshi
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2016-
|
11
|
+
date: 2016-08-10 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: fluentd
|
@@ -24,20 +24,6 @@ dependencies:
|
|
24
24
|
- - ">="
|
25
25
|
- !ruby/object:Gem::Version
|
26
26
|
version: 0.10.46
|
27
|
-
- !ruby/object:Gem::Dependency
|
28
|
-
name: fluent-mixin-config-placeholders
|
29
|
-
requirement: !ruby/object:Gem::Requirement
|
30
|
-
requirements:
|
31
|
-
- - ">="
|
32
|
-
- !ruby/object:Gem::Version
|
33
|
-
version: 0.3.0
|
34
|
-
type: :runtime
|
35
|
-
prerelease: false
|
36
|
-
version_requirements: !ruby/object:Gem::Requirement
|
37
|
-
requirements:
|
38
|
-
- - ">="
|
39
|
-
- !ruby/object:Gem::Version
|
40
|
-
version: 0.3.0
|
41
27
|
- !ruby/object:Gem::Dependency
|
42
28
|
name: resolve-hostname
|
43
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -111,8 +97,15 @@ files:
|
|
111
97
|
- bin/secure-forward-ca-generate
|
112
98
|
- example/auth_client.conf
|
113
99
|
- example/auth_server.conf
|
100
|
+
- example/cacerts1/ca_cert.pem
|
101
|
+
- example/cacerts1/ca_key.pem
|
102
|
+
- example/cacerts2/ca_cert.pem
|
103
|
+
- example/cacerts2/ca_key.pem
|
114
104
|
- example/cert_c.conf
|
115
105
|
- example/cert_client.conf
|
106
|
+
- example/cert_copy_client.conf
|
107
|
+
- example/cert_copy_server_a.conf
|
108
|
+
- example/cert_copy_server_b.conf
|
116
109
|
- example/cert_i.conf
|
117
110
|
- example/cert_server.conf
|
118
111
|
- example/certs/cert-with-intermediate.pem
|