@bbuechler
Last active December 22, 2022 19:19
Set up and configure a SOCKS5 proxy over SSM to access the Cumulus Dashboard.

MacOS/Linux - console and Firefox

Generate AWS Long Term Access keys for the appropriate CloudTamer Project (like asf-application-cumulus-uat-7211)

Save the keys to your ~/.aws/credentials:

[cumulus-uat-appdev]
aws_access_key_id = AKIAVA2VMIABCDEFGH12
aws_secret_access_key = 35IkW2dkPUsg5St4ioKB9MKXZjYYJ3lpNI527pXXYXXFIds8so

Set the defaults for accessing this account

> export AWS_DEFAULT_REGION=us-west-2
> export AWS_DEFAULT_PROFILE=cumulus-uat-appdev

Get Bastion information

NEW EDC accounts no longer come with SSM BASTION.

If you know your account does not have an SSM-enabled bastion host, OR the output of the next step is "None", you will need to deploy an SSM Bastion for your account. To deploy an SSM Bastion, see build-a-bastion.sh.

Look up BASTION Instance ID based on bastion name.

By default, NGAP names its bastion "NGAP SSH Bastion". If you are not deploying your own SSM Bastion from the previous step, try that name instead.

> export ssm_bastion="SSM Bastion"
> export SSMBASTION=$(aws ec2 describe-instances --filters "Name=tag:Name,Values=$ssm_bastion" --query "Reservations[].Instances[].InstanceId" --output=text)
> echo Bastion host is $SSMBASTION

Get the API Address to add to the proxy.pac file:

Pull the API name from the CloudFormation Stack (you might need to adjust MATURITY).

If you have more than one deployment in an account, you'll probably need to set the DEPLOYMENT_PREFIX value to select the correct API Gateway instance.

> export MATURITY="dev" # Generally, UAT="test", SBX="dev", but this depends on your Cumulus Deployment.
> export DEPLOYMENT_PREFIX=""
> API=$(aws apigateway get-rest-apis --query "items[?ends_with(name, '-archive') && starts_with(name,'$DEPLOYMENT_PREFIX')].id" --output=text)
> APIROOT=$(echo "https://${API}.execute-api.${AWS_DEFAULT_REGION}.amazonaws.com/${MATURITY}/")
> echo $APIROOT
https://l3h5z0uk10.execute-api.us-west-2.amazonaws.com/dev/

You can also get this value from the AWS Console:

From the AWS Console, go to the API Gateway service, find and click on your API (its name will end with -archive). Then, on the left, click "Dashboard".
[Screenshot: API Console]

Update the proxy.pac file to redirect that url.

You can probably do this in Chrome, but to the best of my knowledge, Chrome has 2 major drawbacks:

  1. Chrome cannot do DNS resolution over socks5 proxy (Firefox can!)
  2. Chrome PAC files MUST download, they cannot be local file. (Firefox can use local files)

Load (or reload!) the proxy.pac file into FireFox's proxy settings

function FindProxyForURL(url, host) {

    // Only the Cumulus API Gateway host is sent through the SSH SOCKS5 tunnel on port 8001.
    // Note: dnsDomainIs() is a suffix match, so any host ending in this string would also match.
    if (dnsDomainIs(host, "l3h5z0uk10.execute-api.us-west-2.amazonaws.com"))
        return "SOCKS5 localhost:8001";

    // by default use no proxy
    return "DIRECT";
}

⚠️⚠️⚠️ Also be sure you're enabling DNS resolution over SOCKS5: ⚠️⚠️⚠️

✅ "Proxy DNS while using SOCKS v5" in the proxy config. If this is not enabled, Firefox will not be able to resolve the DNS name.

Handling SSH keys

If NGAP has provided you with an SSM/SSH Bastion, you'll need to follow the steps in SSH Bastion Key Upload - Self-Service to upload SSH keys for programmatic SSM access. The instructions also work if you've deployed your own SSM Bastion using the instructions above. Either way, you'll need to set the SSH_KEY variable for the next step. Generally, keys are kept in ~/.ssh/<key> and ~/.ssh/<key>.pub

> export SSH_KEY=/path/to/your/id_rsa_key

Connect to the NASA EDGATE VPN.

Fire up the Socks Proxy:

To connect to the SSM Bastion, you need to have the Session Manager Plugin installed.

> ssh -o ProxyCommand="sh -c 'aws  ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=22'" -i $SSH_KEY -fN -D 127.0.0.1:8001 ec2-user@$SSMBASTION 
> SSH=$(pgrep -f 'ssh -o ProxyCommand')

Access the Console!

Go to dashboard and log in (make sure your EDL userid has been added)

For example http://<your-hosted-dashboard>.s3-website-us-west-2.amazonaws.com/

See also standalone-md for building and running the Cumulus dashboard in a local Docker container.

Close the SSH tunnel

When you're done using the proxy to access the dashboard, close the SSH proxy:

kill -9 $SSH

Troubleshooting:

NGAP periodically rotates Bastion Hosts, so you MAY get a "man in the middle" attack warning:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.

Simply find the Bastion's record in your ~/.ssh/known_hosts file and remove it.

If your Cumulus Dashboard starts flipping out with random errors, check that your VPN is still connected and that your socks proxy connection hasn't dropped

You can test your proxy by running this command:

> curl --proxy socks5h://localhost:8001 ${APIROOT}/version
{"response_version":"v1","api_version":"1.14.2"}

If you get some other response than the above JSON payload, something has gone wrong

If, when you try to log into the Cumulus dashboard in Firefox, you see an error like "... cannot resolve DNS for l3h5z0uk10.execute-api.us-west-2.amazonaws.com ...", there is a problem with the proxy settings and the request is NOT going over the SOCKS proxy.
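The whole procedure above (bastion lookup, API root, PAC file, tunnel, the /version health check from this troubleshooting section, teardown, and the stale host key fix) collected into one script. This is an added example, not the gist author's code. It assumes the same variables the gist exports (AWS_DEFAULT_REGION, AWS_DEFAULT_PROFILE, SSH_KEY, and optionally MATURITY and DEPLOYMENT_PREFIX), a hypothetical SSM_BASTION_NAME variable for the bastion's Name tag, the AWS CLI and Session Manager plugin installed, and the VPN already connected. It deliberately differs from the gist in three places: the PAC rule compares the host exactly rather than with dnsDomainIs (a suffix match); the tunnel is opened as an ssh control master so it can be closed with -O exit instead of pgrep and kill -9; and before dropping a changed bastion host key it prints the instance's launch time so you can confirm the bastion really was rotated.

```shell
#!/bin/sh
# cumulus-proxy.sh: the gist's steps as one script (added example, not the gist
# author's code). Assumed: AWS CLI + Session Manager plugin installed, the EDGATE
# VPN connected, and AWS_DEFAULT_REGION / AWS_DEFAULT_PROFILE / SSH_KEY exported.
# Usage:  ./cumulus-proxy.sh up | down | hostkey-reset
set -eu

PROXY_PORT="${PROXY_PORT:-8001}"
PAC_FILE="${PAC_FILE:-${HOME:-/tmp}/cumulus-proxy.pac}"
CTL_SOCK="${CTL_SOCK:-${HOME:-/tmp}/.ssh/cumulus-proxy.sock}"     # ssh control socket (replaces pgrep + kill -9)
STATE_FILE="${STATE_FILE:-${HOME:-/tmp}/.cumulus-proxy.bastion}"  # remembers the bastion id for hostkey-reset

# API root built exactly the way the gist builds APIROOT.
api_root() {  # api_root <api-id> <region> <maturity>
    printf 'https://%s.execute-api.%s.amazonaws.com/%s/\n' "$1" "$2" "$3"
}

# Bare hostname of a URL: the value the PAC rule must match.
url_host() {  # url_host <url>
    h="${1#*://}"
    printf '%s\n' "${h%%/*}"
}

# PAC file that sends only the API host through the SOCKS5 tunnel. An exact
# compare is used instead of dnsDomainIs(), which is a suffix match.
write_pac() {  # write_pac <api-host> <port>
    cat <<EOF
function FindProxyForURL(url, host) {
    if (host == "$1")
        return "SOCKS5 localhost:$2";
    return "DIRECT";
}
EOF
}

# The gist's troubleshooting check: /version through the tunnel must answer with
# the API's JSON. socks5h:// makes curl resolve the name via the proxy, which is
# what Firefox's "Proxy DNS" option does for the browser.
proxy_healthy() {  # proxy_healthy <api-root> <port>
    curl -sS --max-time 10 --proxy "socks5h://localhost:$2" "${1}version" \
        | grep -q '"api_version"'
}

up() {
    bastion=$(aws ec2 describe-instances \
        --filters "Name=tag:Name,Values=${SSM_BASTION_NAME:-SSM Bastion}" \
        --query "Reservations[].Instances[].InstanceId" --output=text)
    if [ -z "$bastion" ] || [ "$bastion" = None ]; then
        echo "no SSM bastion found; deploy one (see build-a-bastion.sh)" >&2; exit 1
    fi
    printf '%s\n' "$bastion" > "$STATE_FILE"
    api=$(aws apigateway get-rest-apis \
        --query "items[?ends_with(name, '-archive') && starts_with(name,'${DEPLOYMENT_PREFIX:-}')].id" \
        --output=text)
    root=$(api_root "$api" "$AWS_DEFAULT_REGION" "${MATURITY:-dev}")
    write_pac "$(url_host "$root")" "$PROXY_PORT" > "$PAC_FILE"
    echo "PAC written to $PAC_FILE; load it in Firefox with 'Proxy DNS' ticked"
    # -M/-S start a control master so 'down' can close the tunnel cleanly.
    ssh -o ProxyCommand="sh -c 'aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=22'" \
        -i "$SSH_KEY" -M -S "$CTL_SOCK" -fN -D "127.0.0.1:$PROXY_PORT" "ec2-user@$bastion"
    if proxy_healthy "$root" "$PROXY_PORT"; then
        echo "proxy OK: $root"
    else
        echo "tunnel is up but $root did not answer; check VPN, API id and MATURITY" >&2
    fi
}

down() {
    # A host argument is required by ssh but not used for connecting when -S names the socket.
    ssh -S "$CTL_SOCK" -O exit unused-host
}

# For the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning: show the bastion's
# launch time so a genuine rotation can be confirmed before the old key is dropped.
hostkey_reset() {
    bastion=$(cat "$STATE_FILE")
    echo "bastion $bastion launched at: $(aws ec2 describe-instances --instance-ids "$bastion" \
        --query "Reservations[].Instances[].LaunchTime" --output=text)"
    ssh-keygen -R "$bastion"
}

case "${1:-}" in
    up) up ;;
    down) down ;;
    hostkey-reset) hostkey_reset ;;
esac
```

Only the pure helpers (api_root, url_host, write_pac) can be exercised without AWS access; up, down and hostkey-reset need the CLI, the plugin and the VPN.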
