The Formal Connector is a protocol-aware reverse proxy that interprets various wire protocols (HTTP, Postgres, MySQL, Kubernetes and more) to give security teams better visibility into, and control over, their data flows.
Customers often start using Formal for one type of data store, and over time Formal comes to cover more of the data stores in their stack. To keep the Formal deployment simple we built a feature that lets the Connector listen on a single port for multiple technologies. It works by detecting the incoming wire protocol and then automatically loading the matching protocol interpreter.
Initial approach
The initial approach read the first few bytes of every TCP connection to identify the protocol before forwarding the packets to the appropriate protocol interpreter:
The `[]byte` read from the connection was then handed over and written to the destination explicitly, before `io.Copy` took over to forward the rest of the traffic. This worked well for most protocols but ran into trouble with MongoDB because of its message framing.
MongoDB's wire protocol is length-prefixed: every message begins with a 16-byte header whose first field, messageLength, states the size of the whole message, and the interpreter reads exactly that many bytes. Writing the sniffed bytes separately from the remainder of the stream split that first message in two and disrupted the framing: the misaligned initial bytes led to failed connections and misinterpreted messages.
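The sniff-and-forward idea described above, as an added example in Go (this is illustrative code written for this page, not Formal's Connector). `Detect` classifies a client's first bytes for three client-first protocols using the public wire formats (HTTP request line; Postgres startup packet, which carries a big-endian length and a protocol code such as 196608 for protocol 3.0 or 80877103 for SSLRequest; MongoDB's little-endian 16-byte header with opCode 2013 for OP_MSG or 2004 for OP_QUERY). `ReadMongoMessage` shows the length-prefixed framing that the split write violated. `Sniff` splices the sniffed bytes back in front of the connection with `io.MultiReader` so a downstream reader sees one contiguous stream; that splice is one way to avoid the split, assumed here rather than taken from the page. Note that server-first protocols such as MySQL cannot be detected from the client's first bytes at all, since the server speaks first.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// Protocol names returned by Detect (illustrative subset, not Formal's list).
const (
	ProtoHTTP     = "http"
	ProtoPostgres = "postgres"
	ProtoMongoDB  = "mongodb"
	ProtoUnknown  = "unknown"
)

// Detect guesses the wire protocol from the first bytes a client sends.
// Only client-first protocols can be recognised this way.
func Detect(prefix []byte) string {
	for _, m := range []string{"GET ", "POST ", "PUT ", "HEAD ", "DELETE ", "OPTIONS ", "PATCH ", "CONNECT ", "TRACE "} {
		if bytes.HasPrefix(prefix, []byte(m)) {
			return ProtoHTTP
		}
	}
	if len(prefix) >= 8 {
		// Postgres startup packet: big-endian int32 length, then a 4-byte code.
		switch binary.BigEndian.Uint32(prefix[4:8]) {
		case 196608, 80877103, 80877104: // protocol 3.0, SSLRequest, GSSENCRequest
			return ProtoPostgres
		}
	}
	if len(prefix) >= 16 {
		// MongoDB header: little-endian messageLength, requestID, responseTo, opCode.
		msgLen := binary.LittleEndian.Uint32(prefix[0:4])
		switch binary.LittleEndian.Uint32(prefix[12:16]) {
		case 2013, 2004: // OP_MSG, OP_QUERY
			if msgLen >= 16 {
				return ProtoMongoDB
			}
		}
	}
	return ProtoUnknown
}

// ReadMongoMessage reads exactly one length-prefixed MongoDB message from r.
// It works only if header and body arrive on one contiguous reader.
func ReadMongoMessage(r io.Reader) ([]byte, error) {
	hdr := make([]byte, 16)
	if _, err := io.ReadFull(r, hdr); err != nil {
		return nil, err
	}
	n := binary.LittleEndian.Uint32(hdr[0:4])
	if n < 16 || n > 48*1024*1024 { // MongoDB caps messages at 48 MiB
		return nil, fmt.Errorf("invalid messageLength %d", n)
	}
	msg := make([]byte, n)
	copy(msg, hdr)
	if _, err := io.ReadFull(r, msg[16:]); err != nil {
		return nil, err
	}
	return msg, nil
}

// Sniff reads whatever the client sent first, classifies it, and returns a
// reader that replays those bytes ahead of the rest of the connection
// (assumed splice via io.MultiReader; not the page's own fix).
func Sniff(conn io.Reader) (string, io.Reader, error) {
	buf := make([]byte, 1024)
	n, err := conn.Read(buf)
	if err != nil && n == 0 {
		return ProtoUnknown, nil, err
	}
	prefix := buf[:n]
	return Detect(prefix), io.MultiReader(bytes.NewReader(prefix), conn), nil
}

func main() {
	// Constructed sample: a minimal OP_MSG (26 bytes: header, flags, kind 0, empty BSON doc).
	mongo := []byte{0x1a, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0xdd, 0x07, 0, 0,
		0, 0, 0, 0, 0, 5, 0, 0, 0, 0}
	proto, r, _ := Sniff(bytes.NewReader(mongo))
	msg, err := ReadMongoMessage(r)
	fmt.Println(proto, len(msg), err)
}
```

The message-length bound in `ReadMongoMessage` is the check a practitioner wants at this point: a proxy that trusts an attacker-controlled messageLength and allocates accordingly is an easy memory-exhaustion target.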