
There are several ways to secure Sauce Connect Proxy in your network. With our recommended configuration, firewall rules are set so that Sauce Connect Proxy has only one point of access to the customer's internal network – through a single HTTP proxy – and all inbound traffic will be relayed. You'll have a secure setup with fine-grained access control and complete logging. 

Recommended Sauce Connect Configuration

The sc client program establishes a TLS connection (tunnel connection) to a dedicated tunnel endpoint server hosted in the Sauce Labs cloud. During test sessions, browsers and mobile apps use this tunnel endpoint as an HTTP proxy. HTTP requests are multiplexed and relayed back through the tunnel connection to the sc client program, which proxies these HTTP requests, providing access to the Application Under Test within your network.

There are two options to control and monitor the access sc has to your network: firewall rules and proxy settings. In our recommended configuration, both are used.

Firewall Rules

The sc client program should be run on a dedicated, single-purpose machine or VM (the SC Host) that has access only to the systems required for testing. This can be accomplished with an external firewall.

For maximum control, we recommend firewalling the SC Host so that its only access to the customer network is through a single HTTP proxy, where all inbound traffic is relayed and can be appropriately restricted and logged. This prevents unintended access through other routes in the event of a security vulnerability that affects Sauce Connect.

Proxy Settings

In its default configuration, Sauce Connect will act as an HTTP proxy itself, relaying requests received over the tunnel connection directly to hosts in the customer network.

By using the --proxy or --pac command-line options, sc can be configured to relay all requests to another HTTP proxy or proxies, where policy can be controlled and activity can be logged and monitored. The access provided by the configured proxies is in turn the only access that inbound requests coming through sc will have to the customer network.

We recommend the use of an HTTP proxy that is familiar to the customer's security team. The proxy should be configured to allow access only to a whitelisted set of URL domains or URL prefixes used for testing. Access should be logged. Note that logs can be inspected by an Intrusion Detection System for malware signatures and other signs of suspicious activity.

For more information, see Sauce Connect Command Line Reference and Sauce Connect Proxy Setup with Additional Proxies.

DIAGRAM: Recommended Sauce Connect Configuration

Summary of Recommended Configuration

By configuring Sauce Connect following these steps, you can create a security profile with fine-grained control over access and complete logging of activity:

  1. Designate a dedicated, single-purpose machine or VM as a Sauce Connect client host.
  2. Configure an HTTP proxy of the customer's choice (referred to below as the sc proxy) so that it allows access only to systems under test and logs all traffic.
  3. Configure any Intrusion Detection Systems to monitor the sc proxy logs.
  4. Firewall the SC Host so that its customer network access is restricted to the specific host and port where the sc proxy resides.
  5. Run sc with the --proxy or --pac command line options, configuring it to use the sc proxy for all inbound HTTP connections.
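
As an added example (not part of the Sauce Labs documentation), the sketch below shows the kind of check an Intrusion Detection System can run over the sc proxy's access log in step 3. It assumes the proxy is dedicated to the SC Host and writes Squid's native access.log format; the host address, allowlist entries and log lines are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed values for illustration (not from the Sauce Labs documentation).
SC_HOST = "10.0.5.20"                                   # the dedicated SC Host
ALLOWED_DOMAINS = {"app.test.internal"}                 # exact host or any subdomain
ALLOWED_PREFIXES = ("http://staging.internal/shop/",)   # URL-prefix entries

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1700000000.101  45 10.0.5.20 TCP_MISS/200 5120 GET http://app.test.internal/login - HIER_DIRECT/10.0.8.15 text/html
1700000001.310  12 10.0.5.20 TCP_TUNNEL/200 3890 CONNECT api.app.test.internal:443 - HIER_DIRECT/10.0.8.16 -
1700000002.522   3 10.0.5.20 TCP_DENIED/403 3901 GET http://hr.corp.internal/payroll - HIER_NONE/- text/html
1700000003.007  30 10.0.5.20 TCP_MISS/200 880 GET http://staging.internal/admin/ - HIER_DIRECT/10.0.8.30 text/html
1700000004.450  21 10.0.7.99 TCP_MISS/200 640 GET http://app.test.internal/ - HIER_DIRECT/10.0.8.15 text/html
garbage line
"""

def is_allowed(method, target):
    """True if the request target matches the domain or URL-prefix allowlist."""
    if method == "CONNECT":                       # target is host:port, no URL path
        host = target.rsplit(":", 1)[0].lower()
    else:
        if target.startswith(ALLOWED_PREFIXES):
            return True
        host = (urlsplit(target).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def audit(log_text):
    """Return (line_no, finding) tuples for entries an IDS should alert on."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        f = line.split()
        if len(f) < 7 or "/" not in f[3]:
            findings.append((no, "unparseable"))
            continue
        client, action, method, target = f[2], f[3].split("/")[0], f[5], f[6]
        if client != SC_HOST:
            findings.append((no, "unexpected-client"))
        elif "DENIED" in action:
            findings.append((no, "blocked-attempt"))   # proxy policy held; still worth a look
        elif not is_allowed(method, target):
            findings.append((no, "policy-gap"))        # proxy served a non-allowlisted target
    return findings

if __name__ == "__main__":
    for no, finding in audit(SAMPLE_LOG):
        print(f"line {no}: {finding}")
```

A "policy-gap" finding means the proxy's own allowlist is looser than intended, while "unexpected-client" means something other than the SC Host is reaching the proxy.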

Benefits to this configuration:

  • Single point of entry for requests relayed through Sauce Connect to access the customer network
  • Layer 3 access restricted to a single proxy
  • Fine-grained access control at the HTTP level
  • Only the Application Under Test is exposed to requests originating from Sauce Labs
  • Complete logging of access
  • Easy monitoring with Intrusion Detection Systems

Sauce Labs Security Process

Sauce Labs provides a secure and scalable cloud computing platform, located in world-class data centers in North America and Europe, for functional testing of web and mobile apps.

Having our own cloud enables us to provide our services faster, and with higher security, than can be delivered on a public cloud with shared resources. Managing our own data centers also means that we are responsible for delivering a consistent experience with the utmost concern for the security of our users’ data.

For an overview of the services offered by Sauce Labs, our methods for securing the transmission of test data and results, and our security policies and procedures, see our white paper, Overview of Sauce Labs Security Processes.