hashicorp / boundary

Boundary enables identity-based access management for dynamic infrastructure.
https://boundaryproject.io

Boundary with HTTP(S) endpoints #844

Closed gunhu closed 3 years ago

gunhu commented 3 years ago

Is your feature request related to a problem? Please describe.
Is using Boundary to connect to HTTP(S) endpoints using a browser something you planned to add when you have tackled all features listed in your roadmap?

Describe the solution you'd like
Execute the following command: boundary connect http[s] -target-id ttcp_1234567890

And then open a web browser to navigate to the target previously opened.

Describe alternatives you've considered
Using Boundary with SSL tunneling: boundary connect -exec ssh -target-id ttcp_1234567890 -- -L 127.0.0.1:[80-443]:IP_ADDRESS:[80-443]

malnick commented 3 years ago

This isn't currently implemented but we are working on adding it soon. In the meantime, I did a write-up around how to front UIs with Boundary here: https://discuss.hashicorp.com/t/question-around-accessing-web-targets/15710/6

stefansedich commented 3 years ago

@malnick are there any updates on this feature? We are looking at replacing our current VPN with Boundary, but access to web applications is a must; the currently linked proxying solution is a little verbose and adds complications with internal auth and random ports.

brancz commented 3 years ago

> This isn't currently implemented but we are working on adding it soon.

Fantastic! Any issue that we could subscribe to? :)

Love Boundary btw, finally a great path towards BeyondCorp for the rest of us!

pratiyush05 commented 1 year ago

Hi @malnick, we are trying to connect to an HTTPS target (AWS OpenSearch) using the Boundary desktop application. After clicking on "connect" in the Boundary desktop app, it does create a session with 127.0.0.1 and a port. But when I put this in Chrome, it says "400 Bad Request - The plain HTTP request was sent to HTTPS port". On adding https:// at the start of the endpoint, Chrome says the connection is unsecure. How can we create a secure connection for HTTPS targets using the Boundary desktop app?

Maybe a related finding: I saw one root certificate authority being added, "Starfield Services Root Certificate Authority - G2", over the certificate chain of our AWS OpenSearch target. Is this certificate chain creating trouble? Please guide us through this. Thanks in advance.

xingluw commented 1 year ago

Hi @pratiyush05, this is an important feature we are considering for the roadmap, but we don't have any updates at the moment. There is a current workaround by using an additional proxy, which you can learn more about here:

jrhrmsll commented 1 year ago

> Hi @pratiyush05, this is an important feature we are considering for the roadmap, but we don't have any updates at the moment. There is a current workaround by using an additional proxy, which you can learn more about here:

Thanks for mentioning it. With the introduction of default ports in v0.13.0 this will be easier now, opening the possibility from the UI.

https://github.com/alqasr contains the implementation for the Squid Proxy external ACL (to enforce boundary permissions via API calls) and a simple PAC server to avoid manual configurations on the clients.