# Kloudless Connect
Kloudless Connect is a proxy server that provides access to repositories located within your customer’s private network. It establishes a secure outbound connection to the Kloudless appliance and enables API requests to be tunneled from the appliance to the repository via a secure channel.
The proxy functions by allowing a limited number of remote port forwards per customer. As connections are made, the appliance registers ports with destinations within a customer’s private network. These destinations are made available to the Kloudless appliance and API. This proxy feature allows you to access a customer’s private services (e.g. a samba or SharePoint server) without exposing them to the internet.
# Additional Firewall Rules
The following ports must be made accessible from the IPs the proxy server is connecting from to the Kloudless appliance:
- 22 - SSH daemon used by the Kloudless Connect proxy for remote port forwarding over a secure channel.
If clustering is used, the load balancer must have a TCP port that proxies connections to port 22 on the cluster members (e.g. proxying port 1234 on the load balancer to port 22 on the appliances). Additionally, the cluster members must open ports 2200-5199 to the other members of the cluster so that the remotely forwarded ports can be accessed by any member of the cluster.
# Configuring a new client
The ke_manage_remote_networks command is used on the Kloudless appliance to
manage your customers’ proxied connections. The customer may use the Kloudless
Connect proxy server to
establish the connection.
Each customer must use a unique private key to authenticate their Kloudless
Connect proxy server with the Kloudless appliance. Each customer also needs a
unique identifier (referred to as the client_id). There are two ways to
register an SSH key pair for a customer, as detailed below.
# Providing an SSH private key
Run the following command to register a new customer and print out a private key:
ke_manage_remote_networks add client_id
client_id is a unique name chosen for a customer and should be descriptive
enough that you may identify each customer when editing proxy settings. This
will set up a new customer with the default number of ports that they are
allowed to proxy (20 ports). Provide the private key that this command produces
in a secure manner to the customer (this is a private key).
# Using a provided SSH public key
If your customer has already generated SSH keys and supplied you with a public key, you may create the account with that public key instead:
ke_manage_remote_networks add client_id --pub-key public_key
public_key is the path to the public SSH key that your customer supplied you
with.
# List a customer’s proxied ports
Use the following command to see which hosts and ports a customer has created proxied connections to:
ke_manage_remote_networks list [client_id]
client_id is optional. If present, this command prints the proxied ports for
a specific customer. If absent, information from all customers is listed.
# Generating New Private Keys
If a customer loses their private ssh key, run the following command to generate
a new key pair (to replace the old keys add the -f flag):
ke_manage_remote_networks add client_id
You may also use the --pub-key flag as detailed earlier to set a public key
rather than generate a new key pair.
# Change the number of connections for a customer
By default we allow each customer to proxy 20 different ports. Each storage service that a customer wishes to proxy must use a different port. If a customer wishes to connect more than 20 storage service to the Kloudless appliance, you will need to increase the number of ports allocated to that customer:
ke_manage_remote_networks change new_num client_id
# Revoking Access
There are two different ways to revoke access. First, you can simply remove a customer from the configuration. This terminates all of the their currently proxied connections and does not allow them to connect to the Kloudless appliance in the future:
ke_manage_remote_networks remove client_id
If you want to allow this customer to connect in the future, you will need to add the customer again.
If you would like to temporarily disable a customer’s access, you can change the number of connections for that client to 0. This also terminates their currently proxied connections and prevents them from re-connecting. However, the client’s SSH information remains in the appliance’s database.
ke_manage_remote_networks change 0 client_id
# Logs
The appliance logs information on proxied connections to /var/log/syslog for
debugging purposes, similar to other services on the appliance. If run in a
container, it will log to standard out, both Docker and Kubernetes support
viewing standard out, viewable as follows:
docker logs [kloudless-connect]
kubectl logs [k-connect-podId]
# Deploying Kloudless Connect
Once the steps above are completed, a customer can deploy Kloudless Connect in their network to make an outbound connection to Kloudless Enterprise.
# Compatibility
Kloudless Connect is available as a container, kloudless/customer-proxy:1.0, on Docker Hub.
Kloudless Connect can be used to connect to the services listed below. The minimum versions required for the client-side Kloudless Connect and the server-side Kloudless Enterprise are indicated as well.
| Service | Kloudless Enterprise Version | Kloudless Connect Version |
|---|---|---|
| SMB | >= 1.8.3 | >= 1.0.0 |
| WebDAV | >= 1.8.3 | >= 1.0.0 |
| Adobe CQ5 | >= 1.8.3 | >= 1.0.0 |
| CMIS | >= 1.14.4 | >= 1.0.0 |
| Alfresco | >= 1.14.4 | >= 1.0.0 |
| PowerShell | >= 1.32.0 | >= 1.0.0 |
# Installation
Kloudless Connect is available from Docker Hub as kloudless/connect:1.0
The image can be installed with the following command:
docker pull kloudless/customer-proxy:1.0
After creating a suitable configuration file, and receiving or generating an ssh key, it can be run with the following command:
docker run --name customer-proxy [-d] \
-v `pwd`/connect.yaml:/etc/kloudless/connect.yaml \
-v `pwd`/ssh_key.priv:/etc/kloudless/ssh_key.priv \
kloudless/customer-proxy:1.0
Note: the docker daemon requires absolute source paths to mount individual files.
Kloudless Connect proxy can also be installed from a debian package. Contact the Kloudless Support Team for more information.
# Configuration
The application has a YAML-formatted configuration file found at
/etc/kloudless/connect.yaml which defines the customer’s proxied connections.
Additionally, the path to the customer’s SSH private key and the IP address or
hostname and SSH port of the Kloudless appliance must be specified:
appliance: "kloudless.example.com:22"
ssh_key: "/etc/kloudless/connect_key.priv"
repositories:
example_group:
example_repo: "smb://samba.example.com:139"
example_webdav: "webdav+http://webdav.example.com:80/"
example_cmis: "cmis+https://cmis.example.com:443/cmisatom"
The docker container will start the kloudless_connect proxy service on boot
See Compatibility section for supported services.
Please refer to the file for further information on its format and the value of each attribute.
To proxy connections, simply run:
NAME="proxy" \
CONF="`pwd`/connect.yaml" \
KEY="`pwd`/connect_key.priv" \
docker run --name "$NAME" `# [--rm] [-d]` \
--volume "$CONF":/etc/kloudless/connect.yaml \
--volume "$KEY":/etc/kloudless/connect_key.priv \
kloudless/customer-proxy:1.0
Or run this script.
Proxying of connections can be controlled with the following commands, as root in the container:
service kloudless_connect start
service kloudless_connect stop
service kloudless_connect reload
While the kloudless_connect service is running, configured connections can be
individually controlled with:
supervisorctl status kloudless_connect:ke_connect_example_group_example_repo
supervisorctl start kloudless_connect:ke_connect_example_group_example_repo
supervisorctl stop kloudless_connect:ke_connect_example_group_example_repo
supervisorctl restart kloudless_connect:ke_connect_example_group_example_repo
# Troubleshooting
If there are issue with the Kloudless Connect client connecting to the server, the first place to check is the logs. The logs are managed by supervisord which runs the proxy processes. These logs are contained in /var/log/supervisord/ke_connect_*.log.
Common issues:
- Permission Denied: The client may encounter issues with SSH keys. To resolve, you can either generate a new ssh key pair and upload it to the server or re-create and use a provided public key.
- connect.yaml: If the configuration of the repository is incorrectly
documented, accounts will not be able to be connected. To resolve, please
refer to the format:
service[+scheme]://host:port[path] - The scheme is necessary when multiple connection protocols are available. For
example, WebDAV may connect over either HTTP or HTTPS. An example URI would
therefore be
webdav+http://10.0.0.1:80.
# Connecting accounts
Once Kloudless Connect has been deployed, configured repositories will be visible on the App Details page of the Developer Portal. Each repository will be associated with a “group key” that must be used during authentication to ensure that only trusted users from an organization can connect to the repository.
Further information on how to use the Group Key during the authentication process is available in the Kloudless Connect Authentication section of the API Documentation.