From eccff191d77615af87795acb003f2fb2f87dcda5 Mon Sep 17 00:00:00 2001
From: Diana Krepinska
Date: Sun, 5 May 2024 19:39:36 +0200
Subject: [PATCH] Add dynamic client ssl context example with reverse proxies

---
 dynamic-ssl-reverse-proxies/README.md | 36 ++++++++++++++++
 dynamic-ssl-reverse-proxies/configure.cli | 52 +++++++++++++++++++++++
 2 files changed, 88 insertions(+)
 create mode 100644 dynamic-ssl-reverse-proxies/README.md
 create mode 100644 dynamic-ssl-reverse-proxies/configure.cli

diff --git a/dynamic-ssl-reverse-proxies/README.md b/dynamic-ssl-reverse-proxies/README.md
new file mode 100644
index 0000000..6127f16
--- /dev/null
+++ b/dynamic-ssl-reverse-proxies/README.md
@@ -0,0 +1,36 @@
+# Demonstrate the use of dynamic client SSL context by configuring 2 reverse proxies with different SSL context required
+
+## Generate certificates for 2 different mutual ssl contexts in $WILDFLY_HOME/standalone/configuration
+
+```
+keytool -genkeypair -alias localhost -keyalg RSA -keysize 2048 -validity 365 -keystore server1.keystore -dname "CN=localhost" -keypass secret -storepass secret
+
+keytool -genkeypair -alias client1 -keyalg RSA -keysize 2048 -validity 365 -keystore client1.keystore -dname "CN=client1" -keypass secret -storepass secret
+
+keytool -exportcert -keystore server1.keystore -alias localhost -keypass secret -storepass secret -file server1.cer
+
+keytool -exportcert -keystore client1.keystore -alias client1 -keypass secret -storepass secret -file client1.cer
+
+keytool -importcert -keystore server1.truststore -storepass secret -alias client1 -trustcacerts -file client1.cer
+
+keytool -importcert -keystore client1.truststore -storepass secret -alias localhost -trustcacerts -file server1.cer
+
+keytool -genkeypair -alias localhost -keyalg RSA -keysize 2048 -validity 365 -keystore server2.keystore -dname "CN=localhost" -keypass secret -storepass secret
+
+keytool -genkeypair -alias client2 -keyalg RSA -keysize 2048 -validity 365 -keystore client2.keystore -dname "CN=client2" -keypass secret -storepass secret
+
+keytool -exportcert -keystore server2.keystore -alias localhost -keypass secret -storepass secret -file server2.cer
+
+keytool -exportcert -keystore client2.keystore -alias client2 -keypass secret -storepass secret -file client2.cer
+
+keytool -importcert -keystore server2.truststore -storepass secret -alias client2 -trustcacerts -file client2.cer
+
+keytool -importcert -keystore client2.truststore -storepass secret -alias localhost -trustcacerts -file server2.cer
+```
+
+## Run the configure.cli file
+
+Examine the commands in the `configure.cli` file. 
The file configures ports 9443 and 10443 so that they require a different two-way TLS connection. The URL 8080/proxy has been configured as a reverse proxy, forwarding requests to port 9443, where there is a WildFly welcome page. Similarly, the URL 8080/proxy2 forwards requests to port 10443. These ports require different certificates as there is a different two-way TLS configured.
+
+# Test the dynamic client ssl context
+Try accessing the http://localhost:8080/proxy and the http://localhost:8080/proxy2 . Both of these URLs will successfully return Welcome to WildFly page. The requests are able to connect and display the Welcome page on both of these URLs because the dynamic client SSL context has selected the appropriate SSL contexts to use for the connections.
diff --git a/dynamic-ssl-reverse-proxies/configure.cli b/dynamic-ssl-reverse-proxies/configure.cli
new file mode 100644
index 0000000..422433f
--- /dev/null
+++ b/dynamic-ssl-reverse-proxies/configure.cli
@@ -0,0 +1,52 @@
+# Configure sockets listening on ports 9443 and 10443
+/socket-binding-group=standard-sockets/socket-binding=first-socket-binding:add(port=9443)
+/socket-binding-group=standard-sockets/socket-binding=second-socket-binding:add(port=10443)
+
+# Configure server SSL context that will be used with port 9443
+/subsystem=elytron/key-store=twoWayKS1:add(path=server1.keystore,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=PKCS12)
+/subsystem=elytron/key-store=twoWayTS1:add(path=server1.truststore,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=PKCS12)
+/subsystem=elytron/key-manager=twoWayKM1:add(key-store=twoWayKS1,credential-reference={clear-text=secret})
+/subsystem=elytron/trust-manager=twoWayTM1:add(key-store=twoWayTS1)
+/subsystem=elytron/server-ssl-context=twoWaySSC1:add(key-manager=twoWayKM1,protocols=["TLSv1.2"],trust-manager=twoWayTM1,need-client-auth=true)
+
+# Configure SSL context that will be used with port 10443
+/subsystem=elytron/key-store=twoWayKS2:add(path=server2.keystore,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=PKCS12)
+/subsystem=elytron/key-store=twoWayTS2:add(path=server2.truststore,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=PKCS12)
+/subsystem=elytron/key-manager=twoWayKM2:add(key-store=twoWayKS2,credential-reference={clear-text=secret})
+/subsystem=elytron/trust-manager=twoWayTM2:add(key-store=twoWayTS2)
+/subsystem=elytron/server-ssl-context=twoWaySSC2:add(key-manager=twoWayKM2,protocols=["TLSv1.2"],trust-manager=twoWayTM2,need-client-auth=true)
+
+# Configure undertow HTTPS listeners to have above SSL contexts on the socket bindings
+/subsystem=undertow/server=default-server/https-listener=first-listener:add(socket-binding=first-socket-binding,ssl-context=twoWaySSC1,enable-http2=true)
+/subsystem=undertow/server=default-server/https-listener=second-listener:add(socket-binding=second-socket-binding,ssl-context=twoWaySSC2,enable-http2=true)
+
+# Configure client SSL contexts that will be sending outgoing requests from port 8080 to the port 9443 and 10443
+/subsystem=elytron/key-store=clientKS1:add(path=client1.keystore,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=PKCS12)
+/subsystem=elytron/key-store=clientTS1:add(path=client1.truststore,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=PKCS12)
+/subsystem=elytron/key-store=clientKS2:add(path=client2.keystore,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=PKCS12)
+/subsystem=elytron/key-store=clientTS2:add(path=client2.truststore,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=PKCS12)
+/subsystem=elytron/key-manager=clientKM1:add(key-store=clientKS1,credential-reference={clear-text=secret})
+/subsystem=elytron/trust-manager=clientTM1:add(key-store=clientTS1)
+/subsystem=elytron/trust-manager=clientTM2:add(key-store=clientTS2)
+/subsystem=elytron/key-manager=clientKM2:add(key-store=clientKS2,credential-reference={clear-text=secret})
+
+/subsystem=elytron/client-ssl-context=client1-ssl-context:add(key-manager=clientKM1,protocols=["TLSv1.2"],trust-manager=clientTM1)
+/subsystem=elytron/client-ssl-context=client2-ssl-context:add(key-manager=clientKM2,protocols=["TLSv1.2"],trust-manager=clientTM2)
+
+# Configure client authentication context that will be used with the dynamic SSL context
+/subsystem=elytron/authentication-context=ac:add(match-rules=[{match-port=9443,ssl-context=client1-ssl-context},{match-port=10443,ssl-context=client2-ssl-context}])
+
+# Configure a dynamic SSL context that uses the above authentication context and delegates to the appropriate SSL context based on the port of the outbound connection.
+/subsystem=elytron/dynamic-client-ssl-context=dynamicClientSSLContext:add(authentication-context=ac)
+
+# Configure reverse proxy for 9443 port
+/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=my-socket:add(host=localhost,port=9443)
+/subsystem=undertow/configuration=handler/reverse-proxy=my-proxy:add()
+/subsystem=undertow/configuration=handler/reverse-proxy=my-proxy/host=localhost:add(outbound-socket-binding=my-socket,ssl-context=dynamicClientSSLContext,scheme=https)
+/subsystem=undertow/server=default-server/host=default-host/location=\/proxy:add(handler=my-proxy)
+
+# Configure reverse proxy for 10443 port
+/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=my-socket2:add(host=localhost,port=10443)
+/subsystem=undertow/configuration=handler/reverse-proxy=my-proxy2:add()
+/subsystem=undertow/configuration=handler/reverse-proxy=my-proxy2/host=localhost:add(outbound-socket-binding=my-socket2,ssl-context=dynamicClientSSLContext,scheme=https)
+/subsystem=undertow/server=default-server/host=default-host/location=\/proxy2:add(handler=my-proxy2)
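Review bot: Every key-store and key-manager in this script uses `credential-reference={clear-text=secret}`, so running it persists the keystore passwords in clear text in the server configuration model, and nothing in the file says this is a demo shortcut; a header comment should make that explicit, e.g. `# Example only: clear-text credential-references store keystore passwords in the server configuration; reference a credential-store instead (credential-reference={store=...,alias=...}) outside a demo`. The match-rules on the `authentication-context=ac` line select a client SSL context by port alone, so any outbound connection the dynamic context handles on 9443 or 10443 presents the client1/client2 key material regardless of destination host; since both reverse-proxy hosts are `localhost`, adding `match-host=localhost` to each rule scopes the selection to what the example actually proxies to. As a point of style, the client resources are declared in the order KM1, TM1, TM2, KM2, which breaks the KS/TS/KM/TM ordering used for the two server contexts above and makes the pairing harder to follow.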