How does Argo Tunnel fit into a jumphost/dmz cluster?


#1

I’m fairly new to the devops security side, and been tasked with setting up the hashistack - terraform deployment of consul, nomad, vault on scaleway servers.

It seems from this, one would setup a jumphost, I guess cloudflare calls this the origin server, which the public can access and forwards its requests onto the local nomad+consul servers in the DMZ, which only local IPs can access.

My concern with this model, is if someone else’s app is running on the same scaleway servers, then it would also have a local ip, and thus the DMZ and jumphost configuration would need to be specific IPs, or where every server has the public key of the other servers with all traffic TLS encrypted with a custom CA provided by vault.

However, that is quite complicated, so I’m wondering if the other solution is to just install Argo Tunnel on all the servers, control access to sensitive services via Cloudflare Access, thus not having to bother with a custom local-only DMZ+TLS setup.

Is this a use case solved well by Argo Tunnel?

(just in case I am using DMZ and jumphost wrong, this is my understanding - a jumphost is a server that the public can access which then forwards requests into a DMZ zone, that is a zone that has no public incoming traffic allowed, only traffic from allowed local ips, thus the need for the jumphost.)


#2

This would work with Argo-Tunnel & Access. You don’t need to worry about a DMZ since Argo-Tunnel will reach out. You can run an instance of cloudflared for each node or have a few of them wrapped as a service that hits an internal load balancer.


#3

So just spent an an hour or so preparing to setup argo tunnel on https://github.com/bevry/terraform-scaleway-hashistack

For the origin server, Consul and Vault run on it. For the master and slave servers, Consul and Nomad run on them.

As cloudflared only supports one url:port and hostname combo, I’m not sure how I am meant to set this up. My initial anticipation was that running cloudflared on the machine, will expose everything on 0.0.0.0 (so be port agnostic), such that hostname:8080 tunnelled to 0.0.0.0:8080, and hostname:8181 tunnelled to 0.0.0.0:818.

The ideal is to have the following. Consul, Vault, Nomad listening on 0.0.0.0 with the multiple ports they use. Then for the different services and machines, end up with something like:

Perhaps I can accomplish this with consul’s local DNS features. Will try that.


#4

You can run multiple instances of cloudflared on the same machine. We allow for your origin server to have any port, but when we bind it to the Cloudflare host it’s always exposed on 80 & 443. Let me know what you find. We’re looking at different ways Spectrum (ProxyAnything) and Argo-Tunnel could work together.