Commit

Showing 6 changed files with 100 additions and 71 deletions.
@@ -1,41 +1,52 @@ | ||
# Edge Proxy Daemon | ||
# Secure Port Forwarder | ||
|
||
This is a TCP reverse proxy for edge services behind firewalls. | ||
This is a remote port forwarder based on SSH protocol (`ssh -R`). | ||
It only supports remote port forwarding, but not the rest of SSH features (no session/channel is supported), | ||
so it's safer than running a full featured SSH server on a public network. | ||
|
||
## How It Works | ||
With Secure Port Forwarder running on a public network, | ||
a server behind a firewall can be exposed to the public network using: | ||
|
||
The Edge Proxy Daemon must run somewhere it's able to open a TCP port on the network | ||
that services are being exposed to (e.g. Internet). The edge services connect to | ||
this proxy via SSH remote port forwarding. Here's an example: | ||
```shell | ||
ssh -N -R www.example.com:80:localhost:8080 [email protected] | ||
``` | ||
|
||
- Run Edge Proxy Daemon on Internet, with DNS name epd.example.com; | ||
- A web server is running behind firewall, and it's listening on `localhost:8080`; | ||
- On the same machine as the web server is running, run `ssh -N -R www.example.com:80:localhost:8080 [email protected]` | ||
Here assuming Secure Port Forwarder is running on `spf.example.com` on regular SSH port `22`, | ||
and the server behind the firewall is running on `localhost:8080`. | ||
The `ssh` command asks Secure Port Forwarder to forward `www.example.com:80` and rely it to `localhost:8080`. | ||
|
||
Now open the browser to access `http://www.example.com`, it should reach the web server running behind the firewall. | ||
The Edge Proxy Daemon doesn't expose the exact port requested by the SSH client, | ||
instead, it opens a random port on localhost, and relies on a endpoint setup script | ||
to configure another reverse proxy for forwarding the connection on the requested DNS to this local port. | ||
However Secure Port Forwarder doesn't exposing the specified DNS and port to the public network. | ||
Instead, it only opens a random TCP port on `localhost` and forwards connections to the SSH client. | ||
User must provide an endpoint setup script for setting up `www.example.com:80` on some proxy server | ||
(e.g. [traefik](https://github.com/containous/traefik)). | ||
|
||
## Usage | ||
|
||
Launch `epd` without arguments to use default configurations: | ||
Launch `spf` without arguments to use default configurations: | ||
|
||
- `-addr=:2022`: listen on `:2022` as SSH server address; | ||
- Use host keys from `/etc/ssh`; | ||
- Use `~/.ssh/authorized_keys` for authorized keys; | ||
- `-bind-addr=localhost`: open random TCP port as requested on `localhost`; | ||
|
||
In addition to that, specifying `-endpoint-exec=PROGRAM` to use `PROGRAM` for setting up a DNS based reverse proxy. | ||
In addition to that, specifying `-setup-cmd=PROGRAM` to use `PROGRAM` for setting up a DNS based reverse proxy. | ||
|
||
For example, when using [traefik](https://github.com/containous/traefik), a shell script can be used to configure it | ||
for forwarding the request on a specific DNS to a localhost port. | ||
The `PROGRAM` is invoked as: | ||
|
||
``` | ||
PROGRAM open|close hostname local-port | ||
PROGRAM open|close public-host:public-port local-host:local-port | ||
``` | ||
|
||
- `open` is used to ask the script to start forwarding from `public-host:public-port` to `local-host:local-port`; | ||
- `close` is used to ask the script to stop forwarding from `public-host:public-port`. | ||
|
||
According to `-bind-address=A.B.C.D` when launching `spf`, and the SSH client command line, e.g. | ||
|
||
```shell | ||
ssh -N -R www.example.com:80:localhost:8080 [email protected] | ||
``` | ||
|
||
When `local-port` is opened for `hostname` (request on the client side as `ssh -R hostname:anyport:host:port`), | ||
`open` is used. | ||
When the forwarding request is canceled, `close` is used. | ||
- `public-host:public-port` is `www.example.com:80`; | ||
- `local-host:local-port` is `A.B.C.D:port` where the `port` is a random port opened by `spf`. |
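Review bot: the new README is inconsistent about the flag name: the defaults list says `-bind-addr=localhost`, but the later paragraph refers to `-bind-address=A.B.C.D`; pick one spelling and use it in both places. The worked example also says Secure Port Forwarder runs on `spf.example.com` on "regular SSH port `22`" while the documented default listen address is `-addr=:2022`, so either the client command should pass `-p 2022` or the text should state that a non-default port was chosen. Wording nits in the new lines: "rely it to `localhost:8080`" should read "relay it to", "doesn't exposing" should be "doesn't expose", and "specifying `-setup-cmd=PROGRAM` to use `PROGRAM`" reads better as "specify `-setup-cmd=PROGRAM` to use `PROGRAM`". Finally, since the `public-host:public-port` argument handed to the setup command is taken directly from the client's `-R` request, the section describing `PROGRAM` should tell script authors to treat it as untrusted input and validate the host name and port (for example against an allow-list of domains the operator controls) before writing it into the proxy configuration, because any holder of an authorized key can request any name.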
@@ -1,8 +1,9 @@ | ||
module github.com/evo-cloud/epd | ||
module github.com/evo-cloud/spf | ||
|
||
go 1.14 | ||
|
||
require ( | ||
github.com/evo-cloud/epd v0.0.0-20200807060954-8839e9c13e10 | ||
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b | ||
golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de | ||
) |
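Review bot: the require block of the renamed module still pulls in `github.com/evo-cloud/epd v0.0.0-20200807060954-8839e9c13e10`, which is the project's own previous import path. If any package in this tree still imports `github.com/evo-cloud/epd/...` after the module line became `github.com/evo-cloud/spf`, the build compiles those packages from the old pinned snapshot rather than from the working tree, so changes made in this commit would silently not apply to them. Rewrite the remaining imports to the new module path, drop this require line and run `go mod tidy` so `go.sum` is refreshed as well; if depending on the old module is intentional, a comment on that line explaining why would help future readers.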