GSA-TTS / cg-egress-proxy

Provides controlled egress for apps in a restricted-egress cloud.gov space

`aws s3 ls s3://...` doesn't work in a proxied app #5

Open mogul opened 2 years ago

mogul commented 2 years ago

There's code to auto-include appropriate S3 endpoints in the egress proxy config, so proxied apps can still reach their bound S3 buckets. HOWEVER, this code is not enough for `aws s3 ls s3://...` to function properly inside a proxied app.

We need to work with cloud.gov and AWS support to figure out what additional hosts beyond the S3 endpoint hostnames must be included in order for `aws s3 ls s3://...` to work.
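As an added illustration for the question above (not code from cg-egress-proxy or cloud.gov), the script below derives the S3 hostnames a proxied app might contact from its service binding. It assumes the cloud.gov S3 binding exposes `bucket`, `endpoint` and `fips_endpoint` under `credentials` in `VCAP_SERVICES`; the embedded binding is a constructed sample that reuses the endpoint and bucket name visible later in this thread. Besides the endpoint hostnames the proxy config already includes, it also emits the virtual-hosted `<bucket>.<endpoint>` form of each bucket, on the assumption that an S3 client may address DNS-compatible bucket names that way; the thread does not establish that these are the missing hosts.

```python
"""Derive the S3 hostnames a restricted-egress app must be allowed to reach.

Added illustration for this issue thread; not code from cg-egress-proxy.
Assumes cloud.gov's S3 binding exposes `bucket`, `endpoint` and
`fips_endpoint` in VCAP_SERVICES (constructed sample below).
"""
import json
import os
from urllib.parse import urlsplit

# Constructed sample binding; hostnames mirror the ones quoted in the thread.
SAMPLE_VCAP_SERVICES = json.dumps({
    "s3": [
        {
            "name": "inventory-bucket",
            "credentials": {
                "bucket": "cg-efc8a388-5300-46f2-97a7-62792fb14b53",
                "endpoint": "s3-us-gov-west-1.amazonaws.com",
                "fips_endpoint": "s3-fips.us-gov-west-1.amazonaws.com",
                "region": "us-gov-west-1",
            },
        }
    ]
})


def s3_allowlist(vcap_services: str) -> set[str]:
    """Return every hostname an S3 client might contact for the bound buckets.

    The bare endpoint hostnames are what the proxy config already includes.
    The virtual-hosted `<bucket>.<endpoint>` forms are added because an S3
    client may address DNS-compatible bucket names that way; treating them as
    the missing hosts is an assumption, not a finding from the thread.
    """
    services = json.loads(vcap_services)
    hosts: set[str] = set()
    for binding in services.get("s3", []):
        creds = binding["credentials"]
        endpoints = [creds[k] for k in ("endpoint", "fips_endpoint") if creds.get(k)]
        for endpoint in endpoints:
            hosts.add(endpoint)
            hosts.add(f"{creds['bucket']}.{endpoint}")
    return hosts


def is_allowed(url: str, allowlist: set[str]) -> bool:
    """Check a request URL's host against the allowlist, ignoring path and port."""
    return urlsplit(url).hostname in allowlist


if __name__ == "__main__":
    # Inside a cloud.gov container VCAP_SERVICES is set; fall back to the sample.
    raw = os.environ.get("VCAP_SERVICES", SAMPLE_VCAP_SERVICES)
    for host in sorted(s3_allowlist(raw)):
        print(host)
```

Running it inside the app container prints the candidate host list; comparing that list against what the proxy actually allows, and against the hostname in the failing request's URL, is the quickest way to tell whether the problem is a missing host or something else (such as TLS trust).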

robert-bryson commented 2 years ago
```
2022-04-18T12:15:26.80-0700 [APP/PROC/WEB/0] ERR raise SSLError(endpoint_url=request.url, error=e)
2022-04-18T12:15:26.80-0700 [APP/PROC/WEB/0] ERR botocore.exceptions.SSLError: SSL validation failed for https://s3-us-gov-west-1.amazonaws.com/cg-efc8a388-5300-46f2-97a7-62792fb14b53 [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)
```

I'm running into this issue when trying to get the egress proxy to work for inventory. When the `public_network_egress` policy is unbound from the space (meaning public egress is not allowed), inventory crashes. When public egress is allowed, the inventory app comes up normally. I have narrowed the issue to the error above.

mogul commented 2 years ago

I think this might have to do with Nick's finding that we're not including all provided certificates when configuring Caddy.

mogul commented 2 years ago

Oh wait, that makes no sense whatsoever... Those certs are used for the client-side connection, not the server-side connection. Oops.

OTOH, I think this might have to do with the AWS client itself only recently having grown the ability to configure the proxy-ca-bundle. If that change has made it into a release then we might try configuring it correctly (to refer to the CA bundle that AWS provides) and see what's what.

mogul commented 2 years ago

It looks like the PR is still pending, so to test this theory we'd need to either figure out how to configure it with a file or do something clever(*) to add the AWS CA cert bundle to the system-level one that the container is populated with.

mogul commented 1 year ago

OK, this is all moot now... Someone else found the solution, and we can point people to the article about this on the cloud.gov site. I'm leaving this issue open until we add that documentation!