Question around accessing web targets

Hello all.
Looking at the getting started and announcement video and it looks great. One question I have is about how accessing web UIs works through Boundary.
My main example would be something like Kibana using Elasticsearch xpack security.

Another question I have is what sort of auditing the workers give and how protocol-specific it can be. For example, one of the products I work on has strict auditing requirements around how many documents a user has gotten from mongo, which gets logged and sent off.

It's definitely piqued my interest.

Web UIs are tricky; they can work if you set the host set and the port in the target such that you’re pointing to it, and then ensure that the address that the boundary connect proxy is running on is in the subject alternative names on your certificate (assuming you’re using TLS). In the future we hope to have better integration for fronting web UIs once we have protocol decoding for HTTP, but for now it’s complicated, as browser crypto stacks are very locked down so we can’t really manage it ourselves.


Can a web target session be started through the proxy’s web UI or does it need to be done through CLI?

Currently all proxies need to be started through the CLI.

On this topic, I’m trying to proxy to a grafana dashboard hosted in EKS. When I try the cli command: “boundary connect http” against my deployed boundary cluster (in aws, with TLS on) I get this error:

curl: (60) SSL: no alternative certificate subject name matches target host name ‘127.0.0.1’

I’m connecting to a deployed boundary service, but it looks like it’s trying to run a local proxy. Any ideas what i’m doing wrong? Or should we just have TLS off at this point?

Or alternatively do we need to build a Go server to front our web UIs? I’m curious if fronting web uis is possible in any way at this point.

Thanks in advance.

@coguy450 - This is curl (the forked process that underpins connect http), saying there’s no alternative name for localhost in the TLS certificate. You have several options on the command line:

  1. Add the alternative name to the certificate on the target host
  2. Pass the -scheme and -host flags to connect http:
     boundary connect http -scheme https -host <domain_name> -target-id ttcp_1234567890
  3. Tell curl to skip certificate verification using -k:
     boundary connect http -target-id ttcp_1234567890 -- -k

Here’s an example of proxying Google over Boundary (somewhat similar situation you’re in being that it’s HTTPS over a TCP proxy):

For this example, I updated the following on the default dev target:

  1. Set max_connections to -1
  2. Set default_port to 443
  3. Set the target host address to google.com.

On the command line:

$ boundary connect http -scheme https -host google.com -target-id ttcp_1234567890 -- -L
<truncated>
* Connected to www.google.com (127.0.0.1) port 54265 (#1)

Note that I passed -L in this example to follow the redirects.

And for the browser use-case:

Make your browser believe localhost is in fact the remote domain you’re accessing over the proxy by setting it in /etc/hosts:

$ cat /etc/hosts
127.0.0.1 google.com

Then run a simple connect session to start a proxy session:

boundary connect -target-id ttcp_1234567890

Proxy listening information:
  Address:             127.0.0.1
  Connection Limit:    -1
  Expiration:          Thu, 29 Oct 2020 22:58:45 PDT
  Port:                54049
  Protocol:            tcp
  Session ID:          s_KQbPFnkXpu

Then, open a browser to the domain name you’re overriding in /etc/hosts but with the proxy port (don’t forget to use https://):

You’ll also notice the certificate is verified:
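The browser procedure above has two moving parts that are easy to get wrong: the /etc/hosts entry has to point the certificate's real hostname at the proxy address, and the URL typed into the browser has to be https:// on the proxy port, because the tunnel is a raw TCP proxy and an http:// request reaches the HTTPS listener unchanged (that is what a server means by "Client sent an HTTP request to an HTTPS server" or "The plain HTTP request was sent to HTTPS port"). The following shell helpers are an added example, not code from the thread or from the Boundary project: they take the "Proxy listening information" block that boundary connect prints (in the format shown above; that format is an assumption) and derive the hosts line, the URL to open, and a check that the hosts override is in place. The sample listener output and the hosts file contents are constructed.

```shell
#!/bin/sh
# Added example: turn the listener block printed by
#   boundary connect -target-id ttcp_...
# into what a browser session needs. Assumes the text layout shown in
# the thread ("Address:" and "Port:" lines under "Proxy listening
# information:"). DOMAIN must be the name the target's TLS certificate
# is actually issued for, or the browser's verification will still fail.

# proxy_port OUTPUT -> prints the port from the "Port:" line; fails if absent
proxy_port() {
    printf '%s\n' "$1" | awk '$1 == "Port:" { print $2; found = 1 } END { exit !found }'
}

# proxy_address OUTPUT -> prints the address from the "Address:" line; fails if absent
proxy_address() {
    printf '%s\n' "$1" | awk '$1 == "Address:" { print $2; found = 1 } END { exit !found }'
}

# hosts_line DOMAIN OUTPUT -> the /etc/hosts entry that makes the browser
# resolve DOMAIN to the local proxy, so the URL's host name matches the
# subject alternative name in the server certificate.
hosts_line() {
    addr=$(proxy_address "$2") || return 1
    printf '%s %s\n' "$addr" "$1"
}

# browser_url DOMAIN OUTPUT -> the URL to open. Always https://: the tunnel
# does not terminate TLS, so plain http:// to the proxy port is delivered
# as-is to the HTTPS listener and rejected as a plain-HTTP request.
browser_url() {
    port=$(proxy_port "$2") || return 1
    printf 'https://%s:%s/\n' "$1" "$port"
}

# hosts_has DOMAIN FILE -> succeeds if FILE maps DOMAIN to an IPv4 loopback
# address on a non-comment line (IPv6 ::1 entries are not considered).
hosts_has() {
    awk -v d="$1" '
        $1 ~ /^127\./ { for (i = 2; i <= NF; i++) if ($i == d) found = 1 }
        END { exit !found }' "$2"
}

# Constructed sample: the listener block as the thread shows it.
SAMPLE='Proxy listening information:
  Address:             127.0.0.1
  Connection Limit:    -1
  Expiration:          Thu, 29 Oct 2020 22:58:45 PDT
  Port:                54049
  Protocol:            tcp
  Session ID:          s_KQbPFnkXpu'

# Demo: ./proxy_helpers.sh demo
if [ "${1:-}" = "demo" ]; then
    hosts_line google.com "$SAMPLE"      # 127.0.0.1 google.com
    browser_url google.com "$SAMPLE"     # https://google.com:54049/
    hosts_has google.com /etc/hosts && echo "hosts override present" \
        || echo "add the line above to /etc/hosts first"
fi
```

In practice boundary connect keeps running while the session is open, so run it in one terminal, copy its listener block into a file, and feed that file to the helpers from another terminal (`browser_url vault.example.com "$(cat session.txt)"`; the hostname is a placeholder). Prefer this hosts-file approach over curl's -k or a browser "proceed anyway" click: it keeps certificate verification on, so a wrong or substituted endpoint behind the tunnel is still caught.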

@robrotheram This response around proxying HTTPS traffic over our TCP proxy might be useful for you.

Hi @malnick, I have tried to simulate your guide, but I can’t access the webpage. Checking the log, I saw this message:

{
  "id": "iorBIVBFyi",
  "source": "https://hashicorp.com/boundary/dev-controller/boundary-dev",
  "specversion": "1.0",
  "type": "error",
  "data": {
    "error": "error dialing endpoint: dial tcp 127.0.0.1:443: connect: connection refused",
    "error_fields": {},
    "id": "e_dmkeaRcI2Q",
    "version": "v0.1",
    "op": "worker.(Worker).handleProxy",
    "info": {
      "endpoint": "tcp://google.com:443",
      "msg": "error handling proxy",
      "session_id": "s_lnjM8cwNAW"
    }
  },
  "datacontentype": "text/plain",
  "time": "2022-05-17T16:37:46.058739648-03:00"
}

All the configs (easy to set) are the same as in your example.

Thanks.

What is the command you’re using to connect and what is the configuration of the Boundary target you’re connecting to?

Hello, @omkensey!

I’m running this command boundary connect http --scheme https -tls-insecure -target-id ttcp_a4MVT4pkQq -path=ui/ -addr=http://54.237.167.93:9200 -- -L which prints the HTML to my terminal, just that, and returns. I’m confused about how I can access the web target. The web target is the Vault UI. Vault UI from HashiCorp Cloud. We have a VPC Peering. Boundary is on our VPC, in a public subnet. We got that working with StrongDM, and Teleport, but we can’t make that happen with Boundary. Best regards!

Ah, well, the good news is, you actually did get it working :grin: When you use the boundary connect http CLI mode, Boundary automatically invokes curl by default to connect to the target, so spitting out HTML is actually what you’re supposed to see from that. What you probably want though is to use a web browser to connect to the Vault UI, which you can do a couple of ways:

  • with the Boundary desktop app, which will open a connection and then give you the Boundary tunnel address to paste into your web browser

  • with the CLI, instead of using boundary connect http ..., just use boundary connect -target-id ttcp_a4MVT4pkQq -addr=http://54.237.167.93:9200 – that will then hold open a proxy connection and give you the address, which you can copy and paste into your web browser as above.

The one thing that may be a challenge is if the Vault server’s TLS certificate doesn’t include localhost as a subject name, then your web browser will throw a TLS warning at minimum and depending on the certificate, the browser and the browser configuration, may not allow you to connect at all (because of browser TLS behavior, not because of Boundary per se). You can either just accept the browser warning, or you can reconfigure how things work in your Boundary environment a bit and use an additional proxy as the Boundary target instead of the destination web site, then configure your web browser to use the Boundary tunnel address as its proxy. Besides resolving the TLS mismatch this will also allow you to use internal-only hostnames through the Boundary connection right in your web browser without needing a separate target for each one.

Hello @omkensey!

I tried that, which works (only in the CLI, for some reason Desktop doesn’t work). When I open the address in the browser, it shows: “Client sent an HTTP request to an HTTPS server.” and close connection :frowning:

Best regards!

This is my issue as well; I can’t create a persistent connection between an HTTPS webserver (in my case the Jenkins UI) and Boundary.

If I do

boundary connect http -target-id=ttcp_hwWOdO7Nwm

it spits out the html file.

If I do

boundary connect -target-id=ttcp_hwWOdO7Nwm

It creates the persistent proxy connection, but I keep getting:

400 Bad Request

The plain HTTP request was sent to HTTPS port

Sadly, in our case, we moved to another solution to get everything working as we wanted.

May I ask what you guys moved to?

After our research we chose StrongDM, no regrets.