Question around accessing web targets

Hello all.
Looking at the getting started and announcement video, it looks great. One question I have is around how accessing web UIs works through Boundary.
My main example would be something like Kibana using Elasticsearch xpack security.

Another question I have is what sort of auditing the workers give and how protocol-specific it can be. For example, one of the products I work on has strict auditing requirements around how many documents a user has gotten from Mongo; that gets logged and sent off.

It's definitely piqued my interest.

Web UIs are tricky; they can work if you set the host set and the port in the target such that you're pointing to it, and then ensure that the address that the boundary connect proxy is running on is in the subject alternative names on your certificate (assuming you're using TLS). In the future we hope to have better integration for fronting web UIs once we have protocol decoding for HTTP, but for now it's complicated, as browser crypto stacks are very locked down so we can't really manage it ourselves.


Can a web target session be started through the proxy’s web UI or does it need to be done through CLI?

Currently all proxies need to be started through the CLI.

On this topic, I'm trying to proxy to a Grafana dashboard hosted in EKS. When I try the CLI command "boundary connect http" against my deployed Boundary cluster (in AWS, with TLS on) I get this error:

curl: (60) SSL: no alternative certificate subject name matches target host name ‘127.0.0.1’

I'm connecting to a deployed Boundary service, but it looks like it's trying to run a local proxy. Any ideas what I'm doing wrong? Or should we just have TLS off at this point?

Or alternatively do we need to build a Go server to front our web UIs? I’m curious if fronting web uis is possible in any way at this point.

Thanks in advance.

@coguy450 - This is curl (the forked process that underpins connect http) saying there's no alternative name for localhost in the TLS certificate. You have several options on the command line:

  1. Add the alternative name to the certificate on the target host
  2. Pass the -scheme and -host flags to connect http:
     boundary connect http -scheme https -host <domain_name> -target-id ttcp_1234567890
  3. Tell curl to skip certificate verification using -k:
     boundary connect http -target-id ttcp_1234567890 -- -k

Here's an example of proxying Google over Boundary (a somewhat similar situation to the one you're in, being that it's HTTPS over a TCP proxy):

For this example, I updated the following on the default dev target:

  1. Set max_connections to -1
  2. Set default_port to 443
  3. Set the target host address to google.com.

On the command line:

$ boundary connect http -scheme https -host google.com -target-id ttcp_1234567890 -- -L
<truncated>
* Connected to www.google.com (127.0.0.1) port 54265 (#1)

Note that I passed -L in this example to follow the redirects.

And for the browser use-case:

Make your browser believe localhost is in fact the remote domain you’re accessing over the proxy by setting it in /etc/hosts:

$ cat /etc/hosts
127.0.0.1 google.com

Then run a simple connect session to start a proxy session:

boundary connect -target-id ttcp_1234567890

Proxy listening information:
  Address:             127.0.0.1
  Connection Limit:    -1
  Expiration:          Thu, 29 Oct 2020 22:58:45 PDT
  Port:                54049
  Protocol:            tcp
  Session ID:          s_KQbPFnkXpu

Then, open a browser to the domain name you're overriding in /etc/hosts, but with the proxy port (don't forget to use https://):

[Screenshot: Screen Shot 2020-10-29 at 2.48.33 PM]

You’ll also notice the certificate is verified:

[Screenshot: Screen Shot 2020-10-29 at 2.48.50 PM]

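The name-check failure behind that curl error, and what the -host flag or the /etc/hosts override fixes, as an added example (not code from the thread or from Boundary): the client dials the local proxy at 127.0.0.1:<port>, but SNI and hostname verification must run against the real hostname, and a certificate issued for DNS names can never match an IP literal. The proxy address, port and SAN lists below are assumed/constructed values.

```python
import socket
import ssl
from ipaddress import ip_address


def hostname_matches_san(hostname: str, san_entries: list[tuple[str, str]]) -> bool:
    """Return True if hostname is covered by the certificate's SAN entries.

    san_entries mirrors the shape of ssl's getpeercert()["subjectAltName"], e.g.
    [("DNS", "google.com"), ("DNS", "*.google.com"), ("IP Address", "10.0.0.1")].
    An IP literal such as 127.0.0.1 only matches "IP Address" entries, which is
    why curl rejects a certificate issued for a DNS name when dialled as 127.0.0.1.
    """
    try:
        ip = ip_address(hostname)
    except ValueError:
        ip = None
    host = hostname.lower().rstrip(".")
    for kind, value in san_entries:
        if ip is not None:
            if kind == "IP Address" and ip_address(value) == ip:
                return True
            continue
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        # RFC 6125-style wildcard: a single leading "*." label matches exactly one label
        if pattern.startswith("*.") and "*" not in pattern[2:]:
            suffix = pattern[1:]  # ".google.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
    return False


def verify_via_proxy(proxy_host: str, proxy_port: int, expected_hostname: str) -> bool:
    """Dial the local Boundary proxy, but send SNI for and check the cert against the real name.

    Chain validation against the system trust store still happens (verify_mode stays
    CERT_REQUIRED); only the hostname check is done by hand so the logic is visible.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # replaced by hostname_matches_san() below, not disabled outright
    with socket.create_connection((proxy_host, proxy_port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=expected_hostname) as tls:
            cert = tls.getpeercert()
    return hostname_matches_san(expected_hostname, list(cert.get("subjectAltName", ())))
```

verify_via_proxy("127.0.0.1", 54265, "google.com") is the programmatic equivalent of the -host flag: the TCP connection goes to the proxy port while the TLS layer behaves as if it were talking to google.com directly.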

@robrotheram This response around proxying HTTPS traffic over our TCP proxy might be useful for you.