This repository has been archived by the owner on Feb 27, 2023. It is now read-only.

feature: Hijack HTTPS by generating leaf TLS certs on the fly issued by user provided CA. #1181

Merged
merged 1 commit into from
Feb 5, 2020

Contributor

@YanzheL YanzheL commented Jan 14, 2020

Signed-off-by: YanzheL lee.yanzhe@yanzhe.org

I. Why do you propose this PR

The current implementation of HTTPS hijacking is simple but not correct.

It uses the user-provided TLS server cert df.crt and df.key to decrypt HTTPS connections. However, this cert cannot be a CA, which means every TLS connection is encrypted by the same cert from the user's point of view.

This is not the standard behavior of an HTTPS Man-In-The-Middle proxy, and it will cause various issues.

  1. The cert used by HTTPS hijacking cannot be automatically verified by applications because the Common Name (or Server-Alternative-Names) is always the same and it doesn't match the host of every connection. So users have to configure their applications manually to force-ignore the TLS verification.

    This prevents dfclient from being used as a general system-level HTTPS proxy without affecting user applications.

  2. Some applications cannot be configured to trust a specific TLS cert or ignore TLS verification error (e.g. Google Chrome). Instead, the only way to achieve it is to configure them to trust the CA, or add the CA to system trust store.

II. Describe what this PR did

  1. If df.crt and df.key are a CA key pair, then dfclient uses it to issue leaf TLS certs for every connection whose host matches pre-configured hijacking rules.

    The user can either add the CA to the system trust store, or configure individual applications to trust it.

    Since the common name of the leaf cert is set to the target host, the connection will be verified by the user's application automatically as normal.

  2. If df.crt and df.key are not a CA key pair, the behavior of dfclient is the same as the old way: this cert is used in hijacking instead of generating new certs per connection.

  3. So this PR is fully backward-compatible and will NOT break user applications.

III. Does this pull request fix one issue?

Potential issues are stated above.

IV. Potential use cases

  1. Maybe now we can cache HTTPS docker registries (Probably fixes Why does Dragonfly can not support HTTPS mirror repositories well? #525).

    The dfdaemon acts as a decrypting MITM HTTPS proxy, so it can 'see' the request body of docker image pull requests to remote private HTTPS registries. If we can see the body, then we can cache it as well.

  2. Generic HTTPS caching proxy, just like squid. Cache anything in a distributed way, and not just HTTP content. We can also use dfdaemon to speed up normal webpage loading in the browser.

V. Why don't you add test cases (unit test/integration test)? (Do you really think no tests are needed?)

I'm working on unit tests, but currently I don't have much time....
For now, I just tested this feature in container, and everything seems good.

VI. Describe how to verify it

  1. Prepare a self-signed CA with private key.

  2. Configure dfdaemon to use this key pair, and also configure the hijack rules and proxy rules.

    proxies:
      - regx: blobs/sha256.* # Caching docker images
      - regx: '.*\.png' # Caching png files.
    hijack_https:
      cert: ca.crt
      key: ca.key
      hosts:
        - regx: '.*'    # Decrypt all sites, for test.

  3. Set up dfdaemon as your system's HTTP(S) proxy.

    export HTTP_PROXY=http://127.0.0.1:65001; export HTTPS_PROXY=http://127.0.0.1:65001;

  4. Check the TLS cert returned by the target site.

    curl -vkL https://alibaba.com -o /dev/null

    This command will report that the TLS cert of alibaba.com is signed by your CA.

    The dfdaemon log will indicate that it is downloading png files of alibaba.com

VII. Special notes for reviews

This PR reuses the CA's private key (and signature algorithm) to generate per-connection certs. I think it can save key-generation overhead and there is no need to use a new TLS private key for every connection since the generated cert is temporal (Default valid time is 24 hours).

As for security, if the private key of the CA is leaked someway, generating a new private key for every connection will not improve security (maybe???). So reusing the CA private key does not bring many security issues.

If this is not appropriate, I can change it.

@pouchrobot
Collaborator

We found this is your first time to contribute to Dragonfly, @YanzheL
👏 We really appreciate it.
Just remind that you have read the contribution guide: https://github.com/dragonflyoss/Dragonfly/blob/master/CONTRIBUTING.md
If you didn't, you should do that first. If done, welcome again and please enjoy hacking! 🍻

@YanzheL YanzheL force-pushed the feature-https-mitm branch 2 times, most recently from b9475ff to e40b16a Compare January 14, 2020 15:55
@pouchrobot pouchrobot added size/L and removed size/M labels Jan 14, 2020
@codecov-io

codecov-io commented Jan 14, 2020

Codecov Report

Merging #1181 into master will decrease coverage by 0.37%.
The diff coverage is 0%.


@@            Coverage Diff             @@
##           master    #1181      +/-   ##
==========================================
- Coverage   48.27%   47.89%   -0.38%     
==========================================
  Files         116      117       +1     
  Lines        7263     7320      +57     
==========================================
  Hits         3506     3506              
- Misses       3477     3534      +57     
  Partials      280      280

| Impacted Files | Coverage Δ |
|---|---|
| dfdaemon/proxy/cert.go | 0% <0%> (ø) |
| dfdaemon/proxy/proxy.go | 11.11% <0%> (-1.39%) ⬇️ |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@YanzheL YanzheL changed the title Hijack HTTPS by generating leaf TLS certs on the fly issued by user provided CA. feature: Hijack HTTPS by generating leaf TLS certs on the fly issued by user provided CA. Jan 15, 2020
@lowzj lowzj requested a review from inoc603 January 16, 2020 02:31
@inoc603
Member

inoc603 commented Jan 16, 2020

@YanzheL Thanks a lot for your PR!

This has been a known issue we haven't fixed yet. The current implementation indeed requires clients to explicitly ignore certificate errors. Adding a CA to the system cert store is the right way to do it. I'll review the code later today; meanwhile, would you please:

  1. Add some documentation on how to deploy the CA to a host machine, on both system level and application level (if there are some typical use cases).
  2. Try using the CA as documented here, in the Use self-signed certificates section, to see if we can use it only for docker.

@YanzheL
Contributor Author

YanzheL commented Jan 16, 2020

Thanks for your reply. I wrote a simple guide to test this feature.

How to use dfclient with custom CA

Generate Self-Signed CA

I recommend using CFSSL to do this step. For users' convenience, we can implement CA auto-generation in the future.

If you do this with OpenSSL, please make sure the x509 Key Usage Extension contains Key Cert Sign and CRL Sign (The default is Any, which will not work).

  1. Install CFSSL

    See CFSSL Documentation

  2. Prepare a CFSSL config file ca.json

    {
      "CN": "Dragonfly Fake Root CA",
      "names": [
        { "O": "Dragonfly" }
      ],
      "key": { "algo": "ecdsa", "size": 384 }
    }

  3. Create the CA cert

    cfssl genkey \
        -initca ca.json \
    | cfssljson -bare ca
    
    mv ca.pem ca.crt
    mv ca-key.pem ca.key

Now we have a self-signed CA key-pair ca.key and ca.crt

Configure dfclient to use this CA

proxies:
  - regx: blobs/sha256.*
hijack_https:
  cert: /path/to/your/ca.crt
  key: /path/to/your/ca.key
  hosts:                     # We test some non-dockerhub HTTPS registries here.
    - regx: 'quay.io'
    - regx: 'registry.gitlab.com'
    - regx: 'gcr.io'

Configure dockerd to use dfclient as HTTP proxy.

mkdir /etc/systemd/system/docker.service.d

cat >/etc/systemd/system/docker.service.d/http-proxy.conf<<-EOF
[Service]
Environment="HTTP_PROXY=http://127.0.0.1:65001" "HTTPS_PROXY=http://127.0.0.1:65001" "NO_PROXY=10.*.*.*,192.168.*.*,127.*.*.*"
EOF

systemctl daemon-reload

service docker restart

Note: Do not use dfclient as registry-mirrors, otherwise docker may complain 502 bad gateway.......

Configure CA trust

You can trust this CA either at system scope or application scope.

System scope

Debian/Ubuntu:

cp ca.crt /usr/local/share/ca-certificates/dragonfly-fake-ca.crt
update-ca-certificates

RHEL/CentOS:

cp ca.crt /etc/pki/ca-trust/source/anchors/dragonfly-fake-ca.crt
update-ca-trust extract

Windows:

  • Double click ca.crt, choose "System Root Trust Store" as the certificate store location.

macOS:

  • Double click ca.crt, it will be imported to "Keychain Access" automatically.
  • Open Keychain Access App. Right-click Dragonfly Fake Root CA in Certificates tab and select Get Info. In new window, select Always trust in trust section.

Application Scope

Coming soon....

Test It

Pull from registry.gitlab.com

docker pull registry.gitlab.com/gitlab-org/cluster-integration/auto-build-image/master:stable
stable: Pulling from gitlab-org/cluster-integration/auto-build-image/master
89d9c30c1d48: Already exists 
8ef94372a977: Pull complete 
1ec62c064901: Pull complete 
e832ee05b41a: Pull complete 
cd554c28095e: Pull complete 
6bbe38466906: Pull complete 
e699fa91a067: Pull complete 
586c6953e86f: Pull complete 
879ed91f418f: Pull complete 
Digest: sha256:96545c036a09fb5160a6acd492c897da443a7ee6aca49f20c4f693e0b1a3f2c4
Status: Downloaded newer image for registry.gitlab.com/gitlab-org/cluster-integration/auto-build-image/master:stable
registry.gitlab.com/gitlab-org/cluster-integration/auto-build-image/master:stable

dfclient.log shows:

2020-01-16 09:25:21.492 DEBU sign:1 : hijack https request to registry.gitlab.com:443
2020-01-16 09:25:21.492 DEBU sign:1 : hijack https request with CA <Dragonfly Fake Root CA>
2020-01-16 09:25:21.540 DEBU sign:1 : Generate temporal leaf TLS cert for host <registry.gitlab.com>
2020-01-16 09:25:22.526 ERRO sign:1 : failed to accept incoming HTTP connections: closed
2020-01-16 09:25:22.527 DEBU sign:1 : round trip directly: GET https://registry.gitlab.com/v2/
2020-01-16 09:25:25.580 DEBU sign:1 : Tunneling https request for gitlab.com:443
2020-01-16 09:25:26.910 DEBU sign:1 : hijack https request to registry.gitlab.com:443
2020-01-16 09:25:26.910 DEBU sign:1 : hijack https request with CA <Dragonfly Fake Root CA>
2020-01-16 09:25:26.959 DEBU sign:1 : Generate temporal leaf TLS cert for host <registry.gitlab.com>
2020-01-16 09:25:29.809 ERRO sign:1 : failed to accept incoming HTTP connections: closed
2020-01-16 09:25:29.809 DEBU sign:1 : round trip directly: GET https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/manifests/stable
2020-01-16 09:25:31.140 DEBU sign:1 : hijack https request to registry.gitlab.com:443
2020-01-16 09:25:31.140 DEBU sign:1 : hijack https request with CA <Dragonfly Fake Root CA>
2020-01-16 09:25:31.150 DEBU sign:1 : hijack https request to registry.gitlab.com:443
2020-01-16 09:25:31.150 DEBU sign:1 : hijack https request with CA <Dragonfly Fake Root CA>
2020-01-16 09:25:31.150 DEBU sign:1 : hijack https request to registry.gitlab.com:443
2020-01-16 09:25:31.150 DEBU sign:1 : hijack https request to registry.gitlab.com:443
2020-01-16 09:25:31.150 DEBU sign:1 : hijack https request with CA <Dragonfly Fake Root CA>
2020-01-16 09:25:31.150 DEBU sign:1 : hijack https request with CA <Dragonfly Fake Root CA>
2020-01-16 09:25:31.189 DEBU sign:1 : Generate temporal leaf TLS cert for host <registry.gitlab.com>
2020-01-16 09:25:31.201 DEBU sign:1 : Generate temporal leaf TLS cert for host <registry.gitlab.com>
2020-01-16 09:25:31.201 DEBU sign:1 : Generate temporal leaf TLS cert for host <registry.gitlab.com>
2020-01-16 09:25:31.202 DEBU sign:1 : Generate temporal leaf TLS cert for host <registry.gitlab.com>
2020-01-16 09:25:32.112 ERRO sign:1 : failed to accept incoming HTTP connections: closed
2020-01-16 09:25:32.112 DEBU sign:1 : round trip with dfget: https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:1ec62c064901392a6722bb47a377c01a381f4482b1ce094b6d28682b6b6279fd
2020-01-16 09:25:32.112 INFO sign:1 : start download url:https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:1ec62c064901392a6722bb47a377c01a381f4482b1ce094b6d28682b6b6279fd to d13ef171-2021-4095-80cc-38fd42e41ffb in repo
2020-01-16 09:25:32.117 ERRO sign:1 : failed to accept incoming HTTP connections: closed
2020-01-16 09:25:32.117 DEBU sign:1 : round trip with dfget: https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:e832ee05b41a07d84a81efa78b60a849db707c4a4e05f9f69e6c6b5251a77431
2020-01-16 09:25:32.117 INFO sign:1 : start download url:https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:e832ee05b41a07d84a81efa78b60a849db707c4a4e05f9f69e6c6b5251a77431 to 6c682c4d-ab07-450e-ab4c-1dee312125f9 in repo
2020-01-16 09:25:32.119 ERRO sign:1 : failed to accept incoming HTTP connections: closed
2020-01-16 09:25:32.119 DEBU sign:1 : round trip with dfget: https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:8ef94372a977c02d425f12c8cbda5416e372b7a869a6c2b20342c589dba3eae5
2020-01-16 09:25:32.119 INFO sign:1 : start download url:https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:8ef94372a977c02d425f12c8cbda5416e372b7a869a6c2b20342c589dba3eae5 to 4bd5dc1b-6a63-47de-a654-e7b3ec2fc548 in repo
2020-01-16 09:25:32.120 ERRO sign:1 : failed to accept incoming HTTP connections: closed
2020-01-16 09:25:32.120 DEBU sign:1 : round trip with dfget: https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:c114dffc16419102b42958970133bc5950c85961747ba2ed9d37741457d829df
2020-01-16 09:25:32.120 INFO sign:1 : start download url:https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:c114dffc16419102b42958970133bc5950c85961747ba2ed9d37741457d829df to 430dd867-c469-48ee-a171-3a8857beea80 in repo
2020-01-16 09:25:37.109 INFO sign:1 : dfget url:https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:8ef94372a977c02d425f12c8cbda5416e372b7a869a6c2b20342c589dba3eae5 [SUCCESS] cost:4.990s
2020-01-16 09:25:37.167 INFO sign:1 : dfget url:https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:1ec62c064901392a6722bb47a377c01a381f4482b1ce094b6d28682b6b6279fd [SUCCESS] cost:5.054s
2020-01-16 09:25:37.653 INFO sign:1 : dfget url:https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:c114dffc16419102b42958970133bc5950c85961747ba2ed9d37741457d829df [SUCCESS] cost:5.533s
2020-01-16 09:25:37.792 DEBU sign:1 : hijack https request to registry.gitlab.com:443
2020-01-16 09:25:37.792 DEBU sign:1 : hijack https request with CA <Dragonfly Fake Root CA>
2020-01-16 09:25:38.019 DEBU sign:1 : Generate temporal leaf TLS cert for host <registry.gitlab.com>
2020-01-16 09:25:38.176 DEBU sign:1 : hijack https request to registry.gitlab.com:443
2020-01-16 09:25:38.176 DEBU sign:1 : hijack https request with CA <Dragonfly Fake Root CA>
2020-01-16 09:25:38.522 DEBU sign:1 : Generate temporal leaf TLS cert for host <registry.gitlab.com>
2020-01-16 09:25:38.925 ERRO sign:1 : failed to accept incoming HTTP connections: closed
2020-01-16 09:25:38.926 DEBU sign:1 : round trip with dfget: https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:cd554c28095ed49610ff776669b000744e5fc3519287001c42f8953e11b74a70
2020-01-16 09:25:38.926 INFO sign:1 : start download url:https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:cd554c28095ed49610ff776669b000744e5fc3519287001c42f8953e11b74a70 to 72062b43-7e7d-4249-96ea-fe5dc830de91 in repo
2020-01-16 09:25:39.386 ERRO sign:1 : failed to accept incoming HTTP connections: closed
2020-01-16 09:25:39.387 DEBU sign:1 : round trip with dfget: https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:6bbe3846690692c5c44890a0e10d2fd97c7a31947d0f47bb614f6779ae065eed
2020-01-16 09:25:39.387 INFO sign:1 : start download url:https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:6bbe3846690692c5c44890a0e10d2fd97c7a31947d0f47bb614f6779ae065eed to 260a42bb-0139-4eb7-b2cc-d6c877ae582d in repo
2020-01-16 09:25:48.687 INFO sign:1 : dfget url:https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:cd554c28095ed49610ff776669b000744e5fc3519287001c42f8953e11b74a70 [SUCCESS] cost:9.761s
2020-01-16 09:25:48.741 DEBU sign:1 : hijack https request to registry.gitlab.com:443
2020-01-16 09:25:48.741 DEBU sign:1 : hijack https request with CA <Dragonfly Fake Root CA>
2020-01-16 09:25:48.861 DEBU sign:1 : Generate temporal leaf TLS cert for host <registry.gitlab.com>
2020-01-16 09:25:49.374 INFO sign:1 : dfget url:https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:e832ee05b41a07d84a81efa78b60a849db707c4a4e05f9f69e6c6b5251a77431 [SUCCESS] cost:17.257s
2020-01-16 09:25:49.837 ERRO sign:1 : failed to accept incoming HTTP connections: closed
2020-01-16 09:25:49.837 DEBU sign:1 : round trip with dfget: https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:e699fa91a067c674e8ee9d2365a5136a9f6fe18e6c88a7f07275156077fae2d8
2020-01-16 09:25:49.837 INFO sign:1 : start download url:https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:e699fa91a067c674e8ee9d2365a5136a9f6fe18e6c88a7f07275156077fae2d8 to 700c9049-534d-4c49-afde-52a2ff6d6a8e in repo
2020-01-16 09:25:50.999 INFO sign:1 : dfget url:https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:6bbe3846690692c5c44890a0e10d2fd97c7a31947d0f47bb614f6779ae065eed [SUCCESS] cost:11.612s
2020-01-16 09:25:51.255 DEBU sign:1 : hijack https request to registry.gitlab.com:443
2020-01-16 09:25:51.256 DEBU sign:1 : hijack https request with CA <Dragonfly Fake Root CA>
2020-01-16 09:25:51.336 DEBU sign:1 : Generate temporal leaf TLS cert for host <registry.gitlab.com>
2020-01-16 09:25:52.432 ERRO sign:1 : failed to accept incoming HTTP connections: closed
2020-01-16 09:25:52.432 DEBU sign:1 : round trip with dfget: https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:586c6953e86f73a2e14664ea01fdf66ecf246c83272428bf86bc64a6a7f19495
2020-01-16 09:25:52.432 INFO sign:1 : start download url:https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:586c6953e86f73a2e14664ea01fdf66ecf246c83272428bf86bc64a6a7f19495 to b6661acf-8acf-43a6-bc59-2915b2200567 in repo
2020-01-16 09:25:54.283 INFO sign:1 : dfget url:https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:e699fa91a067c674e8ee9d2365a5136a9f6fe18e6c88a7f07275156077fae2d8 [SUCCESS] cost:4.446s
2020-01-16 09:25:54.445 DEBU sign:1 : hijack https request to registry.gitlab.com:443
2020-01-16 09:25:54.445 DEBU sign:1 : hijack https request with CA <Dragonfly Fake Root CA>
2020-01-16 09:25:54.626 DEBU sign:1 : Generate temporal leaf TLS cert for host <registry.gitlab.com>
2020-01-16 09:25:55.520 ERRO sign:1 : failed to accept incoming HTTP connections: closed
2020-01-16 09:25:55.520 DEBU sign:1 : round trip with dfget: https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:879ed91f418fe97c5cfeed2aba114f9bbf7be766c17864cbefdd257de0f28efb
2020-01-16 09:25:55.520 INFO sign:1 : start download url:https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:879ed91f418fe97c5cfeed2aba114f9bbf7be766c17864cbefdd257de0f28efb to cce45622-afb9-47f6-9c27-4fc437c3483e in repo
2020-01-16 09:25:57.622 INFO sign:1 : dfget url:https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:586c6953e86f73a2e14664ea01fdf66ecf246c83272428bf86bc64a6a7f19495 [SUCCESS] cost:5.190s
2020-01-16 09:25:59.987 INFO sign:1 : dfget url:https://registry.gitlab.com/v2/gitlab-org/cluster-integration/auto-build-image/master/blobs/sha256:879ed91f418fe97c5cfeed2aba114f9bbf7be766c17864cbefdd257de0f28efb [SUCCESS] cost:4.467s
2020-01-16 09:27:12.852 INFO sign:1 : scan repo and clean expired files

The log indicates that HTTPS connections are decrypted with our CA, and the docker image files are downloaded from the dragonfly network, which means the cache is working.

There are some errors in the log, e.g. failed to accept incoming HTTP connections: closed. I don't know the reason for this and I'm not sure whether the error is related to this PR. Anyway, from docker side, the image pull is successful without error.

@starnop
Contributor

starnop commented Jan 26, 2020

> There are some errors in the log, e.g. failed to accept incoming HTTP connections: closed. I don't know the reason for this and I'm not sure whether the error is related to this PR. Anyway, from docker side, the image pull is successful without error.

In fact, this error is not related to this PR. Please ignore it.

@inoc603
Member

inoc603 commented Feb 5, 2020

LGTM

Since this change is backward compatible, I think we can merge this PR now. @YanzheL would you please rebase the 3 commits into one and add a proper commit message?

Documentation and automatic CA generation are still needed though, I'll open an issue to track them. Thanks for the great work!

…rovided CA

Signed-off-by: YanzheL <lee.yanzhe@yanzhe.org>
@YanzheL
Contributor Author

YanzheL commented Feb 5, 2020

Thank you for reviewing. These commits are squashed now.

@inoc603 inoc603 merged commit e1ae4b8 into dragonflyoss:master Feb 5, 2020
sungjunyoung pushed a commit to sungjunyoung/Dragonfly that referenced this pull request May 8, 2022