
Proxy gateway solutions

Why use a proxy?

Sometimes devices cannot reach the internet directly because of security requirements. A typical way of increasing security and controlling traffic is to use a proxy. The agent is designed to operate with different proxies, so it can run in more advanced network topologies.

How to bootstrap the agent with a proxy

The agent can connect through a proxy. This is tested with Squid, but any other proxy should work as well. Most proxies work with HTTP only, but this is not a problem since all qbee traffic is TLS encrypted. If you use an HTTPS proxy there needs to be a CA. If you need an HTTPS proxy, please reach out to support.

Below are all the options that can be passed to the bootstrap function:

$ sudo qbee-agent bootstrap -h
Usage: qbee-agent [global options] <command> [options] [<command> [options] ...]

Options:
  -k, --bootstrap-key BOOTSTRAP_KEY    Set the bootstrap key found in the user profile.  [required]
      --proxy-host PROXY_HOST          HTTP proxy host to use.                           [optional]
      --proxy-port PROXY_PORT          HTTP proxy port to use.                           [optional]
      --proxy-user PROXY_USER          HTTP proxy username.                              [optional]
      --proxy-password PROXY_PASSWORD  HTTP proxy password.                              [optional]

Thus a bootstrap call could look like this:

$ sudo qbee-agent bootstrap -k xxx --proxy-host 10.121.4.255 --proxy-port 3128 --proxy-user qbee-squid --proxy-password very_secret

Proxy implementations

In many cases it is desirable (even mandatory) to set up some guard rails for your embedded infrastructure, e.g. in Operational Technology (OT) networks, which usually differ clearly from Information Technology (IT) networks when it comes to data flowing in and out. IT and OT networks serve different purposes and have traditionally operated in isolation, but with the advent of the Industrial Internet of Things (IIoT) and the push towards digital transformation, the boundary between OT and IT is becoming increasingly blurred.

However, there are techniques that keep as much of the separation as possible without compromising security and usability. This example shows how you can achieve an OT/IT network split for your qbee-agent infrastructure by using a network proxy.

Docker solution

Qbee offers a ready-made Docker image if you want a simple proxy setup. On a host acting as a gateway, run the following:

sudo docker run --name qbee-gateway -p 3128:3128 -d qbeeio/qbee-gateway

On start, the user qbee-gateway is set up with an autogenerated 64-character password, which is visible at the beginning of the Docker logs:

sudo docker logs qbee-gateway

If you want to set your own password, pass it as an environment variable on startup:

sudo docker run --name qbee-gateway -p 3128:3128 \
    -e QBEE_GATEWAY_PASSWORD=<proxy-password> -d qbeeio/qbee-gateway

Once the container is running, bootstrap the agent on the devices as follows:

sudo qbee-agent bootstrap -k <bootstrap_key> --proxy-host <ip-or-hostname-of-proxy> \
    --proxy-port 3128 --proxy-user qbee-gateway --proxy-password <proxy-password>

Native gateway proxy solution

If you'd rather run the proxy directly on the gateway host, follow the instructions below.

Installing proxy on hardware
  1. Install the Squid proxy software directly on a hardware or virtual device:

    sudo apt install squid -y
    
  2. Configure the proxy with authentication and restrict it to only allow qbee ports and domains from local networks:

    /etc/squid/squid.conf
    auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/password
    auth_param basic realm proxy
    
    # Only allow authenticated proxy requests
    acl authenticated proxy_auth REQUIRED
    
    # Only allow qbee ssl ports and domains
    acl qbee_sslports port 443
    # Allow access to devicehub
    acl qbee_devicehub dstdomain device.app.qbee.io
    # Allow access to remote console (agent version 2024.05 and earlier)
    acl qbee_vpnserver dstdomain vpn.app.qbee.io
    # Allow access to remote console (agent version 2024.09 and later)
    acl qbee_edge dstdomain edge.app.qbee.io
    
    # Localnets
    acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
    
    # Grant access to authenticated from localnet to ssl ports on qbee backend services
    http_access allow authenticated localnet qbee_sslports qbee_devicehub
    http_access allow authenticated localnet qbee_sslports qbee_vpnserver
    http_access allow authenticated localnet qbee_sslports qbee_edge
    
    # Deny everything else
    http_access deny all
    
    http_port 3128
    pid_filename /var/run/qbee-gateway.pid
    
  3. Add users and passwords for the proxy using the htpasswd utility from apache2-utils:

    sudo apt install apache2-utils
    sudo htpasswd -b -B -c /etc/squid/password <proxy-user> <proxy-password>
    
  4. Restart the Squid service and bootstrap qbee-agent to use the proxy:

    sudo systemctl restart squid
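With the allow list above in place, the gateway's own access log is where you see which devices the policy is turning away, and why: Squid answers 407 when a device presents no or wrong credentials (a --proxy-user/--proxy-password problem) and 403 when the credentials are fine but an http_access rule rejects the destination or source network. The following POSIX shell script is an added example and is not part of the qbee documentation or the qbee-gateway image; it parses Squid's native access.log format, and the log lines embedded in it are constructed for illustration. The probe_proxy helper is an assumption about how to exercise the proxy with curl; it needs network access and is not run by the script itself.

```shell
#!/bin/sh
# Added example (not qbee's code): audit a Squid access.log for requests the
# gateway rejected, so misconfigured or misbehaving devices are spotted on the
# gateway rather than one device at a time.
#
# Squid native log format, one request per line:
#   <unix-ts> <elapsed-ms> <client-ip> <action>/<status> <bytes> <method> <url> <user> <hierarchy> <type>

# Constructed sample lines; IPs, user names and timestamps are made up.
# Line 2: device sent no credentials (407). Line 3: authenticated device asked
# for a domain outside the allow list (403). Line 4: authenticated client from
# outside the localnet ranges (403).
SAMPLE_LOG='1717000000.101    210 192.168.10.20 TCP_TUNNEL/200 8421 CONNECT device.app.qbee.io:443 qbee-gateway HIER_DIRECT/203.0.113.10 -
1717000001.202      0 192.168.10.21 TCP_DENIED/407 3979 CONNECT device.app.qbee.io:443 - HIER_NONE/- text/html
1717000002.303      0 192.168.10.22 TCP_DENIED/403 3881 CONNECT example.com:443 qbee-gateway HIER_NONE/- text/html
1717000003.404      0 198.51.100.7 TCP_DENIED/403 3881 CONNECT device.app.qbee.io:443 qbee-gateway HIER_NONE/- text/html
1717000004.505    198 192.168.10.20 TCP_TUNNEL/200 9110 CONNECT edge.app.qbee.io:443 qbee-gateway HIER_DIRECT/203.0.113.11 -'

# Read a Squid access.log on stdin and print one line per denied request:
#   <client-ip> <status> <destination> <reason>
# The reason is derived from the status Squid returned to the client:
#   407 -> auth-required: no or invalid proxy credentials on the device
#   403 -> acl-denied: credentials accepted, but http_access rejected the request
audit_access_log() {
    awk '
        $4 ~ /^TCP_DENIED\// {
            split($4, parts, "/")
            status = parts[2]
            reason = (status == "407") ? "auth-required" : (status == "403") ? "acl-denied" : "other"
            print $3, status, $7, reason
        }'
}

# Number of denied requests in the log on stdin.
count_denied() {
    audit_access_log | wc -l | tr -d ' '
}

# Denied requests whose destination is not a qbee backend at all: a device
# that has been pointed somewhere else, or software on it reaching out to an
# unexpected host. These deserve a closer look than plain credential errors.
count_non_qbee_denied() {
    audit_access_log | awk '$3 !~ /\.app\.qbee\.io:443$/' | wc -l | tr -d ' '
}

# Live probe (assumption, needs network, not run here): ask the proxy to CONNECT
# to a destination and print the status Squid answered the CONNECT with.
# 200 = allowed, 403 = denied by ACL, 407 = credentials rejected.
# Usage: probe_proxy <proxy-host:port> <user:password> <host:443>
probe_proxy() {
    curl -s -o /dev/null --max-time 10 \
        --proxy "http://$1" --proxy-user "$2" \
        -w '%{http_connect}\n' "https://$3/"
}

# Stand-alone run: audit the constructed sample.
# On a real gateway: audit_access_log < /var/log/squid/access.log
printf '%s\n' "$SAMPLE_LOG" | audit_access_log
```

Run the audit periodically (cron or a systemd timer) and alert on a non-zero count_non_qbee_denied; a steady stream of 407s from one address usually means a device was bootstrapped with stale proxy credentials after the htpasswd file was changed.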