Static Sockets plugin
Adding static sockets
From the same CLI session we just used, open the border0.yaml file in your favourite text editor and create a new “sockets” section, e.g.:
sockets:
  - webserver-connector-lab:
      port: 8000
      type: http
      host: 127.0.0.1
      policies: [my-policy]
The yaml configuration file should look something like this:
$ cat border0.yaml
connector:
  name: "my-awesome-connector"
  credentials:
    user: [email protected]
    password: AVeryLongAndSecurePassword
    # token: AVeryLongAndSecurePasswordThingyTokenLikeStuffGeneratedInThePortal
sockets:
  - webserver-connector-lab:
      port: 8000
      type: http
      host: 127.0.0.1
      policies: [my-policy]
Running connector and sockets
We are now ready to run our connector for the first time. To demonstrate the full end-to-end connectivity and workflow, we are going to start a simple web server on the same host so that our http socket has something to point at.
Run a simple Python based web server in the background so that we have something to test against:
$ python3 -m http.server &
[1] 2416
$ Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Now, with the simple http server listening in the background, we can run our connector:
$ border0 connector start --config border0.yaml
2022/08/03 17:55:24 starting the connector service
Welcome to Border0.com
NAME-OF-MY-SOCKET - https://NAME-OF-MY-SOCKET.border0.io
=======================================================
Logs
=======================================================
GREAT!
The connector detected our yaml config, created the defined socket and started a connector for us in the background.
We can now navigate to our new socket in the web browser: https://NAME-OF-MY-SOCKET.border0.io
Additionally, we can see the new socket in the portal: https://portal.border0.com/mysockets
Meanwhile the console should output some logs:
127.0.0.1 - - [19/May/2022 22:00:46] "GET / HTTP/1.1" 200 -
70.36.54.184 - - [19/May/2022:22:00:46 +0000] "GET / HTTP/1.1" 200 408 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36" response_time="0.032 secs"
127.0.0.1 - - [19/May/2022 22:00:46] code 404, message File not found
127.0.0.1 - - [19/May/2022 22:00:46] "GET /favicon.ico HTTP/1.1" 404 -
70.36.54.184 - - [19/May/2022:22:00:46 +0000] "GET /favicon.ico HTTP/1.1" 404 323 "https://NAME-OF-MY-SOCKET.border0.io/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36" response_time="0.040 secs"
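The two log formats above carry different information: the upstream python server only ever sees 127.0.0.1 (the connector on the same host is its client), while the connector line records the real client address, user agent and response time. The following Python script is an added example, not part of this page or of Border0's tooling. It parses both formats from the lines shown above, joins each connector request to the upstream request it caused, and flags upstream requests from non-loopback addresses, which in this single-host setup would mean the web server was reached without going through the socket and its policy. The `192.0.2.77` line is constructed for that purpose, and the script assumes the upstream timestamps (which carry no zone) are UTC.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Log lines as printed on the page (python3 -m http.server on the upstream,
# interleaved with the connector's own access log), plus one constructed line
# at the end: a request that hit the upstream without passing the connector.
SAMPLE_LOG = """\
127.0.0.1 - - [19/May/2022 22:00:46] "GET / HTTP/1.1" 200 -
70.36.54.184 - - [19/May/2022:22:00:46 +0000] "GET / HTTP/1.1" 200 408 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36" response_time="0.032 secs"
127.0.0.1 - - [19/May/2022 22:00:46] code 404, message File not found
127.0.0.1 - - [19/May/2022 22:00:46] "GET /favicon.ico HTTP/1.1" 404 -
70.36.54.184 - - [19/May/2022:22:00:46 +0000] "GET /favicon.ico HTTP/1.1" 404 323 "https://NAME-OF-MY-SOCKET.border0.io/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36" response_time="0.040 secs"
192.0.2.77 - - [19/May/2022 22:05:10] "GET /secret.txt HTTP/1.1" 200 -
"""

# Shared prefix of both formats: client address, timestamp, request line, status.
_REQ = (r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] '
        r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Connector format: bytes, referer, user agent, then response_time="N secs".
CONNECTOR_RE = re.compile(_REQ + r'(?P<bytes>\d+|-) "(?P<referer>[^"]*)" '
                          r'"(?P<ua>[^"]*)" response_time="(?P<rt>[0-9.]+) secs"$')
# python http.server format: nothing after the status code but a dash.
UPSTREAM_RE = re.compile(_REQ + r'-$')


def parse_ts(text):
    """Return a naive UTC datetime. The connector prints an explicit +0000;
    the upstream log has no zone, so it is assumed to be UTC too."""
    try:
        aware = datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")
        return aware.astimezone(timezone.utc).replace(tzinfo=None)
    except ValueError:
        return datetime.strptime(text, "%d/%b/%Y %H:%M:%S")


def parse_log(text):
    """Split the interleaved output into request records and unparsed lines."""
    records, skipped = [], []
    for line in text.splitlines():
        for source, rx in (("connector", CONNECTOR_RE), ("upstream", UPSTREAM_RE)):
            m = rx.match(line)
            if m:
                rec = m.groupdict()
                rec["source"] = source
                rec["ts"] = parse_ts(rec["ts"])
                rec["status"] = int(rec["status"])
                rec["rt"] = float(rec["rt"]) if rec.get("rt") else None
                records.append(rec)
                break
        else:
            skipped.append(line)
    return records, skipped


def correlate(records, window_secs=1):
    """Join each connector request to the upstream request it produced, by
    method/path/status within a short time window. Only the connector side
    knows the real client address, so that is what the audit row carries."""
    upstream = [r for r in records if r["source"] == "upstream"]
    pairs = []
    for c in (r for r in records if r["source"] == "connector"):
        match = None
        for u in upstream:
            same = (u["method"], u["path"], u["status"]) == (c["method"], c["path"], c["status"])
            if same and abs((u["ts"] - c["ts"]).total_seconds()) <= window_secs:
                match = u
                break
        if match:
            upstream.remove(match)
        pairs.append({"client": c["ip"], "path": c["path"], "status": c["status"],
                      "response_time": c["rt"], "upstream_seen": match is not None})
    return pairs


def find_bypass(records):
    """Upstream requests not from loopback did not come through the connector
    (it runs on the same host here), so no socket policy was applied to them."""
    return [(r["ip"], r["path"]) for r in records
            if r["source"] == "upstream" and not ipaddress.ip_address(r["ip"]).is_loopback]


if __name__ == "__main__":
    recs, unparsed = parse_log(SAMPLE_LOG)
    for pair in correlate(recs):
        print(pair)
    print("bypass:", find_bypass(recs))
    print("unparsed:", unparsed)
```

The bypass check is the reason to keep the upstream bound to 127.0.0.1 as in the socket definition above: if the web server listened only on loopback, a non-loopback client address in its log could not occur at all.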
Additional socket types for databases and ssh
The other main types of sockets are SSH and database sockets.
An example of an AWS RDS database socket
The following yaml template under the “sockets:” section creates a static database socket for an RDS instance in AWS. The assumption is that the host running the connector has network connectivity to the DB host and port.
sockets:
  - rds-us-east-2:
      port: 3306
      host: my-rds-instance.cluster-giberish.us-east-2.rds.amazonaws.com
      type: database
      policies: [my-policy]
      upstream_type: mysql
      upstream_user: fancy_db_user
      upstream_password: AVeryLongAndSecurePasswordThingyTokenLikeStuff
Example of an SSH type socket
There are multiple ways to make your server available with Border0. The most secure way is using certificates, but this also requires a change in the SSH server configuration. You can also configure the upstream credentials statically by specifying the username and password or a private key. You can also use AWS Session Manager as an upstream. If you want to expose the connector host itself, you can also use the built-in SSH server.
Built-in ssh server
This example will expose the connector host itself by using the built-in SSH server:
sockets:
  - ssh-connector-lab:
      type: ssh
      sshserver: true
      policies: [my-policy]
Static credentials
Example configuration for static credentials:
sockets:
  - ssh-connector-lab:
      port: 22
      host: 127.0.0.1
      type: ssh
      upstream_user: user
      upstream_password: password
      policies: [my-policy]
Example configuration with a private key:
sockets:
  - ssh-connector-lab:
      port: 22
      host: 127.0.0.1
      type: ssh
      upstream_user: user
      upstream_identity_file: /Users/user/.ssh/id_rsa
      policies: [my-policy]
Certificates
For this socket we need configuration on the end system alongside the yaml socket definition.
sockets:
  - ssh-connector-lab:
      port: 22
      host: 127.0.0.1
      type: ssh
      policies: [my-policy]
OpenSSH daemon configuration extension
Step 1: extract your organisation's SSH Certificate Authority (CA) public key
The CA key can be found:
- in the dashboard under Org settings: https://portal.border0.com/organizations/current
- via the border0 CLI: border0 organization show
We will use the CLI method:
$ border0 organization show | grep ecdsa-sha2-nistp256 | awk '{print $5,$6}' | sudo tee /etc/ssh-ca.pub
This file can now be distributed to the other SSH hosts we want to enable ssh sockets for.
Step 2: Enable SSH authorized principals
Once we have obtained and distributed the CA public key, the OpenSSH daemon has to be told where to find it:
$ echo -e 'TrustedUserCAKeys /etc/ssh-ca.pub\nAuthorizedPrincipalsFile %h/.ssh/authorized_principals' | sudo tee /etc/ssh/sshd_config.d/border0_mgmt.conf
Step 3: allow user login using the socket certificate
With this action we allow our user (ubuntu in this case) to be authenticated with the certificate alongside any other methods:
$ echo 'mysocket_ssh_signed' | sudo tee ~/.ssh/authorized_principals
$ sudo systemctl restart ssh
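Before restarting sshd it is worth confirming that the three files written in steps 1 to 3 agree with each other: that /etc/ssh-ca.pub really holds one well-formed key of the expected type (the `awk '{print $5,$6}'` field selection is easy to get wrong if the output layout differs), that the fragment points TrustedUserCAKeys at that path and sets AuthorizedPrincipalsFile, and that the principals file contains the principal. The Python pre-flight below is an added example, not part of this page or of Border0's tooling. The sample key line and the two config snippets are constructed to mirror the page; the key blob is checked only for the OpenSSH public-key encoding (a length-prefixed type string at the start of the base64 data), not for cryptographic validity.

```python
import base64
import struct


def ssh_string(data):
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample CA line in the shape written by the tee pipeline on the
# page ("<type> <base64 blob>"). The curve point is dummy bytes: only the
# encoding is checked here, never the key itself.
SAMPLE_CA_PUB = "ecdsa-sha2-nistp256 " + base64.b64encode(
    ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
    + ssh_string(b"\x04" + b"\x01" * 64)).decode() + "\n"

# Constructed counter-example: declared type and embedded type disagree.
MISMATCHED_CA_PUB = "ecdsa-sha2-nistp256 " + base64.b64encode(
    ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")).decode() + "\n"

# The two files written in steps 2 and 3, as strings.
SAMPLE_FRAGMENT = ("TrustedUserCAKeys /etc/ssh-ca.pub\n"
                   "AuthorizedPrincipalsFile %h/.ssh/authorized_principals\n")
SAMPLE_PRINCIPALS = "mysocket_ssh_signed\n"


def check_ca_pubkey(text, expected_type="ecdsa-sha2-nistp256"):
    """The CA file must hold exactly one key whose declared type equals the
    type string embedded at the start of its blob."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
    if len(lines) != 1:
        return False, f"expected exactly one key line, found {len(lines)}"
    fields = lines[0].split()
    if len(fields) < 2 or fields[0] != expected_type:
        return False, f"first field must be {expected_type}"
    try:
        blob = base64.b64decode(fields[1], validate=True)
        (n,) = struct.unpack(">I", blob[:4])
        inner = blob[4:4 + n].decode("ascii")
    except Exception as exc:  # bad base64, truncated blob, non-ASCII type
        return False, f"blob is not a valid SSH public key: {exc}"
    if inner != fields[0]:
        return False, f"blob type {inner!r} does not match the declared type"
    return True, "ok"


def parse_sshd_fragment(text):
    """Parse 'Keyword value' lines of an sshd_config fragment into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf


def preflight(ca_text, fragment_text, principals_text,
              ca_path="/etc/ssh-ca.pub", principal="mysocket_ssh_signed"):
    """Collect everything that would make certificate login fail after the
    restart; an empty list means the three files agree with each other."""
    problems = []
    ok, msg = check_ca_pubkey(ca_text)
    if not ok:
        problems.append(f"{ca_path}: {msg}")
    conf = parse_sshd_fragment(fragment_text)
    if conf.get("TrustedUserCAKeys") != ca_path:
        problems.append(f"TrustedUserCAKeys must point at {ca_path}")
    if "AuthorizedPrincipalsFile" not in conf:
        problems.append("AuthorizedPrincipalsFile is not set, so no principal can match")
    principals = {l.strip() for l in principals_text.splitlines() if l.strip()}
    if principal not in principals:
        problems.append(f"authorized_principals lacks {principal}")
    return problems


if __name__ == "__main__":
    issues = preflight(SAMPLE_CA_PUB, SAMPLE_FRAGMENT, SAMPLE_PRINCIPALS)
    print(issues or "files agree; run: sudo sshd -t && sudo systemctl restart ssh")
```

Run it over the real files (read /etc/ssh-ca.pub, the fragment under /etc/ssh/sshd_config.d/ and ~/.ssh/authorized_principals, and pass their contents to `preflight`) and follow up with `sudo sshd -t`, which has sshd validate its complete configuration before the restart in step 3.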
Step 4: connect to the SSH socket with the border0 tool
Make sure you run the latest version of the border0 connector.
All versions of the tool can be found at: https://download.border0.com
$ border0 client ssh --username ubuntu --host NAME_OF_MY_SSH_SOCKET.border0.io
Step 5 (optional): update your client ssh config file and use ssh directly.
This assumes you have installed the border0 tool on your system.
By adding this to your ssh client config you can connect to ssh sockets directly via the OpenSSH client:
$ cat .ssh/config
Match host *.border0.io exec "border0 client ssh-keysign --host %h"
  IdentitiesOnly yes
  IdentityFile ~/.ssh/%h
  ProxyCommand border0 client tls --host %h
  ServerAliveInterval 120
  ServerAliveCountMax 2
  StrictHostKeyChecking no
Now we can ssh directly to the socket we created earlier:
$ ssh ubuntu@NAME_OF_MY_SSH_SOCKET.border0.io
Warning: Permanently added 'NAME_OF_MY_SSH_SOCKET.border0.io' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 22.04 LTS (GNU/Linux 5.10.0-0.bpo.9-amd64 x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Last login: Thu May 19 23:22:44 2022 from 127.0.0.1
$
AWS Session Manager
EC2 Instance:
sockets:
  - ssh-connector-lab:
      type: ssh
      upstream_type: aws-ssm
      aws_ec2_target: <instance id>
      policies: [my-policy]
ECS Cluster:
sockets:
  - ecs-cluster:
      type: ssh
      upstream_type: aws-ssm
      aws_ecs_cluster: <cluster name>
      policies: [my-policy]
Optionally, you can also filter tasks, services and containers in the cluster with the following optional parameters:
sockets:
  - ecs-cluster:
      type: ssh
      upstream_type: aws-ssm
      aws_ecs_cluster: <cluster name>
      aws_ecs_tasks:
        - api
      aws_ecs_services:
        - serviceB
      aws_ecs_containers:
        - backend
        - frontend
      policies: [my-policy]
Optionally, you can specify the AWS region and/or AWS profile used for the socket with the aws-region and aws-profile settings in the connector section. For example:
connector:
  name: "my-awesome-connector"
  aws-region: "eu-central-1"
  aws-profile: "prod"
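Because every socket type above is plain YAML in one file, a misspelled key, a placeholder left in, or a missing policy is only discovered when the connector starts. The following Python linter is an added example, not Border0's own schema or code: the allowed keys per socket type and the "one upstream mode per ssh socket" rule are inferred from the examples on this page and should be treated as assumptions. It expects the file already parsed into Python structures (for instance by `yaml.safe_load`) and reports structural errors, plus warnings for plaintext credentials and for sockets without policies.

```python
import re

PLACEHOLDER = re.compile(r"^<.*>$")
# Allowed keys per socket type, inferred from the examples on this page
# (assumption: the real connector schema may accept more than these).
ALLOWED = {
    "http": {"type", "policies", "port", "host"},
    "database": {"type", "policies", "port", "host", "upstream_type",
                 "upstream_user", "upstream_password"},
    "ssh": {"type", "policies", "port", "host", "sshserver", "upstream_type",
            "upstream_user", "upstream_password", "upstream_identity_file",
            "aws_ec2_target", "aws_ecs_cluster", "aws_ecs_tasks",
            "aws_ecs_services", "aws_ecs_containers"},
}
ECS_FILTERS = {"aws_ecs_tasks", "aws_ecs_services", "aws_ecs_containers"}


def lint_socket(spec):
    """Return [(severity, message)] for one socket body."""
    if not isinstance(spec, dict):
        return [("error", "socket body must be a mapping")]
    stype = spec.get("type")
    if stype not in ALLOWED:
        return [("error", f"unknown or missing type {stype!r}")]
    out = [("error", f"unknown key {key!r} for type {stype}")
           for key in sorted(set(spec) - ALLOWED[stype])]
    for key, value in spec.items():
        if isinstance(value, str) and PLACEHOLDER.match(value):
            out.append(("error", f"{key} still holds the placeholder {value}"))
    if not spec.get("policies"):
        out.append(("warning", "no policies attached to this socket"))
    if "upstream_password" in spec:
        out.append(("warning", "upstream_password is a plaintext credential in the config file"))

    ssm = spec.get("upstream_type") == "aws-ssm"
    if stype == "ssh" and ssm:
        targets = [k for k in ("aws_ec2_target", "aws_ecs_cluster") if k in spec]
        if len(targets) != 1:
            out.append(("error", "aws-ssm upstream needs exactly one of aws_ec2_target / aws_ecs_cluster"))
        if ECS_FILTERS & set(spec) and "aws_ecs_cluster" not in spec:
            out.append(("error", "task/service/container filters require aws_ecs_cluster"))
    elif stype == "ssh" and spec.get("sshserver"):
        pass  # built-in ssh server exposes the connector host itself: no upstream needed
    else:
        port = spec.get("port")
        if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
            out.append(("error", "port must be an integer between 1 and 65535"))
        if not spec.get("host"):
            out.append(("error", "host is required"))
        if stype == "ssh" and {"upstream_password", "upstream_identity_file"} <= set(spec):
            out.append(("error", "choose one of upstream_password / upstream_identity_file"))
    if stype == "database" and "upstream_type" not in spec:
        out.append(("error", "database sockets need upstream_type (e.g. mysql)"))
    return out


def lint_config(config):
    """Lint a parsed border0.yaml; returns [(severity, socket_name, message)]."""
    findings = []
    creds = (config.get("connector") or {}).get("credentials") or {}
    if creds.get("password"):
        findings.append(("warning", "connector", "connector logs in with a static password kept in the file"))
    sockets = config.get("sockets")
    if not isinstance(sockets, list):
        return findings + [("error", "-", "'sockets' must be a list of single-key mappings")]
    seen = set()
    for item in sockets:
        if not isinstance(item, dict) or len(item) != 1:
            findings.append(("error", "-", f"each entry must be a single-key mapping, got {item!r}"))
            continue
        (name, spec), = item.items()
        if name in seen:
            findings.append(("error", name, "duplicate socket name"))
        seen.add(name)
        findings.extend((sev, name, msg) for sev, msg in lint_socket(spec))
    return findings


if __name__ == "__main__":
    # Constructed input reproducing the ECS example with its key misspelled.
    sample = {"sockets": [{"ecs-cluster": {"type": "ssh", "upstream_type": "aws-ssm",
                                           "awsecs_cluster": "<cluster name>",
                                           "aws_ecs_tasks": ["api"], "policies": ["my-policy"]}}]}
    for finding in lint_config(sample):
        print(*finding, sep=": ")
```

The list-of-single-key-mappings check matters because the `- name:` form used throughout this page is easy to mis-indent into one mapping with several keys, which the connector would read as a single socket.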