From fe01079c39ddf5101b68979ef7df78e5189b842e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Cie=C5=9Blak?= Date: Fri, 13 Dec 2024 17:40:23 +0100 Subject: [PATCH 1/2] Add docs for multi-port TCP access --- .../guides/per-session-mfa.mdx | 4 ++ docs/pages/connect-your-client/vnet.mdx | 14 +++++- .../application-access/guides/tcp.mdx | 50 +++++++++++++++++++ 3 files changed, 66 insertions(+), 2 deletions(-) diff --git a/docs/pages/admin-guides/access-controls/guides/per-session-mfa.mdx b/docs/pages/admin-guides/access-controls/guides/per-session-mfa.mdx index c2fa8ed63f9ef..1c6b1c99d4152 100644 --- a/docs/pages/admin-guides/access-controls/guides/per-session-mfa.mdx +++ b/docs/pages/admin-guides/access-controls/guides/per-session-mfa.mdx @@ -209,6 +209,10 @@ Current limitations for this feature are: (The OpenSSH `ssh` client does not work with per-session MFA). - Only `kubectl` supports per-session WebAuthn authentication for Kubernetes. - For desktop access, only WebAuthn devices are supported. +- When accessing a + [multi-port](../../../enroll-resources/application-access/guides/tcp.mdx#configuring-access-to-multiple-ports) + TCP application through [VNet](../../../connect-your-client/vnet.mdx), the first connection over + each port triggers an MFA check. ## Next steps diff --git a/docs/pages/connect-your-client/vnet.mdx b/docs/pages/connect-your-client/vnet.mdx index 79fba51ac6bc0..71e394d526dc0 100644 --- a/docs/pages/connect-your-client/vnet.mdx +++ b/docs/pages/connect-your-client/vnet.mdx @@ -43,13 +43,23 @@ tsh.app under "Allow in the Background". ## Step 3/3. Connect Once VNet is running, you can connect to the application using the application client you would -normally use to connect to it. The port number is inconsequential. VNet forwards connections over -any port number under the public address of the app to the app itself. +normally use to connect to it. ```code $ psql postgres://postgres@tcp-app.teleport.example.com/postgres ``` + +Unless the application specifies [multiple +ports](../enroll-resources/application-access/guides/tcp.mdx#configuring-access-to-multiple-ports), +VNet proxies connections over any port used by the application client. For multi-port apps, the port +number must match one of the target ports of the app. To see a list of target ports, click the +three dot menu next to an application in Teleport Connect or execute `tsh apps ls`. + +If [per-session MFA](../admin-guides/access-controls/guides/per-session-mfa.mdx) is enabled, the +first connection over each port triggers an MFA check. + + VNet is going to automatically start on the next Teleport Connect launch, unless you stop VNet before closing Teleport Connect. diff --git a/docs/pages/enroll-resources/application-access/guides/tcp.mdx b/docs/pages/enroll-resources/application-access/guides/tcp.mdx index e8fe7eac5739a..dd0601e35a830 100644 --- a/docs/pages/enroll-resources/application-access/guides/tcp.mdx +++ b/docs/pages/enroll-resources/application-access/guides/tcp.mdx @@ -148,6 +148,56 @@ $ psql postgres://postgres@localhost:55868/postgres ## Next steps +### Configuring access to multiple ports + +By default, the Application Service proxies connections to the `uri` field from the application +specification. However, Teleport can enable access to multiple ports of a TCP application. An +application specification in this case needs to have no port number in the `uri` field and a new +field called `tcp_ports` with a list of ports. + +For example, let's take tcp-app from the steps above and add access to port 8080 and port range +31276-32300. The Application Service definition should look like this: + +```yaml +app_service: + enabled: "yes" + apps: + - name: "tcp-app" + uri: tcp://localhost # No port in the URI + tcp_ports: + - port: 5432 # PostgreSQL + - port: 8080 # HTTP server + - port: 31276 + end_port: 32300 # Inclusive end of range +``` + +To access the app, [start VNet](../../../connect-your-client/vnet.mdx) and point an application +client towards the target port: + +```code +$ curl -I http://tcp-app.teleport.example.com:8080 +HTTP/1.1 200 OK + +$ psql postgres://postgres@tcp-app.teleport.example.com:5432/postgres +``` + + +There is no RBAC for TCP ports – a user that has access to an application can connect to any port in +the specification. We strongly recommend specifying only the necessary ports instead of defining a +wide port range that happens to include ports that are meant to be available. + + +{/* TODO(ravicious): DELETE IN 19.0.0. At this point all compatible servers and clients are going +to support multiple ports. */} + +Support for multiple ports is available in Teleport v17.1+. Connections from Teleport clients that +do not support multiple ports are routed to the first port from the application specification. An +Application Service that does not support multiple ports will not be able to handle traffic to a +multi-port application if it receives such application through [dynamic +registration](./dynamic-registration.mdx) from an Auth Service. + +### Further reading + - Learn about [access controls](../controls.mdx) for applications. - Learn how to [connect to TCP apps with VNet](../../../connect-your-client/vnet.mdx) and [configure VNet for custom `public_addr`](vnet.mdx). From 2a22f1211972d439af81933db8ff0d2907d104be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Cie=C5=9Blak?= Date: Fri, 13 Dec 2024 17:55:28 +0100 Subject: [PATCH 2/2] Remove unknown word from TODO comment --- docs/pages/enroll-resources/application-access/guides/tcp.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/enroll-resources/application-access/guides/tcp.mdx b/docs/pages/enroll-resources/application-access/guides/tcp.mdx index dd0601e35a830..e28a76bdd91e7 100644 --- a/docs/pages/enroll-resources/application-access/guides/tcp.mdx +++ b/docs/pages/enroll-resources/application-access/guides/tcp.mdx @@ -187,7 +187,7 @@ the specification. We strongly recommend specifying only the necessary port wide port range that happens to include ports that are meant to be available. -{/* TODO(ravicious): DELETE IN 19.0.0. At this point all compatible servers and clients are going +{/* TODO: DELETE IN 19.0.0. At this point all compatible servers and clients are going to support multiple ports. */} Support for multiple ports is available in Teleport v17.1+. Connections from Teleport clients that