
Technical Summary

dhens edited this page Mar 19, 2024 · 4 revisions

Connection Protocols

Drawbridge is a reverse proxy. It can currently create TCP tunnels only.

Drawbridge listens on TCP port 3100 by default. An Emissary client connects to this port and presents a client TLS certificate so the two sides can complete a mutual TLS (mTLS) handshake.

Once connected, Emissary will request a list of “Protected Services”. A Protected Service is a resource Drawbridge will expose to an authorized Emissary client.

Emissary receives the Protected Services list and shows it to the user. For each Protected Service it creates a local TCP server that requires no authentication: any process on the Emissary host that can reach that local port can use the tunnel, so the Emissary host itself is part of the trust boundary.

Currently the admin has no say in which ports these local servers listen on; the port assignment is not deterministic. This will be fixed in a future update.

When the user running an Emissary client connects to the local TCP server for a specific Protected Service, Emissary sends the string “PS_CONN” followed by the name of that Protected Service over its connection to Drawbridge, e.g. “PS_CONN my minecraft server”.

Drawbridge then routes the TCP traffic from Emissary to the requested Protected Service.
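The exchange described above, as an added illustration in Go (the language Drawbridge is written in); this is not Drawbridge's or Emissary's own code. The page does not say how the PS_CONN string is terminated, so newline termination is an assumption made here, as are the service names, the backend addresses and the function names. The example also does the check a practitioner would want on the routing side: a name that is not in the Protected Services list is refused rather than interpreted as an address.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"net"
	"strings"
)

// ProtectedServices maps a Protected Service name to its backend address.
// Constructed sample data; Drawbridge stores its own list elsewhere.
var ProtectedServices = map[string]string{
	"my minecraft server": "10.0.0.5:25565",
	"internal wiki":       "10.0.0.6:8080",
}

const psConnPrefix = "PS_CONN "

// maxHeader caps how much of the stream is read while looking for the PS_CONN
// line, so a misbehaving client cannot make the server buffer without bound.
const maxHeader = 1024

// ParsePSConn parses the first line Emissary sends. The page only specifies
// "PS_CONN" followed by the service name; newline termination is assumed here.
func ParsePSConn(line string) (string, error) {
	line = strings.TrimRight(line, "\r\n")
	if !strings.HasPrefix(line, psConnPrefix) {
		return "", fmt.Errorf("unexpected request %q", line)
	}
	name := strings.TrimSpace(strings.TrimPrefix(line, psConnPrefix))
	if name == "" {
		return "", errors.New("PS_CONN with empty service name")
	}
	return name, nil
}

// ResolveBackend looks the requested name up in the allow-list. Unknown names
// are refused rather than interpreted as an address, so Emissary can only reach
// services the admin has exposed.
func ResolveBackend(name string) (string, error) {
	addr, ok := ProtectedServices[name]
	if !ok {
		return "", fmt.Errorf("no Protected Service named %q", name)
	}
	return addr, nil
}

// HandleEmissary is the Drawbridge side: read the PS_CONN line from an accepted
// connection and return the backend it would be routed to. A real proxy would
// then io.Copy in both directions between conn and that backend.
func HandleEmissary(conn net.Conn) (string, error) {
	defer conn.Close()
	line, err := bufio.NewReader(io.LimitReader(conn, maxHeader)).ReadString('\n')
	if err != nil && !errors.Is(err, io.EOF) {
		return "", err
	}
	name, err := ParsePSConn(line)
	if err != nil {
		return "", err
	}
	return ResolveBackend(name)
}

// SendPSConn is the Emissary side: announce the Protected Service before any
// payload bytes from the local TCP client are forwarded.
func SendPSConn(conn net.Conn, name string) error {
	_, err := fmt.Fprintf(conn, "%s%s\n", psConnPrefix, name)
	return err
}

// Exchange runs both sides over an in-memory pipe so the handshake can be
// exercised without sockets.
func Exchange(name string) (string, error) {
	client, server := net.Pipe()
	go func() {
		_ = SendPSConn(client, name)
		client.Close()
	}()
	return HandleEmissary(server)
}

func main() {
	for _, name := range []string{"my minecraft server", "not exposed"} {
		backend, err := Exchange(name)
		fmt.Printf("%-22q -> backend=%q err=%v\n", name, backend, err)
	}
}
```

Because the PS_CONN line is the only thing that selects the backend, the lookup above is the place to enforce per-client authorization once Drawbridge ties service lists to the presented client certificate.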

TODO

Drawbridge admins should be able to specify whether Drawbridge's connection to a Protected Service should attempt to use TLS. This is not currently possible, so the hop from Drawbridge to the Protected Service is not protected by TLS; mTLS covers only the Emissary-to-Drawbridge leg.

mTLS

Since Drawbridge and Emissary are designed to secure your applications, we have taken steps to secure the tunnel between them.

Crypto

Drawbridge uses ECDSA on the P-384 curve for both the Certificate Authority and the Drawbridge server certificate. ECDSA was chosen because it was easy to implement; P-384 was chosen merely because it is larger than P-256, not on the basis of any measured requirement. If performance issues are encountered during benchmarks, a smaller curve may be used.

The minimum TLS version for Drawbridge and Emissary is set to TLSv1.3.
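As an added example (not Drawbridge's or Emissary's own code), the following Go program builds the setup the mTLS and Crypto sections describe: a P-384 ECDSA CA that issues a Drawbridge server certificate and an Emissary client certificate, a server tls.Config that pins the minimum version to TLS 1.3 and requires a verified client certificate, and a handshake over loopback TCP that shows an Emissary without a certificate being refused. The names drawbridge-ca, drawbridge, emissary-alice, NewPKI and Handshake, the certificate lifetimes and the use of a throwaway in-memory CA are all assumptions made here; the page says nothing about the real project's subject names or key storage.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key generation or certificate issuance failing is fatal here
	}
	return v
}

// PKI is a throwaway P-384 CA (as a trust pool) with one leaf each for Drawbridge and Emissary.
type PKI struct {
	Pool           *x509.CertPool
	Server, Client tls.Certificate
}

// newCert issues an ECDSA P-384 certificate: a self-signed CA when parent is nil, otherwise a
// leaf signed by parent/parentKey. Server and client EKUs are set so either side can use it.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:      pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// NewPKI generates the CA plus the Drawbridge server and Emissary client leaves.
func NewPKI() *PKI {
	ca, caKey := newCert("drawbridge-ca", nil, nil)
	srv, srvKey := newCert("drawbridge", ca, caKey)
	cl, clKey := newCert("emissary-alice", ca, caKey)
	p := &PKI{Pool: x509.NewCertPool(),
		Server: tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		Client: tls.Certificate{Certificate: [][]byte{cl.Raw}, PrivateKey: clKey}}
	p.Pool.AddCert(ca)
	return p
}

// DrawbridgeTLSConfig: TLS 1.3 only, and every client must present a certificate that
// chains to the Drawbridge CA. RequireAndVerifyClientCert is what makes this mTLS.
func DrawbridgeTLSConfig(p *PKI) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS13, Certificates: []tls.Certificate{p.Server},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: p.Pool}
}

// EmissaryTLSConfig trusts only the Drawbridge CA; pass no certs to simulate an unauthenticated client.
func EmissaryTLSConfig(p *PKI, certs ...tls.Certificate) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: p.Pool, ServerName: "drawbridge", Certificates: certs}
}

// Handshake runs a real handshake over loopback TCP and returns the negotiated version and the
// client CN the server authenticated. The server's verdict is returned: in TLS 1.3 a client
// that sent no certificate finishes its own handshake before the server rejects it.
func Handshake(serverCfg, clientCfg *tls.Config) (uint16, string, error) {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	var srv *tls.Conn
	done := make(chan error, 1)
	go func() {
		srv = tls.Server(must(ln.Accept()), serverCfg)
		done <- srv.Handshake()
	}()
	if cl, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
		defer cl.Close()
	}
	if err := <-done; err != nil {
		return 0, "", err
	}
	defer srv.Close()
	st := srv.ConnectionState()
	return st.Version, st.PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	p := NewPKI()
	fmt.Println("curve:", p.Server.PrivateKey.(*ecdsa.PrivateKey).Params().Name)
	fmt.Println(Handshake(DrawbridgeTLSConfig(p), EmissaryTLSConfig(p, p.Client)))
	fmt.Println(Handshake(DrawbridgeTLSConfig(p), EmissaryTLSConfig(p)))
}
```

Setting both MinVersion and MaxVersion on the Emissary config to tls.VersionTLS12 makes the server refuse the handshake as well, which is the downgrade case the MinVersion setting exists to block. Note that the server config above has no MaxVersion, so it will also accept future TLS versions Go adds.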