Using the sec-wall Security Proxy
Source: Dariusz Suchojad - Posted by Dave Wreski   
Features This article full of examples will show you various ways to test services secured using sec-wall, a feature-packed high performance security proxy. We'll be using cURL, a popular Linux command line tool and PycURL - a Python interface to cURL. As of version 1.0, sec-wall supports HTTP Basic auth, digest auth, custom HTTP headers, XPath-based authentication, WS-Security & SSL/TLS client certificates and each of the options is being shown below.

View the introduction in sec-wall: Open Source Security Proxy

It is assumed that you'll be using the sec-wall's config.py file as listed below so it's worth pointing out that the server's SSL certificate uses a commonName of MySampleServer which means that you need to add the line similiar to the one below

127.0.0.1 MySampleServer

to your /etc/hosts file. That's because the examples below do check the validity of the server's crypto material.

The pki.zip (ZIP) attachment contains assorted keys and certificates while sec-wall-xpath_auth.xml and sec-wall-wsse_auth.xml contain data needed for invoking sec-wall using XPath-based and WS-Security authentication, respectively.

config.py

# -*- coding: utf-8 -*-

# stdlib
import os.path as path, uuid, sys

# lxml
from lxml import etree

# Don't share it with anyone.
INSTANCE_SECRET = '23e4da2148994e7ea0b85a9a03d01eb0'

# May be shared with the outside world.
INSTANCE_UNIQUE = uuid.uuid4().hex

# Useful constants
cur_dir = path.dirname(__file__)

# Crypto
keyfile = path.join(cur_dir, './crypto/server-key.pem')
certfile = path.join(cur_dir, './crypto/server-cert.pem')
ca_certs = path.join(cur_dir, './crypto/ca-chain.pem')

server_type = 'https'

# Where are we proxying the requests over to?
target_host = 'http://example.com/'

# Credentials
username = 'abc'
password = 'abc'
realm = 'Secure area'

# ##############################################################################

def basic_auth():
    return {
        'basic-auth': True,
        'basic-auth-username': username,
        'basic-auth-password': password,
        'basic-auth-realm': realm,
        'host': target_host,
    }

def digest_auth():
    return {
        'digest-auth': True,
        'digest-auth-username': username,
        'digest-auth-password': password,
        'digest-auth-realm': realm,
        'host': target_host,
    }

def custom_http_headers():
    return {
        'custom-http': True,
        'custom-http-X-MyFancyUsername': username,
        'custom-http-X-MyFancyPassword': password,
        'host': target_host,
    }

def xpath():
    return {
        'xpath': True,
        'xpath-1': etree.XPath("/a/b/username/text() = '{0}'".format(username)),
        'xpath-2': etree.XPath("//c/@password='{0}'".format(password)),
        'host': target_host,
    }

def wsse():
    return {
        'wsse-pwd': True,
        'wsse-pwd-username': 'abc',
        'wsse-pwd-password': 'abc',
        'wsse-pwd-realm': realm,
        'wsse-pwd-reject-empty-nonce-creation': True,
        'wsse-pwd-reject-stale-tokens': True,
        'wsse-pwd-nonce-freshness-time': sys.maxint,
        'wsse-pwd-reject-expiry-limit': sys.maxint,
        'host': target_host,
    }

def ssl_cert():
    return {
        'ssl': True,
        'ssl-cert': True,
        'ssl-cert-commonName': 'My Client',
        'ssl-cert-organizationName': 'My Company',
        'host': target_host
    }

urls = [
    ('/basic_auth', basic_auth()),
    ('/digest_auth', digest_auth()),
    ('/custom_http_headers', custom_http_headers()),
    ('/xpath', xpath()),
    ('/wsse', wsse()),
    ('/ssl_cert', ssl_cert()),
]

Basic auth

cURL

$ curl --basic -u abc:abc --cacert ./ca-chain.pem https://MySampleServer:15100/basic_auth

PycURL

import pycurl

curl = pycurl.Curl()

url = 'https://MySampleServer:15100/basic_auth'

# --basic switch
curl.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_BASIC)

# -u switch
curl.setopt(pycurl.USERPWD, 'abc:abc')

# --cacert switch
curl.setopt(pycurl.CAINFO, './ca-chain.pem')

curl.setopt(pycurl.URL, url)
curl.perform()

Digest auth

cURL

$ curl --digest -u abc:abc --cacert ./ca-chain.pem https://MySampleServer:15100/digest_auth

PycURL

import pycurl

curl = pycurl.Curl()

url = 'https://MySampleServer:15100/digest_auth'

# --digest switch
curl.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_DIGEST)

# -u switch
curl.setopt(pycurl.USERPWD, 'abc:abc')

# --cacert switch
curl.setopt(pycurl.CAINFO, './ca-chain.pem')

curl.setopt(pycurl.URL, url)
curl.perform()

Custom HTTP headers

cURL

$ curl -H "X-MyFancyUsername:abc" -H "X-MyFancyPassword:abc" --cacert ./ca-chain.pem https://MySampleServer:15100/custom_http_headers

PycURL

import pycurl

curl = pycurl.Curl()

url = 'https://MySampleServer:15100/custom_http_headers'

# -H switches
curl.setopt(pycurl.HTTPHEADER, ['X-MyFancyUsername:abc', 'X-MyFancyPassword:abc'])

# --cacert switch
curl.setopt(pycurl.CAINFO, './ca-chain.pem')

curl.setopt(pycurl.URL, url)
curl.perform()

XPath-based auth

cURL

$ curl --data @xpath_auth.xml --cacert ./ca-chain.pem https://MySampleServer:15100/xpath

PycURL

import pycurl

curl = pycurl.Curl()

url = 'https://MySampleServer:15100/xpath'

# --data switch
# Note that it uses the file in Python instead of letting PycURL do it.
curl.setopt(pycurl.POSTFIELDS, open('xpath_auth.xml').read())

# --cacert switch
curl.setopt(pycurl.CAINFO, './ca-chain.pem')

curl.setopt(pycurl.URL, url)
curl.perform()

WS-Security

cURL

$ curl --data @wsse_auth.xml --cacert ./ca-chain.pem https://MySampleServer:15100/wsse

PycURL

import pycurl

curl = pycurl.Curl()

url = 'https://MySampleServer:15100/wsse'

# --data switch
# Note that it uses the file in Python instead of letting PycURL do it.
curl.setopt(pycurl.POSTFIELDS, open('wsse_auth.xml').read())

# --cacert switch
curl.setopt(pycurl.CAINFO, './ca-chain.pem')

curl.setopt(pycurl.URL, url)
curl.perform()

SSL client cert

cURL

$ curl --cert client-cert.pem --key client-key.pem --cacert ./ca-chain.pem https://MySampleServer:15100/ssl_cert

PycURL

import pycurl

curl = pycurl.Curl()

url = 'https://MySampleServer:15100/ssl_cert'

# --key switch
curl.setopt(pycurl.SSLKEY, './client-key.pem')

# --cert switch
curl.setopt(pycurl.SSLCERT, './client-cert.pem')

# --cacert switch
curl.setopt(pycurl.CAINFO, './ca-chain.pem')

curl.setopt(pycurl.URL, url)
curl.perform()

Resources

 

 

Only registered users can write comments.
Please login or register.

Powered by AkoComment!