Add support for TLS based HTTP connections. (#158)

bryannolen · web-flow · commit db804474d32e · 2025-02-13T20:54:22.000+01:00
* Add support for TLS based HTTP connections, With Unit Tests.
diff --git a/parser/configurations_parser.go b/parser/configurations_parser.go
@@ -68,6 +68,8 @@ type BeelzebubServiceConfiguration struct {
 	Description            string    `yaml:"description"`
 	Banner                 string    `yaml:"banner"`
 	Plugin                 Plugin    `yaml:"plugin"`
+	TLSCertPath            string    `yaml:"tlsCertPath"`
+	TLSKeyPath             string    `yaml:"tlsKeyPath"`
 }
 
 // Command is the struct that contains the configurations of the commands
diff --git a/parser/configurations_parser_test.go b/parser/configurations_parser_test.go
@@ -49,6 +49,8 @@ func mockReadfilebytesBeelzebubServiceConfiguration(filePath string) ([]byte, er
 apiVersion: "v1"
 protocol: "http"
 address: ":8080"
+tlsCertPath: "/tmp/cert.crt"
+tlsKeyPath: "/tmp/cert.key"
 commands:
   - regex: "wp-admin"
     handler: "login"
@@ -135,6 +137,8 @@ func TestReadConfigurationsServicesValid(t *testing.T) {
 	assert.Equal(t, firstBeelzebubServiceConfiguration.Plugin.LLMModel, "llama3")
 	assert.Equal(t, firstBeelzebubServiceConfiguration.Plugin.Host, "localhost:1563")
 	assert.Equal(t, firstBeelzebubServiceConfiguration.Plugin.Prompt, "hello world")
+	assert.Equal(t, firstBeelzebubServiceConfiguration.TLSCertPath, "/tmp/cert.crt")
+	assert.Equal(t, firstBeelzebubServiceConfiguration.TLSKeyPath, "/tmp/cert.key")
 }
 
 func TestGelAllFilesNameByDirName(t *testing.T) {
diff --git a/protocols/strategies/http.go b/protocols/strategies/http.go
@@ -2,16 +2,16 @@ package strategies
 
 import (
 	"fmt"
-	"github.com/mariocandela/beelzebub/v3/parser"
-	"github.com/mariocandela/beelzebub/v3/plugins"
-	"github.com/mariocandela/beelzebub/v3/tracer"
 	"io"
 	"net"
 	"net/http"
 	"regexp"
 	"strings"
 
 	"github.com/google/uuid"
+	"github.com/mariocandela/beelzebub/v3/parser"
+	"github.com/mariocandela/beelzebub/v3/plugins"
+	"github.com/mariocandela/beelzebub/v3/tracer"
 	log "github.com/sirupsen/logrus"
 )
 
@@ -67,13 +67,25 @@ func (httpStrategy HTTPStrategy) Init(beelzebubServiceConfiguration parser.Beelz
 				}
 
 				setResponseHeaders(responseWriter, command.Headers, command.StatusCode)
-				fmt.Fprintf(responseWriter, responseHTTPBody)
+				fmt.Fprint(responseWriter, responseHTTPBody)
 				break
 			}
 		}
 	})
 	go func() {
-		err := http.ListenAndServe(httpStrategy.beelzebubServiceConfiguration.Address, serverMux)
+		var err error
+		// Launch a TLS supporting server if we are supplied a TLS Key and Certificate.
+		// If relative paths are supplied, they are relative to the CWD of the binary.
+		// The can be self-signed, only the client will validate this (or not).
+		if httpStrategy.beelzebubServiceConfiguration.TLSKeyPath != "" && httpStrategy.beelzebubServiceConfiguration.TLSCertPath != "" {
+			err = http.ListenAndServeTLS(
+				httpStrategy.beelzebubServiceConfiguration.Address,
+				httpStrategy.beelzebubServiceConfiguration.TLSCertPath,
+				httpStrategy.beelzebubServiceConfiguration.TLSKeyPath,
+				serverMux)
+		} else {
+			err = http.ListenAndServe(httpStrategy.beelzebubServiceConfiguration.Address, serverMux)
+		}
 		if err != nil {
 			log.Errorf("Error during init HTTP Protocol: %s", err.Error())
 			return
@@ -95,7 +107,7 @@ func traceRequest(request *http.Request, tr tracer.Tracer, HoneypotDescription s
 	}
 	host, port, _ := net.SplitHostPort(request.RemoteAddr)
 
-	tr.TraceEvent(tracer.Event{
+	event := tracer.Event{
 		Msg:             "HTTP New request",
 		RequestURI:      request.RequestURI,
 		Protocol:        tracer.HTTP.String(),
@@ -111,7 +123,13 @@ func traceRequest(request *http.Request, tr tracer.Tracer, HoneypotDescription s
 		SourcePort:      port,
 		ID:              uuid.New().String(),
 		Description:     HoneypotDescription,
-	})
+	}
+	// Capture the TLS details from the request, if provided.
+	if request.TLS != nil {
+		event.Msg = "HTTPS New Request"
+		event.TLSServerName = request.TLS.ServerName
+	}
+	tr.TraceEvent(event)
 }
 
 func mapHeaderToString(headers http.Header) string {
diff --git a/tracer/tracer.go b/tracer/tracer.go
@@ -2,10 +2,11 @@
 package tracer
 
 import (
-	log "github.com/sirupsen/logrus"
 	"sync"
 	"time"
 
+	log "github.com/sirupsen/logrus"
+
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
 )
@@ -36,6 +37,7 @@ type Event struct {
 	Description     string
 	SourceIp        string
 	SourcePort      string
+	TLSServerName   string
 }
 
 type (

Original file line number	Diff line number	Diff line change
`@@ -68,6 +68,8 @@ type BeelzebubServiceConfiguration struct {`
`68`	`68`	Description string `yaml:"description"`
`69`	`69`	Banner string `yaml:"banner"`
`70`	`70`	Plugin Plugin `yaml:"plugin"`
	`71`	+ TLSCertPath string `yaml:"tlsCertPath"`
	`72`	+ TLSKeyPath string `yaml:"tlsKeyPath"`
`71`	`73`	`}`
`72`	`74`
`73`	`75`	`// Command is the struct that contains the configurations of the commands`