3. Python code summary

When configured according to this tutorial, the policy.py file of the Application-level Gateway should look something like the listings below: the first configures plain TLS proxying with a static certificate, the second configures keybridging.

Configuring TLS proxying:

# --- TLS proxying with a static, gateway-owned certificate --------------------
# The client side is not asked for a certificate (ClientNoneVerifier) and uses
# the library's default client TLS options.
_client_verifier = ClientNoneVerifier()
_client_tls = ClientTLSOptions()

# Verification of the certificate the *server* presents to the gateway:
# the chain must be built from the CAs under /etc/ca.d/certs/ (at most 4 deep),
# a CRL must be present under /etc/ca.d/crls/ (permit_missing_crl=FALSE turns a
# missing CRL into a failure rather than a warning), invalid certificates are
# rejected, and the subject is checked (presumably against the requested host
# name -- confirm against the product documentation).
_server_verifier = ServerCertificateVerifier(
    verify_ca_directory="/etc/ca.d/certs/",
    verify_crl_directory="/etc/ca.d/crls/",
    trusted=TRUE,
    verify_depth=4,
    permit_invalid_certificates=FALSE,
    permit_missing_crl=FALSE,
    check_subject=TRUE,
)

# Server-side TLS parameters: default cipher list, TLS 1.3 as the floor
# (older protocol versions are refused), timeout=300 (units per product docs,
# presumably seconds).
_server_tls = ServerTLSOptions(
    ciphers=TLS_CIPHERS_DEFAULT,
    timeout=300,
    tls_min_version=TLS_VERSION_1_3,
)

# The single certificate the gateway presents to every client, regardless of
# the destination. Clients will only accept it if they trust it (or its
# issuer); keep key.pem readable by the gateway process only.
_gateway_key = PrivateKey.fromFile("/etc/key.d/VMS_Engine/key.pem")
_gateway_cert = Certificate.fromFile(
    certificate_file_path="/etc/key.d/VMS_Engine/cert.pem",
    private_key=_gateway_key,
)
_static_generator = StaticCertificate(certificates=(_gateway_cert, ))

# Policy referenced by name from Service(encryption_policy="MyTLSEncryption").
EncryptionPolicy(
    name="MyTLSEncryption",
    encryption=TwoSidedEncryption(
        client_verify=_client_verifier,
        client_tls_options=_client_tls,
        server_verify=_server_verifier,
        server_tls_options=_server_tls,
        client_certificate_generator=_static_generator,
    ),
)


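    def demo():
        """Instance ``demo``: transparently proxy HTTPS from one internal host to the internet.

        Defines a single HttpProxy-based service bound to the ``MyTLSEncryption``
        policy (server certificate verified against the local CA/CRL store,
        TLS 1.3 minimum) and one rule that sends TCP traffic from 192.168.1.1
        towards the ``internet`` zone through that service.

        The original listing had the Service and Rule at the same indentation as
        the ``def`` line, which is a syntax error; they belong to the function body.
        """
        Service(
            name='demo/intra_HTTPS_inter',
            router=TransparentRouter(),
            chainer=ConnectChainer(),
            proxy_class=HttpProxy,
            # 0 presumably means "no limit" -- TODO confirm against the product docs.
            max_instances=0,
            max_sessions=0,
            keepalive=V_KEEPALIVE_NONE,
            # Must match the name given to EncryptionPolicy() above.
            encryption_policy="MyTLSEncryption"
        )

        Rule(
            rule_id=300,
            # Deliberately narrow: a single source host. Widen only as required.
            src_subnet=('192.168.1.1/32', ),
            dst_zone=('internet', ),
            proto=6,  # TCP
            # Must match Service(name=...) above, otherwise the rule has no target.
            service='demo/intra_HTTPS_inter'
        )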

If keybridging is performed, the encryption policy uses a DynamicCertificate generator (backed by two local CAs) instead of the StaticCertificate above, and the instance definition changes accordingly:

# --- Keybridging: certificates for the client are generated dynamically -------
# Client side: no client-certificate verification, default client TLS options.
_bridge_client_verifier = ClientNoneVerifier()
_bridge_client_tls = ClientTLSOptions()

# NOTE(review): unlike MyTLSEncryption, both of these rely entirely on library
# defaults -- no explicit CA/CRL directory, no tls_min_version, no cipher list.
# Check that the defaults meet your policy before deploying; with keybridging the
# verifier's verdict is what decides which CA signs the bridged certificate.
_bridge_server_verifier = ServerCertificateVerifier()
_bridge_server_tls = ServerTLSOptions()

# Key pair used for the generated (bridged) certificates.
_bridge_key = PrivateKey.fromFile(key_file_path="/etc/key.d/TLS-bridge/key.pem")

# Two signing CAs, each loaded together with its private key. Presumably
# trusted_ca signs certificates for servers that passed verification and
# untrusted_ca for those that did not (confirm against the product docs).
# Security: only CA_for_Trusted_certs should be installed in client trust
# stores; if CA_for_Untrusted_certs is trusted by clients, a failed server
# verification becomes invisible to the user. Both signing keys live on the
# gateway under /etc/ca.d/keys/ -- restrict access to that directory.
_trusted_ca = Certificate.fromFile(
    certificate_file_path="/etc/ca.d/certs/CA_for_Trusted_certs.pem",
    private_key=PrivateKey.fromFile("/etc/ca.d/keys/CA_for_Trusted_certs.pem"),
)
_untrusted_ca = Certificate.fromFile(
    certificate_file_path="/etc/ca.d/certs/CA_for_Untrusted_certs.pem",
    private_key=PrivateKey.fromFile("/etc/ca.d/keys/CA_for_Untrusted_certs.pem"),
)

# Generated certificates are cached on disk under cache_directory.
_dynamic_generator = DynamicCertificate(
    private_key=_bridge_key,
    trusted_ca=_trusted_ca,
    untrusted_ca=_untrusted_ca,
    cache_directory="/var/lib/vela/tls-bridge",
)

# Policy referenced by name from Service(encryption_policy="KeybridgingEncryption").
EncryptionPolicy(
    name="KeybridgingEncryption",
    encryption=TwoSidedEncryption(
        client_verify=_bridge_client_verifier,
        client_tls_options=_bridge_client_tls,
        server_verify=_bridge_server_verifier,
        server_tls_options=_bridge_server_tls,
        client_certificate_generator=_dynamic_generator,
    ),
)


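    def demo_instance():
        """Instance ``demo_instance``: proxy HTTPS from the ``intra`` zone to the internet with keybridging.

        Defines one HttpProxy-based service bound to the ``KeybridgingEncryption``
        policy and one rule that routes TCP traffic from zone ``intra`` to zone
        ``internet`` through it.

        Two defects of the original listing are fixed here: the Rule was placed
        outside the function body, and the Rule referred to
        'demo_instance/intra_HTTPS_Keybridge_inter' while the Service was named
        'demo/intra_HTTPS_Keybridge_inter', so the rule pointed at a service that
        did not exist. Both now share one name, following the ``<instance>/<service>``
        convention used by ``demo`` above.
        """
        # One name used by both the Service and the Rule so they cannot drift apart.
        service_name = 'demo_instance/intra_HTTPS_Keybridge_inter'

        Service(
            name=service_name,
            router=TransparentRouter(),
            chainer=ConnectChainer(),
            proxy_class=HttpProxy,
            # 0 presumably means "no limit" -- TODO confirm against the product docs.
            max_instances=0,
            max_sessions=0,
            keepalive=V_KEEPALIVE_NONE,
            # Must match the name given to EncryptionPolicy() above.
            encryption_policy="KeybridgingEncryption"
        )

        Rule(
            rule_id=20,
            src_zone=('intra', ),
            dst_zone=('internet', ),
            proto=6,  # TCP
            service=service_name
        )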