CLI
Sockets are the public endpoint that border0 creates on behalf of users. Each socket will come with a unique DNS name. The following types are supported:
- HTTP: Use this when your local service is a http service.
- SSH. Used for handling ssh connections to remote or local systems .
- Database. Use when working with mysql, mssql or postgres type databases.
- TLS. Use this when your local service is a non-http service.
In this case the platform will proxy a encrypted tcp session. This is used for example for ssh or https services.
Note that in this case border0 will, in addition to a unique DNS name, also create a TCP port number just for your
service. - RDP: Used for Remote Desktop services.
- VNC: Used for VNC services.
- VPN: Used for VPN services.
border0 socket
Displays all available socket specific commands and their flags
border0 socket
Manage your sockets
Usage:
border0 socket [command]
Available Commands:
connect Connect a socket
create Create a new socket
delete Delete a socket
ls List your sockets
policy Manage your global Policies
show Show socket details
Flags:
-h, --help help for socket
-s, --socket_id string Socket ID
Use "border0 socket [command] --help" for more information about a command.
border0 socket create
socket create sub-command allows for adding new sockets of types listed at the top.
$ border0 socket create
Create a new socket
Usage:
border0 socket create [flags]
border0 socket create [command]
Available Commands:
database Create a new database socket
http Create a new http socket
rdp Create a new rdp socket
ssh Create a new ssh socket
tls Create a new tls socket
vnc Create a new vnc socket
vpn Create a new vpn socket
Flags:
-h, --help help for create
Global Flags:
--json Print output in JSON format
--print_input_json Print input in JSON format
Use "border0 socket create [command] --help" for more information about a command.
border0 socket create ssh
border0 socket create ssh --help
Create a new ssh socket
Usage:
border0 socket create ssh [flags]
Flags:
--allowed_docker_container strings Allowed docker container to connect to
--allowed_namespace strings Allowed namespace to connect to
--auth_type string Authentication type (for standard upstream_type) to use to connect to the target: username_and_password, ssh_key or border0_certificate
--aws_access_key_id string AWS Access Key ID
--aws_profile string AWS Profile
--aws_secret_access_key string AWS Secret Access Key
--aws_session_token string AWS Session Token
--connector string Connector to attach to the socket, UUID or name of the connector
-d, --description string Socket description
--ec2_instance_id string AWS EC2 Instance ID
--ec2_region string AWS EC2 region
--ecs_cluster string AWS ECS Cluster
--ecs_region string AWS ECS Cluster
--ecs_service string AWS ECS Cluster
--eks_cluster string AWS EKS Cluster
--eks_region string AWS EKS Cluster
-h, --help help for ssh
--host string Target host: Control where inbound traffic goes
--kubectl_exec_kube_config_path string Kubectl exec kube config path
--kubectl_exec_master_url string Kubectl exec master url
--kubectl_exec_type string Kubectl exec type: standard or aws-eks (default "standard")
-n, --name string Socket name
--namespace_selectors_allowlist string JSON string of namespace selectors allowlist: {"namespace": {"key": ["value"]}}
--password string Password used to connect to target
--port uint16 Target port: the port where inbound traffic goes (default 22)
--recording_enabled Enables session recording (default true)
--ssh_key string Ssh key used to connect to target
--ssm_target_type string AWS SSM target type: ec2 or ecs
--tag stringToString Tags for the socket (key=value) (default [])
--upstream_type string Upstream type to use to connect upstream: standard, aws_ssm, aws_ec2_instance_connect, connector_built_in_ssh_service, docker_exec or kubectl_exec (default "standard")
--username string Username used to connect to target
--username_type string Username type (for builtin-sshserver upstream_type and border0_certificate auth_type): use_connector_user, prompt_client or defined
Global Flags:
--json Print output in JSON format
--print_input_json Print input in JSON format
Examples:
border0 socket create ssh \
--name remote-ssh \
--connector connector1 \
--upstream_type standard \
--host ssh.playground.border0.io \
--auth_type username_and_password \
--username someuser \
--password somepassword
This example will create a SSH socket with the name remote-ssh
attached to the connector1
connector.
It will use the provides username and password to connect to host ssh.playground.border0.io
.
border0 socket create ssh \
--name new-ssh-local \
--connector connector1 \
--upstream_type connector_built_in_ssh_service \
--username_type use_connector_user
This example will create a SSH socket with the name new-ssh-local
which is also attached to connector connector1
. This socket will be using the connector built-in ssh service and will use the user
the connector runs as for the sessions.
border0 socket create database
border0 socket create database --help
Create a new database socket
Usage:
border0 socket create database [flags]
Flags:
--auth_type string Authentication type to use to connect to the target: username_and_password, tls, aws_iam, cloudsql_connector, cloudsql_connector_iam, sql_authentication, kerberos, azure_ad_password or azure_ad_integrated
--ca_certificate string CA certificate used to connect to target
--client_certificate string Client certificate used to connect to target
--client_key string Client key used to connect to target
--cloudsql_instance_id string Google Cloud SQL instance ID
--connector string Connector to attach to the socket, UUID or name of the connector
-d, --description string Socket description
--gcp_credentials_json string Google Cloud SQL credentials JSON
-h, --help help for database
--host string Target host: Control where inbound traffic goes
-n, --name string Socket name
--password string Password used to connect to target
--port int Target port: the port where inbound traffic goes
--rds_region string AWS RDS region
--recording_enabled Enables session recording (default true)
--tag stringToString Tags for the socket (key=value) (default [])
--upstream_type string Upstream type to use to connect upstream: mysql, postgres or mssql
--username string Username used to connect to target
Global Flags:
--json Print output in JSON format
--print_input_json Print input in JSON format
Examples:
border0 socket create database \
--name mysqltest \
--upstream_type mysql \
--host mysql.playground.border0.io \
--auth_type username_and_password \
--username someuser \
--password somepassword
In this example a socket will be created with the name mysqltest
for a mysql server that runs on host mysql.playground.border0.io
. For authentication it will use username and password with the provides credentials.
border0 socket create http
border0 socket create http --help
Create a new http socket
Usage:
border0 socket create http [flags]
Flags:
--connector string Connector to attach to the socket, UUID or name of the connector
-d, --description string Socket description
-h, --help help for http
--host string Target host: Control where inbound traffic goes
--http_hostname string Http host/sni header
-n, --name string Socket name
--port int Target port: the port where inbound traffic goes
--recording_enabled Enables session recording
--tag stringToString Tags for the socket (key=value) (default [])
--upstream_type string Protocol type to use to connect upstream: http or https (default "http")
Global Flags:
--json Print output in JSON format
--print_input_json Print input in JSON format
Example:
border0 socket create http \
--name webservice \
--upstream_type https \
--host httpbin.org \
--port 443 \
--tag somekey=somevalue \
--recording_enabled \
--connector connector1 \
--json
In this example we will create an http socket with the name webservice
attached to connector connector1
. The output of the create commands will be in json format with details about the created socket. This socket is using https://httpbin.org:443
as the target URL. Also recording for this socket will be enabled and the socket has a tag with key somekey
and value somevalue
.
border0 socket create tls
border0 socket create tls --help
Create a new tls socket
Usage:
border0 socket create tls [flags]
Flags:
--connector string Connector to attach to the socket, UUID or name of the connector
-d, --description string Socket description
-h, --help help for tls
--host string Target host: Control where inbound traffic goes
-n, --name string Socket name
--port int Target port: the port where inbound traffic goes
--tag stringToString Tags for the socket (key=value) (default [])
Global Flags:
--json Print output in JSON format
--print_input_json Print input in JSON format
Example:
border0 socket create tls \
-name tlstest \
--host localhost \
--port 1234 \
--description "a tls socket" \
--connector connector1
In this example we create a TLS socket with nane tlstest
connector to connector connector1
. The socket will have a description a tls socket
and will use localhost as the target on port 1234.
border0 socket create vpn
border0 socket create vpn --help
Create a new vpn socket
Usage:
border0 socket create vpn [flags]
Flags:
--advertised_route strings Routes to advertise to clients
--connector string Connector to attach to the socket, UUID or name of the connector
-d, --description string Socket description
--dhcp_pool_subnet string VPN Client DHCP pool subnet. ie 10.42.0.0/22
-h, --help help for vpn
-n, --name string Socket name
--tag stringToString Tags for the socket (key=value) (default [])
Global Flags:
--json Print output in JSON format
--print_input_json Print input in JSON format
border0 socket create vnc
$ border0 socket create vnc --help
Create a new vnc socket
Usage:
border0 socket create vnc [flags]
Flags:
--connector string Connector to attach to the socket, UUID or name of the connector
-d, --description string Socket description
-h, --help help for vnc
--host string Target host: Control where inbound traffic goes
-n, --name string Socket name
--port uint16 Target port: the port where inbound traffic goes (default 5900)
--tag stringToString Tags for the socket (key=value) (default [])
Global Flags:
--json Print output in JSON format
--print_input_json Print input in JSON format
border0 socket create rdp
$ border0 socket create rdp --help
Create a new rdp socket
Usage:
border0 socket create rdp [flags]
Flags:
--connector string Connector to attach to the socket, UUID or name of the connector
-d, --description string Socket description
-h, --help help for rdp
--host string Target host: Control where inbound traffic goes
-n, --name string Socket name
--port uint16 Target port: the port where inbound traffic goes (default 3389)
--tag stringToString Tags for the socket (key=value) (default [])
Global Flags:
--json Print output in JSON format
--print_input_json Print input in JSON format
border0 socket ls
Once we've created some sockets we can list them in easy to read table form.
Socket FQDNs
After creation your socket DNS are compiled from socket_name + org_name + dorder0_TLD
$ocket-server@xps15:~$ border0 socket ls
┌──────────────────────────────────────┬───────────────────────────────────────────────┬─────────┬──────────┬──────────────────────────────────────────────────────────────┐
│ SOCKET ID │ DNS NAME │ PORT(S) │ TYPE │ DESCRIPTION │
├──────────────────────────────────────┼───────────────────────────────────────────────┼─────────┼──────────┼──────────────────────────────────────────────────────────────┤
│ 6fb21ee7-e5db-4ff9-b54c-f9aebcbf6fd6 │ my-http-service-the-greg-rnd.border0.io │ 80, 443 │ http │ This is a socket my amazing HTTP server I am really proud of │
│ 0cc18cf2-c22f-412b-ba83-2a4cb468b210 │ my-db-service-the-greg-rnd.border0.io │ 20844 │ database │ Super secret database only for the few │
└──────────────────────────────────────┴───────────────────────────────────────────────┴─────────┴──────────┴──────────────────────────────────────────────────────────────┘
border0 socket show
Show command prints out information for given socket_id with -s, --socket_id flag
$ border0 socket show --socket_id 0cc18cf2-c22f-412b-ba83-2a4cb468b210
┌──────────────────────────────────────┬─────────────────────────────────────────────┬─────────┬──────────┬────────────────────────────────────────┐
│ SOCKET ID │ DNS NAME │ PORT(S) │ TYPE │ DESCRIPTION │
├──────────────────────────────────────┼─────────────────────────────────────────────┼─────────┼──────────┼────────────────────────────────────────┤
│ 0cc18cf2-c22f-412b-ba83-2a4cb468b210 │ my-db-service-the-greg-rnd.border0.io │ 20844 │ database │ Super secret database only for the few │
└──────────────────────────────────────┴─────────────────────────────────────────────┴─────────┴──────────┴────────────────────────────────────────┘
border0 socket connect
Once we have our socket created it is time to connect it and expose our resources to desired audience.
$ border0 socket connect
Connect a socket
Usage:
border0 socket connect [flags]
Flags:
-h, --help help for connect
--host string Target host: Control where inbound traffic goes. Default localhost (default "127.0.0.1")
--httpserver Start a local http server to accept http connections on this host
--httpserver_dir string Directory to serve http connections on this host
-i, --identity_file string Identity File
-p, --port int Port number
--proxy string Proxy host used for connection to border0.com
-s, --socket_id string Socket ID
-l, --sshserver Start a local SSH server to accept SSH sessions on this host
Connecting your fist test socket
border0 socket connect my-http-socket --httpserver
--httpserver
Probably the fastest way to get full end to end connectivity through a socket is to use a built in HTTP server
$ border0 socket connect my-http-socket --httpserver
Connecting to Server: tunnel.border0.com
Welcome to Border0.io
my-http-service - https://my-http-socket-the-greg-rnd.border0.io
=======================================================
Logs
=======================================================
216.xxx.xxx.152 - - [07/Oct/2022:17:57:46 +0000] "GET / HTTP/1.1" 200 643 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" response_time="0.044 secs"
216.xxx.xxx.152 - - [07/Oct/2022:17:57:47 +0000] "GET /favicon.ico HTTP/1.1" 200 643 "https://my-http-service-the-greg-rnd.border0.io/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" response_time="0.089 secs"
HOWTOs for connecting sockets
For more information on how to expose resource via sockets visit our HOWTO
border0 socket delete
Deletes a socket
$ border0 socket delete my-http-socket
Socket deleted
border0 socket policy
List all policies attached to the socket given the ID with -s, --socket_id flag
$ border0 socket policy --socket_id 0cc18cf2-c22f-412b-ba83-2a4cb468b210
Socket deleted
Updated 6 months ago