Skip to content

johnterickson/devproxy

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

40 Commits
.vscode
.vscode
 
 
Proxy
Proxy
 
 
Test
Test
 
 
titanium-web-proxy @ 6d74467
titanium-web-proxy @ 6d74467
 
 
.gitignore
.gitignore
 
 
.gitmodules
.gitmodules
 
 
NuGet.Config
NuGet.Config
 
 
README.md
README.md
 
 
dirs.proj
dirs.proj
 
 

Repository files navigation

Presentation PDF

Instead of putting caching, auth, etc into every single tool, put it in a proxy and route the tools through it. See also: https://github.com/zjrunner/prism

Since we don't want just anybody to be able to route traffic through this proxy and act with your auth, we need to limit access to this proxy itself.

First, this proxy will only listen for connections coming from the local machine. This means that requests from other computers will be ignored - even if the firewall is opened.

Additionally, the proxy will require an additional level of auth to ensure that not just any random program on a computer can make requests through this proxy. Example options:

  • The connection to the proxy provides a session token as proxy basic auth.
  • The connection to the proxy can be linked back to a process tree that has a trusted root process. E.g. you start your dev environment shell and all processes launched from that shell will be able to access the proxy.

Example output of starting proxy:

For most apps: $env:http_proxy = "$(D:\src\DevProxy\Proxy\bin\Release\net5.0\DevProxy.exe --get_proxy)" For windows git (via config): git config --add http.sslcainfo C:/Users/jerick/.devproxy/certs/root.devproxy.pem For windows git (via env var): GIT_PROXY_SSL_CAINFO=C:/Users/jerick/.devproxy/certs/root.devproxy.pem For WSL2 (Ubuntu tested): 1. Once, install root cert sudo apt install ca-certificates sudo cp /mnt/c/Users/jerick/.devproxy/certs/root.devproxy.pem /etc/ssl/certs/devproxy.pem sudo update-ca-certificates --verbose --fresh | grep -i devproxy 2. Set envvars to enable (add this to .bashrc) export http_proxy=$(/mnt/d/src/DevProxy/Proxy/bin/Release/net5.0/DevProxy.exe --get_wsl_proxy) export https_proxy=$http_proxy export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/devproxy.pem

Example using proxy from powershell:

  • AuthToProxyPlugins: [ProxyAuthorizationHeaderProxyAuthPlugin]
  • RequestPlugins: [AzureDevOpsAuthRequestPlugin]
PS C:\Users\jerick> $env:HTTPS_PROXY = "http://$(D:\src\DevProxy\bin\Debug\net5.0\win10-x64\publish\DevProxy.exe --get_token)@localhost:8888" PS C:\Users\jerick> curl.exe --ssl-no-revoke https://dev.azure.com/mseng -D headers.txt -o out.txt; findstr DevProxy headers.txt X-DevProxy-AuthToProxy-ProxyPasswordAuthPlugin: Authenticated_UserMatch_SHA512=5034090E X-DevProxy-AzureDevOpsAuthPlugin-TokenType: WindowsIntegratedAuth X-DevProxy-AzureDevOpsAuthPlugin-TokenSHA512: 12C88899

Example using proxy from WSL2:

  • AuthToProxyPlugins: [ProxyAuthorizationHeaderProxyAuthPlugin]
  • RequestPlugins: [AzureDevOpsAuthRequestPlugin]
john@jerick-hpz440:~$ export HTTP_PROXY=http://$(/mnt/d/src/DevProxy/bin/Debug/net5.0/win10-x64/publish/DevProxy.exe --get_token)@172.28.160.1:8888 john@jerick-hpz440:~$ export HTTPS_PROXY=$HTTP_PROXY john@jerick-hpz440:~$ curl https://dev.azure.com/mseng -D headers.txt -o body.txt && grep DevProxy headers.txt X-DevProxy-AuthToProxy-ProxyPasswordAuthPlugin: Authenticated_UserMatch_SHA512=5034090E X-DevProxy-AzureDevOpsAuthPlugin-TokenType: WindowsIntegratedAuth X-DevProxy-AzureDevOpsAuthPlugin-TokenSHA512: F22C0ACA

Example of automatically creating minimal SAS signatures for each request (set STORAGE_CONNECTION_STRING before starting proxy):

  • AuthToProxyPlugins: [ProxyAuthorizationHeaderProxyAuthPlugin]
  • RequestPlugins: [AzureBlobSasRequestPlugin]
john@jerick-hpz440:~$ curl -v -X PUT -d "From DevProxy: Hello, Azure Storage! $(date)"$'\n' -H "x-ms-blob-type: BlockBlob" https://jerickbuildcache.blob.core.windows.net/devproxytest/hello.txt 2>&1 | grep DevProxy * issuer: CN=DevProxy for jerick < X-DevProxy-AuthToProxy-ProxyAuthorizationHeaderProxyAuthPluginInstance: Authenticated_PasswordMatch_SHA512=07A6974FB90B91F566F502033A4B4BA7 < X-DevProxy-AzureBlobSasRequestPlugin-SAS: racwdxltmei_2021-10-13T20:45:44 john@jerick-hpz440:~$ curl -v https://jerickbuildcache.blob.core.windows.net/devproxytest/hello.txt 2>&1 | grep DevProxy * issuer: CN=DevProxy for jerick < X-DevProxy-AuthToProxy-ProxyAuthorizationHeaderProxyAuthPluginInstance: Authenticated_PasswordMatch_SHA512=07A6974FB90B91F566F502033A4B4BA7 < X-DevProxy-AzureBlobSasRequestPlugin-SAS: r_2021-10-13T20:46:01 From DevProxy: Hello, Azure Storage! Wed Oct 13 13:40:44 PDT 2021

Example of both authenticating to Azure DevOps via AAD and then caching the download of packages:

  • AuthToProxyPlugins: [ProxyAuthorizationHeaderProxyAuthPlugin]
  • RequestPlugins: [AzureDevOpsAuthRequestPlugin,BlobStoreCacheRequestPlugin]
curl -v -L https://outlookweb.pkgs.visualstudio.com/_packaging/owa-npm/npm/registry/@fluentui/keyboard-key/-/keyboard-key-0.2.17.tgz -o keyboard.tgz < HTTP/1.1 303 See Other < Location: https://9bgvsblobprodeus2185.vsblob.vsassets.io/b-c8701bf2aece44c9baedcf8a12ad5bd3/60FF07D444210A44BD5062A4113A2BAFF6DEB8718C8FA82756DCF0B9A4D931F700.blob?[redacted] < X-DevProxy-AuthToProxy-ProxyAuthorizationHeaderProxyAuthPluginInstance: Authenticated_PasswordMatch_SHA512=32A0F8A39718B9774B36A8AA6CF5D14A < X-DevProxy-AzureDevOpsAuthRequestPlugin-TokenNotes: AAD < X-DevProxy-AzureDevOpsAuthRequestPlugin-TokenSHA512: 7E1D09E8D6F0F9876E97424CBF2F2069 > CONNECT 9bgvsblobprodeus2185.vsblob.vsassets.io:443 HTTP/1.1 > GET /b-c8701bf2aece44c9baedcf8a12ad5bd3/60FF07D444210A44BD5062A4113A2BAFF6DEB8718C8FA82756DCF0B9A4D931F700.blob?[redacted] < X-DevProxy-AuthToProxy-ProxyAuthorizationHeaderProxyAuthPluginInstance: Authenticated_PasswordMatch_SHA512=32A0F8A39718B9774B36A8AA6CF5D14A < X-DevProxy-BlobStoreCacheRequestPlugin-Cache: HIT

Example using process tree to authenticate:

  • AuthToProxyPlugins: [ProcessTreeProxyAuthPlugin]
  • RequestPlugins: [AzureDevOpsAuthRequestPlugin]
echo http_proxy=%http_proxy% https_proxy=%https_proxy% && \src\DevProxy\Proxy\bin\Debug\net5.0\DevProxy.exe --run curl.exe -v --ssl-no-revoke https://dev.azure.com/mseng 2>&1 | findstr DevProxy http_proxy=http://localhost:8888 https_proxy=http://localhost:8888 < X-DevProxy-AuthToProxy-AuthorizationHeaderProxyAuthPlugin: NoOpinion_NoHeader=Authorization < X-DevProxy-AuthToProxy-ProxyAuthorizationHeaderProxyAuthPluginInstance: NoOpinion_NoHeader=Proxy-Authorization < X-DevProxy-AuthToProxy-ProcessTreeProxyAuthPlugin: Authenticated_RootProcessId=21872 < X-DevProxy-AzureDevOpsAuthRequestPlugin-TokenNotes: AAD < X-DevProxy-AzureDevOpsAuthRequestPlugin-TokenSHA512: 7E1D09E8D6F0F9876E97424CBF2F2069

Revoking all active PATs:

curl "https://vssps.dev.azure.com/mseng/_apis/tokens/pats?displayFilterOption=active&api-version=6.1-preview.1" | jq .patTokens[].authorizationId | xargs -I '{}' curl -X DELETE "https://vssps.dev.azure.com/mseng/_apis/tokens/pats?authorizationId={}&api-version=6.1-preview.1"

About

Seamlessly add modern auth and content caching to old tools and CI

Resources

Readme
Activity

Stars

2 stars

Watchers

3 watching

Forks

0 forks
Report repository

Contributors

Languages