A simple SSL frontend that routes client connections to different backends depending on the client certificate.
The main use case is serving several connection types of different protocols behind a single frontend SSL endpoint (host:port), since most corporate firewalls restrict outbound SSL connections to port 443 only.
```sh
mvn clean package docker:build -Pdocker
```
This command builds the docker image netty-ssl-routing-proxy. The -Pdocker profile is required to switch netty's platform-specific JNI library to linux-x86_64.
See the example config.json.
The "keyStore" and "trustStore" paths must be absolute. For example, if the key stores live in "/etc/keys/", the config should contain:
```json
"keyStore": "/etc/keys/server.jks",
"keyAlias": "server",
"password": "password",
"trustStore": "/etc/keys/truststore.jks",
```
Routing conditions supported:
- Certificate subject substring matching (e.g. OU=SERVICE-NAME)
- Specific intermediate certificate in client certificate chain
To route on an intermediate certificate, "caSubject" must contain the complete Issuer DN exactly as it appears in the client certificate. For example, if the certificate shows "Issuer: CN=ca.test.com, OU=test.com, O=test.com, L=Moscow, ST=Moscow, C=RU", the rule should be:
```json
"rules": [
  {
    "@name": "com.doublescoring.netty.proxy.config.rules.IntermediateCertificateRoutingRule",
    "target": {
      "host": "localhost",
      "port": 1234
    },
    "caSubject": "CN=ca.test.com, OU=test.com, O=test.com, L=Moscow, ST=Moscow, C=RU"
  }
]
```
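An added illustration (not the project's code) of how the two rule types above can be evaluated against a client's certificate chain after the TLS handshake has already validated it against the trustStore. The Cert and Target classes, the first-match ordering and the sample DNs are constructed for this example; only the issuer DN is taken from the README.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class Cert:
    subject: str  # DN string as printed by the CA, e.g. "CN=svc, OU=SERVICE-A, O=test.com"
    issuer: str

@dataclass(frozen=True)
class Target:
    host: str
    port: int

@dataclass(frozen=True)
class SubjectSubstringRule:
    """Matches when `pattern` occurs anywhere in the leaf certificate's subject DN."""
    pattern: str
    target: Target
    def matches(self, chain: Sequence[Cert]) -> bool:
        # Plain substring: "OU=SERVICE-A" also matches "OU=SERVICE-AB", so order
        # the most specific rules first. chain[0] is the client's own certificate.
        return self.pattern in chain[0].subject

@dataclass(frozen=True)
class IntermediateCertificateRule:
    """Matches when some certificate in the chain was issued by exactly `ca_subject`."""
    ca_subject: str
    target: Target
    def matches(self, chain: Sequence[Cert]) -> bool:
        return any(c.issuer == self.ca_subject for c in chain)  # full DN, no substring

def route(rules, chain: Sequence[Cert]) -> Optional[Target]:
    """First matching rule wins (assumed ordering); None means no backend, so refuse."""
    for rule in rules:
        if rule.matches(chain):
            return rule.target
    return None

# Constructed sample chains: leaf first, then the intermediate that signed it.
CA_DN = "CN=ca.test.com, OU=test.com, O=test.com, L=Moscow, ST=Moscow, C=RU"
INTERMEDIATE = Cert(subject=CA_DN, issuer="CN=root.test.com, O=test.com, C=RU")
CHAIN_A = [Cert("CN=svc-a, OU=SERVICE-A, O=test.com", CA_DN), INTERMEDIATE]
CHAIN_B = [Cert("CN=svc-b, OU=SERVICE-B, O=test.com", CA_DN), INTERMEDIATE]
# A leaf from a different CA still matches a subject rule: the rules do not check
# trust, only the trustStore used during the handshake does.
CHAIN_X = [Cert("CN=svc-x, OU=SERVICE-A, O=other.example", "CN=ca.other.example, O=other.example")]
RULES = [
    SubjectSubstringRule("OU=SERVICE-A", Target("svc-a.internal", 8443)),
    IntermediateCertificateRule(CA_DN, Target("localhost", 1234)),
]
```

CHAIN_A goes to svc-a.internal:8443 via the subject rule, CHAIN_B falls through to localhost:1234 via the intermediate rule, and a chain matching no rule yields None and should be refused rather than routed to a default.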
Deploy with a docker-compose.yml like the following (the container-side paths under volumes must match the "keyStore" and "trustStore" values in config.json):
```yaml
proxy:
  image: netty-ssl-routing-proxy
  restart: always
  volumes:
    - /path-to-configs/config.json:/etc/netty-ssl-routing-proxy.conf:ro
    # The original line lacked a container path; /etc/ssl/server.jks is an assumed
    # value and must equal the "keyStore" path in config.json.
    - /path-to-configs/server.jks:/etc/ssl/server.jks:ro
    - /path-to-configs/truststore.jks:/etc/ssl/truststore.jks:ro
  ports:
    - "0.0.0.0:443:443"
```