Kloudless Connect

Kloudless Connect is a proxy server that provides access to repositories located within your customer’s private network. It establishes a secure outbound connection to the Kloudless appliance and enables API requests to be tunneled from the appliance to the repository via a secure channel.

The proxy functions by allowing a limited number of remote port forwards per customer. As connections are made, the appliance registers ports with destinations within a customer’s private network. These destinations are made available to the Kloudless appliance and API. This proxy feature allows you to access a customer’s private services (e.g. a samba or SharePoint server) without exposing them to the internet.

Additional Firewall Rules

The following ports must be made accessible from the IPs the proxy server is connecting from to the Kloudless appliance:

  • 22 - SSH daemon used by the Kloudless Connect proxy for remote port forwarding over a secure channel.

If clustering is used, the load balancer must have a TCP port that proxies connections to port 22 on the cluster members (e.g. proxying port 1234 on the load balancer to port 22 on the appliances). Additionally, the cluster members must open ports 2200-5199 to the other members of the cluster so that the remotely forwarded ports can be accessed by any member of the cluster.

Configuring a new client

The ke_manage_remote_networks command is used on the Kloudless appliance to manage your customers’ proxied connections. The customer may use the Kloudless Connect proxy server to establish the connection.

Each customer must use a unique private key to authenticate their Kloudless Connect proxy server with the Kloudless appliance. Each customer also needs a unique identifier (referred to as the client_id). There are two ways to register an SSH key pair for a customer, as detailed below.

Providing an SSH private key

Run the following command to register a new customer and print out a private key:

ke_manage_remote_networks add client_id

client_id is a unique name chosen for a customer and should be descriptive enough that you may identify each customer when editing proxy settings. This will set up a new customer with the default number of ports that they are allowed to proxy (20 ports). Provide the private key that this command produces in a secure manner to the customer (this is a private key).

Using a provided SSH public key

If your customer has already generated SSH keys and supplied you with a public key, you may create the account with that public key instead:

ke_manage_remote_networks add client_id --pub-key public_key

public_key is the path to the public SSH key that your customer supplied you with.

List a customer’s proxied ports

Use the following command to see which hosts and ports a customer has created proxied connections to:

ke_manage_remote_networks list [client_id]

client_id is optional. If present, this command prints the proxied ports for a specific customer. If absent, information from all customers is listed.

Generating New Private Keys

If a customer loses their private ssh key, run the following command to generate a new key pair (to replace the old keys add the -f flag):

ke_manage_remote_networks add client_id

You may also use the --pub-key flag as detailed earlier to set a public key rather than generate a new key pair.

Change the number of connections for a customer

By default we allow each customer to proxy 20 different ports. Each storage service that a customer wishes to proxy must use a different port. If a customer wishes to connect more than 20 storage service to the kloudless appliance, you will need to increase the number of ports allocated to that customer:

ke_manage_remote_networks change new_num client_id

Revoking Access

There are two different ways to revoke access. First, you can simply remove a customer from the configuration. This terminates all of the their currently proxied connections and does not allow them to connect to the kloudless appliance in the future:

ke_manage_remote_networks remove client_id

If you want to allow this customer to connect in the future, you will need to add the customer again.

If you would like to temporarily disable a customer’s access, you can change the number of connections for that client to 0. This also terminates their currently proxied connections and prevents them from re-connecting. However, the client’s SSH information remains in the appliance’s database.

ke_manage_remote_networks change 0 client_id

Logs

The appliance logs information on proxied connections to /var/log/syslog for debugging purposes, similar to other services on the appliance.

Deploying Kloudless Connect

Once the steps above are completed, a customer can deploy Kloudless Connect in their network to make an outbound connection to Kloudless Enterprise.

Compatibility

Kloudless Connect is available as a container, kloudless/customer-proxy:1.0, on Docker Hub.

Kloudless Connect can be used to connect to the services listed below. The minimum versions required for the client-side Kloudless Connect and the server-side Kloudless Enterprise are indicated as well.

Service Kloudless Enterprise Version Kloudless Connect Version
SMB >= 1.8.3 >= 1.0.0
WebDAV >= 1.8.3 >= 1.0.0
Adobe CQ5 >= 1.8.3 >= 1.0.0
CMIS >= 1.14.4 >= 1.0.0
Alfresco >= 1.14.4 >= 1.0.0

Installation

The image can be installed with the following command:

docker pull kloudless/customer-proxy:1.0

After creating a suitable configuration file, and receiving or generating an ssh key, it can be run with the following command:

docker run --name customer-proxy [-d] \
  -v `pwd`/connect.yaml:/etc/kloudless/connect.yaml \
  -v `pwd`/ssh_key.priv:/etc/kloudless/ssh_key.priv \
  kloudless/customer-proxy:1.0

Note: the docker daemon requires absolute source paths to mount individual files.

Configuration

The application has a YAML-formatted configuration file found at /etc/kloudless/connect.yaml which defines the customer’s proxied connections. Additionally, the path to the customer’s SSH private key and the IP address or hostname and SSH port of the Kloudless appliance must be specified:

appliance: "kloudless.example.com:22"
ssh_key: "/etc/kloudless/connect_key.priv"
repositories:
    example_group:
        example_repo: "smb://samba.example.com:139"
        example_webdav: "webdav+http://webdav.example.com:80/"
        example_cmis: "cmis+https://cmis.example.com:443/cmisatom"

The docker container will start the kloudless_connect proxy service on boot

See Compatibility section for supported services.

Please refer to the file for further information on its format and the value of each attribute.

To proxy connections, simply run:

sudo service kloudless_connect start

To stop proxying connections, run:

sudo service kloudless_connect stop

To reload the configuration file, run:

sudo service kloudless_connect reload

Troubleshooting

If there are issue with the Kloudless Connect client connecting to the server, the first place to check is the logs. The logs are managed by supervisord which runs the proxy processes. These logs are contained in /var/log/supervisord/ke_connect_*.log.

Common issues:

  • Permission Denied: The client may encounter issues with SSH keys. To resolve, you can either generate a new ssh key pair and upload it to the server or re-create and use a provided public key.
  • connect.yaml: If the configuration of the repository is incorrectly documented, accounts will not be able to be connected. To resolve, please refer to the format: service[+scheme]://host:port[path]
  • The scheme is necessary when multiple connection protocols are available. For example, WebDAV may connect over either HTTP or HTTPS. An example URI would therefore be webdav+http://10.0.0.1:80.

Connecting accounts

Once Kloudless Connect has been deployed, configured repositories will be visible on the App Details page of the Developer Portal. Each repository will be associated with a “group key” that must be used during authentication to ensure that only trusted users from an organization can connect to the repository.

Further information on how to use the Group Key during the authentication process is available in the Kloudless Connect Authentication section of the API Documentation.