Configured Google Cloud Identity Aware Proxy for the application. So far, I can ssh to it no problem, as long as I am not using the corporate proxy. I tried over the proxy (with the IAP endpoint being in the 'allow' list in the corporate proxy), but it failed with an SSL CERTIFICATE error.

Errors:

    ...
    "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/ssl.py", line 853, in _create
        self.do_handshake()
      File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/ssl.py", line 1117, in do_handshake
        self._sslobj.do_handshake()
    ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)
    INFO: Error during WebSocket processing:
    ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)

    INFO: Client closed connection from [stdin].
    DEBUG: (gcloud.compute.start-iap-tunnel) Error while connecting [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)].
    Traceback (most recent call last):
      File "/usr/local/Caskroom/google-cloud-sdk/latest

    ...

Has anyone succeeded in configuring corporate proxy for IAP? If yes, what configuration would you think is needed to get it working?

Thanks so much in advance!!

1 Answer

Answering my own question:

Yes, a proxy can be configured to access IAP endpoint nodes.

Steps:

  1. Ask your friendly proxy admins to add the following to the allow list:

    wss://tunnel.cloudproxy.app

  2. Configure your current GCLOUD_SDK environment:

    $ gcloud config set proxy/type http
    Updated property [proxy/type].

    $ gcloud config set proxy/address proxy.testcorp.com
    Updated property [proxy/address].

    $ gcloud config set proxy/port 8080
    Updated property [proxy/port].

    $ gcloud config set proxy/username user001
    Updated property [proxy/username].

    $ gcloud config set proxy/password XXXXXXXXXXXX
    Updated property [proxy/password].

  3. Make sure you have the correct SSL certs installed on your workstation. You can configure GCLOUD_SDK to use your certs with the following command:

    gcloud config set custom_ca_certs_file /Users/user01/gce/certs/corpcerts.pem

Next, you can go ahead and issue the 'gcloud ssh' command with --tunnel-through-iap to connect to your node.
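An added diagnostic (not part of the answer above, and not gcloud's own code) that reproduces what gcloud does behind those three settings: it sanity-checks the custom CA bundle, opens an HTTP CONNECT tunnel through the corporate proxy with Basic auth, and completes a TLS handshake to the IAP endpoint trusting only that bundle, so the same CERTIFICATE_VERIFY_FAILED error can be reproduced and attributed to either the bundle or the proxy. The proxy host/port are the ones from the answer and the endpoint is tunnel.cloudproxy.app; the user name, password and CA path are assumed placeholders.

```python
import base64
import socket
import ssl

# Assumed values from the answer: replace with your own proxy and CA bundle.
PROXY_HOST, PROXY_PORT = "proxy.testcorp.com", 8080
IAP_HOST, IAP_PORT = "tunnel.cloudproxy.app", 443


def count_pem_certs(pem_text):
    """Text-level check of a PEM bundle: number of CERTIFICATE blocks.
    An empty or unbalanced bundle is the usual cause of
    'unable to get local issuer certificate'."""
    begins = pem_text.count("-----BEGIN CERTIFICATE-----")
    ends = pem_text.count("-----END CERTIFICATE-----")
    if begins != ends:
        raise ValueError("unbalanced PEM markers: %d BEGIN vs %d END" % (begins, ends))
    return begins


def connect_request(host, port, user=None, password=None):
    """Build the HTTP CONNECT request implied by proxy/type=http plus
    proxy/username and proxy/password (Basic auth, as gcloud sends it)."""
    lines = ["CONNECT %s:%d HTTP/1.1" % (host, port), "Host: %s:%d" % (host, port)]
    if user is not None:
        token = base64.b64encode(("%s:%s" % (user, password or "")).encode()).decode()
        lines.append("Proxy-Authorization: Basic " + token)
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def check_iap_via_proxy(ca_file, user=None, password=None):
    """Tunnel through the proxy and handshake with the IAP endpoint using only
    ca_file as trust store. Returns the issuer CN of the server certificate;
    raises ssl.SSLCertVerificationError on the same failure gcloud reported."""
    ctx = ssl.create_default_context(cafile=ca_file)  # no system roots
    with socket.create_connection((PROXY_HOST, PROXY_PORT), timeout=10) as raw:
        raw.sendall(connect_request(IAP_HOST, IAP_PORT, user, password))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = raw.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection during CONNECT")
            reply += chunk
        status_line = reply.split(b"\r\n", 1)[0]
        if not status_line.startswith(b"HTTP/1.") or b" 200" not in status_line:
            raise ConnectionError("proxy refused CONNECT: %r" % status_line)
        # TLS only starts after the proxy confirms the tunnel; SNI must be the IAP host.
        with ctx.wrap_socket(raw, server_hostname=IAP_HOST) as tls:
            issuer = dict(pair[0] for pair in tls.getpeercert()["issuer"])
            return issuer.get("commonName", "?")
```

Run it as `check_iap_via_proxy("/Users/user01/gce/certs/corpcerts.pem", "user001", "...")`: a ConnectionError points at the proxy allow list, an SSLCertVerificationError at the bundle passed to custom_ca_certs_file.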