gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

tsh allows users to specify proxy port #491

Closed guanana closed 8 years ago

guanana commented 8 years ago

Hi,

We are trying your solution and it seems great, but I found one problem. I saw someone else told you about it in Jan, but you closed the ticket. I created two independent environments because I don't want all the users in one cluster to be able to see the sessions of the other users. Basically I created two clusters for that reason and added a trust relation between them. The problem is: to avoid duplicating my infra, I run all the services on the same machines but change all the ports for the different instances.

The instances by themselves work fine and they trust each other, but I cannot log in with my user because I cannot specify the port of the proxy I want to connect to, and by default it connects to the "incorrect one".

I downloaded the pre-compiled Teleport binaries (not compiled manually).

Teleport v1.0.0 git:v1.0.0-0-g8987e07

[root@teleport-auth teleport-infra]# tctl -c /etc/teleport-infra.yaml nodes ls
INFO[0000] newTunClient(tctl) with auth: [{teleport-auth.example.local:3035 tcp } {teleport-auth.example.local:3035 tcp }] file=auth/tun.go:581
INFO[0000] TunClient[tctl].Dial() file=auth/tun.go:648
INFO[0000] tunClient(tctl).authServers: [{teleport-auth.example.local:3035 tcp } {teleport-auth.example.local:3035 tcp }] file=auth/tun.go:765
INFO[0000] TunClient[tctl].Dial() file=auth/tun.go:648
INFO[0000] tunClient(tctl).authServers: [{teleport-auth.example.local:3035 tcp } {teleport-auth.example.local:3035 tcp }] file=auth/tun.go:765
INFO[0000] TunClient[tctl]: authServersSyncLoop() started file=auth/tun.go:688
INFO[0000] TunClient[tctl].Dial() file=auth/tun.go:648
INFO[0000] tunClient(tctl).authServers: [{teleport-auth.example.local:3035 tcp } {teleport-auth.example.local:3035 tcp }] file=auth/tun.go:765

Node Name                      Node ID                          Address               Labels
teleport-auth.XXXXX            434430c1-5110-4e10-xxxxxxxx      XXX.XXX.XXX.XXX:3032  db_role=master,server_type=teleport-auth,arch=x86_64,hostname=teleport-auth.example.local
teleport-proxy-infra-1.XXXXXX  9b2292ec-191e-40ca-b69e-xxxxxx   YYY.YYY.YYY.YYY:3032  db_role=master,server_type=proxy,hostname=adminuk,arch=x86_64

[root@teleport-auth teleport-infra]# tctl nodes ls
INFO[0000] newTunClient(tctl) with auth: [{teleport-auth.example.local:3025 tcp } {teleport-auth.example.local:3025 tcp }] file=auth/tun.go:581
INFO[0000] TunClient[tctl].Dial() file=auth/tun.go:648
INFO[0000] tunClient(tctl).authServers: [{teleport-auth.example.local:3025 tcp } {teleport-auth.example.local:3025 tcp }] file=auth/tun.go:765
INFO[0000] TunClient[tctl].Dial() file=auth/tun.go:648
INFO[0000] tunClient(tctl).authServers: [{teleport-auth.example.local:3025 tcp } {teleport-auth.example.local:3025 tcp }] file=auth/tun.go:765
INFO[0000] TunClient[tctl]: authServersSyncLoop() started file=auth/tun.go:688
INFO[0000] TunClient[tctl].Dial() file=auth/tun.go:648
INFO[0000] tunClient(tctl).authServers: [{teleport-auth.example.local:3025 tcp } {teleport-auth.example.local:3025 tcp }] file=auth/tun.go:765

Node Name   Node ID                          Address              Labels
ukapps-dev  7a1612e0-49f7-47cf-b09a-xxxx     ZZ.ZZZ.ZZZ.ZZZ:3022  server_type=apps,db_role=node,environment=falcon,arch=x86_64,centos_version=CentOS release 6.5 (Final),java=java version "1.7.0_45"

kontsevoy commented 8 years ago

@guanana have you tried launching tsh with tsh --proxy=host:port?

guanana commented 8 years ago

Yes, when I run tsh --proxy=teleport-proxy.exmaple.local it works just fine; I sniffed the connections and it connects to the proxy on port 3023 as expected, but when I try to change the port it says:

tls: first record does not look like a TLS handshake

Also, if I try to add the "default" port 3023 it says that. I guess the binary adds the port right after the host name, and then everything we add after the hostname is just a double appendix.

My guess is, when I try to add the port it creates something like tsh --proxy=teleport-proxy.exmaple.local:3023:3023

guanana commented 8 years ago

If it is useful for you, I attach the debug output for the two different instances on the same server (proxy). Neither of the instances completes the auth because it is only a test, but you can see the behavior.

Works (instance on default port)

Server:

INFO[0040] [::]:3023 accepted connection from XXX.XXX.XXX.XX:43818  file=sshutils/server.go:156
INFO[0041] missing session cookie                        file=web/web.go:1209 request=GET /webapi
WARN[0041] http: named cookie not present                file=web/web.go:1211 request=GET /webapi

Client:

[root@teleport-auth teleport-infra]# tsh --proxy=teleport-proxy-1.example.local --user=test-infra ls
Enter password for Teleport user test-infra:

Does not work (port 3033 instead of 3023)

Server:

INFO[0027] [::]:3033 accepted connection from XX.XXX.XXX.XXX:36980 file=sshutils/server.go:156

Client:

[root@teleport-auth teleport-infra]# tsh --proxy=teleport-proxy-1.example.local:3033 --user=test-infra ls
tls: first record does not look like a TLS handshake

If I try to execute it with port 3023 "forced":

Server:

INFO[0031] [::]:3023 accepted connection from XX.XX.XXX.XXX:43856  file=sshutils/server.go:156
INFO[0032] [::]:3023 accepted connection from XX.XXX.XXX.XXX:43858  file=sshutils/server.go:156

Client:

[root@teleport-auth teleport-infra]# tsh --proxy=teleport-proxy-1.example.local:3023 --user=test-infra ls
tls: first record does not look like a TLS handshake

kontsevoy commented 8 years ago

@guanana nice catch. It appears tsh does not have a way to configure two ports for the --proxy switch: one for the SSH proxy and another for the HTTPS proxy.

I like your suggestion of using the --proxy=host:port,port syntax. So if you have this config file (every "listen addr" is set to a non-default value):

teleport:
  log:
    output: stderr

auth_service:
  enabled: yes
  listen_addr: 0.0.0.0:5025

ssh_service:
  enabled: yes
  listen_addr: 0.0.0.0:5022

proxy_service:
  enabled: yes
  listen_addr: 0.0.0.0:5023
  tunnel_listen_addr: 0.0.0.0:5024
  web_listen_addr: 0.0.0.0:5080

... you can connect to it using tsh --proxy=host,5023,5080 (first comes SSH port, followed by HTTPS port).

This change will be published later today, see "Releases". Thanks.
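The thread's root cause is a single --proxy value being reused for two listeners (SSH and HTTPS), so a port meant for one is dialed on the other and the TLS client sees a non-TLS first record. As an added example (not Teleport's own parser), the Go function below parses the host,sshport,webport syntax agreed on above into two separate endpoints, falls back to 3023 for SSH and 3080 for the web listener (the 3080 default is an assumption; the page only shows 5080), and rejects the ambiguous host:port form so a port can never be appended twice as host:3023:3023:

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Fallback ports when the spec omits them. 3023 is the default SSH proxy
// port seen in the thread; 3080 for the HTTPS/web listener is an assumption.
const (
	defaultProxySSHPort = 3023
	defaultProxyWebPort = 3080
)

// ProxyAddrs holds the two distinct endpoints a client must dial:
// the SSH proxy listener and the HTTPS/web listener.
type ProxyAddrs struct {
	SSH string
	Web string
}

// ParseProxySpec accepts "host", "host,sshport" or "host,sshport,webport"
// (SSH port first, then HTTPS port, as in the thread). A "host:port" form
// is rejected: it is ambiguous which listener the port belongs to.
func ParseProxySpec(spec string) (ProxyAddrs, error) {
	parts := strings.Split(strings.TrimSpace(spec), ",")
	if len(parts) > 3 {
		return ProxyAddrs{}, fmt.Errorf("proxy spec %q: want host[,sshport[,webport]]", spec)
	}
	host := parts[0]
	if host == "" || strings.Contains(host, ":") {
		return ProxyAddrs{}, fmt.Errorf("proxy spec %q: host must be bare, use host,sshport,webport", spec)
	}
	ports := []int{defaultProxySSHPort, defaultProxyWebPort}
	for i, p := range parts[1:] {
		n, err := strconv.Atoi(p)
		if err != nil || n < 1 || n > 65535 {
			return ProxyAddrs{}, fmt.Errorf("proxy spec %q: bad port %q", spec, p)
		}
		ports[i] = n
	}
	return ProxyAddrs{
		SSH: net.JoinHostPort(host, strconv.Itoa(ports[0])),
		Web: net.JoinHostPort(host, strconv.Itoa(ports[1])),
	}, nil
}
```

Calling ParseProxySpec("teleport-proxy-1.example.local,5023,5080") yields SSH "teleport-proxy-1.example.local:5023" and Web "teleport-proxy-1.example.local:5080", while "teleport-proxy-1.example.local:3033" returns an error instead of a misrouted TLS handshake.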