Skip to content

epk/envoy-egress-mitm

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits

cfssl

cfssl

 
 

cmd

cmd

 
 

e2e

e2e

 
 

envoy

envoy

 
 

types

types

 
 

.gitignore

.gitignore

 
 

Dockerfile

Dockerfile

 
 

README.md

README.md

 
 

docker-compose.yml

docker-compose.yml

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

tools.go

tools.go

 
 

Repository files navigation

Envoy Egress MITM

A proof of concept that:

  • Starts as a L4 SNI forward proxy
  • Mints self signed certificates based on SNI
  • Hijacks/MITMs subsequent requests for the given SNI host

This is highly experimental.

Getting started

Running

# Download deps
export CGO_ENABLED=0
go mod download

# Create root and intermediate CA
cd cfssl
go run github.com/cloudflare/cfssl/cmd/cfssl gencert -initca ca.json | go run github.com/cloudflare/cfssl/cmd/cfssljson -bare ca
go run github.com/cloudflare/cfssl/cmd/cfssl gencert -initca intermediate-ca.json | go run github.com/cloudflare/cfssl/cmd/cfssljson -bare intermediate-ca
go run github.com/cloudflare/cfssl/cmd/cfssl sign -ca ca.pem -ca-key ca-key.pem -config cfssl.json -profile intermediate-ca intermediate-ca.csr | go run github.com/cloudflare/cfssl/cmd/cfssljson -bare intermediate-ca
# rename keys
mv ca-key.pem ca.key
mv intermediate-ca-key.pem intermediate-ca.key
# rename certificates
mv ca.pem ca.crt
mv intermediate-ca.pem intermediate-ca.crt
# combine cacertificates
cat ca.crt >> combined.crt
cat intermediate-ca.crt >> combined.crt
cd ..

# Start up Envoy + ALS service + xDS service
docker-compose up --force-recreate --build -d --wait

Demo

# Make some requests
curl -sv -o /dev/null https://www.google.com --connect-to www.google.com:443:localhost:8443

# Second request should fail
curl -sv -o /dev/null https://www.google.com --connect-to www.google.com:443:localhost:8443

# Try again with self signed CA
curl -sv -o /dev/null https://www.google.com --connect-to www.google.com:443:localhost:8443 --cacert ./cfssl/combined.crt


# Repeat for any other hosts of your liking
# First request over L4
curl -sv -o /dev/null https://www.reddit.com --connect-to www.reddit.com:443:localhost:8443

# Second request fails
curl -sv -o /dev/null https://www.reddit.com --connect-to www.reddit.com:443:localhost:8443

# Request with self signed CA goes through
curl -sv -o /dev/null https://www.reddit.com --connect-to www.reddit.com:443:localhost:8443 --cacert ./cfssl/combined.crt

# Or run an e2e script that tests the top 500 domains
go run ./e2e -i 5 -p
cat results.csv

About

envoy-egress-mitm

Resources

Readme
Activity

Stars

5 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages