Skip to main content

Runops Proxy

Runops proxy allows forwarding remote TCP services locally.

Agent Setup#

The agent is responsible for managing TCP connections in your local infrastructure, for proxying MySQL connections, a target with type mysql is required with the configurations described in the integrations section. The agent must be able to reach out the MySQL instance.

Docker Deployment#

With Environment Variables

AGENT_TOKEN=
AGENT_TAG=
docker run --rm -it runops/rproxy agent \
--tag "$AGENT_TAG" \
--token $AGENT_TOKEN \
-e MYSQL_CONFIG='{ "MYSQL_HOST": "", "MYSQL_PORT": "", "MYSQL_USER": "", "MYSQL_PASS": "" }'

With AWS Secret Manager

docker run --rm -it runops/rproxy agent \
--tag "$AGENT_TAG" \
--token $AGENT_TOKEN \
-e AWS_ACCESS_KEY_ID= \
-e AWS_SECRET_ACCESS_KEY= \
-e AWS_REGION=

Kubernetes Deployment#

Alter the snippet below to deploy a new instance in Kubernetes

# The agent token to connect to the API
# If you have any agent deployed, use the same token.
# Otherwise run the command to obtain a new one: runops agents create-token -f
AGENT_TOKEN=
# If you need multiple agents running in distinct networks, tag each instance with a unique name.
# A target must always match an agent instance, leave empty if this is your first instance.
AGENT_TAG=
kubectl apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: rproxy-agent
name: rproxy-agent
namespace: runops
spec:
replicas: 1
selector:
matchLabels:
app: rproxy-agent
strategy:
type: Recreate
template:
metadata:
labels:
app: rproxy-agent
spec:
containers:
- env:
# The AWS environments is required when there are
# targets using the secret manager as secret provider
# - name: AWS_ACCESS_KEY_ID
# value: ''
# - name: AWS_SECRET_ACCESS_KEY
# value: ''
# - name: AWS_REGION
# value: ''
# This environment is used if the secret provider option in the target
# is 'env-var'. The environment name must match with the secret path value of the target
# If you have multiple database instances, add new environments configuration with distinct
# names.
- name: MYSQL_CONFIG
value: '{ "MYSQL_HOST": "", "MYSQL_PORT": "", "MYSQL_USER": "", "MYSQL_PASS": "" }'
- name: TOKEN
value: $AGENT_TOKEN
- name: TAG
value: "$AGENT_TAG"
image: "runops/rproxy"
args: ["agent"]
imagePullPolicy: Always
resources:
requests:
memory: "1024Mi"
cpu: "500m"
name: rproxy-agent
EOF

Running the Proxy#

  • Download and install the runops cli: npm install -g runops
  • Download docker or the latest rproxy command utility

First authenticate with a valid user in your organization

runops login

With Docker#

# your target must match with the configuration of a deployed agent
TARGET_NAME=
docker run \
--rm -it \
-p 3307:3307 \
-v $HOME/.runops:/root/.runops \
runops/rproxy mysql -c $TARGET_NAME
2022/06/23 16:36:02 connected!
2022/06/23 16:36:02 serving mysql proxy at 0.0.0.0:3307
2022/06/23 16:36:02 connected with agent sucessfully, ready to accept connections!

Standalone Command#

TARGET_NAME=
rproxy mysql -c $TARGET_NAME

Try to connect in the database instance using your prefered MySQL client#

mysql -h 127.0.0.1 --port 3307

There's no need to pass the username and password

Auditing Connections#

All commands performed in the targets are audited, as an administrator in Runops it's possible to inspect which commands where issued:

# it will peform a live audit, streaming the results in real time to the terminal
rproxy audit -f
# audit all commands executed in 22 of June of 2022
rproxy audit -q datetime=2022-06-22