Merge pull request antoniomika#204 from antoniomika/am/v2-work
v2
antoniomika authored Dec 29, 2021
2 parents 24e9f31 + 4219759 commit b626f96
Showing 12 changed files with 505 additions and 129 deletions.
66 changes: 55 additions & 11 deletions README.md
Expand Up @@ -4,12 +4,9 @@ An open source serveo/ngrok alternative.

## Deploy

Builds are made automatically for each commit to the repo and are pushed to Dockerhub. Builds are
tagged using a commit sha, branch name, tag, latest if released on main.
You can find a list [here](https://hub.docker.com/r/antoniomika/sish/tags).
Each release builds separate `sish` binaries that can be downloaded from
[here](https://github.com/antoniomika/sish/releases) for various OS/archs.
Feel free to either use the automated binaries or to build your own. If you submit a PR, images are
Builds are made automatically for each commit to the repo and are pushed to Dockerhub. Builds are tagged using a commit sha,
branch name, tag, latest if released on main. You can find a list [here](https://hub.docker.com/r/antoniomika/sish/tags).
Each release builds separate `sish` binaries that can be downloaded from [here](https://github.com/antoniomika/sish/releases) for various OS/archs. Feel free to either use the automated binaries or to build your own. If you submit a PR, images are
not built by default and will require a retag from a maintainer to be built.

1. Pull the Docker image
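Review bot: this hunk only re-wraps the existing Deploy paragraph, so the diff shows six lines removed and three added with no change in meaning, and the new third line runs to well over 200 characters. Either keep the original wrapping so the rename below is the only thing a reviewer has to read, or wrap the rewritten paragraph at the same width the rest of the README uses. While touching it, "tagged using a commit sha, branch name, tag, latest if released on main" reads better as "tagged with the commit sha, the branch name, the tag, and `latest` for releases on main".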
Expand All @@ -28,7 +25,7 @@ not built by default and will require a retag from a maintainer to be built.
--https=true \
--https-certificate-directory=/ssl \
--authentication-keys-directory=/pubkeys \
--private-key-location=/keys/ssh_key \
--private-keys-directory=/keys \
--bind-random-ports=false
```
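Review bot: the `--private-keys-directory=/keys` change in the docker run example is correct, but the semantics changed from one file to a directory, and the new flag help says sish loads every key it finds there as a server host key. The deploy step should say so in one sentence: mount a directory that contains only the intended host private keys, readable by the sish process alone, and (per the flag help) keep them unencrypted or encrypted with the `--private-key-passphrase`.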

Expand Down Expand Up @@ -126,6 +123,31 @@ I can use the forwarded connection to then access my laptop from anywhere:
ssh -p 2222 ssi.sh
```
### SNI forwarding
Sometimes, you may have multiple TCP services running on the same port.
If these services support [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication), you can have sish
route TLS connections to different backends based on the SNI name provided. For example, I have two webservices
(servers) and I want to offload TLS to each without sish offloading SSL. This can be achieved by disabling sish's
internal HTTPS service (you won't be able to use the service console for this however). Then, I can start a ssh
connection from each server like so:
From server A
```bash
ssh -R servera.example.com:443:localhost:443 ssi.sh sni-proxy=true
```
From server B
```bash
ssh -R serverb.example.com:443:localhost:443 ssi.sh sni-proxy=true
```
As long as server{a,b}.example.com points to where sish is hosted and a user can bind those hosts, TLS connections to
servera.example.com:443 will be forwarded to server A and TLS connections to serverb.example.com:443 will
be forwarded to server B. It is then up to each server to complete the TLS handshake and the subsequent request.
### TCP alias forwarding
Let's say instead I don't want the service to be accessible by the rest of the world, you can then use a TCP
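Review bot: the new SNI section needs blank lines before `### SNI forwarding`, before `### TCP alias forwarding`, and around the "From server A" / "From server B" lines and their fences, otherwise several markdown renderers glue the heading to the preceding fence and the fences to the labels. On wording, "offload TLS to each without sish offloading SSL" should say "terminate TLS on each server rather than in sish", and "a ssh connection" should be "an SSH connection". One point worth stating explicitly for operators: in this mode sish never sees plaintext, so it cannot inspect or authenticate the request; the only control over who receives traffic for `servera.example.com` is which sish user is allowed to bind that hostname, which makes the "a user can bind those hosts" clause the security-relevant part of the paragraph.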
Expand Down Expand Up @@ -154,6 +176,21 @@ Shorthand for which is this with newer SSH versions:
ssh -J ssi.sh mylaptop
```

You can also use TCP aliases with any port you would like. If for example you wanted to use an alias
with port `80` or `443` (default to a HTTP tunnel), provide the command `tcp-alias=true` to the ssh command:

```bash
ssh -R service:80:localhost:80 ssi.sh tcp-alias=true
```

Aliases can be accessed on a different computer using SSH local forwards also. For the above, I could use:

```bash
ssh -L 80:service:80 ssi.sh
```

to then access the forwarded server service at `localhost:80` on the client side of the computer I am on.

## Authentication

If you want to use this service privately, it supports both public key and password
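Review bot: the local-forward example `ssh -L 80:service:80 ssi.sh` binds port 80 on the client, which fails for an unprivileged user on Unix-like systems; `ssh -L 8080:service:80 ssi.sh` with "access ... at `localhost:8080`" is the version most readers can copy as-is. Also "(default to a HTTP tunnel)" should be "(which default to an HTTP tunnel)", and "on the client side of the computer I am on" is redundant; "on the computer I am on" is enough.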
Expand Down Expand Up @@ -243,6 +280,14 @@ to write.
[[email protected]](mailto:[email protected])
or on [freenode IRC #sish](https://kiwiirc.com/client/chat.freenode.net:6697/#sish)

## Upgrading to v2.0

v2 introduces only a few breaking changes, namely around authentication. v2 enables authentication by default. If you were
an authenticated instance before, be sure to set `--authentication` accordingly. v2 also brings support for multiple
SSH host private keys, which allows you to use different encryption schemes. This changed the `--private-key-location` to
`--private-keys-directory`. Keys generated or previously used in sish will work as normal, just be sure to update this
argument if it was changed from the default.

## Upgrading to v1.0

There are numerous breaking changes in sish between pre-1.0 and post-1.0 versions. The largest changes are
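Review bot: the sentence "If you were an authenticated instance before, be sure to set `--authentication` accordingly" has the logic inverted. Instances that already ran with authentication on are unaffected by the new default; the deployments that need to act are those that relied on the old default of `false`, which after upgrading will reject every SSH login until public keys or a password are configured or `--authentication=false` is passed explicitly. Please say that directly, because it is the one change in this commit that will take an existing deployment offline. Two smaller points: "different encryption schemes" should be "different host key types", and the notes should mention that the built-in default for `--admin-console-token` was removed (see the change in `cmd/sish.go`), so anyone who enabled the admin console without setting a token must now set one.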
Expand All @@ -266,11 +311,11 @@ Usage:
Flags:
--admin-console Enable the admin console accessible at http(s)://domain/_sish/console?x-authorization=admin-console-token
-j, --admin-console-token string The token to use for admin console access if it's enabled (default "S3Cr3tP4$$W0rD")
-j, --admin-console-token string The token to use for admin console access if it's enabled
--alias-load-balancer Enable the alias load balancer (multiple clients can bind the same alias)
--append-user-to-subdomain Append the SSH user to the subdomain. This is useful in multitenant environments
--append-user-to-subdomain-separator string The token to use for separating username and subdomain selection in a virtualhost (default "-")
--authentication Require authentication for the SSH service
--authentication Require authentication for the SSH service (default true)
-k, --authentication-keys-directory string Directory where public keys for public key authentication are stored.
sish will watch this directory and automatically load new keys and remove keys
from the authentication list (default "deploy/pubkeys/")
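Review bot: dropping the hard-coded `S3Cr3tP4$$W0rD` default from the `-j, --admin-console-token` help is the right call, but the help text should now say what an empty token means when `--admin-console` is enabled (for example "required when --admin-console is set"), so an operator does not discover the behaviour by trial. The `(default true)` on `--authentication` matches the flag change in `cmd/sish.go`.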
Expand Down Expand Up @@ -332,9 +377,8 @@ Flags:
--ping-client-interval duration Duration representing an interval to ping a client to ensure it is up (default 5s)
--ping-client-timeout duration Duration to wait for activity before closing a connection after sending a ping to a client (default 5s)
-n, --port-bind-range string Ports or port ranges that sish will allow to be bound when a user attempts to use TCP forwarding (default "0,1024-65535")
-l, --private-key-location string The location of the SSH server private key. sish will create a private key here if
it doesn't exist using the --private-key-passphrase to encrypt it if supplied (default "deploy/keys/ssh_key")
-p, --private-key-passphrase string Passphrase to use to encrypt the server private key (default "S3Cr3tP4$$phrAsE")
-l, --private-keys-directory string The location of other SSH server private keys. sish will add these as valid auth methods for SSH. Note, these need to be unencrypted OR use the private-key-passphrase (default "deploy/keys")
--proxy-protocol Use the proxy-protocol while proxying connections in order to pass-on IP address and port information
--proxy-protocol-listener Use the proxy-protocol to resolve ip addresses from user connections
--proxy-protocol-policy string What to do with the proxy protocol header. Can be use, ignore, reject, or require (default "use")
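Review bot: this hunk removes the default admin token elsewhere but leaves `-p, --private-key-passphrase` with the literal default `S3Cr3tP4$$phrAsE`, and the new `-l` help says the keys in the directory must be unencrypted or use that passphrase, which means a key encrypted with the documented default is effectively unencrypted. Either drop the default (empty, like the admin token) or state in the help that it must be changed. Two further gaps in the new `-l` text: "other SSH server private keys" no longer has anything to be "other" than now that `--private-key-location` is gone, and the old help promised sish would generate a key when none existed; the new text should say whether that still happens when the directory is empty.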
6 changes: 3 additions & 3 deletions cmd/sish.go
Expand Up @@ -63,13 +63,13 @@ func init() {
rootCmd.PersistentFlags().StringP("whitelisted-ips", "w", "", "A comma separated list of whitelisted ips. Applies to HTTP, TCP, and SSH connections")
rootCmd.PersistentFlags().StringP("whitelisted-countries", "y", "", "A comma separated list of whitelisted countries. Applies to HTTP, TCP, and SSH connections")
rootCmd.PersistentFlags().StringP("private-key-passphrase", "p", "S3Cr3tP4$$phrAsE", "Passphrase to use to encrypt the server private key")
rootCmd.PersistentFlags().StringP("private-key-location", "l", "deploy/keys/ssh_key", "The location of the SSH server private key. sish will create a private key here if\nit doesn't exist using the --private-key-passphrase to encrypt it if supplied")
rootCmd.PersistentFlags().StringP("private-keys-directory", "l", "deploy/keys", "The location of other SSH server private keys. sish will add these as valid auth methods for SSH. Note, these need to be unencrypted OR use the private-key-passphrase")
rootCmd.PersistentFlags().StringP("authentication-password", "u", "", "Password to use for SSH server password authentication")
rootCmd.PersistentFlags().StringP("authentication-keys-directory", "k", "deploy/pubkeys/", "Directory where public keys for public key authentication are stored.\nsish will watch this directory and automatically load new keys and remove keys\nfrom the authentication list")
rootCmd.PersistentFlags().StringP("port-bind-range", "n", "0,1024-65535", "Ports or port ranges that sish will allow to be bound when a user attempts to use TCP forwarding")
rootCmd.PersistentFlags().StringP("proxy-protocol-version", "q", "1", "What version of the proxy protocol to use. Can either be 1, 2, or userdefined.\nIf userdefined, the user needs to add a command to SSH called proxyproto=version (ie proxyproto=1)")
rootCmd.PersistentFlags().StringP("proxy-protocol-policy", "", "use", "What to do with the proxy protocol header. Can be use, ignore, reject, or require")
rootCmd.PersistentFlags().StringP("admin-console-token", "j", "S3Cr3tP4$$W0rD", "The token to use for admin console access if it's enabled")
rootCmd.PersistentFlags().StringP("admin-console-token", "j", "", "The token to use for admin console access if it's enabled")
rootCmd.PersistentFlags().StringP("service-console-token", "m", "", "The token to use for service console access. Auto generated if empty for each connected tunnel")
rootCmd.PersistentFlags().StringP("append-user-to-subdomain-separator", "", "-", "The token to use for separating username and subdomain selection in a virtualhost")
rootCmd.PersistentFlags().StringP("time-format", "", "2006/01/02 - 15:04:05", "The time format to use for both HTTP and general log messages")
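Review bot: with the `admin-console-token` default changed to `""`, this hunk does not show the corresponding check on the consumer side. Please confirm (and ideally add a test) that an empty token with `admin-console` enabled is rejected at startup or makes the console unreachable, rather than letting `?x-authorization=` with an empty value match, since a comparison against an empty configured string is the classic way such a change fails open. The `private-key-passphrase` line directly above keeps its `S3Cr3tP4$$phrAsE` default; see the README flag hunk for why that should go too.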
Expand All @@ -92,7 +92,7 @@ func init() {
rootCmd.PersistentFlags().BoolP("debug", "", false, "Enable debugging information")
rootCmd.PersistentFlags().BoolP("ping-client", "", true, "Send ping requests to the underlying SSH client.\nThis is useful to ensure that SSH connections are kept open or close cleanly")
rootCmd.PersistentFlags().BoolP("geodb", "", false, "Use a geodb to verify country IP address association for IP filtering")
rootCmd.PersistentFlags().BoolP("authentication", "", false, "Require authentication for the SSH service")
rootCmd.PersistentFlags().BoolP("authentication", "", true, "Require authentication for the SSH service")
rootCmd.PersistentFlags().BoolP("proxy-protocol", "", false, "Use the proxy-protocol while proxying connections in order to pass-on IP address and port information")
rootCmd.PersistentFlags().BoolP("proxy-protocol-use-timeout", "", false, "Use a timeout for the proxy-protocol read")
rootCmd.PersistentFlags().BoolP("proxy-protocol-listener", "", false, "Use the proxy-protocol to resolve ip addresses from user connections")
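Review bot: flipping the `authentication` default to `true` is a sound fail-closed change. Its side effect is that a fresh install with the example config (`authentication-password: ""` and an empty `deploy/pubkeys/`) accepts no SSH connection at all, so the README's Deploy section and the v2 upgrade note should state that the operator must drop a public key into the keys directory or set a password before the first connection, and that an intentionally open instance now needs `--authentication=false` spelled out.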
6 changes: 3 additions & 3 deletions config.example.yml
@@ -1,9 +1,9 @@
admin-console: false
admin-console-token: S3Cr3tP4$$W0rD
admin-console-token: ""
alias-load-balancer: false
append-user-to-subdomain: false
append-user-to-subdomain-separator: '-'
authentication: false
authentication: true
authentication-keys-directory: deploy/pubkeys/
authentication-keys-directory-watch-interval: 200ms
authentication-password: ""
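Review bot: `admin-console-token: ""` next to `admin-console: false` is consistent, but example configs get copied verbatim; a one-line YAML comment such as `# set a token before enabling admin-console` above the pair would prevent the console being enabled with an empty token. The same comment style would help on `authentication: true` given that `authentication-password` is empty in this file.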
Expand Down Expand Up @@ -61,8 +61,8 @@ ping-client: true
ping-client-interval: 5s
ping-client-timeout: 5s
port-bind-range: 0,1024-65535
private-key-location: deploy/keys/ssh_key
private-key-passphrase: S3Cr3tP4$$phrAsE
private-keys-directory: deploy/keys
proxy-protocol: false
proxy-protocol-listener: false
proxy-protocol-policy: use
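Review bot: `private-key-passphrase: S3Cr3tP4$$phrAsE` survives this hunk while `private-key-location` is replaced by `private-keys-directory`. Since this file is the template operators start from, the passphrase should become `""` or an obvious placeholder with a comment, in line with the empty `admin-console-token` in the first hunk; otherwise host keys generated from the example config end up encrypted with a passphrase that is published in the repository.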
27 changes: 15 additions & 12 deletions go.mod
Expand Up @@ -4,20 +4,20 @@ go 1.17

require (
github.com/ScaleFT/sshkeys v0.0.0-20200327173127-6142f742bca5
github.com/caddyserver/certmagic v0.15.1
github.com/caddyserver/certmagic v0.15.2
github.com/fsnotify/fsnotify v1.5.1
github.com/gin-gonic/gin v1.7.4
github.com/gin-gonic/gin v1.7.7
github.com/gorilla/websocket v1.4.2
github.com/jpillora/ipfilter v1.2.3
github.com/logrusorgru/aurora v2.0.3+incompatible
github.com/mikesmitty/edkey v0.0.0-20170222072505-3356ea4e686a
github.com/pires/go-proxyproto v0.6.1
github.com/radovskyb/watcher v1.0.7
github.com/sirupsen/logrus v1.8.1
github.com/spf13/cobra v1.2.1
github.com/spf13/viper v1.9.0
github.com/spf13/cobra v1.3.0
github.com/spf13/viper v1.10.1
github.com/vulcand/oxy v1.3.0
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519
golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
gopkg.in/natefinch/lumberjack.v2 v2.0.0
)
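Review bot: the direct-dependency bumps (certmagic, gin, cobra, viper, golang.org/x/crypto) are bundled into the same commit as the behaviour changes, which makes it hard to bisect a regression to either. The `golang.org/x/crypto` bump matters most here because the SSH server and host-key handling in sish come from that module; please confirm `go.sum` is updated in this change set (it is not among the files shown above) and that the multi-host-key path was exercised against the new version.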

Expand All @@ -38,15 +38,15 @@ require (
github.com/magiconair/properties v1.8.5 // indirect
github.com/mailgun/timetools v0.0.0-20170619190023-f3a7b8ffff47 // indirect
github.com/mattn/go-isatty v0.0.14 // indirect
github.com/mholt/acmez v1.0.0 // indirect
github.com/miekg/dns v1.1.43 // indirect
github.com/mitchellh/mapstructure v1.4.2 // indirect
github.com/mholt/acmez v1.0.1 // indirect
github.com/miekg/dns v1.1.45 // indirect
github.com/mitchellh/mapstructure v1.4.3 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/pelletier/go-toml v1.9.4 // indirect
github.com/phuslu/iploc v1.0.20211029 // indirect
github.com/segmentio/fasthash v1.0.3 // indirect
github.com/spf13/afero v1.6.0 // indirect
github.com/spf13/afero v1.7.1 // indirect
github.com/spf13/cast v1.4.1 // indirect
github.com/spf13/jwalterweatherman v1.1.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
Expand All @@ -56,11 +56,14 @@ require (
go.uber.org/atomic v1.9.0 // indirect
go.uber.org/multierr v1.7.0 // indirect
go.uber.org/zap v1.19.1 // indirect
golang.org/x/net v0.0.0-20211105192438-b53810dc28af // indirect
golang.org/x/sys v0.0.0-20211107104306-e0b2ad06fe42 // indirect
golang.org/x/mod v0.5.1 // indirect
golang.org/x/net v0.0.0-20211216030914-fe4d6282115f // indirect
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect
golang.org/x/text v0.3.7 // indirect
golang.org/x/tools v0.1.8 // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
google.golang.org/protobuf v1.27.1 // indirect
gopkg.in/ini.v1 v1.63.2 // indirect
gopkg.in/ini.v1 v1.66.2 // indirect
gopkg.in/mgo.v2 v2.0.0-20190816093944-a6b53ec6cb22 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
)
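Review bot: `golang.org/x/mod` and `golang.org/x/tools` appear as new indirect requirements, which is unusual for a runtime binary; if they were pulled in transitively by the viper/cobra bumps a `go mod tidy` run on a clean checkout should confirm they are needed, and if they came from a local `go get -u` they should be dropped so the module graph stays minimal.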