Connect to Websites

Last modified on October 4, 2023

Overview

When connecting to a website resource through StrongDM, traffic is proxied from your system through your gateways or relays to reach the final site.

For your system to understand what web requests to proxy, you need to configure a Proxy Auto-Configuration (PAC) file. This file allows you to check your host URLs against an *.sdm.network expression to determine if the specified proxy should occur through StrongDM.

We recommend using our PAC file for this task.

Note that it is not necessary to run either the sdm connect or sdm disconnect commands for this website resource except in specific instances.

Prerequisites

Before you get started with the configuration steps in this guide, make sure the following conditions are met:

The web resource is created under the Websites section of the Admin UI. For more information, see Websites.
The intended users have access to view the website resource. For more, see the Roles page.

Configure PAC on Windows

Use the following steps to automatically set up a proxy in the Windows automatic proxy settings.

Open the Settings from the Windows menu.
Click Network & Internet.
Open the Proxy tab.
Enable Use setup script.
Add https://app.strongdm.com/proxy.pac to the Script address field.
Automatic Proxy Setup Windows
Click Save.
Log in to the StrongDM Desktop application.
Open the website in your browser and it successfully displays.

Configure PAC on macOS

Use the following steps to enable automatic proxy configuration on macOS.

Open your System Settings and select the Network icon.
Choose your current connection method (for example, wireless or ethernet) and view the details for that connection.
Click the Proxies tab.
Enable Automatic proxy configuration.
Add https://app.strongdm.com/proxy.pac to the URL field.
Automatic Proxy Configuration macOS
Click OK.
If prompted, enter your admin password.
Log in to the StrongDM Desktop application.
Open the website in your browser and it successfully displays.

If you connect to StrongDM resources via a VPN, you may need to add the PAC to the VPN connection within macOS network settings.

Use cURL With StrongDM

If you prefer to bypass the PAC file, you can use curl to send and receive *.sdm.network web traffic through StrongDM. For example, this can be helpful when testing programmatic connections to a site.

By default, curl sends an HTTP GET request. All curl requests are made through localhost on port 65230 and require *.sdm.network in the header. You can use the -x or --proxy switch to supply curl with proxy details. Both switches accomplish the same goal.

Once a resource is configured in the Websites section of the StrongDM Admin UI, run sdm status in the CLI.
Check the URL column in the output, which displays the configured websites with this basic URL pattern:
http://<HTTP_SUBDOMAIN>.<WEB_DOMAIN>.sdm.network/<PATH>
```
WEBSITE      URL                                                          TAGS
Example1     http://simple-web-page.my-organization.sdm.network/phpinfo.php    temporary access until 11:27AM
```
If we break down our Example1 website above, we can see the following URL components:
- <HTTP_SUBDOMAIN> is listed before the web domain (for example, simple-web-page) and is a reference to the resource in question.
- <WEB_DOMAIN> precedes .sdm.network (for example, my-organization). This value is used organization-wide. It can be found in your Admin UI under Settings > General. The web domain does not typically change during the lifetime of your deployment. The web domain is often the organization’s name with spaces and special characters removed, but can be different.
- <PATH> indicates the full path of the resource you are trying to access on that website (for example, /phpinfo.php).
Use the following curl command to specify StrongDM as the HTTP proxy. Replace with the values from the sdm status output in step 2.
```
curl -k -x localhost:65230 <URL_FROM_SDM_STATUS_OUTPUT>/<PATH>
```
```
curl -k -x localhost:65230 http://simple-web-page.my-organization.sdm.network/phpinfo.php
```
If using Windows PowerShell, the curl command may be mapped as an alias to the Invoke-WebRequest cmdlet. Therefore, use the curl.exe executable directly instead of the curl command.

Add to an Existing Proxy

If your system already has a proxy configured, you can append the following rules to your existing configuration:

function FindProxyForURL(url, host) {
  if (shExpMatch(host, "proxyerror.sdm.network")) {
    return "DIRECT";
  }
  if (shExpMatch(host, "*.sdm.network")) {
    return "PROXY localhost:65230";
  }
  return "DIRECT";
}

FAQ

Q: What is the proxy.pac file that the URL is pointing to?
A: A PAC file contains a JavaScript function that tells the HTTP client which proxy server to connect to for specifically defined URLs. To learn more, see the Mozilla Developer Docs.

Q: What does the StrongDM PAC file do?
A: It sends any web requests containing sdm.network in the URL to be proxied through a port on the localhost. All other connection attempts go directly to the intended site.

Q: Is there an alternative to pointing to the StrongDM hosted PAC file?
A: Yes, you could also download the PAC file and host it on your own web servers. It does not have to be dynamically loaded from our server.

Q: Are there any potential security concerns with this approach?
A: StrongDM controls full access to this proxy configuration, so the risk of falsely redirected traffic is very low. However, if you have concerns, you can choose to download and host the file yourself, as previously mentioned.

Connect to Websites

Overview #

Prerequisites #

Configure PAC on Windows #

Configure PAC on macOS #

Use cURL With StrongDM #

Add to an Existing Proxy #

FAQ #