Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support SOCKS for accessing exposed TCP ports #117

Open
RoganDawes opened this issue May 26, 2020 · 1 comment
Open

Support SOCKS for accessing exposed TCP ports #117

RoganDawes opened this issue May 26, 2020 · 1 comment

Comments

@RoganDawes
Copy link

RoganDawes commented May 26, 2020
edited
Loading

When exposing TCP ports from a go-http-tunnel client via the server, currently we are required to choose a port on the server to map that port to. e.g server:2222 maps to client:22. However, this does not work well when you have multiple clients all wanting to expose the same client port on the same server port.
The SOCKS protocol allows the client to inform the proxy of the hostname and port that the client wishes to connect to, simply by exposing a single TCP port. Using SOCKS4a or SOCKS5, it is possible to pass the actual hostname to the proxy, rather than allowing the caller to resolve the name to an IP address. In this way, go-http-tunnel can be informed of the hostname and port that the client is attempting to connect to, and can look up the connected client names and ports in the registry to satisfy the request.
This is actually very similar to the existing SNI protocol sniffer method for determining the name that is being requested, but also allows the port to be specified.
For security purposes, the SOCKS protocol also allows for credentials to be passed to authenticate the connection attempt, which could be a valuable additional feature, allowing the go-http-tunnel client to control whether an incoming connection should be permitted or not, which is otherwise not currently possible.
Sample client configuration file might look like:

    server_addr: SERVER_IP:5223
    tunnels:
      webui:
        proto: http
        addr: localhost:8080
        auth: user:password
        host: webui.my-tunnel-host.com
      ssh:
        proto: socks
        addr: 192.168.0.5:22
        remote_addr: ssh.my-tunnel-host:22
        auth: user:password
      tls:
  	proto: sni
  	addr: localhost:443
  	host: tls.my-tunnel-host.com

On the server side, there could be a "-socksAddr" option that specifies the SOCKS port to listen to, disabled by default.

Edited to change the proto: tcp to proto: socks to indicate that the remote_addr should not necessarily be opened as a listening port on the server immediately on client connection, but rather that the socks client should request a connection to that port. Otherwise there is a bit of ambiguity there, especially if the hostname provided actually resolves to an IP address on the tunneld host.
@RoganDawes
Copy link
Author

Here is a possible starting point: https://github.com/armon/go-socks5

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@RoganDawes