Securing A GOPROXY With A Sidecar Container

2019-03-24

This post assumes that you are familiar with Go Modules, The Download Protocol, and GOPROXY implementations such as Athens.

Since Go 1.12 came out I've noticed more demand from users to try Athens. The core benefit of Athens is its ability to retain a copy of all your dependencies, accessible to the Go command whenever needed.

Security

Currently there are minimal security mechanisms within the GOPROXY in GO 1.12. This means that when you run a proxy that has access to your private code, assuming they know your module path, anyone can access your proxy and download your private code.

In the ongoing discussion surrounding how these security risks can be addressed in Go 1.13, the most likely solution seems to be the inclusion of authentication headers, which Go can be configured to send. In the meantime I have outlined three workarounds, the last of which I recommend.

Current Options:

Bad Option: Encode credentials within the URL, also known as Basic Auth.

If your proxy is running at https://coolproxy.go you can then instruct Go to pass credentials as such:

GOPROXY=https://someuser:somepassword@coolproxy.go go get github.com/private/repo@latest

This is highly not recommended and is only marginally better than publicly exposing your GOPROXY server. This is because your credentials will show in the URL of your proxy. The same URL is also exposed in the Go toolchain. For example if you run 'go env', or when Go logs out a status failure during a build.

Better Option: Put the proxy behind a VPN.

This is a reasonably more secure option as only the trusted individuals within your VPN can reach your code, and this solution can be implimented in partnership with option 1 for an extra layer of security. However, many companies, individuals, and open source members cannot use VPNs. On the other hand, many VPNs impose restrictions on pulling in code from public repositories such as Github, making it a non-option to begin with.

The Best Option Until Go1.13: Run a side-car container that handles authentication to GOPROXY.

How to impliment:

Step 1: Have a GOPROXY deployed on a domain name that can only be accessed with the proper authentication header. For example Authorization: Bearer <token>.

Step 2: Create a reverse proxy configured to send that exact header to that exact domain running in the same local network as your Go command.

Step 3: Tell the Go command to proxy all its module requests to the local reverse proxy from Step 2.

This means that your reverse-proxy is only accessible locally. As long as you trust your local set-up (dev machine and CI/CD) the GOPROXY, despite technically being reachable via the internet, will not leak any private code unless provided with a valid authentication token.

How to Code this?

Step 1: Write the reverse proxy. You can do this in just a few lines of code:

 1package main
 2
 3import (
 4    "net/http"
 5    "net/http/httputil"
 6    "net/url"
 7    "os"
 8)
 9
10func main() {
11    token := os.Getenv("MY_AUTH_TOKEN")
12    targetURL := os.Getenv("UPSTREAM_URL")
13    target, _ := url.Parse(upstream) // handle error
14    handler := httputil.NewSingleHostReverseProxy(target)
15    proxy.Transport = &roundTripper{token}
16    http.ListenAndServe(":9090", handler)
17}
18
19type roundTripper struct {
20    token string
21}
22
23func (rt *roundTripper) RoundTrip(r *Request) (*Response, error) {
24    r.Header.Set("Authorization", "Bearer " + rt.token)
25    return http.DefaultTranposrt.RoundTrip(r)
26}

Step 2: Build the local reverse proxy. Assuming you have a GOPROXY on the other side that will validate the given token, you just have to build your project with the local reverse proxy. Something like this:

1~ cd myproject
2~ GOPROXY=http://localhost:9090 go build

Step 3: In a CI/CD system you will most likely put this reverse-proxy inside a Docker Image and spin it up during a build. In Drone this is what it would look like:

 1kind: pipeline
 2name: default
 3
 4steps:
 5- name: build
 6  image: golang:1.12
 7  commands:
 8  # wait for the proxy to be ready.
 9  - sleep 3 
10  # build
11  - go build 
12  environment:
13    GO111MODULE: on
14    GOPROXY: http://side-car:9090
15  when:
16    branch:
17      - master
18    event:
19      - push
20      - pull_request
21
22
23# Here we can add any backend storage that can be tested.
24services:
25- name: side-car
26  image: me/my-reverse-proxy
27  environment:
28    MY_AUTH_TOKEN: xyz123
29    UPSTREAM_URL: https://my.secure.proxy.go
30  ports:
31  - 9090

Does Athens support a Bearer Token?

Not yet. We are waiting on the Go team to finalize the security designs before implementing it in Athens.

That said, there are many cloud providers you can put an Athens server behind that give you tokenized authentication for free. In GCP this is done through Service Accounts.

What's next?

In the next post I will get into the details of how to deploy a secure Athens server on GCP serverless solutions.