pay-tcp-proxy's Introduction

pay-tcp-proxy

As of August 2021 this repository is no longer maintained by the GOV.UK Pay team.

An Nginx proxy using the Nginx stream module to forward TCP traffic from a static address (NLB) to a service endpoint.

For more information see: http://nginx.org/en/docs/stream/ngx_stream_core_module.html

Licence

Responsible Disclosure

GOV.UK Pay aims to stay secure for everyone. If you are a security researcher and have discovered a security vulnerability in this code, we appreciate your help in disclosing it to us in a responsible manner. We will give appropriate credit to those reporting confirmed issues. Please e-mail [email protected] with details of any issue you find, we aim to reply quickly.

Local Testing

If you wish you test the tcp proxy locally you can use the included docker-compose file.

This will run 3 components.

nginx-frontend: Mimics the NLB sitting in front of the pay-tcp-proxy. The connection from this to the pay-tcp-proxy has proxy-protocol enabled
pay-tcp-proxy: The pay-tcp-proxy container as built from the current directory. This has proxy-protocol enabled for inbound connections only providing us with remote client information.
nginx-backend: Provides a simple https web server which the pay-tcp-proxy forwards onto. This auto generates a self-signed SSL certificate if it has not already. This component mimics the public GOV.UK Pay API

  |--------|          |----------------|                         |---------------|          |---------------|
  | client |--https-->| nginx-frontend |--TCP + Proxy Protocol-->| pay-tcp-proxy |--https-->| nginx-backend |
  |--------|          |----------------|                         |---------------|          |---------------|

                        1. Mimics NLB                             2. pay-tcp-proxy          3. mimics pay api

You can start this up as follows: