Skip to content

Latest commit

 

History

History
62 lines (49 loc) · 2.73 KB

README.md

File metadata and controls

62 lines (49 loc) · 2.73 KB

EXIGN Egress Proxy

An egress proxy that is capable to add signature header to all received request and forward the request to the actual server.

Usage

Steps:

  1. Start exign container using docker with the following command:

    docker run \
      --rm \
      --name exign \
      --pull 'always' \
      --dns '8.8.8.8' \
      --dns '8.8.1.1' \
      --publish '53:53/udp' \
      --publish '80:80' \
      --publish '443:443' \
      --publish '1080:1080' \
      --publish '127.0.0.1:3000:3000' \
      --volume "$(pwd)/config:/src/config" \
      --volume "$(pwd)/logs:/src/logs" \
      ghcr.io/telkomindonesia/exign

    In case you can't allocate port 80, 443, or 53 (UDP), then you can start exign without those ports. But in step 3, you can only use SOCKS5 Proxy if you need request redirection. Meanwhile port 1080 and 3000 (left side of --publish arguments) can be changed as necessary.

    docker run \
        --rm \
        --name exign \
        --pull 'always' \
        --publish '1080:1080' \
        --publish '127.0.0.1:3000:3000' \
        --volume "$(pwd)/config:/src/config" \
        --volume "$(pwd)/logs:/src/logs" \
        ghcr.io/telkomindonesia/exign
  2. If the remote server you are trying to connect to need to verify the signature, then distribute the generated public key to the administrator of the remote server. Meanwhile, keep the private key safe and private.

  3. Setup redirection to exign by doing one of the following:

    • Use SOCKS5 proxy at 127.0.0.1:1080 for all of your HTTP and DNS requests.
    • Change your DNS resolver to 127.0.0.1.
    • Add custom host-IP mapping to your hosts file manually.
  4. If your tools need to verify TLS certificate, then trust the generated CA Certificate. For reference, checkout Portswigger documentation on how to trust a particular CA Certificate.

Container Signature

The container image is signed using cosign. You should verify that you are using the legitimate container as follow:

docker run \
     --rm \
     --env KEY=$'-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE3il8roBEOKz2Ogu5adrXSvoCbrL\nq3kbKfGJXVmTTinmNd3VJ/VbOS+kGoB/F++AtQRY7GcCrSIfWWsPf6YyVg==\n-----END PUBLIC KEY-----' \
     gcr.io/projectsigstore/cosign:v1.13.1 \
          verify --key env://KEY \
          ghcr.io/telkomindonesia/exign