Using the sec-wall Security Proxy

    Date: 07 Jun 2011
    Category: Features
    Posted By: Dave Wreski
    This article, full of examples, will show you various ways to test services secured using sec-wall, a feature-packed, high-performance security proxy. We'll be using cURL, a popular Linux command line tool, and PycURL, a Python interface to cURL. As of version 1.0, sec-wall supports HTTP Basic auth, digest auth, custom HTTP headers, XPath-based authentication, WS-Security and SSL/TLS client certificates, and each of these options is shown below.

    View the introduction in sec-wall: Open Source Security Proxy

    It is assumed that you'll be using sec-wall's config.py file as listed below, so it's worth pointing out that the server's SSL certificate uses a commonName of MySampleServer, which means that you need to add a line similar to the one below

    127.0.0.1 MySampleServer
    

    to your /etc/hosts file. That's because the examples below really do verify the server's crypto material against the name in the URL.

    The pki.zip (ZIP) attachment contains assorted keys and certificates while sec-wall-xpath_auth.xml and sec-wall-wsse_auth.xml contain data needed for invoking sec-wall using XPath-based and WS-Security authentication, respectively.

    config.py

    # -*- coding: utf-8 -*-
    
    # stdlib
    import os.path as path
    import sys
    import uuid
    
    # lxml
    from lxml import etree
    
    # Don't share it with anyone.  A value printed in a published example is
    # public by definition: generate a fresh one for every deployment and keep
    # this file out of version control and world-readable locations.
    INSTANCE_SECRET = '23e4da2148994e7ea0b85a9a03d01eb0'
    
    # May be shared with the outside world (a new random UUID per process start).
    INSTANCE_UNIQUE = uuid.uuid4().hex
    
    # Useful constants - every file below is resolved relative to this config.
    cur_dir = path.dirname(__file__)
    
    # Crypto - the server's own key and certificate plus the CA chain.
    # (The key file is the secret part; keep its permissions tight.)
    _crypto_dir = path.join(cur_dir, './crypto')
    keyfile = path.join(_crypto_dir, 'server-key.pem')
    certfile = path.join(_crypto_dir, 'server-cert.pem')
    ca_certs = path.join(_crypto_dir, 'ca-chain.pem')
    
    # Serve TLS - the credential schemes below send secrets in the request,
    # so plain 'http' would expose them on the wire.
    server_type = 'https'
    
    # Where are we proxying the requests over to?
    target_host = 'http://example.com/'
    
    # Credentials shared by all the routes defined further down.
    username = 'abc'
    password = 'abc'
    realm = 'Secure area'
    
    # ##############################################################################
    
    def basic_auth():
        """Build the sec-wall route settings for HTTP Basic auth.

        Uses the module-level ``username``/``password``/``realm`` and forwards
        matching requests to ``target_host``.  Basic auth carries the
        credentials base64-encoded, not encrypted, so this route only makes
        sense because ``server_type`` is 'https'.
        """
        settings = {'basic-auth': True}
        settings['basic-auth-username'] = username
        settings['basic-auth-password'] = password
        settings['basic-auth-realm'] = realm
        settings['host'] = target_host
        return settings
    
    def digest_auth():
        """Build the sec-wall route settings for HTTP Digest auth.

        Same credentials and realm as :func:`basic_auth`; the only difference
        is the scheme, which keeps the clear-text password off the wire but
        still requires the proxy to know it.
        """
        settings = {'digest-auth': True}
        settings['digest-auth-username'] = username
        settings['digest-auth-password'] = password
        settings['digest-auth-realm'] = realm
        settings['host'] = target_host
        return settings
    
    def custom_http_headers():
        """Build the sec-wall route settings for custom-header auth.

        The client must send ``X-MyFancyUsername`` and ``X-MyFancyPassword``
        headers whose values equal the shared credentials.  The password is a
        plain header value, so - as with Basic auth - this relies on the TLS
        listener to protect it in transit.
        """
        header_prefix = 'custom-http-'
        settings = {'custom-http': True, 'host': target_host}
        settings[header_prefix + 'X-MyFancyUsername'] = username
        settings[header_prefix + 'X-MyFancyPassword'] = password
        return settings
    
    def xpath():
        """Build the sec-wall route settings for XPath-based auth.

        Both expressions are evaluated against the POSTed XML document and
        must hold for the request to pass.  The credential literals are
        interpolated straight into the XPath source, so a username or password
        containing a single quote would break the expression (XPath 1.0 has no
        escape inside a quoted literal) - fine for the demo values, but use
        concat() or another scheme for anything else.
        """
        username_check = "/a/b/username/text() = '{0}'".format(username)
        password_check = "//c/@password='{0}'".format(password)
        return {
            'xpath': True,
            'xpath-1': etree.XPath(username_check),
            'xpath-2': etree.XPath(password_check),
            'host': target_host,
        }
    
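    def wsse():
        """Build the sec-wall route settings for WS-Security UsernameToken auth.

        Uses the shared ``username``/``password`` like the other routes instead
        of repeating the literals.  Empty nonce-creation timestamps and stale
        tokens are rejected, but the freshness and expiry windows are set to
        the largest available int, which presumably means a token never
        becomes stale - acceptable for a demo, too permissive for real replay
        protection (tighten both for production).

        ``sys.maxint`` only exists on Python 2; ``sys.maxsize`` is the
        portable fallback with the same intent.
        """
        # Python 2 exposes sys.maxint, Python 3 only sys.maxsize.
        unlimited = getattr(sys, 'maxint', sys.maxsize)
        return {
            'wsse-pwd': True,
            'wsse-pwd-username': username,
            'wsse-pwd-password': password,
            'wsse-pwd-realm': realm,
            'wsse-pwd-reject-empty-nonce-creation': True,
            'wsse-pwd-reject-stale-tokens': True,
            'wsse-pwd-nonce-freshness-time': unlimited,
            'wsse-pwd-reject-expiry-limit': unlimited,
            'host': target_host,
        }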
    
    def ssl_cert():
        """Build the sec-wall route settings for TLS client-certificate auth.

        The key names suggest the presented client certificate's subject must
        carry the given commonName and organizationName (confirm against the
        sec-wall docs); the chain it must validate against is presumably the
        ``ca_certs`` file configured above.
        """
        subject = {
            'commonName': 'My Client',
            'organizationName': 'My Company',
        }
        settings = {'ssl': True, 'ssl-cert': True, 'host': target_host}
        for field_name, expected in subject.items():
            settings['ssl-cert-' + field_name] = expected
        return settings
    
    # Route table: URL path -> settings dict.  The factories are called once,
    # here at import time, so each route's settings are fixed for the process.
    _routes = (
        ('/basic_auth', basic_auth),
        ('/digest_auth', digest_auth),
        ('/custom_http_headers', custom_http_headers),
        ('/xpath', xpath),
        ('/wsse', wsse),
        ('/ssl_cert', ssl_cert),
    )
    urls = [(url_path, make_settings()) for url_path, make_settings in _routes]
    

    Basic auth

    cURL

    # --user takes user:password; with just `--user abc` curl prompts for the
    # password, keeping it out of the process table and the shell history
    $ curl --cacert ./ca-chain.pem --basic --user abc:abc https://MySampleServer:15100/basic_auth
    

    PycURL

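    import pycurl
    
    url = 'https://MySampleServer:15100/basic_auth'
    
    curl = pycurl.Curl()
    try:
        # --basic switch
        curl.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_BASIC)
    
        # -u switch (the credentials live in the script rather than on a
        # command line, so they do not show up in the process table)
        curl.setopt(pycurl.USERPWD, 'abc:abc')
    
        # --cacert switch - the chain that issued the server certificate;
        # peer and host-name verification stay at libcurl's default (on)
        curl.setopt(pycurl.CAINFO, './ca-chain.pem')
    
        curl.setopt(pycurl.URL, url)
        curl.perform()
    finally:
        # release the libcurl handle even if perform() raises
        curl.close()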
    

    Digest auth

    cURL

    # same caveat as for Basic auth: `--user abc` alone makes curl prompt for
    # the password instead of exposing it on the command line
    $ curl --cacert ./ca-chain.pem --digest --user abc:abc https://MySampleServer:15100/digest_auth
    

    PycURL

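    import pycurl
    
    url = 'https://MySampleServer:15100/digest_auth'
    
    curl = pycurl.Curl()
    try:
        # --digest switch
        curl.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_DIGEST)
    
        # -u switch
        curl.setopt(pycurl.USERPWD, 'abc:abc')
    
        # --cacert switch - the chain that issued the server certificate;
        # peer and host-name verification stay at libcurl's default (on)
        curl.setopt(pycurl.CAINFO, './ca-chain.pem')
    
        curl.setopt(pycurl.URL, url)
        curl.perform()
    finally:
        # release the libcurl handle even if perform() raises
        curl.close()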
    

    Custom HTTP headers

    cURL

    # the password is a plain header value - only ever send it over https,
    # and remember that the full command line (headers included) is visible
    # in the process table and the shell history
    $ curl --cacert ./ca-chain.pem --header "X-MyFancyUsername:abc" --header "X-MyFancyPassword:abc" https://MySampleServer:15100/custom_http_headers
    

    PycURL

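    import pycurl
    
    url = 'https://MySampleServer:15100/custom_http_headers'
    
    curl = pycurl.Curl()
    try:
        # -H switches - the password travels as a plain header value,
        # protected only by the TLS connection
        curl.setopt(pycurl.HTTPHEADER, ['X-MyFancyUsername:abc', 'X-MyFancyPassword:abc'])
    
        # --cacert switch - the chain that issued the server certificate;
        # peer and host-name verification stay at libcurl's default (on)
        curl.setopt(pycurl.CAINFO, './ca-chain.pem')
    
        curl.setopt(pycurl.URL, url)
        curl.perform()
    finally:
        # release the libcurl handle even if perform() raises
        curl.close()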
    

    XPath-based auth

    cURL

    # --data strips carriage returns and newlines from the @file contents;
    # use --data-binary if the XML must reach the proxy byte-for-byte
    $ curl --cacert ./ca-chain.pem --data @xpath_auth.xml https://MySampleServer:15100/xpath
    

    PycURL

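    import pycurl
    
    url = 'https://MySampleServer:15100/xpath'
    
    # --data switch
    # Note that it reads the file in Python instead of letting PycURL do it;
    # the context manager closes the file as soon as the body is read.
    with open('xpath_auth.xml') as xml_file:
        body = xml_file.read()
    
    curl = pycurl.Curl()
    try:
        curl.setopt(pycurl.POSTFIELDS, body)
    
        # --cacert switch - the chain that issued the server certificate;
        # peer and host-name verification stay at libcurl's default (on)
        curl.setopt(pycurl.CAINFO, './ca-chain.pem')
    
        curl.setopt(pycurl.URL, url)
        curl.perform()
    finally:
        # release the libcurl handle even if perform() raises
        curl.close()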
    

    WS-Security

    cURL

    # --data strips carriage returns and newlines from the @file contents;
    # use --data-binary if the WS-Security envelope must be sent verbatim
    $ curl --cacert ./ca-chain.pem --data @wsse_auth.xml https://MySampleServer:15100/wsse
    

    PycURL

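    import pycurl
    
    url = 'https://MySampleServer:15100/wsse'
    
    # --data switch
    # Note that it reads the file in Python instead of letting PycURL do it;
    # the context manager closes the file as soon as the body is read.
    with open('wsse_auth.xml') as xml_file:
        body = xml_file.read()
    
    curl = pycurl.Curl()
    try:
        curl.setopt(pycurl.POSTFIELDS, body)
    
        # --cacert switch - the chain that issued the server certificate;
        # peer and host-name verification stay at libcurl's default (on)
        curl.setopt(pycurl.CAINFO, './ca-chain.pem')
    
        curl.setopt(pycurl.URL, url)
        curl.perform()
    finally:
        # release the libcurl handle even if perform() raises
        curl.close()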
    

    SSL client cert

    cURL

    # client-key.pem is the secret that proves this identity - keep it readable
    # by its owner only (chmod 600); anyone who can read it can authenticate
    $ curl --cacert ./ca-chain.pem --cert client-cert.pem --key client-key.pem https://MySampleServer:15100/ssl_cert
    

    PycURL

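    import pycurl
    
    url = 'https://MySampleServer:15100/ssl_cert'
    
    curl = pycurl.Curl()
    try:
        # --key switch - the client's private key; keep the file owner-only
        curl.setopt(pycurl.SSLKEY, './client-key.pem')
    
        # --cert switch - the client certificate presented to the proxy
        curl.setopt(pycurl.SSLCERT, './client-cert.pem')
    
        # --cacert switch - the chain that issued the server certificate;
        # peer and host-name verification stay at libcurl's default (on)
        curl.setopt(pycurl.CAINFO, './ca-chain.pem')
    
        curl.setopt(pycurl.URL, url)
        curl.perform()
    finally:
        # release the libcurl handle even if perform() raises
        curl.close()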
    

    Resources

    • Visit us at http://sec-wall.gefira.pl/
    • Contact Dariusz Suchojad
    • Download pki.zip (ZIP)
    • Download sec-wall-xpath_auth.xml
    • Download sec-wall-wsse_auth.xml
