3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-01 11:26:29 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/docs/guides/tcp.md
Alex Fornuto 5332a752d0
Enterprise Docs (#2390) 
* install VuePress Plugin Tabs

https://www.npmjs.com/package/vuepress-plugin-tabs

* init Enterprise documentation section

* replace Vuepress tab plugin

now using https://github.com/superbiger/vuepress-plugin-tabs

* init Enterprise Quickstart

* block of enterprise doc updates

* Helm Quickstart Update (#2380)

* removed/fixed redundant or incorrect config

And some small copy edits

* Update docs/docs/quick-start/helm.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* init console with helm doc

* squash me

* codeblock fix

* init about page

* updates to Enterprise section

* consolidate on Postgres

* WIP helm updates

* update and align OS and Enterprise helm docs

* Enterprise settings docs (#2397)

* init console-specific reference docs files

* remove shortdoc for name

* init Enterprise Reference doc

* expanding Enterprise Reference

* init JS script for reference subpages

When reviewing please remember that I'm not a developer, be kind

* update script and apply

* remove errant dep

* document script and expand for CLI help output

* import pomerium-console_serve.yaml

In future iterations, this file should be sourced at build time as an artifact from the pomerium-console repo

* init new output file

* update script call and output

* fix anchor links

* BROKEN - import content from settings.yaml when dupe is true

* filtering WiP

* fix dupe script, more content

* replace if dupe with if not docs

* squash me

* squash me!

* add docs about PPL (#2404)

* squash meeeeee

* Update docs/enterprise/install/quickstart.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* symlink img dir from docs/reference

* squash mee

* update install reqs

* Fixed links throughout

* Update docs/enterprise/install/quickstart.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/enterprise/install/quickstart.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* remove internal note

* - format python with black
- format js with prettier

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* optimize images with imageOptim

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* run prettier on config.js

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* concepts.md

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* update concepts

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* copy edits

* typo

* symlink img dir from docs/reference

* modify TLS section in quick-start

* rm whitespace

* add common links postamble

* block of updates

* block of updates

* updates with @travisgroth

* turtles all the way down

* more content

* import all the things

* fill out reports

* fill out reports

* fix file extension

* fix links

* crosslink PPL ref

* document embedded prometheus

* expand example

* update reqs

* document non-directory users

* typo fix

* update metrics_address

* fix broken links in example configs

* update examples for route syntax

* replaced required with deprecated

Note that I didn't link to the route reference because I'm unsure what link formats are accepted when this file is used elsewhere. The warning block below includes a link.

* update enterprise/about

* Update docs/enterprise/console-settings.yaml

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/console-settings.yaml

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* remove commented config lines

* update non-domain user section in concepts

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/about.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* add console route to OSS conf

* update enterprise settings copy from source file

* Update docs/enterprise/concepts.md

* Update reports reference

* merge conflict resolution

* update sourced doc content, fix whitespace

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
2021-08-04 13:55:04 -05:00

174 lines
6.8 KiB
Markdown
Raw Blame History

---
title: TCP Services
lang: en-US
meta:
- name: keywords
content: pomerium identity-access-proxy ssh tcp postgres database redis mysql
description: >-
This guide covers how to use Pomerium to protect TCP services such as SSH, Postgres and Redis.
---
# Securing TCP based services
The following guide demonstrates how to use Pomerium's [TCP Proxying](/docs/topics/tcp-support.md) support with various TCP services such as databases and other non-HTTP protocols. It also covers integration points with them when possible.
The source files from this guide can be found on [GitHub](https://github.com/pomerium/pomerium/tree/master/examples/tcp/).
## Background
When replacing a traditional VPN, there are often non-HTTP based applications which must still be reachable. Pomerium is able to provide the same type of protection to these services by using a client side application to proxy TCP connections. Authentication and authorization configuration is shared with standard HTTP routes, and the underlying transport is still encrypted between the end-user and Pomerium.
Important notes:
- Pomerium authorizes HTTP on a request-by-request basis, but TCP is authorized on a per-connection basis.
- Pomerium is only authorizing the TCP *connection*. It does not interact with application level authorization systems at this time.
## How it works
* Create a standard Pomerium configuration for your [identity provider (IdP)](/docs/identity-providers/readme.md)
* `pomerium-cli` runs on your workstation, listening on loopback for TCP connections
* When an inbound connection is made, `pomerium-cli` proxies the connection through `pomerium`, authenticating the user if needed
* Pomerium authorizes the connection and forwards it to the upstream service
* The connecting application functions as normal
## Pre-requisites
This recipe is designed to run on a local docker-compose instance. The included configuration can be adopted for any TCP service, however.
* docker
* docker-compose
* A copy of the [example repo](https://github.com/pomerium/pomerium/tree/master/examples/tcp/) checked out
* Valid credentials for your OIDC provider
* The [Pomerium Client](/docs/releases.md#pomerium-cli) installed
* (Optional) `mkcert` to generate locally trusted certificates
## Certificates (optional)
This demo comes with its own certificates, but `pomerium-cli` and your browser will not trust them by default. You may instead provide your own or use [mkcert](https://github.com/FiloSottile/mkcert) to generate locally trusted certificates.
After installing `mkcert`, run the following inside the example repo:
```bash
mkcert -install
mkcert '*.localhost.pomerium.io'
```
This will install a trusted CA and generate a new wildcard certificate:
- `_wildcard.localhost.pomerium.io.pem`
- `_wildcard.localhost.pomerium.io-key.pem`
To provide your own certificates through another mechanism, please overwrite these files or update `docker-compose.yaml` accordingly.
## Configure
### Pomerium
Update `config.yaml` with your IdP settings and desired policy if adopting for your environment
<<< @/examples/tcp/config.yaml
### Docker Compose
Create a `docker-compose.yaml` file to run Pomerium and, optionally, the services being demonstrated.
Included in our compose file:
- SSH
- Postgres
- Redis
<<< @/examples/tcp/docker-compose.yaml
## Connect
To connect to your service, ensure [`pomerium-cli`](/docs/releases.md#pomerium-cli) is in your `$PATH` and run the `tcp` command, specifying the service you wish to reach.
```bash
pomerium-cli tcp [hostname]:[port]
```
`pomerium-cli` will select a random port on `localhost` by default, but you can specify a port manually if desired. Keep reading for some specific application examples using the sample `docker-compose.yaml`.
## Redis
```bash
# Start a proxy to redis in the background
% pomerium-cli tcp redis.localhost.pomerium.io:6379 --listen localhost:6379 &
3:01PM INF tcptunnel: listening on 127.0.0.1:6379
# Start the redis client
% redis-cli
3:01PM INF tcptunnel: opening connection dst=redis.localhost.pomerium.io:6379 proxy=redis.localhost.pomerium.io:443 secure=true
3:01PM INF tcptunnel: opening connection dst=redis.localhost.pomerium.io:6379 proxy=redis.localhost.pomerium.io:443 secure=true
3:01PM INF tcptunnel: connection established
127.0.0.1:6379> keys *
1) "type.googleapis.com/session.Session_last_version"
2) "type.googleapis.com/user.User"
3) "type.googleapis.com/session.Session"
4) "type.googleapis.com/user.User_version_set"
5) "type.googleapis.com/user.User_last_version"
6) "server_version_last_version"
7) "type.googleapis.com/session.Session_version_set"
8) "server_version_version_set"
9) "server_version"
10) "type.googleapis.com/directory.User_last_version"```
```
## Postgres
In our example docker-compose, we have configured `supersecret` as the password for the `postgres` user.
```bash
# Start a proxy to postgres in the background
% pomerium-cli tcp pgsql.localhost.pomerium.io:5432 --listen localhost:5432 &
3:07PM INF tcptunnel: listening on 127.0.0.1:5432
# Connect and list the schemas after password authentication
% psql -h localhost -W -U postgres -c '\dn'
Password:
3:06PM INF tcptunnel: opening connection dst=pgsql.localhost.pomerium.io:5432 proxy=pgsql.localhost.pomerium.io:443 secure=true
3:06PM INF tcptunnel: connection established
List of schemas
Name | Owner
--------+----------
public | postgres
(1 row)
```
## SSH
SSH clients can make use of external programs to establish a connection to a host. Most frequently, this is for using an SSH jump host to reach a target system. However, any transport application can be used. `pomerium-cli`'s `tcp` command can be used in conjunction with this configuration. Read on to see how.
More Info:
- [https://man.openbsd.org/ssh_config.5#ProxyCommand](https://man.openbsd.org/ssh_config.5#ProxyCommand)
- [https://www.redhat.com/sysadmin/ssh-proxy-bastion-proxyjump](https://www.redhat.com/sysadmin/ssh-proxy-bastion-proxyjump)
### Setup
To configure your SSH client to use Pomerium's TCP support for SSH routes, create an entry as follows in your `ssh_config` or `~/.ssh/config`:
```
Host *.localhost.pomerium.io
ProxyCommand pomerium-cli tcp --listen - %h:%p
```
* Be sure to substitute your domain for `localhost.pomerium.io`
* Be sure `pomerium-cli` is in your `$PATH`
### Connecting
That's it! A Pomerium proxy will be started *automatically* whenever you ssh to a host under `localhost.pomerium.io`.
In our example docker-compose, we have an SSH server configured with `supersecret` as the password for `myuser`.
```bash
% ssh myuser@ssh.localhost.pomerium.io
3:19PM INF tcptunnel: opening connection dst=ssh.localhost.pomerium.io:22 proxy=ssh.localhost.pomerium.io:443 secure=true
3:19PM INF tcptunnel: connection established
myuser@ssh.localhost.pomerium.io's password:
Welcome to OpenSSH Server
5c9f4fa5f5f7:~$
```
Reference in a new issue View git blame Copy permalink