Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[8.x](backport #5802) proxytest: proxy HTTPS request using MITM #5867

Merged
merged 8 commits into from
Nov 4, 2024
Merged

[8.x](backport #5802) proxytest: proxy HTTPS request using MITM #5867

merged 8 commits into from
Nov 4, 2024

Conversation

mergify[bot]
Copy link
Contributor

@mergify mergify bot commented Oct 28, 2024

What does this PR do?

It extends proxytest to support proxying HTTPS requests.

  • The proxy can now act as a MITM (man-in-the-middle) proxy for HTTPS, generating certificates on the fly for the target host.
  • The proxy assumes it should proxy an HTTPS request if it receives a CONNECT requests.

Why is it important?

It'll allow us to create integration tests for mTLS scenarios

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • [ ] I have added an entry in ./changelog/fragments using the changelog tool
  • [ ] I have added an integration test or an E2E test

Disruptive User Impact

  • None

How to test this PR locally

Run TestRunHTTPSProxy passing the example build tag and follow the instructions to perform a cRUL request using the proxytest:

  • run the test: go test -tags example -v -run TestRunHTTPSProxy$ ./testing/proxytest
  • run the provided curl command

Example:

$ go test -tags example -v -run TestRunHTTPSProxy$ ./testing/proxytest
=== RUN   TestRunHTTPSProxy
    proxytest_test.go:451: target server running on https://127.0.0.1:34355
    proxytest.go:100: [proxy-https] time=2024-10-16T11:14:33.982+02:00 level=INFO source=/home/ainsoph/devel/github.com/elastic/elastic-agent/testing/proxytest/proxytest.go:236 msg="running on https://127.0.0.1:40241 -> https://localhost:40241"
    proxytest_test.go:473: proxy running on https://localhost:40241
    proxytest_test.go:479: make request to "https://not-a-server.co" using proxy "https://localhost:40241"
    proxytest_test.go:481: curl \
        --proxy-cacert /tmp/TestRunHTTPSProxy3155179289/001/proxyCA.crt \
        --proxy-cert /tmp/TestRunHTTPSProxy3155179289/001/clientCert.crt \
        --proxy-key /tmp/TestRunHTTPSProxy3155179289/001/clientCert.key \
        --cacert /tmp/TestRunHTTPSProxy3155179289/001/proxyCA.crt \
        --proxy https://127.0.0.1:40241 \
        https://not-a-server.co
    proxytest_test.go:496: CTRL+C to stop
    proxytest.go:100: [proxy-https] time=2024-10-16T11:15:19.046+02:00 level=INFO source=/home/ainsoph/devel/github.com/elastic/elastic-agent/testing/proxytest/proxytest.go:183 msg="STARTING - CONNECT '//not-a-server.co:443' HTTP/1.1 127.0.0.1:40496"
    proxytest.go:100: [proxy-https] time=2024-10-16T11:15:19.046+02:00 level=DEBUG source=/home/ainsoph/devel/github.com/elastic/elastic-agent/testing/proxytest/https.go:22 msg="handling CONNECT" req_id=8a3b5c0f-50c0-40d1-84af-59412ed8bdc3
    proxytest.go:100: [proxy-https] time=2024-10-16T11:15:19.046+02:00 level=DEBUG source=/home/ainsoph/devel/github.com/elastic/elastic-agent/testing/proxytest/https.go:34 msg="hijacked request" req_id=8a3b5c0f-50c0-40d1-84af-59412ed8bdc3
    proxytest.go:100: [proxy-https] time=2024-10-16T11:15:19.092+02:00 level=DEBUG source=/home/ainsoph/devel/github.com/elastic/elastic-agent/testing/proxytest/proxytest.go:282 msg="original URL: https://not-a-server.co:443/, new URL: https://127.0.0.1:34355/"
    proxytest.go:100: [proxy-https] time=2024-10-16T11:15:19.097+02:00 level=DEBUG source=/home/ainsoph/devel/github.com/elastic/elastic-agent/testing/proxytest/https.go:129 msg="EOF reached, finishing HTTPS handler" req_id=8a3b5c0f-50c0-40d1-84af-59412ed8bdc3
    proxytest.go:100: [proxy-https] [8a3b5c0f-50c0-40d1-84af-59412ed8bdc3] DONE 0 - CONNECT //not-a-server.co:443 HTTP/1.1 127.0.0.1:40496
^Csignal: interrupt
$ curl \
        --proxy-cacert /tmp/TestRunHTTPSProxy3155179289/001/proxyCA.crt \
        --proxy-cert /tmp/TestRunHTTPSProxy3155179289/001/clientCert.crt \
        --proxy-key /tmp/TestRunHTTPSProxy3155179289/001/clientCert.key \
        --cacert /tmp/TestRunHTTPSProxy3155179289/001/proxyCA.crt \
        --proxy https://127.0.0.1:40241 \
        https://not-a-server.co
It works!

Related issues

Questions to ask yourself

  • How are we going to support this in production?
  • How are we going to measure its adoption?
  • How are we going to debug this?
  • What are the metrics I should take care of?
  • ...
This is an automatic backport of pull request #5802 done by [Mergify](https://mergify.com).

@AndersonQ @mergify
proxytest: proxy HTTPS request using MITM (#5802)
ed5129e 
The proxytest now can proxy HTTPS requests using a men in the middle (MITM) approach to allow to fully control the requests between the proxy and the target server.

(cherry picked from commit ad041d4)
@mergify mergify bot requested a review from a team as a code owner October 28, 2024 15:50
@mergify mergify bot added the backport label Oct 28, 2024
@mergify mergify bot requested review from kaanyalti and pchila and removed request for a team October 28, 2024 15:50
@AndersonQ AndersonQ requested review from AndersonQ and removed request for kaanyalti and pchila October 29, 2024 13:01
@AndersonQ AndersonQ mentioned this pull request Oct 31, 2024
Merged
1 task
@AndersonQ AndersonQ added the backport-8.16 Automated backport with mergify label Oct 31, 2024
@mergify Mergify
Copy link
Contributor Author

mergify bot commented Nov 4, 2024

This pull request has not been merged yet. Could you please review and merge it @AndersonQ? 🙏

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube

@AndersonQ AndersonQ merged commit ec75170 into 8.x Nov 4, 2024
14 checks passed
@AndersonQ AndersonQ deleted the mergify/bp/8.x/pr-5802 branch November 4, 2024 13:23
mergify bot added a commit that referenced this pull request Nov 4, 2024
@mergify
proxytest: proxy HTTPS request using MITM (#5802) (#5867)
fd62727 
The proxytest now can proxy HTTPS requests using a men in the middle (MITM) approach to allow to fully control the requests between the proxy and the target server.

(cherry picked from commit ad041d4)

Co-authored-by: Anderson Queiroz <[email protected]>
(cherry picked from commit ec75170)
@mergify mergify bot mentioned this pull request Nov 4, 2024
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pierrehilbert pierrehilbert pierrehilbert approved these changes

@AndersonQ AndersonQ AndersonQ approved these changes

Assignees

@AndersonQ AndersonQ

Labels
backport backport-8.16 Automated backport with mergify
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@AndersonQ @pierrehilbert