Browser only workflow

Current workflow expects us to run the boundary CLI (or write our own tool using the SDK). I’m wondering what the vision might be for a browser-only workflow.

Here’s a scenario:

I want to expose an internal dashboard to my colleagues. Ideally, they can do it completely in the browser, particularly for less tech-savvy people.

Here’s a potential solution:

  1. DNS entry for service.mycorp.com points at Boundary
  2. Boundary does the auth (hurrah OIDC #1 on roadmap!)
  3. Boundary maps DNS entry to a host set
  4. Boundary proxies traffic to the actual service, along with auth tokens to potentially not have to authenticate more than once

Is this workflow currently possible? I’m not seeing it, but there’s a chance I’ve missed something.

If it isn’t possible, is this a flow that you’re considering? For me, this ability plus the integration with services like Vault that is discussed in this topic would be a comprehensive Zero Trust environment without further VPN solutions.

Edit: link to a relevant topic: Question around accessing web targets

Hi @pete0emerson

The link to the relevant topic you have there is a good place to start on proxying websites. There isn’t a way to currently do the entire flow via a browser. That being said, we are working on a new client that will be an optional way of starting and maintaining sessions as an alternative to the CLI. This should make things more user friendly for folks not accustomed to a command line environment. Stay tuned for more on that…

Your best option today is to set up Boundary in the way that I described in that topic you linked. You can use domain names instead of IP addresses from that example.

Let me know if this helps, and thanks for trying out Boundary!

The best option today is great for MVP and for engineers comfortable with overloading DNS entries in /etc/hosts.

This actually seems like a great opportunity for me to play with the Boundary SDK. I’d be fine with a tool that is sitting in the menubar and can interpret a DNS request and make the appropriate pass-through to Boundary. It would be little different from an end-user perspective to how current VPN clients work: fire up the VPN, go to your resource in the browser.

Totally, we want to eventually make this as turnkey as possible. We’ll get there!
