From 6a7e59092e7b752d20014c8a982381352989302a Mon Sep 17 00:00:00 2001
From: Dan
Date: Fri, 27 Oct 2023 11:10:21 +0000
Subject: [PATCH 1/4] Adds changes for clear text frontend mode
---
.../proto/fleetspeak_components/config.pb.go | 398 ++++++++++++++----
.../proto/fleetspeak_components/config.proto | 39 ++
fleetspeak/src/server/https/https.go | 61 +-
3 files changed, 382 insertions(+), 116 deletions(-)
diff --git a/fleetspeak/src/server/components/proto/fleetspeak_components/config.pb.go b/fleetspeak/src/server/components/proto/fleetspeak_components/config.pb.go
index 99212951..b5298c7f 100644
--- a/fleetspeak/src/server/components/proto/fleetspeak_components/config.pb.go
+++ b/fleetspeak/src/server/components/proto/fleetspeak_components/config.pb.go
@@ -343,6 +343,136 @@ func (x *HttpsHeaderChecksumConfig) GetClientCertificateChecksumHeader() string return "" } +// In this mode Fleetspeak runs in clear text (HTTP). This for example allows +// Fleetspeak to be deployed in a Service Mesh behind a side car proxy that +// offers a secure communications channel. +// Fleetspeak accepts a TLS connection from an intermediate actor which +// terminates the TLS protocol (typically a layer 7 load balancer). +// The intermediate actor passes the client certificate it receives from the +// original TLS connection to the frontend via an HTTP header. +// The Fleetspeak frontend uses the certificate passed in this header to +// identify the client. +type HttpHeaderConfig struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The name of the HTTP header set by the intermediary that contains the + // forwarded client certificate. Required. + ClientCertificateHeader string `protobuf:"bytes,1,opt,name=client_certificate_header,json=clientCertificateHeader,proto3" json:"client_certificate_header,omitempty"` +} + +func (x *HttpHeaderConfig) Reset() { + *x = HttpHeaderConfig{} + if protoimpl.UnsafeEnabled { + mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *HttpHeaderConfig) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*HttpHeaderConfig) ProtoMessage() {} + +func (x *HttpHeaderConfig) ProtoReflect() protoreflect.Message { + mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[4] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use HttpHeaderConfig.ProtoReflect.Descriptor instead. 
+func (*HttpHeaderConfig) Descriptor() ([]byte, []int) { + return file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_rawDescGZIP(), []int{4} +} + +func (x *HttpHeaderConfig) GetClientCertificateHeader() string { + if x != nil { + return x.ClientCertificateHeader + } + return "" +} + +// In this mode Fleetspeak runs in clear text (HTTP). This for example allows +// Fleetspeak to be deployed in a Service Mesh behind a side car proxy that +// offers a secure communications channel. +// Fleetspeak accepts a TLS connection from an intermediate actor which +// terminates the TLS protocol (typically a layer 7 load balancer). +// The original client passes the certificate it uses for the TLS protocol to +// the frontend via an HTTP header. +// The intermediate actor passes a SHA256 checksum of client certificate it +// receives from the original TLS connection to the frontend via a second HTTP +// header. +// The Fleetspeak frontend uses the certificate passed passed from the client +// to identify it, and uses the hash from the intermediate actor to verify that +// this certificate was in fact used in the original TLS connection. +type HttpHeaderChecksumConfig struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The name of the HTTP header set by the client that contains the original + // client certificate. Required. + ClientCertificateHeader string `protobuf:"bytes,1,opt,name=client_certificate_header,json=clientCertificateHeader,proto3" json:"client_certificate_header,omitempty"` + // The name of the HTTP header set by the intermediary that contains the + // client certificate checksum. Required. 
+ ClientCertificateChecksumHeader string `protobuf:"bytes,2,opt,name=client_certificate_checksum_header,json=clientCertificateChecksumHeader,proto3" json:"client_certificate_checksum_header,omitempty"` +} + +func (x *HttpHeaderChecksumConfig) Reset() { + *x = HttpHeaderChecksumConfig{} + if protoimpl.UnsafeEnabled { + mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *HttpHeaderChecksumConfig) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*HttpHeaderChecksumConfig) ProtoMessage() {} + +func (x *HttpHeaderChecksumConfig) ProtoReflect() protoreflect.Message { + mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[5] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use HttpHeaderChecksumConfig.ProtoReflect.Descriptor instead. +func (*HttpHeaderChecksumConfig) Descriptor() ([]byte, []int) { + return file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_rawDescGZIP(), []int{5} +} + +func (x *HttpHeaderChecksumConfig) GetClientCertificateHeader() string { + if x != nil { + return x.ClientCertificateHeader + } + return "" +} + +func (x *HttpHeaderChecksumConfig) GetClientCertificateChecksumHeader() string { + if x != nil { + return x.ClientCertificateChecksumHeader + } + return "" +} + // The frontend config determines how the Fleetspeak frontend communicates with // clients and how it identifies them. type FrontendConfig struct { 
@@ -361,13 +491,15 @@ type FrontendConfig struct { // *FrontendConfig_MtlsConfig // *FrontendConfig_HttpsHeaderConfig // *FrontendConfig_HttpsHeaderChecksumConfig + // *FrontendConfig_HttpHeaderConfig + // *FrontendConfig_HttpHeaderChecksumConfig FrontendMode isFrontendConfig_FrontendMode `protobuf_oneof:"frontend_mode"` } func (x *FrontendConfig) Reset() { *x = FrontendConfig{} if protoimpl.UnsafeEnabled { - mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[4] + mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[6] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -380,7 +512,7 @@ func (x *FrontendConfig) String() string { func (*FrontendConfig) ProtoMessage() {} func (x *FrontendConfig) ProtoReflect() protoreflect.Message { - mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[4] + mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[6] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -393,7 +525,7 @@ func (x *FrontendConfig) ProtoReflect() protoreflect.Message { // Deprecated: Use FrontendConfig.ProtoReflect.Descriptor instead. func (*FrontendConfig) Descriptor() ([]byte, []int) { - return file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_rawDescGZIP(), []int{4} + return file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_rawDescGZIP(), []int{6} } func (m *FrontendConfig) GetFrontendMode() isFrontendConfig_FrontendMode { 
@@ -424,6 +556,20 @@ func (x *FrontendConfig) GetHttpsHeaderChecksumConfig() *HttpsHeaderChecksumConf return nil } +func (x *FrontendConfig) GetHttpHeaderConfig() *HttpHeaderConfig { + if x, ok := x.GetFrontendMode().(*FrontendConfig_HttpHeaderConfig); ok { + return x.HttpHeaderConfig + } + return nil +} + +func (x *FrontendConfig) GetHttpHeaderChecksumConfig() *HttpHeaderChecksumConfig { + if x, ok := x.GetFrontendMode().(*FrontendConfig_HttpHeaderChecksumConfig); ok { + return x.HttpHeaderChecksumConfig + } + return nil +} + type isFrontendConfig_FrontendMode interface { isFrontendConfig_FrontendMode() } @@ -440,12 +586,24 @@ type FrontendConfig_HttpsHeaderChecksumConfig struct { HttpsHeaderChecksumConfig *HttpsHeaderChecksumConfig `protobuf:"bytes,9,opt,name=https_header_checksum_config,json=httpsHeaderChecksumConfig,proto3,oneof"` } +type FrontendConfig_HttpHeaderConfig struct { + HttpHeaderConfig *HttpHeaderConfig `protobuf:"bytes,10,opt,name=http_header_config,json=httpHeaderConfig,proto3,oneof"` +} + +type FrontendConfig_HttpHeaderChecksumConfig struct { + HttpHeaderChecksumConfig *HttpHeaderChecksumConfig `protobuf:"bytes,11,opt,name=http_header_checksum_config,json=httpHeaderChecksumConfig,proto3,oneof"` +} + func (*FrontendConfig_MtlsConfig) isFrontendConfig_FrontendMode() {} func (*FrontendConfig_HttpsHeaderConfig) isFrontendConfig_FrontendMode() {} func (*FrontendConfig_HttpsHeaderChecksumConfig) isFrontendConfig_FrontendMode() {} +func (*FrontendConfig_HttpHeaderConfig) isFrontendConfig_FrontendMode() {} + +func (*FrontendConfig_HttpHeaderChecksumConfig) isFrontendConfig_FrontendMode() {} + type HttpsConfig struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache 
@@ -472,7 +630,7 @@ type HttpsConfig struct { func (x *HttpsConfig) Reset() { *x = HttpsConfig{} if protoimpl.UnsafeEnabled { - mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[5] + mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[7] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -485,7 +643,7 @@ func (x *HttpsConfig) String() string { func (*HttpsConfig) ProtoMessage() {} func (x *HttpsConfig) ProtoReflect() protoreflect.Message { - mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[5] + mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[7] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -498,7 +656,7 @@ func (x *HttpsConfig) ProtoReflect() protoreflect.Message { // Deprecated: Use HttpsConfig.ProtoReflect.Descriptor instead. func (*HttpsConfig) Descriptor() ([]byte, []int) { - return file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_rawDescGZIP(), []int{5} + return file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_rawDescGZIP(), []int{7} } func (x *HttpsConfig) GetListenAddress() string { @@ -549,7 +707,7 @@ type AdminConfig struct { func (x *AdminConfig) Reset() { *x = AdminConfig{} if protoimpl.UnsafeEnabled { - mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[6] + mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[8] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -562,7 +720,7 @@ func (x *AdminConfig) String() string { func (*AdminConfig) ProtoMessage() {} func (x *AdminConfig) ProtoReflect() protoreflect.Message { - mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[6] + mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[8] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -575,7 +733,7 @@ func (x *AdminConfig) ProtoReflect() protoreflect.Message { // Deprecated: Use AdminConfig.ProtoReflect.Descriptor instead. func (*AdminConfig) Descriptor() ([]byte, []int) { - return file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_rawDescGZIP(), []int{6} + return file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_rawDescGZIP(), []int{8} } func (x *AdminConfig) GetListenAddress() string { @@ -600,7 +758,7 @@ type StatsConfig struct { func (x *StatsConfig) Reset() { *x = StatsConfig{} if protoimpl.UnsafeEnabled { - mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[7] + mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[9] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -613,7 +771,7 @@ func (x *StatsConfig) String() string { func (*StatsConfig) ProtoMessage() {} func (x *StatsConfig) ProtoReflect() protoreflect.Message { - mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[7] + mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[9] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -626,7 +784,7 @@ func (x *StatsConfig) ProtoReflect() protoreflect.Message { // Deprecated: Use StatsConfig.ProtoReflect.Descriptor instead. func (*StatsConfig) Descriptor() ([]byte, []int) { - return file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_rawDescGZIP(), []int{7} + return file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_rawDescGZIP(), []int{9} } func (x *StatsConfig) GetAddress() string { @@ -649,7 +807,7 @@ type HealthCheckConfig struct { func (x *HealthCheckConfig) Reset() { *x = HealthCheckConfig{} if protoimpl.UnsafeEnabled { - mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[8] + mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[10] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -662,7 +820,7 @@ func (x *HealthCheckConfig) String() string { func (*HealthCheckConfig) ProtoMessage() {} func (x *HealthCheckConfig) ProtoReflect() protoreflect.Message { - mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[8] + mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[10] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -675,7 +833,7 @@ func (x *HealthCheckConfig) ProtoReflect() protoreflect.Message { // Deprecated: Use HealthCheckConfig.ProtoReflect.Descriptor instead. func (*HealthCheckConfig) Descriptor() ([]byte, []int) { - return file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_rawDescGZIP(), []int{8} + return file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_rawDescGZIP(), []int{10} } func (x *HealthCheckConfig) GetListenAddress() string { 
@@ -750,58 +908,86 @@ var file_fleetspeak_src_server_components_proto_fleetspeak_components_config_pro 0x61, 0x74, 0x65, 0x5f, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x1f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x65, 0x63, - 0x6b, 0x73, 0x75, 0x6d, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x22, 0xb8, 0x02, 0x0a, 0x0e, 0x46, - 0x72, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x44, 0x0a, - 0x0b, 0x6d, 0x74, 0x6c, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x07, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x66, 0x6c, 0x65, 0x65, 0x74, 0x73, 0x70, 0x65, 0x61, 0x6b, 0x2e, - 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x4d, 0x54, 0x6c, 0x73, 0x43, - 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x48, 0x00, 0x52, 0x0a, 0x6d, 0x74, 0x6c, 0x73, 0x43, 0x6f, 0x6e, - 0x66, 0x69, 0x67, 0x12, 0x5a, 0x0a, 0x13, 0x68, 0x74, 0x74, 0x70, 0x73, 0x5f, 0x68, 0x65, 0x61, - 0x64, 0x65, 0x72, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x28, 0x2e, 0x66, 0x6c, 0x65, 0x65, 0x74, 0x73, 0x70, 0x65, 0x61, 0x6b, 0x2e, 0x63, 0x6f, - 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x73, 0x48, 0x65, - 0x61, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x48, 0x00, 0x52, 0x11, 0x68, 0x74, - 0x74, 0x70, 0x73, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, - 0x73, 0x0a, 0x1c, 0x68, 0x74, 0x74, 0x70, 0x73, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x5f, - 0x63, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, - 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x66, 0x6c, 0x65, 0x65, 0x74, 0x73, 0x70, 0x65, - 0x61, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x48, 0x74, - 0x74, 0x70, 0x73, 0x48, 0x65, 0x61, 
0x64, 0x65, 0x72, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, - 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x48, 0x00, 0x52, 0x19, 0x68, 0x74, 0x74, 0x70, 0x73, - 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x43, 0x6f, - 0x6e, 0x66, 0x69, 0x67, 0x42, 0x0f, 0x0a, 0x0d, 0x66, 0x72, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x64, - 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x22, 0xf3, 0x01, 0x0a, 0x0b, 0x48, 0x74, 0x74, 0x70, 0x73, 0x43, - 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x25, 0x0a, 0x0e, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x5f, - 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6c, - 0x69, 0x73, 0x74, 0x65, 0x6e, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x22, 0x0a, 0x0c, - 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, - 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, - 0x65, 0x79, 0x12, 0x2b, 0x0a, 0x11, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x73, 0x74, - 0x72, 0x65, 0x61, 0x6d, 0x69, 0x6e, 0x67, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x64, - 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x69, 0x6e, 0x67, 0x12, - 0x4e, 0x0a, 0x0f, 0x66, 0x72, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x66, - 0x69, 0x67, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x66, 0x6c, 0x65, 0x65, 0x74, + 0x6b, 0x73, 0x75, 0x6d, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x22, 0x4e, 0x0a, 0x10, 0x48, 0x74, + 0x74, 0x70, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x3a, + 0x0a, 0x19, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x65, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x17, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x43, 0x65, 0x72, 
0x74, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x65, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x22, 0xa3, 0x01, 0x0a, 0x18, 0x48, + 0x74, 0x74, 0x70, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, + 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x3a, 0x0a, 0x19, 0x63, 0x6c, 0x69, 0x65, 0x6e, + 0x74, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x68, 0x65, + 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x17, 0x63, 0x6c, 0x69, 0x65, + 0x6e, 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x48, 0x65, 0x61, + 0x64, 0x65, 0x72, 0x12, 0x4b, 0x0a, 0x22, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x63, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x73, + 0x75, 0x6d, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x1f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, + 0x74, 0x65, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, + 0x22, 0x83, 0x04, 0x0a, 0x0e, 0x46, 0x72, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x64, 0x43, 0x6f, 0x6e, + 0x66, 0x69, 0x67, 0x12, 0x44, 0x0a, 0x0b, 0x6d, 0x74, 0x6c, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x66, + 0x69, 0x67, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x66, 0x6c, 0x65, 0x65, 0x74, + 0x73, 0x70, 0x65, 0x61, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, + 0x2e, 0x4d, 0x54, 0x6c, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x48, 0x00, 0x52, 0x0a, 0x6d, + 0x74, 0x6c, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x5a, 0x0a, 0x13, 0x68, 0x74, 0x74, + 0x70, 0x73, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, + 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x66, 0x6c, 0x65, 0x65, 0x74, 0x73, 0x70, + 0x65, 0x61, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x48, + 0x74, 0x74, 
0x70, 0x73, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, + 0x48, 0x00, 0x52, 0x11, 0x68, 0x74, 0x74, 0x70, 0x73, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, + 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x73, 0x0a, 0x1c, 0x68, 0x74, 0x74, 0x70, 0x73, 0x5f, 0x68, + 0x65, 0x61, 0x64, 0x65, 0x72, 0x5f, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x5f, 0x63, + 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x66, 0x6c, + 0x65, 0x65, 0x74, 0x73, 0x70, 0x65, 0x61, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, + 0x6e, 0x74, 0x73, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x73, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, + 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x48, 0x00, 0x52, + 0x19, 0x68, 0x74, 0x74, 0x70, 0x73, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x68, 0x65, 0x63, + 0x6b, 0x73, 0x75, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x57, 0x0a, 0x12, 0x68, 0x74, + 0x74, 0x70, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, + 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x66, 0x6c, 0x65, 0x65, 0x74, 0x73, 0x70, + 0x65, 0x61, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x48, + 0x74, 0x74, 0x70, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x48, + 0x00, 0x52, 0x10, 0x68, 0x74, 0x74, 0x70, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, + 0x66, 0x69, 0x67, 0x12, 0x70, 0x0a, 0x1b, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x68, 0x65, 0x61, 0x64, + 0x65, 0x72, 0x5f, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x5f, 0x63, 0x6f, 0x6e, 0x66, + 0x69, 0x67, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x66, 0x6c, 0x65, 0x65, 0x74, 0x73, 0x70, 0x65, 0x61, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, - 0x2e, 0x46, 0x72, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, - 0x0e, 0x66, 0x72, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x64, 
0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x4a, - 0x04, 0x08, 0x05, 0x10, 0x06, 0x4a, 0x04, 0x08, 0x06, 0x10, 0x07, 0x22, 0x34, 0x0a, 0x0b, 0x41, - 0x64, 0x6d, 0x69, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x25, 0x0a, 0x0e, 0x6c, 0x69, - 0x73, 0x74, 0x65, 0x6e, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x0d, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, - 0x73, 0x22, 0x27, 0x0a, 0x0b, 0x53, 0x74, 0x61, 0x74, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, - 0x12, 0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x22, 0x3a, 0x0a, 0x11, 0x48, 0x65, - 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, - 0x25, 0x0a, 0x0e, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, - 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x41, - 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x42, 0x5b, 0x5a, 0x59, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x66, 0x6c, 0x65, 0x65, - 0x74, 0x73, 0x70, 0x65, 0x61, 0x6b, 0x2f, 0x66, 0x6c, 0x65, 0x65, 0x74, 0x73, 0x70, 0x65, 0x61, - 0x6b, 0x2f, 0x73, 0x72, 0x63, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2f, 0x63, 0x6f, 0x6d, - 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x66, 0x6c, - 0x65, 0x65, 0x74, 0x73, 0x70, 0x65, 0x61, 0x6b, 0x5f, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, - 0x6e, 0x74, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x2e, 0x48, 0x74, 0x74, 0x70, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x68, 0x65, 0x63, 0x6b, + 0x73, 0x75, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x48, 0x00, 0x52, 0x18, 0x68, 0x74, 0x74, + 0x70, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x43, + 0x6f, 0x6e, 0x66, 0x69, 
0x67, 0x42, 0x0f, 0x0a, 0x0d, 0x66, 0x72, 0x6f, 0x6e, 0x74, 0x65, 0x6e, + 0x64, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x22, 0xf3, 0x01, 0x0a, 0x0b, 0x48, 0x74, 0x74, 0x70, 0x73, + 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x25, 0x0a, 0x0e, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, + 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, + 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x22, 0x0a, + 0x0c, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, + 0x73, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, + 0x6b, 0x65, 0x79, 0x12, 0x2b, 0x0a, 0x11, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x73, + 0x74, 0x72, 0x65, 0x61, 0x6d, 0x69, 0x6e, 0x67, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, + 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x69, 0x6e, 0x67, + 0x12, 0x4e, 0x0a, 0x0f, 0x66, 0x72, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x64, 0x5f, 0x63, 0x6f, 0x6e, + 0x66, 0x69, 0x67, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x66, 0x6c, 0x65, 0x65, + 0x74, 0x73, 0x70, 0x65, 0x61, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, + 0x73, 0x2e, 0x46, 0x72, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, + 0x52, 0x0e, 0x66, 0x72, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, + 0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x4a, 0x04, 0x08, 0x06, 0x10, 0x07, 0x22, 0x34, 0x0a, 0x0b, + 0x41, 0x64, 0x6d, 0x69, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x25, 0x0a, 0x0e, 0x6c, + 0x69, 0x73, 0x74, 0x65, 0x6e, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x41, 0x64, 0x64, 0x72, 0x65, + 0x73, 0x73, 0x22, 0x27, 0x0a, 0x0b, 0x53, 0x74, 0x61, 0x74, 
0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, + 0x67, 0x12, 0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x22, 0x3a, 0x0a, 0x11, 0x48, + 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, + 0x12, 0x25, 0x0a, 0x0e, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, + 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, + 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x42, 0x5b, 0x5a, 0x59, 0x67, 0x69, 0x74, 0x68, 0x75, + 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x66, 0x6c, 0x65, + 0x65, 0x74, 0x73, 0x70, 0x65, 0x61, 0x6b, 0x2f, 0x66, 0x6c, 0x65, 0x65, 0x74, 0x73, 0x70, 0x65, + 0x61, 0x6b, 0x2f, 0x73, 0x72, 0x63, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2f, 0x63, 0x6f, + 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x66, + 0x6c, 0x65, 0x65, 0x74, 0x73, 0x70, 0x65, 0x61, 0x6b, 0x5f, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, + 0x65, 0x6e, 0x74, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -816,32 +1002,36 @@ func file_fleetspeak_src_server_components_proto_fleetspeak_components_config_pr return file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_rawDescData } -var file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes = make([]protoimpl.MessageInfo, 9) +var file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes = make([]protoimpl.MessageInfo, 11) var file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_goTypes = []interface{}{ (*Config)(nil), // 0: fleetspeak.components.Config (*MTlsConfig)(nil), // 1: fleetspeak.components.MTlsConfig (*HttpsHeaderConfig)(nil), // 2: fleetspeak.components.HttpsHeaderConfig (*HttpsHeaderChecksumConfig)(nil), // 3: fleetspeak.components.HttpsHeaderChecksumConfig - (*FrontendConfig)(nil), // 4: fleetspeak.components.FrontendConfig - (*HttpsConfig)(nil), // 5: fleetspeak.components.HttpsConfig - (*AdminConfig)(nil), // 6: fleetspeak.components.AdminConfig - (*StatsConfig)(nil), // 7: fleetspeak.components.StatsConfig - (*HealthCheckConfig)(nil), // 8: fleetspeak.components.HealthCheckConfig + (*HttpHeaderConfig)(nil), // 4: fleetspeak.components.HttpHeaderConfig + (*HttpHeaderChecksumConfig)(nil), // 5: fleetspeak.components.HttpHeaderChecksumConfig + (*FrontendConfig)(nil), // 6: fleetspeak.components.FrontendConfig + (*HttpsConfig)(nil), // 7: fleetspeak.components.HttpsConfig + (*AdminConfig)(nil), // 8: fleetspeak.components.AdminConfig + (*StatsConfig)(nil), // 9: fleetspeak.components.StatsConfig + (*HealthCheckConfig)(nil), // 10: fleetspeak.components.HealthCheckConfig } var file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_depIdxs = []int32{ - 5, // 0: fleetspeak.components.Config.https_config:type_name -> fleetspeak.components.HttpsConfig - 6, // 1: fleetspeak.components.Config.admin_config:type_name -> fleetspeak.components.AdminConfig - 7, // 2: 
fleetspeak.components.Config.stats_config:type_name -> fleetspeak.components.StatsConfig - 8, // 3: fleetspeak.components.Config.health_check_config:type_name -> fleetspeak.components.HealthCheckConfig - 1, // 4: fleetspeak.components.FrontendConfig.mtls_config:type_name -> fleetspeak.components.MTlsConfig - 2, // 5: fleetspeak.components.FrontendConfig.https_header_config:type_name -> fleetspeak.components.HttpsHeaderConfig - 3, // 6: fleetspeak.components.FrontendConfig.https_header_checksum_config:type_name -> fleetspeak.components.HttpsHeaderChecksumConfig - 4, // 7: fleetspeak.components.HttpsConfig.frontend_config:type_name -> fleetspeak.components.FrontendConfig - 8, // [8:8] is the sub-list for method output_type - 8, // [8:8] is the sub-list for method input_type - 8, // [8:8] is the sub-list for extension type_name - 8, // [8:8] is the sub-list for extension extendee - 0, // [0:8] is the sub-list for field type_name + 7, // 0: fleetspeak.components.Config.https_config:type_name -> fleetspeak.components.HttpsConfig + 8, // 1: fleetspeak.components.Config.admin_config:type_name -> fleetspeak.components.AdminConfig + 9, // 2: fleetspeak.components.Config.stats_config:type_name -> fleetspeak.components.StatsConfig + 10, // 3: fleetspeak.components.Config.health_check_config:type_name -> fleetspeak.components.HealthCheckConfig + 1, // 4: fleetspeak.components.FrontendConfig.mtls_config:type_name -> fleetspeak.components.MTlsConfig + 2, // 5: fleetspeak.components.FrontendConfig.https_header_config:type_name -> fleetspeak.components.HttpsHeaderConfig + 3, // 6: fleetspeak.components.FrontendConfig.https_header_checksum_config:type_name -> fleetspeak.components.HttpsHeaderChecksumConfig + 4, // 7: fleetspeak.components.FrontendConfig.http_header_config:type_name -> fleetspeak.components.HttpHeaderConfig + 5, // 8: fleetspeak.components.FrontendConfig.http_header_checksum_config:type_name -> fleetspeak.components.HttpHeaderChecksumConfig + 6, // 9: 
fleetspeak.components.HttpsConfig.frontend_config:type_name -> fleetspeak.components.FrontendConfig + 10, // [10:10] is the sub-list for method output_type + 10, // [10:10] is the sub-list for method input_type + 10, // [10:10] is the sub-list for extension type_name + 10, // [10:10] is the sub-list for extension extendee + 0, // [0:10] is the sub-list for field type_name } func init() { file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_init() } @@ -899,7 +1089,7 @@ func file_fleetspeak_src_server_components_proto_fleetspeak_components_config_pr } } file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*FrontendConfig); i { + switch v := v.(*HttpHeaderConfig); i { case 0: return &v.state case 1: @@ -911,7 +1101,7 @@ func file_fleetspeak_src_server_components_proto_fleetspeak_components_config_pr } } file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*HttpsConfig); i { + switch v := v.(*HttpHeaderChecksumConfig); i { case 0: return &v.state case 1: @@ -923,7 +1113,7 @@ func file_fleetspeak_src_server_components_proto_fleetspeak_components_config_pr } } file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*AdminConfig); i { + switch v := v.(*FrontendConfig); i { case 0: return &v.state case 1: @@ -935,7 +1125,7 @@ func file_fleetspeak_src_server_components_proto_fleetspeak_components_config_pr } } file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*StatsConfig); i { + switch v := v.(*HttpsConfig); i { case 0: return &v.state case 1: 
@@ -947,6 +1137,30 @@ func file_fleetspeak_src_server_components_proto_fleetspeak_components_config_pr } } file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*AdminConfig); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*StatsConfig); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*HealthCheckConfig); i { case 0: return &v.state @@ -959,10 +1173,12 @@ func file_fleetspeak_src_server_components_proto_fleetspeak_components_config_pr } } } - file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[4].OneofWrappers = []interface{}{ + file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[6].OneofWrappers = []interface{}{ (*FrontendConfig_MtlsConfig)(nil), (*FrontendConfig_HttpsHeaderConfig)(nil), (*FrontendConfig_HttpsHeaderChecksumConfig)(nil), + (*FrontendConfig_HttpHeaderConfig)(nil), + (*FrontendConfig_HttpHeaderChecksumConfig)(nil), } type x struct{} out := protoimpl.TypeBuilder{ @@ -970,7 +1186,7 @@ func file_fleetspeak_src_server_components_proto_fleetspeak_components_config_pr GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_rawDesc, NumEnums: 0, - NumMessages: 9, + NumMessages: 11, NumExtensions: 0, NumServices: 0, }, 
diff --git a/fleetspeak/src/server/components/proto/fleetspeak_components/config.proto b/fleetspeak/src/server/components/proto/fleetspeak_components/config.proto index f33fda2b..6b25d039 100644 --- a/fleetspeak/src/server/components/proto/fleetspeak_components/config.proto +++ b/fleetspeak/src/server/components/proto/fleetspeak_components/config.proto 
@@ -101,6 +101,43 @@ message HttpsHeaderChecksumConfig { string client_certificate_checksum_header = 2; } +// In this mode Fleetspeak runs in clear text (HTTP). This for example allows +// Fleetspeak to be deployed in a Service Mesh behind a side car proxy that +// offers a secure communications channel. +// Fleetspeak accepts a TLS connection from an intermediate actor which +// terminates the TLS protocol (typically a layer 7 load balancer). +// The intermediate actor passes the client certificate it receives from the +// original TLS connection to the frontend via an HTTP header. +// The Fleetspeak frontend uses the certificate passed in this header to +// identify the client. +message HttpHeaderConfig { + // The name of the HTTP header set by the intermediary that contains the + // forwarded client certificate. Required. + string client_certificate_header = 1; +} + +// In this mode Fleetspeak runs in clear text (HTTP). This for example allows +// Fleetspeak to be deployed in a Service Mesh behind a side car proxy that +// offers a secure communications channel. +// Fleetspeak accepts a TLS connection from an intermediate actor which +// terminates the TLS protocol (typically a layer 7 load balancer). +// The original client passes the certificate it uses for the TLS protocol to +// the frontend via an HTTP header. +// The intermediate actor passes a SHA256 checksum of client certificate it +// receives from the original TLS connection to the frontend via a second HTTP +// header. +// The Fleetspeak frontend uses the certificate passed passed from the client +// to identify it, and uses the hash from the intermediate actor to verify that +// this certificate was in fact used in the original TLS connection. +message HttpHeaderChecksumConfig { + // The name of the HTTP header set by the client that contains the original + // client certificate. Required. 
+ string client_certificate_header = 1; + // The name of the HTTP header set by the intermediary that contains the + // client certificate checksum. Required. + string client_certificate_checksum_header = 2; +} + // The frontend config determines how the Fleetspeak frontend communicates with // clients and how it identifies them. message FrontendConfig { @@ -113,6 +150,8 @@ message FrontendConfig { MTlsConfig mtls_config = 7; HttpsHeaderConfig https_header_config = 8; HttpsHeaderChecksumConfig https_header_checksum_config = 9; + HttpHeaderConfig http_header_config = 10; + HttpHeaderChecksumConfig http_header_checksum_config = 11; } } diff --git a/fleetspeak/src/server/https/https.go b/fleetspeak/src/server/https/https.go index faca7055..371440ab 100644 --- a/fleetspeak/src/server/https/https.go +++ b/fleetspeak/src/server/https/https.go 
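Review bot: The comments on HttpHeaderConfig and HttpHeaderChecksumConfig omit the one precondition that makes header-carried identity safe in a cleartext deployment: the intermediary must overwrite (not merely add) the `client_certificate_header` and `client_certificate_checksum_header` values on every request, because in these modes the frontend has no TLS state of its own to cross-check against, and a header the client itself can set is not evidence of anything. I would add to each message comment a line such as `// The intermediary MUST overwrite these headers on every forwarded request; a value that can be supplied directly by the client does not identify it.` and, for the checksum variant, note that the checksum is what binds the client-supplied certificate to the TLS session the intermediary actually saw. `passed passed` in the HttpHeaderChecksumConfig comment is a duplicated word. The FrontendConfig oneof hunk that follows needs no change.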
@@ -112,33 +112,44 @@ func NewCommunicator(p Params) (*Communicator, error) { if err != nil { return nil, err } + httpServer := http.Server{ + Handler: mux, + TLSConfig: &tls.Config{ + ClientAuth: tls.RequestClientCert, + Certificates: []tls.Certificate{c}, + CipherSuites: []uint16{ + // We may as well allow only the strongest (as far as we can guess) + // ciphers. Note that TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is + // required by the https library. + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, + // Correctly implementing session tickets means sharing and rotating a + // secret key between servers, with implications if it leaks. Simply + // disable for the moment. + SessionTicketsDisabled: true, + MinVersion: tls.VersionTLS12, + NextProtos: []string{"h2"}, + }, + ReadTimeout: 20 * time.Minute, + ReadHeaderTimeout: 10 * time.Second, + WriteTimeout: 20 * time.Minute, + IdleTimeout: 30 * time.Second, + } + if p.FrontendConfig.GetHttpHeaderConfig() != nil || + p.FrontendConfig.GetHttpHeaderChecksumConfig() != nil { + httpServer = http.Server{ + Handler: mux, + ReadTimeout: 20 * time.Minute, + ReadHeaderTimeout: 10 * time.Second, + WriteTimeout: 20 * time.Minute, + IdleTimeout: 30 * time.Second, + } + } h := Communicator{ p: p, - hs: http.Server{ - Handler: mux, - TLSConfig: &tls.Config{ - ClientAuth: tls.RequestClientCert, - Certificates: []tls.Certificate{c}, - CipherSuites: []uint16{ - // We may as well allow only the strongest (as far as we can guess) - // ciphers. Note that TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is - // required by the https library. 
- tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, - // Correctly implementing session tickets means sharing and rotating a - // secret key between servers, with implications if it leaks. Simply - // disable for the moment. - SessionTicketsDisabled: true, - MinVersion: tls.VersionTLS12, - NextProtos: []string{"h2"}, - }, - ReadTimeout: 20 * time.Minute, - ReadHeaderTimeout: 10 * time.Second, - WriteTimeout: 20 * time.Minute, - IdleTimeout: 30 * time.Second, - }, + hs: httpServer, stopping: make(chan struct{}), } mux.Handle("/message", messageServer{&h}) From 53ad40985b9fdb3eefbd94d6a9ba1f8c9094df48 Mon Sep 17 00:00:00 2001 From: Dan Date: Fri, 27 Oct 2023 20:49:06 +0000 Subject: [PATCH 2/4] Adds tests for frontend clear text mode --- .../src/server/https/client_certificate.go | 13 ++ .../server/https/client_certificate_test.go | 128 ++++++++++++++++-- 2 files changed, 129 insertions(+), 12 deletions(-) diff --git a/fleetspeak/src/server/https/client_certificate.go b/fleetspeak/src/server/https/client_certificate.go index b4a372a4..08e6ad01 100644 --- a/fleetspeak/src/server/https/client_certificate.go +++ b/fleetspeak/src/server/https/client_certificate.go 
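Review bot: The cleartext branch leaves `httpServer.TLSConfig` nil, but `Start` (outside this hunk) still does `go c.serve(tls.NewListener(c.p.Listener, c.hs.TLSConfig))`, so in the new mode the listener is wrapped in a TLS server with a nil config instead of accepting plain HTTP; the listener choice needs the same mode check as the server construction. The key pair is also still loaded unconditionally just above the hunk (`c, err := tls.X509KeyPair(p.Cert, p.Key)` precedes the `if err != nil` at the top), so a cleartext deployment that omits `certificates`/`key` fails in NewCommunicator before this branch is reached. Building the full TLS server and then overwriting it with the cleartext one assigns every field twice; a `switch` on the mode with the TLS construction in the `default` case avoids that and keeps the X509KeyPair call inside the branch that uses it. NewCommunicator starts before and ends after this hunk.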
@@ -26,8 +26,21 @@ func GetClientCert(req *http.Request, frontendConfig *cpb.FrontendConfig) (*x509 switch { case frontendConfig.GetMtlsConfig() != nil: return getCertFromTLS(req) + case frontendConfig.GetHttpHeaderConfig() != nil: + return getCertFromHeader(frontendConfig.GetHttpHeaderConfig().GetClientCertificateHeader(), req.Header) case frontendConfig.GetHttpsHeaderConfig() != nil: return getCertFromHeader(frontendConfig.GetHttpsHeaderConfig().GetClientCertificateHeader(), req.Header) + case frontendConfig.GetHttpHeaderChecksumConfig() != nil: + cert, err := getCertFromHeader(frontendConfig.GetHttpHeaderChecksumConfig().GetClientCertificateHeader(), req.Header) + if err != nil { + return nil, err + } + err = verifyCertSha256Checksum(req.Header.Get(frontendConfig.GetHttpHeaderChecksumConfig().GetClientCertificateHeader()), + req.Header.Get(frontendConfig.GetHttpHeaderChecksumConfig().GetClientCertificateChecksumHeader())) + if err != nil { + return nil, err + } + return cert, nil case frontendConfig.GetHttpsHeaderChecksumConfig() != nil: cert, err := getCertFromHeader(frontendConfig.GetHttpsHeaderChecksumConfig().GetClientCertificateHeader(), req.Header) if err != nil { diff --git a/fleetspeak/src/server/https/client_certificate_test.go b/fleetspeak/src/server/https/client_certificate_test.go index c9f93f2a..17a53904 100644 --- a/fleetspeak/src/server/https/client_certificate_test.go +++ b/fleetspeak/src/server/https/client_certificate_test.go @@ -61,7 +61,7 @@ func calcClientCertChecksum(derBytes []byte) string { return base64EncodedStr } -func makeTestClient(t *testing.T) (common.ClientID, *http.Client, []byte, string) { +func makeTestClient(t *testing.T, clearText bool) (common.ClientID, *http.Client, []byte, string) { serverCert, _, err := comtesting.ServerCert() if err != nil { t.Fatal(err) 
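Review bot: The new `HttpHeaderChecksumConfig` case is a line-for-line copy of the `HttpsHeaderChecksumConfig` case below it, differing only in which config getter is called; both read the certificate header twice (once via getCertFromHeader, once via `req.Header.Get`) and the checksum header once. A small helper taking the two header names removes the duplication and gives one place to document that, in the cleartext modes, both values are only trustworthy if the intermediary overwrites them on every request. The return type below assumes getCertFromHeader yields the `*x509.Certificate` that GetClientCert's signature returns; GetClientCert's signature and the remaining cases are outside the hunk.
```go
	case frontendConfig.GetHttpHeaderChecksumConfig() != nil:
		cfg := frontendConfig.GetHttpHeaderChecksumConfig()
		return getCertFromHeaderWithChecksum(cfg.GetClientCertificateHeader(), cfg.GetClientCertificateChecksumHeader(), req.Header)
	case frontendConfig.GetHttpsHeaderChecksumConfig() != nil:
		cfg := frontendConfig.GetHttpsHeaderChecksumConfig()
		return getCertFromHeaderWithChecksum(cfg.GetClientCertificateHeader(), cfg.GetClientCertificateChecksumHeader(), req.Header)
	// … unchanged: remaining cases of the switch …

// getCertFromHeaderWithChecksum parses the certificate carried in certHeader
// and verifies it against the SHA256 checksum carried in checksumHeader.
// Both headers must be set by a trusted intermediary that overwrites any
// client-supplied copy; otherwise the checksum proves nothing.
func getCertFromHeaderWithChecksum(certHeader, checksumHeader string, h http.Header) (*x509.Certificate, error) {
	cert, err := getCertFromHeader(certHeader, h)
	if err != nil {
		return nil, err
	}
	if err := verifyCertSha256Checksum(h.Get(certHeader), h.Get(checksumHeader)); err != nil {
		return nil, err
	}
	return cert, nil
}
```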
@@ -104,20 +104,31 @@ func makeTestClient(t *testing.T) (common.ClientID, *http.Client, []byte, string t.Fatal(err) } - cl := http.Client{ - Transport: &http.Transport{ - TLSClientConfig: &tls.Config{ - RootCAs: cp, - Certificates: []tls.Certificate{clientCert}, - InsecureSkipVerify: true, - }, + httpTransport := http.Transport{ + TLSClientConfig: &tls.Config{ + RootCAs: cp, + Certificates: []tls.Certificate{clientCert}, + InsecureSkipVerify: true, + }, + Dial: (&net.Dialer{ + Timeout: 30 * time.Second, + KeepAlive: 30 * time.Second, + }).Dial, + TLSHandshakeTimeout: 10 * time.Second, + ExpectContinueTimeout: 1 * time.Second, + } + if clearText { + httpTransport = http.Transport{ Dial: (&net.Dialer{ Timeout: 30 * time.Second, KeepAlive: 30 * time.Second, }).Dial, TLSHandshakeTimeout: 10 * time.Second, ExpectContinueTimeout: 1 * time.Second, - }, + } + } + cl := http.Client{ + Transport: &httpTransport, } return id, &cl, bc, clientCertChecksum } @@ -163,7 +174,7 @@ func TestFrontendMode_MTLS(t *testing.T) { ts.StartTLS() defer ts.Close() - _, client, _, _ := makeTestClient(t) + _, client, _, _ := makeTestClient(t, false) res, err := client.Get(ts.URL) if err != nil { @@ -205,7 +216,7 @@ func TestFrontendMode_HEADER_TLS(t *testing.T) { ts.StartTLS() defer ts.Close() - _, client, bc, _ := makeTestClient(t) + _, client, bc, _ := makeTestClient(t, false) clientCert := url.PathEscape(string(bc)) req, err := http.NewRequest(http.MethodGet, ts.URL, nil) 
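Review bot: The `clearText` branch rebuilds the whole transport only to drop `TLSClientConfig`, while still setting `TLSHandshakeTimeout` on a client that will never handshake, and the two literals will drift apart as soon as one of them is edited. Building the transport once and attaching the TLS config conditionally is shorter: `if !clearText { httpTransport.TLSClientConfig = &tls.Config{RootCAs: cp, Certificates: []tls.Certificate{clientCert}, InsecureSkipVerify: true} }`. makeTestClient starts before this hunk.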
@@ -255,7 +266,100 @@ func TestFrontendMode_HEADER_TLS_CHECKSUM(t *testing.T) { ts.StartTLS() defer ts.Close() - _, client, bc, clientCertChecksum := makeTestClient(t) + _, client, bc, clientCertChecksum := makeTestClient(t, false) + + clientCert := url.PathEscape(string(bc)) + req, err := http.NewRequest(http.MethodGet, ts.URL, nil) + if err != nil { + t.Fatal(err) + } + req.Header.Set(clientCertHeader, clientCert) + req.Header.Set(clientCertChecksumHeader, clientCertChecksum) + + res, err := client.Do(req) + if err != nil { + t.Fatal(err) + } + defer res.Body.Close() + _, err = io.ReadAll(res.Body) + res.Body.Close() + if err != nil { + t.Fatal(err) + } +} + +func TestFrontendMode_HEADER_HTTP(t *testing.T) { + clientCertHeader := "ssl-client-cert" + frontendConfig := &cpb.FrontendConfig{ + FrontendMode: &cpb.FrontendConfig_HttpHeaderConfig{ + HttpHeaderConfig: &cpb.HttpHeaderConfig{ + ClientCertificateHeader: clientCertHeader, + }, + }, + } + ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { + // test the valid frontend mode combination of receiving the client cert in the header + cert, err := GetClientCert(req, frontendConfig) + if err != nil { + t.Fatal(err) + } + // make sure we received the client cert in the header + if cert == nil { + t.Error("Expected client certificate but received none") + } + fmt.Fprintln(w, "Testing Frontend Mode: HEADER_HEADER") + })) + ts.Start() + defer ts.Close() + + _, client, bc, _:= makeTestClient(t, false) + + clientCert := url.PathEscape(string(bc)) + req, err := http.NewRequest(http.MethodGet, ts.URL, nil) + if err != nil { + t.Fatal(err) + } + req.Header.Set(clientCertHeader, clientCert) + + res, err := client.Do(req) + if err != nil { + t.Fatal(err) + } + defer res.Body.Close() + _, err = io.ReadAll(res.Body) + res.Body.Close() + if err != nil { + t.Fatal(err) + } +} + +func TestFrontendMode_HEADER_HTTP_CHECKSUM(t *testing.T) { + clientCertHeader := "ssl-client-cert" + 
clientCertChecksumHeader := "ssl-client-cert-checksum" + frontendConfig := &cpb.FrontendConfig{ + FrontendMode: &cpb.FrontendConfig_HttpHeaderChecksumConfig{ + HttpHeaderChecksumConfig: &cpb.HttpHeaderChecksumConfig{ + ClientCertificateHeader: clientCertHeader, + ClientCertificateChecksumHeader: clientCertChecksumHeader, + }, + }, + } + ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { + // test the valid frontend mode combination of receiving the client cert in the header + cert, err := GetClientCert(req, frontendConfig) + if err != nil { + t.Fatal(err) + } + // make sure we received the client cert in the header + if cert == nil { + t.Error("Expected client certificate but received none") + } + fmt.Fprintln(w, "Testing Frontend Mode: HEADER_CHECKSUM") + })) + ts.Start() + defer ts.Close() + + _, client, bc, clientCertChecksum := makeTestClient(t, true) clientCert := url.PathEscape(string(bc)) req, err := http.NewRequest(http.MethodGet, ts.URL, nil) From 2340a97756cdc38ac71a1abdc4a19d3bb835507f Mon Sep 17 00:00:00 2001 From: Dan Date: Tue, 31 Oct 2023 15:50:52 +0000 Subject: [PATCH 3/4] Adds communicator test cases --- .../src/server/components/components.go | 14 +- .../proto/fleetspeak_components/config.pb.go | 10 +- .../proto/fleetspeak_components/config.proto | 10 +- fleetspeak/src/server/https/https.go | 88 ++++---- fleetspeak/src/server/https/https_test.go | 204 ++++++++++++++++-- 5 files changed, 256 insertions(+), 70 deletions(-) diff --git a/fleetspeak/src/server/components/components.go b/fleetspeak/src/server/components/components.go index 4bb4f9d0..4fa68ac8 100644 --- a/fleetspeak/src/server/components/components.go +++ b/fleetspeak/src/server/components/components.go 
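Review bot: In both new tests `t.Fatal(err)` is called from inside the httptest handler, which runs on a server goroutine; `FailNow` may only be called from the goroutine running the test, so this should be `t.Error(err); return` (the `cert == nil` branch beside it already uses `t.Error`). The existing handlers above appear to follow the same pattern, so this may be pre-existing, but the copies should not add to it. The two cleartext tests also build different clients for the same `ts.Start()` plain-HTTP server (`makeTestClient(t, false)` in HEADER_HTTP, `makeTestClient(t, true)` in HEADER_HTTP_CHECKSUM), close the response body twice (`defer res.Body.Close()` plus an explicit `res.Body.Close()`), and the HEADER_HTTP handler prints `HEADER_HEADER`. Neither test covers the rejection path — a request with the header absent, or with a checksum that does not match the certificate — which is the property the checksum mode exists to provide; one negative case per mode asserting a non-nil error from GetClientCert would close that gap.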
@@ -56,8 +56,18 @@ func MakeComponents(cfg *cpb.Config) (*server.Components, error) { return nil, errors.New("mysql_data_source_name is required") } hcfg := cfg.HttpsConfig - if hcfg != nil && (hcfg.ListenAddress == "" || hcfg.Certificates == "" || hcfg.Key == "") { - return nil, errors.New("https_config requires listen_address, certificates and key") + if hcfg != nil { + switch { + case hcfg.GetFrontendConfig().GetHttpHeaderConfig() != nil, + hcfg.GetFrontendConfig().GetHttpHeaderChecksumConfig() != nil: + if hcfg.ListenAddress == "" { + return nil, errors.New("http_config requires listen_address") + } + default: + if (hcfg.ListenAddress == "" || hcfg.Certificates == "" || hcfg.Key == "") { + return nil, errors.New("https_config requires listen_address, certificates and key") + } + } } acfg := cfg.AdminConfig diff --git a/fleetspeak/src/server/components/proto/fleetspeak_components/config.pb.go b/fleetspeak/src/server/components/proto/fleetspeak_components/config.pb.go index b5298c7f..0efc59bb 100644 --- a/fleetspeak/src/server/components/proto/fleetspeak_components/config.pb.go +++ b/fleetspeak/src/server/components/proto/fleetspeak_components/config.pb.go @@ -343,7 +343,7 @@ func (x *HttpsHeaderChecksumConfig) GetClientCertificateChecksumHeader() string return "" } -// In this mode Fleetspeak runs in clear text (HTTP). This for example allows +// In this mode Fleetspeak runs in clear text (HTTP). This allows for // Fleetspeak to be deployed in a Service Mesh behind a side car proxy that // offers a secure communications channel. // Fleetspeak accepts a TLS connection from an intermediate actor which 
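Review bot: The error returned for the cleartext modes names `http_config`, but the field being validated is `https_config` (see the `hcfg := cfg.HttpsConfig` context line above), so an operator searching their config for that key finds nothing; `return nil, errors.New("https_config requires listen_address when a cleartext frontend mode is configured")` points at the right place. The parentheses around the default-case condition are redundant and gofmt normally strips them, which suggests the file was not formatted after the edit. Because the cleartext case ignores `certificates` and `key`, it is worth considering an error or at least a log line when those are set alongside a cleartext mode, so a configuration that silently stops serving TLS is visible rather than accepted.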
@@ -401,7 +401,7 @@ func (x *HttpHeaderConfig) GetClientCertificateHeader() string { return "" } -// In this mode Fleetspeak runs in clear text (HTTP). This for example allows +// In this mode Fleetspeak runs in clear text (HTTP). This allows for // Fleetspeak to be deployed in a Service Mesh behind a side car proxy that // offers a secure communications channel. // Fleetspeak accepts a TLS connection from an intermediate actor which @@ -613,10 +613,12 @@ type HttpsConfig struct { // "localhost:1234". Required. ListenAddress string `protobuf:"bytes,1,opt,name=listen_address,json=listenAddress,proto3" json:"listen_address,omitempty"` // A certificate chain which identifies the server to clients. Must lead to a - // certificate known to the clients. x509 format. Required. + // certificate known to the clients. x509 format. Required, if frontend mode is + // not cleartext (ie neither HttpHeaderConfig nor HttpHeaderChecksumConfig) Certificates string `protobuf:"bytes,2,opt,name=certificates,proto3" json:"certificates,omitempty"` // The private key used to identify the server. Must match the first entry in - // certificates. x509 format. Required. + // certificates. x509 format. Required, if frontend mode is not cleartext + // (ie neither HttpHeaderConfig nor HttpHeaderChecksumConfig) Key string `protobuf:"bytes,3,opt,name=key,proto3" json:"key,omitempty"` // If set, disables long running (streaming) connections. This type of // connection causes more active connections but can reduce database load and diff --git a/fleetspeak/src/server/components/proto/fleetspeak_components/config.proto b/fleetspeak/src/server/components/proto/fleetspeak_components/config.proto index 6b25d039..099a30cd 100644 --- a/fleetspeak/src/server/components/proto/fleetspeak_components/config.proto +++ b/fleetspeak/src/server/components/proto/fleetspeak_components/config.proto 
@@ -101,7 +101,7 @@ message HttpsHeaderChecksumConfig { string client_certificate_checksum_header = 2; } -// In this mode Fleetspeak runs in clear text (HTTP). This for example allows +// In this mode Fleetspeak runs in clear text (HTTP). This allows for // Fleetspeak to be deployed in a Service Mesh behind a side car proxy that // offers a secure communications channel. // Fleetspeak accepts a TLS connection from an intermediate actor which @@ -116,7 +116,7 @@ message HttpHeaderConfig { string client_certificate_header = 1; } -// In this mode Fleetspeak runs in clear text (HTTP). This for example allows +// In this mode Fleetspeak runs in clear text (HTTP). This allows for // Fleetspeak to be deployed in a Service Mesh behind a side car proxy that // offers a secure communications channel. // Fleetspeak accepts a TLS connection from an intermediate actor which @@ -163,11 +163,13 @@ message HttpsConfig { string listen_address = 1; // A certificate chain which identifies the server to clients. Must lead to a - // certificate known to the clients. x509 format. Required. + // certificate known to the clients. x509 format. Required, if frontend mode is + // not cleartext (ie neither HttpHeaderConfig nor HttpHeaderChecksumConfig) string certificates = 2; // The private key used to identify the server. Must match the first entry in - // certificates. x509 format. Required. + // certificates. x509 format. Required, if frontend mode is not cleartext + // (ie neither HttpHeaderConfig nor HttpHeaderChecksumConfig) string key = 3; // If set, disables long running (streaming) connections. This type of diff --git a/fleetspeak/src/server/https/https.go b/fleetspeak/src/server/https/https.go index 371440ab..dcbd520d 100644 --- a/fleetspeak/src/server/https/https.go +++ b/fleetspeak/src/server/https/https.go 
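Review bot: The new `certificates`/`key` comments in the `@@ -163,11 +163,13 @@` hunk read `Required, if frontend mode is not cleartext (ie neither HttpHeaderConfig nor HttpHeaderChecksumConfig)` with no terminal period and `ie` for `i.e.`; the same text is mirrored in the generated config.pb.go hunks above. A tighter form: `// Required unless the frontend mode is cleartext (HttpHeaderConfig or HttpHeaderChecksumConfig), in which case the value is ignored.` That also tells the reader the field is ignored in that mode rather than merely optional, which matches what NewCommunicator in https.go now does with it.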
@@ -108,44 +108,47 @@ func NewCommunicator(p Params) (*Communicator, error) { } mux := http.NewServeMux() - c, err := tls.X509KeyPair(p.Cert, p.Key) - if err != nil { - return nil, err - } - httpServer := http.Server{ - Handler: mux, - TLSConfig: &tls.Config{ - ClientAuth: tls.RequestClientCert, - Certificates: []tls.Certificate{c}, - CipherSuites: []uint16{ - // We may as well allow only the strongest (as far as we can guess) - // ciphers. Note that TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is - // required by the https library. - tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, - // Correctly implementing session tickets means sharing and rotating a - // secret key between servers, with implications if it leaks. Simply - // disable for the moment. - SessionTicketsDisabled: true, - MinVersion: tls.VersionTLS12, - NextProtos: []string{"h2"}, - }, - ReadTimeout: 20 * time.Minute, - ReadHeaderTimeout: 10 * time.Second, - WriteTimeout: 20 * time.Minute, - IdleTimeout: 30 * time.Second, - } - if p.FrontendConfig.GetHttpHeaderConfig() != nil || - p.FrontendConfig.GetHttpHeaderChecksumConfig() != nil { - httpServer = http.Server{ - Handler: mux, - ReadTimeout: 20 * time.Minute, - ReadHeaderTimeout: 10 * time.Second, - WriteTimeout: 20 * time.Minute, - IdleTimeout: 30 * time.Second, - } + var httpServer http.Server + switch { + case p.FrontendConfig.GetHttpHeaderConfig() != nil, + p.FrontendConfig.GetHttpHeaderChecksumConfig() != nil: + httpServer = http.Server{ + Handler: mux, + ReadTimeout: 20 * time.Minute, + ReadHeaderTimeout: 10 * time.Second, + WriteTimeout: 20 * time.Minute, + IdleTimeout: 30 * time.Second, + } + default: + c, err := tls.X509KeyPair(p.Cert, p.Key) + if err != nil { + return nil, err + } + httpServer = http.Server{ + Handler: mux, + TLSConfig: &tls.Config{ + ClientAuth: tls.RequestClientCert, + Certificates: 
[]tls.Certificate{c}, + CipherSuites: []uint16{ + // We may as well allow only the strongest (as far as we can guess) + // ciphers. Note that TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is + // required by the https library. + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, + // Correctly implementing session tickets means sharing and rotating a + // secret key between servers, with implications if it leaks. Simply + // disable for the moment. + SessionTicketsDisabled: true, + MinVersion: tls.VersionTLS12, + NextProtos: []string{"h2"}, + }, + ReadTimeout: 20 * time.Minute, + ReadHeaderTimeout: 10 * time.Second, + WriteTimeout: 20 * time.Minute, + IdleTimeout: 30 * time.Second, + } } h := Communicator{ p: p, @@ -182,8 +185,13 @@ func (c *Communicator) Setup(fs comms.Context) error { } func (c *Communicator) Start() error { - go c.serve(tls.NewListener(c.p.Listener, c.hs.TLSConfig)) - + switch { + case c.p.FrontendConfig.GetHttpHeaderConfig() != nil, + c.p.FrontendConfig.GetHttpHeaderChecksumConfig() != nil: + go c.serve(c.p.Listener) + default: + go c.serve(tls.NewListener(c.p.Listener, c.hs.TLSConfig)) + } c.runningLock.Lock() defer c.runningLock.Unlock() c.running = true diff --git a/fleetspeak/src/server/https/https_test.go b/fleetspeak/src/server/https/https_test.go index b8027dd3..a2fabe99 100644 --- a/fleetspeak/src/server/https/https_test.go +++ b/fleetspeak/src/server/https/https_test.go @@ -105,7 +105,7 @@ func clientCertFingerprint(derBytes []byte) string { return base64EncodedStr } -func makeClient(t *testing.T) (common.ClientID, *http.Client, []byte, string) { +func makeClient(t *testing.T, doTls bool) (common.ClientID, *http.Client, []byte, string) { // Populate a CertPool with the server's certificate. cp := x509.NewCertPool() if !cp.AppendCertsFromPEM(serverCert) { 
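Review bot: The cleartext-mode test `GetHttpHeaderConfig() != nil || GetHttpHeaderChecksumConfig() != nil` is now written three times — here in NewCommunicator, in Start in the second hunk, and in components.go — and any further oneof value would have to be threaded through all of them. In Start the server already carries the answer, so the switch can become `if c.hs.TLSConfig == nil { go c.serve(c.p.Listener) } else { go c.serve(tls.NewListener(c.p.Listener, c.hs.TLSConfig)) }`, and NewCommunicator could share a single `isCleartext(fc *cpb.FrontendConfig) bool` helper with the config validation. Since this branch deliberately serves plain HTTP with identity taken from request headers, a warning-level log line at startup naming the mode and listen address would make an unintended cleartext deployment visible in the server logs. The cleartext server also omits `NextProtos: h2`, so unless an h2c handler is wired in it serves HTTP/1.1 only; that is fine for the tests but worth a comment if the intended proxy speaks h2c to the backend. NewCommunicator starts before the first hunk and Start continues past the second.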
@@ -143,20 +143,32 @@ func makeClient(t *testing.T) (common.ClientID, *http.Client, []byte, string) { if err != nil { t.Fatal(err) } - - cl := http.Client{ - Transport: &http.Transport{ - TLSClientConfig: &tls.Config{ - RootCAs: cp, - Certificates: []tls.Certificate{clientCert}, + var cl http.Client + if doTls { + cl = http.Client{ + Transport: &http.Transport{ + TLSClientConfig: &tls.Config{ + RootCAs: cp, + Certificates: []tls.Certificate{clientCert}, + }, + Dial: (&net.Dialer{ + Timeout: 30 * time.Second, + KeepAlive: 30 * time.Second, + }).Dial, + TLSHandshakeTimeout: 10 * time.Second, + ExpectContinueTimeout: 1 * time.Second, }, - Dial: (&net.Dialer{ - Timeout: 30 * time.Second, - KeepAlive: 30 * time.Second, - }).Dial, - TLSHandshakeTimeout: 10 * time.Second, - ExpectContinueTimeout: 1 * time.Second, - }, + } + } else { + cl = http.Client{ + Transport: &http.Transport{ + Dial: (&net.Dialer{ + Timeout: 30 * time.Second, + KeepAlive: 30 * time.Second, + }).Dial, + ExpectContinueTimeout: 1 * time.Second, + }, + } } return id, &cl, bc, fp } @@ -165,7 +177,7 @@ func TestNormalPoll(t *testing.T) { ctx := context.Background() s, ds, addr := makeServer(t, "Normal", nil) - id, cl, _, _ := makeClient(t) + id, cl, _, _ := makeClient(t, true) defer s.Stop() u := url.URL{Scheme: "https", Host: addr, Path: "/message"} @@ -200,7 +212,7 @@ func TestNormalPoll(t *testing.T) { func TestFile(t *testing.T) { ctx := context.Background() s, ds, addr := makeServer(t, "File", nil) - _, cl, _, _ := makeClient(t) + _, cl, _, _ := makeClient(t, true) defer s.Stop() data := []byte("The quick sly fox jumped over the lazy dogs.") @@ -269,7 +281,7 @@ func readContact(body *bufio.Reader) (*fspb.ContactData, error) { func TestStreaming(t *testing.T) { ctx := context.Background() s, _, addr := makeServer(t, "Streaming", nil) - _, cl, _, _ := makeClient(t) + _, cl, _, _ := makeClient(t, true) defer s.Stop() br, bw := io.Pipe() 
@@ -339,7 +351,7 @@ func TestHeaderNormalPoll(t *testing.T) { } s, ds, addr := makeServer(t, "Normal", frontendConfig) - id, cl, bc, _ := makeClient(t) + id, cl, bc, _ := makeClient(t, true) defer s.Stop() u := url.URL{Scheme: "https", Host: addr, Path: "/message"} @@ -392,7 +404,7 @@ func TestHeaderStreaming(t *testing.T) { } s, _, addr := makeServer(t, "Streaming", frontendConfig) - _, cl, bc, _ := makeClient(t) + _, cl, bc, _ := makeClient(t, true) defer s.Stop() br, bw := io.Pipe() @@ -467,7 +479,7 @@ func TestHeaderStreamingChecksum(t *testing.T) { } s, _, addr := makeServer(t, "Streaming", frontendConfig) - _, cl, bc, fp := makeClient(t) + _, cl, bc, fp := makeClient(t, true) defer s.Stop() br, bw := io.Pipe() 
@@ -531,3 +543,155 @@ func TestHeaderStreamingChecksum(t *testing.T) { bw.Close() resp.Body.Close() } + +func TestHttpHeaderStreaming(t *testing.T) { + ctx := context.Background() + clientCertHeader := "ssl-client-cert" + frontendConfig := &cpb.FrontendConfig{ + FrontendMode: &cpb.FrontendConfig_HttpHeaderConfig{ + HttpHeaderConfig: &cpb.HttpHeaderConfig{ + ClientCertificateHeader: clientCertHeader, + }, + }, + } + + s, _, addr := makeServer(t, "Streaming", frontendConfig) + _, cl, bc, _ := makeClient(t, false) + defer s.Stop() + + br, bw := io.Pipe() + go func() { + // First exchange - these writes must happen during the http.Client.Do call + // below, because the server writes headers at the end of the first message + // exchange. + + // Start with the magic number: + binary.Write(bw, binary.LittleEndian, magic) + + if _, err := bw.Write(makeWrapped()); err != nil { + t.Error(err) + } + }() + + u := url.URL{Scheme: "http", Host: addr, Path: "/streaming-message"} + req, err := http.NewRequest("POST", u.String(), br) + req.ContentLength = -1 + req.Close = true + req.Header.Set("Expect", "100-continue") + + cc := url.PathEscape(string(bc)) + req.Header.Set(clientCertHeader, cc) + if err != nil { + t.Fatal(err) + } + req = req.WithContext(ctx) + resp, err := cl.Do(req) + if err != nil { + t.Fatalf("Streaming post failed (%v): %v", resp, err) + } + // Read ContactData for first exchange. + body := bufio.NewReader(resp.Body) + cd, err := readContact(body) + if err != nil { + t.Error(err) + } + if cd.AckIndex != 0 { + t.Errorf("AckIndex of initial exchange should be unset, got %d", cd.AckIndex) + } + + for i := uint64(1); i < 10; i++ { + // Write another WrappedContactData. 
+ if _, err := bw.Write(makeWrapped()); err != nil { + t.Error(err) + } + cd, err := readContact(body) + if err != nil { + t.Error(err) + } + if cd.AckIndex != i { + t.Errorf("Received ack for contact %d, but expected %d", cd.AckIndex, i) + } + } + + bw.Close() + resp.Body.Close() +} + +func TestHttpHeaderStreamingChecksum(t *testing.T) { + ctx := context.Background() + clientCertHeader := "ssl-client-cert" + clientCertChecksumHeader := "ssl-client-cert-checksum" + frontendConfig := &cpb.FrontendConfig{ + FrontendMode: &cpb.FrontendConfig_HttpHeaderChecksumConfig{ + HttpHeaderChecksumConfig: &cpb.HttpHeaderChecksumConfig{ + ClientCertificateHeader: clientCertHeader, + ClientCertificateChecksumHeader: clientCertChecksumHeader, + }, + }, + } + + s, _, addr := makeServer(t, "Streaming", frontendConfig) + _, cl, bc, fp := makeClient(t, false) + defer s.Stop() + + br, bw := io.Pipe() + go func() { + // First exchange - these writes must happen during the http.Client.Do call + // below, because the server writes headers at the end of the first message + // exchange. + + // Start with the magic number: + binary.Write(bw, binary.LittleEndian, magic) + + if _, err := bw.Write(makeWrapped()); err != nil { + t.Error(err) + } + }() + + u := url.URL{Scheme: "http", Host: addr, Path: "/streaming-message"} + req, err := http.NewRequest("POST", u.String(), br) + if err != nil { + t.Fatal(err) + } + req.ContentLength = -1 + req.Close = true + req.Header.Set("Expect", "100-continue") + + cc := url.PathEscape(string(bc)) + req.Header.Set(clientCertHeader, cc) + req.Header.Set(clientCertChecksumHeader, fp) + req = req.WithContext(ctx) + resp, err := cl.Do(req) + if err != nil { + t.Fatalf("Streaming post failed (%v): %v", resp, err) + } + // Read ContactData for first exchange. 
+ body := bufio.NewReader(resp.Body) + cd, err := readContact(body) + if cd == nil { + t.Fatalf("Read Contact returned nil: %v", err) + } + if err != nil { + t.Error(err) + } + if cd.AckIndex != 0 { + t.Errorf("AckIndex of initial exchange should be unset, got %d", cd.AckIndex) + } + + for i := uint64(1); i < 10; i++ { + // Write another WrappedContactData. + if _, err := bw.Write(makeWrapped()); err != nil { + t.Error(err) + } + cd, err := readContact(body) + if err != nil { + t.Error(err) + } + if cd.AckIndex != i { + t.Errorf("Received ack for contact %d, but expected %d", cd.AckIndex, i) + } + } + + bw.Close() + resp.Body.Close() +} From 9215591dc8fdb3d016fdef82f5baec48e5132847 Mon Sep 17 00:00:00 2001 From: Dan Date: Wed, 8 Nov 2023 10:07:06 +0000 Subject: [PATCH 4/4] Addresses reviewer feedback --- .../src/server/components/components.go | 4 +- .../proto/fleetspeak_components/config.pb.go | 267 +++++++++--------- .../proto/fleetspeak_components/config.proto | 12 +- .../src/server/https/client_certificate.go | 12 +- .../server/https/client_certificate_test.go | 15 +- fleetspeak/src/server/https/https.go | 66 ++--- fleetspeak/src/server/https/https_test.go | 12 +- 7 files changed, 190 insertions(+), 198 deletions(-) diff --git a/fleetspeak/src/server/components/components.go b/fleetspeak/src/server/components/components.go index 4fa68ac8..cec90e49 100644 --- a/fleetspeak/src/server/components/components.go +++ b/fleetspeak/src/server/components/components.go @@ -58,8 +58,8 @@ func MakeComponents(cfg *cpb.Config) (*server.Components, error) { hcfg := cfg.HttpsConfig if hcfg != nil { switch { - case hcfg.GetFrontendConfig().GetHttpHeaderConfig() != nil, - hcfg.GetFrontendConfig().GetHttpHeaderChecksumConfig() != nil: + case hcfg.GetFrontendConfig().GetCleartextHeaderConfig() != nil, + hcfg.GetFrontendConfig().GetCleartextHeaderChecksumConfig() != nil: if hcfg.ListenAddress == "" { return nil, errors.New("http_config requires listen_address") } 
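Review bot: In TestHttpHeaderStreaming, `req, err := http.NewRequest(...)` is followed by `req.ContentLength = -1`, `req.Close = true` and two `req.Header.Set` calls before `err` is examined, so a failed constructor dereferences a nil request instead of reaching `t.Fatal(err)`; move the `if err != nil { t.Fatal(err) }` directly under the NewRequest line, as TestHttpHeaderStreamingChecksum already does. The result of `binary.Write(bw, binary.LittleEndian, magic)` is discarded in both goroutines; the line is copied from the existing streaming tests so the pattern is pre-existing, but `if err := binary.Write(bw, binary.LittleEndian, magic); err != nil { t.Error(err) }` costs nothing. Both tests exercise only the accept path; a case with the certificate header absent, and one with a checksum header that does not match, asserting that the request is rejected (the exact status the frontend emits is not visible here) would pin the property the cleartext modes depend on.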
diff --git a/fleetspeak/src/server/components/proto/fleetspeak_components/config.pb.go b/fleetspeak/src/server/components/proto/fleetspeak_components/config.pb.go index 0efc59bb..d61aa613 100644 --- a/fleetspeak/src/server/components/proto/fleetspeak_components/config.pb.go +++ b/fleetspeak/src/server/components/proto/fleetspeak_components/config.pb.go @@ -352,7 +352,7 @@ func (x *HttpsHeaderChecksumConfig) GetClientCertificateChecksumHeader() string // original TLS connection to the frontend via an HTTP header. // The Fleetspeak frontend uses the certificate passed in this header to // identify the client. -type HttpHeaderConfig struct { +type CleartextHeaderConfig struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields @@ -362,8 +362,8 @@ type HttpHeaderConfig struct { ClientCertificateHeader string `protobuf:"bytes,1,opt,name=client_certificate_header,json=clientCertificateHeader,proto3" json:"client_certificate_header,omitempty"` } -func (x *HttpHeaderConfig) Reset() { - *x = HttpHeaderConfig{} +func (x *CleartextHeaderConfig) Reset() { + *x = CleartextHeaderConfig{} if protoimpl.UnsafeEnabled { mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) @@ -371,13 +371,13 @@ func (x *HttpHeaderConfig) Reset() { } } -func (x *HttpHeaderConfig) String() string { +func (x *CleartextHeaderConfig) String() string { return protoimpl.X.MessageStringOf(x) } -func (*HttpHeaderConfig) ProtoMessage() {} +func (*CleartextHeaderConfig) ProtoMessage() {} -func (x *HttpHeaderConfig) ProtoReflect() protoreflect.Message { +func (x *CleartextHeaderConfig) ProtoReflect() protoreflect.Message { mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[4] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -389,12 +389,12 @@ func (x *HttpHeaderConfig) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use HttpHeaderConfig.ProtoReflect.Descriptor instead. -func (*HttpHeaderConfig) Descriptor() ([]byte, []int) { +// Deprecated: Use CleartextHeaderConfig.ProtoReflect.Descriptor instead. +func (*CleartextHeaderConfig) Descriptor() ([]byte, []int) { return file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_rawDescGZIP(), []int{4} } -func (x *HttpHeaderConfig) GetClientCertificateHeader() string { +func (x *CleartextHeaderConfig) GetClientCertificateHeader() string { if x != nil { return x.ClientCertificateHeader } @@ -414,7 +414,7 @@ func (x *HttpHeaderConfig) GetClientCertificateHeader() string { // The Fleetspeak frontend uses the certificate passed passed from the client // to identify it, and uses the hash from the intermediate actor to verify that // this certificate was in fact used in the original TLS connection. -type HttpHeaderChecksumConfig struct { +type CleartextHeaderChecksumConfig struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields @@ -427,8 +427,8 @@ type HttpHeaderChecksumConfig struct { ClientCertificateChecksumHeader string `protobuf:"bytes,2,opt,name=client_certificate_checksum_header,json=clientCertificateChecksumHeader,proto3" json:"client_certificate_checksum_header,omitempty"` } -func (x *HttpHeaderChecksumConfig) Reset() { - *x = HttpHeaderChecksumConfig{} +func (x *CleartextHeaderChecksumConfig) Reset() { + *x = CleartextHeaderChecksumConfig{} if protoimpl.UnsafeEnabled { mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[5] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -436,13 +436,13 @@ func (x *HttpHeaderChecksumConfig) Reset() { } } -func (x *HttpHeaderChecksumConfig) String() string { +func (x *CleartextHeaderChecksumConfig) String() string { return protoimpl.X.MessageStringOf(x) } -func (*HttpHeaderChecksumConfig) ProtoMessage() {} +func (*CleartextHeaderChecksumConfig) ProtoMessage() {} -func (x *HttpHeaderChecksumConfig) ProtoReflect() protoreflect.Message { +func (x *CleartextHeaderChecksumConfig) ProtoReflect() protoreflect.Message { mi := &file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[5] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) @@ -454,19 +454,19 @@ func (x *HttpHeaderChecksumConfig) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use HttpHeaderChecksumConfig.ProtoReflect.Descriptor instead. -func (*HttpHeaderChecksumConfig) Descriptor() ([]byte, []int) { +// Deprecated: Use CleartextHeaderChecksumConfig.ProtoReflect.Descriptor instead. +func (*CleartextHeaderChecksumConfig) Descriptor() ([]byte, []int) { return file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_rawDescGZIP(), []int{5} } -func (x *HttpHeaderChecksumConfig) GetClientCertificateHeader() string { +func (x *CleartextHeaderChecksumConfig) GetClientCertificateHeader() string { if x != nil { return x.ClientCertificateHeader } return "" } -func (x *HttpHeaderChecksumConfig) GetClientCertificateChecksumHeader() string { +func (x *CleartextHeaderChecksumConfig) GetClientCertificateChecksumHeader() string { if x != nil { return x.ClientCertificateChecksumHeader } 
@@ -491,8 +491,8 @@ type FrontendConfig struct { // *FrontendConfig_MtlsConfig // *FrontendConfig_HttpsHeaderConfig // *FrontendConfig_HttpsHeaderChecksumConfig - // *FrontendConfig_HttpHeaderConfig - // *FrontendConfig_HttpHeaderChecksumConfig + // *FrontendConfig_CleartextHeaderConfig + // *FrontendConfig_CleartextHeaderChecksumConfig FrontendMode isFrontendConfig_FrontendMode `protobuf_oneof:"frontend_mode"` } @@ -556,16 +556,16 @@ func (x *FrontendConfig) GetHttpsHeaderChecksumConfig() *HttpsHeaderChecksumConf return nil } -func (x *FrontendConfig) GetHttpHeaderConfig() *HttpHeaderConfig { - if x, ok := x.GetFrontendMode().(*FrontendConfig_HttpHeaderConfig); ok { - return x.HttpHeaderConfig +func (x *FrontendConfig) GetCleartextHeaderConfig() *CleartextHeaderConfig { + if x, ok := x.GetFrontendMode().(*FrontendConfig_CleartextHeaderConfig); ok { + return x.CleartextHeaderConfig } return nil } -func (x *FrontendConfig) GetHttpHeaderChecksumConfig() *HttpHeaderChecksumConfig { - if x, ok := x.GetFrontendMode().(*FrontendConfig_HttpHeaderChecksumConfig); ok { - return x.HttpHeaderChecksumConfig +func (x *FrontendConfig) GetCleartextHeaderChecksumConfig() *CleartextHeaderChecksumConfig { + if x, ok := x.GetFrontendMode().(*FrontendConfig_CleartextHeaderChecksumConfig); ok { + return x.CleartextHeaderChecksumConfig } return nil } 
@@ -586,12 +586,12 @@ type FrontendConfig_HttpsHeaderChecksumConfig struct { HttpsHeaderChecksumConfig *HttpsHeaderChecksumConfig `protobuf:"bytes,9,opt,name=https_header_checksum_config,json=httpsHeaderChecksumConfig,proto3,oneof"` } -type FrontendConfig_HttpHeaderConfig struct { - HttpHeaderConfig *HttpHeaderConfig `protobuf:"bytes,10,opt,name=http_header_config,json=httpHeaderConfig,proto3,oneof"` +type FrontendConfig_CleartextHeaderConfig struct { + CleartextHeaderConfig *CleartextHeaderConfig `protobuf:"bytes,10,opt,name=cleartext_header_config,json=cleartextHeaderConfig,proto3,oneof"` } -type FrontendConfig_HttpHeaderChecksumConfig struct { - HttpHeaderChecksumConfig *HttpHeaderChecksumConfig `protobuf:"bytes,11,opt,name=http_header_checksum_config,json=httpHeaderChecksumConfig,proto3,oneof"` +type FrontendConfig_CleartextHeaderChecksumConfig struct { + CleartextHeaderChecksumConfig *CleartextHeaderChecksumConfig `protobuf:"bytes,11,opt,name=cleartext_header_checksum_config,json=cleartextHeaderChecksumConfig,proto3,oneof"` } func (*FrontendConfig_MtlsConfig) isFrontendConfig_FrontendMode() {} @@ -600,9 +600,9 @@ func (*FrontendConfig_HttpsHeaderConfig) isFrontendConfig_FrontendMode() {} func (*FrontendConfig_HttpsHeaderChecksumConfig) isFrontendConfig_FrontendMode() {} -func (*FrontendConfig_HttpHeaderConfig) isFrontendConfig_FrontendMode() {} +func (*FrontendConfig_CleartextHeaderConfig) isFrontendConfig_FrontendMode() {} -func (*FrontendConfig_HttpHeaderChecksumConfig) isFrontendConfig_FrontendMode() {} +func (*FrontendConfig_CleartextHeaderChecksumConfig) isFrontendConfig_FrontendMode() {} type HttpsConfig struct { state protoimpl.MessageState 
@@ -614,11 +614,11 @@ type HttpsConfig struct { ListenAddress string `protobuf:"bytes,1,opt,name=listen_address,json=listenAddress,proto3" json:"listen_address,omitempty"` // A certificate chain which identifies the server to clients. Must lead to a // certificate known to the clients. x509 format. Required, if frontend mode is - // not cleartext (ie neither HttpHeaderConfig nor HttpHeaderChecksumConfig) + // not cleartext (ie neither CleartextHeaderConfig nor CleartextHeaderChecksumConfig) Certificates string `protobuf:"bytes,2,opt,name=certificates,proto3" json:"certificates,omitempty"` // The private key used to identify the server. Must match the first entry in // certificates. x509 format. Required, if frontend mode is not cleartext - // (ie neither HttpHeaderConfig nor HttpHeaderChecksumConfig) + // (ie neither CleartextHeaderConfig nor CleartextHeaderChecksumConfig) Key string `protobuf:"bytes,3,opt,name=key,proto3" json:"key,omitempty"` // If set, disables long running (streaming) connections. This type of // connection causes more active connections but can reduce database load and 
@@ -910,86 +910,89 @@ var file_fleetspeak_src_server_components_proto_fleetspeak_components_config_pro 0x61, 0x74, 0x65, 0x5f, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x1f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x65, 0x63, - 0x6b, 0x73, 0x75, 0x6d, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x22, 0x4e, 0x0a, 0x10, 0x48, 0x74, - 0x74, 0x70, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x3a, - 0x0a, 0x19, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x65, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x17, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x65, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x22, 0xa3, 0x01, 0x0a, 0x18, 0x48, - 0x74, 0x74, 0x70, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, - 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x3a, 0x0a, 0x19, 0x63, 0x6c, 0x69, 0x65, 0x6e, - 0x74, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x68, 0x65, - 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x17, 0x63, 0x6c, 0x69, 0x65, - 0x6e, 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x48, 0x65, 0x61, - 0x64, 0x65, 0x72, 0x12, 0x4b, 0x0a, 0x22, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x63, 0x65, - 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x73, - 0x75, 0x6d, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x1f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, - 0x74, 0x65, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, - 0x22, 0x83, 0x04, 0x0a, 0x0e, 0x46, 
0x72, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x64, 0x43, 0x6f, 0x6e, - 0x66, 0x69, 0x67, 0x12, 0x44, 0x0a, 0x0b, 0x6d, 0x74, 0x6c, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x66, - 0x69, 0x67, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x66, 0x6c, 0x65, 0x65, 0x74, - 0x73, 0x70, 0x65, 0x61, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, - 0x2e, 0x4d, 0x54, 0x6c, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x48, 0x00, 0x52, 0x0a, 0x6d, - 0x74, 0x6c, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x5a, 0x0a, 0x13, 0x68, 0x74, 0x74, - 0x70, 0x73, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, - 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x66, 0x6c, 0x65, 0x65, 0x74, 0x73, 0x70, - 0x65, 0x61, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x48, - 0x74, 0x74, 0x70, 0x73, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, - 0x48, 0x00, 0x52, 0x11, 0x68, 0x74, 0x74, 0x70, 0x73, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, - 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x73, 0x0a, 0x1c, 0x68, 0x74, 0x74, 0x70, 0x73, 0x5f, 0x68, - 0x65, 0x61, 0x64, 0x65, 0x72, 0x5f, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x5f, 0x63, - 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x66, 0x6c, - 0x65, 0x65, 0x74, 0x73, 0x70, 0x65, 0x61, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, - 0x6e, 0x74, 0x73, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x73, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, - 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x48, 0x00, 0x52, - 0x19, 0x68, 0x74, 0x74, 0x70, 0x73, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x68, 0x65, 0x63, - 0x6b, 0x73, 0x75, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x57, 0x0a, 0x12, 0x68, 0x74, - 0x74, 0x70, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, - 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x66, 0x6c, 0x65, 
0x65, 0x74, 0x73, 0x70, - 0x65, 0x61, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x48, - 0x74, 0x74, 0x70, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x48, - 0x00, 0x52, 0x10, 0x68, 0x74, 0x74, 0x70, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, - 0x66, 0x69, 0x67, 0x12, 0x70, 0x0a, 0x1b, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x68, 0x65, 0x61, 0x64, - 0x65, 0x72, 0x5f, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x5f, 0x63, 0x6f, 0x6e, 0x66, - 0x69, 0x67, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x66, 0x6c, 0x65, 0x65, 0x74, - 0x73, 0x70, 0x65, 0x61, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, - 0x2e, 0x48, 0x74, 0x74, 0x70, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x68, 0x65, 0x63, 0x6b, - 0x73, 0x75, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x48, 0x00, 0x52, 0x18, 0x68, 0x74, 0x74, - 0x70, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x43, - 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x42, 0x0f, 0x0a, 0x0d, 0x66, 0x72, 0x6f, 0x6e, 0x74, 0x65, 0x6e, - 0x64, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x22, 0xf3, 0x01, 0x0a, 0x0b, 0x48, 0x74, 0x74, 0x70, 0x73, - 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x25, 0x0a, 0x0e, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, - 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, - 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x22, 0x0a, - 0x0c, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, - 0x73, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, - 0x6b, 0x65, 0x79, 0x12, 0x2b, 0x0a, 0x11, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x73, - 0x74, 0x72, 0x65, 0x61, 0x6d, 0x69, 0x6e, 0x67, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, - 0x64, 0x69, 
0x73, 0x61, 0x62, 0x6c, 0x65, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x69, 0x6e, 0x67, - 0x12, 0x4e, 0x0a, 0x0f, 0x66, 0x72, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x64, 0x5f, 0x63, 0x6f, 0x6e, - 0x66, 0x69, 0x67, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x66, 0x6c, 0x65, 0x65, - 0x74, 0x73, 0x70, 0x65, 0x61, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, - 0x73, 0x2e, 0x46, 0x72, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, - 0x52, 0x0e, 0x66, 0x72, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, - 0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x4a, 0x04, 0x08, 0x06, 0x10, 0x07, 0x22, 0x34, 0x0a, 0x0b, - 0x41, 0x64, 0x6d, 0x69, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x25, 0x0a, 0x0e, 0x6c, - 0x69, 0x73, 0x74, 0x65, 0x6e, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x41, 0x64, 0x64, 0x72, 0x65, - 0x73, 0x73, 0x22, 0x27, 0x0a, 0x0b, 0x53, 0x74, 0x61, 0x74, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, - 0x67, 0x12, 0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x22, 0x3a, 0x0a, 0x11, 0x48, - 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, - 0x12, 0x25, 0x0a, 0x0e, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, - 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, - 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x42, 0x5b, 0x5a, 0x59, 0x67, 0x69, 0x74, 0x68, 0x75, - 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x66, 0x6c, 0x65, - 0x65, 0x74, 0x73, 0x70, 0x65, 0x61, 0x6b, 0x2f, 0x66, 0x6c, 0x65, 0x65, 0x74, 0x73, 0x70, 0x65, - 0x61, 0x6b, 0x2f, 0x73, 0x72, 0x63, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2f, 0x63, 0x6f, - 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 
0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x66, - 0x6c, 0x65, 0x65, 0x74, 0x73, 0x70, 0x65, 0x61, 0x6b, 0x5f, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, - 0x65, 0x6e, 0x74, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x6b, 0x73, 0x75, 0x6d, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x22, 0x53, 0x0a, 0x15, 0x43, 0x6c, + 0x65, 0x61, 0x72, 0x74, 0x65, 0x78, 0x74, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, + 0x66, 0x69, 0x67, 0x12, 0x3a, 0x0a, 0x19, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x63, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x17, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x43, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x22, + 0xa8, 0x01, 0x0a, 0x1d, 0x43, 0x6c, 0x65, 0x61, 0x72, 0x74, 0x65, 0x78, 0x74, 0x48, 0x65, 0x61, + 0x64, 0x65, 0x72, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, + 0x67, 0x12, 0x3a, 0x0a, 0x19, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x63, 0x65, 0x72, 0x74, + 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x17, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x43, 0x65, 0x72, 0x74, + 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x4b, 0x0a, + 0x22, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x65, 0x5f, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x5f, 0x68, 0x65, 0x61, + 0x64, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x1f, 0x63, 0x6c, 0x69, 0x65, 0x6e, + 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x65, 0x63, + 0x6b, 0x73, 0x75, 0x6d, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x22, 0xa1, 0x04, 0x0a, 0x0e, 0x46, + 0x72, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x44, 0x0a, + 0x0b, 0x6d, 
0x74, 0x6c, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x07, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x66, 0x6c, 0x65, 0x65, 0x74, 0x73, 0x70, 0x65, 0x61, 0x6b, 0x2e, + 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x4d, 0x54, 0x6c, 0x73, 0x43, + 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x48, 0x00, 0x52, 0x0a, 0x6d, 0x74, 0x6c, 0x73, 0x43, 0x6f, 0x6e, + 0x66, 0x69, 0x67, 0x12, 0x5a, 0x0a, 0x13, 0x68, 0x74, 0x74, 0x70, 0x73, 0x5f, 0x68, 0x65, 0x61, + 0x64, 0x65, 0x72, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x28, 0x2e, 0x66, 0x6c, 0x65, 0x65, 0x74, 0x73, 0x70, 0x65, 0x61, 0x6b, 0x2e, 0x63, 0x6f, + 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x73, 0x48, 0x65, + 0x61, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x48, 0x00, 0x52, 0x11, 0x68, 0x74, + 0x74, 0x70, 0x73, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, + 0x73, 0x0a, 0x1c, 0x68, 0x74, 0x74, 0x70, 0x73, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x5f, + 0x63, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, + 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x66, 0x6c, 0x65, 0x65, 0x74, 0x73, 0x70, 0x65, + 0x61, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x48, 0x74, + 0x74, 0x70, 0x73, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, + 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x48, 0x00, 0x52, 0x19, 0x68, 0x74, 0x74, 0x70, 0x73, + 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x43, 0x6f, + 0x6e, 0x66, 0x69, 0x67, 0x12, 0x66, 0x0a, 0x17, 0x63, 0x6c, 0x65, 0x61, 0x72, 0x74, 0x65, 0x78, + 0x74, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, + 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x66, 0x6c, 0x65, 0x65, 0x74, 0x73, 0x70, 0x65, + 0x61, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 
0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x43, 0x6c, + 0x65, 0x61, 0x72, 0x74, 0x65, 0x78, 0x74, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, + 0x66, 0x69, 0x67, 0x48, 0x00, 0x52, 0x15, 0x63, 0x6c, 0x65, 0x61, 0x72, 0x74, 0x65, 0x78, 0x74, + 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x7f, 0x0a, 0x20, + 0x63, 0x6c, 0x65, 0x61, 0x72, 0x74, 0x65, 0x78, 0x74, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, + 0x5f, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, + 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x34, 0x2e, 0x66, 0x6c, 0x65, 0x65, 0x74, 0x73, 0x70, + 0x65, 0x61, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x43, + 0x6c, 0x65, 0x61, 0x72, 0x74, 0x65, 0x78, 0x74, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, 0x68, + 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x48, 0x00, 0x52, 0x1d, + 0x63, 0x6c, 0x65, 0x61, 0x72, 0x74, 0x65, 0x78, 0x74, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x43, + 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x42, 0x0f, 0x0a, + 0x0d, 0x66, 0x72, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x64, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x22, 0xf3, + 0x01, 0x0a, 0x0b, 0x48, 0x74, 0x74, 0x70, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x25, + 0x0a, 0x0e, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x41, 0x64, + 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x22, 0x0a, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x65, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x63, 0x65, 0x72, + 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, + 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2b, 0x0a, 0x11, 0x64, + 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x69, 
0x6e, 0x67, + 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x53, + 0x74, 0x72, 0x65, 0x61, 0x6d, 0x69, 0x6e, 0x67, 0x12, 0x4e, 0x0a, 0x0f, 0x66, 0x72, 0x6f, 0x6e, + 0x74, 0x65, 0x6e, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x07, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x25, 0x2e, 0x66, 0x6c, 0x65, 0x65, 0x74, 0x73, 0x70, 0x65, 0x61, 0x6b, 0x2e, 0x63, + 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x46, 0x72, 0x6f, 0x6e, 0x74, 0x65, + 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0e, 0x66, 0x72, 0x6f, 0x6e, 0x74, 0x65, + 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x4a, 0x04, + 0x08, 0x06, 0x10, 0x07, 0x22, 0x34, 0x0a, 0x0b, 0x41, 0x64, 0x6d, 0x69, 0x6e, 0x43, 0x6f, 0x6e, + 0x66, 0x69, 0x67, 0x12, 0x25, 0x0a, 0x0e, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x5f, 0x61, 0x64, + 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6c, 0x69, 0x73, + 0x74, 0x65, 0x6e, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x22, 0x27, 0x0a, 0x0b, 0x53, 0x74, + 0x61, 0x74, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, + 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, + 0x65, 0x73, 0x73, 0x22, 0x3a, 0x0a, 0x11, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, + 0x63, 0x6b, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x25, 0x0a, 0x0e, 0x6c, 0x69, 0x73, 0x74, + 0x65, 0x6e, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x0d, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x42, + 0x5b, 0x5a, 0x59, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x6f, + 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x66, 0x6c, 0x65, 0x65, 0x74, 0x73, 0x70, 0x65, 0x61, 0x6b, 0x2f, + 0x66, 0x6c, 0x65, 0x65, 0x74, 0x73, 0x70, 0x65, 0x61, 0x6b, 0x2f, 0x73, 0x72, 0x63, 0x2f, 0x73, + 0x65, 0x72, 0x76, 0x65, 
0x72, 0x2f, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, + 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x66, 0x6c, 0x65, 0x65, 0x74, 0x73, 0x70, 0x65, 0x61, + 0x6b, 0x5f, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -1006,17 +1009,17 @@ func file_fleetspeak_src_server_components_proto_fleetspeak_components_config_pr var file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes = make([]protoimpl.MessageInfo, 11) var file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_goTypes = []interface{}{ - (*Config)(nil), // 0: fleetspeak.components.Config - (*MTlsConfig)(nil), // 1: fleetspeak.components.MTlsConfig - (*HttpsHeaderConfig)(nil), // 2: fleetspeak.components.HttpsHeaderConfig - (*HttpsHeaderChecksumConfig)(nil), // 3: fleetspeak.components.HttpsHeaderChecksumConfig - (*HttpHeaderConfig)(nil), // 4: fleetspeak.components.HttpHeaderConfig - (*HttpHeaderChecksumConfig)(nil), // 5: fleetspeak.components.HttpHeaderChecksumConfig - (*FrontendConfig)(nil), // 6: fleetspeak.components.FrontendConfig - (*HttpsConfig)(nil), // 7: fleetspeak.components.HttpsConfig - (*AdminConfig)(nil), // 8: fleetspeak.components.AdminConfig - (*StatsConfig)(nil), // 9: fleetspeak.components.StatsConfig - (*HealthCheckConfig)(nil), // 10: fleetspeak.components.HealthCheckConfig + (*Config)(nil), // 0: fleetspeak.components.Config + (*MTlsConfig)(nil), // 1: fleetspeak.components.MTlsConfig + (*HttpsHeaderConfig)(nil), // 2: fleetspeak.components.HttpsHeaderConfig + (*HttpsHeaderChecksumConfig)(nil), // 3: fleetspeak.components.HttpsHeaderChecksumConfig + (*CleartextHeaderConfig)(nil), // 4: fleetspeak.components.CleartextHeaderConfig + (*CleartextHeaderChecksumConfig)(nil), // 5: fleetspeak.components.CleartextHeaderChecksumConfig + (*FrontendConfig)(nil), // 6: fleetspeak.components.FrontendConfig + (*HttpsConfig)(nil), // 7: fleetspeak.components.HttpsConfig + (*AdminConfig)(nil), // 8: fleetspeak.components.AdminConfig + (*StatsConfig)(nil), // 9: fleetspeak.components.StatsConfig + (*HealthCheckConfig)(nil), // 10: fleetspeak.components.HealthCheckConfig } var 
file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_depIdxs = []int32{ 7, // 0: fleetspeak.components.Config.https_config:type_name -> fleetspeak.components.HttpsConfig @@ -1026,8 +1029,8 @@ var file_fleetspeak_src_server_components_proto_fleetspeak_components_config_pro 1, // 4: fleetspeak.components.FrontendConfig.mtls_config:type_name -> fleetspeak.components.MTlsConfig 2, // 5: fleetspeak.components.FrontendConfig.https_header_config:type_name -> fleetspeak.components.HttpsHeaderConfig 3, // 6: fleetspeak.components.FrontendConfig.https_header_checksum_config:type_name -> fleetspeak.components.HttpsHeaderChecksumConfig - 4, // 7: fleetspeak.components.FrontendConfig.http_header_config:type_name -> fleetspeak.components.HttpHeaderConfig - 5, // 8: fleetspeak.components.FrontendConfig.http_header_checksum_config:type_name -> fleetspeak.components.HttpHeaderChecksumConfig + 4, // 7: fleetspeak.components.FrontendConfig.cleartext_header_config:type_name -> fleetspeak.components.CleartextHeaderConfig + 5, // 8: fleetspeak.components.FrontendConfig.cleartext_header_checksum_config:type_name -> fleetspeak.components.CleartextHeaderChecksumConfig 6, // 9: fleetspeak.components.HttpsConfig.frontend_config:type_name -> fleetspeak.components.FrontendConfig 10, // [10:10] is the sub-list for method output_type 10, // [10:10] is the sub-list for method input_type @@ -1091,7 +1094,7 @@ func file_fleetspeak_src_server_components_proto_fleetspeak_components_config_pr } } file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*HttpHeaderConfig); i { + switch v := v.(*CleartextHeaderConfig); i { case 0: return &v.state case 1: 
@@ -1103,7 +1106,7 @@ func file_fleetspeak_src_server_components_proto_fleetspeak_components_config_pr
 }
 }
 file_fleetspeak_src_server_components_proto_fleetspeak_components_config_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*HttpHeaderChecksumConfig); i {
+ switch v := v.(*CleartextHeaderChecksumConfig); i {
 case 0:
 return &v.state
 case 1:
@@ -1179,8 +1182,8 @@ func file_fleetspeak_src_server_components_proto_fleetspeak_components_config_pr
 (*FrontendConfig_MtlsConfig)(nil),
 (*FrontendConfig_HttpsHeaderConfig)(nil),
 (*FrontendConfig_HttpsHeaderChecksumConfig)(nil),
- (*FrontendConfig_HttpHeaderConfig)(nil),
- (*FrontendConfig_HttpHeaderChecksumConfig)(nil),
+ (*FrontendConfig_CleartextHeaderConfig)(nil),
+ (*FrontendConfig_CleartextHeaderChecksumConfig)(nil),
 }
 type x struct{}
 out := protoimpl.TypeBuilder{
diff --git a/fleetspeak/src/server/components/proto/fleetspeak_components/config.proto b/fleetspeak/src/server/components/proto/fleetspeak_components/config.proto
index 099a30cd..f9b8d754 100644
--- a/fleetspeak/src/server/components/proto/fleetspeak_components/config.proto
+++ b/fleetspeak/src/server/components/proto/fleetspeak_components/config.proto
@@ -110,7 +110,7 @@ message HttpsHeaderChecksumConfig {
 // original TLS connection to the frontend via an HTTP header.
 // The Fleetspeak frontend uses the certificate passed in this header to
 // identify the client.
-message HttpHeaderConfig {
+message CleartextHeaderConfig {
 // The name of the HTTP header set by the intermediary that contains the
 // forwarded client certificate. Required.
 string client_certificate_header = 1;
@@ -129,7 +129,7 @@ message HttpHeaderConfig {
 // The Fleetspeak frontend uses the certificate passed passed from the client
 // to identify it, and uses the hash from the intermediate actor to verify that
 // this certificate was in fact used in the original TLS connection.
-message HttpHeaderChecksumConfig {
+message CleartextHeaderChecksumConfig {
 // The name of the HTTP header set by the client that contains the original
 // client certificate. Required.
 string client_certificate_header = 1;
@@ -150,8 +150,8 @@ message FrontendConfig {
 MTlsConfig mtls_config = 7;
 HttpsHeaderConfig https_header_config = 8;
 HttpsHeaderChecksumConfig https_header_checksum_config = 9;
- HttpHeaderConfig http_header_config = 10;
- HttpHeaderChecksumConfig http_header_checksum_config = 11;
+ CleartextHeaderConfig cleartext_header_config = 10;
+ CleartextHeaderChecksumConfig cleartext_header_checksum_config = 11;
 }
 }
@@ -164,12 +164,12 @@ message HttpsConfig {
 // A certificate chain which identifies the server to clients. Must lead to a
 // certificate known to the clients. x509 format. Required, if frontend mode is
- // not cleartext (ie neither HttpHeaderConfig nor HttpHeaderChecksumConfig)
+ // not cleartext (ie neither CleartextHeaderConfig nor CleartextHeaderChecksumConfig)
 string certificates = 2;
 // The private key used to identify the server. Must match the first entry in
 // certificates. x509 format. Required, if frontend mode is not cleartext
- // (ie neither HttpHeaderConfig nor HttpHeaderChecksumConfig)
+ // (ie neither CleartextHeaderConfig nor CleartextHeaderChecksumConfig)
 string key = 3;
 // If set, disables long running (streaming) connections. This type of
diff --git a/fleetspeak/src/server/https/client_certificate.go b/fleetspeak/src/server/https/client_certificate.go
index 08e6ad01..2f4008d4 100644
--- a/fleetspeak/src/server/https/client_certificate.go
+++ b/fleetspeak/src/server/https/client_certificate.go
@@ -26,17 +26,17 @@ func GetClientCert(req *http.Request, frontendConfig *cpb.FrontendConfig) (*x509
 switch {
 case frontendConfig.GetMtlsConfig() != nil:
 return getCertFromTLS(req)
- case frontendConfig.GetHttpHeaderConfig() != nil:
- return getCertFromHeader(frontendConfig.GetHttpHeaderConfig().GetClientCertificateHeader(), req.Header)
+ case frontendConfig.GetCleartextHeaderConfig() != nil:
+ return getCertFromHeader(frontendConfig.GetCleartextHeaderConfig().GetClientCertificateHeader(), req.Header)
 case frontendConfig.GetHttpsHeaderConfig() != nil:
 return getCertFromHeader(frontendConfig.GetHttpsHeaderConfig().GetClientCertificateHeader(), req.Header)
- case frontendConfig.GetHttpHeaderChecksumConfig() != nil:
- cert, err := getCertFromHeader(frontendConfig.GetHttpHeaderChecksumConfig().GetClientCertificateHeader(), req.Header)
+ case frontendConfig.GetCleartextHeaderChecksumConfig() != nil:
+ cert, err := getCertFromHeader(frontendConfig.GetCleartextHeaderChecksumConfig().GetClientCertificateHeader(), req.Header)
 if err != nil {
 return nil, err
 }
- err = verifyCertSha256Checksum(req.Header.Get(frontendConfig.GetHttpHeaderChecksumConfig().GetClientCertificateHeader()),
- req.Header.Get(frontendConfig.GetHttpHeaderChecksumConfig().GetClientCertificateChecksumHeader()))
+ err = verifyCertSha256Checksum(req.Header.Get(frontendConfig.GetCleartextHeaderChecksumConfig().GetClientCertificateHeader()),
+ req.Header.Get(frontendConfig.GetCleartextHeaderChecksumConfig().GetClientCertificateChecksumHeader()))
 if err != nil {
 return nil, err
 }
diff --git a/fleetspeak/src/server/https/client_certificate_test.go b/fleetspeak/src/server/https/client_certificate_test.go
index 17a53904..7bed0116 100644
--- a/fleetspeak/src/server/https/client_certificate_test.go
+++ b/fleetspeak/src/server/https/client_certificate_test.go
@@ -123,7 +123,6 @@ func makeTestClient(t *testing.T, clearText bool) (common.ClientID, *http.Client
 Timeout: 30 * time.Second,
 KeepAlive: 30 * time.Second,
 }).Dial,
- TLSHandshakeTimeout: 10 * time.Second,
 ExpectContinueTimeout: 1 * time.Second,
 }
 }
@@ -288,12 +287,12 @@ func TestFrontendMode_HEADER_TLS_CHECKSUM(t *testing.T) {
 }
 }
-func TestFrontendMode_HEADER_HTTP(t *testing.T) {
+func TestFrontendMode_HEADER_CLEARTEXT(t *testing.T) {
 clientCertHeader := "ssl-client-cert"
 frontendConfig := &cpb.FrontendConfig{
- FrontendMode: &cpb.FrontendConfig_HttpHeaderConfig{
- HttpHeaderConfig: &cpb.HttpHeaderConfig{
- ClientCertificateHeader: clientCertHeader,
+ FrontendMode: &cpb.FrontendConfig_CleartextHeaderConfig{
+ CleartextHeaderConfig: &cpb.CleartextHeaderConfig{
+ ClientCertificateHeader: clientCertHeader,
 },
 },
 }
@@ -333,12 +332,12 @@ func TestFrontendMode_HEADER_HTTP(t *testing.T) {
 }
 }
-func TestFrontendMode_HEADER_HTTP_CHECKSUM(t *testing.T) {
+func TestFrontendMode_HEADER_CLEARTEXT_CHECKSUM(t *testing.T) {
 clientCertHeader := "ssl-client-cert"
 clientCertChecksumHeader := "ssl-client-cert-checksum"
 frontendConfig := &cpb.FrontendConfig{
- FrontendMode: &cpb.FrontendConfig_HttpHeaderChecksumConfig{
- HttpHeaderChecksumConfig: &cpb.HttpHeaderChecksumConfig{
+ FrontendMode: &cpb.FrontendConfig_CleartextHeaderChecksumConfig{
+ CleartextHeaderChecksumConfig: &cpb.CleartextHeaderChecksumConfig{
 ClientCertificateHeader: clientCertHeader,
 ClientCertificateChecksumHeader: clientCertChecksumHeader,
 },
diff --git a/fleetspeak/src/server/https/https.go b/fleetspeak/src/server/https/https.go
index dcbd520d..8ddac10b 100644
--- a/fleetspeak/src/server/https/https.go
+++ b/fleetspeak/src/server/https/https.go
@@ -108,53 +108,43 @@ func NewCommunicator(p Params) (*Communicator, error) {
 }
 mux := http.NewServeMux()
- var httpServer http.Server
- switch {
- case p.FrontendConfig.GetHttpHeaderConfig() != nil,
- p.FrontendConfig.GetHttpHeaderChecksumConfig() != nil:
- httpServer = http.Server{
+ h := Communicator{
+ p: p,
+ hs: http.Server{
 Handler: mux,
 ReadTimeout: 20 * time.Minute,
 ReadHeaderTimeout: 10 * time.Second,
 WriteTimeout: 20 * time.Minute,
 IdleTimeout: 30 * time.Second,
- }
- default:
+ },
+ stopping: make(chan struct{}),
+ }
+
+ if p.FrontendConfig.GetCleartextHeaderConfig() == nil &&
+ p.FrontendConfig.GetCleartextHeaderChecksumConfig() == nil {
 c, err := tls.X509KeyPair(p.Cert, p.Key)
 if err != nil {
 return nil, err
 }
- httpServer = http.Server{
- Handler: mux,
- TLSConfig: &tls.Config{
- ClientAuth: tls.RequestClientCert,
- Certificates: []tls.Certificate{c},
- CipherSuites: []uint16{
- // We may as well allow only the strongest (as far as we can guess)
- // ciphers. Note that TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is
- // required by the https library.
- tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
- // Correctly implementing session tickets means sharing and rotating a
- // secret key between servers, with implications if it leaks. Simply
- // disable for the moment.
- SessionTicketsDisabled: true,
- MinVersion: tls.VersionTLS12,
- NextProtos: []string{"h2"},
- },
- ReadTimeout: 20 * time.Minute,
- ReadHeaderTimeout: 10 * time.Second,
- WriteTimeout: 20 * time.Minute,
- IdleTimeout: 30 * time.Second,
+ h.hs.TLSConfig = &tls.Config{
+ ClientAuth: tls.RequestClientCert,
+ Certificates: []tls.Certificate{c},
+ CipherSuites: []uint16{
+ // We may as well allow only the strongest (as far as we can guess)
+ // ciphers. Note that TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is
+ // required by the https library.
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+ // Correctly implementing session tickets means sharing and rotating a
+ // secret key between servers, with implications if it leaks. Simply
+ // disable for the moment.
+ SessionTicketsDisabled: true,
+ MinVersion: tls.VersionTLS12,
+ NextProtos: []string{"h2"},
 }
 }
- h := Communicator{
- p: p,
- hs: httpServer,
- stopping: make(chan struct{}),
- }
 mux.Handle("/message", messageServer{&h})
 if p.Streaming {
 mux.Handle("/streaming-message", newStreamingMessageServer(&h, p.MaxPerClientBatchProcessors))
@@ -186,8 +176,8 @@ func (c *Communicator) Setup(fs comms.Context) error {
 func (c *Communicator) Start() error {
 switch {
- case c.p.FrontendConfig.GetHttpHeaderConfig() != nil,
- c.p.FrontendConfig.GetHttpHeaderChecksumConfig() != nil:
+ case c.p.FrontendConfig.GetCleartextHeaderConfig() != nil,
+ c.p.FrontendConfig.GetCleartextHeaderChecksumConfig() != nil:
 go c.serve(c.p.Listener)
 default:
 go c.serve(tls.NewListener(c.p.Listener, c.hs.TLSConfig))
diff --git a/fleetspeak/src/server/https/https_test.go b/fleetspeak/src/server/https/https_test.go
index a2fabe99..91fdf869 100644
--- a/fleetspeak/src/server/https/https_test.go
+++ b/fleetspeak/src/server/https/https_test.go
@@ -544,12 +544,12 @@ func TestHeaderStreamingChecksum(t *testing.T) {
 resp.Body.Close()
 }
-func TestHttpHeaderStreaming(t *testing.T) {
+func TestCleartextHeaderStreaming(t *testing.T) {
 ctx := context.Background()
 clientCertHeader := "ssl-client-cert"
 frontendConfig := &cpb.FrontendConfig{
- FrontendMode: &cpb.FrontendConfig_HttpHeaderConfig{
- HttpHeaderConfig: &cpb.HttpHeaderConfig{
+ FrontendMode: &cpb.FrontendConfig_CleartextHeaderConfig{
+ CleartextHeaderConfig: &cpb.CleartextHeaderConfig{
 ClientCertificateHeader: clientCertHeader,
 },
 },
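Review bot: When either cleartext config is set, the new `if p.FrontendConfig.GetCleartextHeaderConfig() == nil && ...` block in NewCommunicator is skipped, `h.hs.TLSConfig` stays nil, and `Start()` serves plain HTTP straight on `p.Listener` — so the client identity in the configured header is accepted from whoever can reach that socket, and nothing in the visible code distinguishes the intended sidecar deployment from a listener exposed directly, where the header is trivially forgeable. The commit does not surface this anywhere; I would at least emit a startup warning on the cleartext path (with whatever logger this file already uses) and put the deployment contract above the `if`: `// Cleartext mode: this listener carries no TLS. It must be reachable only via the TLS-terminating intermediary that sets the client-certificate header; any other peer could assert an arbitrary client identity.` The same two-getter predicate is written a second time in `Start()` with the polarity flipped; a single `func isCleartextFrontend(fc *cpb.FrontendConfig) bool` used by both would keep the two decisions from drifting. Presumably the cleartext listener also serves only HTTP/1.1 (`NextProtos: "h2"` lives in the TLS config and there is no h2c handler on this page), which is worth a one-line comment if intentional. NewCommunicator starts before this hunk and continues past it.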
@@ -617,13 +617,13 @@ func TestHttpHeaderStreaming(t *testing.T) {
 resp.Body.Close()
 }
-func TestHttpHeaderStreamingChecksum(t *testing.T) {
+func TestCleartextHeaderStreamingChecksum(t *testing.T) {
 ctx := context.Background()
 clientCertHeader := "ssl-client-cert"
 clientCertChecksumHeader := "ssl-client-cert-checksum"
 frontendConfig := &cpb.FrontendConfig{
- FrontendMode: &cpb.FrontendConfig_HttpHeaderChecksumConfig{
- HttpHeaderChecksumConfig: &cpb.HttpHeaderChecksumConfig{
+ FrontendMode: &cpb.FrontendConfig_CleartextHeaderChecksumConfig{
+ CleartextHeaderChecksumConfig: &cpb.CleartextHeaderChecksumConfig{
 ClientCertificateHeader: clientCertHeader,
 ClientCertificateChecksumHeader: clientCertChecksumHeader,
 },