FAQ
Frequently asked questions
Can I use the OpenSSH client when using Border0?
Yes, you can! ie, you will be able to ssh to machines just like you were used to before like this:
ssh [email protected]
To do that, make sure you add the following to your SSH configuration.
Match host *border0.io exec "border0 client ssh-keysign --host %h"
IdentitiesOnly yes
IdentityFile ~/.ssh/%h
ProxyCommand border0 client tls --host %h
ServerAliveInterval 120
ServerAliveCountMax 2
Here we use the SSH ProxyCommand to make sure traffic goes through Border0. Note that the border0
client needs to be installed on your system. This is needed so we can help authenticate the user and tunnel the traffic securely through the Border0 cloud to your connector.
A simple one-liner to add this to your ssh config can be found below:
echo -e "Match host *border0.io exec \"border0 client ssh-keysign --host %h\""\
"\n IdentitiesOnly yes"\
"\n IdentityFile ~/.ssh/%h"\
"\n ProxyCommand border0 client tls --host %h"\
"\n ServerAliveInterval 120"\
"\n ServerAliveCountMax 2" | tee -a ~/.ssh/config
Can I use Ansible when using Border0?
Yes, you can! Make sure to update your ssh config file as described here and it should just work!
How about Ansible Tower/AWX?
Absolutely! We are big fans of automation and at scale! Ansible AWX article explains Border0 enriched AWX deployment.
What database clients does Border0 support?
Border0 integrates with a various database clients. This means you can use the Border0 cli, discover all database you have access to as a client, and Border0 can help you start your favorite database client with the correct configuration. Currently the following database clients are supported:
- mysql
- mysqlworkbench
- mycli
- dbeaver
- datagrip
- psql
- pgcli
Can I use any database client to connect to a database through Border0?
Yes, you can connect any database client to a local listerner like this (select "local listener" as a client).
$ border0 client db
? choose a host: rnacentral-border0-demo.border0.io [created by andree]
? choose a client: local listener
listening on 127.0.0.1:58808
This will start a TCP listener on the printed port, in this example 127.0.0.1 port 58808. You can now use any database client to connect to that local listener and connect to your database through Border0.
Are there any example or sandbox server I can connect to?
Absolutely! To help you get hands-on experience with Border0, we offer a variety of sandbox servers that serve as Socket origin servers. These servers are designed to let you test different functionalities, including SSH, HTTP, MySQL, and PostgreSQL connections. Below are the details:
Type | DNS Name | credentials |
---|---|---|
SSH | ssh.playground.border0.io port 22 | username: border0 password: Border0<3Ssh |
HTTP | http.playground.border0.io port 80 (http) | no auth required |
MySQL | mysql.playground.border0.io port 3306 | username: border0 password: Border0<3MySql |
PostgreSQL | psql.playground.border0.io port 5432 | username: border0 password: Border0<3Psql |
VNC | vnc.playground.border0.io port 5900 | password: Border0<3VNC |
RDP | vnc.playground.border0.io port 3389 | username: border0 password: Border0<3RDP |
TCP Echo | tcp.playground.border0.io port 9000 | no auth required |
You can use these servers to test various functionalities and configurations of Border0. It's a safe way to understand how the system works and to validate your use-cases. Note these instances will be periodically wiped and are monitored for abuse.
How do I make sure a user has read-only access to my Mysql or Psql database
Using border0 policies you can configure what type of commands, or queries a user is allowed to perform on your mysql or postgres database.
A read only policy would look like this
{
"permissions": {
"database": {
"allowed_databases": [
{
"database": "*",
"allowed_query_types": [
"ReadOnly"
]
}
]
}
},
"condition": {
"when": {
"after": "2022-02-02T22:22:22Z",
"before": null,
"time_of_day_after": "00:00 UTC",
"time_of_day_before": "23:59 UTC"
},
"where": {
"allowed_ip": [
"0.0.0.0/0",
"::/0"
],
"country": null,
"country_not": null
},
"who": {
"email": [
"[email protected]"
]
}
},
"version": "v1"
}
For more information see this section on database policies.
How do I modify the left side menu in client.border0.com?
The client portal, as shown below, allows Border0 administrators to group sockets for easy and convenient navigation. The grouping is then represented as the left-side menu, as seen below. Grouping can be modified by adding tags to your sockets. The following tag naming convention is used:
key | Description |
---|---|
border0_client_category | This is the name used as the main categorization. If the it contains the string aws , gcp , google or azure we'll automatically assign the corresponding icon. For any other type, we'll use a generic icon.If the value looks like an AWS account number, then we'll also add an AWS icon. |
border0_client_subcategory | Is shown as a sub-menu under the border0_client_category item. |
border0_client_icon | If present, the value of this will be rendered as the icon on the socket tile. The following reserved values will render the corresponding icons: aws_ec2 aws_ecs aws_rds docker kubernetes network mysql postgresql Alternatively, you can pick any icon name from https://icon-sets.iconify.design/ to be rendered as the icon. For example: octicon:thumbsup-16 |
border0_client_icon_url | same as border0_client_icon , and can take any img url which will be shown as the icon, Takes precedence over border0_client_icon |
border0_client_icon_text | This text string will be used as the tooltip text a user sees when hovering over the border0_client_icon (see above). This can be any text string. |
Tags can be added to a Socket at any time by editing the Socket details and add/delete/modify the tags.
How do I run the Border0 connector as a Docker container?
Running the connector from a container is easy. As long as the Border0 binary is available on the container and you have a connector token.
First create, create a new connector, or select one from your existing connectors here
From there, navigate to token tab, and create a new token for your connector.
Now you can start the connector like this from Docker.
BORDER0_TOKEN=xxxx border0 connector start
You can also use the Border0 Docker image, and use it like this, this basically gives you an instant Bastion host.
$ docker run -ti -e BORDER0_TOKEN=$CONNECTORTOKEN ghcr.io/borderzero/border0 connector start
Alternatively, you can store the token in a file, and mount it as a volume, and provide the connetcor with the appropriate config file like below
$ cat ~/config.yaml
token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ-REST_OF-TOKEN
$ docker run -ti -v ~/config.yaml:/etc/border0/config.yaml ghcr.io/borderzero/border0 connector start --config /etc/border0/config.yaml
{"level":"info","ts":"2023-09-13T21:21:11Z","msg":"reading the config","config_path":"/etc/border0.conf"}
{"level":"info","ts":"2023-09-13T21:21:11Z","msg":"starting the connector service"}
{"level":"info","ts":"2023-09-13T21:21:11Z","msg":"connecting to connector server","server":"capi.border0.com:443"}
{"level":"info","ts":"2023-09-13T21:21:12Z","msg":"new socket","socket":"7e4a4fdd-c23c-4b84-9c85-1a9da3498753"}
Welcome to Border0.com
docker-connector-ssh - https://client.border0.com/#/ssh/docker-connector-ssh-border0-demo.border0.io
=======================================================
Logs
=======================================================
How do I accesses my Kubernetes containers
Using Border0, you can make kubectl exec
functionality available to users without these users needing a VPN and using just their SSO credentials.
Border0 admins can create an SSH socket with service type 'kubectl exec'. Make sure that the connector has the correct permissions to connect to the Kubernetes API. For more details, also see kubernetes example and docs here
I have a web app in a Docker container, how do I make that available?
There are various ways to do this. In this FAQ we'll assume you have a one-off web app, say an internal web app that runs on one container, and you'd like to make it available to your SSO users. To do this we'll run the border0 connector and the webapp in Docker with the help of supervisord. In this example we'll use a simple http python web server that runs on localhost port 12345.
Follow the steps below, Also see this video for video demo of these steps
- create a new connector in the portal
- Create a token for that connector in the portal (token tab) and record the token.
- Create an HTTP socket linked to your connector. Record the Socket name for later. Use the web app as upstream information, in this case
http://localhost:12345
- create a
supervisord.conf
config file that looks like this. This start a python web server and the border0 connector.
[supervisord]
nodaemon=true
[program:python_server]
command=python3 -m http.server 12345
autostart=true
autorestart=true
startretries=3
[program:border0]
command=/border0 connector start --config /etc/border0.yaml
autostart=true
autorestart=true
startretries=3
- create a
border0.yaml
file with the token:
token: eyJhbGxxxxx..
- Create a
Dockerfile
# Use a base image with Python installed
FROM python:3.8-slim
# Install 'border0' package and supervisord
RUN apt-get update && apt-get install -y supervisor
# Copy our supervisord.conf file from our project directory into the Docker container
COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
ADD https://download.border0.com/linux_amd64/border0 /
run chmod a+rx /border0
COPY border0.yaml /etc/border0.yaml
# Run supervisord
CMD ["/usr/bin/supervisord"]
Now build and start the docker container:
docker build . -t border0container
docker run border0container
Alternatively, you can provide the BORDER0_TOKEN as an enviroment variable to Docker like below. In that case remove --config /etc/border0.yaml
from the supervisord
file.
docker run -e BORDER0_TOKEN=$CONNECTORTOKEN border0container
Your HTTP Service should now be available through border0 using the socket name recorded in step 3 above.
How do I know what my Border0 org name is?
You can find the organization name in the top left corner of the admin portal. The org name shown there is the one you're currently logged into. Note that as an administrator you can have multiple organizations. Listing them and changing between them can be from the Organizations page
What Single sign-on Identity providers are supported
By default the following identity providers are enabled for Clients to log in and authenticate in order to access Sockets.
- Github
- Azure
Premium Border0 customers can use the "bring your own identity provider" feature. This allows you to integrate with existing identity providers such as Google Workspace, Okta, or any OpenID Connect (OIDC) or SAML provider. For more details see our docs on identity providers and this blog: Introducing Custom Identity Providers for Border0.
How do I delete my border0 account?
To request your personal information be deleted, contact [email protected].
Can I get a notification when my connectors is offline?
Yes, you can configure each connector to send a state notifications message from the organization notification settings page.
So note: you need a notification profile. More documentation about notifications can be found at https://docs.border0.com/docs/setup-notifications
To enable a notification for Connector status changes, make sure you enable this event type in the notification profile.
By default, all connectors will send a notification message when it's offline for more than 10 minutes and when they return online. The duration interval can be configured in the connector details page.
Updated 6 months ago