February 25, 2019, by David Thorman

Integrating with on-prem apps via the Kloudless Connect proxy

Kloudless is a Unified API that abstracts away differences between different APIs to create a uniform interface for developers. Users can connect any supported service account without developers having to integrate each service into their apps individually.

Applications that access user data sometimes need to connect to on-premises services. This is a common situation for developers building with Kloudless Enterprise, our self-hosted Docker containers. End-customers' IT staff may be uncomfortable exposing their internal services via a public IP, or there may be compliance restrictions that prevent them from doing so.

To allow these users to securely connect their private services to Kloudless Enterprise, we've created the Kloudless Connect proxy. Some of the most commonly used protocols and apps it supports include the following:

- SMB
- WebDAV
- Adobe CQ5
- CMIS
- Alfresco

The Kloudless Connect Proxy is an agent that runs in the customer's environment. It establishes a tunnel via an encrypted outbound connection. API requests to the Kloudless server pass through the tunnel in the reverse direction to reach the private service in the customer's environment without requiring firewall changes.

This post covers the developer and end-user experience of using the Kloudless Connect proxy.

Configuring the Kloudless server

On the Kloudless Enterprise server, remote proxies' access is managed via the ke_manage_remote_networks utility. This utility manages "remote networks", each of which represents a single remote Kloudless Connect Proxy. The command takes in a user-provided public key and a label. The keys used are SSH keys, which can be generated using ssh-keygen.
The following command creates an example remote network using a customer's public key:

    ke_manage_remote_add example_customer --pub-key example_rsa.pub

Customer environment configuration

The Kloudless Connect Proxy runs on the customer's premises as a Docker container, or as a package installed on a Debian-based Linux (Ubuntu 14.04 LTS or later) server. The following commands install the proxy:

Once the agent is installed, modify the default configuration at /etc/kloudless/connect.yaml to describe the services to proxy. This example shows the configuration to connect an internal SMB file server:

    appliance: "kloudless.example.com:22"
    ssh_key: "/etc/kloudless/example_rsa"
    repositories:
      test_group:
        - kloudless_smb: "smb://samba.example.com:139"

Reload the daemon once the configuration is in place:

    sudo service kloudless_connect reload

Connecting an Account

After the tunnel is running, the developer needs a "Group Key" from the Application Details page on the appliance Developer Portal.

The Group Key is a secret that lets an end-user choose a proxied service during the authentication flow.
This value is set in the group query parameter in the URL used to connect the account, for example:

    https://kloudless.example.com/v1/oauth/?client_id=APP_ID&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback&state=CSRF_PREVENTION_TOKEN&group=EXAMPLEGROUPKEY&scope=smb.storage

The user will now be able to choose a service from the drop-down instead of manually specifying the host.

Once the user connects their account, all requests performed to the Kloudless appliance are proxied through the Kloudless Connect tunnel. Aside from the small change during authentication, the account behaves just like a normal account!

More Information

For a more detailed walkthrough of the setup process or for other possible configurations, please reach out to us at firstname.lastname@example.org.
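
Added example (not Kloudless code): building the connect URL from the "Connecting an Account" section on the server side with a fresh random state value, then checking that value on the callback before accepting the authorization code. The callback's code and state parameters are assumed to follow the standard OAuth 2.0 authorization-code flow implied by response_type=code, and the function names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Host, path and parameter names come from the example URL in the post.
APPLIANCE = "https://kloudless.example.com"


def build_connect_url(client_id, redirect_uri, group_key, scope="smb.storage"):
    """Return (url, state); keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable, single-use CSRF token
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,  # urlencode percent-encodes this value
        "state": state,
        "group": group_key,  # lets the user pick a proxied service
        "scope": scope,
    })
    return f"{APPLIANCE}/v1/oauth/?{query}", state


def parse_callback(callback_url, expected_state):
    """Return the authorization code, or raise ValueError if the callback is not ours.

    Assumption: the redirect carries `code` and `state` query parameters, as in
    the standard OAuth 2.0 authorization-code flow.
    """
    params = parse_qs(urlsplit(callback_url).query)
    states = params.get("state", [])
    # Exactly one state value, compared in constant time against the session copy.
    if len(states) != 1 or not hmac.compare_digest(
        states[0].encode(), expected_state.encode()
    ):
        raise ValueError("state mismatch: discard this callback")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("missing or repeated authorization code")
    return codes[0]


if __name__ == "__main__":
    # Constructed sample values matching the placeholders used in the post.
    url, state = build_connect_url(
        "APP_ID", "http://localhost:8080/callback", "EXAMPLEGROUPKEY")
    print(url)
    print(parse_callback(
        f"http://localhost:8080/callback?code=SAMPLE&state={state}", state))
```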