├── .gitignore
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── Dockerfile
├── LICENSE
├── README.md
├── aws_proxy_pattern.png
├── provider.tf
├── proxy
    ├── proxy_user_data.sh
    ├── root.tf
    └── variables.tf
├── root.tf
├── variables.tf
└── vpc
    ├── root.tf
    └── variables.tf


/.gitignore:
--------------------------------------------------------------------------------
1 | *.swp
2 | *.tfstate*
3 | .terraform/
4 | terraform.tfvars
5 | 


--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
 1 | # Contributor Covenant Code of Conduct
 2 | 
 3 | ## Our Pledge
 4 | 
 5 | In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
 6 | 
 7 | ## Our Standards
 8 | 
 9 | Examples of behavior that contributes to creating a positive environment include:
10 | 
11 | * Using welcoming and inclusive language
12 | * Being respectful of differing viewpoints and experiences
13 | * Gracefully accepting constructive criticism
14 | * Focusing on what is best for the community
15 | * Showing empathy towards other community members
16 | 
17 | Examples of unacceptable behavior by participants include:
18 | 
19 | * The use of sexualized language or imagery and unwelcome sexual attention or advances
20 | * Trolling, insulting/derogatory comments, and personal or political attacks
21 | * Public or private harassment
22 | * Publishing others' private information, such as a physical or electronic address, without explicit permission
23 | * Other conduct which could reasonably be considered inappropriate in a professional setting
24 | 
25 | ## Our Responsibilities
26 | 
27 | Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
28 | 
29 | Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
30 | 
31 | ## Scope
32 | 
33 | This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
34 | 
35 | ## Enforcement
36 | 
37 | Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at opensource@nearform.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
38 | 
39 | Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
40 | 
41 | ## Attribution
42 | 
43 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
44 | 
45 | [homepage]: http://contributor-covenant.org
46 | [version]: http://contributor-covenant.org/version/1/4/
47 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # Welcome to XYZ!
 2 | 
 3 | Please take a second to read over this before opening an issue. Providing complete information upfront will help us address any issue (and ship new features!) faster.
 4 | 
 5 | We greatly appreciate bug fixes, documentation improvements and new features, however when contributing a new major feature, it is a good idea to idea to first open an issue, to make sure the feature it fits with the goal of the project, so we don't waste your or our time.
 6 | 
 7 | ## Bug Reports
 8 | 
 9 | A perfect bug report would have the following:
10 | 
11 | 1. Summary of the issue you are experiencing.
12 | 2. Details on what versions of node and XZY you are using (`node -v`).
13 | 3. A simple repeatable test case for us to run. Please try to run through it 2-3 times to ensure it is completely repeatable.
14 | 
15 | We would like to avoid issues that require a follow up questions to identify the bug. These follow ups are difficult to do unless we have a repeatable test case.
16 | 
17 | 
18 | ## For Developers
19 | 
20 | All contributions should fit the [standard](https://github.com/standard/standard) linter, and pass the tests.
21 | You can test this by running:
22 | 
23 | ```
24 | npm test
25 | ```
26 | 
27 | In addition, make sure to add tests for any new features.
28 | You can test the test coverage by running:
29 | 
30 | ```
31 | npm run ci-cov
32 | ```
33 | 
34 | ## For Collaborators
35 | 
36 | Make sure to get a `:thumbsup:`, `+1` or `LGTM` from another collaborator before merging a PR. If you aren't sure if a release should happen, open an issue.
37 | 
38 | Release process:
39 | 
40 | - `npm test`
41 | - `npm version <major|minor|patch>`
42 | - `git push && git push --tags`
43 | - `npm publish`
44 | 
45 | -----------------------------------------
46 | 
47 | <a id="developers-certificate-of-origin"></a>
48 | ## Developer's Certificate of Origin 1.1
49 | 
50 | By making a contribution to this project, I certify that:
51 | 
52 | * (a) The contribution was created in whole or in part by me and I
53 |   have the right to submit it under the open source license
54 |   indicated in the file; or
55 | 
56 | * (b) The contribution is based upon previous work that, to the best
57 |   of my knowledge, is covered under an appropriate open source
58 |   license and I have the right under that license to submit that
59 |   work with modifications, whether created in whole or in part
60 |   by me, under the same open source license (unless I am
61 |   permitted to submit under a different license), as indicated
62 |   in the file; or
63 | 
64 | * (c) The contribution was provided directly to me by some other
65 |   person who certified (a), (b) or (c) and I have not modified
66 |   it.
67 | 
68 | * (d) I understand and agree that this project and the contribution
69 |   are public and that a record of the contribution (including all
70 |   personal information I submit with it, including my sign-off) is
71 |   maintained indefinitely and may be redistributed consistent with
72 |   this project or the open source license(s) involved.
73 | 


--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM alpine:latest
2 | 
3 | RUN apk add squid
4 | 
5 | ENTRYPOINT ["squid", "-NYCd 1"]
6 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | Copyright 2018 nearForm
 2 | 
 3 | Licensed under the Apache License, Version 2.0 (the "License");
 4 | you may not use this file except in compliance with the License.
 5 | You may obtain a copy of the License at
 6 | 
 7 |     http://www.apache.org/licenses/LICENSE-2.0
 8 | 
 9 | Unless required by applicable law or agreed to in writing, software
10 | distributed under the License is distributed on an "AS IS" BASIS,
11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | See the License for the specific language governing permissions and
13 | limitations under the License.


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # aws-proxy-pattern
 2 | 
 3 | ## Description
 4 | 
 5 | ![high level design](aws_proxy_pattern.png)
 6 | 
 7 | A fairly common security best practice is to send outbound internet traffic
 8 | through a proxy to facilitate monitoring and filtering. Transparent proxies
 9 | make this easier by not requiring any specific configuration on the hosts.
10 | 
11 | This repository contains terraform modules to create such a proxy with an
12 | example network in AWS VPC to show how it works.
13 | 
14 | The blog article related to this repo can be found at:
15 | 
16 | https://www.nearform.com/blog/building-a-transparent-proxy-in-aws-vpc-with-terraform-and-squid/
17 | 
18 | ## Building
19 | 
20 | 1. `terraform init` in the project root
21 | 2. Change the `provider.tf` profile if necessary to match your
22 |    `~/.aws/credentials` profile name if it is not `default`.
23 | 3. Create a new EC2 key pair or use an existing one and provide the key pair
24 |    name to terraform as a variable, this will be used to protect access to the
25 |    instances in the example network. An easy way to do this is to add a file
26 |    called `terraform.tfvars` to the root of the project containing the line:
27 |    `key_pair_name = "<your_key_pair_name_here>"`
28 | 4. `terraform plan`
29 | 5. `terraform apply`
30 | 
31 | ## Testing
32 | 
33 | Use the IP addresses output by terraform to SSH into the example host through
34 | the management host. Ensure you have SSH agent forwarding on to make this work,
35 | see the blog article for specific steps.
36 | 
37 | Running `curl http://www.amazonaws.com` and `curl http://baddomain.com` should
38 | show that traffic is going through and being filtered by the proxy. This can be
39 | further verified over SSH to the proxy directly by tailing
40 | `/var/log/squid/access.log`.
41 | 
42 | ## License
43 | 
44 | Copyright nearForm Ltd 2018. Licensed under [Apache 2.0 license](LICENSE)
45 | 
46 | ## Contributing
47 | 
48 | We have a [contributing guide](CONTRIBUTING.md) and a [code of conduct](CODE_OF_CONDUCT.md).
49 | 


--------------------------------------------------------------------------------
/aws_proxy_pattern.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nearform/aws-proxy-pattern/cbd67437c447b388938b2a100f1e34f74e7c9e7d/aws_proxy_pattern.png


--------------------------------------------------------------------------------
/provider.tf:
--------------------------------------------------------------------------------
1 | # Uses ~/.aws/credentials, default profile
2 | provider "aws" {
3 |     region = "${var.region}"
4 |     profile = "default"
5 | }
6 | 
7 | 


--------------------------------------------------------------------------------
/proxy/proxy_user_data.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -x
 3 | 
 4 | # Install latest Docker
 5 | apt update
 6 | apt-get install -y \
 7 |     apt-transport-https \
 8 |     ca-certificates \
 9 |     curl \
10 |     software-properties-common
11 | curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
12 | add-apt-repository \
13 |     "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
14 |     $(lsb_release -cs) \
15 |     stable"
16 | apt update
17 | apt install -y docker-ce
18 | 
19 | # Create squid configuration
20 | mkdir /etc/squid
21 | cat | tee /etc/squid/squid.conf <<EOF
22 | visible_hostname squid
23 | 
24 | #Handling HTTP requests
25 | http_port 3129 intercept
26 | acl allowed_http_sites dstdomain .amazonaws.com
27 | acl allowed_http_sites dstdomain .security.ubuntu.com
28 | http_access allow allowed_http_sites
29 | 
30 | #Handling HTTPS requests
31 | https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
32 | acl SSL_port port 443
33 | http_access allow SSL_port
34 | acl allowed_https_sites ssl::server_name .amazonaws.com
35 | acl allowed_https_sites ssl::server_name .badssl.com
36 | acl allowed_https_sites ssl::server_name .security.ubuntu.com
37 | acl step1 at_step SslBump1
38 | acl step2 at_step SslBump2
39 | acl step3 at_step SslBump3
40 | ssl_bump peek step1 all
41 | ssl_bump peek step2 allowed_https_sites
42 | ssl_bump splice step3 allowed_https_sites
43 | ssl_bump terminate step3 all
44 | 
45 | http_access deny all
46 | EOF
47 | 
48 | # Create certificates for SSL peek
49 | mkdir /etc/squid/ssl && cd /etc/squid/ssl
50 | openssl genrsa -out squid.key 2048
51 | openssl req -new -key squid.key -out squid.csr -subj "/C=XX/ST=XX/L=squid/O=squid/CN=squid"
52 | openssl x509 -req -days 3650 -in squid.csr -signkey squid.key -out squid.crt
53 | cat squid.key squid.crt | tee squid.pem
54 | 
55 | # Allow access to uid 31 (squid in container, unknown on host) to /var/log/squid/
56 | mkdir /var/log/squid
57 | chown 31:31 /var/log/squid/
58 | chmod u+rwx /var/log/squid/
59 | 
60 | # Pull squid image and run using config and cert setup above
61 | docker pull karlhopkinsonturrell/squid-alpine
62 | docker run -it -d --net host \
63 |     --mount type=bind,src=/etc/squid/squid.conf,dst=/etc/squid/squid.conf \
64 |     --mount type=bind,src=/etc/squid/ssl,dst=/etc/squid/ssl \
65 |     --mount type=bind,src=/var/log/squid/,dst=/var/log/squid/ \
66 |     karlhopkinsonturrell/squid-alpine
67 | 
68 | # Route inbound traffic into squid
69 | iptables -t nat -I PREROUTING 1 -s 10.0.2.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3129
70 | iptables -t nat -I PREROUTING 1 -s 10.0.2.0/24 -p tcp --dport 443 -j REDIRECT --to-port 3130
71 | 
72 | 


--------------------------------------------------------------------------------
/proxy/root.tf:
--------------------------------------------------------------------------------
 1 | # Data inputs
 2 | data "aws_ami" "ubuntu" {
 3 |     most_recent = true
 4 | 
 5 |     filter {
 6 |         name = "name"
 7 |         values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
 8 |     }
 9 | 
10 |     filter {
11 |         name = "virtualization-type"
12 |         values = ["hvm"]
13 |     }
14 | 
15 |     owners = ["099720109477"]
16 | }
17 | 
18 | # The proxy instance with interface specified separately to make it easier to
19 | # associate with a route table
20 | resource "aws_network_interface" "proxy" {
21 |     subnet_id = "${var.subnet_id}"
22 | 
23 |     # Important to disable this check to allow traffic not addressed to the
24 |     # proxy to be received
25 |     source_dest_check = false
26 | }
27 | 
28 | resource "aws_instance" "proxy" {
29 |     ami = "${data.aws_ami.ubuntu.id}"
30 |     instance_type = "${var.proxy_instance_type}"
31 | 
32 |     key_name = "${var.key_pair_name}"
33 | 
34 |     user_data = "${file("proxy/proxy_user_data.sh")}"
35 | 
36 |     network_interface {
37 |         network_interface_id = "${aws_network_interface.proxy.id}"
38 |         device_index = 0
39 |     }
40 | 
41 |     tags {
42 |         Name = "aws_proxy_pattern_proxy"
43 |     }
44 | }
45 | 
46 | # Outputs
47 | output "proxy_public_ip" {
48 |     value = "${aws_instance.proxy.public_ip}"
49 | }
50 | 
51 | output "proxy_network_interface_id" {
52 |     value = "${aws_network_interface.proxy.id}"
53 | }
54 | 


--------------------------------------------------------------------------------
/proxy/variables.tf:
--------------------------------------------------------------------------------
 1 | # Subnet to place proxy in
 2 | variable "subnet_id" {}
 3 | 
 4 | # SSH key pair inside AWS to use to access proxy
 5 | variable "key_pair_name" {}
 6 | 
 7 | # AWS instance type to use for proxy
 8 | variable "proxy_instance_type" {
 9 |     type = "string"
10 |     default = "t2.micro"
11 | }
12 | 


--------------------------------------------------------------------------------
/root.tf:
--------------------------------------------------------------------------------
 1 | module "vpc" {
 2 |     source = "vpc"
 3 |     key_pair_name = "${var.key_pair_name}"
 4 |     proxy_network_interface_id = "${module.proxy.proxy_network_interface_id}"
 5 | }
 6 | 
 7 | module "proxy" {
 8 |     source = "proxy"
 9 |     key_pair_name = "${var.key_pair_name}"
10 |     subnet_id = "${module.vpc.public_subnet_id}"
11 | }
12 | 
13 | output "host_private_ip" {
14 |     value = "${module.vpc.host_private_ip}"
15 | }
16 | 
17 | output "management_host_public_ip" {
18 |     value = "${module.vpc.management_public_ip}"
19 | }
20 | 
21 | output "proxy_public_ip" {
22 |     value = "${module.proxy.proxy_public_ip}"
23 | }
24 | 
25 | 


--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "region" {
 2 |     type = "string"
 3 |     default = "eu-west-2"
 4 | }
 5 | 
 6 | # Key pair to use for instances
 7 | variable "key_pair_name" {
 8 |     type = "string"
 9 | }
10 | 
11 | 


--------------------------------------------------------------------------------
/vpc/root.tf:
--------------------------------------------------------------------------------
  1 | # Data inputs
  2 | data "aws_ami" "ubuntu" {
  3 |     most_recent = true
  4 | 
  5 |     filter {
  6 |         name = "name"
  7 |         values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
  8 |     }
  9 | 
 10 |     filter {
 11 |         name = "virtualization-type"
 12 |         values = ["hvm"]
 13 |     }
 14 | 
 15 |     owners = ["099720109477"]
 16 | }
 17 | 
 18 | # VPC Resources
 19 | resource "aws_vpc" "aws_proxy_pattern_vpc" {
 20 |     cidr_block = "${var.cidr_block}"
 21 | 
 22 |     tags {
 23 |         Name = "aws_proxy_pattern_vpc"
 24 |     }
 25 |     enable_dns_support = true
 26 |     enable_dns_hostnames = true
 27 | }
 28 | 
 29 | resource "aws_internet_gateway" "igw" {
 30 |     vpc_id = "${aws_vpc.aws_proxy_pattern_vpc.id}"
 31 | }
 32 | 
 33 | # The proxy will live here, think of it as the DMZ where everything gets
 34 | # internet access if it has a public IP
 35 | resource "aws_subnet" "public_subnet" {
 36 |     vpc_id = "${aws_vpc.aws_proxy_pattern_vpc.id}"
 37 |     cidr_block = "${var.cidr_public_subnet}"
 38 |     map_public_ip_on_launch = true
 39 | 
 40 |     tags {
 41 |         Name = "aws_proxy_pattern_public_subnet"
 42 |     }
 43 | }
 44 | 
 45 | # The private host will live here and default routes traffic out to the public
 46 | # subnet
 47 | resource "aws_subnet" "private_subnet" {
 48 |     vpc_id = "${aws_vpc.aws_proxy_pattern_vpc.id}"
 49 |     cidr_block = "${var.cidr_private_subnet}"
 50 | 
 51 |     tags {
 52 |         Name = "aws_proxy_pattern_private_subnet"
 53 |     }
 54 | }
 55 | 
 56 | # Route tables for each type of subnet
 57 | resource "aws_route_table" "public_routes" {
 58 |     vpc_id = "${aws_vpc.aws_proxy_pattern_vpc.id}"
 59 | 
 60 |     route {
 61 |         cidr_block = "0.0.0.0/0"
 62 |         gateway_id = "${aws_internet_gateway.igw.id}"
 63 |     }
 64 | 
 65 |     tags {
 66 |         Name = "public_routes"
 67 |     }
 68 | }
 69 | 
 70 | resource "aws_route_table" "private_routes" {
 71 |     vpc_id = "${aws_vpc.aws_proxy_pattern_vpc.id}"
 72 | 
 73 |     tags {
 74 |         Name = "private_routes"
 75 |     }
 76 | }
 77 | 
 78 | resource "aws_route" "proxy_route" {
 79 |     route_table_id = "${aws_route_table.private_routes.id}"
 80 |     destination_cidr_block = "0.0.0.0/0"
 81 |     network_interface_id = "${var.proxy_network_interface_id}"
 82 | }
 83 | 
 84 | resource "aws_route_table_association" "public_routes_association" {
 85 |     subnet_id = "${aws_subnet.public_subnet.id}"
 86 |     route_table_id = "${aws_route_table.public_routes.id}"
 87 | }
 88 | 
 89 | resource "aws_route_table_association" "private_routes_association" {
 90 |     subnet_id = "${aws_subnet.private_subnet.id}"
 91 |     route_table_id = "${aws_route_table.private_routes.id}"
 92 | }
 93 | 
 94 | # The example host instance
 95 | resource "aws_instance" "host" {
 96 |     ami = "${data.aws_ami.ubuntu.id}"
 97 |     instance_type = "t2.micro"
 98 |     subnet_id = "${aws_subnet.private_subnet.id}"
 99 | 
100 |     key_name = "${var.key_pair_name}"
101 | 
102 |     tags {
103 |         Name = "aws_proxy_pattern_host"
104 |     }
105 | }
106 | 
107 | # A host that will enable us to SSH to the private host for testing
108 | resource "aws_instance" "management_host" {
109 |     ami = "${data.aws_ami.ubuntu.id}"
110 |     instance_type = "t2.micro"
111 |     subnet_id = "${aws_subnet.public_subnet.id}"
112 | 
113 |     key_name = "${var.key_pair_name}"
114 | 
115 |     tags {
116 |         Name = "aws_proxy_pattern_management_host"
117 |     }
118 | }
119 | 
120 | output "public_subnet_id" {
121 |     value = "${aws_subnet.public_subnet.id}"
122 | }
123 | 
124 | output "host_private_ip" {
125 |     value = "${aws_instance.host.private_ip}"
126 | }
127 | 
128 | output "management_public_ip" {
129 |     value = "${aws_instance.management_host.public_ip}"
130 | }
131 | 
132 | 


--------------------------------------------------------------------------------
/vpc/variables.tf:
--------------------------------------------------------------------------------
 1 | # SSH key pair inside AWS to use to access example host / mgmt host
 2 | variable "key_pair_name" {}
 3 | 
 4 | # Network interface ID for the proxy to use as a default route
 5 | variable "proxy_network_interface_id" {}
 6 | 
 7 | # CIDR block for example VPC
 8 | variable "cidr_block" {
 9 |     type = "string"
10 |     default = "10.0.0.0/16"
11 | }
12 | 
13 | # CIDR block for public subnet
14 | variable "cidr_public_subnet" {
15 |     type = "string"
16 |     default = "10.0.1.0/24"
17 | }
18 | 
19 | # CIDR block for private subnet
20 | variable "cidr_private_subnet" {
21 |     type = "string"
22 |     default = "10.0.2.0/24"
23 | }
24 | 


--------------------------------------------------------------------------------