Following the PKI Hacking for Fun and Profit article, I've created a simple example of an event logging agent that allows devices to use a customer owned mTLS server.
Blog Log Agent
This is a simple Docker Compose application that can run on a LmP device. It periodically scans files under
/var/run/events and will upload them as events to the blog log server using mTLS settings that were created when the device was registered with foundries.io (
Blog Log Server
This is a Docker Compose application you'll run on an internet connected computer. It exposes Nginx with TLS certificates configured for your Factory. It simply accepts any valid connection and returns an
HTTP 200 "OK". The idea of this project is to give users the skeleton they need for doing their own custom service.
Internet connected server with port 443 exposed
Access to the PKI certs set up by the FoundriesFactory administrator. This directory will have files like:
LmP Device that has been registered with the Foundries backend (lmp-device-register has been run).
Part 1: Create TLS certs
From the computer with your Factory PKI certificates, run this create_new_server script. For example:
# ./create_new_server <PATH TO PKI KEYS> <YOUR DOMAIN>
# For example:
$ ./create_new_server /secure-pki-keys andy-corp.io
Part 2: Start the server
These steps will be run from your internet connected server:
$ git clone https://github.com/doanac/blog-log-server
$ cd blog-log-server
# Copy the certificates created from part 1, to ./certs/.
# This should leave you with:
# ./certs/ca-chain.pem, ./certs/tls.key, ./certs/tls.pem
$ docker-compose up
You now have an mTLS server up and running waiting for connections.
Part 3: Start the agent
These steps need to be run from an LmP device:
$ git clone https://github.com/doanac/blog-log-agent
$ cd blog-log-agent
# Build the container
$ docker-compose build
# Launch the agent with the proper EVENTS_URL:
# EVENTS_URL=<URL> docker-compose up.
# For example:
$ EVENTS_URL="https://andy.corp.io/" docker-compose up
You can now test things work from another terminal by running something like:
$ sudo -s
$ echo hello_world > /var/run/events/event-1
The log agent looks every 10 seconds for new events and will remove the
event-1 file once its been successfully processed. You can watch the output of the agent to see when it uploads to the server.