Qbee agent gateway setup

In many cases it is desirable (even mandatory) to set up guard rails for your embedded infrastructure, e.g. in Operational Technology (OT) networks, which usually keep a clear separation from Information Technology (IT) networks when it comes to data flowing in and out. IT and OT networks serve different purposes and have traditionally operated in isolation, but with the advent of the Industrial Internet of Things (IIoT) and the push towards digital transformation, the boundary between OT and IT is becoming increasingly blurred.

However, there are techniques that seek to keep as much of the separation as possible without compromising security and usability. This example shows how you can achieve an OT/IT network split for your qbee-agent infrastructure by using a network proxy, so that devices only ever talk to the proxy and the proxy only forwards traffic to the qbee backend.

Qbee offers a ready-made Docker image if you want a simple proxy setup. On a host acting as a gateway, run the following:

sudo docker run --name qbee-gateway -p 3128:3128 -d qbeeio/qbee-gateway

On startup the user qbee-gateway is created with an autogenerated 64-character password, which is visible at the beginning of the container logs:

sudo docker logs qbee-gateway

If you want to set your own password, pass it as an environment variable on startup:

sudo docker run --name qbee-gateway -p 3128:3128 \
    -e QBEE_GATEWAY_PASSWORD=<proxy-password> -d qbeeio/qbee-gateway

Once the container is running you can bootstrap the agent on the devices as follows:

sudo qbee-agent bootstrap -k <bootstrap_key> --proxy-host <ip-or-hostname-of-proxy> \
    --proxy-port 3128 --proxy-user qbee-gateway --proxy-password <proxy-password>

If you'd rather have the proxy run directly on the gateway host, follow the instructions below.

Installing proxy on hardware
  1. Install the squid proxy software directly on a hardware or virtual device:

    sudo apt install squid -y
    
  2. Configure the proxy with authentication and restrict it so that only clients from local networks can reach the qbee ports and domains. Squid evaluates http_access lines in order and every ACL named on a line must match for that line to apply, so keep the final "deny all" line last so the policy fails closed:

    /etc/squid/squid.conf
    auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/password
    auth_param basic realm proxy
    
    # Only allow authenticated proxy requests
    acl authenticated proxy_auth REQUIRED
    
    # Only allow qbee ssl ports and domains
    acl qbee_sslports port 443
    acl qbee_devicehub dstdomain device.app.qbee.io
    acl qbee_vpnserver dstdomain vpn.app.qbee.io
    
    # Localnets
    acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
    
    # Grant authenticated clients from localnet access to the ssl port on qbee backend services
    http_access allow authenticated localnet qbee_sslports qbee_devicehub
    http_access allow authenticated localnet qbee_sslports qbee_vpnserver
    
    # Deny everything else
    http_access deny all
    
    http_port 3128 
    pid_filename /var/run/qbee-gateway.pid
    
  3. Add users and passwords for the proxy using the htpasswd utility from apache2-utils. The -c flag creates the password file (overwriting an existing one), so omit it when adding further users:

    sudo apt install apache2-utils
    sudo htpasswd -b -B -c /etc/squid/password <proxy-user> <proxy-password>
    
  4. Restart the squid service and bootstrap qbee-agent to use the proxy, using the bootstrap command shown above with the proxy user and password you just created:

    sudo systemctl restart squid
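
To see how the policy from step 2 behaves before exposing the proxy to devices, here is an added Python example (not part of qbee's documentation or of the Squid project) that parses the acl and http_access lines from a constructed copy of the configuration above and applies Squid's evaluation rules to a few constructed requests: every ACL on an http_access line must match for that line to fire, the first matching line wins, and with "http_access deny all" as the final line the policy fails closed. The evaluator only understands the ACL types this configuration uses (src, port, dstdomain, proxy_auth) and treats "authenticated" as a boolean supplied with each request; it does not perform Basic authentication itself, and the Request class, CASES list and helper names are all assumptions of this example.

```python
"""First-match evaluator for the http_access policy above (added example, not qbee's or Squid's code)."""
import ipaddress
from dataclasses import dataclass

# Constructed copy of the policy section of /etc/squid/squid.conf from step 2.
SQUID_CONF = """
acl authenticated proxy_auth REQUIRED
acl qbee_sslports port 443
acl qbee_devicehub dstdomain device.app.qbee.io
acl qbee_vpnserver dstdomain vpn.app.qbee.io
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
http_access allow authenticated localnet qbee_sslports qbee_devicehub
http_access allow authenticated localnet qbee_sslports qbee_vpnserver
http_access deny all
"""


@dataclass
class Request:          # hypothetical request model for this example
    src: str            # client address as seen by the proxy
    dst_domain: str     # host the client asks the proxy to reach
    dst_port: int
    authenticated: bool  # whether valid proxy credentials were presented


def parse_conf(text):
    """Collect acl definitions (name -> [(type, values)]) and http_access rules in file order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, acl_type, *values = words[1:]
            acls.setdefault(name, []).append((acl_type, values))
        elif words[0] == "http_access":
            action, *names = words[1:]
            rules.append((action, names))
    return acls, rules


def acl_matches(acls, name, req):
    """True if the named ACL matches the request. '!name' negates; 'all' is Squid's built-in ACL."""
    if name.startswith("!"):
        return not acl_matches(acls, name[1:], req)
    if name == "all":
        return True
    for acl_type, values in acls.get(name, []):
        if acl_type == "src":
            ip = ipaddress.ip_address(req.src)  # mismatched IP versions simply do not match
            if any(ip in ipaddress.ip_network(v, strict=False) for v in values):
                return True
        elif acl_type == "port" and str(req.dst_port) in values:
            return True
        elif acl_type == "dstdomain":
            # a leading dot matches the domain and its subdomains, otherwise the match is exact
            if any(req.dst_domain == v.lstrip(".") or (v.startswith(".") and req.dst_domain.endswith(v))
                   for v in values):
                return True
        elif acl_type == "proxy_auth" and req.authenticated:
            return True
    return False


def decide(acls, rules, req):
    """Squid semantics: all ACLs on a line must match; the first matching line wins."""
    for action, names in rules:
        if all(acl_matches(acls, n, req) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if (rules and rules[-1][0] == "allow") else "allow"


def fails_closed(rules):
    """The policy fails closed only if its final line is 'http_access deny all'."""
    return bool(rules) and rules[-1] == ("deny", ["all"])


# Constructed requests: the allow path plus each way a request can fall through to deny.
CASES = [
    (Request("192.168.1.20", "device.app.qbee.io", 443, True), "allow"),
    (Request("fe80::1", "vpn.app.qbee.io", 443, True), "allow"),
    (Request("192.168.1.20", "device.app.qbee.io", 443, False), "deny"),  # no credentials
    (Request("192.168.1.20", "example.com", 443, True), "deny"),          # domain not listed
    (Request("10.1.2.3", "vpn.app.qbee.io", 80, True), "deny"),           # only port 443 allowed
    (Request("203.0.113.5", "device.app.qbee.io", 443, True), "deny"),    # source not in localnet
]


def run_cases(conf=SQUID_CONF):
    """Return (decision, expected) pairs for every constructed case."""
    acls, rules = parse_conf(conf)
    return [(decide(acls, rules, req), expected) for req, expected in CASES]


if __name__ == "__main__":
    acls, rules = parse_conf(SQUID_CONF)
    print("fails closed:", fails_closed(rules))
    for (got, expected), (req, _) in zip(run_cases(), CASES):
        print(f"{req.src:>14} -> {req.dst_domain}:{req.dst_port} auth={req.authenticated}: {got} (expected {expected})")
```

Running it prints "fails closed: True" and "allow" only for the two authenticated, local-network requests to the qbee domains on port 443; dropping the credentials, the domain, the port or the local source address each falls through to the final deny line. If you edit the configuration (for example to add a further dstdomain), re-run the cases to confirm that nothing else became reachable.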