Egress HTTPS Proxy Traffic

The Valtix Gateway is now configured to accept traffic on port 443 from any source. You will now run a sample curl command from the EC2 instance and check the logs.

Traffic

  1. SSH to the EC2 instance created in the spoke1-vpc
  2. curl https://www.google.com
  3. Since the certificate is not installed as a trusted root CA on the EC2 instance, you will see a certificate error. You can install the certificate that is being used on the Gateway as a trusted CA on the EC2 instance or choose to ignore certificate verification. For this tutorial, we will choose to ignore the error.
  4. curl -k https://www.google.com
  5. Note a successful response
  6. Navigate to Investigate -> Flow Analytics -> All Events
  7. Select the Gateway from the top pulldown
  8. Check that the logs show in the table
  9. There are two (2) sessions created:
    1. EC2 instance ➡ Valtix Gateway
    2. Valtix Gateway ➡ www.google.com
  10. Check the FQDN column and verify that it shows www.google.com
  11. Check the Rule ID column and verify that it shows the rule name that was configured (any-egress-http)
  12. Click on the Session ID to see the logs only for this session. (We will use this Session ID later to check more things)

Certificate Verification

Let's run some other commands to inspect the certificate and verify that the certificate received for www.google.com is signed by the Gateway's self-signed certificate. Run the following command:

curl https://www.google.com -vk 2>&1 | grep -A 5 -i "server certificate"

You should see output similar to the following:

* Server certificate:
*   subject: CN=www.google.com,OU=NetSec,O=Valtix Inc.,L=SantaClara,ST=California,C=US
*   start date: Dec 14 21:09:52 2020 GMT
*   expire date: Dec 15 21:09:52 2021 GMT
*   common name: www.google.com
*   issuer: O=Valtix

Look at the subject and issuer to confirm that the traffic was proxied by Valtix.

If you run the same command

curl https://www.google.com -vk 2>&1 | grep -A 5 -i "server certificate"

on another machine or your laptop that accesses Google directly, without going through Valtix, you will see output like this:

* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=www.google.com
*  start date: Nov 10 14:41:09 2020 GMT
*  expire date: Feb  2 14:41:08 2021 GMT
*  issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1
*  SSL certificate verify ok.

Again looking at the subject and issuer you will notice that those fields are from Google.
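
The subject and issuer comparison above can be scripted. The following is an added example, not part of the original tutorial or of Valtix's tooling; it assumes the Gateway issuer string is `O=Valtix` as in the sample output, and the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not Valtix code. EXPECTED_ISSUER is the Gateway issuer string
# from the sample output on this page; change it to match your own certificate.
EXPECTED_ISSUER="O=Valtix"

# cert_field NAME: print the value of the "*  NAME: value" line in curl -v output (stdin).
cert_field() {
  tr -d '\r' | sed -n "s/^\*[[:space:]]*${1}:[[:space:]]*//p" | head -n 1
}

# classify: read curl -v output on stdin and print proxied, direct or unknown.
# With -k curl does not validate the chain, so this confirms the traffic path only;
# it does not establish trust in the certificate.
classify() {
  local out issuer
  out=$(cat)
  issuer=$(printf '%s\n' "$out" | cert_field issuer)
  if [ -z "$issuer" ]; then
    echo unknown            # no certificate block, e.g. the connection failed
  elif [ "$issuer" = "$EXPECTED_ISSUER" ]; then
    echo proxied            # certificate was re-issued by the Gateway
  else
    echo direct             # some other CA issued the certificate
  fi
}

# subject_cn: print the subject CN; handles both "," and ";" separated DNs.
subject_cn() {
  cert_field subject | sed -n 's/.*CN=\([^,;]*\).*/\1/p'
}

# check_host HOST: live check (needs network access); not called by default.
check_host() {
  curl -skv -o /dev/null "https://$1" 2>&1 | classify
}

# Constructed samples, taken from the two outputs shown on this page.
VIA_GATEWAY='* Server certificate:
*   subject: CN=www.google.com,OU=NetSec,O=Valtix Inc.,L=SantaClara,ST=California,C=US
*   issuer: O=Valtix'
DIRECT='* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=www.google.com
*  issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1'

echo "via gateway: $(printf '%s\n' "$VIA_GATEWAY" | classify)"
echo "direct:      $(printf '%s\n' "$DIRECT" | classify)"
```

To check a live host from the EC2 instance, call `check_host www.google.com` after sourcing the script.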

You can run curl commands against other websites as well:

curl -kvI https://www.facebook.com
curl -kvI https://github.com

Tech Notes

To install the certificate as a trusted CA on the EC2 instance, check this link