{"id":13526923,"url":"https://github.com/stripe/smokescreen","last_synced_at":"2025-05-14T09:06:36.225Z","repository":{"id":9821209,"uuid":"62414746","full_name":"stripe/smokescreen","owner":"stripe","description":"A simple HTTP proxy that fogs over naughty URLs    ","archived":false,"fork":false,"pushed_at":"2025-05-09T17:30:05.000Z","size":21385,"stargazers_count":1166,"open_issues_count":21,"forks_count":75,"subscribers_count":78,"default_branch":"master","last_synced_at":"2025-05-14T09:05:21.820Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stripe.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2016-07-01T19:14:36.000Z","updated_at":"2025-05-12T02:45:46.000Z","dependencies_parsed_at":"2023-02-11T11:15:57.682Z","dependency_job_id":"d7bbf1a7-a174-44b6-af2f-3218e45b6b05","html_url":"https://github.com/stripe/smokescreen","commit_stats":{"total_commits":480,"total_committers":48,"mean_commits":10.0,"dds":0.7208333333333333,"last_synced_commit":"8c0fa26edf63f35d5632ba7682d78ff07a306819"},"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stripe%2Fsmokescreen","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stripe%2Fsmokescreen/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stripe%2Fsmokescreen/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stripe%2Fsmokescreen/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stripe","download_url":"https://codeload.github.com/stripe/smokescreen/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254110374,"owners_count":22016391,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T06:01:37.550Z","updated_at":"2025-05-14T09:06:36.202Z","avatar_url":"https://github.com/stripe.png","language":"Go","readme":"# Smokescreen [![Test](https://github.com/stripe/smokescreen/workflows/Test/badge.svg?branch=master\u0026event=push)](https://github.com/stripe/smokescreen/actions?query=workflow%3ATest+branch%3Amaster) [![Coverage Status](https://coveralls.io/repos/github/stripe/smokescreen/badge.svg?branch=master)](https://coveralls.io/github/stripe/smokescreen?branch=master)\n\nSmokescreen is an HTTP CONNECT proxy. It proxies most traffic from Stripe to the\nexternal world (e.g., webhooks).\n\nSmokescreen restricts which URLs it connects to:\n- It uses a pre-configured hostname ACL to only allow requests addressed to certain allow-listed hostnames, \nto ensure that no malicious code is attempting to make requests to unexpected services.\n- It also resolves each domain name that is requested, and ensures that it is a publicly routable \nIP address and not an internal IP address. This prevents a class of attacks where, for instance, \nour own webhooks infrastructure is used to scan Stripe’s internal network. Smokescreen \ncan also be further configured to allow or deny specific IP addresses or ranges.\n\nSmokescreen also allows us to centralize egress from Stripe, allowing us to give\nfinancial partners stable egress IP addresses and abstracting away the details\nof which Stripe service is making the request.\n\nIn typical usage, clients contact Smokescreen over mTLS. Upon receiving a\nconnection, Smokescreen authenticates the client's certificate against a\nconfigurable set of CAs and CRLs, extracts the client's identity, and checks\nthe client's requested CONNECT destination against a configurable per-client\nACL.\n\nBy default, Smokescreen will identify clients by the \"common name\" in the TLS\ncertificate they present, if any. The client identification function can also\nbe easily replaced; more on this in the usage section.\n\n## Dependencies\n\nSmokescreen uses [go modules][mod] to manage dependencies. The\nlinked page contains documentation, but some useful commands are reproduced\nbelow:\n\n- **Adding a dependency**: `go build`, `go test` and `go mod tidy` will automatically fetch the latest version of any new dependencies. Running `go mod vendor` will vendor the dependency.\n- **Updating a dependency**: `go get dep@v1.1.1` or `go get dep@commit-hash` will bring in specific versions of a dependency. The updated dependency should be vendored using `go mod vendor`.\n\nSmokescreen uses a [custom fork](https://github.com/stripe/goproxy) of goproxy to allow us to support context passing and setting granular timeouts on proxy connections.\n\nGenerally, Smokescreen will only support the two most recent Go versions. See\n[the test configuration](.github/workflows/test.yml) for details.\n\n[mod]: https://github.com/golang/go/wiki/Modules\n\n## Usage\n\n### CLI\n\nHere are the options you can give Smokescreen:\n\n```\n   --help                                      Show this help text.\n   --config-file FILE                          Load configuration from FILE.  Command line options override values in the file.\n   --listen-ip IP                              Listen on interface with address IP.\n                                                 This argument is ignored when running under Einhorn. (default: any)\n   --listen-port PORT                          Listen on port PORT.\n                                                 This argument is ignored when running under Einhorn. (default: 4750)\n   --timeout DURATION                          Time out after DURATION when connecting. (default: 10s)\n   --proxy-protocol                            Enable PROXY protocol support.\n   --deny-range RANGE                          Add RANGE (in CIDR notation) to list of blocked IP ranges.  Repeatable.\n   --allow-range RANGE                         Add RANGE (in CIDR notation) to list of allowed IP ranges.  Repeatable.\n   --deny-address value                        Add IP[:PORT] to list of blocked IPs.  Repeatable.\n   --allow-address value                       Add IP[:PORT] to list of allowed IPs.  Repeatable.\n   --egress-acl-file FILE                      Validate egress traffic against FILE\n   --expose-prometheus-metrics                 Exposes metrics via a Prometheus scrapable endpoint.\n   --prometheus-endpoint ENDPOINT              Specify endpoint to host Prometheus metrics on. (default: \"/metrics\")\n                                                 Requires `--expose-prometheus-metrics` to be set.\n   --prometheus-port PORT                      Specify port to host Prometheus metrics on. (default \"9810\")\n                                                 Requires `--expose-prometheus-metrics` to be set.\n   --resolver-address ADDRESS                  Make DNS requests to ADDRESS (IP:port).  Repeatable.\n   --statsd-address ADDRESS                    Send metrics to statsd at ADDRESS (IP:port). (default: \"127.0.0.1:8200\")\n   --tls-server-bundle-file FILE               Authenticate to clients using key and certs from FILE\n   --tls-client-ca-file FILE                   Validate client certificates using Certificate Authority from FILE\n   --tls-crl-file FILE                         Verify validity of client certificates against Certificate Revocation List from FILE\n   --additional-error-message-on-deny MESSAGE  Display MESSAGE in the HTTP response if proxying request is denied\n   --disable-acl-policy-action POLICY ACTION   Disable usage of a POLICY ACTION such as \"open\" in the egress ACL\n   --stats-socket-dir DIR                      Enable connection tracking. Will expose one UDS in DIR going by the name of \"track-{pid}.sock\".\n                                                 This should be an absolute path with all symlinks, if any, resolved.\n   --stats-socket-file-mode FILE_MODE          Set the filemode to FILE_MODE on the statistics socket (default: \"700\")\n   --version, -v                               print the version\n```\n\n### Client Identification\n\nIn order to override how Smokescreen identifies its clients, you must:\n\n- Create a new go project\n- Import Smokescreen\n- Create a Smokescreen configuration using cmd.NewConfiguration\n- Replace `smokescreen.Config.RoleFromRequest` with your own `func(request *http.Request) (string, error)`\n- Call smokescreen.StartWithConfig\n- Build your new project and use the resulting executable through its CLI\n\nHere is a fictional example that would split a client certificate's `OrganizationalUnit` on commas and use the first particle as the service name.\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\t\"log\"\n\t\"net/http\"\n\t\"os\"\n\t\"strings\"\n\n\t\"github.com/stripe/smokescreen/cmd\"\n\t\"github.com/stripe/smokescreen/pkg/smokescreen\"\n)\n\nfunc main() {\n\t// Here is an opportunity to pass your logger\n\tconf, err := cmd.NewConfiguration(nil, nil)\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\tif conf == nil {\n\t\tos.Exit(1)\n\t}\n\n\tconf.RoleFromRequest = func(request *http.Request) (string, error) {\n\t\tfail := func(err error) (string, error) { return \"\", err }\n\n\t\t// A client that did not present a certificate has no identity to extract;\n\t\t// refuse rather than dereference a nil TLS state or an empty chain.\n\t\tif request.TLS == nil || len(request.TLS.PeerCertificates) == 0 {\n\t\t\treturn fail(fmt.Errorf(\"warn: No client certificate presented. Can't extract service role.\"))\n\t\t}\n\t\tsubject := request.TLS.PeerCertificates[0].Subject\n\t\tif len(subject.OrganizationalUnit) == 0 {\n\t\t\treturn fail(fmt.Errorf(\"warn: Provided cert has no 'OrganizationalUnit'. Can't extract service role.\"))\n\t\t}\n\t\t// Use the first comma-separated particle of the OU as the role name.\n\t\treturn strings.SplitN(subject.OrganizationalUnit[0], \",\", 2)[0], nil\n\t}\n\n\tsmokescreen.StartWithConfig(conf, nil)\n}\n```\n### IP Filtering\n\nTo control the routing of requests to specific IP addresses or IP blocks, use the `deny-address`, `allow-address`, `deny-range`, and `allow-range` options in the config. \n\n### Hostname ACLs\n\nA hostname ACL can be described in a YAML formatted file. The ACL, at its top-level, contains a list of services as well as a default behavior.\n\nThree policies are supported:\n\n| Policy  | Behavior                                                                                                       |\n| ------- | -------------------------------------------------------------------------------------------------------------- |\n| Open    | Allows all traffic for this service                                                                            |\n| Report  | Allows all traffic for this service and warns if client accesses a remote host which is not in the list        |\n| Enforce | Only allows traffic to remote hosts provided in the list. Will warn and deny if remote host is not in the list |\n\n\u003e :warning: **The ACL is only applied to hostnames *as they appear in the request*!** If you want to allow or deny traffic based on the destination IP address *after DNS resolution*, you should be using the config options instead (see the `IP Filtering` section above).\n\nA host can be specified with or without a globbing prefix. The host (without the globbing prefix) must be in Punycode to prevent ambiguity.\n\n| host                | valid   |\n| ------------------- | ------- |\n| `example.com`       | yes     |\n| `*.example.com`     | yes     |\n| `api.*.example.com` | no      |\n| `*example.com`      | no      |\n| `ex*ample.com`      | no      |\n| `éxämple.com`       | no      |\n| `example.*`         | hell no |\n\n[Here](https://github.com/stripe/smokescreen/blob/master/pkg/smokescreen/acl/v1/testdata/sample_config.yaml) is a sample ACL.\n\n#### Global Hostname Allow/Deny Lists\n\nOptionally, you may specify a global allow list and a global deny list for hostnames in your ACL config.\n\nThese lists override the policy, but do not override the `allowed_domains` list for each role.\n\nFor example, specifying `example.com` in your global_allow_list will allow traffic for that domain on that role, even if that role is set to `enforce` and does not specify `example.com` in its allowed domains.\n\nSimilarly, specifying `malicious.com` in your global_deny_list will deny traffic for that domain on a role, even if that role is set to `report` or `open`.\nHowever, if the role specifies `malicious.com` in its `allowed_domains`, traffic to `malicious.com` will be allowed on that role, regardless of policy.\n\n\u003e :warning: **The global_deny_list will only block specific *hostnames*, not entire *destinations*.** For example, if `malicious.com` is in the global_deny_list but the IP address that it resolves to is not, roles with an `open` policy will still be able to access the destination by using its IP address directly. For this reason, **we recommend using allowlists instead of denylists** whenever it is possible to do so, and **blocking IP addresses via config options, not the ACL** (see the `IP Filtering` section above).\n\nIf a domain matches both the `global_allow_list` and the `global_deny_list`, the `global_deny_list` behavior takes priority.\n\n[Here](https://github.com/stripe/smokescreen/blob/master/pkg/smokescreen/acl/v1/testdata/sample_config_with_global.yaml) is a sample ACL specifying these options.\n\n# Development and Testing\n\nSee [Development.md](Development.md)\n\n# Contributors\n\n- Aditya Mukerjee\n- Andreas Fuchs\n- Andrew Dunham\n- Andrew Metcalf\n- Aniket Joshi\n- Ben Ransford\n- Carl Jackson\n- Craig Shannon\n- Evan Broder\n- Marc-André Tremblay\n- Ryan Koppenhaver\n- Harold Simpson\n","funding_links":[],"categories":["Go","Tools"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstripe%2Fsmokescreen","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstripe%2Fsmokescreen","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstripe%2Fsmokescreen/lists"}