eyakubovich
commented
1 year ago As a workaround, one can run a proxy that listens on a TCP port and then issues an HTTP CONNECT to a predefined host/port. One such tool is the socat utility (available on most distros). Create an entrypoint script that looks like this:
# The Enclaver sets `http_proxy` env variable that looks like "http://127.0.0.1:9000"
# but it's a bit tricky to parse it in the shell script. The port 9000 is the default used by Enclaver
# unless overridden in the enclaver.yaml
proxy_host=127.0.0.1
proxy_port=9000
# The host and port that you want to egress to. Be sure to add the host or IP to the
# egress.allow list in enclaver.yaml
remote_host="mysql-database.local"
remote_port=3306
# Start the TCP tunnel
socat TCP4-LISTEN:${remote_port},reuseaddr,fork PROXY:${proxy_host}:${remote_host}:${remote_port},proxyport=$proxy_port &
# Run your regular entrypoint
mysql --host="$remote_host" mydatabase
Enable processes in enclaves to transparently resolve and connect to any hostname or IP address permitted by the egress policy, without explicit use of any proxy.
We can likely accomplish this through some combination of providing a custom DNS resolver, to track the processes mapping of host names to IP addresses, and transparent TCP redirection to our proxy via nftables or iptables.
We should support UDP while we’re at it, if it is easy.