From 6f52008eff418271f9b1749d2479fa08688afe2b Mon Sep 17 00:00:00 2001 From: Ben Ransford Date: Wed, 30 Nov 2022 15:08:39 -0800 Subject: [PATCH 1/5] copyedit mTLS bits --- README.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index cffff3ad..a706531b 100644 --- a/README.md +++ b/README.md @@ -12,14 +12,15 @@ Smokescreen also allows us to centralize egress from Stripe, allowing us to give financial partners stable egress IP addresses and abstracting away the details of which Stripe service is making the request. -Smokescreen can be contacted over TLS. You can provide it with one or more client certificate authority certificates as well as their CRLs. -Smokescreen will warn you if you load a CA certificate with no associated CRL and will abort if you try to load a CRL which cannot be used (ex.: cannot be associated with loaded CA). - -Smokescreen can be provided with an ACL to determine which remote -hosts a service is allowed to interact with. By default, Smokescreen -will identify clients by the "common name" in the TLS certificate they -present, if any. The client identification function can also be -easily replaced; more on this in the usage section. +In typical usage, clients contact Smokescreen over mTLS. Upon receiving a +connection, Smokescreen authenticates the client's certificate against a +configurable set of CAs and CRLs, extracts the client's identity, and checks +the client's requested CONNECT destination against a configurable per-client +ACL. + +By default, Smokescreen will identify clients by the "common name" in the TLS +certificate they present, if any. The client identification function can also +be easily replaced; more on this in the usage section. ## Dependencies From 75d40220e977bdf20872f25e122ee76778971261 Mon Sep 17 00:00:00 2001 
From: Ben Ransford Date: Wed, 30 Nov 2022 15:09:06 -0800 Subject: [PATCH 2/5] remove redundant Go version refs --- README.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index a706531b..cb78dcdf 100644 --- a/README.md +++ b/README.md @@ -33,10 +33,8 @@ below: Smokescreen uses a [custom fork](https://github.com/stripe/goproxy) of goproxy to allow us to support context passing and setting granular timeouts on proxy connections. -Smokescreen is built and tested using the following Go releases. Generally, Smokescreen will only support the two most recent Go versions. - -- go1.18.x -- go1.17.x +Generally, Smokescreen will only support the two most recent Go versions. See +[the test configuration](.github/workflows/test.yaml) for details. [mod]: https://github.com/golang/go/wiki/Modules From 2b8b2a8c0a9167c780d7e140ee178149ea43cc26 Mon Sep 17 00:00:00 2001 From: Ben Ransford Date: Wed, 30 Nov 2022 15:11:11 -0800 Subject: [PATCH 3/5] fix header --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index cb78dcdf..3284c565 100644 --- a/README.md +++ b/README.md @@ -71,7 +71,7 @@ Here are the options you can give Smokescreen: --version, -v print the version ``` -### Importing +### Client Identification In order to override how Smokescreen identifies its clients, you must: From 876673818f42f943400eba78dab44ae4f99869a9 Mon Sep 17 00:00:00 2001 From: Ben Ransford Date: Wed, 30 Nov 2022 15:23:40 -0800 Subject: [PATCH 4/5] instructions for local testing --- README.md | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/README.md b/README.md index 3284c565..2171b21d 100644 --- a/README.md +++ b/README.md 
@@ -154,6 +154,44 @@ If a domain matches both the `global_allow_list` and the `global_deny_list`, the [Here](https://github.com/stripe/smokescreen/blob/master/pkg/smokescreen/acl/v1/testdata/sample_config_with_global.yaml) is a sample ACL specifying these options. +# Development and Testing + +## Running locally + +To run Smokescreen locally, you can provide a minimal configuration file and use `curl` as a client. For example: + +```yaml +# config.yaml +--- +allow_missing_role: true # skip mTLS client validation +statsd_address: 127.0.0.1:8200 +``` + +If you want to see metrics Smokescreen emits, listen on a local port: + +```shellsession +$ nc -uklv 127.0.0.1 8200 +``` + +Build and run Smokescreen: + +```shellsession +$ go run . --config-file config.yaml +{"level":"info","msg":"starting","time":"2022-11-30T15:19:08-08:00"} +``` + +Make a request using `curl`: + +```shellsession +$ curl --proxytunnel -x localhost:4750 https://stripe.com/ +``` + +## Testing + +```shellsession +$ go test ./... +``` + # Contributors - Aditya Mukerjee From e67044e6946f3eb1059fd7d8739f4e7be82abaf3 Mon Sep 17 00:00:00 2001 From: Ben Ransford Date: Wed, 30 Nov 2022 15:27:53 -0800 Subject: [PATCH 5/5] typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2171b21d..d7936e84 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,7 @@ below: Smokescreen uses a [custom fork](https://github.com/stripe/goproxy) of goproxy to allow us to support context passing and setting granular timeouts on proxy connections. Generally, Smokescreen will only support the two most recent Go versions. See -[the test configuration](.github/workflows/test.yaml) for details. +[the test configuration](.github/workflows/test.yml) for details. [mod]: https://github.com/golang/go/wiki/Modules
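Review bot: in [PATCH 1/5] (README.md hunk `@@ -12,14 +12,15 @@`) the rewrite drops a documented startup behaviour that operators rely on when rolling out new CAs: the removed lines said Smokescreen "will warn you if you load a CA certificate with no associated CRL and will abort if you try to load a CRL which cannot be used", and nothing in the new paragraph carries that over. Keep it, e.g. after "configurable set of CAs and CRLs" add a parenthetical such as "(Smokescreen warns when a CA is loaded without a CRL and refuses to start when a CRL cannot be matched to a loaded CA)". Also, "checks the client's requested CONNECT destination" narrows the old wording ("which remote hosts a service is allowed to interact with") to CONNECT only; if Smokescreen also proxies plain HTTP requests, write "requested destination" instead so the README does not understate what the ACL covers.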
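Review bot: in [PATCH 2/5] (README.md hunk `@@ -33,10 +33,8 @@`) the new link target `.github/workflows/test.yaml` does not match the actual file name, which [PATCH 5/5] later corrects to `test.yml`; squash 5/5 into this commit so no intermediate commit ships a dangling link. With the explicit `go1.18.x` / `go1.17.x` list gone, the CI matrix in that workflow becomes the only statement of which Go versions are supported, so the link must resolve.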
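Review bot: in [PATCH 4/5] (README.md hunk `@@ -154,6 +154,44 @@`) the comment on `allow_missing_role: true # skip mTLS client validation` misdescribes the option and hides a security caveat. The option name says it permits requests whose client role is missing, and the config sets no TLS options at all, so as written the listener is not terminating TLS and there is no mTLS to "skip". Reword it to something like `allow_missing_role: true # accept clients with no identifiable role (local testing only)` and add one sentence under "Running locally" saying that this configuration accepts any unauthenticated client that can reach the proxy port and must not be used outside local development. Two smaller points in the same hunk: the `curl --proxytunnel -x localhost:4750` line assumes a listen port that neither the config nor the text mentions, so either state that 4750 is the default or put the listen address in `config.yaml`; and since metrics go out over UDP, say explicitly that the `nc -uklv 127.0.0.1 8200` listener should be started before `go run .` (the text already orders it that way, but does not say why).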