
pluto: Add hyper-proxy as a module #3439

Merged (2 commits), Sep 25, 2023

Conversation

jpculp (Member) commented Sep 8, 2023

Description of changes:

The hyper_proxy module is a clone of tafia/hyper-proxy, but modified to take advantage of newer Rust dependencies.
Since Bottlerocket only uses 'rustls', other features and unused lines of code have been removed.

Also bumps webpki to 0.22.1.

Testing done:

Launched instance using an aws-k8s-1.25 AMI with user-data that includes the following:

[settings.network]
https-proxy = "<my-proxy>:9898"

Checked proxy server logs and found all traffic from my private IP being tunneled, including the EKS API calls for DescribeCluster:

1694211359.018    163 192.168.81.185 TCP_TUNNEL/200 9071 CONNECT eks.us-west-2.amazonaws.com:443 - HIER_DIRECT/35.164.66.95 -
1694211359.263    147 192.168.81.185 TCP_TUNNEL/200 9071 CONNECT eks.us-west-2.amazonaws.com:443 - HIER_DIRECT/35.164.66.95 -
1694211361.058    340 192.168.81.185 TCP_TUNNEL/200 20319 CONNECT api.ecr.us-west-2.amazonaws.com:443 - HIER_DIRECT/34.223.26.183 -
1694211361.070     77 192.168.81.185 TCP_TUNNEL/200 9528 CONNECT api.ecr.us-west-2.amazonaws.com:443 - HIER_DIRECT/34.223.26.183 -
1694211361.070     49 192.168.81.185 TCP_TUNNEL/200 7644 CONNECT api.ecr.us-west-2.amazonaws.com:443 - HIER_DIRECT/34.223.26.183 -

Checking CloudTrail, I can see that the DescribeCluster API call source IP is my proxy server:

    "eventTime": "2023-09-08T22:15:59Z",
    "eventSource": "eks.amazonaws.com",
    "eventName": "DescribeCluster",
    "awsRegion": "us-west-2",
    "sourceIPAddress": <my-proxy>,
    "userAgent": "aws-sdk-rust/0.55.3 os/linux lang/rust/1.71.1",

I set no-proxy for the EKS API endpoint and rebooted like so:

apiclient set --json '{"settings":{"network":{"no-proxy":["eks.us-west-2.amazonaws.com"]}}}'
apiclient reboot

Then I can see that EKS API calls do not get proxied and the source IP is my actual instance's public IP:

    "eventTime": "2023-09-08T22:22:05Z",
    "eventSource": "eks.amazonaws.com",
    "eventName": "DescribeCluster",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "54.212.110.209",
    "userAgent": "aws-sdk-rust/0.55.3 os/linux lang/rust/1.71.1",

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
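The testing above exercises one decision: a host listed in `no-proxy` connects directly, every other HTTPS destination is tunneled through the configured proxy with a CONNECT request (the `TCP_TUNNEL/200 ... CONNECT host:443` lines in the proxy log). The following is an added illustration of that decision in plain Rust, not pluto's or hyper-proxy's own code; the `no-proxy` matching rules (exact host, `.suffix` domain, bare suffix, `*`) and the `proxy.example.internal:9898` placeholder are assumptions for illustration.

```rust
// Added example (not pluto's or hyper-proxy's code): decide whether a request
// to `host` goes through the configured HTTPS proxy or directly, mirroring the
// settings exercised in the PR description. The `no-proxy` matching rules below
// are an assumption for illustration, not Bottlerocket's documented semantics.

#[derive(Debug, PartialEq)]
pub enum Route {
    /// Open a CONNECT tunnel through this proxy authority (host:port).
    Tunnel { proxy: String },
    /// Connect to the origin directly, bypassing the proxy.
    Direct,
}

/// Returns true when `host` matches a single `no-proxy` entry.
fn matches_no_proxy(host: &str, entry: &str) -> bool {
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    let entry = entry.trim().trim_end_matches('.').to_ascii_lowercase();
    if entry.is_empty() {
        return false;
    }
    if entry == "*" {
        return true;
    }
    // ".amazonaws.com" and "amazonaws.com" both match the domain and its subdomains.
    let suffix = entry.trim_start_matches('.');
    host == suffix || host.ends_with(&format!(".{suffix}"))
}

/// Route a request for `host`: direct when no proxy is set or a no-proxy entry matches.
pub fn route_for(host: &str, https_proxy: Option<&str>, no_proxy: &[&str]) -> Route {
    match https_proxy {
        Some(proxy) if !no_proxy.iter().any(|e| matches_no_proxy(host, e)) => {
            Route::Tunnel { proxy: proxy.to_string() }
        }
        _ => Route::Direct,
    }
}

/// The request an HTTPS client sends to the proxy to open a tunnel; it is what
/// the proxy access log records as `CONNECT host:443`.
pub fn connect_request(host: &str, port: u16) -> String {
    format!("CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n")
}

fn main() {
    let no_proxy = ["eks.us-west-2.amazonaws.com"];
    let proxy = Some("proxy.example.internal:9898"); // constructed stand-in for <my-proxy>
    for host in ["eks.us-west-2.amazonaws.com", "api.ecr.us-west-2.amazonaws.com"] {
        println!("{host}: {:?}", route_for(host, proxy, &no_proxy));
    }
}
```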

jpculp (Member, Author) commented Sep 8, 2023

I've included a temp commit to make it easier to see what changed in the hyper-proxy code, which I plan to squash prior to merge.

jpculp (Member, Author) commented Sep 9, 2023

In its current state, --no-default-features or setting the feature to rustls-base (which you shouldn't) results in compilation errors. Since we only ever plan on using rustls, we can simply remove the conditional compilation blocks. Does anyone have any opinions on that?

jpculp (Member, Author) commented Sep 11, 2023

Removed extraneous (to Bottlerocket) features and re-tested.

Review threads (resolved, outdated) on:
- sources/deny.toml
- sources/hyper-proxy-shim/README.md
- sources/hyper-proxy-shim/src/stream.rs
- sources/Cargo.toml
- sources/hyper-proxy-shim/Cargo.toml (two threads)
- tools/Cargo.lock
jpculp changed the title from "Add hyper-proxy-shim" to "pluto: Add hyper-proxy as a module" on Sep 18, 2023
jpculp (Member, Author) commented Sep 18, 2023

Rather than adding hyper-proxy to sources, we'll just add it as a module for pluto.

webern (Contributor) left a comment

Makes sense to me.

Review thread (resolved, outdated) on: sources/api/pluto/src/proxy.rs
jpculp (Member, Author) commented Sep 18, 2023

Re-based, re-tested, and ready for review.

@jpculp jpculp marked this pull request as ready for review September 18, 2023 21:12
Review threads (resolved) on:
- COPYRIGHT (outdated)
- sources/api/pluto/Cargo.toml
The 'hyper_proxy' module is a clone of tafia/hyper-proxy, but modified to
take advantage of newer Rust dependencies. Since Bottlerocket only uses
'rustls', other features and unused lines of code have been removed.
@jpculp jpculp merged commit 750ac7b into bottlerocket-os:develop Sep 25, 2023
48 checks passed
@jpculp jpculp deleted the hyper-proxy-shim branch September 25, 2023 21:17