aws-samples / aws-iot-securetunneling-localproxy

AWS IoT Secure Tunneling local proxy reference C++ implementation
https://docs.aws.amazon.com/iot/latest/developerguide/what-is-secure-tunneling.html
Apache License 2.0

Proxy server rejected web socket upgrade request #79

Closed leonjalfon1 closed 2 years ago

leonjalfon1 commented 2 years ago

I tried to run the local proxy on my mac (macOS Monterey v12.3.1) and I got the following error:

./localproxy -r us-west-2 -s 5555 -t 8ff64f4b-destinationAccessToken.txt -v6
[2022-04-21T21:10:22.492822]{64778}[warning] Found access token supplied via CLI arg. Consider using environment variable AWSIOT_TUNNEL_ACCESS_TOKEN instead
[2022-04-21T21:10:22.493370]{64778}[debug]   v2 local proxy starts with v1 local proxy format
[2022-04-21T21:10:22.493479]{64778}[debug]   /Users/leonj/Desktop/work/iot/aws-iot-securetunneling-localproxy/build/bin/config does not exist!
[2022-04-21T21:10:22.493524]{64778}[info]    Starting proxy in source mode
[2022-04-21T21:10:22.493545]{64778}[trace]   Setting up web socket...
[2022-04-21T21:10:22.610297]{64778}[trace]   Calling control_callback with type: websocket_stream_single_ssl_type
[2022-04-21T21:10:22.610359]{64778}[info]    Attempting to establish web socket connection with endpoint wss://data.tunneling.iot.us-west-2.amazonaws.com:443
[2022-04-21T21:10:22.610369]{64778}[trace]   Resolving proxy server host: data.tunneling.iot.us-west-2.amazonaws.com
[2022-04-21T21:10:22.645232]{64778}[debug]   Resolved proxy server IP: 52.25.195.210
[2022-04-21T21:10:22.645286]{64778}[trace]   Calling lowest_layer with type: websocket_stream_single_ssl_type
[2022-04-21T21:10:22.893168]{64778}[debug]   Connected successfully with proxy server
[2022-04-21T21:10:22.893246]{64778}[trace]   Calling lowest_layer with type: websocket_stream_single_ssl_type
[2022-04-21T21:10:22.893300]{64778}[trace]   Calling lowest_layer with type: websocket_stream_single_ssl_type
[2022-04-21T21:10:22.893335]{64778}[trace]   Performing SSL handshake with proxy server
[2022-04-21T21:10:22.893358]{64778}[trace]   Calling set_verify_mode with type: single_ssl_stream
[2022-04-21T21:10:22.893388]{64778}[trace]   Calling set_verify_callback with type: single_ssl_stream
[2022-04-21T21:10:22.893403]{64778}[trace]   Calling next_layer().async_handshake with type: websocket_stream_single_ssl_type
[2022-04-21T21:10:23.399371]{64778}[debug]   Successfully completed SSL handshake with proxy server
[2022-04-21T21:10:23.399462]{64778}[trace]   Performing websocket handshake with proxy server
[2022-04-21T21:10:23.399506]{64778}[trace]   Calling async_handshake with type: websocket_stream_single_ssl_type
[2022-04-21T21:10:23.399811]{64778}[trace]   Web socket ugprade request(*not entirely final):
GET /tunnel?local-proxy-mode=source HTTP/1.1
Host: data.tunneling.iot.us-west-2.amazonaws.com
Upgrade: websocket
Connection: upgrade
Sec-WebSocket-Key: ibcuar0dux0Y0AK5r7GV5w==
Sec-WebSocket-Version: 13
Sec-WebSocket-Protocol: aws.iot.securetunneling-2.0
access-token: ***ACCESS_TOKEN_REMOVED***
User-Agent: localproxy Mac OS 64-bit/boost-1.76.0/openssl-1.1.1/protobuf-3.17.3

[2022-04-21T21:10:23.648593]{64778}[trace]   Web socket upgrade response:
HTTP/1.1 403 Forbidden
Date: Thu, 21 Apr 2022 18:10:23 GMT
Content-Type: text/plain
Content-Length: 20
Connection: keep-alive
channel-id: 06dfe6fffe4c2ae5-0000185c-0004d520-d9a9cd05dbdf0d4e-017213a3
X-Status-Reason: Invalid access-token

Invalid access-token
[2022-04-21T21:10:23.648645]{64778}[error]   Proxy server rejected web socket upgrade request: (HTTP/1.1 403 Forbidden) "Invalid access-token"
[2022-04-21T21:10:23.648666]{64778}[trace]   Calling is_open with type: websocket_stream_single_ssl_type
[2022-04-21T21:10:23.648674]{64778}[trace]   Calling lowest_layer with type: websocket_stream_single_ssl_type
[2022-04-21T21:10:23.648681]{64778}[trace]   Calling lowest_layer with type: websocket_stream_single_ssl_type

I also ran the localproxytest and get the following errors:

-------------------------------------------------------------------------------
Test source mode
-------------------------------------------------------------------------------
/Users/leonj/Desktop/work/iot/aws-iot-securetunneling-localproxy/test/AdapterTests.cpp:183
...............................................................................

/Users/leonj/Desktop/work/iot/aws-iot-securetunneling-localproxy/test/AdapterTests.cpp:218: FAILED:
  CHECK( ws_server.get_handshake_request().method() == boost::beast::http::verb::get )
with expansion:
  <unknown> == GET

/Users/leonj/Desktop/work/iot/aws-iot-securetunneling-localproxy/test/AdapterTests.cpp:219: FAILED:
  CHECK( ws_server.get_handshake_request().target() == "/tunnel?local-proxy-mode=source" )
with expansion:
   == "/tunnel?local-proxy-mode=source"

/Users/leonj/Desktop/work/iot/aws-iot-securetunneling-localproxy/test/AdapterTests.cpp:220: FAILED:
  CHECK( ws_server.get_handshake_request().base()["sec-websocket-protocol"] == "aws.iot.securetunneling-2.0" )
with expansion:
   == "aws.iot.securetunneling-2.0"

/Users/leonj/Desktop/work/iot/aws-iot-securetunneling-localproxy/test/AdapterTests.cpp:221: FAILED:
  CHECK( ws_server.get_handshake_request().base()["access-token"] == adapter_cfg.access_token )
with expansion:
   == "foobar_token"

Assertion failed: (ptr_), function get, file /usr/local/include/boost/optional/detail/optional_reference_spec.hpp, line 149.
/Users/leonj/Desktop/work/iot/aws-iot-securetunneling-localproxy/test/AdapterTests.cpp:221: FAILED:
  {Unknown expression after the reported line}
due to a fatal error condition:
  SIGABRT - Abort (abnormal termination) signal

===============================================================================
test cases:  2 |  1 passed | 1 failed
assertions: 43 | 38 passed | 5 failed

Any idea?

Thanks in advance!!

HarshGandhi-AWS commented 2 years ago

Hello @leonjalfon1 ,

Thank you for reaching out to us. It looks like your command for starting the local proxy binary is incorrect; it has an extra .txt after the destination access token, so I am assuming you are passing the access token file path. If you are using the -t command line option, please pass in the value of the access token.

We do not recommend using the -t CLI option, as the client access token will appear in shell history or in process listings that show full commands and arguments, and may unintentionally expose access to the tunnel. Use the environment variable or set the option via the config input file instead.

You can use the AWSIOT_TUNNEL_ACCESS_TOKEN environment variable for storing the value of the access token, which the local proxy binary can use while setting up a connection to the tunnel.

More details can be found over here and here.

Can you please update your command as shown below and try again to start the local proxy?

export AWSIOT_TUNNEL_ACCESS_TOKEN=$(cat 8ff64f4b-destinationAccessToken.txt)

./localproxy -r us-west-2 -s 5555 -v6

Regards, Harsh Gandhi
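As an added example that is not part of this thread or of the localproxy project, the POSIX shell wrapper below puts the advice above into a small script: it loads the token from a file into AWSIOT_TUNNEL_ACCESS_TOKEN (so the token never appears in argv, shell history or process listings), refuses a token file that other users on the host can read, and sanity-checks the -r region before launching the binary. The file names, the token value and the region pattern are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example (not project code): start localproxy with the access token supplied
# through the environment instead of the -t flag.

# Reads the token from $1 into AWSIOT_TUNNEL_ACCESS_TOKEN.
# Returns 0 on success, non-zero if the file is missing, too permissive or empty.
load_tunnel_token() {
    token_file="$1"
    if [ ! -f "$token_file" ]; then
        echo "token file not found: $token_file" >&2
        return 1
    fi
    # A tunnel access token grants access to the tunnel; refuse files that
    # group/other can read. GNU stat (-c) first, BSD/macOS stat (-f) as fallback.
    perms=$(stat -c '%a' "$token_file" 2>/dev/null || stat -f '%Lp' "$token_file")
    case "$perms" in
        600|400) ;;
        *) echo "token file $token_file is mode $perms; expected 600 or 400" >&2; return 2 ;;
    esac
    # Take the first line only and strip CR and surrounding whitespace, so a
    # trailing newline or a Windows line ending cannot corrupt the token.
    token=$(tr -d '\r' < "$token_file" | head -n 1 | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    if [ -z "$token" ]; then
        echo "token file $token_file is empty" >&2
        return 3
    fi
    AWSIOT_TUNNEL_ACCESS_TOKEN="$token"
    export AWSIOT_TUNNEL_ACCESS_TOKEN
    return 0
}

# Accepts plausible AWS region names such as us-west-2 or us-gov-west-1
# (approximate pattern, an assumption of this example). The region passed with
# -r must be the one the tunnel was opened in; the second reporter in this
# thread hit the same 403 "Invalid access-token" because of a region mismatch.
valid_region() {
    printf '%s' "$1" | grep -Eq '^[a-z]{2}(-gov)?-[a-z]+-[0-9]$'
}

# Usage: start_localproxy REGION TOKEN_FILE SOURCE_PORT
start_localproxy() {
    valid_region "$1" || { echo "unexpected region name: $1" >&2; return 1; }
    load_tunnel_token "$2" || return 1
    # The token reaches localproxy only through the environment, not argv.
    ./localproxy -r "$1" -s "$3" -v6
}

# Example invocation (constructed paths, not run when the file is sourced):
#   start_localproxy us-west-2 ./8ff64f4b-destinationAccessToken.txt 5555
```

Keep the token file at mode 600 and source the script rather than pasting the token on the command line; `export VAR=$(cat file)` typed interactively is fine too, but a wrapper makes the permission check and the region check repeatable.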

akhileshmoghe commented 2 years ago

Hello @leonjalfon1 & @HarshGandhi-AWS,

Is there any update on this issue? I am also facing the same issue on Apple Mac M1 Pro. I am using the docker build and run scripts to run the 'localproxy' from inside the container. I am getting the exact same error log.

Thanks in Advance!!

HarshGandhi-AWS commented 2 years ago

Hey @akhileshmoghe ,

Did you try the solution I have provided in the previous comment?

If you have tried and are still facing the same issue, then can you share the steps to reproduce this issue and the log output you are getting?

akhileshmoghe commented 2 years ago

Hi @HarshGandhi-AWS,

Thanks for the reply. The issue got solved by using the appropriate region in the above command.

HarshGandhi-AWS commented 2 years ago

I am glad I could help. Please feel free to open a new issue if you start seeing any errors using localproxy or the Device-Client, which can be used on your destination IoT device.

Regards, Harsh Gandhi