Proxy Network Debug

Prerequisites

  • ZEDEDA enterprise user account with privileges to edit edge nodes
  • Docker installed on your computer


When an edge node is installed on a network where a proxy is its only route to the Internet, the edge node must connect through that proxy. This document describes how to test the proxy settings from a workstation so that you know they work before they are applied to the edge node.

Load tlsproxy Using Docker

The tlsproxy tool is distributed as a Docker container image. The docker run … command below pulls the zededa/proxy image and starts an interactive shell inside the container; the --rm flag removes the container when you leave it. When you are finished using the tool, type “exit” at the # command prompt.

docker run -it --rm zededa/proxy   
Unable to find image 'zededa/proxy:latest' locally
latest: Pulling from zededa/proxy
7ddbc47eeb70: Pull complete
c1bbdc448b72: Pull complete
8c3b70e39044: Pull complete
45d437916d57: Pull complete
49ad2211bd62: Pull complete
3e7b836198ea: Pull complete
8a5b51d3b282: Pull complete
5136aec8bfbe: Pull complete
91d7e9d7f6c9: Pull complete
dd662e1788e0: Pull complete
Digest: sha256:c04b81815b945269edc4199ea73dccdbc49791503b0a8fceee82bb8d8751a45d
Status: Downloaded newer image for zededa/proxy:latest

First type cd && ls to change to the /root directory, where the tlsproxy binary is located, and list its contents to confirm the binary is present. Run the tool with no arguments to see its usage information.

root@a074ec40b270:~# cd && ls
root@a074ec40b270:~# ./tlsproxy  
Usage: tlsproxy <> [-proxy=<proxy ip address> -port=<proxy port>] [-cert=<proxy PEM file>] [-cipher=y] [-skip=y] [-showcerts=y]
    host can be or any remote https server
    if proxy/port is not specified, the https packet will be sent to remote host directly
    -cert proxy certificate can be specified in a PEM file when using the proxy
    -cipher option if specified, the more secure cipher suites will be used to negotiate
    -skip option is for skip the certificate security verify
    -showcerts option is for showing certificates from server or proxy server

Now run the tlsproxy tool with the configuration values you entered (or plan to enter) into the “Add Network” web page of your ZEDEDA enterprise (navigate to the Network tab in the Library section, then click the + icon to add a new network).

Note that the -host parameter should match the root FQDN of your ZEDEDA enterprise, which is the host portion of the URL shown in your browser's address bar when you are logged in. Note also that the -proxy value should match the HTTP proxy value you entered on the Add Network page. In the “Manual” proxy configuration, the proxy is defined by a server URL, IP address, and port number. If the proxy presents its own certificate, supply that certificate as a PEM file with -cert; use -skip only to separate a certificate problem from a connectivity problem, since it turns certificate verification off entirely and is not a configuration the edge node should run with.

./tlsproxy -port=912

The tool's output tells you whether the configuration should work on your edge node. The following example is only a partial success. The TLS handshake through the proxy completed and the GET to the ZEDEDA server returned "Status OK" (reply body "pong"), which shows that the network route through the proxy to the ZEDEDA server is good, but the POST was rejected with status code 400, "Bad Request", so the edge node would not be able to complete its exchange with the server through this proxy. A fully working configuration shows "Status OK" for both the GET and the POST.

root@fcdb64214a4f:~# ./tlsproxy -proxy=X.Y.Z.82 -port=13129
URL, server, proxy IP X.Y.Z.82, proxy http://X.Y.Z.82:13129
TLS handshake starts
TLS handshake done state: {Version:771 HandshakeComplete:true DidResume:false CipherSuite:49199 NegotiatedProtocol: NegotiatedProtocolIsMutual:true ServerName: PeerCertificates:[0xc0000cb600 0xc0000cbb80 0xc0000cc100] VerifiedChains:[[0xc0000cb600 0xc0000cab00]] SignedCertificateTimestamps:[] OCSPResponse:[] ekm:0x630ba0 TLSUnique:[185 149 101 93 155 88 129 183 210 250 157 201]}. error <nil>
TLS cipher negotiated TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Got RemoteAddr: X.Y.Z.82:13129, LocalAddr:
Wrote headers
Wrote request
First response byte!
Reply Contents: pong
Send https/GET to, "Status OK"
Got RemoteAddr: X.Y.Z.82:13129, LocalAddr:
Wrote headers
Wrote request
First response byte!
Reply Contents: { }
Send https/POST to, response len 50 received. Status code 400, "Bad Request"
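To make the usage text and the output above concrete, here is an added example, written for this page and not ZEDEDA's tlsproxy source, that performs the same kind of check in Python: it sends an HTTP CONNECT request to the proxy, negotiates TLS with the destination inside the resulting tunnel, and sends a GET. The result tells you at which stage the check stopped, which is the distinction the page's output makes between the route being good and a request being rejected. The FQDN, proxy address and request path in the block are placeholders, and the mapping of -cert to an extra trusted CA file and of -skip to disabled verification is an assumption based on the usage text, not something the page states.

```python
import base64
import socket
import ssl


def build_connect_request(host, port, proxy_user=None, proxy_pass=None):
    """HTTP CONNECT request that asks the proxy to open a raw tunnel to host:port.

    A Proxy-Authorization header (Basic) is added only when credentials are given;
    without it, a proxy that requires authentication answers 407 instead of 200.
    """
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if proxy_user is not None:
        token = base64.b64encode(f"{proxy_user}:{proxy_pass or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_status_line(reply):
    """Return (status_code, reason_phrase) from the first line of an HTTP reply."""
    status_line = reply.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def read_http_head(sock):
    """Read until the blank line that ends the HTTP headers (or until EOF)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def make_tls_context(cafile=None, skip_verify=False):
    """Build the TLS context.

    cafile adds the proxy's CA to the trust store (assumed to be what -cert does);
    skip_verify turns verification off entirely (assumed to be what -skip does)
    and is for diagnosis only.
    """
    ctx = ssl.create_default_context()
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    if skip_verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def check_via_proxy(host, proxy_ip, proxy_port, path="/", cafile=None,
                    skip_verify=False, proxy_user=None, proxy_pass=None, timeout=10):
    """Tunnel through proxy_ip:proxy_port to host:443, handshake TLS, send one GET.

    The returned dict's "stage" says where the check stopped:
    "connect" - the proxy itself could not be reached
    "proxy"   - the proxy refused the CONNECT (407 means it wants credentials)
    "tls"     - the tunnel opened but the certificate chain was not trusted
    "server"  - the request reached the destination; "status" is its HTTP code
    """
    try:
        with socket.create_connection((proxy_ip, proxy_port), timeout=timeout) as raw:
            raw.sendall(build_connect_request(host, 443, proxy_user, proxy_pass))
            code, reason = parse_status_line(read_http_head(raw))
            if code != 200:
                return {"stage": "proxy", "status": code, "detail": reason}
            ctx = make_tls_context(cafile, skip_verify)
            try:
                tls = ctx.wrap_socket(raw, server_hostname=host)
            except ssl.SSLError as exc:
                return {"stage": "tls", "status": None, "detail": str(exc)}
            with tls:
                request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
                tls.sendall(request.encode())
                code, reason = parse_status_line(read_http_head(tls))
                return {"stage": "server", "status": code, "detail": reason,
                        "cipher": tls.cipher()[0]}
    except OSError as exc:
        return {"stage": "connect", "status": None, "detail": str(exc)}


if __name__ == "__main__":
    # Placeholder values: use your enterprise FQDN and the proxy from Add Network.
    print(check_via_proxy("zedcloud.example.com", "192.0.2.82", 13129))
```

Read the "stage" first: a "proxy" result with 407 means the proxy wants credentials the edge node will also have to supply, a "tls" result means the proxy is presenting a certificate the trust store does not know (the case for -cert), and only a "server" result says anything about the ZEDEDA side.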

There are several different ways a proxy network can be configured. This tool helps you determine whether an edge node on your network should be able to connect through the proxy to reach the ZEDEDA servers.
