Applications that access user data sometimes need to connect to on-premises services. This is a common situation for developers building with Kloudless Enterprise, our self-hosted Docker containers. End-customers’ IT staff may be uncomfortable exposing their internal services via a public IP, or there may be compliance restrictions that prevent them from doing so. In order to allow these users to securely connect their private services to Kloudless Enterprise, we’ve created the Kloudless Connect proxy. Some of the most commonly used protocols and apps it supports include the following:
- Adobe CQ5
The Kloudless Connect Proxy is an agent that runs in the customer’s environment. It establishes a tunnel via an encrypted outbound connection. API requests to the Kloudless server pass through the tunnel in the reverse direction to reach the private service in the customer’s environment without requiring firewall changes. This post covers the developer and end-user experience of using the Kloudless Connect proxy.
Configuring the Kloudless server
On the Kloudless Enterprise server, remote proxies’ access is managed via the ke_manage_remote_networks utility. This utility manages “remote networks”, each of which represents a single remote Kloudless Connect Proxy. The command takes a user-provided public key and a label. The keys are SSH keys, which can be generated with ssh-keygen. The following command creates an example remote network using a customer’s public key:
```
ke_manage_remote_add example_customer --pub-key example_rsa.pub
```
Customer environment configuration
The Kloudless Connect Proxy runs on the customer’s premises as a Docker container, or as a package installed on a Debian-based Linux (Ubuntu 14.04 LTS or later) server. The following commands install the proxy:
```
wget "https://s3.amazonaws.com/kloudless-enterprise/debs/python-ke-connect_1.0.1_all.deb"
sudo dpkg -i python-ke-connect_1.0.1_all.deb
sudo apt-get install -f
```
Once the agent is installed, modify the default configuration at /etc/kloudless/connect.yaml to describe the services to proxy. This example shows the configuration to connect an internal SMB file server:
```
appliance: "kloudless.example.com:22"
ssh_key: "/etc/kloudless/example_rsa"
repositories:
  test_group:
    - kloudless_smb: "smb://samba.example.com:139"
```
Reload the daemon once the configuration is in place:
```
sudo service kloudless_connect reload
```
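A config mistake in connect.yaml only surfaces after the tunnel is reloaded, so it helps to sanity-check the file first. The following is an added example, not part of the Kloudless Connect package; it validates the structure shown above (appliance as host:port, an absolute ssh_key path, and a repositories map of group names to single-entry service URLs) and assumes smb is the only scheme, since that is the only one the post shows.

```python
"""Structural checks for a parsed Kloudless Connect connect.yaml (added example)."""
from urllib.parse import urlsplit

# Assumption: only the scheme shown in the post is accepted.
ALLOWED_SCHEMES = {"smb"}


def _split_host_port(value):
    """Return (host, port) for 'host:port', or None if malformed."""
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        return None
    return host, int(port)


def validate_connect_config(cfg):
    """Return a list of problems found in the parsed config (empty list = OK)."""
    problems = []
    appliance = cfg.get("appliance")
    if not isinstance(appliance, str) or _split_host_port(appliance) is None:
        problems.append("appliance must be 'host:port'")
    ssh_key = cfg.get("ssh_key")
    if not isinstance(ssh_key, str) or not ssh_key.startswith("/"):
        problems.append("ssh_key must be an absolute path to the private key")
    repos = cfg.get("repositories")
    if not isinstance(repos, dict) or not repos:
        problems.append("repositories must map group names to lists of services")
        return problems
    for group, services in repos.items():
        if not isinstance(services, list) or not services:
            problems.append(f"group {group!r} must be a non-empty list")
            continue
        for entry in services:
            # Each list item is a single 'service_name: url' mapping.
            if not isinstance(entry, dict) or len(entry) != 1:
                problems.append(f"group {group!r}: each entry is one 'name: url' pair")
                continue
            (name, url), = entry.items()
            parts = urlsplit(str(url))
            if parts.scheme not in ALLOWED_SCHEMES:
                problems.append(f"{name}: unsupported scheme {parts.scheme!r}")
            if not parts.hostname:
                problems.append(f"{name}: URL has no host")
    return problems


# Constructed sample: the post's example file as yaml.safe_load would return it.
SAMPLE_CONFIG = {
    "appliance": "kloudless.example.com:22",
    "ssh_key": "/etc/kloudless/example_rsa",
    "repositories": {"test_group": [{"kloudless_smb": "smb://samba.example.com:139"}]},
}

if __name__ == "__main__":
    print(validate_connect_config(SAMPLE_CONFIG) or "config OK")
```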
Connecting an Account
After the tunnel is running, the developer needs a “Group Key” from the Application Details page on the appliance Developer Portal:
The Group Key is a secret that lets an end-user choose a proxied service during the authentication flow. This value is set in the group query parameter of the URL used to connect the account, for example:
The user will now be able to choose a service from the drop-down instead of manually specifying the host:
Once the user connects their account, all requests performed to the Kloudless appliance are proxied through the Kloudless Connect tunnel. Aside from the small change during authentication, the account behaves just like a normal account!
For a more detailed walkthrough of the setup process or for other possible configurations, please reach out to us at firstname.lastname@example.org.