fluent-plugin-secure-forward

Fluentd input/output plugin to forward fluentd messages over SSL with authentication.

Plugin status

NOTE: This plugin will not be updated anymore.

Fluentd v0.14.12 supports event forwarding via encrypted network communication. Use that feature instead of using this plugin.

Overview

This plugin lets you:

  • protect your data in transit with SSL
    • with a certificate signed by and registered with a public CA
    • with a private CA certificate generated by the user
    • with automatically generated, self-signed certificates (insecure)
  • authenticate both client (out_secure_forward) and server (in_secure_forward) with a shared_key check
  • authenticate with username / password pairs

Installation

Install with the gem or fluent-gem command:

### native gem
$ gem install fluent-plugin-secure-forward

### fluentd gem
$ fluent-gem install fluent-plugin-secure-forward

Using SSL certificates issued from trusted CA

To communicate over SSL with a valid certificate issued by a public CA, configure the parameters below for the input plugin:

  • secure: set yes or true
  • cert_path: path of the certificate file issued by the CA
  • private_key_path: path of the private key file
  • private_key_passphrase: passphrase of the private key
<source>
  @type secure_forward
  
  # bind 0.0.0.0 # default
  # port 24284 # default
  self_hostname server.fqdn.example.com
  shared_key    secret_string
  
  secure yes
  
  cert_path        /path/for/certificate/cert.pem
  private_key_path /path/for/certificate/key.pem
  private_key_passphrase secret_foo_bar_baz
</source>

For the output plugin, specify just these 2 options:

  • secure: set yes or true
  • enable_strict_verification: set yes or true to verify the FQDN of servers (input plugins)
<match secret.data.**>
  @type secure_forward
  
  self_hostname client.fqdn.local
  shared_key    secret_string
  
  secure yes
  enable_strict_verification yes
  
  <server>
    host server.fqdn.example.com  # or IP
    # port 24284
  </server>
  <server>
    host 203.0.113.8 # ip address to connect
    hostlabel server.fqdn.example.com # specify hostlabel for FQDN verification if ipaddress is used for host
  </server>
</match>

Using private CA file and key

This plugin ships a simple utility command to generate private CA cert/key files just for secure-forward.

$ secure-forward-ca-generate /path/for/dir/of/certs "passphrase for private CA secret key"

This command generates ca_cert.pem and ca_key.pem in /path/for/dir/of/certs. For SSL communication with a private CA, deploy both files for input plugins, and deploy ca_cert.pem for output plugins. Then configure Fluentd with these files and the passphrase. With this configuration, server certificates are generated automatically and issued by the private CA.

<source>
  @type secure_forward
  
  # bind 0.0.0.0 # default
  # port 24284 # default
  self_hostname myserver.local
  shared_key    secret_string
  
  secure yes
  
  ca_cert_path        /path/for/certificate/ca_cert.pem
  ca_private_key_path /path/for/certificate/ca_key.pem
  ca_private_key_passphrase passphrase for private CA secret key
</source>

For the output plugin, specify just these 2 options:

  • secure: set yes or true
  • enable_strict_verification: set yes or true
<match secret.data.**>
  @type secure_forward
  
  self_hostname myclient.local
  shared_key    secret_string
  
  secure yes
  ca_cert_path /path/for/certificate/ca_cert.pem
  # enable_strict_verification yes
  
  <server>
    host server.fqdn.example.com  # or IP
    # port 24284
  </server>
  <server>
    host 203.0.113.8 # ip address to connect
    hostlabel server.fqdn.example.com # specify hostlabel for FQDN verification if ipaddress is used for host
  </server>
</match>

Using insecure self-signed certificates

This is very dangerous and vulnerable to man-in-the-middle attacks

For testing only, or for communication inside a data center, this plugin can communicate without any verification of certificates. Set the secure option to false to use this feature.

<source>
  @type secure_forward
  
  self_hostname myserver.local
  shared_key    secret_string
  
  secure no
</source>

Configure the output plugin the same way:

<match data.**>
  @type secure_forward
  
  self_hostname myclient.local
  shared_key    secret_string
  
  secure no
  
  <server>
    host server.fqdn.example.com  # or IP
  </server>
</match>

In this mode, the output plugin cannot verify the peer node of a connection. A man-in-the-middle attacker can spoof messages from output plugins in many situations.

Configuration

SecureForwardInput

Default settings:

  • listen 0.0.0.0:24284
    • bind 192.168.0.101
    • port 24284
  • accept from any source
  • allow connections without authentication
  • use an automatically generated certificate
    • generate_private_key_length 2048
    • generate_cert_country US
    • generate_cert_state CA
    • generate_cert_locality Mountain View
    • generate_cert_common_name SAME_WITH_SELF_HOSTNAME_PARAMETER
  • use TLSv1.2

A minimal configuration looks like this:

<source>
  @type secure_forward
  shared_key         secret_string
  self_hostname      server.fqdn.local  # This fqdn is used as CN (Common Name) of certificates
  
  secure yes
  # and configurations for certs
</source>

To check username/password from clients:

<source>
  @type secure_forward
  shared_key         secret_string
  self_hostname      server.fqdn.local
  
  secure yes
  # and configurations for certs
  
  authentication     yes # Deny clients without valid username/password
  <user>
    username tagomoris
    password foobar012
  </user>
  <user>
    username frsyuki
    password yakiniku
  </user>
</source>

To deny unknown source IPs/hosts:

<source>
  @type secure_forward
  shared_key         secret_string
  self_hostname      server.fqdn.local
  
  secure yes
  # and configurations for certs
  
  allow_anonymous_source no  # Allow to accept from nodes of <client>
  <client>
    host 192.168.10.30
  </client>
  <client>
    host your.host.fqdn.local
    # wildcard (ex: *.host.fqdn.local) NOT Supported now
  </client>
  <client>
    network 192.168.16.0/24 # network address specification
  </client>
</source>

You can combine the username/password check with the client check:

<source>
  @type secure_forward
  shared_key         secret_string
  self_hostname      server.fqdn.local
  
  secure yes
  # and configurations for certs
  
  allow_anonymous_source no  # Allow to accept from nodes of <client>
  authentication         yes # Deny clients without valid username/password
  <user>
    username tagomoris
    password foobar012
  </user>
  <user>
    username frsyuki
    password sukiyaki
  </user>
  <user>
    username repeatedly
    password sushi
  </user>
  <client>
    host 192.168.10.30      # allow all users to connect from 192.168.10.30
  </client>
  <client>
    host  192.168.10.31
    users tagomoris,frsyuki # deny repeatedly from 192.168.10.31
  </client>
  <client>
    host 192.168.10.32
    shared_key less_secret_string # limited shared_key for 192.168.10.32
    users      repeatedly         # and repeatedly only
  </client>
</source>
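How the combined `<client>` / `<user>` configuration above resolves for a connecting source, as an added example (not the plugin's own code). Assumed here: entries are checked in order and the first match wins, a `host` given as a name is compared against the resolved name the caller supplies, and a `<client>` without `users` admits every authenticated user.

```ruby
require 'ipaddr'

# Constructed mirror of the <client> sections in the configuration above.
CLIENTS = [
  { host: '192.168.10.30' },
  { host: '192.168.10.31', users: %w[tagomoris frsyuki] },
  { host: '192.168.10.32', shared_key: 'less_secret_string', users: %w[repeatedly] },
  { network: '192.168.16.0/24' },
]

# A <client> matches on an exact host (IP or name) or on a CIDR network.
def match_client?(entry, addr, hostname)
  if entry[:network]
    IPAddr.new(entry[:network]).include?(IPAddr.new(addr))
  else
    entry[:host] == addr || entry[:host] == hostname
  end
end

# Returns { shared_key:, users: } for an admitted source, or nil when denied.
# With allow_anonymous_source no, an unmatched source is refused outright;
# a per-client shared_key overrides the global one for that source only.
def source_policy(addr, hostname, clients, allow_anonymous, default_key)
  entry = clients.find { |c| match_client?(c, addr, hostname) }
  if entry.nil?
    return allow_anonymous ? { shared_key: default_key, users: nil } : nil
  end
  { shared_key: entry[:shared_key] || default_key, users: entry[:users] }
end

# users nil means any user that passes the <user> password check is accepted.
def user_allowed?(policy, username)
  policy[:users].nil? || policy[:users].include?(username)
end
```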

SecureForwardOutput

A minimal configuration looks like this:

<match secret.data.**>
  @type secure_forward
  shared_key secret_string
  self_hostname client.fqdn.local
  
  secure yes
  # and configurations for certs/verification
  
  <server>
    host server.fqdn.local  # or IP
    # port 24284
  </server>
</match>

Without a hostname ACL (not implemented yet), self_hostname is never checked. The ${hostname} placeholder is available for such cases.

<match secret.data.**>
  @type secure_forward
  shared_key secret_string
  self_hostname ${hostname}
  
  secure yes
  # and configurations for certs/verification
  
  <server>
    host server.fqdn.local  # or IP
    # port 24284
  </server>
</match>

When 2 or more <server> sections are specified, this plugin uses these nodes in simple round-robin order. Servers with standby yes are selected only after all non-standby servers have gone down.

If the server requires username/password, set username and password in the <server> section:

<match secret.data.**>
  @type secure_forward
  shared_key secret_string
  self_hostname client.fqdn.local
  
  secure yes
  # and configurations for certs/verification
  
  <server>
    host      first.fqdn.local
    hostlabel server.fqdn.local
    username  repeatedly
    password  sushi
  </server>
  <server>
    host      second.fqdn.local
    hostlabel server.fqdn.local
    username  sasatatsu
    password  karaage
  </server>
  <server>
    host      standby.fqdn.local
    hostlabel server.fqdn.local
    username  kzk
    password  hawaii
    standby   yes
  </server>
</match>

Specify hostlabel if the server (in_secure_forward) has a hostname (its self_hostname configuration) that differs from its DNS name (first.fqdn.local, second.fqdn.local or standby.fqdn.local). This value is used to check the common name (CN) of the certificate.

To set a keepalive timeout, use the keepalive option with a value in seconds. With the configuration below, the SSL connection is disconnected and re-connected every hour. By default (keepalive 0), connections are not disconnected unless a communication problem occurs. (This feature exists for DNS name updates and for refreshing the SSL common key.)

<match secret.data.**>
  @type secure_forward
  shared_key secret_string
  self_hostname client.fqdn.local
  
  secure yes
  # and configurations for certs/verification
  
  keepalive 3600
  <server>
    host server.fqdn.local  # or IP
    # port 24284
  </server>
</match>

If you connect via a proxy, set proxy_uri in the <server> section:

<match secret.data.**>
  @type secure_forward
  shared_key secret_string
  self_hostname client.fqdn.local

  secure yes
  # and configurations for certs/verification

  <server>
    host server.fqdn.local  # or IP
    # port 24284
    proxy_uri http://foo.bar.local:3128
  </server>
</match>

Scenario (developer document)

  • server
    • in_secure_forward
  • client
    • out_secure_forward

Handshake

  1. (client) connect to server
     • on SSL socket handshake, the client checks the certificate and its signature
  2. (server)
     • check network/domain ACL (if enabled)
     • check client DNS reverse lookup result (if enabled)
     • disconnect when failed
  3. (server) send HELO
     • ['HELO', options(hash)]
     • options:
       • nonce: string used as the nonce for the shared key digest (required, v0.3.2 or later)
       • auth: string or blank string (string: authentication required, and its salt is this value)
       • keepalive: bool (allowed or not)
  4. (client) send PING
     • ['PING', selfhostname, sharedkey_salt, sha512_hex(sharedkey_salt + selfhostname + nonce + sharedkey), username || '', sha512_hex(auth_salt + username + password) || '']
  5. (server) check PING
     • check sharedkey
     • check username / password (if required)
     • send PONG FAILURE if failed
     • ['PONG', false, 'reason of authentication failure', '', '']
  6. (server) send PONG
     • ['PONG', bool(authentication result), 'reason if authentication failed', selfhostname, sha512_hex(salt + selfhostname + nonce + sharedkey)]
  7. (client) check PONG
     • check sharedkey
     • disconnect when failed
  8. connection established
     • send data from client (until keepalive expiration)
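The HELO/PING/PONG exchange above carried through on both sides, as an added example (not the plugin's own code). Assumed here: 16-byte hex nonce and salt values, a constructed user table, and that the PONG digest reuses the client's sharedkey_salt from the PING.

```ruby
require 'digest'
require 'securerandom'
# Constructed example (not the plugin's code): the HELO/PING/PONG handshake
# described above, with the checks each side performs. Assumed here: hex nonce
# and salt sizes, and that the PONG digest reuses the client's sharedkey_salt.
SERVER_HOST = 'server.fqdn.local'
CLIENT_HOST = 'client.fqdn.local'
SHARED_KEY  = 'secret_string'
USERS       = { 'tagomoris' => 'foobar012' } # in_secure_forward <user> entries

def sha512_hex(s)
  Digest::SHA512.hexdigest(s)
end

# Constant-time equality so digest checks do not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# (server) HELO: fresh nonce per connection; a non-empty auth salt means
# username/password is required and that salt goes into the password digest.
def build_helo(require_auth)
  ['HELO', { 'nonce' => SecureRandom.hex(16),
             'auth' => (require_auth ? SecureRandom.hex(16) : ''),
             'keepalive' => true }]
end

# (client) PING: proves knowledge of shared_key bound to this connection's nonce.
def build_ping(helo, shared_key, username = '', password = '')
  opts = helo[1]
  salt = SecureRandom.hex(16)
  user_digest = opts['auth'].empty? ? '' : sha512_hex(opts['auth'] + username + password)
  ['PING', CLIENT_HOST, salt,
   sha512_hex(salt + CLIENT_HOST + opts['nonce'] + shared_key), username, user_digest]
end

# (server) check PING and answer PONG; a failure reply carries no server digest.
def handle_ping(ping, helo, shared_key, users)
  _, hostname, salt, digest, username, user_digest = ping
  opts = helo[1]
  expected = sha512_hex(salt + hostname + opts['nonce'] + shared_key)
  return ['PONG', false, 'shared_key mismatch', '', ''] unless secure_compare(expected, digest)
  unless opts['auth'].empty?
    pw = users[username]
    ok = pw && secure_compare(sha512_hex(opts['auth'] + username + pw), user_digest)
    return ['PONG', false, 'username/password mismatch', '', ''] unless ok
  end
  ['PONG', true, '', SERVER_HOST, sha512_hex(salt + SERVER_HOST + opts['nonce'] + shared_key)]
end

# (client) check PONG: the server must prove it holds the same shared_key too.
def check_pong(pong, ping, helo, shared_key)
  _, ok, _reason, hostname, digest = pong
  return false unless ok
  secure_compare(sha512_hex(ping[2] + hostname + helo[1]['nonce'] + shared_key), digest)
end
```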

Data transferring

CONSIDER RETURN ACK OR NOT

  • Current version has no ACKs
    • only supports burst transferring (same as ForwardInput/Output)
  • ack for each message ?
  • pipeline mode and one-by-one mode ?
  • data sequence number in keepalive session ?

TODO

  • ACK mode (protocol)
  • support disabling keepalive (input/output)
  • access control (input plugin)
    • network acl / domain acl
    • check connecting source IP and its DNS reverse lookup result (for domain ACL)
    • access deny on accept (against DoS)
  • pluggable authentication database (input plugin)
    • RDBMS, LDAP, or ...
    • Authentication by clients certificate
  • TESTS!

Copyright

  • Copyright (c) 2013- TAGOMORI Satoshi (tagomoris)
  • License
    • Apache License, Version 2.0
