Prerequisites
- ZEDEDA enterprise user account with privileges to edit edge nodes
- Docker installed on your computer
Purpose
When an edge node is installed on a network with a proxy as its only route to the Internet, it will need to connect through that proxy. This document aims to test the proxy settings from a computer to ensure they work before they are applied to the edge node.
Load tlsproxy Using Docker
The tlsproxy tool is available to download and run as a Docker container. When you are finished using the tool, type “exit” at the # command prompt. The docker run … command below loads the tlsproxy tool from the zededa/proxy container image.
docker run -it --rm zededa/proxy
Unable to find image 'zededa/proxy:latest' locally
latest: Pulling from zededa/proxy
7ddbc47eeb70: Pull complete
c1bbdc448b72: Pull complete
8c3b70e39044: Pull complete
45d437916d57: Pull complete
49ad2211bd62: Pull complete
3e7b836198ea: Pull complete
8a5b51d3b282: Pull complete
5136aec8bfbe: Pull complete
91d7e9d7f6c9: Pull complete
dd662e1788e0: Pull complete
Digest: sha256:c04b81815b945269edc4199ea73dccdbc49791503b0a8fceee82bb8d8751a45d
Status: Downloaded newer image for zededa/proxy:latest
root@a074ec40b270:/#
First type cd && ls to change to the /root directory, where the tlsproxy script is located, and list its contents. Run the script with no arguments to see its usage information.
root@a074ec40b270:~# cd && ls
tlsproxy
root@a074ec40b270:~# ./tlsproxy
Usage: tlsproxy <-host=zedcloud.gamma.zededa.net> [-proxy=<proxy ip address> -port=<proxy port>] [-cert=<proxy PEM file>] [-cipher=y] [-skip=y] [-showcerts=y]
host can be zedcloud.gamma.zededa.net or any remote https server
if proxy/port is not specified, the https packet will be sent to remote host directly
-cert proxy certificate can be specified in a PEM file when using the proxy
-cipher option if specified, the more secure cipher suites will be used to negotiate
-skip option is for skip the certificate security verify
-showcerts option is for showing certificates from server or proxy server
Now run the tlsproxy tool with the configuration values you entered (or plan to enter) into the “Add Network” web page of your ZEDEDA enterprise (navigate to the Network tab in the Library section, then click the + icon to add a new network).
Note that the -host parameter should match the root FQDN of your ZEDEDA enterprise, which is the hostname shown in the browser URL bar when you are logged in to the enterprise. Note also that the -proxy value should match the HTTP value you entered into the Add Network page configuration. This “Manual” proxy configuration example is defined by a server URL, IP address, and port number.
./tlsproxy -host=zedcloud.gmwtus.zededa.net -proxy=proxy.example.com -port=912
The tool's output tells you whether the configuration should work on your edge node. In the following example the result is only partially successful: the network route to the ZEDEDA server is OK ("Status OK" on the GET), but authentication through the proxy server failed ("Bad Request" on the POST). A successful run shows "Status OK" for both the GET and POST operations.
root@fcdb64214a4f:~# ./tlsproxy -host=zedcloud.gmwtus.zededa.net -proxy=X.Y.Z.82 -port=13129
URL https://zedcloud.gmwtus.zededa.net, server name:zedcloud.gmwtus.zededa.net, proxy IP X.Y.Z.82, proxy http://X.Y.Z.82:13129
====GET:====
TLS handshake starts
TLS handshake done state: {Version:771 HandshakeComplete:true DidResume:false CipherSuite:49199 NegotiatedProtocol: NegotiatedProtocolIsMutual:true ServerName: PeerCertificates:[0xc0000cb600 0xc0000cbb80 0xc0000cc100] VerifiedChains:[[0xc0000cb600 0xc0000cab00]] SignedCertificateTimestamps:[] OCSPResponse:[] ekm:0x630ba0 TLSUnique:[185 149 101 93 155 88 129 183 210 250 157 201]}. error <nil>
TLS cipher negotiated TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Got RemoteAddr: X.Y.Z.82:13129, LocalAddr: 172.17.0.2:35398
Wrote headers
Wrote request
First response byte!
Reply Contents: pong
Send https/GET to https://zedcloud.gmwtus.zededa.net/api/v1/edgedevice/ping, "Status OK"
====POST:====
Got RemoteAddr: X.Y.Z.82:13129, LocalAddr: 172.17.0.2:35398
Wrote headers
Wrote request
First response byte!
Reply Contents: { }
Send https/POST to https://zedcloud.gmwtus.zededa.net/api/v1/edgedevice/hello, response len 50 received. Status code 400, "Bad Request"
root@fcdb64214a4f:~#
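The transcript above shows the steps the check consists of: open an HTTP CONNECT tunnel through the proxy, complete a TLS handshake with the controller, then send a GET to /api/v1/edgedevice/ping and a POST to /api/v1/edgedevice/hello and compare the two status codes. The following Python script is an added example that reproduces those steps so the result can be read the same way; it is not ZEDEDA's tlsproxy and makes no claim about how that tool is implemented. The enterprise FQDN, proxy address, port and CA file path in it are placeholders (the proxy values are the ones used in the page's own command line), and the cafile argument plays the role of -cert for a proxy that presents its own certificate.

```python
# Added example, not ZEDEDA's tlsproxy: CONNECT tunnel + TLS check, then the
# same GET /ping and POST /hello the page's transcript shows, classified the
# way the page reads the output (both must be 200 for a usable configuration).
from __future__ import annotations

import socket
import ssl


def build_connect_request(host: str, port: int = 443) -> bytes:
    """Request an HTTP proxy expects before it opens a raw TCP tunnel to host:port."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Proxy-Connection: keep-alive\r\n\r\n"
    ).encode("ascii")


def parse_status_line(raw: bytes) -> tuple[int, str]:
    """Return (status code, reason phrase) from the first line of an HTTP reply."""
    first = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = first.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {first!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def read_headers(sock: socket.socket) -> bytes:
    """Read the proxy's CONNECT reply one byte at a time so no TLS bytes are consumed."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("proxy closed the connection before replying to CONNECT")
        buf += chunk
    return buf


def tunnel_request(proxy: str, proxy_port: int, host: str, method: str, path: str,
                   cafile: str | None = None, body: bytes = b"") -> int:
    """Tunnel through the proxy, handshake TLS with host, send one request, return its status."""
    with socket.create_connection((proxy, proxy_port), timeout=10) as raw:
        raw.sendall(build_connect_request(host))
        code, reason = parse_status_line(read_headers(raw))
        if code != 200:  # e.g. 407 Proxy Authentication Required
            raise ConnectionError(f"proxy refused CONNECT: {code} {reason}")
        # With cafile=None the system trust store verifies the controller's certificate;
        # with a proxy CA PEM (the page's -cert) that CA is trusted instead, which is
        # what an intercepting proxy that re-signs the server certificate needs.
        ctx = ssl.create_default_context(cafile=cafile)
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            print("TLS cipher negotiated", tls.cipher()[0])
            req = (
                f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
                f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n"
            ).encode("ascii") + body
            tls.sendall(req)
            reply = b""
            while chunk := tls.recv(4096):
                reply += chunk
            return parse_status_line(reply)[0]


def classify(get_status: int, post_status: int) -> str:
    """Read the two results the way the page reads tlsproxy output."""
    if get_status == 200 and post_status == 200:
        return "ok"       # route and proxy both usable by an edge node
    if get_status == 200:
        return "partial"  # route OK, but POST /hello rejected (the page's 400 case)
    return "fail"         # GET /ping itself did not succeed


def check_proxy(host: str, proxy: str, proxy_port: int, cafile: str | None = None) -> str:
    # tlsproxy reuses one connection for both requests; a fresh tunnel per request
    # keeps this example short and gives the same two status codes.
    get_status = tunnel_request(proxy, proxy_port, host, "GET", "/api/v1/edgedevice/ping", cafile)
    post_status = tunnel_request(proxy, proxy_port, host, "POST", "/api/v1/edgedevice/hello",
                                 cafile, b"{}")
    return classify(get_status, post_status)


if __name__ == "__main__":
    # Placeholders: use your enterprise FQDN and the proxy from the Add Network page.
    print(check_proxy("zedcloud.example.zededa.net", "proxy.example.com", 912))
```

Run it from the same network segment as the edge node, as the page does with tlsproxy; a "partial" result with the POST returning 400 corresponds to the transcript above, while a ConnectionError from the CONNECT step means the proxy itself refused the tunnel (for example, it wants credentials) before any TLS traffic was exchanged.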
There are several different ways a proxy network can be configured. Hopefully, this tool will help you determine whether or not your edge node should be able to connect through it to reach ZEDEDA servers.