This application provides a reverse proxy with TLS termination, supporting confidentialVM attestation for both client and server sides. It allows for secure communication between a client and a server, with attestation verification to ensure the integrity of the communication.
- Client-side TLS termination with confidentialVM attestation verification.
- Server-side TLS termination with confidentialVM attestation verification.
- Reverse proxy functionality to forward requests between client and server.
- TDX support only; SEV-SNP can be added.
- Uses the Edgeless Systems Constellation codebase to provide attestation on Azure using MAA (Microsoft Azure Attestation).
Proxy server flags:

- `--listen-addr`: address to listen on (default: `127.0.0.1:8080`)
- `--target-addr`: address to proxy requests to (default: `https://localhost:80`)
- `--server-attestation-type`: type of attestation to present (`none`, `azure-tdx`) (default: `azure-tdx`)
- `--client-attestation-type`: type of attestation to expect and verify (`none`, `azure-tdx`) (default: `none`)
- `--client-measurements`: optional path to JSON measurements enforced on the client
- `--log-json`: log in JSON format (default: `false`)
- `--log-debug`: log debug messages (default: `false`)
- `--help`, `-h`: show help
Build and run the proxy server:

```sh
make build-proxy-server
sudo ./build/proxy-server --listen-addr=<listen-addr> --target-addr=<target-addr> [--server-attestation-type=<server-attestation-type>] [--client-attestation-type=<client-attestation-type>] [--client-measurements=<client-measurements>]
```

By default the server presents an Azure TDX attestation; you can change that via the `--server-attestation-type` flag.

By default the server does not verify client attestations; you can change that via the `--client-attestation-type` and `--client-measurements` flags.

This repository contains a dummy HTTP server that you can use for testing the proxy server. Simply run `go run ./cmd/dummy-server/main.go` and point the proxy at it with `--target-addr=http://127.0.0.1:8085`. You can also use the sample `measurements.json`.
Proxy client flags:

- `--listen-addr`: address to listen on (default: `127.0.0.1:8080`)
- `--target-addr`: address to proxy requests to (default: `https://localhost:80`)
- `--server-attestation-type`: type of attestation to expect and verify (`none`, `azure-tdx`) (default: `azure-tdx`)
- `--server-measurements`: optional path to JSON measurements enforced on the server
- `--client-attestation-type`: type of attestation to present (`none`, `azure-tdx`) (default: `none`)
- `--log-json`: log in JSON format (default: `false`)
- `--log-debug`: log debug messages (default: `false`)
- `--help`, `-h`: show help
Build and run the proxy client:

```sh
make build-proxy-client
./build/proxy-client --listen-addr=<listen-addr> --target-addr=<target-addr> [--server-measurements=<server-measurements-file>] [--server-attestation-type=<server-attestation-type>] [--client-attestation-type=<client-attestation-type>]
```

By default the client expects the server to present an Azure TDX attestation; you can change that via the `--server-attestation-type` and `--server-measurements` flags.

By default the client does not present a client attestation; you can change that via the `--client-attestation-type` flag.

This repository contains a sample `measurements.json` file that you can use. The client will (correctly) complain about unexpected measurements, which you can then correct in the file.
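To illustrate what the "unexpected measurements" complaint comes down to, here is an added example (not the project's own code) of the enforcement check that a measurements file implies: it assumes the file uses the Constellation measurements format (`{"<index>": {"expected": "<hex>", "warnOnly": <bool>}}`), and the names `Measurement`, `Result` and `CompareMeasurements` are hypothetical. Strict entries that mismatch are reasons to reject the peer, `warnOnly` entries only produce a warning, and an enforced register that the attestation does not report at all counts as a mismatch.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"encoding/json"
	"fmt"
)
// Measurement is one entry of a Constellation-style measurements.json; the
// format {"<index>": {"expected": "<hex>", "warnOnly": <bool>}} is assumed here.
type Measurement struct {
	Expected string `json:"expected"`
	WarnOnly bool   `json:"warnOnly"`
}
// Result separates hard failures (reject the session) from warnOnly mismatches (log only).
type Result struct{ Failed, Warnings []string }
// CompareMeasurements checks every enforced register against what the peer's attestation
// reported (index -> raw register bytes); an enforced register missing from the report is a mismatch.
func CompareMeasurements(enforcedJSON []byte, reported map[uint32][]byte) (Result, error) {
	var enforced map[uint32]Measurement
	if err := json.Unmarshal(enforcedJSON, &enforced); err != nil {
		return Result{}, fmt.Errorf("parse measurements: %w", err)
	}
	var res Result
	for idx, m := range enforced {
		want, err := hex.DecodeString(m.Expected)
		if err != nil {
			return Result{}, fmt.Errorf("register %d: invalid hex: %w", idx, err)
		}
		if got, ok := reported[idx]; ok && bytes.Equal(got, want) {
			continue // register matches the enforced value
		}
		msg := fmt.Sprintf("register %d: expected %x, got %x", idx, want, reported[idx])
		if m.WarnOnly {
			res.Warnings = append(res.Warnings, msg)
		} else {
			res.Failed = append(res.Failed, msg)
		}
	}
	return res, nil
}
// Constructed sample; real TDX registers are 48-byte SHA-384 digests, shortened here.
const SampleMeasurements = `{"0":{"expected":"aa11aa11","warnOnly":false},
 "4":{"expected":"bb22bb22","warnOnly":false},"8":{"expected":"cc33cc33","warnOnly":true}}`

func main() {
	reported := map[uint32][]byte{0: {0xaa, 0x11, 0xaa, 0x11}, 4: {0xde, 0xad, 0xbe, 0xef}} // 8 absent
	res, err := CompareMeasurements([]byte(SampleMeasurements), reported)
	fmt.Printf("err=%v failed=%q warnings=%q\n", err, res.Failed, res.Warnings)
}
```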
- Files in `internal/` are copied from https://github.com/edgelesssys/constellation