Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Boundary 0.18: boundary worker not reachable via corporate http proxy. #5279

Open
ecNicolov opened this issue Nov 24, 2024 · 0 comments
Open
Labels
bug Something isn't working

Comments

@ecNicolov
Copy link

Describe the bug

Boundary controller and worker have public IP addresses.
Boundary client is located behind a corporate HTTP proxy.

The client first authenticates to the Boundary controller without issue.
Then, the client try to access a resource protected by a boundary worker.
The connection to the worker fails.
Network traces show that the authenticate connection reaches the controller via the corporate proxy but the connect connection does tries to reach the worker directly without going through the corporate http proxy.

To Reproduce
Steps to reproduce the behavior:

  1. Set the corporate proxy via https_proxy variable.
    export https_proxy=http://user:[email protected]:3128

  2. Run boundary authenticate ...

boundary  authenticate password  -addr=https://controller.xxx.:9200  -scope-id=o_9oFaXugvAS   -login-name=xxx
Please enter the password (it will be hidden): 

Authentication information:
  Account ID:      acctpw_FuAD8xu3uh
  Auth Method ID:  ampw_oLQCiHpRoE
  Expiration Time: Sun, 01 Dec 2024 18:37:26 CET
  User ID:         u_OyLPs9P6BA
  1. Run boundary connect ...
boundary  connect ssh   -token env://BOUNDARY_TOKEN  -addr=https://controller.xxxx:9200  -target-id=ttcp_QVx6lOE9yT
  1. Error
kex_exchange_identification: read: Connection reset by peer
Connection reset by 127.0.0.1 port 4321
client IP:  192.168.3.159
proxy IP:   192.168.5.11
worker IP:  54.38.32.240

18:56:35.615663 IP 192.168.3.159.56322 > 192.168.5.11.3128: Flags [P.], seq 1768:2028, ack 2791, win 523, options [nop,nop,TS val 1760770923 ecr 3909221258], length 260
18:56:35.615714 IP 192.168.3.159.56322 > 192.168.5.11.3128: Flags [P.], seq 2028:2061, ack 2791, win 523, options [nop,nop,TS val 1760770923 ecr 3909221258], length 33
18:56:35.629589 IP 192.168.5.11.3128 > 192.168.3.159.56322: Flags [.], ack 1768, win 1002, options [nop,nop,TS val 3909221285 ecr 1760770923], length 0
18:56:35.629765 IP 192.168.5.11.3128 > 192.168.3.159.56322: Flags [.], ack 2061, win 1002, options [nop,nop,TS val 3909221286 ecr 1760770923], length 0
18:56:35.641458 IP 192.168.5.11.3128 > 192.168.3.159.56322: Flags [P.], seq 2791:2896, ack 2061, win 1002, options [nop,nop,TS val 3909221297 ecr 1760770923], length 105
18:56:35.641517 IP 192.168.3.159.56322 > 192.168.5.11.3128: Flags [P.], seq 2061:2092, ack 2896, win 523, options [nop,nop,TS val 1760770949 ecr 3909221297], length 31
18:56:35.697834 IP 192.168.5.11.3128 > 192.168.3.159.56322: Flags [.], ack 2092, win 1002, options [nop,nop,TS val 3909221354 ecr 1760770949], length 0
18:56:35.748062 IP 192.168.5.11.3128 > 192.168.3.159.56322: Flags [P.], seq 4234:4294, ack 2092, win 1002, options [nop,nop,TS val 3909221404 ecr 1760770949], length 60
18:56:35.748070 IP 192.168.3.159.56322 > 192.168.5.11.3128: Flags [.], ack 2896, win 544, options [nop,nop,TS val 1760771055 ecr 3909221354,nop,nop,sack 1 {4234:4294}], length 0
18:56:35.748109 IP 192.168.5.11.3128 > 192.168.3.159.56322: Flags [.], seq 2896:4234, ack 2092, win 1002, options [nop,nop,TS val 3909221404 ecr 1760770949], length 1338
18:56:35.748115 IP 192.168.3.159.56322 > 192.168.5.11.3128: Flags [.], ack 4294, win 566, options [nop,nop,TS val 1760771055 ecr 3909221404], length 0

18:56:36.583599 IP 192.168.3.159.36430 > 54.38.32.240.9202: Flags [S], seq 1249932824, win 64240, options [mss 1460,sackOK,TS val 1051474173 ecr 0,nop,wscale 7], length 0**
18:56:37.605661 IP 192.168.3.159.36430 > 54.38.32.240.9202: Flags [S], seq 1249932824, win 64240, options [mss 1460,sackOK,TS val 1051475195 ecr 0,nop,wscale 7], length 0
18:56:38.618995 IP 192.168.3.159.36430 > 54.38.32.240.9202: Flags [S], seq 1249932824, win 64240, options [mss 1460,sackOK,TS val 1051476208 ecr 0,nop,wscale 7], length 0
18:56:39.632329 IP 192.168.3.159.36430 > 54.38.32.240.9202: Flags [S], seq 1249932824, win 64240, options [mss 1460,sackOK,TS val 1051477222 ecr 0,nop,wscale 7], length 0
18:56:40.645661 IP 192.168.3.159.36430 > 54.38.32.240.9202: Flags [S], seq 1249932824, win 64240, options [mss 1460,sackOK,TS val 1051478235 ecr 0,nop,wscale 7], length 0
18:56:41.658998 IP 192.168.3.159.36430 > 54.38.32.240.9202: Flags [S], seq 1249932824, win 64240, options [mss 1460,sackOK,TS val 1051479248 ecr 0,nop,wscale 7], length 0
18:56:43.738994 IP 192.168.3.159.36430 > 54.38.32.240.9202: Flags [S], seq 1249932824, win 64240, options [mss 1460,sackOK,TS val 1051481328 ecr 0,nop,wscale 7], length 0
18:56:47.792326 IP 192.168.3.159.36430 > 54.38.32.240.9202: Flags [S], seq 1249932824, win 64240, options [mss 1460,sackOK,TS val 1051485382 ecr 0,nop,wscale 7], length 0
18:56:55.898994 IP 192.168.3.159.36430 > 54.38.32.240.9202: Flags [S], seq 1249932824, win 64240, options [mss 1460,sackOK,TS val 1051493488 ecr 0,nop,wscale 7], length 0

18:57:07.205666 IP 192.168.3.159.56322 > 192.168.5.11.3128: Flags [.], ack 4294, win 566, options [nop,nop,TS val 1760802513 ecr 3909221404], length 0
18:57:07.219665 IP 192.168.5.11.3128 > 192.168.3.159.56322: Flags [.], ack 2092, win 1002, options [nop,nop,TS val 3909252875 ecr 1760771055], length 0
18:57:08.282881 IP 192.168.3.159.41178 > 192.168.9.1.3128: Flags [P.], seq 3537487383:3537487422, ack 2410411280, win 606, options [nop,nop,TS val 293446377 ecr 2320091248], length 39
18:57:08.282975 IP 192.168.3.159.41178 > 192.168.9.1.3128: Flags [P.], seq 39:63, ack 1, win 606, options [nop,nop,TS val 293446377 ecr 2320091248], length 24
18:57:08.282984 IP 192.168.3.159.41178 > 192.168.9.1.3128: Flags [F.], seq 63, ack 1, win 606, options [nop,nop,TS val 293446377 ecr 2320091248], length 0
18:57:08.305409 IP 192.168.9.1.3128 > 192.168.3.159.41178: Flags [.], ack 64, win 501, options [nop,nop,TS val 2320143833 ecr 293446377], length 0
18:57:08.305447 IP 192.168.9.1.3128 > 192.168.3.159.41178: Flags [F.], seq 1, ack 64, win 501, options [nop,nop,TS val 2320143833 ecr 293446377], length 0
18:57:08.305457 IP 192.168.3.159.41178 > 192.168.9.1.3128: Flags [.], ack 2, win 606, options [nop,nop,TS val 293446400 ecr 2320143833], length 0

Expected behavior
Both connections for boundary authenticate and boundary connect should use the http proxy.

Additional context

Version information:
  Build Date:          2024-11-18T16:36:03Z
  Git Revision:        7f5cae7f400fa3e64488e3ed4aa48105b246d18b
  Version Number:      0.18.1
@ecNicolov ecNicolov added the bug Something isn't working label Nov 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

1 participant