
- NATS TLS und Authentifizierung eingebaut
- RPM build für CentOS 7 eingebaut

Tobias Begalke 7 years ago
parent
commit
fd62c6a8af
8 changed files with 167 additions and 1 deletions
  1. 2 0
      after-install-trigger-centos7.sh
  2. 4 0
      before-uninstall-trigger-centos7.sh
  3. 53 0
      build-rpm-centos7.sh
  4. 1 0
      build-rpm.sh
  5. 68 0
      ca-chain.cert.pem
  6. 20 1
      main.go
  7. 15 0
      munchclient.service
  8. 4 0
      munchclient.toml

+ 2 - 0
after-install-trigger-centos7.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+

+ 4 - 0
before-uninstall-trigger-centos7.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+systemctl stop munchclient
+systemctl disable munchclient

+ 53 - 0
build-rpm-centos7.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+
+DESTDIR=./dist
+VERSION=$(git describe --tag | sed 's/^v//')
+ITERATION=1
+BINARY=munchclient
+DEFAULTS_FILE="$BINARY"
+CONFIG_FILE="$BINARY.toml"
+SERVICE_FILE="$BINARY.service"
+PKG_TYPE=rpm
+DESCR="ScraperWall traffic collector"
+RPM_DIR=/opt/rpm.scraperwall.com/centos7
+
+
+rm -rf $DESTDIR
+install -d $DESTDIR/{usr/bin,etc/systemd/system,etc/default,etc/munchclient,usr/share/$BINARY}
+make
+
+install -v -m 755 $BINARY $DESTDIR/usr/bin/
+install -v -m 644 defaults/$DEFAULTS_FILE $DESTDIR/etc/default/
+install -v -m 644 defaults/$DEFAULTS_FILE $DESTDIR/usr/share/$BINARY/$DEFAULTS_FILE.defaults
+install -v -m 644 $SERVICE_FILE $DESTDIR/etc/systemd/system
+install -v -m 644 $BINARY.toml $DESTDIR/etc/$BINARY/
+install -v -m 644 $BINARY.toml $DESTDIR/usr/share/$BINARY/
+install -v -m 644 ca-chain.cert.pem $DESTDIR/etc/$BINARY/
+
+
+fpm -s dir -t $PKG_TYPE -C $DESTDIR --name $BINARY \
+  --version $VERSION \
+  --iteration $ITERATION \
+  --description "$DESCR" \
+  --config-files "etc/default/$BINARY" \
+  --config-files "etc/$BINARY/$CONFIG_FILE" \
+  --rpm-trigger-after-install "[]$BINARY: ./after-install-trigger-centos7.sh" \
+  --rpm-trigger-before-uninstall "[]$BINARY: ./before-uninstall-trigger-centos7.sh" \
+  -p rpms-centos7 \
+  --rpm-sign
+
+ok=$?
+
+rm -rf $DESTDIR
+
+exit
+
+rpm_file="$BINARY-$VERSION-$ITERATION.x86_64.rpm"
+if [ $ok -eq 0 -a -f "$rpm_file" ]; then
+	rm -f "$RPM_DIR/$BINARY-*.rpm"
+  cp "$rpm_file" "$RPM_DIR"
+
+	(cd "$RPM_DIR" && \
+   createrepo -v . && \
+   rsync -av --progress --delete . fender.spyz.org:/srv/http-vhosts/rpm.scraperwall.com/)
+fi
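Review bot: Nothing stops the script when `make` or one of the `install` steps fails, so `fpm ... --rpm-sign` can package and sign whatever is left in the working tree, for example a stale `munchclient` binary; `make || exit 1` (and the same for the installs) closes that gap. The bare `exit` after the second `rm -rf $DESTDIR` returns that command's status instead of fpm's and makes the publish block below it unreachable; use `exit $ok`, or drop the line if publishing is intended. `$BINARY.toml` is installed with `-m 644` although this commit gives it a `NatsPassword` key, so `-m 600`, or `-m 640` with a restricted group, would keep the credential away from local users. In the publish block the glob in `rm -f "$RPM_DIR/$BINARY-*.rpm"` is inside the quotes and will not expand.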

+ 1 - 0
build-rpm.sh

@@ -21,6 +21,7 @@ install -v -m 644 defaults/$DEFAULTS_FILE $DESTDIR/etc/default/
 install -v -m 644 logrotate.d/munchclient $DESTDIR/etc/logrotate.d/
 install -v -m 644 munchclient.toml $DESTDIR/etc/
 install -v -m 644 munchclient.toml $DESTDIR/usr/share/munchclient/
+install -v -m 644 ca-bundle.cert.pem $DESTDIR/usr/share/munchclient/
 install -v -m 644 defaults/$DEFAULTS_FILE $DESTDIR/usr/share/munchclient/$DEFAULTS_FILE.defaults
 
 
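Review bot: The added line installs `ca-bundle.cert.pem`, but the file this commit adds is `ca-chain.cert.pem`, so unless a `ca-bundle.cert.pem` exists elsewhere in the repository this `install` will fail or ship a different trust anchor than intended. It also places the CA under `/usr/share/munchclient/`, while `build-rpm-centos7.sh` puts it in `/etc/munchclient/`; the two packages should agree so that one `NatsCA` path works on both. Suggested line: `install -v -m 644 ca-chain.cert.pem $DESTDIR/usr/share/munchclient/`. The script starts and continues outside this hunk.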

+ 68 - 0
ca-chain.cert.pem

@@ -0,0 +1,68 @@
+-----BEGIN CERTIFICATE-----
+MIIF3jCCA8agAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwfjELMAkGA1UEBhMCREUx
+DzANBgNVBAgMBkJheWVybjEUMBIGA1UEBwwLV2VuZGVsc3RlaW4xFDASBgNVBAoM
+C1NjcmFwZXJXYWxsMQswCQYDVQQLDAJJVDElMCMGCSqGSIb3DQEJARYWdG9iaWFz
+QHNjcmFwZXJ3YWxsLmNvbTAeFw0xNzA5MTgwOTA0NTNaFw0yNzA5MTYwOTA0NTNa
+MH4xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZCYXllcm4xFDASBgNVBAoMC1NjcmFw
+ZXJXYWxsMQswCQYDVQQLDAJJVDEUMBIGA1UEAwwLU2NyYXBlcldhbGwxJTAjBgkq
+hkiG9w0BCQEWFnRvYmlhc0BzY3JhcGVyd2FsbC5jb20wggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQDscITdVey3lx4wtA02uozS3fN7MxQNeanS2bwn5cP/
+P2Yp79Lt9R0k22GNl8pizgUJDyzRVLhzTipeIYpqgRyyb4nzhI9r9ZSwsq2tZLAx
+efyLX1b900UauRCRji6Qu3LV27ckmv2+rEC97O7MqnBWzDEN2dtBmjpOjtqWPHRT
+KwySkidZeIM2jlTfNqm8K0hK/n8GZjIpN2AhbZlLkDuwwpzBNCT5pwU3lCWTwudp
+goBzLfdDf1dU0hriL1GINhn0rlk674hf8h7MStE8dsYA8+ceq2puODXa77c9qrie
+ueKubYXl306Flp7jcyHensoA+31UDT9NTdKM1ZyZ8kjbacFQx3a+XsQwIj5mrrl9
+8lJg90yjdHftSO3wJqGQ4L9Op6f0wF+z6iKZGoa8El/88F+J4lHZCfdoBd9zE5F/
+xGqiXflDsB/g+pmHu87MIAv3x52yeiaDcK7h7G2ZCgQPxraSHjKFbY3jM7mJvKgW
+wmrBwF9PMHOKaCjr9TZ5nHxMHbzryJI2xsVxxj7gNOP3oLGCRrwva8Sa6UPRNWWL
+fgvIgjn1l5s+XVGU9w8T86Yjwo8QzlCQJ5Mgzy9PUBub1b5SU81BQ7B6UcVw6Kul
+LGXqTJ5o0Z4QzhO8I6ON5qnrooMWrIu8ZqgOEAZHntL8vKPx+EfiJSSAMAkJSxZ8
+UQIDAQABo2YwZDAdBgNVHQ4EFgQUPhg5Ym+JOFJ4TWyuySLbENpqd9QwHwYDVR0j
+BBgwFoAUWu2Uegj36XRxbNIb7X7K9A9sK3cwEgYDVR0TAQH/BAgwBgEB/wIBADAO
+BgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAIdJlZMYEPZeYUGiC76G
+L1fVrTTqlGa4Ayc2MAOXiqYk944cJk3gCd7UX4o4F6uuIje4f/nzmVYUJWFh6U78
+JvMLWf5fHmzWpx0KC8TIW9HbUtg+6TgQFTzN88uor7WwKZ+TuGxR3NlLQdr7soWP
+YSC3WeKuJWQ17O71L+nubcWkl5r0lPRFUg+u1hVTpxHigXOPCB3mh80iEUVy2/Vb
+lSIpnoRsHwshpgbuGZB2BEfI+pehRt7YfqfrnM7HzEswpF5cLl5SVa1fcA5dn4he
+p8axQJwxxjNXSsyAAnhxQ9gwgHfDkUjMGZlFR0y2jgXtF2rAgJv6Nuet73G5jC+e
+kmJ4/TiCh0A0YTi/YyhsEDMgOWn+2GCeb30/e9JRRup4frNysw/BpZUkhYBTW5nw
++kaJH+GrxMbyyOvjgjkMktKH4L4LfytQzOHYTA9syObRDwKodk7j/X/yis1Sbtps
+tHBXwp9ODhGt11XWYNciRiwSXeXHUoaO08891nchrnJOB5hIMrqbbIY8mOM+63dC
+a/nQUlT28b7SlTujZICHAgAQ66ZO2JPoKGNHCEPzfGCzdZhheyZVkpcP7fKwn1Gn
+dxrva5aXVHppWmbRNGqlRFijQFvi758O3DDVwjVee9ZiWjUfhli82ccWBoLp+ImT
+gL+CfQUsnKzqkyWlM4qz7Kli
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIF4jCCA8qgAwIBAgIJAIzyqj+PS969MA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNV
+BAYTAkRFMQ8wDQYDVQQIDAZCYXllcm4xFDASBgNVBAcMC1dlbmRlbHN0ZWluMRQw
+EgYDVQQKDAtTY3JhcGVyV2FsbDELMAkGA1UECwwCSVQxJTAjBgkqhkiG9w0BCQEW
+FnRvYmlhc0BzY3JhcGVyd2FsbC5jb20wHhcNMTcwOTE4MDgzOTI4WhcNMzcwOTEz
+MDgzOTI4WjB+MQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmF5ZXJuMRQwEgYDVQQH
+DAtXZW5kZWxzdGVpbjEUMBIGA1UECgwLU2NyYXBlcldhbGwxCzAJBgNVBAsMAklU
+MSUwIwYJKoZIhvcNAQkBFhZ0b2JpYXNAc2NyYXBlcndhbGwuY29tMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAz3dediI2RUhnxF0AH1xKSk9o1AIm4CDA
+ZfH6FDTTmhwlY+Dzxl6PWzNs7VD/njtb/WzSlYz+xFACnI48bEnibEyTDy7F8KXy
++WPdBEjFRztO5ObUBaQj5O6UJ4kOFmmPqyJ7+gyOkzBq8pyJ6WJ3PWCbcypN1Qt5
+e3UASX5QBj1Y/gsCiYrlHXqKXRwsx4II30TWRLPPlvFgDs0ZoLaA9XNcTTy/Kmfr
+ct++48GP9Iqcl37eyavxK8PrZALBI9pvoS6v8gPnXmNqdGigIMaeMa3YDqzBaTdk
+9cRfgCQQNEuLVqfml+51DyYEITEpSTXpqhXSl/5QRGBXkgk+zh6YC98jlzJK6J6H
+Z0po1mzJCCxqRhC6YJXWsUZ//RxydwFMxZCNgmzcRuG2YTOmYDeSdclU9brD0pYe
+jYrdOITh07VS3YCsOlGbJlL38nv6L0eui81OFNBIkknt6Nx5eGmTCCMtum2k3ayC
+G/SXDklwx9O+B1/3RkgaWyCi8ABWbafo7zmoryrrUqEr6NU5Lkk8gSEVHTfT8aY6
+tCXBIam3pUw7Wg33pxfTUm75iCMOqY7mL6GYd/8c978FHBE8Jq4kUBpRtZzpcR5A
+Hz9UgUXBPBNqd7giawEg8bKzEnhs6BEB8CJQYx1rsK1DbdC8MjRGwcDjJAo7ZHU3
+E6h36BxwV1ECAwEAAaNjMGEwHQYDVR0OBBYEFFrtlHoI9+l0cWzSG+1+yvQPbCt3
+MB8GA1UdIwQYMBaAFFrtlHoI9+l0cWzSG+1+yvQPbCt3MA8GA1UdEwEB/wQFMAMB
+Af8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQAjPzvwKyPswrHM
+LqlDXpCGRFu6utllGyXgmFd7zvtXrUHs49jl38BY4vvUX/y+jRc7/wzJckAmuVtA
+uKU5lhkK9GAKHhs96mzZmm2ysm+q62RD2O+iXYLjqbZtKKIe2Do548KRZNmpIQqw
+nJf1PZ2gLSocnqQfnM6+eoB8tcz2hz28VFqH+H6mdzRQ+npLJv6SlYWQVipDEhLW
+bgjYDG4RFPS7Z/Ov1tnToP/3w1JX0GPVmaciZzUFI0RkVVeE1xQ0y2xZoTP6vOCU
+sz5XtcHfVm5Yy2Jif7gKRJsgxZ+nZIYz3v1A1qQUBg7LInHRiOOpPWC3tNozHItG
+x7P5wnrlOonzBP0cVb/H6PseJiG8LcIV/wpBoDkI3xQeL6MpGZo/JVxce5nvo/wY
+4O4j0ZkaQ+nRuwURzSYEReJ9OZ6hI7SF05tbgLFWsCC2gbamjR1HlJbIvKWIrk9N
+DTgSBVQllZBBXGhA3sUtFwkK5kBspiSvJq69MgyNTaeWGhcQUxsCuLDauCdQoEkx
+i+RpSV9AFOppV84bdkb1p3dFw7kODmdYjYGRZKeXfEr22A3LdEMqnQG5aMM9nZhn
+FX5dpthz4spuQlN99y0xYMqT6fRD+xbywyNiUTxkn+huOsWB9CvN7Xcy3qfiQDPg
+5ssLsSm1nRwc9YF3pqWl4pcd8mJdSg==
+-----END CERTIFICATE-----

+ 20 - 1
main.go

@@ -35,7 +35,10 @@ var (
 	filter                = flag.String("filter", "tcp", "PCAP filter expression")
 	promiscuous           = flag.Bool("promiscuous", false, "Switch interface into promiscuous mode?")
 	natsURL               = flag.String("nats-url", "nats://127.0.0.1:4222", "The URL of the NATS server")
+	natsUser              = flag.String("nats-user", "", "The user for NATS authentication")
+	natsPassword          = flag.String("nats-password", "", "The password for NATS authentication")
 	natsQueue             = flag.String("nats-queue", "requests", "The NATS queue name")
+	natsCA                = flag.String("nats-ca", "", "CA chain for NATS TLS")
 	sleepFor              = flag.Duration("sleep", 0, "Sleep this long between sending data (only when replaying a file)")
 	requestsFile          = flag.String("requests", "", "CSV file containing requests (IP and URL)")
 	protocol              = flag.String("protocol", "http", "which protocol to parse: http or ajp13")
@@ -69,6 +72,9 @@ type Config struct {
 	Promiscuous           bool
 	NatsURL               string
 	NatsQueue             string
+	NatsUser              string
+	NatsPassword          string
+	NatsCA                string
 	SleepFor              duration
 	RequestsFile          string
 	UseXForwardedAsSource bool
@@ -96,6 +102,9 @@ func (c Config) print() {
 	fmt.Printf("Promiscuous:           %t\n", c.Promiscuous)
 	fmt.Printf("NatsURL:               %s\n", c.NatsURL)
 	fmt.Printf("NatsQueue:             %s\n", c.NatsQueue)
+	fmt.Printf("NatsUser:              %s\n", c.NatsUser)
+	fmt.Printf("NatsPassword:          %s\n", c.NatsPassword)
+	fmt.Printf("NatsCA:                %s\n", c.NatsCA)
 	fmt.Printf("SleepFor:              %s\n", c.SleepFor.String())
 	fmt.Printf("RequestsFile:          %s\n", c.RequestsFile)
 	fmt.Printf("Apache Log:            %s\n", c.ApacheLog)
@@ -136,7 +145,14 @@ func main() {
 		log.Fatal("No NATS URL specified (-nats-url)!")
 	}
 
-	natsConn, err := nats.Connect(config.NatsURL)
+	var natsConn *nats.Conn
+	var err error
+
+	if config.NatsUser != "" && config.NatsPassword != "" && config.NatsCA != "" {
+		natsConn, err = nats.Connect(config.NatsURL, nats.UserInfo(config.NatsUser, config.NatsPassword), nats.RootCAs(config.NatsCA))
+	} else {
+		natsConn, err = nats.Connect(config.NatsURL)
+	}
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -541,6 +557,9 @@ func loadConfig() {
 	config.Promiscuous = *promiscuous
 	config.NatsURL = *natsURL
 	config.NatsQueue = *natsQueue
+	config.NatsUser = *natsUser
+	config.NatsPassword = *natsPassword
+	config.NatsCA = *natsCA
 	config.SleepFor.Duration = *sleepFor
 	config.RequestsFile = *requestsFile
 	config.UseXForwardedAsSource = *useXForwardedAsSource
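Review bot: `Config.print` now writes the NATS password in clear text (`fmt.Printf("NatsPassword: %s\n", c.NatsPassword)`), and with the systemd unit from this commit that output presumably lands in the journal; print only whether it is set, e.g. `fmt.Printf("NatsPassword:          %t\n", c.NatsPassword != "")`. In `main()`, the credentials and the CA are applied only when all three values are non-empty; if one is missing the client silently falls back to a plain `nats.Connect(config.NatsURL)`, so a forgotten `NatsCA` also discards the configured user and password without any message. Building the option list per setting, as below, avoids that silent downgrade. The `-nats-password` flag also exposes the secret in the process list, so the config file is the safer source. Both functions continue outside the hunks shown.

```go
var opts []nats.Option
if config.NatsUser != "" || config.NatsPassword != "" {
	opts = append(opts, nats.UserInfo(config.NatsUser, config.NatsPassword))
}
if config.NatsCA != "" {
	opts = append(opts, nats.RootCAs(config.NatsCA))
}
natsConn, err := nats.Connect(config.NatsURL, opts...)
// … unchanged: if err != nil { log.Fatal(err) } …
```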

+ 15 - 0
munchclient.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=munch scraperwall blacklist processor
+After=network.target
+
+[Service]
+EnvironmentFile=-/etc/default/munchclient
+ExecStart=/usr/bin/munchclient -config /etc/munchclient/munchclient.toml
+User=root
+Group=root
+Restart=always
+RestartSec=1
+
+[Install]
+WantedBy=multi-user.target
+
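Review bot: The unit runs the capture client as `User=root`/`Group=root` with no sandboxing, so a parsing bug in code that handles captured network traffic would run with full root privileges. Packet capture typically needs only `CAP_NET_RAW` (and `CAP_NET_ADMIN` for promiscuous mode), so the `[Service]` section could add `CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN`, `NoNewPrivileges=true` and `ProtectSystem=full`; these directives should be checked against the systemd version shipped with CentOS 7. `Description=munch scraperwall blacklist processor` also disagrees with the package description "ScraperWall traffic collector" in `build-rpm-centos7.sh`.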

+ 4 - 0
munchclient.toml

@@ -4,6 +4,10 @@
 # Filter = "tcp dst port 80"
 # Promiscuous = false
 # NatsURL = "nats://192.168.122.1:4222"
+# NatsURL = "tls://nats-eval.scw.systems:4222"
+# NatsUser = NatsUser
+# NatsPassword = NatsPassword
+# NatsCA = /etc/munchclient/munchclient/ca-chain.cert.pem
 # NatsQueue = "requests"
 # UseXForwardedAsSource = true
 # Quiet = true
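Review bot: The new sample values are not valid TOML once uncommented: `NatsUser = NatsUser`, `NatsPassword = NatsPassword` and the `NatsCA` path are unquoted strings. The `NatsCA` path also repeats the directory (`/etc/munchclient/munchclient/ca-chain.cert.pem`), whereas `build-rpm-centos7.sh` installs the file to `/etc/munchclient/ca-chain.cert.pem`. Suggested lines: `# NatsUser = "NatsUser"`, `# NatsPassword = "NatsPassword"`, `# NatsCA = "/etc/munchclient/ca-chain.cert.pem"`. The file starts and continues outside this hunk.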