Example
Below we provide a detailed example of setting up a Connector connection for securely exposing your application's resources.
Scenario
Let's suppose the following scenario.
You want to share access to three different servers within your network:
- Your git repository server
- Your application environment server
- Your internal DNS server for proper name resolution
The use cases you want to allow are:
- Fluid Attacks can clone your git repository using SSH.
- Fluid Attacks can test your application via HTTPS.
- Fluid Attacks can resolve your internal domains via DNS.
Configuration
For this you will:
- Fill out the connection form so we can set up a connection for you.
- Install cloudflared in any of the servers you want to share. For this example, let's assume you install it on the git repository server.
- Receive a SECRET TOKEN from Fluid Attacks that you will use for setting up the connection.
Firewall rules
Now you should focus on creating firewall rules that allow the use cases presented previously.
For the git repository server, set the following egress firewall rules:
- For secure connection:
  - Allow TCP/UDP via port 7844 to region1.v2.argotunnel.com
  - Allow TCP/UDP via port 7844 to region2.v2.argotunnel.com
  - Allow TCP via port 443 to api.cloudflare.com
  - Allow TCP via port 443 to update.argotunnel.com
  - Allow TCP/UDP via port 7844 to
- For internal communication:
  - Allow TCP connections via port 443 (HTTPS) to application environment server
  - Allow TCP/UDP connections via port 53 (DNS) to DNS server
  - Allow TCP connections via port 443 (HTTPS) to
For the application environment server, set the following ingress firewall rules:
- Allow TCP connections via port 443 (HTTPS) from git repository server
For the DNS server, set the following ingress firewall rules:
- Allow TCP/UDP connections via port 53 (DNS) from git repository server
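As an added example that is not part of the Fluid Attacks documentation, the following script renders the git repository server's egress rule set above as iptables commands with a default DROP policy, so anything not listed is blocked; the internal server addresses (APP_SERVER, DNS_SERVER) are constructed placeholders.

```bash
#!/usr/bin/env bash
# Render a least-privilege egress policy for the cloudflared host
# (the git repository server in this scenario). Nothing is applied:
# the commands are printed so they can be reviewed or piped to sh.
APP_SERVER="${APP_SERVER:-10.0.1.20}"   # application environment server (assumed address)
DNS_SERVER="${DNS_SERVER:-10.0.1.53}"   # internal DNS server (assumed address)

# egress_rules: print one iptables command per line.
egress_rules() {
  local chain=OUTPUT
  echo "iptables -A $chain -o lo -j ACCEPT"
  echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Internal communication: DNS first, because iptables resolves the
  # hostnames below at load time and needs name resolution to succeed.
  for proto in tcp udp; do
    echo "iptables -A $chain -p $proto -d $DNS_SERVER --dport 53 -j ACCEPT"
  done
  echo "iptables -A $chain -p tcp -d $APP_SERVER --dport 443 -j ACCEPT"
  # Secure connection to Cloudflare's tunnel edge (destinations from the rule list)
  for host in region1.v2.argotunnel.com region2.v2.argotunnel.com; do
    for proto in tcp udp; do
      echo "iptables -A $chain -p $proto -d $host --dport 7844 -j ACCEPT"
    done
  done
  for host in api.cloudflare.com update.argotunnel.com; do
    echo "iptables -A $chain -p tcp -d $host --dport 443 -j ACCEPT"
  done
  # Default deny is set last so the allow rules are in place before it takes effect.
  echo "iptables -P $chain DROP"
}

# count_accepts: number of ACCEPT rules produced, as a sanity check before applying.
count_accepts() { egress_rules | grep -c -- '-j ACCEPT'; }
```

Because iptables resolves hostnames once at load time, the Cloudflare destinations are pinned to the addresses returned then; reload the rules when those addresses change, and review the printed commands before applying them.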
Turning on the connection
Now that cloudflared is installed and the required firewall rules are in place, you can proceed to enable the connection:
As a System Administrator, run the registration command for the connection using the SECRET TOKEN provided by Fluid Attacks.
Testing the connection
Once the connection is on, you can proceed and test it according to the documentation.
Conclusions
Once you have:
- A working pivot agent
- Minimum privilege firewall rules within your private network
All use cases for this example scenario should be covered.
Additional support
If you require additional support, do not hesitate to contact us.