Bud – A TLS terminating proxy


README.md

Build Status
NPM version

A TLS terminator for superheroes.

What is bud?

Bud is a TLS terminating proxy, a babel fish decoding incoming TLS traffic and
sending it in a plain text to your backend servers.
Not only does it do this well, bud has a lot of useful features!

Install

Requirements

You must have gcc installed. Chances are that you do, but in case you don’t:

# OSX
# Command Line Tools for Xcode: xcode-select --install,
# https://developer.apple.com/downloads, or Xcode

# SmartOS
[sudo] pkgin update
[sudo] pkgin install gcc47

# Ubuntu
[sudo] apt-get update
[sudo] apt-get install build-essential

Easy Install

Bud can easily be installed using npm

[sudo] npm install -g bud-tls

This will install the command line tool bud. Optionally, you can build
Bud from source with the steps below.

Build

Preparing:

git submodule update --init --recursive
Then:
git clone https://chromium.googlesource.com/external/gyp.git tools/gyp
OR
svn co http://gyp.googlecode.com/svn/trunk tools/gyp tools/gyp

Building:

The result will be located at: ./out/Release/bud.

Starting

To start bud – create a configuration file using this template and then:

Options

Usage: bud [options]

options:
  --version, -v              Print bud version
  --config PATH, -c PATH     Load JSON configuration
  --piped-config, -p         Load piped JSON configuration
  --default-config           Print default JSON config
  --daemon, -d               Daemonize process

Configuration

Bud uses JSON as the configuration format. Run bud --default-config
to get the default configuration options (with comments and description below):

{
  // Number of workers to use, if 0 - only one process will be spawned.
  "workers": 1,

  // Timeout in ms after which workers will be restarted (if they die)
  "restart_timeout": 250,

  // Logging configuration
  "log": {
    // Minimum observable log level, possible values:
    // "debug", "notice", "info" (default), "warning", "fatal"
    "level": "info",

    // syslog facility to use, could be:
    // "auth", "cron", "kern", "lpr", "mail", "news", "syslog"
    // "deamon", "uucp", "local0", ... "local7"
    "facility": "user",

    // if true - logging will be printed to standard output
    "stdio": true,

    // if true - syslog will be used for logging
    "syslog": true
  },

  // Availability of the backend
  "availability": {
    // Maximum number of backend reconnects before giving up
    "max_retries": 5,

    // Time between retries
    "retry_interval": 250,

    // How long backend should not be responding until considered to be dead -- ms
    "death_timeout": 1000,

    // Timeout in ms after which it should be revived
    "revive_interval": 2500
  },

  // Frontend configuration (i.e. TLS/SSL server)
  "frontend": {
    "port": 1443,
    "host": "0.0.0.0",

    // Alternatively you may want to specify multiple address to bind server to
    // "interfaces": [
    //   { "port": 1443, "host": "1.1.1.1" },
    //   { "port": 1444, "host": "2.2.2.2" }
    // ],

    // tcp keepalive value (in seconds)
    "keepalive": 3600,

    // if true - server listed ciphers will be preferenced
    "server_preference": true,

    // Which protocol versions to support:
    // **optional**, default: "ssl23"
    // "ssl23" (implies tls1.*): "tls1", "tls1.1", "tls1.2"
    "security": "ssl23",

    // Path to default TLS certificate
    // NOTE: Could be an array of cert strings
    // e.g. ["-----BEGIN CERTIFICATE-----...", "-----BEGIN CERTIFICATE-----..."]
    "cert": "keys/cert.pem",

    // Path to default TLS private key
    // NOTE: Could be an array of keys as file paths or strings
    "key": "keys/key.pem",

    // **Optional** Passphrase for the private key
    // NOTE: Could be an array of passphrases
    "passphrase": null,

    // **Optional** Cipher suites to use
    // Bud defaults to:
    // "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA256:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA256:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:DES-CBC3-SHA"
    "ciphers": null,

    // **Optional** ECDH Curve to use, defaults to `prime256v1
    "ecdh": "prime256v1",

    // **Optional** Path to DH parameters file
    // **Recommend** generate a file
    // openssl dhparam -out dh.key 3072
    "dh": null,

    // **Optional** Base64 encoded TLS session ticket key,
    // should decode into 48 raw bytes
    // **Recommend** Generate with:
    // node -pe "require('crypto').randomBytes(48).toString('base64')"
    //
    // **Important note**: it should not be generally set, OpenSSL will generate
    // a random value for it at start, and ticket rotation will change it after
    // some time anyway
    "ticket_key": "yzNUDktR5KmA4wX9g9kDSzEn...true randomness",

    // **Optional** Ticket timeout in seconds, default: 3600
    "ticket_timeout": 3600,

    // **Optional** Interval between rotating ticket keys.
    // NOTE: If you are deploying bud to many boxes - please contact me, I'll
    // explain how ticket may be rotated simulatenously on all of them
    "ticket_rotate": 3600,

    // **Optional** NPN protocols to advertise
    "npn": ["http/1.1", "http/1.0"],

    // NOTE: Better leave this default:

    // **Optional** Renegotiation window in seconds
    "reneg_window": 300,

    // **Optional** Maximum number of renegotiations in a window
    "reneg_limit": 3,

    // **Optional** Maximum size of TLS fragment
    "max_send_fragment": 1400,

    // **Optional** If false - close frontend connection on backend EOF
    "allow_half_open": false,

    // **Optional** If true - the clients will be requested to provide the cert
    "request_cert": true,

    // **Optional**: Either filename or array of PEM certificate chain that
    // should be used for validating client certs
    "ca": "filename"
    // "ca": [ "-----BEGIN CERTIFICATE----n..." ]
  },

  // Balance tactic
  // **Optional** possible values: "roundrobin", "sni", or "on-fail"
  //
  // * "roundrobin" - on each new connection select next live backend
  // * "sni" - select backend list from either async sni or supplied contexts
  // * "on-fail" - select next backend in list only if the previous one is
  //   dead
  "balance": "roundrobin"

  // Unix-specific option, drop privileges after starting the process
  // **Recommend** Create a user and a group for bud.
  "user": null,
  "group": null,

  // Backend configuration (i.e. address of Cleartext server)
  "backend": [{
    "port": 8000,
    "host": "127.0.0.1",
    "keepalive": 3600,

    // if true - HAProxy compatible proxyline will be sent:
    // "PROXY TCP4 ... ... ... ..."
    // if "json":
    // 'BUD {"family":"TCP4","bud":{"host":"...","port":...},"peer":{...}'
    "proxyline": false,

    // if true:
    // - if NPN is enabled and either `spdy/3.1`, `spdy/3` or `spdy/2` is
    //   negotiated - custom `X_FORWARDED` frame will be sent on connection.
    //   see: https://groups.google.com/forum/#!topic/spdy-dev/XkdtuShtVCEadds
    //
    // - in all other cases `X-Forwarded-For: 
` will be added right // after the first line in the incoming data. // // - in order to avoid parsing each request, the `X-Forwarded-For` header // will only be sent on the first client request. "x-forward": false, // *Optional key* // If this property is present - balancing will start from the backend, // which `external` value is matching server address. // (Useful when listening on multiple interfaces) "external": "[1.2.3.4]:443" }], // SNI context loading "sni": { "enabled": false, "port": 9000, "host": "127.0.0.1", // %s will be replaced with actual servername "query": "/bud/sni/%s" }, // OCSP Stapling response loading "stapling": { "enabled": false, "port": 9000, "host": "127.0.0.1", // %s will be replaced with actual servername "query": "/bud/stapling/%s" }, // Secure contexts (i.e. Server Name Indication support) "contexts": [{ // Servername to match against "servername": "blog.indutny.com", // **Optional** balance algorithm, could not be `sni` "balance": "roundrobin", // Path to TLS certificate // Could be an array "cert": "keys/cert.pem", // Path to TLS private key // Could be an array "key": "keys/key.pem", // **Optional** Passphrase for the private key // Could be an array "passphrase": null, // Cipherlist to use (overrides frontend.ciphers, if not null) "ciphers": null, // ECDH curve to use, overrides frontend.ecdh "ecdh": null, // **Optional** Path to DH parameters file, overrides frontend.dh "dh": null, // TLS session ticket key to use, overrides frontend.ticket_key "ticket_key": null, // NPN protocols to advertise // **optional** (overrides frontend.npn, if not null) "npn": ["http/1.1", "http/1.0"], // Backends to use, works only when "balance" is set to "sni" "backend": [{ "port": 8000, "host": "127.0.0.1", "keepalive": 3600 }], // **Optional** If true - the clients will be requested to provide the cert "request_cert": true, // **Optional**: Either filename or array of PEM certificate chain that // should be used for validating client certs "ca": "filename" // "ca": [ "-----BEGIN CERTIFICATE----n..." ] }] }

To start bud – create a configuration file using this template:

To reload config – send SIGHUP to the bud’s master process (or worker, if you
wish to reload configuration only in a single process):

kill -SIGHUP <bud-master's-pid>

X-Forwarded-For

Setting backend.*.x-forward will cause an X-Forwarded-For header to be
injected into the first request seen on a socket. However, subsequent requests
using the same socket (via Keep-Alive), will not receive this header from bud.
To remedy this, you should associate this header with the underlying socket
or connection, and not expect it to be present with every HTTP request. A
possible implementation in Node.JS would look like:

var http = require('http')
http.createServer(onrequest).listen(8080, 'localhost')

function onrequest(req, res) {
  // this is a previous SSL request
  if (req.connection.xForward)
    req.headers['x-forwarded-for'] = req.connection.xForward;
  // this is a new SSL request
  else if (req.headers['x-forwarded-for'])
    req.connection.xForward = req.headers['x-forwarded-for'];
  // this is not an SSL request
  else {
    // optional, but a way to force SSL
    res.writeHead(301, {
      'Location': 'https://localhost:1443'
    })
    return void res.end()
  }


  // optional, it's a good idea to send this header to
  // force SSL in modern browsers
  res.setHeader('Strict-Transport-Security', 'max-age=' + 60 * 60 * 24 * 365)

  // handle request normally now knowing that the
  // `X-Forwarded-For` header is present
}

SNI Storage

If you have enabled SNI lookup (sni.enabled set to true), on every TLS
connection a request to the HTTP server will be made (using sni.host,
sni.port and sni.query as url template). The response should be a JSON
of the following form:

{
  "cert": "certificate contents",
  "key": "key contents",

  // Optional
  "npn": [],

  // Optional
  "ciphers": "...",

  // Optional
  "ecdh": "..."

  // **Optional** Path to DH parameters file, overrides frontend.dh
  "dh": null
}

Or any other JSON and a 404 status code, if SNI certificate is not found.

If optional fields are not present – their value would be taken from frontend
object in configuration file.

OCSP Stapling

OCSP Stapling has exactly the same configuration options as SNI Storage.
Main difference is that 2 requests to OCSP Stapling server could be made by bud:

  1. GET /stapling_url/ – to probe backend’s cache
  2. POST /stapling_url/ with JSON body:
    {"url":"http://some.ocsp.server.com/","ocsp":"base64-encoded-data"}.

For the first request, if backend has cached OCSP response for given
, backend should respond with following JSON:

{"response":"base64-encoded-response"}

Or with a 404 status code and any other JSON.

For the second request, backend should send a POST request to the OCSP server
given in the JSON body. This request should have Content-Type header set
to application/ocsp-request and a decoded (from base64) ocsp field from
body.

The response to bud should be the same as in the first case, base64-encoded
data received from OCSP server.

Backend Example

Example OCSP+SNI backend implementation in node.js could be found here.

Generating a key and getting an ssl cert

Generating a key is easy with openssl

openssl genrsa -out server.key 2048

To generate the public certs, you’ll need to buy an SSL cert from the provider
of your choice. They’ll ask you to upload your key file, and the .crt file
generated below:

# you'll be asked for a bunch of info. The most important one is "common name"
# and this must match your domain exactly. e.g.
# example.com
# if you've bought a wildcard cert, you should use
# *.example.com
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 9999 -in server.csr -signkey server.key -out server.crt

You’ll need to upload the .crt and .key files to the cert provider. What you want back
from them is a .pem file that has their entire cert chain. Then in your bud
config set it like this:

{
  "frontent": {
    // you generated this in the first step
    "key": "server.key",
    // this is the file you downloaded from your cert provider
    "cert": "server.pem"
  }
}

Running as monitored process

Keep bud running even after a server restart

SmartOS

touch bud.xml
read -d '' budconfig << EOF
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
        Created by Manifold
--><service_bundle type="manifest" name="bud">

    <service name="bud" type="service" version="1">

        <create_default_instance enabled="true"/>

        <single_instance/>

        <dependency name="network" grouping="require_all" restart_on="error" type="service">
            <service_fmri value="svc:/milestone/network:default"/>
        </dependency>

        <dependency name="filesystem" grouping="require_all" restart_on="error" type="service">
            <service_fmri value="svc:/system/filesystem/local"/>
        </dependency>

        <exec_method type="method" name="start" exec="/opt/local/bin/bud -c %{config_file} -d" timeout_seconds="5"/>

        <exec_method type="method" name="stop" exec=":kill" timeout_seconds="60"/>

        <property_group name="startd" type="framework">

            <propval name="duration" type="astring" value="contract"/>
            <propval name="ignore_error" type="astring" value="core,signal"/>
        </property_group>


        <property_group name="application" type="application">
            <!-- TODO: customize this path to your bud config -->
            <propval name="config_file" type="astring" value="/root/bud/bud.json"/>
        </property_group>


        <stability value="Evolving"/>

        <template>
            <common_name>
                <loctext xml:lang="C">
                    bud-tls
                </loctext>
            </common_name>
        </template>

    </service>

</service_bundle>
EOF
echo $budconfig > bud.xml
svccfg import bud.xml
svcadm enable bud
# should be in the online state
svcs -l bud
# see the logs for details
tail /var/svc/log/bud:default.log

Ubuntu

A docker image is avaliable

Community

Join #bud-tls on freenode IRC to discuss things with me or others!

LICENSE

This software is licensed under the MIT License.

Copyright Fedor Indutny, 2013.

Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the
“Software”), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to permit
persons to whom the Software is furnished to do so, subject to the
following conditions:

The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
USE OR OTHER DEALINGS IN THE SOFTWARE.


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/QM3b9fu2Y3c/bud

Original article

Show HN: Gulp AWS Splash, the Open-Source LaunchRock Alternative


Readme.md

Circle CI
MIT License

The open-source LaunchRock alternative. Build beautiful splash pages to collect emails & more – primarily focused on performance and rapid development. This project is sponsored by Clevertech.

View the demo

Default Components & Services*

This project is bundled with the following default components and services in mind:

* Note that you can swap out many of these components and services with your preferred alternatives.

Development

Development (and Deployment) is made simple thanks to Gulp. Follow these simple instructions for setting up this project locally:

  1. Make sure you are using Node.js version >= 0.12.

  2. Either clone this repository (recommended) or download a ZIP locally:

    To clone locally (preferred approach):

    git clone git@github.com:niftylettuce/gulp-aws-splash.git

    Or, to download a ZIP locally:

    curl -o ~/gulp-aws-splash.zip https://github.com/niftylettuce/gulp-aws-splash/archive/master.zip

    If you downloaded the ZIP, then you’ll need to extract it first of course.

  3. Change your working directory in terminal to the project’s (e.g. cd ~/gulp-aws-splash/).

  4. Install NPM dependencies required for developing locally and deploying the project:

    Also install gulp and bower globally if you have not yet already:

    npm install -g gulp bower
  5. Configure boot/config.js with your Google Analytics, MailChimp, and Amazon Web Services credentials.

    For Google Analytics:

    1. Go to https://www.google.com/analytics/web/ → Admin → Create New Account.

    2. Complete required fields in order to create a new account.

    3. Copy/paste the generated “Tracking ID” as the value of googleAnalytics in boot/config.js:

      -      googleAnalytics: env.GA || 'TODO',
      +      googleAnalytics: env.GA || '12345678',

    For MailChimp:

    1. Go to http://mailchimp.com/ → Log in (or Sign up) → Create List.

    2. Complete required fields in order to create a new list.

    3. Go to the Lists → Select (select your newly created list) → Signup forms → Embedded forms.

    4. Copy/paste the generated

      action attribute value as the value of mailChimp.actionUrl in boot/config.js:

            mailChimp: {
      -        actionUrl: env.MC_AU || 'TODO',
      +        actionUrl: env.MC_AU || '//johndoe.us0.list-manage.com/subscribe/post?u=123456789abcdefghijklmno&id=1234567890',
    5. Copy/paste the generated name attribute value as the value of mailChimp.hiddenInputName in boot/config.js (note that this is inside of an

      with absolute CSS positioning):

      -        hiddenInputName: env.MC_HIN || 'TODO'
      +        hiddenInputName: env.MC_HIN || 'm_4co51234b92a65zb2a52z0221_154363e5def'
            },

    For Amazon Web Services:

    1. Go to https://console.aws.amazon.com/s3/home → Create New Bucket.

    2. Click on the newly created bucket → Static Website Hosting → Enable Website Hosting.

    3. Set the value of Index Document to index.html and Error Document to 404.html, then click Save.

    4. Modify boot/config.js with your newly created bucket name:

            params: {
      -        Bucket: env.AWS_BUCKET || 'TODO'
      +        Bucket: env.AWS_BUCKET || 'gulp-aws-splash'
            }
    5. Go to https://console.aws.amazon.com/iam/home#security_credential → Access Keys (Access Key ID and Secret Access Key) → Create New Access Key.

    6. Copy/paste the values of Access Key ID and Secret Access Key to boot/config.js (note that you will repeat yourself below, since gulp-awspublish and gulp-cloudfront call for different configurations):

            aws: {
      -        key: env.AWS_KEY || 'TODO',
      +        key: env.AWS_KEY || 'ZFIKXOJ1MKTNVTQ4VPAD',
      -        accessKeyId: env.AWS_KEY || 'TODO',
      +        accessKeyId: env.AWS_KEY || 'ZFIKXOJ1MKTNVTQ4VPAD',
      -        secret: env.AWS_SECRET || 'TODO',
      +        secret: env.AWS_SECRET || 'j4nIT6KSuuuk01g3q4y+eYsuxtIUvMuoyWTfGV86W',
      -        secretAccessKey: env.AWS_KEY || 'TODO',
      +        secretAccessKey: env.AWS_SECRET || 'j4nIT6KSuuuk01g3q4y+eYsuxtIUvMuoyWTfGV86W',
    7. Go to https://console.aws.amazon.com/cloudfront/home → Web → Get Started → Create Distribution.

    8. Complete required fields in order to create a new distribution

      • If you want to use your own domain name, then please fill out the value of Alternate Domain Names).
    9. Copy/paste the Distribution ID as the value for aws.distributionId in boot/config.js:

      -        distributionId: env.AWS_DI || 'TODO',
      +        distributionId: env.AWS_DI || 'UXCY8BV5VXPSL',
  6. Start gulp watch to start watching changes you make locally to the project. It should automatically open up http://localhost:3000/ in your default browser for you as well (which is the default development URL).

Deployment

Manual

To manually publish changes to your project, simply run gulp publish. That’s all you have to do!

Automated

If you’d like your project to automatically be built and published to Amazon when you git push to GitHub, then configure CircleCI for continuous integration:

  1. Create a new repo on GitHub for your gulp-aws-splash project and push to it your locally checked out copy (ensure that the default circle.yml still exists in your project’s root folder).
  2. Log in to CircleCI and add the newly created repository
  3. Create custom environment variables based off your configuration in boot/config.js. Here is a list of all the required variables:

  • GA – Google Analytics ID
  • MC_AU – MailChimp Form Action URL
  • MC_HIN – MailChimp Hidden Input Name
  • AWS_KEY – AWS key
  • AWS_SECRET – AWS secret
  • AWS_BUCKET – AWS bucket
  • AWS_DI – AWS distribution ID

License

MIT


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/LqG2VrW9vdU/gulp-aws-splash

Original article

Proudly powered by WordPress | Theme: Baskerville 2 by Anders Noren.

Up ↑

%d bloggers like this: