From 2b06450a921733e2ff680062506d8cdee8bfe36a Mon Sep 17 00:00:00 2001 From: Eguzki Astiz Lezaun Date: Sat, 21 Oct 2023 23:32:21 +0200 Subject: [PATCH] dev-environment: https-proxy-upstream-tlsv13 --- Makefile | 6 -- .../https-proxy-upstream-tlsv1.3/Makefile | 18 +++++ .../https-proxy-upstream-tlsv1.3/README.md | 59 ++++++++++++++++ .../apicast-config.json | 70 +++++++++++++++++++ .../cert/Makefile | 16 +++++ .../docker-compose.yml | 45 ++++++++++++ .../tinyproxy.Dockerfile | 0 .../tinyproxy.conf | 0 dev-environments/upstream-tlsv1.3/README.md | 2 +- examples/forward-proxy/README.md | 9 --- examples/forward-proxy/apicast-config.json | 36 ---------- examples/forward-proxy/proxy-nginx.conf | 27 ------- .../forward-proxy/upstream-cert/upstream.crt | 23 ------ .../forward-proxy/upstream-cert/upstream.key | 28 -------- 14 files changed, 209 insertions(+), 130 deletions(-) create mode 100644 dev-environments/https-proxy-upstream-tlsv1.3/Makefile create mode 100644 dev-environments/https-proxy-upstream-tlsv1.3/README.md create mode 100644 dev-environments/https-proxy-upstream-tlsv1.3/apicast-config.json create mode 100644 dev-environments/https-proxy-upstream-tlsv1.3/cert/Makefile create mode 100644 dev-environments/https-proxy-upstream-tlsv1.3/docker-compose.yml rename {examples/forward-proxy => dev-environments/https-proxy-upstream-tlsv1.3}/tinyproxy.Dockerfile (100%) rename {examples/forward-proxy => dev-environments/https-proxy-upstream-tlsv1.3}/tinyproxy.conf (100%) delete mode 100644 examples/forward-proxy/README.md delete mode 100644 examples/forward-proxy/apicast-config.json delete mode 100644 examples/forward-proxy/proxy-nginx.conf delete mode 100644 examples/forward-proxy/upstream-cert/upstream.crt delete mode 100644 examples/forward-proxy/upstream-cert/upstream.key diff --git a/Makefile b/Makefile index 0edb1a97a..ac58634ae 100644 --- a/Makefile +++ b/Makefile 
@@ -23,7 +23,6 @@ DEVEL_DOCKER_COMPOSE_VOLMOUNT_MAC_FILE ?= docker-compose-devel-volmount-mac.yml DEVEL_DOCKER_COMPOSE_VOLMOUNT_DEFAULT_FILE ?= docker-compose-devel-volmount-default.yml PROVE_DOCKER_COMPOSE_FILE ?= docker-compose.prove.yml -FORWARD_PROXY_DOCKER_COMPOSE_FILE ?= docker-compose.forward-proxy.yml DOCKER_VOLUME_NAME ?= apicast-local-volume @@ -172,10 +171,6 @@ opentelemetry-gateway: ## run gateway instrumented with opentelemetry opentracing-gateway: ## run gateway instrumented with opentracing $(DOCKER) compose run opentracing-instrumented-gateway -# Environment described in ./examples/forward-proxy -forward-proxy-gateway: ## run gateway configured to run along with a forward proxy - $(DOCKER) compose -f $(FORWARD_PROXY_DOCKER_COMPOSE_FILE) run gateway - test-runtime-image: export IMAGE_NAME ?= $(RUNTIME_IMAGE) test-runtime-image: clean-containers ## Smoke test the runtime image. Pass any docker image in IMAGE_NAME parameter. $(DOCKER) compose --version @@ -242,7 +237,6 @@ clean-containers: $(DOCKER) compose down --volumes --remove-orphans $(DOCKER) compose -f $(PROVE_DOCKER_COMPOSE_FILE) down --volumes --remove-orphans $(DOCKER) compose -f $(DEVEL_DOCKER_COMPOSE_FILE) -f $(DEVEL_DOCKER_COMPOSE_VOLMOUNT_FILE) down --volumes --remove-orphans - $(DOCKER) compose -f $(FORWARD_PROXY_DOCKER_COMPOSE_FILE) down --volumes --remove-orphans clean-deps: ## Remove all local dependency folders - rm -rf $(PROJECT_PATH)/lua_modules $(PROJECT_PATH)/local $(PROJECT_PATH)/.cpanm $(PROJECT_PATH)/vendor/cache $(PROJECT_PATH)/.cache : diff --git a/dev-environments/https-proxy-upstream-tlsv1.3/Makefile b/dev-environments/https-proxy-upstream-tlsv1.3/Makefile new file mode 100644 index 000000000..fe6780662 --- /dev/null +++ b/dev-environments/https-proxy-upstream-tlsv1.3/Makefile 
@@ -0,0 +1,18 @@
+SHELL = /usr/bin/env bash -o pipefail
+.SHELLFLAGS = -ec
+.DEFAULT_GOAL := gateway
+MKFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST)))
+WORKDIR := $(patsubst %/,%,$(dir $(MKFILE_PATH)))
+DOCKER ?= $(shell which docker 2> /dev/null || echo "docker")
+
+gateway: ## run gateway configured to access upstream powered with TLS
+ $(DOCKER) compose -f docker-compose.yml run --service-ports gateway
+
+clean:
+ $(DOCKER) compose down --volumes --remove-orphans
+ $(DOCKER) compose -f docker-compose.yml down --volumes --remove-orphans
+
+certs:
+ $(MAKE) clean -C $(WORKDIR)/cert -f $(WORKDIR)/cert/Makefile
+ $(MAKE) ca -C $(WORKDIR)/cert -f $(WORKDIR)/cert/Makefile
+ $(MAKE) clientcerts -C $(WORKDIR)/cert -f $(WORKDIR)/cert/Makefile DOMAIN=example.com
diff --git a/dev-environments/https-proxy-upstream-tlsv1.3/README.md b/dev-environments/https-proxy-upstream-tlsv1.3/README.md
new file mode 100644
index 000000000..55a835a88
--- /dev/null
+++ b/dev-environments/https-proxy-upstream-tlsv1.3/README.md
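Review bot: `gateway`, `clean` and `certs` are command targets but none is declared phony, and `gateway` does not require the certificate that `docker-compose.yml` bind-mounts from `./cert/example.com.pem`, so `make gateway` run before `make certs` leaves Docker to create an empty directory at that path and socat fails at startup instead of Make telling the user what is missing. Add `.PHONY: gateway clean certs`, make the dependency explicit with `gateway: cert/example.com.pem`, and give the file a rule such as `cert/example.com.pem: ; $(MAKE) certs`. The two recipe lines of `clean` run `docker compose down` against the same default `docker-compose.yml` twice; one of them is enough. `DOCKER ?= $(shell which docker …)` is recursively expanded, so the `which` lookup is re-run on every `$(DOCKER)` reference; since the fallback is the bare `docker` anyway, `DOCKER ?= docker` would behave the same for the common case without the repeated fork.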
@@ -0,0 +1,59 @@
+# PROXY with upstream using TLSv1.3
+
+APIcast --> tiny proxy (connect to 443 but no cert installed) --> upstream (TLSv1.3)
+
+APIcast configured with TLSv1.3 powered upstream through a proxy. TLS termination endpoint is `socat`.
+
+APicast starts SSL tunnel (via HTTP CONNECT method) against proxy to access upstream configured with TLSv1.3
+
+## Create the SSL Certificates
+
+```sh
+make certs
+```
+
+## Run the gateway
+
+Running local `apicast-test` docker image
+
+```sh
+make gateway
+```
+
+Running custom apicast image
+
+```sh
+make gateway IMAGE_NAME=quay.io/3scale/apicast:latest
+```
+
+Traffic between the proxy and upstream can be inspected looking at logs from `example.com` service
+
+```
+docker compose -p https-proxy-upstream-tlsv13 logs -f example.com
+```
+
+Proxy can be inspected looking at logs from `proxy` service
+
+```
+docker compose -p https-proxy-upstream-tlsv13 logs -f proxy
+```
+
+## Testing
+
+`GET` request
+
+```sh
+curl --resolve get.example.com:8080:127.0.0.1 -v "http://get.example.com:8080/?user_key=123"
+```
+
+`POST` request
+
+```sh
+curl --resolve post.example.com:8080:127.0.0.1 -v -X POST "http://post.example.com:8080/?user_key=123"
+```
+
+## Clean env
+
+```sh
+make clean
+```
diff --git a/dev-environments/https-proxy-upstream-tlsv1.3/apicast-config.json b/dev-environments/https-proxy-upstream-tlsv1.3/apicast-config.json
new file mode 100644
index 000000000..5227c5aaf
--- /dev/null
+++ b/dev-environments/https-proxy-upstream-tlsv1.3/apicast-config.json
@@ -0,0 +1,70 @@
+{
+ "services": [
+ {
+ "id": "1",
+ "backend_version": "1",
+ "proxy": {
+ "hosts": ["get.example.com"],
+ "api_backend": "https://example.com/get",
+ "backend": {
+ "endpoint": "http://127.0.0.1:8081",
+ "host": "backend"
+ },
+ "policy_chain": [
+ {
+ "name": "apicast.policy.http_proxy",
+ "configuration": {
+ "https_proxy": "http://proxy:443/"
+ }
+ },
+ {
+ "name": "apicast.policy.apicast"
+ }
+ ],
+ "proxy_rules": [
+ {
+ "http_method": "GET",
+ "pattern": "/",
+ "metric_system_name": "hits",
+ "delta": 1,
+ "parameters": [],
+ "querystring_parameters": {}
+ }
+ ]
+ }
+ },
+ {
+ "id": "2",
+ "backend_version": "1",
+ "proxy": {
+ "hosts": ["post.example.com"],
+ "api_backend": "https://example.com/post",
+ "backend": {
+ "endpoint": "http://127.0.0.1:8081",
+ "host": "backend"
+ },
+ "policy_chain": [
+ {
+ "name": "apicast.policy.http_proxy",
+ "configuration": {
+ "https_proxy": "http://proxy:443/"
+ }
+ },
+ {
+ "name": "apicast.policy.apicast"
+ }
+ ],
+ "proxy_rules": [
+ {
+ "http_method": "POST",
+ "pattern": "/",
+ "metric_system_name": "hits",
+ "delta": 1,
+ "parameters": [],
+ "querystring_parameters": {}
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/dev-environments/https-proxy-upstream-tlsv1.3/cert/Makefile b/dev-environments/https-proxy-upstream-tlsv1.3/cert/Makefile
new file mode 100644
index 000000000..e9efe9b61
--- /dev/null
+++ b/dev-environments/https-proxy-upstream-tlsv1.3/cert/Makefile
@@ -0,0 +1,16 @@
+clean:
+ - rm *.crt *.key *.pem *.csr
+
+ca:
+ openssl genrsa -out rootCA.key 2048
+ openssl req -batch -new -x509 -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
+
+clientcerts:
+ openssl req -subj '/CN=$(DOMAIN)' -newkey rsa:4096 -nodes \
+ -sha256 \
+ -days 3650 \
+ -keyout $(DOMAIN).key \
+ -out $(DOMAIN).csr
+ chmod +r $(DOMAIN).key
+ openssl x509 -req -in $(DOMAIN).csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out $(DOMAIN).crt -days 500 -sha256
+ cat $(DOMAIN).key $(DOMAIN).crt >$(DOMAIN).pem
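Review bot: The leaf certificate produced by `clientcerts` carries only `/CN=$(DOMAIN)` and no subjectAltName, so any client that does verify hostnames (modern OpenSSL, curl, browsers) will reject it, which makes this environment unusable for testing a gateway with upstream verification switched on; since `openssl x509 -req` does not copy CSR extensions by default, write an extension file first, `printf 'subjectAltName=DNS:%s\n' '$(DOMAIN)' > $(DOMAIN).ext`, and add `-extfile $(DOMAIN).ext` to the `openssl x509` line. `clean` removes `*.crt *.key *.pem *.csr` but not the `rootCA.srl` written by `-CAcreateserial` (nor the `.ext` file if added), so change it to `$(RM) *.crt *.key *.pem *.csr *.srl *.ext` and declare `.PHONY: clean ca clientcerts`. `chmod +r $(DOMAIN).key` leaves the private key world-readable in the working tree, presumably so the socat container can read the bind mount; given this same commit removes a private key that had been committed under `examples/forward-proxy/upstream-cert/`, confirm that `cert/*.key`, `*.pem`, `*.csr`, `*.crt` and `*.srl` are covered by a `.gitignore` (not visible in this patch). The `-days 3650` on the `openssl req` line has no effect on a CSR — the lifetime that applies is the `-days 500` on the signing line — so drop it to avoid misleading the next reader.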
diff --git a/dev-environments/https-proxy-upstream-tlsv1.3/docker-compose.yml b/dev-environments/https-proxy-upstream-tlsv1.3/docker-compose.yml
new file mode 100644
index 000000000..9fa735f7c
--- /dev/null
+++ b/dev-environments/https-proxy-upstream-tlsv1.3/docker-compose.yml
@@ -0,0 +1,45 @@
+---
+version: '3.8'
+services:
+ gateway:
+ image: ${IMAGE_NAME:-apicast-test}
+ depends_on:
+ - proxy
+ - example.com
+ - two.upstream
+ environment:
+ THREESCALE_CONFIG_FILE: /tmp/config.json
+ THREESCALE_DEPLOYMENT_ENV: staging
+ APICAST_CONFIGURATION_LOADER: lazy
+ APICAST_WORKERS: 1
+ APICAST_LOG_LEVEL: debug
+ APICAST_CONFIGURATION_CACHE: "0"
+ expose:
+ - "8080"
+ - "8090"
+ ports:
+ - "8080:8080"
+ - "8090:8090"
+ volumes:
+ - ./apicast-config.json:/tmp/config.json
+ proxy:
+ build:
+ dockerfile: ./tinyproxy.Dockerfile
+ expose:
+ - "3128:3128"
+ - "443:443"
+ volumes:
+ - ./tinyproxy.conf:/etc/tinyproxy/tinyproxy.conf
+ example.com:
+ image: alpine/socat:1.7.4.4
+ container_name: example.com
+ command: "-v openssl-listen:443,reuseaddr,fork,cert=/etc/pki/example.com.pem,verify=0,openssl-min-proto-version=TLS1.3,openssl-max-proto-version=TLS1.3 TCP:two.upstream:80"
+ expose:
+ - "443"
+ restart: unless-stopped
+ volumes:
+ - ./cert/example.com.pem:/etc/pki/example.com.pem
+ two.upstream:
+ image: kennethreitz/httpbin
+ expose:
+ - "80"
diff --git a/examples/forward-proxy/tinyproxy.Dockerfile b/dev-environments/https-proxy-upstream-tlsv1.3/tinyproxy.Dockerfile
similarity index 100%
rename from examples/forward-proxy/tinyproxy.Dockerfile
rename to dev-environments/https-proxy-upstream-tlsv1.3/tinyproxy.Dockerfile
diff --git a/examples/forward-proxy/tinyproxy.conf b/dev-environments/https-proxy-upstream-tlsv1.3/tinyproxy.conf
similarity index 100%
rename from examples/forward-proxy/tinyproxy.conf
rename to dev-environments/https-proxy-upstream-tlsv1.3/tinyproxy.conf
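Review bot: The `gateway` service is given no way to verify the upstream certificate: only `./cert/example.com.pem` is mounted, into the socat container, while `cert/rootCA.pem` is mounted nowhere, so this environment exercises TLS 1.3 through the CONNECT tunnel but not certificate validation, and if APIcast's upstream verification were enabled here it would fail against the self-signed CA. Either mount `./cert/rootCA.pem` into the gateway and point its CA bundle setting at it (the exact environment variable depends on the APIcast version in use — confirm), or state in the README that verification is deliberately left off and why. Under `proxy`, `expose` lists `"3128:3128"` and `"443:443"` in host:container form, but per the Compose spec `expose` takes container ports only (the mapping form may be accepted silently or rejected depending on the Compose version); write `- "3128"` and `- "443"`. `depends_on` without a healthcheck means the gateway can start before socat and tinyproxy are listening, which is harmless for manual `curl` testing but worth a one-line comment so the first failed request is not mistaken for a TLS problem.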
diff --git a/dev-environments/upstream-tlsv1.3/README.md b/dev-environments/upstream-tlsv1.3/README.md index 7672d261c..b2da7e763 100644 --- a/dev-environments/upstream-tlsv1.3/README.md +++ b/dev-environments/upstream-tlsv1.3/README.md @@ -24,7 +24,7 @@ Running custom apicast image make gateway IMAGE_NAME=quay.io/3scale/apicast:latest ``` -Traffic between the proxy and upstream can be inspected looking at logs from `example.com` service +Traffic between the gateway and upstream can be inspected looking at logs from `example.com` service ``` docker compose -p upstream-tlsv13 logs -f example.com diff --git a/examples/forward-proxy/README.md b/examples/forward-proxy/README.md deleted file mode 100644 index 68fd9899f..000000000 --- a/examples/forward-proxy/README.md +++ /dev/null @@ -1,9 +0,0 @@ -# PROXY with upstream using TLSv1.3 - -APIcast --> tiny proxy (connect to 443 but no cert installed) --> upstream (TLSv1.3) - -APicast starts SSL tunnel (via HTTP Connect method) against proxy to access upstream configured with TLSv1.3 - -``` -curl -v -H "Host: one" http://${APICAST_IP}:8080/get?user_key=foo -``` diff --git a/examples/forward-proxy/apicast-config.json b/examples/forward-proxy/apicast-config.json deleted file mode 100644 index 63298bd41..000000000 --- a/examples/forward-proxy/apicast-config.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "services": [ - { - "backend_version": "1", - "proxy": { - "hosts": ["one"], - "api_backend": "https://upstream:443/", - "backend": { - "endpoint": "http://127.0.0.1:8081", - "host": "backend" - }, - "policy_chain": [ - { - "name": "apicast.policy.apicast" - }, - { - "name": "apicast.policy.http_proxy", - "configuration": { - "https_proxy": "http://proxy:443/" - } - } - ], - "proxy_rules": [ - { - "http_method": "GET", - "pattern": "/", - "metric_system_name": "hits", - "delta": 1, - "parameters": [], - "querystring_parameters": {} - } - ] - } - } - ] -} 
diff --git a/examples/forward-proxy/proxy-nginx.conf b/examples/forward-proxy/proxy-nginx.conf deleted file mode 100644 index 3809958e4..000000000 --- a/examples/forward-proxy/proxy-nginx.conf +++ /dev/null @@ -1,27 +0,0 @@ -worker_processes auto; - -error_log /var/log/nginx/error.log warn; -pid /var/run/nginx.pid; - -events { worker_connections 1024; } - -http { - server { - listen 443 ssl; - - server_name upstream; - - resolver 8.8.8.8; - - access_log /dev/stdout; - error_log /dev/stdout info; - - ssl_certificate /etc/pki/tls.crt; - ssl_certificate_key /etc/pki/tls.key; - ssl_protocols TLSv1.3; - - location ~ ^/(.*)$ { - proxy_pass https://postman-echo.com/get/$1$is_args$args; - } - } -} diff --git a/examples/forward-proxy/upstream-cert/upstream.crt b/examples/forward-proxy/upstream-cert/upstream.crt deleted file mode 100644 index a88a1381d..000000000 --- a/examples/forward-proxy/upstream-cert/upstream.crt +++ /dev/null 
@@ -1,23 +0,0 @@ ------BEGIN CERTIFICATE----- -MIID0TCCArmgAwIBAgIUVLuR+puDZ8IZ2IdWZlBmeNSLW0UwDQYJKoZIhvcNAQEL -BQAweDELMAkGA1UEBhMCRVMxEjAQBgNVBAgMCUJhcmNlbG9uYTESMBAGA1UEBwwJ -QmFyY2Vsb25hMR0wGwYDVQQKDBRSSC0zc2NhbGUtRGV2dGVzdGluZzEPMA0GA1UE -CwwGM3NjYWxlMREwDwYDVQQDDAh1cHN0cmVhbTAeFw0yMzAzMzEwODE2MzVaFw0z -MzAzMjgwODE2MzVaMHgxCzAJBgNVBAYTAkVTMRIwEAYDVQQIDAlCYXJjZWxvbmEx -EjAQBgNVBAcMCUJhcmNlbG9uYTEdMBsGA1UECgwUUkgtM3NjYWxlLURldnRlc3Rp -bmcxDzANBgNVBAsMBjNzY2FsZTERMA8GA1UEAwwIdXBzdHJlYW0wggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDE5pVWHIECIcA9BiKN6LZjg7qAl/BAediR -WOHtzksE96Y3pMtQcI8qQcExu4cbrJyc0O2C/wvsyhi0giAhMPLJlFjBcpIOhapH -nc1ZIgYW/mIzPp+lS0HBrZj6SJef/83DIkou1tv8DOnDtrUHH2o1FtB/PTkGlfh2 -oyNe75ZjG82DU8ToKIvJLmhc094XQIes7qRnbd/miBwLyvnOFeQoHQzcuaX1Of2c -Q4VJlNsQwxFLdaN/Xd1zCMLL0t/XhQvKS8ofQFd9ySDbzfuB59NV5aUatM3hcNbL -ieUMPHCisyvuO36O2ZpnsAcN5aMaHZ4xAHTzpfuSwfUotFnoTpdhAgMBAAGjUzBR -MB0GA1UdDgQWBBTSz08QUrGbnVKWJEkeFF7kSdEt4jAfBgNVHSMEGDAWgBTSz08Q -UrGbnVKWJEkeFF7kSdEt4jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA -A4IBAQBUNHY1dXQlfLpfrVeMtJbSIPkpZPcjPmEJlS9whrqs1739IZcgs1W3LEb/ -LOYUZyctV7CC1aXQkYqrEvTQ/IMJe4ui+gwz2Gas+lfh6JLjnAPazlMfPoHzhypG -8GDo9+xwTkOqX4oOJBhdiNeAbOCCFdGPIyMO4Tb7Knc60APPjqc/jA+z9xA9E2wY -Pv1WDqPuL8c+a6lzvuj1oEFwrIgZzjxZ0Cu/MIcC0mgJJ39iSE/VAIibujB7cyMg -zw0xVEUMBOcVmvBa1E0v6m8S6FoersKiitzXxsF29s7fPYNxbA6O257wXyZnhNmr -SniQDbc9OhOyxKPbirf+DD/UIAc8 ------END CERTIFICATE----- diff --git a/examples/forward-proxy/upstream-cert/upstream.key b/examples/forward-proxy/upstream-cert/upstream.key deleted file mode 100644 index 673d68fc3..000000000 --- a/examples/forward-proxy/upstream-cert/upstream.key +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDE5pVWHIECIcA9 -BiKN6LZjg7qAl/BAediRWOHtzksE96Y3pMtQcI8qQcExu4cbrJyc0O2C/wvsyhi0 -giAhMPLJlFjBcpIOhapHnc1ZIgYW/mIzPp+lS0HBrZj6SJef/83DIkou1tv8DOnD -trUHH2o1FtB/PTkGlfh2oyNe75ZjG82DU8ToKIvJLmhc094XQIes7qRnbd/miBwL -yvnOFeQoHQzcuaX1Of2cQ4VJlNsQwxFLdaN/Xd1zCMLL0t/XhQvKS8ofQFd9ySDb -zfuB59NV5aUatM3hcNbLieUMPHCisyvuO36O2ZpnsAcN5aMaHZ4xAHTzpfuSwfUo -tFnoTpdhAgMBAAECggEAECZ3pk4FOOcKzRaVO/2UBDqYUBbmUmuMG3PmaCqNFbW4 -cQT31ju9SnKFRa6DiP4SBHzQlneUA1KaTygDOaW5rFYaJ5fdqgpFqsUjREXZqQYp -iNmAn766AIhcLV9J7Io/VtuXqRrfhV+Lxw1T8OcfP4aFCIK9jDA95oFAE/fj5nIL -Bw+w5SUL96q7czYta8zOjJCX8AIhsx7aScR2xYmSu7qyOS6er3+O+6MiAuj9rUD6 -j7EG2bV115TDth4RU5g32U/x0EqhQh63KhncXi96LlMK+NMicmD8LytcA8uzg4W1 -G50BTF/TCfCl7FKAMnxVdi2fvZF23om16v3SWQ6N9wKBgQDfxXVg2m63qp1cLaYL -yCZsH2C24IeNJaEm6Scy4Lv42rCC+Vv06r272uoHxobdaeFkfWQiBeYT6FmTvlSm -CIBxg3Dh0esNYSN9l4k3WDCj0UPWSqexvGsVa5nnRCLPlBUVfNg30Jf+tBdCKiDs -1JjdNI1aFd9pfH6jlxtK2geB+wKBgQDhQmT6E0z0uzbqIty8eYYNrUPNQdelM5nP -1yUAYoMsCDr9GFrE3tnENeDyvC3MlooOfxSlnAcbkjpBFXTrCB3MU928Ku2KFQdM -yoqz68/64TmqPoJAMehqkthKNb4tZJE/N5dhcR/Mt6LGy8sp/0vYp4hrmk6oX+ir -YIKu9RbpUwKBgQDOUDgQvFQoct3zBwN5CWijd6qr8ggIUxFp1r2VYy7sGnVzzITE -I0ob0ZLE6H2f1udAx3tzAw1GfYtZdLqG+n+yKQYCrpCRHWajfPu+U0lFQMPS57IF -ZTs13KdhWqjdyiJGVXzkuSXqaBCpqD4DHWBzUuigjloV3/rCyacYND2H0QKBgQCc -g2Vl3MM7yFj/lfmJe2aJWjoiA/2x64iTwQkUm15I2e8irCllYPIuQsFp5xZrcK28 -JNBTwXWu0otnbWEvbRRHRH5sn+csajAISzLUkKSRzKwkfgpCUGsMobtm1LCvGZFS -O24TZmaR94ZCWpdvNtOcVcuT+ENu+jTP3t7ucZzZwQKBgQCaHYZAV83R08nd0Mil -GKmV2MkFbWsoDCf1Z6I9h877Dpi+ilT5aX20Fv/eMpfUXCXwkciV2Yk9gtDmVJdR -emAt/f7ldcVZ1dymTZIoKTVQCXexZliISq88ZwlmHbphF8LHC/0awC4XOvsDFHmg -iAa0ukVxqPWNmpGp4wuRoa+Tpg== ------END PRIVATE KEY-----