copyedit mTLS bits
ransford-stripe committed Nov 30, 2022
1 parent 90e9012 commit 6f52008
Showing 1 changed file with 9 additions and 8 deletions.
17 changes: 9 additions & 8 deletions README.md
Expand Up @@ -12,14 +12,15 @@ Smokescreen also allows us to centralize egress from Stripe, allowing us to give
financial partners stable egress IP addresses and abstracting away the details
of which Stripe service is making the request.

Smokescreen can be contacted over TLS. You can provide it with one or more client certificate authority certificates as well as their CRLs.
Smokescreen will warn you if you load a CA certificate with no associated CRL and will abort if you try to load a CRL which cannot be used (ex.: cannot be associated with loaded CA).

Smokescreen can be provided with an ACL to determine which remote
hosts a service is allowed to interact with. By default, Smokescreen
will identify clients by the "common name" in the TLS certificate they
present, if any. The client identification function can also be
easily replaced; more on this in the usage section.
In typical usage, clients contact Smokescreen over mTLS. Upon receiving a
connection, Smokescreen authenticates the client's certificate against a
configurable set of CAs and CRLs, extracts the client's identity, and checks
the client's requested CONNECT destination against a configurable per-client
ACL.

By default, Smokescreen will identify clients by the "common name" in the TLS
certificate they present, if any. The client identification function can also
be easily replaced; more on this in the usage section.

## Dependencies

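Review bot: The rewritten paragraph drops the documented startup behaviour from the removed lines, namely that Smokescreen warns when a CA certificate is loaded with no associated CRL and aborts when a CRL cannot be associated with a loaded CA; operators rely on that check when rolling out new CAs and CRLs, so keep a sentence for it, e.g. after "configurable set of CAs and CRLs" add "Smokescreen warns if a CA certificate is loaded without an associated CRL and aborts if a CRL cannot be associated with a loaded CA." The new text also says the CONNECT destination is checked against "a configurable per-client ACL" while the following paragraph only covers client identification; a short pointer to where the ACL itself is documented would round this out.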
