Static Sockets plugin

Adding static sockets

From the same CLI we just used, open the border0.yaml file in your favourite text editor and create a new “sockets” section, e.g.:

sockets:
   - webserver-connector-lab:
      port: 8000
      type: http
      host: 127.0.0.1
      policies: [my-policy]

The yaml configuration file should look something like this:

ubuntu@connector01:~$ cat border0.yaml 
connector:
   name: "my-awesome-connector"

credentials:
   user: [email protected]
   password: AVeryLongAndSecurePassword
   # token: AVeryLongAndSecurePasswordThingyTokenLikeStuffGeneratedInThePortal

sockets:
   - webserver-connector-lab:
      port: 8000
      type: http
      host: 127.0.0.1
      policies: [my-policy]

Running connector and sockets

We are now ready to run our connector for the first time. To demonstrate the full end-to-end connectivity and workflow, we will start a simple web server on the same host so that our http socket has something to point at.
Run a simple Python-based web server in the background so that we have something to test against:

ubuntu@connector01:~$ python3 -m http.server & 
[1] 2416
ubuntu@connector01:~$ Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Now, with the simple HTTP server listening in the background, we can run our connector:

$ border0 connector start --config border0.yaml
2022/08/03 17:55:24 starting the connector service
Welcome to Border0.com
NAME-OF-MY-SOCKET - https://NAME-OF-MY-SOCKET.border0.io

=======================================================
Logs
=======================================================

GREAT!

The connector detected our yaml config, created the defined socket and started a connector for us in the background.

We can now navigate to our new socket in the web browser: https://NAME-OF-MY-SOCKET.border0.io

Additionally, we can see the new socket in the portal: https://portal.border0.com/mysockets

Meanwhile, the console should output some logs:

127.0.0.1 - - [19/May/2022 22:00:46] "GET / HTTP/1.1" 200 -
70.36.54.184 - - [19/May/2022:22:00:46 +0000] "GET / HTTP/1.1" 200 408 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36" response_time="0.032 secs"
127.0.0.1 - - [19/May/2022 22:00:46] code 404, message File not found
127.0.0.1 - - [19/May/2022 22:00:46] "GET /favicon.ico HTTP/1.1" 404 -
70.36.54.184 - - [19/May/2022:22:00:46 +0000] "GET /favicon.ico HTTP/1.1" 404 323 "https://NAME-OF-MY-SOCKET.border0.io/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36" response_time="0.040 secs"

Additional socket types for databases and ssh

The other main types of sockets are SSH and database sockets.

An example of an AWS RDS database socket

The following YAML template under the “sockets:” section creates a static database socket for an RDS instance in AWS. The assumption is that the connector host has network connectivity to the DB host and port.

sockets:
   - rds-us-east-2:
       port: 3306
       host: my-rds-instance.cluster-giberish.us-east-2.rds.amazonaws.com
       type: database
       policies: [my-policy]
       upstream_type: mysql
       upstream_user: fancy_db_user
       upstream_password: AVeryLongAndSecurePasswordThingyTokenLikeStuff

Example of SSH type socket

There are multiple ways to make your server available with Border0. The most secure way is using certificates, but this also requires a change in the SSH server configuration. You can also configure the upstream credentials statically by specifying a username and password or a private key. You can also use AWS Session Manager as an upstream. If you want to expose the connector host itself, you can use the built-in SSH server.

Built-in ssh server

This example will expose the connector itself by using the built-in SSH server:

sockets:
   - ssh-connector-lab:
       type: ssh
       sshserver: true
       policies: [my-policy]

Static credentials

Example configuration for static credentials:

sockets:
   - ssh-connector-lab:
       port: 22
       host: 127.0.0.1
       type: ssh
       upstream_user: user
       upstream_password: password
       policies: [my-policy]

Example configuration with a private key:

sockets:
   - ssh-connector-lab:
       port: 22
       host: 127.0.0.1
       type: ssh
       upstream_user: user
       upstream_identity_file: /Users/user/.ssh/id_rsa
       policies: [my-policy]

Certificates

For this socket we will need end-system configuration alongside the YAML socket definition.

sockets:
   - ssh-connector-lab:
       port: 22
       host: 127.0.0.1
       type: ssh
       policies: [my-policy]

OpenSSH daemon configuration extension

Step 1: extract your organisation's SSH Authority Certificate

The certificate can be extracted with:

ubuntu@connector01:~$ border0 organization show | grep ecdsa-sha2-nistp256 | awk '{print $5,$6}' | sudo tee /etc/ssh-ca.pub

This file can now be distributed to the other SSH hosts we want to enable SSH sockets for.

Step 2: Enable ssh authorised principals

Once we have obtained and distributed the SSH certificate, the OpenSSH daemon has to be told where to find it.

ubuntu@connector01:~$ echo -e 'TrustedUserCAKeys /etc/ssh-ca.pub\nAuthorizedPrincipalsFile %h/.ssh/authorized_principals' | sudo tee /etc/ssh/sshd_config.d/border0_mgmt.conf

Step 3: allow user login using socket certificate

With this action we allow our user (ubuntu in this case) to be authenticated with the certificate alongside any other methods.

ubuntu@connector01:~$ echo 'mysocket_ssh_signed' | sudo tee ~/.ssh/authorized_principals
ubuntu@connector01:~$ sudo systemctl restart ssh
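Steps 1 and 2 as a checkable routine, written in Python as an added example (not Border0's own code): it reproduces the grep/awk extraction from step 1 on a constructed stand-in for the `border0 organization show` table, then verifies that the blob about to be written to /etc/ssh-ca.pub really decodes as a public key of the labelled type before it is trusted as a user CA. The table layout and the key bytes are assumptions.

```python
import base64
import struct

def _ssh_string(b: bytes) -> bytes:
    # Length-prefixed string: the building block of the SSH public key wire format.
    return struct.pack(">I", len(b)) + b

def _fake_ecdsa_blob() -> str:
    # Constructed placeholder: format-correct ecdsa-sha2-nistp256 blob, not a real curve point.
    point = b"\x04" + b"\x00" * 64
    blob = _ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256") + _ssh_string(point)
    return base64.b64encode(blob).decode()

# Constructed stand-in for `border0 organization show` output (the real table has more rows
# and columns). Like the page's awk '{print $5,$6}', the key type and base64 blob must be
# the 5th and 6th whitespace-separated fields of the matching line.
SAMPLE_ORG_SHOW = (
    "| Name | my-org |\n"
    f"| Certificate Authority | ecdsa-sha2-nistp256 {_fake_ecdsa_blob()} |\n"
)

def extract_ca_key(org_show: str, key_type: str = "ecdsa-sha2-nistp256") -> str:
    """Step 1's grep | awk pipeline, refusing a line that does not have enough fields."""
    for line in org_show.splitlines():
        if key_type in line:
            fields = line.split()
            if len(fields) < 6:
                raise ValueError("unexpected line layout; not writing a CA file")
            return f"{fields[4]} {fields[5]}"
    raise ValueError(f"no {key_type} key in organization output")

def check_ssh_pubkey(line: str) -> str:
    """Sanity-check what lands in /etc/ssh-ca.pub: the blob must decode and the key type
    (and curve, for ecdsa) embedded in it must match the label in front of it."""
    declared, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    off = 0
    def read_string() -> bytes:
        nonlocal off
        (n,) = struct.unpack_from(">I", blob, off)
        off += 4 + n
        return blob[off - n:off]
    embedded = read_string().decode()
    if embedded != declared:
        raise ValueError(f"key type mismatch: label {declared!r}, blob {embedded!r}")
    if declared.startswith("ecdsa-sha2-") and read_string().decode() != declared[len("ecdsa-sha2-"):]:
        raise ValueError("curve name inside blob does not match key type")
    return declared
```

The string returned by extract_ca_key is what the page's `sudo tee /etc/ssh-ca.pub` would write; run check_ssh_pubkey on it first.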

Step 4: connect to SSH socket with border0 tool

Make sure you run the latest version of the border0 connector.
All versions of the tool can be found at: https://download.border0.com

greg@xps15:~$ border0 client ssh --username ubuntu --host NAME_OF_MY_SSH_SOCKET.border0.io

Step 5 (optional): update your client SSH config file and use ssh directly.

This assumes you have installed the border0 tool on your system.
By adding this to your SSH client config you can connect to SSH sockets directly via the OpenSSH client:

awesome-employee@my-work-laptop:~$ cat .ssh/config 
Match host *.border0.io exec "border0 client ssh-keysign --host %h"
  IdentitiesOnly yes
  IdentityFile ~/.ssh/%h
  ProxyCommand border0 client tls --host %h
  ServerAliveInterval 120
  ServerAliveCountMax 2
  StrictHostKeyChecking no

Now we can ssh directly to the socket we created earlier:

awesome-employee@my-work-laptop:~$ ssh ubuntu@NAME_OF_MY_SSH_SOCKET.border0.io
Warning: Permanently added 'NAME_OF_MY_SSH_SOCKET.border0.io' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 22.04 LTS (GNU/Linux 5.10.0-0.bpo.9-amd64 x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Last login: Thu May 19 23:22:44 2022 from 127.0.0.1
ubuntu@connector01:~$ 

AWS EC2 Connect

sockets:
   - ssh-ec2connect:
       type: ssh
       port: 22
       host: 1.2.3.4
       aws_ec2_connect: true
       aws_ec2_target: <instance id>
       aws_availability_zone: eu-central-1b
       policies: [my-policy]

AWS Session Manager

EC2 Instance:

sockets:
   - ssh-connector-lab:
       type: ssh
       upstream_type: aws-ssm
       aws_ec2_target: <instance id>
       policies: [my-policy]

ECS Cluster:

sockets:
   - ecs-cluster:
       type: ssh
       upstream_type: aws-ssm
       aws_ecs_cluster: <cluster name>
       policies: [my-policy]

Optionally, you can also filter tasks, services and containers in the cluster with the following optional parameters:

sockets:
   - ecs-cluster:
       type: ssh
       upstream_type: aws-ssm
       aws_ecs_cluster: <cluster name>
       aws_ecs_tasks:
       - api
       aws_ecs_services:
       - serviceB
       aws_ecs_containers:
       - backend
       - frontend
       policies: [my-policy]

Optionally, you can specify the AWS region and/or profile used for the socket with the aws-region and/or aws-profile settings in the connector section. For example:

connector:
   name: "my-awesome-connector"
   aws-region: "eu-central-1"
   aws-profile: "prod"
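The socket definitions above (http, database, the ssh variants and the aws-ssm upstreams) share one YAML shape, so a quick schema lint catches the common mistakes before the connector is started. This is an added Python example, not Border0's code: it runs on the parsed config (the dicts yaml.safe_load returns), and the required keys per type are taken from the examples on this page; the sample configs are constructed.

```python
# Schema lint for the sockets section of the border0.yaml format on this page, run on the
# config after parsing (the dicts yaml.safe_load returns). Sample configs are constructed.
REQUIRED = {"http": {"host", "port"}, "ssh": set(),
            "database": {"host", "port", "upstream_type", "upstream_user"}}

def lint_sockets(config: dict) -> list:
    findings = []
    for entry in config.get("sockets", []):
        if not isinstance(entry, dict) or len(entry) != 1:
            findings.append("socket entry is not a single-key mapping")
            continue
        ((name, spec),) = entry.items()
        stype = spec.get("type")
        if stype not in REQUIRED:
            findings.append(f"{name}: unknown type {stype!r}")
            continue
        needed = set(REQUIRED[stype])
        ssm = spec.get("upstream_type") == "aws-ssm"
        if stype == "ssh":
            # The built-in server and SSM upstreams carry no host/port; all other ssh variants do.
            if not spec.get("sshserver") and not ssm:
                needed |= {"host", "port"}
            if ssm and not (spec.get("aws_ec2_target") or spec.get("aws_ecs_cluster")):
                findings.append(f"{name}: aws-ssm needs aws_ec2_target or aws_ecs_cluster")
        missing = sorted(needed - set(spec))
        if missing:
            findings.append(f"{name}: missing {missing}")
        port = spec.get("port")
        if port is not None and not (isinstance(port, int) and 0 < port < 65536):
            findings.append(f"{name}: invalid port {port!r}")
        if not spec.get("policies"):
            findings.append(f"{name}: no policies attached")
        if "upstream_password" in spec:
            hint = " (the Certificates setup avoids it)" if stype == "ssh" else ""
            findings.append(f"{name}: static upstream_password in config{hint}")
    return findings

# Constructed: the page's static-credential ssh socket with a quoted port and no policy.
WEAK = {"sockets": [{"ssh-connector-lab": {"port": "22", "host": "127.0.0.1", "type": "ssh",
                                           "upstream_user": "user", "upstream_password": "password"}}]}
# Constructed: the certificate-based ssh socket and the built-in server variant from the page.
GOOD = {"sockets": [
    {"ssh-connector-lab": {"port": 22, "host": "127.0.0.1", "type": "ssh", "policies": ["my-policy"]}},
    {"ssh-builtin": {"type": "ssh", "sshserver": True, "policies": ["my-policy"]}},
]}
```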