[GH-ISSUE #560] Using HTTP Proxy over Group Access ? #144

Closed
opened 2026-05-07 00:19:22 +02:00 by BreizhHardware · 4 comments

Originally created by @DavidutzDev on GitHub (Jul 7, 2025).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/560

Hello,
I tried for the past few days to set up HTTP Proxy and it worked wonderfully until I tried to set up Group Accesses. I followed the documentation and all works with the self access method (using accountAddPersonalAccess and the selfGenerateProxyPassword). However, I'm not sure if I do something wrong or there's a misunderstanding. I couldn't make it work with the groupAddServer, it's the same server with the exact same port and same configuration. My user is owner of the group but when I try to make the request in the same way as the "self access method" I get an error saying that I don't have access using the auth method (self/default).

Looking further at the documentation, it seems like there's no documentation about the errors (or this specific one).

Here's the error I get using the curl verbose mode :

curl -v -k -u davidutz@root@10.10.0.3 https://10.10.0.2:8443
Enter host password for user 'davidutz@root@10.10.0.3':
*   Trying 10.10.0.2:8443...
* schannel: disabled automatic use of client certificate
* schannel: using IP address, SNI is not supported by OS.
* ALPN: curl offers http/1.1
* ALPN: server did not agree on a protocol. Uses default.
* Connected to 10.10.0.2 (10.10.0.2) port 8443
* using HTTP/1.x
* Server auth using Basic with user 'davidutz@root@10.10.0.3'
> GET / HTTP/1.1
> Host: 10.10.0.2:8443
> Authorization: Basic ZGF2aWR1dHpAcm9vdEAxMC4xMC4wLjM6RW5nbCpfcXFDfTMpXTluanshMm9XaT8rST5kPUVkaSk=
> User-Agent: curl/8.13.0
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* Request completely sent off
* schannel: server close notification received (close_notify)
* HTTP 1.0, assume close after body
< HTTP/1.0 403 Access Denied (access denied to remote this way)
< Date: Mon Jul  7 16:31:09 2025 GMT
< Connection: close
< Server: The Bastion 3.20.00
< X-Bastion-Instance: main-bastion
< X-Bastion-ReqID: 666a790cf5ce
< X-Bastion-Remote-IP: 10.10.0.3
< X-Bastion-Request-Length: 0
< X-Bastion-Auth-Mode: self/default
< X-Bastion-Local-Status: 403 Access Denied (access denied to remote this way)
< Content-Type: text/plain
<
This account doesn't have access to root@10.10.0.3:443 using this auth mode (self/default)

* schannel: server indicated shutdown in a prior call
* shutting down connection #0


Thanks for reading and I hope someone would be able to help me with this situation.

@speed47 commented on GitHub (Jul 8, 2025):

You're saying that your user is the owner of the group, can you also confirm that it's a member of the group? Membership is required to get access to the group's servers (you can be owner without being a member, even if, being an owner, you may grant yourself gatekeepership, which in turn makes it possible to grant yourself membership).

Can you also confirm that you're seeing this access listed with the command selfListAccesses?


@DavidutzDev commented on GitHub (Jul 8, 2025):

Thanks for your reply,

After checking what you asked me, here are the accesses, and my user is a member of my group (see following logs). I'm not sure if there's another factor that can play on my error. Thanks again!

davidutz@main-bastion(master)> groupInfo --group SuperSysadmin
╭──main-bastion───────────────────────────────────────────the-bastion-3.20.00───
│ ▶ group info
├───────────────────────────────────────────────────────────────────────────────
│ Group SuperSysadmin's Owners are: davidutz
│ Group SuperSysadmin's GateKeepers (managing the members/guests list) are: davidutz
│ Group SuperSysadmin's ACLKeepers (managing the group servers list) are: davidutz
│ Group SuperSysadmin's Members (with access to ALL the group servers) are: davidutz
│ Group SuperSysadmin's Guests (with access to SOME of the group servers) are: -
│
│ The public key of this group is:
│
│ fingerprint: SHA256:zd0bmwUqO8Fmd/jpHlw4DxHES/wNsHWpa7yIYiZFPLU (ED25519-256) [ID = id7722bde0]
│ keyline follows, please copy the *whole* line:
from="10.10.0.2" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6OWg/8S5f8PPnw+dph0dHpPSGKbZfygciDJEKooEJ+ SuperSysadmin@main-bastion:1751898050
│
╰────────────────────────────────────────────────────────────────</groupInfo>───
davidutz@main-bastion(master)> groupListServers --group SuperSysadmin
╭──main-bastion───────────────────────────────────────────the-bastion-3.20.00───
│ ▶ list of servers pertaining to the group
├───────────────────────────────────────────────────────────────────────────────
│        IP PORT USER            ACCESS-BY ADDED-BY   ADDED-AT
│ --------- ---- ---- -------------------- -------- ----------
│ 10.10.0.3   22 root SuperSysadmin(group) davidutz 2025-07-07
│ 10.10.0.3  443 root SuperSysadmin(group) davidutz 2025-07-07
│
│ 2 accesses listed
╰─────────────────────────────────────────────────────────</groupListServers>───
davidutz@main-bastion(master)> selfListAccesses
╭──main-bastion───────────────────────────────────────────the-bastion-3.20.00───
│ ▶ your access list
├───────────────────────────────────────────────────────────────────────────────
│ Dear davidutz, you have access to the following servers:
│        IP PORT USER                   ACCESS-BY ADDED-BY   ADDED-AT
│ --------- ---- ---- --------------------------- -------- ----------
│ 10.10.0.3   22 root SuperSysadmin(group-member) davidutz 2025-07-07
│ 10.10.0.3  443 root SuperSysadmin(group-member) davidutz 2025-07-07
│
│ 2 accesses listed
╰─────────────────────────────────────────────────────────</selfListAccesses>───

Persisting error :

curl -v -k -u davidutz@root@10.10.0.3 https://10.10.0.2:8443                                                                                                   ~1m 43.286s
Enter host password for user 'davidutz@root@10.10.0.3':
*   Trying 10.10.0.2:8443...
* schannel: disabled automatic use of client certificate
* schannel: using IP address, SNI is not supported by OS.
* ALPN: curl offers http/1.1
* ALPN: server did not agree on a protocol. Uses default.
* Connected to 10.10.0.2 (10.10.0.2) port 8443
* using HTTP/1.x
* Server auth using Basic with user 'davidutz@root@10.10.0.3'
> GET / HTTP/1.1
> Host: 10.10.0.2:8443
> Authorization: Basic ZGF2aWR1dHpAcm9vdEAxMC4xMC4wLjM6RW5nbCpfcXFDfTMpXTluanshMm9XaT8rST5kPUVkaSk=
> User-Agent: curl/8.13.0
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* Request completely sent off
* schannel: server close notification received (close_notify)
* HTTP 1.0, assume close after body
< HTTP/1.0 403 Access Denied (access denied to remote this way)
< Date: Tue Jul  8 10:43:48 2025 GMT
< Connection: close
< Server: The Bastion 3.20.00
< X-Bastion-Instance: main-bastion
< X-Bastion-ReqID: 45f160417cd5
< X-Bastion-Remote-IP: 10.10.0.3
< X-Bastion-Request-Length: 0
< X-Bastion-Auth-Mode: self/default
< X-Bastion-Local-Status: 403 Access Denied (access denied to remote this way)
< Content-Type: text/plain
<
This account doesn't have access to root@10.10.0.3:443 using this auth mode (self/default)

* schannel: server indicated shutdown in a prior call
* shutting down connection #0

@speed47 commented on GitHub (Jul 8, 2025):

OK I see what is your problem here. This part is not very well documented because only a few people use it, there's clearly room for improvement on that!

When you want to use a group access with the HTTPS proxy, you have to tell it explicitly, because otherwise it defaults to checking your personal accesses (that's what self/default means). This is the case because contrary to SSH, we don't want to try multiple access ways (which would be multiple different passwords), whereas for SSH we can try multiple keys.

There's a hint in the error message when you're not providing a valid Authorization line:

Expected an Authorization line with credentials of the form 'BASTIONACCOUNT@USEREXPR@HOSTEXPR:PASSWORD' where
USEREXPR can be either 'DEVICEUSER' or 'group=BASTIONGROUP,user=DEVICEUSER' or 'user=DEVICEUSER'
HOSTEXPR can be either a 'HOST' or 'HOST%PORT', with HOST being a resolvable hostname or IP

But it should be better documented indeed. Long story short, in your case, this should work:

curl -v -k -u davidutz@group=SuperSysadmin,user=root@10.10.0.3 https://10.10.0.2:8443
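The credential grammar quoted in the comment above, worked through as an added example. This is Python written for this page, not the-bastion's own (Perl) code: it parses the `BASTIONACCOUNT@USEREXPR@HOSTEXPR:PASSWORD` userinfo from a Basic `Authorization` header and then checks only the one access path the credential names, with no fallback, which is exactly why the issue's `davidutz@root@10.10.0.3` request was answered with `self/default` even though a group access existed. Assumptions: the default port 443 is taken from the page's 403 message (the request named no port); the `group/<name>` auth-mode label and all function names, sample accesses and sample passwords are constructed for the example, and the page's real Basic token is deliberately not reused.

```python
from __future__ import annotations

import base64
from dataclasses import dataclass
from typing import Optional

# Assumed from the page: the 403 body names port 443 when HOSTEXPR carried no %PORT.
DEFAULT_PORT = 443

Target = tuple[str, str, int]  # (device_user, host, port)


class CredentialFormatError(ValueError):
    """The Authorization userinfo does not follow the documented grammar."""


@dataclass(frozen=True)
class ProxyCredential:
    account: str            # BASTIONACCOUNT
    device_user: str        # DEVICEUSER on the target host
    group: Optional[str]    # BASTIONGROUP when the group access path is requested
    host: str
    port: Optional[int]     # None when HOSTEXPR had no %PORT suffix
    password: str

    @property
    def auth_mode(self) -> str:
        # 'self/default' is the label seen on the page; 'group/<name>' is an
        # assumed label for the group path, not the bastion's own wording.
        return "self/default" if self.group is None else f"group/{self.group}"


def parse_user_expr(expr: str) -> tuple[str, Optional[str]]:
    """USEREXPR: 'DEVICEUSER' | 'user=DEVICEUSER' | 'group=BASTIONGROUP,user=DEVICEUSER'."""
    if not expr:
        raise CredentialFormatError("empty USEREXPR")
    if "=" not in expr:
        return expr, None
    fields: dict[str, str] = {}
    for part in expr.split(","):
        key, sep, value = part.partition("=")
        if not sep or key not in ("group", "user") or not value or key in fields:
            raise CredentialFormatError(f"bad USEREXPR field {part!r}")
        fields[key] = value
    if "user" not in fields:
        raise CredentialFormatError("USEREXPR with '=' must name user=DEVICEUSER")
    return fields["user"], fields.get("group")


def parse_host_expr(expr: str) -> tuple[str, Optional[int]]:
    """HOSTEXPR: 'HOST' | 'HOST%PORT' ('%' rather than ':' so the port survives the Basic split)."""
    host, sep, port = expr.partition("%")
    if not host:
        raise CredentialFormatError("empty HOST")
    if not sep:
        return host, None
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise CredentialFormatError(f"bad PORT {port!r}")
    return host, int(port)


def parse_credential(userinfo: str) -> ProxyCredential:
    """Parse decoded Basic userinfo; only the first ':' ends the user part, so passwords may hold ':' or '@'."""
    userpart, sep, password = userinfo.partition(":")
    if not sep or not password:
        raise CredentialFormatError("missing ':PASSWORD'")
    pieces = userpart.split("@")
    if len(pieces) != 3 or not pieces[0]:
        raise CredentialFormatError("expected BASTIONACCOUNT@USEREXPR@HOSTEXPR")
    account, user_expr, host_expr = pieces
    device_user, group = parse_user_expr(user_expr)
    host, port = parse_host_expr(host_expr)
    return ProxyCredential(account, device_user, group, host, port, password)


def encode_basic(userinfo: str) -> str:
    """Build the header value curl -u would send for the given userinfo."""
    return "Basic " + base64.b64encode(userinfo.encode("utf-8")).decode("ascii")


def parse_authorization_header(value: str) -> ProxyCredential:
    """Decode an 'Authorization: Basic <b64>' header value and parse its userinfo."""
    scheme, sep, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not sep:
        raise CredentialFormatError("only Basic authentication is accepted")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise CredentialFormatError("Authorization token is not valid base64") from exc
    return parse_credential(decoded)


def authorize(cred: ProxyCredential, personal: dict[str, set[Target]],
              group_servers: dict[str, set[Target]], group_members: dict[str, set[str]]) -> tuple[int, str]:
    """Check only the path the credential names: personal accesses for self/default,
    membership plus the group's server list for group=...; never both (one password, one path)."""
    target: Target = (cred.device_user, cred.host, cred.port if cred.port is not None else DEFAULT_PORT)
    if cred.group is None:
        allowed = target in personal.get(cred.account, set())
    else:
        allowed = (cred.account in group_members.get(cred.group, set())
                   and target in group_servers.get(cred.group, set()))
    if allowed:
        return 200, "OK"
    user, host, port = target
    return 403, f"This account doesn't have access to {user}@{host}:{port} using this auth mode ({cred.auth_mode})"


# Constructed state mirroring the issue: no personal access, one group access via membership.
SAMPLE_PERSONAL: dict[str, set[Target]] = {}
SAMPLE_GROUP_SERVERS = {"SuperSysadmin": {("root", "10.10.0.3", 22), ("root", "10.10.0.3", 443)}}
SAMPLE_GROUP_MEMBERS = {"SuperSysadmin": {"davidutz"}}


def demo() -> tuple[tuple[int, str], tuple[int, str]]:
    """The issue's failing request beside the working one (constructed password)."""
    failing = parse_authorization_header(encode_basic("davidutz@root@10.10.0.3:constructed-password"))
    working = parse_authorization_header(encode_basic("davidutz@group=SuperSysadmin,user=root@10.10.0.3:constructed-password"))
    state = (SAMPLE_PERSONAL, SAMPLE_GROUP_SERVERS, SAMPLE_GROUP_MEMBERS)
    return authorize(failing, *state), authorize(working, *state)


if __name__ == "__main__":
    for status, body in demo():
        print(status, body)
```

Run as a script it prints the 403 line from the issue for the first credential and `200 OK` for the second; the point worth keeping from the parser is that `HOST%PORT` uses `%` precisely because `:` is already the Basic-auth separator, and that the password is everything after the first `:`, so a generated proxy password containing `:` or `@` still parses.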

@DavidutzDev commented on GitHub (Jul 8, 2025):

Thank you so much for your help.

Now everything works perfectly thanks to you. There's definitely room for improvement concerning the documentation of The Bastion, but I really appreciate your work and that's an amazing project I will follow and try to incorporate in my own stacks.
In my opinion, The Bastion can be more than just a SSH gateway, there's already a few supported protocols and that are such interesting features I am eager to explore.

I don't know your vision for this project or the one OVH have in mind but I hope this project will continue to have updates and maybe even new features. Thanks for your work and making this opensource project living !
