Flood Aqueduct helps our customers tunnel from the cloud into their own corporate networks, to facilitate load testing at scale.
For the purposes of testing, you may not always want to target your real life corporate intranet site. To that end, this repository provides a very simple, HTTPS based web server which will be reachable only from your own client machine. The configuration is up to you but we recommend hosting this at www.ecorp.dev
But wait, before you click that link, you might want to set it up first. Here's how.
First, clone this repository somewhere local so we can get down to business.
You're going to need a self-signed certificate, so you can look and feel like a HTTPS site. If you trust me, run this:
rm -rf ./certs
mkdir -p ./certs
openssl req \
-newkey rsa:2048 \
-x509 \
-nodes \
-keyout ./certs/ecorp.dev.key \
-new \
-out ./certs/ecorp.dev.crt \
-subj /CN=\*.ecorp.dev \
-reqexts SAN \
-extensions SAN \
-config <(cat /System/Library/OpenSSL/openssl.cnf \
<(printf '[SAN]\nsubjectAltName=DNS:\*.ecorp.dev')) \
-sha256 \
-days 3650
You should see something like this:
Generating a 2048 bit RSA private key
..................+++
.........+++
writing new private key to './certs/ecorp.dev.key'
-----
If you didn't, back to google searching you go. Note, these are self signed certificates, no good for production use of course. You can skip this step if you want to use the certificate I committed to this repository. We only do this so we can pretend to be a real HTTPS based website, in true Mr Robot style.
Time to make your shiny new MacBook trust those fake certificates. To do that, trust me again:
sudo security \
add-trusted-cert -d \
-r trustRoot \
-k /Library/Keychains/System.keychain \
./certs/ecorp.dev.crt
If everything went to plan, you should be able to find your self-signed root certificate for *.ecorp.dev sitting in your System Keychain.
Next, you will need docker compose. If you already have docker installed, chances are you already have it, otherwise you can follow its own installation instructions here.
Now you're ready to spin up your webserver, do that with this command:
docker-compose up
If you do that right, you should see something like this:
Recreating ecorpdev_whoami_1 ... done
Starting ecorpdev_nginx-proxy_1 ... done
Attaching to ecorpdev_whoami_1, ecorpdev_nginx-proxy_1
nginx-proxy_1 | Custom dhparam.pem file found, generation skipped
nginx-proxy_1 | forego | starting dockergen.1 on port 5000
nginx-proxy_1 | forego | starting nginx.1 on port 5100
whoami_1 | Listening on :8000
nginx-proxy_1 | dockergen.1 | 2019/02/20 13:19:38 Generated '/etc/nginx/conf.d/default.conf' from 2 containers
nginx-proxy_1 | dockergen.1 | 2019/02/20 13:19:38 Running 'nginx -s reload'
nginx-proxy_1 | dockergen.1 | 2019/02/20 13:19:38 Watching docker events
nginx-proxy_1 | dockergen.1 | 2019/02/20 13:19:38 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification 'nginx -s reload'
Heads up, this thing won't quit until you hit Ctl-c. Don't worry, it's meant to be a web server so you want this thing up for your testing ...
The last thing you need to do, is give your machine some way to resolve this fictional site. You can do that in your hosts file.
You want your /etc/hosts file to look something like this:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
192.168.16.29 www.ecorp.dev
Notice that last line there? It's letting your computer know that the server www.ecorp.dev lives on your machine at 192.168.16.29 which is the IP address that your router has assigned. If you don't know how to edit these types of files, do so with a bit of caution. I normally sudo vi /etc/host assuming you know how to use Vi. Others prefer nano. Your call, time to learn something new.
Couple of things you can do now to test it's all hanging together. Running this command:
getent hosts www.ecorp.dev
or
dscacheutil -q host -a name www.ecorp.dev
Will hopefully show you that it resolves to this:
192.168.16.29 www.ecorp.dev
You should also be able to curl yourself:
curl -k https://www.ecorp.dev
You should get something like this:
I'm 5400858c7220
And last but not least, test it from a browser. Go ahead, click this link www.ecorp.dev
Congratulations if you got this far.
If you came here from Flood Aqueduct, you can now target your secret squirrel website from the cloud with aqueduct --target https://www.ecorp.dev but before you do, make sure your /etc/hosts file has the IP address assigned to your machine, not just localhost. You can find that address normally with this:
ipconfig getifaddr en0
Assuming you're connected on that en0 interface. Use that IP address, for example 10.13.31.200 instead of 127.0.0.1 and that way the tunnel client running in a container, can find your machine on your local network.
If you have questions feel free to reach out to us at Flood.