Server inaccessible

then from your computer you should access with
ssh userABC@test-ssh
please test it
also from your computer type
ping test-ssh

Hi @HKilic ,
Yes, able to ping and SSH the server from this test-ssh (service name). So, here we need to use service name or IP to connect the destination resources instead of actual IP or web server name?

Also, is it possible to make this ferrumgate server URL an SSL-secured HTTPS URL? We have our own SSL certificate and would like to configure it here.

Also, is any application available to use this zero trust connection on a mobile device? As far as I have checked, there is no client app for mobile Android or iOS.

We have not had time to develop it yet. It is on the roadmap.

There are 2 options.

  • under settings/pki there is web. You can paste your keys there and restart ferrumgate
  • go to /var/lib/docker/volumes/fg-base_ferrum/_data/certs
    and copy files as public.crt and private.key,
    then
    chown 1000:1000 public.crt
    chown 1000:1000 private.key
    chmod 400 private.key

I am not sure about the second option. There could be a problem with permissions. Please give me feedback about the second option.

Hi @HKilic , The second option works for us.

Please do update us once the mobile app also launches.

One more issue: with a generic VPN (we are currently using OpenVPN), when the VPN connects, the client system's public IP (for all internet traffic) automatically changes to the OpenVPN-assigned public IP.

But in the Ferrumgate server case, this is not happening. Do I need to configure any specific settings? This is required as some services are allowed on individual dedicated public IPs, and we require the same here: the ferrumgate server public IP to be allocated/assigned to the client system.

I hope you understood the above requirement.

Please help!

You could do something like this. Please take a look and let us know if it works for you.

Okay, I will try this and update you by tomorrow.

Also, I have tried from a Windows machine again without Antivirus Endpoint security. But still the same issue: unable to connect.

Hi @HKilic , I went through the article you shared. This is useful when using web URLs…

But our requirement is for our development team, where they do development from their local systems and integrate with third-party APIs, where the external party allows traffic from specific IPs only.

In the current VPN connection they get assigned a public IP, which is the VPN server public IP, and all works fine.
Third-party services like REST API, WebHooks, SFTP and installed application programs as well, which need to be called from local laptops only.

To make it work, let's try something:
if you are reaching a third party (api.abc.com),
create a service that maps to api.abc.com
go to /settings/dns
create a dns record api.abc.com that maps to the service's assigned ip address
and give permission to the service and try if your programs work.
Adding the DNS record resolves to our service ip, and it targets the real third party.
Please try this.

I will check it and give feedback to you again

Hi @HKilic , I have tried this. But it didn't work for me.
Configured the proxy

able to access proxy pac file

but the destination site is not accessible, neither by direct web URL nor by service name/IP (here I have allowed the ferrumgate server public IP in the firewall).

Hi @HKilic ,
As suggested, I tried to do this for one of the API services, but I am not able to access it. PFB screenshot.

Hi, it's working on Windows machines as well. I have checked 2 other systems and it worked… There might be some problem with my laptop, so it is only not working on my laptop.

Please check whether the ferrumgate server can reach the domain you tested with
curl https://crondomain.com
It should work. If this works,
it means that your squid proxy is not working properly. Check its config.

please create only 1 service with 2 ports.
and also check your connection from ferrumgate machine if
curl https://apiblabla.com
works
then on your laptop
check ping api
then check ping apiblabla.com
works

Hi, for squid proxy:
squid.conf

whitelist

There is an error in the squid service… Please find the logs below and help with what is wrong.

systemctl status squid

× squid.service - Squid Web Proxy Server
Loaded: loaded (/lib/systemd/system/squid.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Tue 2024-07-02 10:03:31 IST; 5h 38min ago
Docs: man:squid(8)
Process: 460 ExecStartPre=/usr/sbin/squid --foreground -z (code=exited, status=0/SUCCESS)
Process: 525 ExecStart=/usr/sbin/squid --foreground -sYC (code=exited, status=1/FAILURE)
Main PID: 525 (code=exited, status=1/FAILURE)
CPU: 901ms

Jul 02 10:03:31 ip-172-32-2-98 squid[558]: Squid Cache (Version 5.7): Terminated abnormally.
Jul 02 10:03:31 ip-172-32-2-98 squid[558]: Closing Pinger socket on FD 14
Jul 02 10:03:31 ip-172-32-2-98 squid[525]: Squid Parent: squid-1 process 558 exited with status 1
Jul 02 10:03:31 ip-172-32-2-98 squid[525]: Squid Parent: squid-1 process 558 will not be restarted for 3600 seconds due to repeated, frequent failu>
Jul 02 10:03:31 ip-172-32-2-98 squid[525]: Exiting due to repeated, frequent failures
Jul 02 10:03:31 ip-172-32-2-98 squid[525]: Removing PID file (/run/squid.pid)
Jul 02 10:03:31 ip-172-32-2-98 systemd[1]: squid.service: Main process exited, code=exited, status=1/FAILURE
Jul 02 10:03:31 ip-172-32-2-98 systemd[1]: squid.service: Killing process 560 (squid) with signal SIGKILL.
Jul 02 10:03:31 ip-172-32-2-98 systemd[1]: squid.service: Failed with result 'exit-code'.
Jul 02 10:03:31 ip-172-32-2-98 systemd[1]: Failed to start squid.service - Squid Web Proxy Server.
lines 1-19/19 (END)
nano pac.js ^C
root@ip-172-32-2-98:/home/admin# systemctl restart squid
Job for squid.service failed because the control process exited with error code.
See "systemctl status squid.service" and "journalctl -xeu squid.service" for details.
root@ip-172-32-2-98:/home/admin# journalctl -xeu squid.service
Jul 02 15:42:08 ip-172-32-2-98 squid[55496]: Using Least Load store dir selection
Jul 02 15:42:08 ip-172-32-2-98 squid[55496]: Set Current Directory to /var/spool/squid
Jul 02 15:42:08 ip-172-32-2-98 squid[55496]: Finished loading MIME types and icons.
Jul 02 15:42:08 ip-172-32-2-98 squid[55496]: commBind Cannot bind socket FD 12 to 10.100.100.10:3128: (99) Cannot assign requested address
Jul 02 15:42:08 ip-172-32-2-98 squid[55496]: HTCP Disabled.
Jul 02 15:42:08 ip-172-32-2-98 squid[55496]: Pinger socket opened on FD 14
Jul 02 15:42:08 ip-172-32-2-98 squid[55496]: Squid plugin modules loaded: 0
Jul 02 15:42:08 ip-172-32-2-98 squid[55496]: Adaptation support is off.
Jul 02 15:42:08 ip-172-32-2-98 squid[55496]: Closing HTTP(S) port 10.100.100.10:3128
Jul 02 15:42:08 ip-172-32-2-98 squid[55496]: storeDirWriteCleanLogs: Starting…
Jul 02 15:42:08 ip-172-32-2-98 squid[55496]: Finished. Wrote 0 entries.
Jul 02 15:42:08 ip-172-32-2-98 squid[55496]: Took 0.00 seconds ( 0.00 entries/sec).
Jul 02 15:42:08 ip-172-32-2-98 squid[55496]: FATAL: Unable to open HTTP Socket
Jul 02 15:42:08 ip-172-32-2-98 squid[55496]: Squid Cache (Version 5.7): Terminated abnormally.
Jul 02 15:42:08 ip-172-32-2-98 squid[55496]: Closing Pinger socket on FD 14
Jul 02 15:42:08 ip-172-32-2-98 squid[55478]: Squid Parent: squid-1 process 55496 exited with status 1
Jul 02 15:42:08 ip-172-32-2-98 squid[55478]: Squid Parent: squid-1 process 55496 will not be restarted for 3600 seconds due to repeated, frequent f>
Jul 02 15:42:08 ip-172-32-2-98 squid[55478]: Exiting due to repeated, frequent failures
Jul 02 15:42:08 ip-172-32-2-98 squid[55478]: Removing PID file (/run/squid.pid)
Jul 02 15:42:08 ip-172-32-2-98 systemd[1]: squid.service: Main process exited, code=exited, status=1/FAILURE

Hi, you mentioned creating only 1 service with 2 ports. → How do I add two ports in one service?
I did try modifying this API service, first with port 80 and then with port 443; in both scenarios it doesn't work.
And ping of API and ping of api.abc.com are working fine, but while doing curl I am getting the below error:
curl: (7) Failed to connect to api.abc.com port 80 after 2568 ms: Couldn't connect to server.

Check if lo interface has 10.100.100.10/32 address
If not then there is a problem in /etc/network/interfaces
Squid cannot bind ip

There is an Add button in the services UI. Add more ports with it. After fixing, it will probably work.
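
The bind failure in the journal output above and the lo address check suggested in the last replies can be combined into one diagnostic. This is an added example, not part of the thread and not FerrumGate or Squid code; the function names are hypothetical and the sample interface listing is constructed.

```shell
#!/bin/sh
# Added example: report every address Squid failed to bind and whether it is
# actually configured on a local interface.

# stdin: journal text. Prints each unique IP taken from a
# "commBind Cannot bind socket FD n to IP:PORT" line.
failed_bind_addrs() {
    sed -n 's/.*commBind Cannot bind socket FD [0-9]* to \([0-9.]*\):[0-9]*: .*/\1/p' | sort -u
}

# stdin: output of `ip -o -4 addr show`. Exit status 0 if address $1 is assigned.
addr_is_assigned() {
    awk -v want="$1" '{ split($4, a, "/"); if (a[1] == want) found = 1 }
                      END { exit !found }'
}

# $1 = journal text, $2 = `ip -o -4 addr show` text.
# Prints "<ip> assigned" or "<ip> MISSING" for each failed bind address.
diagnose() {
    printf '%s\n' "$1" | failed_bind_addrs | while read -r addr; do
        if printf '%s\n' "$2" | addr_is_assigned "$addr"; then
            echo "$addr assigned"
        else
            echo "$addr MISSING"
        fi
    done
}

# Two journal lines copied from the thread.
SAMPLE_JOURNAL='Jul 02 15:42:08 ip-172-32-2-98 squid[55496]: commBind Cannot bind socket FD 12 to 10.100.100.10:3128: (99) Cannot assign requested address
Jul 02 15:42:08 ip-172-32-2-98 squid[55496]: FATAL: Unable to open HTTP Socket'

# Constructed `ip -o -4 addr show` output: before and after adding the /32 to lo.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 172.32.2.98/24 scope global eth0'
SAMPLE_ADDRS_FIXED="$SAMPLE_ADDRS
1: lo    inet 10.100.100.10/32 scope global lo"

diagnose "$SAMPLE_JOURNAL" "$SAMPLE_ADDRS"
diagnose "$SAMPLE_JOURNAL" "$SAMPLE_ADDRS_FIXED"

# On the server itself:
#   diagnose "$(journalctl -u squid.service --no-pager)" "$(ip -o -4 addr show)"
```

A MISSING result means Squid's listening address is not present on any interface, which matches the "(99) Cannot assign requested address" error in the journal.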