helm: restrictions refacto

GitGuardian · Jan 12, 2025 · 6bd6710 · 6bd6710
1 parent 1ce98bd
commit 6bd6710
Show file tree

Hide file tree

Showing 6 changed files with 142 additions and 19 deletions.
diff --git a/helm/ggbridge/files/nginx.conf b/helm/ggbridge/files/nginx.conf
@@ -1,5 +1,3 @@
-{{- $tunnels :=  ternary .Values.client.reverseTunnels .Values.client.tunnels (eq .Values.mode "server") -}}
-
 {{- $webListeners := list -}}
 {{- with .Values.proxy.tunnels.web -}}
     {{- if .ingress.enabled -}}
@@ -90,12 +88,12 @@ stream {
     access_log /dev/stdout stream;
 
     map $ssl_preread_server_name $backend_name {
-        {{- if .Values.whitelist }}
-            {{- range $hostname := .Values.whitelist }}
-        {{ printf "%s %s:443;" $hostname $hostname }}
+        {{- if .Values.whitelist.hosts }}
+            {{- range $host := .Values.whitelist.hosts }}
+        {{ printf "%s %s;" $host $host }}
             {{- end }}
         {{- else }}
-        default $ssl_preread_server_name:443;
+        default $ssl_preread_server_name;
         {{- end }}
     }
 
@@ -107,7 +105,7 @@ stream {
     server {
         listen 127.0.0.1:{{ .Values.proxy.service.ports.tls.remoteContainerPort }} proxy_protocol;
         ssl_preread on;
-        proxy_pass $backend_name;
+        proxy_pass $backend_name:443;
         proxy_protocol {{ ternary "on" "off" .Values.proxyProtocol.enabled }};
     }
 }
diff --git a/helm/ggbridge/files/restrictions.yaml b/helm/ggbridge/files/restrictions.yaml
@@ -0,0 +1,116 @@
+# Doc: https://github.com/erebe/wstunnel/blob/main/restrictions.yaml
+restrictions:
+  - name: "health"
+    description: "Health restriction rules"
+    match:
+      - !Any
+    allow:
+      - !Tunnel
+        protocol:
+          - Tcp
+        port:
+          - {{ .Values.proxy.service.ports.health.remoteContainerPort }}
+        host: ^localhost$
+        cidr:
+          - 127.0.0.1/32
+          - ::1/128
+      - !ReverseTunnel
+        protocol:
+          - Tcp
+        port:
+          - {{ .Values.proxy.service.ports.health.containerPort }}
+        host: ^.*$
+        cidr:
+          - 0.0.0.0/0
+          - ::/0
+
+  - name: "socks"
+    description: "Socks restriction rules"
+    match:
+      - !Any
+    allow:
+      - !ReverseTunnel
+        protocol:
+          - Socks5
+        port:
+          - {{ .Values.proxy.service.ports.socks.containerPort }}
+        cidr:
+          - 0.0.0.0/0
+          - ::/0
+
+  - name: "tls"
+    description: "Tls restriction rules"
+    match:
+      - !Any
+    allow:
+      - !Tunnel
+        protocol:
+          - Tcp
+        port:
+          - {{ .Values.proxy.service.ports.tls.remoteContainerPort }}
+        host: ^localhost$
+        cidr:
+          - 127.0.0.1/32
+          - ::1/128
+      - !ReverseTunnel
+        protocol:
+          - Tcp
+        port:
+          - {{ .Values.proxy.service.ports.tls.containerPort }}
+        host: ^localhost$
+        cidr:
+          - 127.0.0.1/32
+          - ::1/128
+
+  - name: "web"
+    description: "web restriction rules"
+    match:
+      - !Any
+    allow:
+      - !Tunnel
+        protocol:
+          - Tcp
+        port:
+          - {{ .Values.proxy.service.ports.web.remoteContainerPort }}
+        host: ^localhost$
+        cidr:
+          - 127.0.0.1/32
+          - ::1/128
+      - !ReverseTunnel
+        protocol:
+          - Tcp
+        port:
+          - {{ .Values.proxy.service.ports.web.containerPort }}
+        host: ^localhost$
+        cidr:
+          - 127.0.0.1/32
+          - ::1/128
+
+  {{- with .Values.whitelist.cidr }}
+  - name: "cidr whitelist"
+    description: "cidr whitelist"
+    match:
+      - !Any
+    allow:
+      - !Tunnel
+        protocol:
+          - Tcp
+        port:
+          - 443
+        cidr: {{ toYaml .  | nindent 10 }}
+  {{- end }}
+
+  {{- range $host := .Values.whitelist.hosts }}
+  - name: {{ $host | quote}}
+    description: "{{ $host }} whitelist"
+    match:
+      - !Any
+    allow:
+      - !Tunnel
+        protocol:
+          - Tcp
+        port:
+          - 443
+        host: {{ printf "^%s$" $host }}
+        cidr: []
+  {{- end }}
diff --git a/helm/ggbridge/templates/server/configmap.yaml b/helm/ggbridge/templates/server/configmap.yaml
@@ -15,4 +15,6 @@ metadata:
 data:
   nginx.conf: |-
     {{ tpl (.Files.Get "files/nginx.conf") . | nindent 4 }}
+  restrictions.yaml: |-
+    {{ tpl (.Files.Get "files/restrictions.yaml") . | nindent 4 }}
 {{- end }}
diff --git a/helm/ggbridge/templates/server/deployment.yaml b/helm/ggbridge/templates/server/deployment.yaml
@@ -116,6 +116,8 @@ spec:
               value: {{ $.Values.proxy.service.ports.web.internalPort | quote }}
             - name: TUNNEL_WEB_REMOTE_PORT
               value: {{ $.Values.proxy.service.ports.web.remoteContainerPort | quote }}
+            - name: RESTRICT_CONFIG
+              value: /config/restrictions.yaml
             {{- if or $.Values.caBundle.certs $.Values.caBundle.existingSecret }}
             - name: SSL_CERT_FILE
               value: /ca-certs/ca-bundle.crt
@@ -141,6 +143,10 @@ spec:
             - name: ca-certs
               mountPath: /ca-certs
               readOnly: true
+            - name: config
+              mountPath: /config/restrictions.yaml
+              subPath: restrictions.yaml
+              readOnly: true
             {{- if and $.Values.tls.enabled (eq (include "ggbridge.server.trafficRouting.enabled" $) "false") }}
             - name: tls-secret
               mountPath: /certs

diff --git a/helm/ggbridge/values.yaml b/helm/ggbridge/values.yaml
@@ -201,8 +201,13 @@ tls:
 # -- Specify hosts whitelist (Only available for web and tls tunnel)
 ## e.g:
 ## whitelist:
-##   - hook.gitguardian.com
-whitelist: []
+##   hosts:
+##     - hook.gitguardian.com
+##   cidr:
+##     - 10.85.0.0/16
+whitelist:
+  hosts: []
+  cidr: []
 
 # -- Number of deployments
 deploymentCount: 3

diff --git a/main.go b/main.go
@@ -246,11 +246,7 @@ func buildServerCommand() []string {
 	serverPathPrefix := os.Getenv("SERVER_PATH_PREFIX")
 	pingFrequency := getEnv("PING_FREQUENCY", strconv.Itoa(DefaultPingFrequency))
 	dnsResolver := os.Getenv("DNS_RESOLVER")
-	tunnelHealthPort := getEnv("TUNNEL_HEALTH_PORT", strconv.Itoa(DefaultTunnelHealthPort))
-	tunnelHealthRemotePort := getEnv("TUNNEL_HEALTH_REMOTE_PORT", strconv.Itoa(DefaultTunnelHealthRemotePort))
-	tunnelSocksPort := getEnv("TUNNEL_SOCKS_PORT", strconv.Itoa(DefaultTunnelSocksPort))
-	tunnelTlsPort := getEnv("TUNNEL_TLS_PORT", strconv.Itoa(DefaultTunnelTlsPort))
-	tunnelTlsRemotePort := getEnv("TUNNEL_TLS_REMOTE_PORT", strconv.Itoa(DefaultTunnelTlsRemotePort))
+	restrictConfig := os.Getenv("RESTRICT_CONFIG")
 	tlsEnabled, err := strconv.ParseBool(getEnv("TLS_ENABLED", "false"))
 	if err != nil {
 		log.Fatalf("Invalid boolean for tlsEnabled:", err)
@@ -276,18 +272,18 @@ func buildServerCommand() []string {
 		"server",
 		serverUrl,
 		"--websocket-ping-frequency-sec", pingFrequency,
-		"--restrict-to", fmt.Sprintf("127.0.0.1:%s", tunnelHealthRemotePort),
-		"--restrict-to", fmt.Sprintf("127.0.0.1:%s", tunnelTlsRemotePort),
-		"--restrict-to", fmt.Sprintf("0.0.0.0:%s", tunnelHealthPort),
-		"--restrict-to", fmt.Sprintf("0.0.0.0:%s", tunnelSocksPort),
-		"--restrict-to", fmt.Sprintf("0.0.0.0:%s", tunnelTlsPort),
 	}
 
 	// Server will only accept connection from if this specific path prefix is used during websocket upgrade.
 	if serverPathPrefix != "" {
 		cmd = append(cmd, "--restrict-http-upgrade-path-prefix", serverPathPrefix)
 	}
 
+	// Load restriction rules from config file
+	if restrictConfig != "" {
+		cmd = append(cmd, "--restrict-config", restrictConfig)
+	}
+
 	// Add SSL flags if enabled
 	if tlsEnabled {
 		cmd = append(cmd, "--tls-client-ca-certs", "/certs/ca.crt")