Smokescreen

Smokescreen is a HTTP CONNECT proxy. It proxies most traffic from Stripe to the external world (e.g., webhooks).

Smokescreen restricts which URLs it connects to:

• It uses a pre-configured hostname ACL to only allow requests addressed to certain allow-listed hostnames, to ensure that no malicious code is attempting to make requests to unexpected services.
• It also resolves each domain name that is requested, and ensures that it is a publicly routable IP address and not an internal IP address. This prevents a class of attacks where, for instance, our own webhooks infrastructure is used to scan Stripe’s internal network. Smokescreen can also be further configured to allow or deny specific IP addresses or ranges.

Smokescreen also allows us to centralize egress from Stripe, allowing us to give financial partners stable egress IP addresses and abstracting away the details of which Stripe service is making the request.

In typical usage, clients contact Smokescreen over mTLS. Upon receiving a connection, Smokescreen authenticates the client's certificate against a configurable set of CAs and CRLs, extracts the client's identity, and checks the client's requested CONNECT destination against a configurable per-client ACL.

By default, Smokescreen will identify clients by the "common name" in the TLS certificate they present, if any. The client identification function can also be easily replaced; more on this in the usage section.

Dependencies

Smokescreen uses go modules to manage dependencies. The linked page contains documentation, but some useful commands are reproduced below:

• Adding a dependency: go build go test go mod tidy will automatically fetch the latest version of any new dependencies. Running go mod vendor will vendor the dependency.
• Updating a dependency: go get dep@v1.1.1 or go get dep@commit-hash will bring in specific versions of a dependency. The updated dependency should be vendored using go mod vendor.

Smokescreen uses a custom fork of goproxy to allow us to support context passing and setting granular timeouts on proxy connections.

Generally, Smokescreen will only support the two most recent Go versions. See the test configuration for details.

Usage

CLI

Here are the options you can give Smokescreen:

   --help                                      Show this help text.
   --config-file FILE                          Load configuration from FILE.  Command line options override values in the file.
   --listen-ip IP                              Listen on interface with address IP.
                                                 This argument is ignored when running under Einhorn. (default: any)
   --listen-port PORT                          Listen on port PORT.
                                                 This argument is ignored when running under Einhorn. (default: 4750)
   --timeout DURATION                          Time out after DURATION when connecting. (default: 10s)
   --proxy-protocol                            Enable PROXY protocol support.
   --deny-range RANGE                          Add RANGE(in CIDR notation) to list of blocked IP ranges.  Repeatable.
   --allow-range RANGE                         Add RANGE (in CIDR notation) to list of allowed IP ranges.  Repeatable.
   --deny-address value                        Add IP[:PORT] to list of blocked IPs.  Repeatable.
   --allow-address value                       Add IP[:PORT] to list of allowed IPs.  Repeatable.
   --egress-acl-file FILE                      Validate egress traffic against FILE
   --expose-prometheus-metrics                 Exposes metrics via a Prometheus scrapable endpoint.
   --prometheus-endpoint ENDPOINT              Specify endpoint to host Prometheus metrics on. (default: "/metrics")
                                                 Requires `--expose-prometheus-metrics` to be set.
   --prometheus-port PORT                      Specify port to host Prometheus metrics on. (default "9810")
                                                 Requires `--expose-prometheus-metrics` to be set.
   --resolver-address ADDRESS                  Make DNS requests to ADDRESS (IP:port).  Repeatable.
   --statsd-address ADDRESS                    Send metrics to statsd at ADDRESS (IP:port). (default: "127.0.0.1:8200")
   --tls-server-bundle-file FILE               Authenticate to clients using key and certs from FILE
   --tls-client-ca-file FILE                   Validate client certificates using Certificate Authority from FILE
   --tls-crl-file FILE                         Verify validity of client certificates against Certificate Revocation List from FILE
   --additional-error-message-on-deny MESSAGE  Display MESSAGE in the HTTP response if proxying request is denied
   --disable-acl-policy-action POLICY ACTION   Disable usage of a POLICY ACTION such as "open" in the egress ACL
   --stats-socket-dir DIR                      Enable connection tracking. Will expose one UDS in DIR going by the name of "track-{pid}.sock".
                                                 This should be an absolute path with all symlinks, if any, resolved.
   --stats-socket-file-mode FILE_MODE          Set the filemode to FILE_MODE on the statistics socket (default: "700")
   --max-concurrent-requests value             Maximum simultaneous requests. 0 = unlimited (default: 0)
   --max-request-rate value                    Maximum requests per second. 0 = unlimited (default: 0)
   --max-request-burst value                   Maximum burst capacity. Must be > max-request-rate when specified.
                                                 Omit to use default (2x max-request-rate).
   --max-concurrent-connect-tunnels value      Maximum number of concurrent CONNECT tunnels.
                                                 Unlike max-concurrent-requests, this limits actual long-lived connections.
                                                 0 = unlimited (default: 0)
   --dns-timeout DURATION                      Maximum time to wait for DNS resolution (default: 5s)
   --version, -v                               print the version

Client Identification

In order to override how Smokescreen identifies its clients, you must:

• Create a new go project
• Import Smokescreen
• Create a Smokescreen configuration using cmd.NewConfiguration
• Replace smokescreen.Config.RoleFromRequest with your own func(request *http.Request) (string, error)
• Call smokescreen.StartWithConfig
• Build your new project and use the resulting executable through its CLI

Here is a fictional example that would split a client certificate's OrganizationalUnit on commas and use the first particle as the service name.

package main

import (...)

func main() {
	// Here is an opportunity to pass your logger
	conf, err := cmd.NewConfiguration(nil, nil)
	if err != nil {
		log.Fatal(err)
	}
	if conf == nil {
		os.Exit(1)
	}

	conf.RoleFromRequest = func(request *http.Request) (string, error) {
		fail := func(err error) (string, error) { return "", err }

		subject := request.TLS.PeerCertificates[0].Subject
		if len(subject.OrganizationalUnit) == 0 {
			fail(fmt.Errorf("warn: Provided cert has no 'OrganizationalUnit'. Can't extract service role."))
		}
		return strings.SplitN(subject.OrganizationalUnit[0], ".", 2)[0], nil
	}

	smokescreen.StartWithConfig(conf, nil)
}

IP Filtering

To control the routing of requests to specific IP addresses or IP blocks, use the deny-address, allow-address, deny-range, and allow-range options in the config.

Rate Limiting

Smokescreen supports rate and concurrency limiting to protect against overload:

| Option | Description | | ------ | ----------- | | max-concurrent-requests | Limits simultaneous in-flight requests. Excess requests receive 503 Service Unavailable. | | max-request-rate | Limits requests per second using a token bucket algorithm. Excess requests receive 429 Too Many Requests. | | max-request-burst | Sets token bucket capacity. Must be greater than max-request-rate. Defaults to 2x the rate if omitted. | | max-concurrent-connect-tunnels | Limits the number of active CONNECT tunnels (long-lived connections). Unlike max-concurrent-requests which only tracks request processing time, this limits actual tunnel connections and prevents resource exhaustion from unbounded CONNECT tunnels. Excess requests receive 429 Too Many Requests. |

Note: max-concurrent-requests limits the number of requests being processed, while max-concurrent-connect-tunnels limits the number of active tunnel connections. For CONNECT requests, the request processing completes quickly but the tunnel connection remains open. Use both settings together for complete protection against resource exhaustion.

Example (CLI):

smokescreen --max-concurrent-requests=100 --max-request-rate=50 --max-concurrent-connect-tunnels=50

Example (YAML):

max_concurrent_requests: 100
max_request_rate: 50
max_request_burst: 150  # optional, defaults to 2x rate
max_concurrent_connect_tunnels: 50  # limits active CONNECT tunnel connections

Hostname ACLs

A hostname ACL can be described in a YAML formatted file. The ACL, at its top-level, contains a list of services as well as a default behavior.

Three policies are supported:

| Policy | Behavior | | ------- | ------