Static Sockets plugin

Adding static sockets

From the same CLI we just used, using your favourite text editor, open border0.yaml file and create new “sockets” section eg:

   - webserver-connector-lab:
      port: 8000
      type: http
      policies: [my-policy]

The yaml configuration file should look something like this:

[email protected]:~$ cat border0.yaml 
   name: "my-awesome-connector"

   user: [email protected]
   password: AVeryLongAndSecurePassword
   # token: AVeryLongAndSecurePasswordThingyTokenLikeStuffGeneratedInThePortal

   - webserver-connector-lab:
      port: 8000
      type: http
      policies: [my-policy]

Running connector and sockets

We are now ready to run our connector for the first time, to help demonstrate the full end-to-end connectivity and workflow we are going to start a simple web server on the same host so our http socket can point at something.
Run simple python based web server in the background so that we have something to test against:

[email protected]:~$ python3 -m http.server & 
[1] 2416
[email protected]:~$ Serving HTTP on port 8000 ( ...

Now with simple http server listening in the background we can run our connector

$ border0 connector start --config border0.yaml
2022/08/03 17:55:24 starting the connector service
Welcome to



The connector detected our yaml config, created the defined socket and started a connector for us in the background.

We can now navigate to our new socket in the web browser:

Additionally, we can the new socket in the portal

While the console should output some logs - - [19/May/2022 22:00:46] "GET / HTTP/1.1" 200 - - - [19/May/2022:22:00:46 +0000] "GET / HTTP/1.1" 200 408 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36" response_time="0.032 secs" - - [19/May/2022 22:00:46] code 404, message File not found - - [19/May/2022 22:00:46] "GET /favicon.ico HTTP/1.1" 404 - - - [19/May/2022:22:00:46 +0000] "GET /favicon.ico HTTP/1.1" 404 323 "" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36" response_time="0.040 secs"

Additional socket types for databases and ssh

The other main types of sockets are SSH and Database sockets

An example of AWS RDS database socket

The following yaml template under the “sockets:” section creates static database socket for RDS instance in AWS. The assumption is that the connector code has network connectivity to the DB host and port

   - rds-us-east-2:
       port: 3306
       type: database
       policies: [my-policy]
       upstream_type: mysql
       upstream_user: fancy_db_user
       upstream_password: AVeryLongAndSecurePasswordThingyTokenLikeStuff

Example of SSH type socket

For this socket we will need end system configuration alongside yaml socket definition.

   - ssh-connector-lab:
       port: 22
       type: ssh
       policies: [my-policy]

Open-ssh daemon configuration extension

Step 1: extract your organisation SSH Authority Certificate

The Certificate can be found:

[email protected]:~$ border0 organization show | grep ecdsa-sha2-nistp256 | awk '{print $5,$6}' | sudo tee /etc/

This file can now be distributed to other SSH hosts we want to enable ssh sockets for.

Step 2: Enable ssh authorised principals

Once we obtain and distribute the SSH Certificate open-ssh daemon has to be told where to find it.

[email protected]:~$ echo -e 'TrustedUserCAKeys /etc/\nAuthorizedPrincipalsFile %h/.ssh/authorized_principals' | sudo tee /etc/ssh/sshd_config.d/border0_mgmt.conf

Step 3: allow user login using socket certificate

With this action we are allowing our user(ubuntu in this case) to be authenticated with the certificate alongside any other methods

[email protected]:~$ echo 'mysocket_ssh_signed' | sudo tee ~/.ssh/authorized_principals
[email protected]:~$ sudo systemctl restart ssh

Step 4: connect to SSH socket with border0 tool

Make sure you run the latest version of border0 connector.
All version of the tool can be found at:

[email protected]:~$ border0 client ssh --username ubuntu --host

Step 5(optional): update to your client ssh config file and use ssh directly.

This assumes you have installed the border0 tool on your system.
By adding this to your ssh client you can connect to ssh sockets directly via open-ssh client

[email protected]:~$ cat .ssh/config 
Match host * exec "border0 client ssh-keysign --host %h"
  IdentitiesOnly yes
  IdentityFile ~/.ssh/%h
  ProxyCommand border0 client tls --host %h
  ServerAliveInterval 120
  ServerAliveCountMax 2
  StrictHostKeyChecking no

Now, we can ssh directly to the socket we created earlier

[email protected]:~$ ssh [email protected]
Warning: Permanently added '' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 22.04 LTS (GNU/Linux 5.10.0-0.bpo.9-amd64 x86_64)
 * Documentation:
 * Management:
 * Support:
Last login: Thu May 19 23:22:44 2022 from
[email protected]:~$