Forward Proxy w/ TLS termination – Apache Traffic Server
Forward Proxy w/ TLS termination – Apache Traffic Server Summit Fall 2017
Copyright © Clearswift 2017 – www.clearswift.com
Who I am
• Mischa Lehmann
  – mischa.lehmann@clearswift.com
  – https://duckpond.ch
• Clearswift – UK
  – 20 years of experience
• RUAG – CH
  – ~9000 employees
  – Space, Aerostructures, Aviation, Ammotec, Defence
  – Major contractor for the Swiss armed forces
Goals – Agenda
• Invite feedback and criticism, and solicit help
• Getting our API changes into master
• What we do
• How we use ATS
• The CSTLSPlugin
• Summary
What others do (diagram): Data loss prevention (DLP) versus Adaptive Data loss prevention (A-DLP)
What we do (diagram): Secure WEB Gateway (SWG), Adaptive Data loss prevention (A-DLP), Secure EMAIL Gateway (SEG)
How we use ATS (diagram): Secure WEB Gateway (SWG), Adaptive Data loss prevention (A-DLP)
How we use ATS – Forward Proxy Mode (diagram): Secure WEB Gateway (SWG) with Adaptive Data loss prevention (A-DLP); Apache Traffic Server 7.1.x; TLS decryption on the client side, TLS encryption on the server side
7.1.x state of the art
• TLS sockets will interpret a plaintext CONNECT as a TLS handshake
• No generation and signing of certificates on the fly
What we’d like to contribute (diagram): Secure WEB Gateway (SWG) with Adaptive Data loss prevention (A-DLP); Apache Traffic Server 7.1.x with CSTLSPlugin handling CONNECT and generating the certificate; TLS decryption, TLS encryption
CSTLSPlugin – Ideas
• When loaded, makes all TLS sockets ready for forward proxy mode
• Uses as much ATS functionality as possible
• Minimal code changes in ATS
• Contains a minimal amount of Clearswift-specific code
CSTLSPlugin – Functionality
• TS_VCONN_PRE_ACCEPT_HOOK
  – Parse HTTP CONNECT
  – Extract header fields to forward
• TS_EVENT_HTTP_SEND_REQUEST_HDR
  – Append extracted header fields to request
• Coming Next
  – Generate Certificate
CONNECT State Machine (diagram, slides 12–19)
CSTLSPlugin – Functionality (with open questions)
• TS_VCONN_PRE_ACCEPT_HOOK
  – Parse HTTP CONNECT
  – Extract header fields to forward
• TS_EVENT_HTTP_SEND_REQUEST_HDR
  – Append extracted header fields to request
• Coming Next
  – Generate Certificate
• How to read the CONNECT?
  – Read from the socket
• Invalid CONNECT: how to close an SSLNetVC?
  – Memory leak on TSVConnClose in TS_VCONN_PRE_ACCEPT_HOOK (#2361)
• Invalid TLS handshake
  – Missing pre-session clean-up hook (#2380)
CSTLSPlugin – Functionality (open questions, continued)
• How to add contextual data on (Net)VConnections? (#2388)
• How to get the (Net)VConnection from a TSHttpSsn?
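The two things the pre-accept hook above has to get right before any TLS handshake runs are telling a plaintext CONNECT apart from a TLS ClientHello arriving on the same socket, and pulling the target and the header fields to forward out of that CONNECT. The following is an added stand-alone illustration of both steps, not code from CSTLSPlugin or ATS; the ATS hook and VC plumbing are left out so it compiles on its own, and the forwarded header name, buffer sizes and the abc.com request in the comments are constructed assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Stand-alone illustration of CONNECT handling for a pre-accept hook;
 * constructed for this page, not code from CSTLSPlugin or ATS. */
enum peek_kind { PEEK_TLS_CLIENT_HELLO, PEEK_HTTP_CONNECT, PEEK_INVALID };
struct connect_req { char host[256]; int port; char fwd_value[512]; };

/* Classify the first bytes read from the socket before any TLS handshake:
 * a TLS record starts 0x16 0x03, a CONNECT starts with the ASCII method.
 * PEEK_INVALID means close the VC instead of handing bytes to OpenSSL. */
enum peek_kind classify_first_bytes(const unsigned char *buf, size_t len)
{
    if (len >= 2 && buf[0] == 0x16 && buf[1] == 0x03) return PEEK_TLS_CLIENT_HELLO;
    if (len >= 8 && memcmp(buf, "CONNECT ", 8) == 0)  return PEEK_HTTP_CONNECT;
    return PEEK_INVALID;
}
/* Parse "CONNECT host:port HTTP/1.x\r\n<headers>\r\n\r\n"; keep the value of
 * the header named fwd_name so it can be appended to the upstream request
 * later (TS_EVENT_HTTP_SEND_REQUEST_HDR). Returns 0, or -1 if malformed. */
int parse_connect(const char *req, const char *fwd_name, struct connect_req *out)
{
    char line[512], target[300], *colon;
    int maj, min;
    const char *p = req, *eol = strstr(req, "\r\n");
    size_t n, nlen = strlen(fwd_name);
    memset(out, 0, sizeof *out);
    if (!eol || (n = (size_t)(eol - p)) >= sizeof line) return -1;
    memcpy(line, p, n); line[n] = '\0';            /* request line only */
    if (sscanf(line, "CONNECT %299s HTTP/%d.%d", target, &maj, &min) != 3 || maj != 1)
        return -1;
    colon = strrchr(target, ':');                  /* authority-form host:port */
    if (!colon || colon == target) return -1;
    *colon = '\0';
    out->port = atoi(colon + 1);
    if (out->port < 1 || out->port > 65535) return -1;
    strncpy(out->host, target, sizeof out->host - 1);
    for (p = eol + 2; (eol = strstr(p, "\r\n")) != NULL && eol != p; p = eol + 2) {
        if (strncasecmp(p, fwd_name, nlen) != 0 || p[nlen] != ':') continue;
        const char *v = p + nlen + 1;
        while (*v == ' ') v++;                     /* skip optional whitespace */
        n = (size_t)(eol - v);
        if (n >= sizeof out->fwd_value) n = sizeof out->fwd_value - 1;
        memcpy(out->fwd_value, v, n); out->fwd_value[n] = '\0';
    }
    return eol ? 0 : -1;   /* eol == p: terminating empty line seen; NULL: truncated */
}
```

A request that fails `parse_connect` or classifies as PEEK_INVALID is the case the slides call "Invalid CONNECT": the connection must be closed in the hook without ever entering the TLS handshake.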
Summary
• CSTLSPlugin (clearswift:trafficserver/feature/forward-tls-plugin)
  – CONNECT handling
  – On-the-fly certificate generation and signing
• Integration
  – Logging changes (clearswift:trafficserver/feature/logging)
  – Configuration library (based on boost::program_options)
• Bugs / Feature Requests
  – Missing pre-session clean-up hook (#2380)
  – Ability to add contextual data on (Net)VConnections (#2388)
  – Memory leak on TSVConnClose in TS_VCONN_PRE_ACCEPT_HOOK (#2361)
Forward Proxy w/ TLS termination – mischa.lehmann@clearswift.com
What we do (backup diagram): Secure WEB Gateway (SWG), Data loss prevention (DLP), Adaptive Data loss prevention (A-DLP), Secure EMAIL Gateway (SEG)
How we use ATS – Forward Proxy Mode (backup diagram, without the plugin): client sends "CONNECT to abc.com" and "Give me Certificate!"; Apache Traffic Server 7.1.x with the Secure WEB Gateway (SWG) and Adaptive Data loss prevention (A-DLP) can only ask "CONNECT what?" and "Which Certificate?"; TLS decryption and TLS encryption shown on either side
How we use ATS – Forward Proxy Mode (backup diagram, with the plugin): client sends "CONNECT to abc.com" and "Give me Certificate!"; Apache Traffic Server 7.1.x with CSTLSPlugin answers "CONNECT!" and "Generate Certificate!"; TLS decryption and TLS encryption shown on either side
• </sales>
Logging Changes and Configuration Library – Apache Traffic Server Summit Fall 2017
Goals – Agenda
• Invite feedback and criticism, and solicit help
• Logging Changes
• Configuration Library
Logging changes
• Log with microsecond precision
• Write errors to syslog
• Write stack traces to syslog
• Not ready to be merged
  – clearswift:trafficserver/feature/logging
Configuration Library
• Configuration reload
• Handling of multiple sources
• A thin wrapper for boost::program_options
CONNECT State Machine (backup diagrams, slides 37–41)