• Stars
    star
    1,081
  • Rank 42,808 (Top 0.9 %)
  • Language
    Go
  • License
    MIT License
  • Created over 8 years ago
  • Updated 29 days ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A simple HTTP proxy that fogs over naughty URLs

Smokescreen Test Coverage Status

Smokescreen is a HTTP CONNECT proxy. It proxies most traffic from Stripe to the external world (e.g., webhooks).

Smokescreen restricts which URLs it connects to: it resolves each domain name that is requested and ensures that it is a publicly routable IP and not a Stripe-internal IP. This prevents a class of attacks where, for instance, our own webhooks infrastructure is used to scan Stripe's internal network.

Smokescreen also allows us to centralize egress from Stripe, allowing us to give financial partners stable egress IP addresses and abstracting away the details of which Stripe service is making the request.

In typical usage, clients contact Smokescreen over mTLS. Upon receiving a connection, Smokescreen authenticates the client's certificate against a configurable set of CAs and CRLs, extracts the client's identity, and checks the client's requested CONNECT destination against a configurable per-client ACL.

By default, Smokescreen will identify clients by the "common name" in the TLS certificate they present, if any. The client identification function can also be easily replaced; more on this in the usage section.

Dependencies

Smokescreen uses go modules to manage dependencies. The linked page contains documentation, but some useful commands are reproduced below:

  • Adding a dependency: go build go test go mod tidy will automatically fetch the latest version of any new dependencies. Running go mod vendor will vendor the dependency.
  • Updating a dependency: go get [email protected] or go get dep@commit-hash will bring in specific versions of a dependency. The updated dependency should be vendored using go mod vendor.

Smokescreen uses a custom fork of goproxy to allow us to support context passing and setting granular timeouts on proxy connections.

Generally, Smokescreen will only support the two most recent Go versions. See the test configuration for details.

Usage

CLI

Here are the options you can give Smokescreen:

   --help                                      Show this help text.
   --config-file FILE                          Load configuration from FILE.  Command line options override values in the file.
   --listen-ip IP                              Listen on interface with address IP.
                                                 This argument is ignored when running under Einhorn. (default: any)
   --listen-port PORT                          Listen on port PORT.
                                                 This argument is ignored when running under Einhorn. (default: 4750)
   --timeout DURATION                          Time out after DURATION when connecting. (default: 10s)
   --proxy-protocol                            Enable PROXY protocol support.
   --deny-range RANGE                          Add RANGE(in CIDR notation) to list of blocked IP ranges.  Repeatable.
   --allow-range RANGE                         Add RANGE (in CIDR notation) to list of allowed IP ranges.  Repeatable.
   --deny-address value                        Add IP[:PORT] to list of blocked IPs.  Repeatable.
   --allow-address value                       Add IP[:PORT] to list of allowed IPs.  Repeatable.
   --egress-acl-file FILE                      Validate egress traffic against FILE
   --expose-prometheus-metrics                 Exposes metrics via a Prometheus scrapable endpoint.
   --prometheus-endpoint ENDPOINT              Specify endpoint to host Prometheus metrics on. (default: "/metrics")
                                                 Requires `--expose-prometheus-metrics` to be set.
   --prometheus-port PORT                      Specify port to host Prometheus metrics on. (default "9810")
                                                 Requires `--expose-prometheus-metrics` to be set.
   --resolver-address ADDRESS                  Make DNS requests to ADDRESS (IP:port).  Repeatable.
   --statsd-address ADDRESS                    Send metrics to statsd at ADDRESS (IP:port). (default: "127.0.0.1:8200")
   --tls-server-bundle-file FILE               Authenticate to clients using key and certs from FILE
   --tls-client-ca-file FILE                   Validate client certificates using Certificate Authority from FILE
   --tls-crl-file FILE                         Verify validity of client certificates against Certificate Revocation List from FILE
   --additional-error-message-on-deny MESSAGE  Display MESSAGE in the HTTP response if proxying request is denied
   --disable-acl-policy-action POLICY ACTION   Disable usage of a POLICY ACTION such as "open" in the egress ACL
   --stats-socket-dir DIR                      Enable connection tracking. Will expose one UDS in DIR going by the name of "track-{pid}.sock".
                                                 This should be an absolute path with all symlinks, if any, resolved.
   --stats-socket-file-mode FILE_MODE          Set the filemode to FILE_MODE on the statistics socket (default: "700")
   --version, -v                               print the version

Client Identification

In order to override how Smokescreen identifies its clients, you must:

  • Create a new go project
  • Import Smokescreen
  • Create a Smokescreen configuration using cmd.NewConfiguration
  • Replace smokescreen.Config.RoleFromRequest with your own func(request *http.Request) (string, error)
  • Call smokescreen.StartWithConfig
  • Build your new project and use the resulting executable through its CLI

Here is a fictional example that would split a client certificate's OrganizationalUnit on commas and use the first particle as the service name.

package main

import (...)

func main() {
	// Here is an opportunity to pass your logger
	conf, err := cmd.NewConfiguration(nil, nil)
	if err != nil {
		log.Fatal(err)
	}
	if conf == nil {
		os.Exit(1)
	}

	conf.RoleFromRequest = func(request *http.Request) (string, error) {
		fail := func(err error) (string, error) { return "", err }

		subject := request.TLS.PeerCertificates[0].Subject
		if len(subject.OrganizationalUnit) == 0 {
			fail(fmt.Errorf("warn: Provided cert has no 'OrganizationalUnit'. Can't extract service role."))
		}
		return strings.SplitN(subject.OrganizationalUnit[0], ".", 2)[0], nil
	}

	smokescreen.StartWithConfig(conf, nil)
}

ACLs

An ACL can be described in a YAML formatted file. The ACL, at its top-level, contains a list of services as well as a default behavior.

Three policies are supported:

Policy Behavior
Open Allows all traffic for this service
Report Allows all traffic for this service and warns if client accesses a remote host which is not in the list
Enforce Only allows traffic to remote hosts provided in the list. Will warn and deny if remote host is not in the list

A host can be specified with or without a globbing prefix. The host (without the globbing prefix) must be in Punycode to prevent ambiguity.

host valid
example.com yes
*.example.com yes
api.*.example.com no
*example.com no
ex*ample.com no
éxämple.com no
example.* hell no

Here is a sample ACL.

Global Allow/Deny Lists

Optionally, you may specify a global allow list and a global deny list in your ACL config.

These lists override the policy, but do not override the allowed_domains list for each role.

For example, specifying example.com in your global_allow_list will allow traffic for that domain on that role, even if that role is set to enforce and does not specify example.com in its allowed domains.

Similarly, specifying malicious.com in your global_deny_list will deny traffic for that domain on a role, even if that role is set to report or open. However, if the host specifies malicious.com in its allowed_domains, traffic to malicious.com will be allowed on that role, regardless of policy.

If a domain matches both the global_allow_list and the global_deny_list, the global_deny_list behavior takes priority.

Here is a sample ACL specifying these options.

Development and Testing

Running locally

To run Smokescreen locally, you can provide a minimal configuration file and use curl as a client. For example:

# config.yaml
---
allow_missing_role: true  # skip mTLS client validation
statsd_address: 127.0.0.1:8200

If you want to see metrics Smokescreen emits, listen on a local port:

$ nc -uklv 127.0.0.1 8200

Build and run Smokescreen:

$ go run . --config-file config.yaml
{"level":"info","msg":"starting","time":"2022-11-30T15:19:08-08:00"}

Make a request using curl:

$ curl --proxytunnel -x localhost:4750 https://stripe.com/

Testing

$ go test ./...

Contributors

  • Aditya Mukerjee
  • Andreas Fuchs
  • Andrew Dunham
  • Andrew Metcalf
  • Aniket Joshi
  • Ben Ransford
  • Carl Jackson
  • Craig Shannon
  • Evan Broder
  • Marc-André Tremblay
  • Ryan Koppenhaver

More Repositories

1

stripe-node

Node.js library for the Stripe API.
TypeScript
3,874
star
2

stripe-php

PHP library for the Stripe API.
PHP
3,736
star
3

stripe-go

Go library for the Stripe API.
Go
2,144
star
4

stripe-ios

Stripe iOS SDK
Swift
2,110
star
5

stripe-ruby

Ruby library for the Stripe API.
Ruby
1,952
star
6

react-stripe-js

React components for Stripe.js and Stripe Elements
TypeScript
1,757
star
7

veneur

A distributed, fault-tolerant pipeline for observability data
Go
1,734
star
8

stripe-python

Python library for the Stripe API.
Python
1,669
star
9

stripe-cli

A command-line tool for Stripe
Go
1,609
star
10

stripe-mock

stripe-mock is a mock HTTP server that responds like the real Stripe API. It can be used instead of Stripe's testmode to make test suites integrating with Stripe faster and less brittle.
Go
1,374
star
11

stripe-dotnet

Stripe.net is a sync/async .NET 4.6.1+ client, and a portable class library for stripe.com.
C#
1,362
star
12

stripe-android

Stripe Android SDK
Kotlin
1,277
star
13

stripe-react-native

React Native library for Stripe.
TypeScript
1,272
star
14

elements-examples

Stripe Elements examples.
HTML
996
star
15

stripe-java

Java library for the Stripe API.
Java
818
star
16

skycfg

Skycfg is an extension library for the Starlark language that adds support for constructing Protocol Buffer messages.
Go
646
star
17

stripe-connect-rocketrides

Sample on-demand platform built on Stripe: Connect onboarding for pilots, iOS app for passengers to request rides.
Swift
634
star
18

stripe-js

Loading wrapper for Stripe.js
TypeScript
625
star
19

poncho

Easily create REST APIs
Ruby
516
star
20

rainier

Bayesian inference in Scala.
Scala
433
star
21

openapi

An OpenAPI specification for the Stripe API.
391
star
22

pg-schema-diff

Go library for diffing Postgres schemas and generating SQL migrations
Go
364
star
23

stripe-billing-typographic

⚡️Typographic is a webfont service (and demo) built with Stripe Billing.
JavaScript
216
star
24

subprocess

A port of Python's subprocess module to Ruby
Ruby
208
star
25

carbon-removal-source-materials

Source materials supporting Stripe Climate carbon removal purchases (http://stripe.com/climate)
190
star
26

stripe-apps

Stripe Apps lets you embed custom user experiences directly in the Stripe Dashboard and orchestrate the Stripe API.
TypeScript
148
star
27

dagon

Tools for rewriting and optimizing DAGs (directed-acyclic graphs) in Scala
Scala
148
star
28

bonsai

Beautiful trees, without the landscaping.
Scala
141
star
29

ios-dashboard-ui

[DEPRECATED] UI components from the Stripe Dashboard iOS app
Swift
138
star
30

vscode-stripe

Stripe for Visual Studio Code
TypeScript
123
star
31

stripe.github.io

A landing page for Stripe's GitHub organization
HTML
117
star
32

stripe-terminal-react-native

React Native SDK for Stripe Terminal
TypeScript
108
star
33

example-mobile-backend

A simple, easy-to-deploy backend that you can use to demo our example mobile apps.
Ruby
106
star
34

stripe-terminal-ios

Stripe Terminal iOS SDK
Objective-C
102
star
35

stripe-demo-connect-roastery-saas-platform

Roastery demo SaaS platform using Stripe Connect
JavaScript
94
star
36

stripe-terminal-android

Stripe Terminal Android SDK
Java
93
star
37

example-terminal-backend

A simple, easy-to-deploy backend that you can use to run the Stripe Terminal example apps
Ruby
88
star
38

stripe-terminal-js-demo

Demo app for the Stripe Terminal JS SDK
JavaScript
82
star
39

stripe-postman

Postman collection for Stripe's API
77
star
40

unilog

A logger for use with daemontools.
Go
77
star
41

goforit

A feature flags client library for Go
Go
70
star
42

stripe-connect-custom-rocketdeliveries

Sample on-demand platform built on Stripe Connect: Custom Accounts and Connect Onboarding for deliveries. https://rocketdeliveries.io
JavaScript
69
star
43

tracer-objc

Generic record & playback framework for Objective-C
Objective-C
52
star
44

mobile-viewport-control

Dynamically control the mobile viewport
JavaScript
48
star
45

log4j-remediation-tools

Tools for remediating the recent log4j2 RCE vulnerability (CVE-2021-44228)
Go
41
star
46

terminal-js

Loading wrapper for the Terminal JS SDK
TypeScript
34
star
47

stripe-connect-furever-demo

Code sample demo built on Stripe Connect embedded components.
TypeScript
34
star
48

stripe-identity-react-native

React Native library for Stripe Identity
TypeScript
33
star
49

stripe-reachability

A bash script to test access to the Stripe API
Shell
32
star
50

krl

OpenSSH Key Revocation List support for Go
Go
30
star
51

stripe-magento2-releases

27
star
52

react-connect-js

React components for Connect.js and Connect embedded components
TypeScript
22
star
53

connect-js

Loading wrapper for Connect.js
TypeScript
21
star
54

stripe-mirakl-connector

Official Stripe Mirakl Connector
PHP
13
star
55

salesforce-connector-examples

Stripe Salesforce Connector examples
Apex
12
star
56

checkout-sales-demo

Sales demo of Stripe Checkout with different locales around the world.
HTML
12
star
57

stripe-ios-spm

Swift Package Manager mirror for the Stripe iOS SDK. See http://github.com/stripe/stripe-ios for details.
12
star
58

.github

Stripe uses the Contributor Covenant Code of Conduct for our open-source community.
8
star
59

homebrew-stripe-mock

Homebrew tap for stripestub
Ruby
7
star
60

scoop-stripe-cli

7
star
61

homebrew-stripe-cli

Ruby
7
star
62

stripe-sfcc-b2c-connector

JavaScript
7
star
63

stripe-commercetools-connect-app

TypeScript
5
star
64

ssf-ruby

A Ruby client for the Sensor Sensibility Format
Ruby
5
star
65

terminal-connector-releases

Release binaries for Stripe Terminal connectors
3
star
66

open-banking-v2-docs

Open banking docs for V2 APIs
CSS
2
star
67

vscode-endsmart

vscode extension to smartly add `end` keywords
TypeScript
1
star