Despite meeting all the necessary prerequisites (listed below), scanning GCP hosts using IAP fails with the error:

'WebSocketBadStatusException' object has no attribute 'startswith'

The scan is conducted from an appliance using an HTTP internet proxy (configured in the GCP credential).

Prerequisites: The following permissions/roles are configured on the GCP service account used for scanning:
The following is reported in the discovery debug log:

    websocket._exceptions.WebSocketBadStatusException: Handshake status 403 DefaultErrorTe . .
    Error Generated by (Proxy name/ID) : <HTTP Proxy Address>
    In The Cloud : true
    Client IP : <Client_IP>
    Client Connection IP : <Client_Connection_IP>
    Proxy IP: 0.0.0.0
    Proxy Incoming Port : 8080
    Proxy Incoming Protocol : HTTP
    Proxy Outbound IP : 0.0.0.0
    URL Host : tunnel.cloudproxy.app
    URL : <URL>
    URL Categories : Internet Services
    URL Reputation : Minimal Risk
    Block Reason : Default Error Template
    Error Message :
    User-Agent : invocation-id/f47b3b594daa42a98cfa0ac91cb83499 environment/None environment-version/None interactive/False
    Ruleset : Block_FINAL
    Rule : Block_all
    OnPremProxy ID : <ID>

As documented here:
"IAP uses the following domains, which are owned by Google:
If connecting through a proxy server or firewall, ensure they allow traffic to these domains and do not block WebSocket connections. Blocking traffic to these domains will prevent the use of IAP for TCP, resulting in various error messages."
Solution:
Allow traffic to the domains tunnel.cloudproxy.app and mtls.tunnel.cloudproxy.app (if certificate-based access is enabled), or bypass the proxy/firewall.
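
The following triage sketch is an added example, not code from the product or from Google's documentation: it reads a debug log excerpt like the one above and reports whether the 403 handshake came from a proxy block page for one of the IAP domains, and which proxy rule fired. The function name `triage`, the verdict labels, the placeholder proxy name, and the one-field-per-line layout of the sample log are assumptions.

```python
import re

# Domains the article names as required for IAP TCP forwarding.
IAP_DOMAINS = {"tunnel.cloudproxy.app", "mtls.tunnel.cloudproxy.app"}

# Constructed sample modelled on the debug log above, one field per line
# (assumed layout); proxy.example.internal is a placeholder.
SAMPLE_LOG = """\
websocket._exceptions.WebSocketBadStatusException: Handshake status 403 DefaultErrorTe
Error Generated by (Proxy name/ID) : proxy.example.internal
Proxy Incoming Port : 8080
URL Host : tunnel.cloudproxy.app
Block Reason : Default Error Template
Error Message :
Ruleset : Block_FINAL
Rule : Block_all
"""

STATUS_RE = re.compile(r"WebSocketBadStatusException: Handshake status (\d{3})")
# "Key : value" lines as written by the proxy's block page; value may be empty.
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z][\w /()-]*?)[ \t]+:[ \t]*(.*?)[ \t]*$", re.M)


def triage(log_text):
    """Classify a failed IAP WebSocket handshake found in a debug log (hypothetical helper)."""
    match = STATUS_RE.search(log_text)
    if match is None:
        return {"verdict": "no_handshake_error"}
    fields = dict(FIELD_RE.findall(log_text))
    host = fields.get("URL Host", "").lower()
    result = {
        "status": int(match.group(1)),
        "host": host,
        "rule": "/".join(v for v in (fields.get("Ruleset"), fields.get("Rule")) if v),
    }
    if "Block Reason" in fields and host in IAP_DOMAINS:
        # The proxy answered instead of Google: this host needs an allow rule.
        result["verdict"] = "proxy_block"
    else:
        # No block-page fields: the rejection did not come from a logged proxy rule.
        result["verdict"] = "rejected_without_block_page"
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A `proxy_block` verdict together with the reported ruleset and rule gives the proxy administrator the exact policy entry that needs an exception for the IAP domain.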