This example-driven article shows various ways to test services secured with sec-wall, a feature-packed, high-performance security proxy. We'll be using cURL, a popular Linux command-line tool, and PycURL, a Python interface to cURL. As of version 1.0, sec-wall supports HTTP Basic auth, digest auth, custom HTTP headers, XPath-based authentication, WS-Security and SSL/TLS client certificates, and each of these options is shown below.

View the introduction in sec-wall: Open Source Security Proxy

It is assumed that you'll be using sec-wall's config.py file as listed below. Note that the server's SSL certificate uses a commonName of MySampleServer, which means that you need to add a line similar to the one below

127.0.0.1 MySampleServer

to your /etc/hosts file. That's because the examples below verify the server's certificate, so the host name used in the request must match the certificate's commonName.

The pki.zip (ZIP) attachment contains assorted keys and certificates while sec-wall-xpath_auth.xml and sec-wall-wsse_auth.xml contain data needed for invoking sec-wall using XPath-based and WS-Security authentication, respectively.

config.py

# -*- coding: utf-8 -*-# stdlib
import os.path as path, uuid, sys

# lxml
from lxml import etree

# Don't share it with anyone.
# NOTE(review): the value below is published with this article, so treat it
# as a sample only and generate a fresh secret for any real instance.
INSTANCE_SECRET = '23e4da2148994e7ea0b85a9a03d01eb0'

# May be shared with the outside world.
# A new random hex identifier is generated every time this module is loaded.
INSTANCE_UNIQUE = uuid.uuid4().hex

# Useful constants
# Directory holding this config file; the crypto paths below are built from it.
cur_dir = path.dirname(__file__)

# Crypto
# Paths to the PEM files under ./crypto next to this file. Judging by the file
# names these are the server's private key, the server's certificate and the CA
# chain -- presumably the chain client certificates are checked against; confirm
# against the sec-wall documentation.
keyfile = path.join(cur_dir, './crypto/server-key.pem')
certfile = path.join(cur_dir, './crypto/server-cert.pem')
ca_certs = path.join(cur_dir, './crypto/ca-chain.pem')

server_type = 'https'

# Where are we proxying the requests over to?
# NOTE(review): the backend address is blank in this listing ('http:///') and
# has to be filled in. The scheme shown is plain http, so the hop between the
# proxy and the backend is presumably unencrypted -- confirm that it stays on
# a trusted network.
target_host = 'http:///'

# Credentials
# Sample values referenced by the basic, digest, custom-header and XPath
# configs below; replace them before exposing the proxy to anything real.
username = 'abc'
password = 'abc'
realm = 'Secure area'

# ##############################################################################

def basic_auth():
    """Build the sec-wall URL config that guards a path with HTTP Basic auth.

    The expected user name, password and realm come from the module-level
    credentials; 'host' is the backend the requests are proxied to.
    """
    settings = {'basic-auth': True}
    settings['basic-auth-username'] = username
    settings['basic-auth-password'] = password
    settings['basic-auth-realm'] = realm
    settings['host'] = target_host
    return settings

def digest_auth():
    """Build the sec-wall URL config that guards a path with HTTP digest auth.

    Uses the same module-level user name, password and realm as the other
    password-based configs and proxies to ``target_host``.
    """
    pairs = [
        ('digest-auth', True),
        ('digest-auth-username', username),
        ('digest-auth-password', password),
        ('digest-auth-realm', realm),
        ('host', target_host),
    ]
    return dict(pairs)

def custom_http_headers():
    """Build the sec-wall URL config that authenticates via custom HTTP headers.

    The config names two headers, X-MyFancyUsername and X-MyFancyPassword,
    together with the values they are expected to carry.
    """
    # Header name (prefixed with 'custom-http-') -> expected header value.
    expected_headers = [
        ('custom-http-X-MyFancyUsername', username),
        ('custom-http-X-MyFancyPassword', password),
    ]

    config = {'custom-http': True}
    for key, expected in expected_headers:
        config[key] = expected
    config['host'] = target_host
    return config

def xpath():
    """Build the sec-wall URL config that authenticates with XPath expressions.

    Two compiled expressions are returned: one comparing the text of
    /a/b/username with the configured user name, and one comparing the
    password attribute of any <c> element with the configured password.
    """
    # NOTE(review): the credentials are formatted straight into the expression
    # text, so a quote character in either value would alter the XPath; keep
    # such characters out of the configured user name and password.
    username_check = etree.XPath("/a/b/username/text() = '{0}'".format(username))
    password_check = etree.XPath("//c/@password='{0}'".format(password))

    return {
        'xpath': True,
        'xpath-1': username_check,
        'xpath-2': password_check,
        'host': target_host,
    }

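def wsse():
    """Build the sec-wall URL config for WS-Security username/password auth.

    The credentials are read from the module-level ``username`` and
    ``password`` instead of being repeated as literals, so this config stays
    in step with the other auth configs when the sample credentials change.
    """
    return {
        'wsse-pwd': True,
        'wsse-pwd-username': username,
        'wsse-pwd-password': password,
        'wsse-pwd-realm': realm,
        'wsse-pwd-reject-empty-nonce-creation': True,
        'wsse-pwd-reject-stale-tokens': True,
        # NOTE(review): with both limits at sys.maxint the freshness and expiry
        # checks presumably never reject a token, which lets a static request
        # file be replayed for testing but gives no replay protection.
        # Confirm against the sec-wall docs and use small values outside tests.
        'wsse-pwd-nonce-freshness-time': sys.maxint,
        'wsse-pwd-reject-expiry-limit': sys.maxint,
        'host': target_host,
    }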

def ssl_cert():
    """Build the sec-wall URL config that relies on an SSL/TLS client certificate.

    Besides switching on 'ssl' and 'ssl-cert', the config lists a commonName
    and an organizationName.
    """
    # NOTE(review): presumably these are the subject fields the client
    # certificate must carry -- confirm against the sec-wall documentation.
    subject_fields = (
        ('ssl-cert-commonName', 'My Client'),
        ('ssl-cert-organizationName', 'My Company'),
    )

    config = {'ssl': True, 'ssl-cert': True}
    for key, expected in subject_fields:
        config[key] = expected
    config['host'] = target_host
    return config

# (URL path, security config) pairs, one per authentication scheme. Each config
# function is called once, while this module is being loaded.
urls = []
urls.append(('/basic_auth', basic_auth()))
urls.append(('/digest_auth', digest_auth()))
urls.append(('/custom_http_headers', custom_http_headers()))
urls.append(('/xpath', xpath()))
urls.append(('/wsse', wsse()))
urls.append(('/ssl_cert', ssl_cert()))

Basic auth

cURL

$ curl --basic -u abc:abc --cacert ./ca-chain.pem  

PycURL

import pycurl

# NOTE(review): the URL is blank in this listing; it presumably should be the
# https address of the sec-wall instance (host name MySampleServer) followed
# by /basic_auth.
url = ' '

# Each entry mirrors one switch of the cURL command line shown above.
options = (
    # --basic: Basic auth sends the credentials merely base64-encoded, so the
    # TLS layer is what keeps them confidential.
    (pycurl.HTTPAUTH, pycurl.HTTPAUTH_BASIC),
    # -u: user name and password, colon-separated.
    (pycurl.USERPWD, 'abc:abc'),
    # --cacert: CA bundle the server's certificate is verified against.
    (pycurl.CAINFO, './ca-chain.pem'),
    (pycurl.URL, url),
)

client = pycurl.Curl()
for option, value in options:
    client.setopt(option, value)

client.perform()

Digest auth

cURL

$ curl --digest -u abc:abc --cacert ./ca-chain.pem  

PycURL

import pycurl

# NOTE(review): the URL is blank in this listing; it presumably should be the
# https address of the sec-wall instance (host name MySampleServer) followed
# by /digest_auth.
url = ' '

handle = pycurl.Curl()

# Equivalent of --digest: answer the server's Digest challenge instead of
# sending the password itself.
handle.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_DIGEST)

# Equivalent of -u: the credentials, as user:password.
handle.setopt(pycurl.USERPWD, 'abc:abc')

# Equivalent of --cacert: verify the server certificate against this CA chain.
# Peer and host-name verification are left at libcurl's defaults (enabled).
handle.setopt(pycurl.CAINFO, './ca-chain.pem')

handle.setopt(pycurl.URL, url)
handle.perform()

Custom HTTP headers

cURL

$ curl -H "X-MyFancyUsername:abc" -H "X-MyFancyPassword:abc" --cacert ./ca-chain.pem  

PycURL

import pycurl

# NOTE(review): the URL is blank in this listing; it presumably should be the
# https address of the sec-wall instance (host name MySampleServer) followed
# by /custom_http_headers.
url = ' '

# One list entry per -H switch. The credentials travel as plain header values,
# so they are only as confidential as the TLS connection carrying them.
credential_headers = ['X-MyFancyUsername:abc', 'X-MyFancyPassword:abc']

session = pycurl.Curl()
session.setopt(pycurl.HTTPHEADER, credential_headers)

# --cacert: CA chain used to verify the server's certificate.
session.setopt(pycurl.CAINFO, './ca-chain.pem')

session.setopt(pycurl.URL, url)
session.perform()

XPath-based auth

cURL

$ curl --data @xpath_auth.xml --cacert ./ca-chain.pem  

PycURL

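import pycurl

curl = pycurl.Curl()

# NOTE(review): the URL is blank in this listing; it presumably should be the
# https address of the sec-wall instance (host name MySampleServer) followed
# by /xpath.
url = ' '

# --data switch
# The request body is read in Python instead of letting PycURL do it. The
# with-block closes the file as soon as it has been read. Unlike cURL's
# --data @file, which strips newlines, the content is sent exactly as read.
with open('xpath_auth.xml') as body_file:
    request_body = body_file.read()
curl.setopt(pycurl.POSTFIELDS, request_body)

# --cacert switch: CA chain used to verify the server's certificate.
curl.setopt(pycurl.CAINFO, './ca-chain.pem')

curl.setopt(pycurl.URL, url)
curl.perform()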

WS-Security

cURL

$ curl --data @wsse_auth.xml --cacert ./ca-chain.pem  

PycURL

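import pycurl

curl = pycurl.Curl()

# NOTE(review): the URL is blank in this listing; it presumably should be the
# https address of the sec-wall instance (host name MySampleServer) followed
# by /wsse.
url = ' '

# --data switch
# The WS-Security request is read in Python instead of letting PycURL do it.
# The with-block closes the file as soon as it has been read. Unlike cURL's
# --data @file, which strips newlines, the content is sent exactly as read.
with open('wsse_auth.xml') as body_file:
    request_body = body_file.read()
curl.setopt(pycurl.POSTFIELDS, request_body)

# --cacert switch: CA chain used to verify the server's certificate.
curl.setopt(pycurl.CAINFO, './ca-chain.pem')

curl.setopt(pycurl.URL, url)
curl.perform()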

SSL client cert

cURL

$ curl --cert client-cert.pem --key client-key.pem --cacert ./ca-chain.pem  

PycURL

import pycurl

# NOTE(review): the URL is blank in this listing; it presumably should be the
# https address of the sec-wall instance (host name MySampleServer) followed
# by /ssl_cert.
url = ' '

# Each entry mirrors one switch of the cURL command line shown above.
tls_options = (
    # --key: the client's private key; keep this file readable by its owner only.
    (pycurl.SSLKEY, './client-key.pem'),
    # --cert: the client certificate presented to the proxy.
    (pycurl.SSLCERT, './client-cert.pem'),
    # --cacert: CA chain used to verify the server's certificate.
    (pycurl.CAINFO, './ca-chain.pem'),
)

connection = pycurl.Curl()
for option, value in tls_options:
    connection.setopt(option, value)

connection.setopt(pycurl.URL, url)
connection.perform()

Resources

  • Visit us at http://sec-wall.gefira.pl/
  • Contact Dariusz Suchojad (the e-mail address is hidden by the site's spam protection)
  • Download pki.zip (ZIP)
  • Download sec-wall-xpath_auth.xml
  • Download sec-wall-wsse_auth.xml