Merge pull request #64 from UKHomeOffice/verify-upstream

daniel-ac-martin · web-flow · commit 88a11a20b633 · 2016-10-28T14:37:40.000+01:00
Add support for verifying the upstream server's cert
diff --git a/README.md b/README.md
@@ -38,6 +38,7 @@ rules to be specified without downloading or mounting in a rule file.
  for easy tracking in down stream logs e.g. `nginxId=50c91049-667f-4286-c2f0-86b04b27d3f0`.
  If set to `HEADER` it will add `nginxId` to the headers, not append to the get params.
 * `CLIENT_CERT_REQUIRED` - if set to `TRUE`, will deny access at this location, see [Client Certs](#client-certs).
+* `VERIFY_SERVER_CERT` - if set to `TRUE`, will verify the upstream server's TLS certificate is valid and signed by the CA, see [Verifying Upstream Server](#verifying-upstream-server).
 * `USE_UPSTREAM_CLIENT_CERT` - if set to `TRUE`, will use the set of upstream client certs when connecting upstream, see [Upstream Client Certs](#upstream-client-certs).
 * `ERROR_REDIRECT_CODES` - Can override when Nginx will redirect requests to its own error page. Defaults to
 "`500 501 502 503 504`". To support a new code, say `505`, an error page must be provided at
@@ -102,6 +103,12 @@ N.B. see HTTP(S)_LISTEN_PORT above
   signed one is provided if they have not been mounted.
 * `/etc/keys/client-ca` If a client CA is mounted here, it will be loaded and configured. 
 See `CLIENT_CERT_REQUIRED` above in [Environment Variables](#environment-variables).
+* `/etc/keys/upstream-server-ca` A CA public cert must be mounted here when verifying the upstream server's certificate is required.
+See `VERIFY_SERVER_CERT` above in [Environment Variables](#environment-variables).
+* `/etc/keys/upstream-client-crt` A public client cert must be mounted here when when the upstream server requires client cert authentication.
+See `USE_UPSTREAM_CLIENT_CERT` above in [Environment Variables](#environment-variables).
+* `/etc/keys/upstream-client-key` A private client key must be mounted here when when the upstream server requires client cert authentication.
+See `USE_UPSTREAM_CLIENT_CERT` above in [Environment Variables](#environment-variables).
 * `/usr/local/openresty/naxsi/*.conf` - [Naxsi](https://github.com/nbs-system/naxsi) rules location in default 
 nginx.conf.
 * `/usr/local/openresty/nginx/html/$CODE.shtml` - HTML (with SSI support) displayed when a the status code $CODE
@@ -243,7 +250,22 @@ docker run -e 'PROXY_SERVICE_HOST=https://stackexchange.com' \
            -v "/path/to/client-public.crt:/etc/keys/upstream-client-crt" \
            -v "/path/to/client-private.key:/etc/keys/upstream-client-key" \
            -p 8443:443 \
-           quay.io/ukhomeofficedigital/nginx-proxy:v1.8.0
+           quay.io/ukhomeofficedigital/nginx-proxy:v2.1.0
+```
+
+#### Verifying Upstream Server
+
+If the environment variable `VERIFY_SERVER_CERT` is set to `TRUE` then
+the upstream server's certificate will be validated against the CA
+public cert at `/etc/keys/upstream-server-ca`.
+
+```shell
+docker run -e 'PROXY_SERVICE_HOST=https://stackexchange.com' \
+           -e 'PROXY_SERVICE_PORT=443' \
+           -e 'VERIFY_SERVER_CERT=TRUE' \
+           -v "/path/to/ca.crt:/etc/keys/upstream-server-ca" \
+           -p 8443:443 \
+           quay.io/ukhomeofficedigital/nginx-proxy:v2.1.0
 ```
 
 #### Arbitrary Config
diff --git a/ci-build.sh b/ci-build.sh
@@ -6,12 +6,14 @@ TAG=ngx
 PORT=8443
 START_INSTANCE="docker run --privileged=true "
 DOCKER_HOST_NAME=127.0.0.1
+MUTUAL_TLS="mutual-tls"
+STANDARD_TLS="standard-tls"
 
 function tear_down_container() {
     container=$1
     if docker ps -a | grep "${container}" &>/dev/null ; then
         if docker ps | grep "${container}" &>/dev/null ; then
-            docker kill "${container}" &>/dev/null
+            docker kill "${container}" &>/dev/null || true
         fi
         docker rm "${container}" &>/dev/null || true
     fi
@@ -25,6 +27,8 @@ function clean_up() {
     rm -f /tmp/file.txt
     tear_down_container mockserver
     tear_down_container slowmockserver
+    tear_down_container ${MUTUAL_TLS}
+    tear_down_container ${STANDARD_TLS}
     tear_down_container ${TAG}
 }
 
@@ -253,7 +257,6 @@ wget -O /dev/null --quiet --no-check-certificate https://${DOCKER_HOST_NAME}:${P
      --private-key=./client_certs/client.key
 
 echo "Test upstream client certs..."
-MUTUAL_TLS="mutual-tls"
 ${STD_CMD} -d \
            -e "PROXY_SERVICE_HOST=http://www.w3.org" \
            -e "PROXY_SERVICE_PORT=80" \
@@ -273,6 +276,51 @@ echo "Test it's up and working..."
 wget -O /dev/null --quiet --no-check-certificate https://${DOCKER_HOST_NAME}:${PORT}/
 tear_down_container "${MUTUAL_TLS}"
 
+echo "Test failure to verify upstream server cert..."
+${STD_CMD} -d \
+           -e "PROXY_SERVICE_HOST=http://www.w3.org" \
+           -e "PROXY_SERVICE_PORT=80" \
+           --name="${STANDARD_TLS}" ${TAG}
+docker run --link "${STANDARD_TLS}:${STANDARD_TLS}" --rm martin/wait
+start_test "Start with failing upstream server verification" "${STD_CMD} \
+           -e \"PROXY_SERVICE_HOST=https://${STANDARD_TLS}\" \
+           -e \"PROXY_SERVICE_PORT=443\" \
+           -e \"DNSMASK=TRUE\" \
+           -e \"VERIFY_SERVER_CERT=TRUE\" \
+           -v \"${PWD}/client_certs/ca.crt:/etc/keys/upstream-server-ca\" \
+           --link \"${STANDARD_TLS}:${STANDARD_TLS}\" "
+echo "Test it blocks the request, returning a 502..."
+if curl -ki https://${DOCKER_HOST_NAME}:${PORT}/ | grep "502 Bad Gateway" ; then
+    echo "Passed failure to verify upstream server cert"
+else
+    echo "Failed failure to verify upstream server cert"
+    exit 1
+fi
+tear_down_container "${STANDARD_TLS}"
+
+echo "Test successfully verifying upstream server cert..."
+cd ./client_certs/
+./create_server_csr_and_key.sh
+./sign_server_key_with_ca.sh
+cd ..
+${STD_CMD} -d \
+           -e "PROXY_SERVICE_HOST=http://www.w3.org" \
+           -e "PROXY_SERVICE_PORT=80" \
+           -v "${PWD}/client_certs/server.crt:/etc/keys/crt" \
+           -v "${PWD}/client_certs/server.key:/etc/keys/key" \
+           --name="${STANDARD_TLS}" ${TAG}
+docker run --link "${STANDARD_TLS}:${STANDARD_TLS}" --rm martin/wait
+start_test "Start with succeeding upstream server verification" "${STD_CMD} \
+           -e \"PROXY_SERVICE_HOST=https://${STANDARD_TLS}\" \
+           -e \"PROXY_SERVICE_PORT=443\" \
+           -e \"DNSMASK=TRUE\" \
+           -e \"VERIFY_SERVER_CERT=TRUE\" \
+           -v \"${PWD}/client_certs/ca.crt:/etc/keys/upstream-server-ca\" \
+           --link \"${STANDARD_TLS}:${STANDARD_TLS}\" "
+echo "Test it allows the request through..."
+wget -O /dev/null --quiet --no-check-certificate https://${DOCKER_HOST_NAME}:${PORT}/
+tear_down_container "${STANDARD_TLS}"
+
 start_test "Start with Custom error pages redirect off" "${STD_CMD} \
            -e \"PROXY_SERVICE_HOST=http://mockserver\" \
            -e \"PROXY_SERVICE_PORT=8080\" \
diff --git a/client_certs/.gitignore b/client_certs/.gitignore
@@ -1,2 +1,3 @@
-ca.*
-client.*
+*.crt
+*.csr
+*.key
diff --git a/client_certs/create_server_csr_and_key.sh b/client_certs/create_server_csr_and_key.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+. ./settings.cfg
+openssl genrsa -out server.key 4096
+openssl req -new -key server.key  -subj "${DN}/CN=standard-tls" -out server.csr
diff --git a/client_certs/sign_server_key_with_ca.sh b/client_certs/sign_server_key_with_ca.sh
@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
diff --git a/enable_location.sh b/enable_location.sh
@@ -20,6 +20,7 @@ NAXSI_USE_DEFAULT_RULES=$(get_id_var ${LOCATION_ID} NAXSI_USE_DEFAULT_RULES)
 EXTRA_NAXSI_RULES=$(get_id_var ${LOCATION_ID} EXTRA_NAXSI_RULES)
 CLIENT_CERT_REQUIRED=$(get_id_var ${LOCATION_ID} CLIENT_CERT_REQUIRED)
 USE_UPSTREAM_CLIENT_CERT=$(get_id_var ${LOCATION_ID} USE_UPSTREAM_CLIENT_CERT)
+VERIFY_SERVER_CERT=$(get_id_var ${LOCATION_ID} VERIFY_SERVER_CERT)
 PORT_IN_HOST_HEADER=$(get_id_var ${LOCATION_ID} PORT_IN_HOST_HEADER)
 ENABLE_UUID_PARAM=$(get_id_var ${LOCATION_ID} ENABLE_UUID_PARAM)
 ERROR_REDIRECT_CODES=$(get_id_var ${LOCATION_ID} ERROR_REDIRECT_CODES)
@@ -125,6 +126,15 @@ if [ "${USE_UPSTREAM_CLIENT_CERT}" == "TRUE" ]; then
 else
     SSL_CERTIFICATE=""
 fi
+if [ "${VERIFY_SERVER_CERT}" == "TRUE" ]; then
+    if [ ! -f /etc/keys/upstream-server-ca ]; then
+        exit_error_msg "Missing server CA cert at location:/etc/keys/upstream-server-ca"
+    fi
+    msg "Will require '${LOCATION}'s certificate to be verified."
+    SSL_VERIFY="proxy_ssl_trusted_certificate /etc/keys/upstream-server-ca; proxy_ssl_verify on;"
+else
+    SSL_VERIFY=""
+fi
 
 if [ "${PORT_IN_HOST_HEADER}" == "FALSE" ]; then
     msg "Setting host only proxy header"
@@ -212,6 +222,7 @@ location ${LOCATION} {
     ${WEB_SOCKETS}
     $(cat /location_template.conf)
     ${SSL_CERTIFICATE}
+    ${SSL_VERIFY}
     proxy_set_header Host ${PROXY_HOST_SETTING};
     proxy_set_header X-Username "$ssl_client_s_dn_cn";
     proxy_set_header X-Real-IP \$${REMOTE_IP_VAR};

-Original file line number
+Diff line change
@@ @@ -1,2 +1,3 @@ @@
 -ca.*
 -client.*
 +*.crt
 +*.csr
 +*.key
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+#!/usr/bin/env bash`
	`2`	`+openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt`