Explicit Proxy for a Publisher

Definitions

NPA Publisher Explicit Proxy Configuration: enables the NPA Publisher to establish connections to its dependent services through an explicit proxy, excluding private applications.

Introduction

The Publisher is one of the major components of Netskope Private Access (NPA). Unlike the other NPA components, such as the Gateway, the Stitcher, and the management services, which reside in the Netskope private cloud, the NPA Publisher resides in the customer network, where it can reach the customer's private services.

Without an explicit proxy configuration, your network firewall has to allow the NPA Publisher to establish direct connections to its dependent services: the NPA Stitcher and management services for NPA operation, and the OS package and container image services for upgrade-related operations.

When your network uses an explicit proxy, the Publisher admin can configure the proxy settings. When the proxy settings are enabled, the NPA Publisher establishes its connections to dependent services through the proxy.

Background

A common practice is to specify network firewall rules that block all outgoing traffic for security. In such cases, an explicit proxy is usually the standard means of connecting to external network services.

In Linux, a common practice for proxy settings is to use the HTTPS_PROXY environment variable to specify the proxy server and port, and NO_PROXY for a list of domains or addresses for which the proxy should be bypassed. The /etc/environment file is a common place for the HTTPS_PROXY and NO_PROXY environment variables.

When a destination is in the bypass list, connections to that destination are established directly. Specific firewall rules are usually needed to allow traffic to such destinations.

Publisher Version R122

Starting with version R122, no special upgrade is needed and the proxy configuration is available to all users in Beta. Please ensure your Publisher is upgraded before proceeding.

Enabling Explicit Proxy

A Publisher admin uses the Publisher Wizard to enable the explicit proxy configuration. On startup, the Publisher Wizard reads the proxy settings from HTTPS_PROXY and NO_PROXY in the /etc/environment file. When the proxy settings are changed, the Publisher Wizard saves the configuration to the /etc/environment file. The Publisher Wizard also writes the current proxy settings into the APT configuration in /etc/apt/apt.conf.d/00publisherwizard and the Docker daemon drop-in in /etc/systemd/system/docker.service.d/publisherwizard.conf.

Notes

  • A standard HTTPS proxy with no authentication and no SSL inspection is supported.
  • This feature covers all standard Netskope components, Ubuntu updates, and Docker. Other components are not guaranteed to use the proxy configuration, and traffic to private applications never uses the proxy configuration, regardless of the bypass list.

The Proxy settings menu is under the Network settings menu, as shown below:

Configuration menu:
1. Upgrade
2. Network settings
3. Syslog settings
4. Troubleshooter
5. Log settings
6. Exit

Press 2 for Network settings.

Network settings:
       Local IP addresses: 172.31.17.115 Gateway: 172.31.16.1
       DNS: 172.31.0.2
       EDNS: Enabled for Stitcher connectivity
       Default search domain: us-west-2.compute.internal
       Warning: Connectivity to the Netskope Dataplane could not be verified. Please check your firewall settings or (re)configure network settings.
       Proxy settings:
             Disabled

Network interfaces: 
       eth0

       Warning: This NPA Publisher appears to be running in a Public Cloud environment, please manage all network configurations, except for proxy settings, directly via the Cloud Provider Console.

Configuration menu:
1. Use DHCP
2. Use Static IP
3. Disable EDNS
4. Configure proxy settings
5. Return to previous menu

Press 4 for Proxy Settings.

Proxy server: ip-172-31-24-80.us-west-2.compute.internal
Proxy port: 3128
Proxy bypass:

Proxy server and port are required.

Proxy bypass is optional and usually not needed. The destinations required for internal functions are added automatically.

  • FQDNs, wildcards, IPs, and CIDR ranges can be added to the bypass list.
  • Multiple proxy bypass items are separated by commas, e.g. *.docker.io,www.tutorialspoint.com,100.0.1.20,100.0.0.0/8

Two destinations, 127.0.0.1 and localhost, are added to the proxy bypass list automatically.
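As an added illustration (not part of the Publisher Wizard or any Netskope code), the following Python shows how a bypass list in the syntax above can be validated and how a destination is matched against it, using the example list from this page. The wildcard and CIDR matching rules are assumptions modelled on common NO_PROXY behaviour; the two mandatory entries are appended automatically.

```python
import ipaddress
import re

# Added example: a reference matcher for the Publisher bypass-list syntax
# (FQDN, wildcard, IP, CIDR, comma separated).  The exact matching rules of
# the Publisher Wizard are an assumption; this mirrors common NO_PROXY
# behaviour and always bypasses 127.0.0.1 and localhost.
ALWAYS_BYPASS = ("127.0.0.1", "localhost")
_FQDN_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)*[a-z0-9-]+$", re.I)


def parse_bypass(value):
    """Split a comma-separated bypass string, validate each entry and make
    sure the two mandatory entries are present.  Returns a list of entries."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    for entry in entries:
        try:
            ipaddress.ip_network(entry, strict=False)   # plain IP or CIDR
            continue
        except ValueError:
            pass
        if not _FQDN_RE.match(entry):                   # FQDN or *.wildcard
            raise ValueError(f"invalid bypass entry: {entry!r}")
    for mandatory in ALWAYS_BYPASS:
        if mandatory not in entries:
            entries.append(mandatory)
    return entries


def should_bypass(dest, entries):
    """True if `dest` (hostname or IP literal) must be reached directly."""
    dest = dest.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        addr = None                       # dest is a hostname
    for entry in entries:
        entry = entry.lower()
        if addr is not None:
            try:
                if addr in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass                      # entry is a name, not a network
        elif entry.startswith("*."):
            if dest.endswith(entry[1:]):  # "*.docker.io" -> ".docker.io"
                return True
        elif dest == entry:
            return True
    return False
```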

Network settings:
           Local IP addresses: 172.31.17.115, 191.1.0.1
           Gateway: 172.31.16.1
           DNS: 172.31.0.2
           EDNS: Enabled for Stitcher connectivity
           Default search domain: us-west-2.compute.internal
           Stitcher: 103.47.244.165
           Proxy settings:
                 Enabled
                 Server: ip-172-31-24-80.us-west-2.compute.internal Port: 3128
                 Bypass: 127.0.0.1,localhost
Network interfaces: 
           eth0

           Warning: This NPA Publisher appears to be running in a Public Cloud environment, please manage all network configurations, except for proxy settings, directly via the Cloud Provider Console.

If the proxy settings are Enabled and the Stitcher IP address is shown, the Publisher is connecting through the proxy.

Configure Proxy Settings with the Publisher Token

The Publisher already supports configuration through a Publisher token, and the token can be extended manually to include the proxy settings. Obtain a Publisher token like the following example:

eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJucy0xMzgyLm5wYTAxLW1wLW5wZS5ucGEuYm9vbXNrb3BlLmNvbSIsInN1YiI6IjMwMjRhMGM0MjhmODk3NWUiLCJleHAiOjE3MDUwNDQzNzIsImp0aSI6I…

The proxy settings look like the following (the NO_PROXY entries below are mandatory):

HTTPS_PROXY=ip-172-31-24-80.us-west-2.compute.internal:3128
PUBLISHER_USE_PROXY="true"
NO_PROXY=127.0.0.1,localhost

Encode the proxy settings by running a base64 command in the shell as below (ensure 127.0.0.1 and localhost are always present in the NO_PROXY list; -w 0 keeps the output on a single line so it can be appended to the token without a line break):

# -w 0 disables the default 76-column line wrapping so the output is one line
base64 -w 0 <<END
HTTPS_PROXY=ip-172-31-24-80.us-west-2.compute.internal:3128
PUBLISHER_USE_PROXY="true"
NO_PROXY=127.0.0.1,localhost
END

The command prints the following output:

SFRUUFNfUFJPWFk9aXAtMTcyLTMxLTI0LTgwLnVzLXdlc3QtMi5jb21wdXRlLmludGVybmFsOjMxMjgKUFVCTElTSEVSX1VTRV9QUk9YWT0idHJ1ZSIKTk9fUFJPWFk9MTI3LjAuMC4xLGxvY2FsaG9zdAo=

Then combine the two, starting with the token, followed by a comma character (,) and then the base64-encoded proxy configuration:

eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJucy0xMzgyLm5wYTAxLW1wLW5wZS5ucGEuYm9vbXNrb3BlLmNvbSIsInN1YiI6IjMwMjRhMGM0MjhmODk3NWUiLCJleHAiOjE3MDUwNDQzNzIsImp0aSI6I…,SFRUUFNfUFJPWFk9aXAtMTcyLTMxLTI0LTgwLnVzLXdlc3QtMi5jb21wdXRlLmludGVybmFsOjMxMjgKUFVCTElTSEVSX1VTRV9QUk9YWT0idHJ1ZSIKTk9fUFJPWFk9MTI3LjAuMC4xLGxvY2FsaG9zdAo=

You can use the combined string as the Publisher token. The Publisher Wizard splits the Publisher token at the comma, using the first part for Publisher registration and the second part for the proxy settings.
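The pack-and-split round trip described in this section, as an added example in Python (not Netskope's code): it renders the three settings lines, appends their base64 encoding to the token, and on the way back checks that the mandatory NO_PROXY entries are present and that the base64 carries no line break. The token value header.payload.signature is a placeholder, and the comma check reflects the stated split behaviour.

```python
import base64

MANDATORY_NO_PROXY = ("127.0.0.1", "localhost")


def build_proxy_settings(server, port, bypass=()):
    """Render the settings block the Publisher Wizard expects; the two
    mandatory NO_PROXY entries are always placed first."""
    no_proxy = list(MANDATORY_NO_PROXY)
    no_proxy += [b for b in bypass if b not in MANDATORY_NO_PROXY]
    return (f"HTTPS_PROXY={server}:{port}\n"
            f'PUBLISHER_USE_PROXY="true"\n'
            f"NO_PROXY={','.join(no_proxy)}\n")


def combine_token(publisher_token, settings):
    """Return '<token>,<base64(settings)>' (assumed format from this page).
    A comma inside the token would break the wizard's split, so reject it."""
    if "," in publisher_token:
        raise ValueError("publisher token must not contain a comma")
    # b64encode never wraps, unlike the GNU base64 default of 76 columns
    encoded = base64.b64encode(settings.encode()).decode()
    return f"{publisher_token},{encoded}"


def split_token(combined):
    """Inverse of combine_token: returns (token, settings dict).  Rejects
    base64 containing whitespace (a wrapped line) and settings that lack
    the mandatory NO_PROXY entries."""
    token, _, encoded = combined.partition(",")
    # validate=True makes a stray newline from line wrapping raise ValueError
    raw = base64.b64decode(encoded, validate=True).decode()
    settings = {}
    for line in raw.splitlines():
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    no_proxy = settings.get("NO_PROXY", "").split(",")
    missing = [m for m in MANDATORY_NO_PROXY if m not in no_proxy]
    if missing:
        raise ValueError(f"NO_PROXY is missing mandatory entries: {missing}")
    return token, settings
```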

Troubleshooting

When Proxy settings are Enabled and Stitcher is Unknown, the Publisher cannot connect to the Stitcher via the proxy server. Engage your sales team to go through the troubleshooting steps.

Network settings:
       Local IP addresses: 172.31.30.9 
       Gateway: 172.31.16.1
       DNS: 172.31.0.2
       EDNS: Enabled for Stitcher connectivity
       Default search domain: us-west-2.compute.internal 
       Stitcher: Unknown
       Proxy settings:
             Enabled
             Server: ip-172-31-24-80.us-west-2.compute.internal Port: 3128
             Bypass: 127.0.0.1,localhost

You can check the Publisher Wizard log in logs/publisher_wizard.log; close the Publisher Wizard first to access it. If the following log entries are found, the connection through the proxy failed.

2024/10/23 08:10:49 UTC - 2967 publisherhelper => stitcherHost: -> 103.47.244.165
2024/10/23 08:10:54 UTC - 2967 Error: Failed to do request Connect "https://103.47.244.165:443": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

If your Publisher is not connecting to the Stitcher, check the Publisher logs in logs/agent.txt. The entries below also indicate problems with the configured proxy server.

[ip-172-31-34-12:2024-11-07 15:48:02.458 +00:00] [info] httpsproxy.cpp:49:configureFromEnv():0x7f58a16ed930 Use Proxy [172.31.47.18:3128] with 2 bypass. 127.0.0.1,localhost
[ip-172-31-34-12:2024-11-07 15:48:02.464 +00:00] [warning] tundevice.cpp:127:openDevice():0x0 ** TUN opened: tun0
[ip-172-31-34-12:2024-11-07 15:48:02.523 +00:00] [info] dispatcherEpoll.cpp:185:startDispatchSync():0x7f58a165d000 Start Dispatcher 0x0x7f58a165d000 Sync (Beta1).
[ip-172-31-34-12:2024-11-07 15:48:02.623 +00:00] [info] agenthandler.cpp:526:refreshAndConnect():0x7f58a16ed500 Launching discovery
[ip-172-31-34-12:2024-11-07 15:48:02.623 +00:00] [info] process_runner.cpp:26:start():0x7f58a1640230 Starting commands './npa_publisher_wizard -discoveryrefresh'
[ip-172-31-34-12:2024-11-07 15:48:05.727 +00:00] [info] process_runner.cpp:74:handleClose():0x7f58a1640230 Process execution is complete
[ip-172-31-34-12:2024-11-07 15:48:05.728 +00:00] [info] agenthandler.cpp:188:resolveByEDNS():0x7f58a1655290 Querying external DNS server for stitcher.npa.goskope.com
[ip-172-31-34-12:2024-11-07 15:48:05.730 +00:00] [info] sslhelper.cpp:115:newCtx():0x0 Tls Cipher list : Default
[ip-172-31-34-12:2024-11-07 15:48:08.797 +00:00] [info] tcpclient.cpp:195:handleClose():0x7f58a1715600 Closing socket m_fd 11 fd 11
[ip-172-31-34-12:2024-11-07 15:48:08.800 +00:00] [error] httpclient.cpp:118:sendResponseToChildOnce():0x7f58a163c040 HTTP Request GET /resolve?name=stitcher.npa.goskope.com HTTP/1.1
Host: dns.google
User-Agent: curl/7.47.0 Content-Length: 0 Connection: close
Content-Type: application/json
. HTTP Client received non successful HTTP code. State 1 Timeout 0, Code 0 Length 0 Response
[ip-172-31-34-12:2024-11-07 15:48:08.800 +00:00] [error] ednshttpclient.cpp:41:handleResponse():0x7f58a163c040 External DNS query failed
[ip-172-31-34-12:2024-11-07 15:48:08.800 +00:00] [info] agenthandler.cpp:194:operator()():0x7f58a1655290 EDNS lookup for host stitcher.npa.goskope.com failed. Falling back to LDNS
[ip-172-31-34-12:2024-11-07 15:48:08.801 +00:00] [info] agenthandler.cpp:251:operator()():0x0 Got Proxy [172.31.47.18] IP via LDNS. Proxy IP is [172.31.47.18].
[ip-172-31-34-12:2024-11-07 15:48:08.801 +00:00] [info] agenthandler.cpp:484:connectToStitcher():0x7f58a16ed500 Connecting to Stitcher stitcher.npa.goskope.com via Proxy 172.31.47.18
[ip-172-31-34-12:2024-11-07 15:48:08.801 +00:00] [info] sslclient.cpp:161:prepare():0x0 Connecting to 172.31.47.18:3128, fd: 11
[ip-172-31-34-12:2024-11-07 15:48:11.869 +00:00] [info] socket_tools.cpp:228:connectWithTimeOut():0x0 SO_ERROR value 113 (No route to host), fd: 11
[ip-172-31-34-12:2024-11-07 15:48:11.869 +00:00] [info] socket_tools.cpp:228:connectWithTimeOut():0x0 SO_ERROR value 0 (Success), fd: 11
[ip-172-31-34-12:2024-11-07 15:48:11.869 +00:00] [info] sslclient.cpp:254:connect():0x0 Establishing SSL connection to 172.31.47.18:3128, timeout: 60s
[ip-172-31-34-12:2024-11-07 15:48:11.869 +00:00] [info] httpsproxy.cpp:148:requestConnect():0x7f58a16ed930 Requesting Proxy [172.31.47.18:3128] - [stitcher.npa.goskope.com:443] connection.
[ip-172-31-34-12:2024-11-07 15:48:11.869 +00:00] [error] httpsproxy_transport.cpp:31:sendMessage():0x7f58a162b9c0 Failed to send to proxy. Broken pipe.
[ip-172-31-34-12:2024-11-07 15:48:11.869 +00:00] [error] sslclient.cpp:236:sslConnect():0x0 Unable to establish SSL connection. Error 0 32 (Broken pipe). Closing socket 11
[ip-172-31-34-12:2024-11-07 15:48:11.869 +00:00] [info] agenthandler.cpp:576:establish():0x7f58a16ed500 SSL connection failed. Proxy [172.31.47.18:3128] - [stitcher.npa.goskope.com:443] state [Connection Error].
[ip-172-31-34-12:2024-11-07 15:48:12.871 +00:00] [info] agenthandler.cpp:526:refreshAndConnect():0x7f58a16ed500 Launching discovery
[ip-172-31-34-12:2024-11-07 15:48:12.871 +00:00] [info] process_runner.cpp:26:start():0x7f58a1640230 Starting commands './npa_publisher_wizard -discoveryrefresh'
[ip-172-31-34-12:2024-11-07 15:48:12.904 +00:00] [info] process_runner.cpp:74:handleClose():0x7f58a1640230 Process execution is complete
[ip-172-31-34-12:2024-11-07 15:48:12.905 +00:00] [info] agenthandler.cpp:188:resolveByEDNS():0x7f58a1655290 Querying external DNS server for stitcher.npa.goskope.com
[ip-172-31-34-12:2024-11-07 15:48:14.941 +00:00] [info] tcpclient.cpp:195:handleClose():0x7f58a1715900 Closing socket m_fd 11 fd 11
[ip-172-31-34-12:2024-11-07 15:48:14.941 +00:00] [error] httpclient.cpp:118:sendResponseToChildOnce():0x7f58a163c040 HTTP Request GET /resolve?name=stitcher.npa.goskope.com HTTP/1.1
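An added triage helper (not Netskope's tooling) that parses agent.txt lines in the format shown above and pulls out the configured proxy and bypass list, the EDNS failure, the socket error and the final Stitcher connection state. The sample log is a subset of the lines above; treating those phrases as stable markers is an assumption.

```python
import re

# Added example: triage for the Publisher agent.txt line format
#   [host:timestamp] [level] file.cpp:line:func():0xptr message
# The markers below are taken from the sample log on this page.
LINE_RE = re.compile(
    r"^\[(?P<host>[^:\]]+):(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?P<src>[\w.]+:\d+:\w+\(\)):0x[0-9a-f]+ (?P<msg>.*)$")

# Subset of the agent.txt lines shown on this page.
SAMPLE_AGENT_LOG = """\
[ip-172-31-34-12:2024-11-07 15:48:02.458 +00:00] [info] httpsproxy.cpp:49:configureFromEnv():0x7f58a16ed930 Use Proxy [172.31.47.18:3128] with 2 bypass. 127.0.0.1,localhost
[ip-172-31-34-12:2024-11-07 15:48:08.800 +00:00] [error] ednshttpclient.cpp:41:handleResponse():0x7f58a163c040 External DNS query failed
[ip-172-31-34-12:2024-11-07 15:48:08.801 +00:00] [info] agenthandler.cpp:484:connectToStitcher():0x7f58a16ed500 Connecting to Stitcher stitcher.npa.goskope.com via Proxy 172.31.47.18
[ip-172-31-34-12:2024-11-07 15:48:11.869 +00:00] [info] socket_tools.cpp:228:connectWithTimeOut():0x0 SO_ERROR value 113 (No route to host), fd: 11
[ip-172-31-34-12:2024-11-07 15:48:11.869 +00:00] [error] httpsproxy_transport.cpp:31:sendMessage():0x7f58a162b9c0 Failed to send to proxy. Broken pipe.
[ip-172-31-34-12:2024-11-07 15:48:11.869 +00:00] [info] agenthandler.cpp:576:establish():0x7f58a16ed500 SSL connection failed. Proxy [172.31.47.18:3128] - [stitcher.npa.goskope.com:443] state [Connection Error].
"""


def parse_line(line):
    """Return the fields of one log line, or None for continuation lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(text):
    """Summarise proxy-related state from agent.txt text as a dict."""
    report = {"proxy": None, "bypass": None, "edns_failed": False,
              "socket_errors": [], "proxy_send_failed": False, "state": None}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue          # e.g. the dumped HTTP request headers
        msg = rec["msg"]
        if (m := re.search(r"Use Proxy \[([^\]]+)\] with \d+ bypass\. (\S+)", msg)):
            report["proxy"], report["bypass"] = m.group(1), m.group(2).split(",")
        elif "External DNS query failed" in msg:
            report["edns_failed"] = True      # falls back to LDNS, not fatal
        elif (m := re.search(r"SO_ERROR value (\d+) \(([^)]+)\)", msg)):
            if m.group(1) != "0":             # non-zero errno on the proxy socket
                report["socket_errors"].append((int(m.group(1)), m.group(2)))
        elif "Failed to send to proxy" in msg:
            report["proxy_send_failed"] = True
        elif (m := re.search(r"state \[([^\]]+)\]", msg)):
            report["state"] = m.group(1)      # final Stitcher connection state
    return report
```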