Identity aware TCP forwarding over HTTPS #332

Closed
8 tasks done
mathieuancelin opened this issue Aug 8, 2019 · 0 comments

mathieuancelin commented Aug 8, 2019

Like in GCP IAP. The idea here is to provide a client that will expose a local port for TCP connections. This client will wrap every TCP packet in an HTTPS connection and send it to Otoroshi. Otoroshi will verify if the connection is okay (user, etc.) and then unwrap the packet and forward it to the target TCP service.

To do that we need to

  • write a client (node js or rust) based on https://github.com/mathieuancelin/node-httptunnel
    • can establish a connection with a public service
    • can establish a connection with a private service (apikey)
    • can establish a connection with a secured service (auth. modules)
  • write the logic to unwrap packets and send them to the target service in handler.scala
    • add special event log with identity
    • possible strategies
      • Websocket wrapping
      • Classic GET / POST / PUT / DELETE, but we need to handle the load balancing issue (client side ?)
        • need to check if we can enforce sticky on nginx or haproxy or whatever
      • Stateful and distributed with db and pubsub stuff
      • Http tunnel with CONNECT (not sure play can handle it)
      • the crappy way using http streams
      • we need to encode the logic in an external module usage by all these strategies
  • support private app session id extraction from places other than cookies (Private app. session id in/from http header and query param #202)
    • header
    • query param
    • config. will be set in auth. module config.
  • Support private apps redirection to urn:ietf:wg:oauth:2.0:oob (Support something like urn:ietf:wg:oauth:2.0:oob in private apps. #297)
  • Support full OAuth2 lifecycle through private apps (Support full OIDC / OAuth2 lifecycle with forwarded access token #298)
  • TCP forwarding over HTTPS will allow us to
    • setup a target address and port (tls flag)
    • get address and or port from headers or query params (flag)

Tasks for MVP

Tasks for stable version

Docs
