Boundary Reverse Proxy

Are there any plans to allow proxying connections to Boundary via a reverse proxy?

Ideally, I would like to be able to expose the API and worker port via the standard HTTPS port, however, based on what I can see, this is not currently possible.

It seems like trying to proxy the client-to-worker connection in any manner results in an error such as:

Error dialing the worker: failed to WebSocket dial: failed to send handshake request: Get "https://boundaryw.removed.com:443/v1/proxy": x509: certificate is valid for default, not s_XsSU4VHSW1

Current setup is to have the controller exposed at https://boundary.removed.com and the worker exposed via https://boundaryw.removed.com and using SNI matching in Traefik to route between the two.

Even though Traefik is set to pass-through the TLS session, it seems to present the wrong certificate.

Is there a recommended method of load balancing the worker connections?

1 Like

@Just-Insane did you ever get this to work?

I was successful at getting Boundary to work using HAProxy through port 443. Initially, I did use the default 9202/tcp port through my firewall but discovered that some networks actively block uncommon ports.

So now, all my HTTPs (ingress/web/boundary/etc) traffic goes through 443/tcp. :slight_smile: Very happy with that.

This works by using HAProxy tcp inspection and SNI routing. I’m not sure if Traeffic does this.

My HAProxy config snippet:

frontend SSL_PassThrough
    bind *:{{ env "NOMAD_PORT_https" }}
    mode tcp

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    use_backend boundary_worker if { req_ssl_sni -m beg s_ }

    default_backend TCP_to_Frontend_SSL_Termination

backend TCP_to_Frontend_SSL_Termination
    mode tcp
    server haproxy-https 127.0.0.1:8443 verify none

frontend SSL_Termination
    bind 127.0.0.1:8443 ssl crt "${NOMAD_SECRETS_DIR}/certs"
    mode http
...
1 Like

A more complete picture of my HAProxy config:

frontend SSL_PassThrough
    bind *:{{ env "NOMAD_PORT_https" }}
    mode tcp

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    use_backend boundary_worker if { req_ssl_sni -m beg s_ }

    default_backend TCP_to_Frontend_SSL_Termination

backend TCP_to_Frontend_SSL_Termination
    mode tcp
    server haproxy-https 127.0.0.1:8443 verify none

frontend SSL_Termination
    bind 127.0.0.1:8443 ssl crt "${NOMAD_SECRETS_DIR}/certs"
    mode http

...

backend boundary_worker
    mode tcp
    balance roundrobin
    server-template boundary_worker 4 _boundary-worker-internal._tcp.service.consul resolvers consul resolve-opts allow-dup-ip resolve-prefer ipv4 check verify none

I would like to know from the Boundary devs if the partial host string s_ is safe to use for the SNI routing I utilized with HAProxy. I really couldn’t conceive another way since the internal Worker TLS stack seems to choose s_ consistently for mTLS.