starred/the-bastion
1
0
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2026-05-09 08:25:27 +02:00
Code Issues 46 Projects Packages Wiki Activity

[GH-ISSUE #166] Documentation on HTTP Proxy #39

New issue
Closed
opened 2026-05-07 00:17:57 +02:00 by BreizhHardware · 4 comments
BreizhHardware commented 2026-05-07 00:17:57 +02:00
Owner
Copy link

Originally created by @sdktr on GitHub (Mar 25, 2021).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/166

Hi team,
Is there any hints you can provide regarding the current and intended functionality of the 'http proxy'?
Is it serving the same purpose of the SSH bastion, but for HTTPS <--> HTTPS connections? What authentication methods does it support on the ingress/egress side?

Originally created by @sdktr on GitHub (Mar 25, 2021). Original GitHub issue: https://github.com/ovh/the-bastion/issues/166 Hi team, Is there any hints you can provide regarding the current and intended functionality of the '[http proxy](https://github.com/ovh/the-bastion/blob/d67141b10af49a451a58951b7ddb5535ea9cc2f7/bin/proxy/osh-http-proxy-worker)'? Is it serving the same purpose of the SSH bastion, but for HTTPS <--> HTTPS connections? What authentication methods does it support on the ingress/egress side?
BreizhHardware commented 2026-05-07 00:17:58 +02:00
Author
Owner
Copy link

@speed47 commented on GitHub (Mar 29, 2021):

Hello @sdktr ,

You're right, the HTTP Proxy is lacking documentation, that's why it's more or less an hidden feature for now, and it's not advertised too much, it'll be when we have written the documentation. But I can give you a few insights, so you can determine whether this fits the use case you have or not. If it does, it might be a good time for us to allocate some time writing the doc :)

We've developed this feature mainly to manage network devices, that now start having HTTPS APIs instead of just plain old SSH. The idea is to keep the principle of "identity Ix with credentials Cx on the ingress connection, might give access to a set of identities Iy with credentials Cy to a list of network devices". In that case, the credentials are different on the ingress and egress side, and the actual credentials that give access to the device are only present on the bastion. It's useful to have traceability even if for some reason you have service accounts on the egress side that might be used by several different entities. Under the hood, it works in a similar way than for SSH: the request is executed under the user's system account, which can only read the credentials they're allowed to. This also means that there is a non-negligible overhead (to sudo to the proper user) of around 150ms (depending on your hardware obviously). For the use case we designed it for (sending commands to network devices), it doesn't matter, but it might be a problem if response time is a very important metric in your use case.

As we wanted to be compatible with libraries and such, on the ingress side, that would expect to be talking to the remote device directly, we support only HTTPS with Basic-auth on the ingress side (that's what network devices support and expect), and same thing on the egress side.

If that sounds interesting to you, I'll try to draft some documentation soon.

<!-- gh-comment-id:809447334 --> @speed47 commented on GitHub (Mar 29, 2021): Hello @sdktr , You're right, the HTTP Proxy is lacking documentation, that's why it's more or less an hidden feature for now, and it's not advertised too much, it'll be when we have written the documentation. But I can give you a few insights, so you can determine whether this fits the use case you have or not. If it does, it might be a good time for us to allocate some time writing the doc :) We've developed this feature mainly to manage network devices, that now start having HTTPS APIs instead of just plain old SSH. The idea is to keep the principle of "identity Ix with credentials Cx on the ingress connection, might give access to a set of identities Iy with credentials Cy to a list of network devices". In that case, the credentials are different on the ingress and egress side, and the actual credentials that give access to the device are only present on the bastion. It's useful to have traceability even if for some reason you have service accounts on the egress side that might be used by several different entities. Under the hood, it works in a similar way than for SSH: the request is executed under the user's system account, which can only read the credentials they're allowed to. This also means that there is a non-negligible overhead (to `sudo` to the proper user) of around 150ms (depending on your hardware obviously). For the use case we designed it for (sending commands to network devices), it doesn't matter, but it might be a problem if response time is a very important metric in your use case. As we wanted to be compatible with libraries and such, on the ingress side, that would expect to be talking to the remote device directly, we support only HTTPS with Basic-auth on the ingress side (that's what network devices support and expect), and same thing on the egress side. If that sounds interesting to you, I'll try to draft some documentation soon.
BreizhHardware commented 2026-05-07 00:17:58 +02:00
Author
Owner
Copy link

@sdktr commented on GitHub (Apr 8, 2021):

Thank you very much for this detailed explanation!
A different auth method between in- and egress legs would make this an absolute killer feature. For automated network tooling the current Basic method is propably enough for most of the tools, cert based (mtls) login would be even better. But endusers would greatly benifit from OIDC validated logins on the ingress while protecting the egress leg credentials on the bastion.

Like a combination of mysocketio or other fancy http 'frontend proxies' with the authorization framework and jumphost functionality of The Bastion

<!-- gh-comment-id:815882071 --> @sdktr commented on GitHub (Apr 8, 2021): Thank you very much for this detailed explanation! A different auth method between in- and egress legs would make this an absolute killer feature. For automated network tooling the current Basic method is propably enough for most of the tools, cert based (mtls) login would be even better. But endusers would greatly benifit from OIDC validated logins on the ingress while protecting the egress leg credentials on the bastion. Like a combination of [mysocketio](https://mysocket.readthedocs.io/en/latest/mysocketctl/mysocket.html#quick-connect-options) or other fancy http 'frontend proxies' with the authorization framework and jumphost functionality of The Bastion
BreizhHardware commented 2026-05-07 00:17:59 +02:00
Author
Owner
Copy link

@tolgaulas commented on GitHub (May 9, 2021):

@speed47 yes, a small documentation will be very helpful, pretty please.

<!-- gh-comment-id:835877451 --> @tolgaulas commented on GitHub (May 9, 2021): @speed47 yes, a small documentation will be very helpful, pretty please.
BreizhHardware commented 2026-05-07 00:17:59 +02:00
Author
Owner
Copy link

@speed47 commented on GitHub (Jun 30, 2021):

There is now some documentation about the HTTPS Proxy and its configuration file. It can still be improved but at least now there's something to look at :)

<!-- gh-comment-id:871524650 --> @speed47 commented on GitHub (Jun 30, 2021): There is now some documentation about the [HTTPS Proxy](https://ovh.github.io/the-bastion/using/http_proxy.html) and its [configuration file](https://ovh.github.io/the-bastion/administration/configuration/osh-http-proxy_conf.html). It can still be improved but at least now there's something to look at :)
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
expifix
groupcreate_fix_uid
fix_group_gid_fast
gh-pages
clush
expiration
jsonvalidator
v3.23.01
v3.23.00
v3.22.00
v3.21.00
v3.20.00
v3.19.01
v3.19.00
v3.18.99-rc1
v3.18.00
v3.17.01
v3.17.00
v3.16.99-rc3
v3.16.99-rc2
v3.16.99-rc1
v3.16.01
v3.16.00
v3.15.00
v3.14.16
v3.14.15
v3.14.00
v3.13.01
v3.13.00
v3.12.00
v3.11.02
v3.11.01
v3.11.00
v3.10.00
v3.09.02
v3.09.00-really
v3.09.00
v3.09.00-rc3
v3.09.00-rc2
v3.09.00-rc1
v3.08.01
v3.08.00
v3.07.00
v3.06.00
v3.05.01
v3.05.00
v3.04.00
v3.03.99-rc2
v3.03.99-rc1
v3.03.01
v3.03.00
v3.02.00
v3.01.99-rc4
v3.01.99-rc3
v3.01.99-rc2
v3.01.99-rc1
v3.01.03
v3.01.02
v3.01.01
v3.01.00
v3.00.02
v3.00.01
v3.00.00
Labels
Clear labels   
answered

   
bug

   
documentation

   
enhancement

   
enhancement

   
feature

   
feature

   
kept-open-for-info

   
pull-request
Mirrored from GitHub Pull Request

  
question
No labels
answered
bug
documentation
enhancement
enhancement
feature
feature
kept-open-for-info
pull-request
question
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/the-bastion#39
No description provided.