Access HTTPS resources behind SSH Servers

[Atroskelis]

Hello!

We have one teleport server and auth in the central hub and about a dozen SSH Servers with the teleport agents on them that connect to HQ behind client firewalls

We wish to know if its possible to connect to a HTTPS host behind the ssh servers or we're condemned to use something like X11 / XRDP /VNC in desktop mode ( the linux servers have no desktop)

Anticipated thanks!

[webvictim]

If you mean an HTTPS application running on those servers (or somewhere else on the remote networks they have connectivity to) then yes - this is exactly what Teleport's app_service does!

Follow the steps in this guide: https://goteleport.com/docs/enroll-resources/application-access/guides/connecting-apps/#start-the-teleport-application-service-with-a-config-file

You'll need to:

• add the app_service block from that config to your existing Teleport config files on the server
• replace the token in the config file with one valid for node,app
  • running tctl tokens add --type=node,app while logged into your cluster from a local machine should generate one for you
• make sure you have valid TLS certificates for all the app subdomains you're trying to access
  • if your app is called grafana and your cluster is teleport.example.com, you need certs for:
    • teleport.example.com
    • grafana.teleport.example.com (or a wildcard *.teleport.example.com)
• point the DNS for grafana.teleport.example.com (or *.teleport.example.com) to your Teleport proxy
• restart Teleport on your proxy and then on the remote agent

[Atroskelis]

If you mean an HTTPS application running on those servers (or somewhere else on the remote networks they have connectivity to) then yes - this is exactly what Teleport's app_service does!

Follow the steps in this guide: https://goteleport.com/docs/enroll-resources/application-access/guides/connecting-apps/#start-the-teleport-application-service-with-a-config-file

You'll need to:

• add the app_service block from that config to your existing Teleport config files on the server

• replace the token in the config file with one valid for node,app

  • running tctl tokens add --type=node,app while logged into your cluster from a local machine should generate one for you

• make sure you have valid TLS certificates for all the app subdomains you're trying to access

  • if your app is called grafana and your cluster is teleport.example.com, you need certs for:

    • teleport.example.com
    • grafana.teleport.example.com (or a wildcard *.teleport.example.com)

• point the DNS for grafana.teleport.example.com (or *.teleport.example.com) to your Teleport proxy

• restart Teleport on your proxy and then on the remote agent

The context is as follows

HQ Teleport + Auth <-> Client SSH Server with teleport agent (private IP) <-> firewall that exposes HTTPS/SSH (Private IP)

What i dont quite understand:

1. The URI is then supposed to the Firewall MGMT Page ?
2. Is there an option without the A record? Couldnt we just use Teleport Connect exclusively for this?

Thanks!

[webvictim]

The URI is the hostname or address of the HTTPS interface that you want to expose through Teleport. For example, if your SSH server can see the firewall on 192.168.10.12, you'd put:

app_service:
  enabled: true
  apps:
  - name: firewall
    uri: https://192.168.10.12

This app would then be available on https://firewall.teleport.example.com with a layer of Teleport authentication in front of it.

You should technically be able to connect to this without the A record by doing this:

• tsh app login firewall
• tsh proxy app --port 11123 firewall
• then connect your browser to https://localhost:11123

You can also do this proxy setup through Teleport Connect.