Force SSL redirection to target service host for all protocols


Force SSL redirection to target service host for all protocols

vergil
Hi,

I want all my client applications to make calls to the service host via a proxy.
The hosted services are TLSv1.2 enabled. Clients are not in a position
to upgrade. Hence I want to enforce SSL encryption when the call is
routed/redirected to the target from the proxy.

I have seen a few blogs that talk about HTTP to HTTPS redirection. I want to
do that for all protocols like TCPS, UDPS (DTLS), SMTPS, IIOPS.

Can you please share your suggestions on this?


Thanks,
Siva

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,288541,288541#msg-288541

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Force SSL redirection to target service host for all protocols

vergil
Can somebody please comment on this?

Thanks,
Siva

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,288541,288565#msg-288565


Re: Force SSL redirection to target service host for all protocols

Francis Daly
In reply to this post by vergil
On Fri, Jul 03, 2020 at 09:12:56AM -0400, siva.pannier wrote:

Hi there,

> I want all my client applications to make calls to the service host via a proxy.
> The hosted services are TLSv1.2 enabled. Clients are not in a position
> to upgrade. Hence I want to enforce SSL encryption when the call is
> routed/redirected to the target from the proxy.

I may be misunderstanding the terminology, but I think your scenario is
that your clients speak their protocol over a "normal" (non-encrypted)
network connection; and your (upstream) servers allow the protocol both
directly over a "normal" connection, or over a SSL-wrapped connection.

And you want your clients to talk to nginx without encryption, and for
nginx to talk to upstream with encryption.

If nginx does not already have a dedicated module for the protocol you
care about, then possibly the "stream" module with "proxy_ssl" will work
for you.

http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html

That *does* depend on the nature of the protocol, of course -- if the
protocol does not easily allow proxying, then it is not going to easily
work through the nginx stream proxy.

> I have seen a few blogs that talk about HTTP to HTTPS redirection. I want to
> do that for all protocols like TCPS, UDPS (DTLS), SMTPS, IIOPS.
>
> Can you please share your suggestions on this?

If my protocol writes IP addresses or ports within the content payload,
then a "blind" traffic-forwarder (as "stream" mostly is) will probably
not be able to reliably proxy things that use my protocol.

For the specific protocols you care about: can they be proxied?

I suspect that the list will be interested in the results of your testing,
if you are willing to share them.

Thanks,

        f
--
Francis Daly        [hidden email]

Re: Force SSL redirection to target service host for all protocols

vergil
Hi..

> And you want your clients to talk to nginx without encryption, and for
> nginx to talk to upstream with encryption.

Yup, this is what I am trying to achieve. I have started testing these scenarios.
Will keep you all posted on the results.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,288541,288663#msg-288663


Re: Force SSL redirection to target service host for all protocols

vergil
In reply to this post by Francis Daly
Hi there,

I have tried doing TCP redirection to a backend TCP server with SSL enabled,
following the URL below.

https://docs.nginx.com/nginx/admin-guide/security-controls/securing-tcp-traffic-upstream/

My TCP (non-SSL) client is able to hit the TCP server (SSL enabled) via
nginx (proxy_ssl), but the buffered reader gets back only 'null'.

Client code:
##########
import java.io.*;
import java.net.Socket;

// Plain-TCP client: no TLS here; nginx is expected to add it towards the backend
Socket socket = new Socket(hostname, port);
InputStream input = socket.getInputStream();
BufferedReader reader = new BufferedReader(new InputStreamReader(input));
String time = reader.readLine(); // returns only null
System.out.println(time);
socket.close();

Server code:
#########
import java.io.IOException;
import java.io.PrintWriter;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.Date;
import javax.net.ServerSocketFactory;
import javax.net.ssl.SSLServerSocketFactory;

public class TCPSServer {
  public static void main(String[] args) throws IOException {
    // TLS server socket; the default factory takes its key material from the
    // javax.net.ssl.keyStore / javax.net.ssl.keyStorePassword system properties
    ServerSocketFactory ssf = SSLServerSocketFactory.getDefault();
    int port = 8091;
    ServerSocket ss = ssf.createServerSocket(port);

    while (true) {
      Socket sock = ss.accept();
      try {
        System.out.println("New client connected");
        //BufferedReader br = new BufferedReader(new InputStreamReader(sock.getInputStream()));
        //String data = br.readLine();
        PrintWriter pw = new PrintWriter(sock.getOutputStream());
        pw.println(new Date().toString() + " from port: " + port);
        pw.flush();
        pw.close();
        sock.close();
      } catch (IOException e) {
        // catch block reconstructed from the "I/O error: ..." line in the
        // server output shown later in the thread
        System.out.println("I/O error: " + e.getMessage());
        throw e;
      }
    }
  }
}

Nginx Conf:
############
stream {
    upstream backend {
        server backend1.example.com:12345;
    }

    server {
        # plaintext side facing the clients
        listen     8091;
        proxy_pass backend;
        # TLS is originated by nginx towards the upstream
        proxy_ssl  on;

        # client certificate/key that nginx presents to the upstream (mutual TLS)
        proxy_ssl_certificate         /etc/ssl/certs/backend.crt;
        proxy_ssl_certificate_key     /etc/ssl/certs/backend.key;
        proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
        proxy_ssl_ciphers             HIGH:!aNULL:!MD5;
        # CA bundle used to verify the upstream's certificate
        proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt;

        proxy_ssl_verify        on;
        proxy_ssl_verify_depth  2;
        proxy_ssl_session_reuse on;
    }
}


can somebody please suggest what is wrong with the above configuration?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,288541,288680#msg-288680

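The plaintext-in, TLS-out stream proxy that Francis describes, in the form a practitioner would tighten before relying on it. This is an added example, not configuration from the thread: it keeps the posted layout but limits the upstream handshake to TLS 1.2 and 1.3, binds the plaintext listener to an explicit address so the unencrypted hop stays where it is intended, and checks the upstream certificate against an explicit name with SNI enabled. The upstream host, the listen address and the file paths are assumed placeholders.

```nginx
stream {
    upstream tcps_backend {
        # assumed name of the TLS-enabled backend service
        server backend1.example.com:8091;
    }

    server {
        # Plaintext side. Bind to the address the clients actually reach
        # (loopback here as an assumption) and firewall it: this hop is
        # unencrypted, so it must not be reachable from untrusted networks.
        listen 127.0.0.1:8091;
        proxy_pass tcps_backend;

        # TLS origination towards the upstream: modern protocols only
        proxy_ssl                on;
        proxy_ssl_protocols      TLSv1.2 TLSv1.3;
        proxy_ssl_ciphers        HIGH:!aNULL:!MD5;

        # Verify the upstream certificate against a pinned CA bundle and the
        # expected host name; proxy_ssl_name also drives the SNI value sent.
        proxy_ssl_verify               on;
        proxy_ssl_verify_depth         2;
        proxy_ssl_trusted_certificate  /etc/ssl/certs/trusted_ca_cert.crt;
        proxy_ssl_name                 backend1.example.com;
        proxy_ssl_server_name          on;

        # Optional: only if the upstream requires client authentication
        # proxy_ssl_certificate      /etc/ssl/certs/proxy-client.crt;
        # proxy_ssl_certificate_key  /etc/ssl/certs/proxy-client.key;

        proxy_ssl_session_reuse  on;
    }
}
```

Without proxy_ssl_name, nginx verifies the upstream certificate against the host part of the proxy_pass target, which is fine when an upstream block uses a DNS name but silently becomes an IP-address check when it does not. The nginx error log at "info" level records the upstream handshake failures, which is the quickest way to tell a cipher or protocol mismatch from a certificate rejection.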

Re: Force SSL redirection to target service host for all protocols

Francis Daly
On Mon, Jul 13, 2020 at 02:57:34PM -0400, siva.pannier wrote:

Hi there,

> https://docs.nginx.com/nginx/admin-guide/security-controls/securing-tcp-traffic-upstream/
>
> My TCP (non-SSL) client is able to hit the TCP server (SSL enabled) via
> nginx (proxy_ssl), but the buffered reader gets back only 'null'.

When my client is "nc", and my server is "openssl s_server -port 12345",
things seem to work for me. Anything I write on one end is shown on the
other, with nginx handling the ssl/no-ssl translation.

> Server code:
> #########
>     ServerSocketFactory ssf = SSLServerSocketFactory.getDefault();
>     int port = 8091;
>     ServerSocket ss = ssf.createServerSocket(port);

This looks like your server wants to listen on port 8091.

Your nginx configuration suggests that nginx listens on 8091, and talks
to the server on 12345.

> Nginx Conf:
> ############
> stream {
>     upstream backend {
>         server backend1.example.com:12345;
>    }
>
>     server {
>         listen     8091;
>         proxy_pass backend;
>         proxy_ssl  on;

Match the ports, and it should work.

Cheers,

        f
--
Francis Daly        [hidden email]

Re: Force SSL redirection to target service host for all protocols

vergil
Extremely sorry, I mentioned the wrong port in that post. Actually I am
using the correct port number.

Client (Windows + non SSL):8091  ==> Nginx host (ubuntu vm+ SSL redirection)
==> TCP server (Windows + SSL enabled)

TCP server listening on 8091
Nginx Server listening on 8091
Client makes call to Nginx on 8091

I modified my server code for additional debugging as below:

#################
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.Date;
import javax.net.ServerSocketFactory;
import javax.net.ssl.SSLServerSocketFactory;

public class TCPSServer {
  public static void main(String[] args) throws IOException {
    // default factory: key material comes from the javax.net.ssl.keyStore system properties
    ServerSocketFactory ssf = SSLServerSocketFactory.getDefault();
    int port = 8091;
    ServerSocket ss = ssf.createServerSocket(port);

    while (true) {

      try {
        Socket sock = ss.accept();
        System.out.println("Timeout set is " + sock.getSoTimeout());
        System.out.println("New client connected");

        // Note: PrintWriter never throws IOException; a TLS handshake that fails
        // inside flush() is only recorded in checkError(), so execution continues
        // past "Data sent to client" and the failure surfaces on the next read.
        PrintWriter pw = new PrintWriter(sock.getOutputStream());
        pw.println(new Date().toString() + " from port: " + port);
        System.out.println("Data ready to sent to client");
        pw.flush();
        //pw.close();
        System.out.println("Data sent to client");

        System.out.println("Ready to read client data");
        BufferedReader br = new BufferedReader(new InputStreamReader(sock.getInputStream()));
        String data = br.readLine();
        System.out.println("Data received from Client: " + data);
        //br.close();

        sock.close();
        System.out.println("Socket closed");
      } catch (IOException e) {
        System.out.println("I/O error: " + e.getMessage());
        throw e;
      }
    }
  }
}
########################

Output from the server when the client initiated the connection is:
#####################
Timeout set is 0
New client connected
Data ready to sent to client
Data sent to client
Ready to read client data
I/O error: Connection has been shutdown:
javax.net.ssl.SSLHandshakeException: no cipher suites in common
Exception in thread "main" javax.net.ssl.SSLException: Connection has been
shutdown: javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at sun.security.ssl.SSLSocketImpl.checkEOF(Unknown Source)
        at sun.security.ssl.AppInputStream.read(Unknown Source)
        at sun.nio.cs.StreamDecoder.readBytes(Unknown Source)
        at sun.nio.cs.StreamDecoder.implRead(Unknown Source)
        at sun.nio.cs.StreamDecoder.read(Unknown Source)
        at java.io.InputStreamReader.read(Unknown Source)
        at java.io.BufferedReader.fill(Unknown Source)
        at java.io.BufferedReader.readLine(Unknown Source)
        at java.io.BufferedReader.readLine(Unknown Source)
        at com.att.tcp.server.TCPSServer.main(TCPSServer.java:37)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.ServerHandshaker.chooseCipherSuite(Unknown Source)
        at sun.security.ssl.ServerHandshaker.clientHello(Unknown Source)
        at sun.security.ssl.ServerHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
        at sun.security.ssl.AppOutputStream.write(Unknown Source)
        at sun.nio.cs.StreamEncoder.writeBytes(Unknown Source)
        at sun.nio.cs.StreamEncoder.implFlushBuffer(Unknown Source)
        at sun.nio.cs.StreamEncoder.implFlush(Unknown Source)
        at sun.nio.cs.StreamEncoder.flush(Unknown Source)
        at java.io.OutputStreamWriter.flush(Unknown Source)
        at java.io.BufferedWriter.flush(Unknown Source)
        at java.io.PrintWriter.flush(Unknown Source)
        at com.att.tcp.server.TCPSServer.main(TCPSServer.java:31)

The error was thrown on the line "pw.flush();" in the above code.

####################################


Output from the client is:
#####################

I/O error: Connection reset
Exception in thread "main" java.net.SocketException: Connection reset
        at java.net.SocketInputStream.read(Unknown Source)
        at java.net.SocketInputStream.read(Unknown Source)
        at sun.security.ssl.InputRecord.readFully(Unknown Source)
        at sun.security.ssl.InputRecord.read(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at com.att.client.tcp.TimeClient.main(TimeClient.java:34)

The error is thrown on the client code "socket.startHandshake();".
##########################

> When my client is "nc", and my server is "openssl s_server -port 12345",
> things seem to work for me. Anything I write on one end is shown on the
> other, with nginx handling the ssl/no-ssl translation.

Are you able to run a similar configuration?

Maybe I have done something wrong in the SSL settings or with the self-signed
certificate. Let me start from scratch again.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,288541,288696#msg-288696


Re: Force SSL redirection to target service host for all protocols

Francis Daly
On Tue, Jul 14, 2020 at 09:55:04AM -0400, siva.pannier wrote:

Hi there,

> Output from the server when client initiated the connection is..
> #####################

> javax.net.ssl.SSLHandshakeException: no cipher suites in common

That suggests that the ssl client (nginx) and the ssl server (your code)
are unable to agree on how to set up a suitable ssl session.

Possibly the nginx side will have (debug) logs showing what it tried
and what response it got.

Your nginx config does say what ciphers nginx should try; does your
server accept one of those?

Good luck with it,

        f
--
Francis Daly        [hidden email]

Re: Force SSL redirection to target service host for all protocols

vergil
Thanks Francis!

I was able to resolve that after creating a keystore (JKS) with my cert &
key and pointing my Java code to that store using the system property; after
that I added a keystore manager to the SSL context.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,288541,288716#msg-288716

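The fix Siva describes, worked through as an added example (this is not code from the thread): load the JKS keystore holding the backend's certificate and private key, build an SSLContext from a KeyManagerFactory over it, and serve on port 8091 restricted to TLSv1.2 so that it lines up with the nginx proxy_ssl_protocols setting. It also performs up front the check that explains Francis's diagnosis of "no cipher suites in common": a JSSE server whose context has no private-key entry cannot complete any of the certificate-based suites it advertises, so nginx's ClientHello is rejected. The keystore path server.jks, its password and the handling of the accepted connection are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Date;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;

public class KeystoreTlsServer {

    // Load the JKS keystore that holds the server certificate and private key.
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Pre-flight check: with no private-key entry the server has nothing to
    // authenticate with, and every handshake ends in "no cipher suites in common".
    static int countKeyEntries(KeyStore ks) throws Exception {
        int n = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isKeyEntry(e.nextElement())) {
                n++;
            }
        }
        return n;
    }

    // Explicit SSLContext backed by a key manager over the loaded keystore; this is
    // the programmatic equivalent of the javax.net.ssl.keyStore system properties.
    static SSLContext buildContext(KeyStore ks, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // server side only: no trust managers needed
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "server.jks";             // assumed path
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray(); // assumed password

        KeyStore ks = loadKeyStore(path, pw);
        if (countKeyEntries(ks) == 0) {
            throw new IllegalStateException("keystore " + path + " has no private-key entry; TLS handshakes would fail");
        }

        SSLContext ctx = buildContext(ks, pw);
        int port = 8091;
        try (SSLServerSocket ss = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port)) {
            // Match the nginx side: TLS 1.2 only, nothing older.
            ss.setEnabledProtocols(new String[] {"TLSv1.2"});
            System.out.println("listening on " + port + " with " + Arrays.toString(ss.getEnabledProtocols()));
            while (true) {
                try (SSLSocket sock = (SSLSocket) ss.accept()) {
                    // Force the handshake here so a failure is thrown explicitly instead of
                    // being swallowed by a PrintWriter and surfacing later as "Connection has been shutdown".
                    sock.startHandshake();
                    System.out.println("negotiated " + sock.getSession().getProtocol()
                            + " " + sock.getSession().getCipherSuite());
                    OutputStream out = sock.getOutputStream();
                    out.write((new Date() + " from port: " + port + "\n").getBytes("UTF-8"));
                    out.flush();
                }
            }
        }
    }
}
```

Build the keystore from the backend's PEM certificate and key with `openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12` followed by `keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -destkeystore server.jks`. If the code keeps using SSLServerSocketFactory.getDefault() instead, the same keystore can be supplied with `-Djavax.net.ssl.keyStore=server.jks -Djavax.net.ssl.keyStorePassword=...`, which is the system-property route mentioned in the post above. From the nginx host, `openssl s_client -connect backend:8091 -tls1_2` shows whether the server now negotiates a suite at all, independently of the proxy configuration.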