Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add proxy command #56

Merged
merged 1 commit into from
May 12, 2022
Merged

Add proxy command #56

merged 1 commit into from
May 12, 2022

Conversation

aelg
Copy link
Contributor

@aelg aelg commented Apr 21, 2022

Adds a command for running pomerium-cli as a proxy.
Requests matching a domain will be proxied over a tcp tunnel via
pomerium.
All other connections will be transparently proxied.

Summary

This feature solves some of the problems of running https-based services behind Pomerium.
For example when running a docker repository the docker daemon cannot perform authentication with Pomerium.
The same issue is there if running a python registry to be used by for example pip.
The proxy command implemented here solves some of these issues by letting pomerium-cli act as a https-proxy.
Many of these kinds of services support configuring a proxy either natively or by using the HTTPS_PROXY environment variable.

Caveats

This proxy sidesteps the normal audit trail of Pomerium, since the HTTPS service is served over a TCP tunnel individual request will not have an audit trail, only the setup of the tunnel will.

The service behind pomerium needs it's own TLS certificate as Pomerium is not terminating TLS in the tunnel.

Currently there seems to be a bug, most likely in envoy, that prevents tcp tunnels with frontend port 443 to work.
This PR just have a hardcoded rewrite of port 443 to port 8000 when setting up the tunnel, which is not ideal.

Related issues

This approach was suggested in issue #1837 and is based on the implementation suggested there.

@aelg aelg requested a review from a team as a code owner April 21, 2022 15:10
@aelg aelg requested a review from wasaga April 21, 2022 15:10
@CLAassistant
Copy link

CLAassistant commented Apr 21, 2022
edited
Loading

CLA assistant check
All committers have signed the CLA.

@aelg
Copy link
Contributor Author

aelg commented Apr 22, 2022

I have signed the CLA and added the commit email address. Do I need to do something else to get the above checks okayed?

@desimone desimone added enhancement New feature or request accepted labels May 9, 2022
@aelg aelg force-pushed the proxy-cmd branch 2 times, most recently from 14c955d to 7c37a55 Compare May 11, 2022 13:43
@wasaga wasaga self-assigned this May 11, 2022
@aelg
Add proxy command
ce5ef66 
Adds a command for running pomerium cli as a proxy.
Requests matching a domain will be proxied over a tcp tunnel via
pomerium.
All other connections will be transparently proxied.
@wasaga wasaga merged commit b38936e into pomerium:main May 12, 2022
@desimone desimone mentioned this pull request Jun 16, 2022
Closed
@desimone desimone mentioned this pull request Oct 24, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wasaga wasaga wasaga approved these changes

Assignees

@wasaga wasaga

Labels
accepted enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@aelg @CLAassistant @wasaga @desimone