New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Permalinks / Static Ports #1537
Comments
Sorry for the tardy response on this, I've assigned it to our product manager to take a look! Thank you for the request! |
I'd vote for static ports please! I'm afraid that a custom protocol handler would be more complex to implement and manage in multiple platforms. Additionally, a static port would work better for APIs and scripts or anything command line. |
@PPacent Hi, will there be any priority on this item? This will make the usability miles ahead. |
|
Upvoting this issue. Static ports gonna be pretty useful. |
+1 for this issue as well. Our use case is using vault behind boundary using oidc/jwt authentication, which requires a static redirect URL. We tried using vault tokens as a credential store as well to replace oidc with tokens, but that didn't play nicely with boundary desktop either. So currently we don't really have a way to authenticate into vault for our users who need access to it without using static credentials. We could work around this limitation if we could have vault always exposed by boundary on a specific port (via boundary desktop as we have less tech savvy users as well), allowing us to set a static redirect url for oidc. |
I've also been thinking about permalinks and I want to build an app for it until a better alternative is built in: Here's what I have in mind
|
A proposal to made the access to HTTP targets more simple, https://medium.com/@jrhrmsll/access-to-boundary-http-targets-made-simple-6069dcb3aabe |
Hello, I am following up on this issue to see where it is in the roadmap and to ask how I can help. This is an essential feature for us; our Boundary-secured app notifications need to include contextual links back to the application. |
I have found a technique (and I'm implementing a solution based on it) to use boundary for using http targets from the browser without a local client and with static links. Here's the design: OverviewWe leverage:
Authentication flow
Let's assume we query something like If there is no session cookie or no valid session for that cookie we have to authenticate. The proxy queries Requesting resourcesThe user requests After a connection between the proxy and worker is established, the original request is proxied to that localhost address and back. FeedbackPlease reach out with feedback. Especially with security-related flaws. This solution addresses the most common use case in my experience. It's also very non-technical-user-friendly. It does add another piece to the infrastructure and slightly diminishes the benefit of distributed, target-aware workers. The lack of local client: a pro or a con?From user's perspective, it's great. I have mixed feelings about it from security perspective but it seems to me like a security win. You have to own the session cookie to be able access the http proxy. With boundary CLI it is possible start malicious connections from unrelated processes if only you get access to shell and boundary was previously authenticated. HA useThe HTTP proxy processes are stateful. But you can still deploy multiple instances of the proxy, you just might end up having multiple open sessions for a given user to a given target. Any risks here? |
Having static port would be really nice, we are using boundary to connect to RDS databases and every time a developer creates a session they get a new port which makes them change their client configurations many times, this becomes really painful when we have lots of databases :( |
@PPacent is there any priority for this issue? From the reactions, it seems many people need it. |
Hi everyone, work on web/https targets and static ports is important for us and something we are actively investigating |
Hey everyone, I was reading through this thread today and realized there hasn't been a mention of a
Passing this flag will give you a static port, and wanted to see if this solves this issue or if there are other use cases where setting a static port on the target resource directly would be of value. Thank you for your feedback! |
@malnick, I think this doesn’t resolve the issue. Firstly, an application developer would not know what static port is chosen by the user, and users could choose different static ports. Secondly, I have found that our users, at least, prefer using the UI. |
Thanks @micchickenburger - the UI use case is a compelling reason to add this to the target resource. We're going to dive into this more soon, but perhaps the flag can be a temporary work around for those on the CLI? More on this soon, thank you for all the feedback! |
Any news, how things are going with this request? |
@dmitryroshchin no updates yet, this is something we are keeping an eye on |
Hey all! We're excited to announce that in 0.13, Boundary introduced 'default_client_port', as a new, optional attribute on a TCP or SSH target, enabling the ability to the set the default port users can connect to their boundary worker over when looking to establish a proxied connection to a remote target. We also released a ton of new functionality in 0.13, which you can read about in the 0.13 release blog: https://www.hashicorp.com/blog/boundary-0-13-introduces-ssh-session-recording-boundary-enterprise-and-more |
Is your feature request related to a problem? Please describe.
We have a web app in the cloud, only accessible through Boundary, that sends notifications to a team messaging platform. The notifications should include links to the app. However, ports are ephemeral in Boundary so these links aren't possible.
Describe the solution you'd like
I see two possible solutions:
boundary://{target-id}/{path}
http://localhost:{well-known port}/{path}
. This would also be related to issue Modify /etc/hosts to provide a simple UX for non technical users accessing https sites #1398.I'm partial to option 1 since it may result in a better user experience.
The text was updated successfully, but these errors were encountered: