Comments (4)
Ah, I see this operates as a direct copy of the byte stream once TLS is established, so it wouldn't really work.
from ghostunnel.
There's some prior art here, Squarespace/ghostunnel is a fork of ghostunnel that adds functionality for exposing a read-only memcache instance. I could see adding this via a plugin architecture, i.e. ghostunnel itself would continue operating on byte streams but users could select plugins to parse and intercept protocols on top of that. That would allow for things like filtering memcache, but also adding headers to HTTP, etc. What do you think?
Having a plugin architecture would also allow for doing neat things like logging request and response data for debugging purposes. And thanks to https://golang.org/pkg/plugin/, third-party/custom plugins would be possible too.
A plugin architecture seems really cool here. I'd love to make sure whatever we end up doing is flexible enough to support a wide variety of protocols.
A short list of desired features, I think:
- Observing both directions of the network connection, so a protocol state machine can be maintained
- Inject data into one side or the other (eg: HTTP headers, error responses)
- Terminate the connection (eg: when access is denied)
- Customize the handshake (custom cert validation, client cert selection, etc)
I think some example use-cases that should be able to be supported:
- The existing auth code: All the handling of what client certs are allowed.
- The memcache filter in the fork, and other protocols too (eg, Redis)
- Telling the client and/or server the certificate provided at the far end.
- Fine-grained HTTP or gRPC access control
- Allow some connections to succeed with no client cert (eg, GET, but POST requires auth).
I think func fuse is probably going to be the most likely place for changes here. The biggest change is probably that we might not want to have two completely separate io.Copy for input and output, as many protocols will need access to both sides.
This will add some complexity to Ghostunnel, but I feel this is probably worth it for the many added possibilities. It's possible we could even factor some existing code into the plugin architecture. I'm thinking about the auth package, as well as SPIFFE support.
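As an added illustration of the fuse change discussed in this thread (constructed example code, not ghostunnel's own): one splice that runs both directions through a shared filter hook instead of two independent io.Copy calls, with a read-only memcache filter modelled on the fork's use-case. The Filter type, ReadOnlyMemcache, pump, Fuse and the command list are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"errors"
	"net"
)

// Filter (hypothetical, not ghostunnel's API) sees each chunk in either direction
// and returns the bytes to forward, or an error to tear the tunnel down.
type Filter func(fromClient bool, chunk []byte) ([]byte, error)
var ErrDenied = errors.New("filter: request denied")
// Memcache text-protocol commands that mutate state (constructed list).
var writeCmds = []string{"set ", "add ", "replace ", "append ", "prepend ", "cas ", "incr ", "decr ", "delete ", "flush_all"}

// ReadOnlyMemcache drops client chunks that start with a write command; replies
// pass through. Simplified: a real filter buffers to line boundaries first.
func ReadOnlyMemcache(fromClient bool, chunk []byte) ([]byte, error) {
	for _, cmd := range writeCmds {
		if fromClient && bytes.HasPrefix(chunk, []byte(cmd)) {
			return nil, ErrDenied
		}
	}
	return chunk, nil
}
// pump copies src to dst through f until a side fails or f rejects a chunk.
func pump(src, dst net.Conn, f Filter, fromClient bool) error {
	buf := make([]byte, 32*1024)
	for {
		n, err := src.Read(buf) // data may arrive with EOF: forward it first
		if n > 0 {
			if out, ferr := f(fromClient, buf[:n]); ferr != nil {
				return ferr
			} else if _, werr := dst.Write(out); werr != nil {
				return werr
			}
		}
		if err != nil {
			return err
		}
	}
}
// Fuse runs both directions through one shared filter (a stateful filter must be
// concurrency-safe); the first error or EOF on either side closes both conns.
func Fuse(client, backend net.Conn, f Filter) error {
	errc := make(chan error, 2) // buffered so the second pump never blocks
	go func() { errc <- pump(client, backend, f, true) }()
	go func() { errc <- pump(backend, client, f, false) }()
	first := <-errc
	client.Close()
	backend.Close()
	return first
}
```

Because the same filter instance sees both halves of the conversation, a protocol state machine (request/response correlation, HTTP header injection, access decisions) can live in one place; the trade-off is that the filter is called from two goroutines and must synchronise any state it keeps.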