Repository: jpillora/chisel Branch: master Commit: 44310b65667a Files: 65 Total size: 156.3 KB Directory structure: gitextract_fkfyxjey/ ├── .github/ │ ├── Dockerfile │ ├── dependabot.yml │ ├── goreleaser.yml │ └── workflows/ │ └── ci.yml ├── .gitignore ├── LICENSE ├── Makefile ├── README.md ├── client/ │ ├── client.go │ ├── client_connect.go │ └── client_test.go ├── example/ │ ├── Flyfile │ ├── fly.toml │ ├── reverse-tunneling-authenticated.md │ └── users.json ├── go.mod ├── go.sum ├── main.go ├── server/ │ ├── server.go │ ├── server_handler.go │ └── server_listen.go ├── share/ │ ├── ccrypto/ │ │ ├── determ_rand.go │ │ ├── generate_key_go119.go │ │ ├── keys.go │ │ └── keys_helpers.go │ ├── cio/ │ │ ├── logger.go │ │ ├── pipe.go │ │ └── stdio.go │ ├── cnet/ │ │ ├── conn_rwc.go │ │ ├── conn_ws.go │ │ ├── connstats.go │ │ ├── http_server.go │ │ └── meter.go │ ├── compat.go │ ├── cos/ │ │ ├── common.go │ │ ├── pprof.go │ │ ├── signal.go │ │ └── signal_windows.go │ ├── settings/ │ │ ├── config.go │ │ ├── env.go │ │ ├── remote.go │ │ ├── remote_test.go │ │ ├── user.go │ │ └── users.go │ ├── tunnel/ │ │ ├── tunnel.go │ │ ├── tunnel_in_proxy.go │ │ ├── tunnel_in_proxy_udp.go │ │ ├── tunnel_out_ssh.go │ │ ├── tunnel_out_ssh_udp.go │ │ ├── udp.go │ │ └── wg.go │ └── version.go └── test/ ├── bench/ │ ├── main.go │ ├── perf.md │ └── userfile └── e2e/ ├── acl_channel_test.go ├── auth_test.go ├── base_test.go ├── cert_utils_test.go ├── env_key_test.go ├── proxy_test.go ├── setup_test.go ├── socks_test.go ├── tls_test.go └── udp_test.go ================================================ FILE CONTENTS ================================================ ================================================ FILE: .github/Dockerfile ================================================ # build stage FROM golang:alpine AS build RUN apk update && apk add git ADD . /src WORKDIR /src ENV CGO_ENABLED=0 RUN go build \ -ldflags "-X github.com/jpillora/chisel/share.BuildVersion=$(git describe --abbrev=0 --tags)" \ -o /tmp/bin # run stage FROM scratch LABEL maintainer="dev@jpillora.com" COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ WORKDIR /app COPY --from=build /tmp/bin /app/bin ENTRYPOINT ["/app/bin"] ================================================ FILE: .github/dependabot.yml ================================================ version: 2 updates: # Maintain dependencies for GitHub Actions - package-ecosystem: "github-actions" directory: "/" schedule: interval: "monthly" # Dependencies listed in go.mod - package-ecosystem: "gomod" directory: "/" # Location of package manifests schedule: interval: "monthly" ================================================ FILE: .github/goreleaser.yml ================================================ # test this file with # goreleaser release --config goreleaser.yml --clean --snapshot version: 2 builds: - env: - CGO_ENABLED=0 ldflags: - -s -w -X github.com/jpillora/chisel/share.BuildVersion={{.Version}} flags: - -trimpath goos: - linux - darwin - windows - openbsd goarch: - "386" - amd64 - arm - arm64 - ppc64 - ppc64le - mips - mipsle - mips64 - mips64le - s390x goarm: - "5" - "6" - "7" gomips: - hardfloat - softfloat ignore: # https://github.com/golang/go/issues/70705 - goos: windows goarch: arm nfpms: - maintainer: "https://github.com/jpillora" formats: - deb - rpm - apk archives: - formats: - gz format_overrides: - goos: windows formats: [zip] files: - none* release: draft: true prerelease: auto changelog: sort: asc filters: exclude: - "^docs:" - "^test:" ================================================ FILE: .github/workflows/ci.yml ================================================ name: CI on: pull_request: {} push: {} permissions: write-all jobs: # ================ # BUILD AND TEST JOB # ================ test: name: Build & Test strategy: matrix: go-version: ["stable"] platform: [ubuntu-latest, macos-latest, windows-latest] runs-on: ${{ matrix.platform }} steps: - name: Checkout uses: actions/checkout@v5 with: fetch-depth: 0 - name: Set up Go uses: actions/setup-go@v6 with: go-version: ${{ matrix.go-version }} check-latest: true - name: Build run: go build -v -o /dev/null . - name: Test run: go test -v ./... # ================ # RELEASE BINARIES (on push "v*" tag) # ================ release_binaries: name: Release Binaries needs: test if: startsWith(github.ref, 'refs/tags/v') runs-on: ubuntu-latest steps: - name: Check out code uses: actions/checkout@v5 with: fetch-depth: 0 - name: goreleaser if: success() uses: docker://goreleaser/goreleaser:latest env: GITHUB_USER: ${{ github.repository_owner }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GOTOOLCHAIN: auto with: args: release --config .github/goreleaser.yml # ================ # RELEASE DOCKER IMAGES (on push "v*" tag) # ================ release_docker: name: Release Docker Images needs: test if: startsWith(github.ref, 'refs/tags/v') runs-on: ubuntu-latest steps: - name: Check out code uses: actions/checkout@v5 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Login to DockerHub uses: docker/login-action@v3 with: username: jpillora password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Docker meta id: meta uses: docker/metadata-action@v5 with: images: jpillora/chisel tags: | type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} - name: Build and push uses: docker/build-push-action@v6 with: context: . file: .github/Dockerfile platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/386,linux/arm/v7,linux/arm/v6 push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max ================================================ FILE: .gitignore ================================================ dist/ *.swp .idea/ chisel bin/ release/ tmp/ *.orig debug # Compiled Object files, Static and Dynamic libs (Shared Objects) *.o *.a *.so # Folders _obj _test # Architecture specific extensions/prefixes *.[568vq] [568vq].out *.cgo1.go *.cgo2.c _cgo_defun.c _cgo_gotypes.go _cgo_export.* _testmain.go *.exe *.test *.prof ================================================ FILE: LICENSE ================================================ MIT License Copyright (c) 2024 Jaime Pillora Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ================================================ FILE: Makefile ================================================ VERSION=$(shell git describe --abbrev=0 --tags) BUILD=$(shell git rev-parse HEAD) DIRBASE=./build DIR=${DIRBASE}/${VERSION}/${BUILD}/bin LDFLAGS=-ldflags "-s -w ${XBUILD} -buildid=${BUILD} -X github.com/jpillora/chisel/share.BuildVersion=${VERSION}" GOFILES=`go list ./...` GOFILESNOTEST=`go list ./... | grep -v test` # Make Directory to store executables $(shell mkdir -p ${DIR}) all: @goreleaser build --skip-validate --single-target --config .github/goreleaser.yml freebsd: lint env CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 go build -trimpath ${LDFLAGS} ${GCFLAGS} ${ASMFLAGS} -o ${DIR}/chisel-freebsd_amd64 . linux: lint env CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -trimpath ${LDFLAGS} ${GCFLAGS} ${ASMFLAGS} -o ${DIR}/chisel-linux_amd64 . windows: lint env CGO_ENABLED=1 GOOS=windows GOARCH=amd64 go build -trimpath ${LDFLAGS} ${GCFLAGS} ${ASMFLAGS} -o ${DIR}/chisel-windows_amd64 . darwin: env CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -trimpath ${LDFLAGS} ${GCFLAGS} ${ASMFLAGS} -o ${DIR}/chisel-darwin_amd64 . docker: @docker build . dep: ## Get the dependencies @go get -u github.com/goreleaser/goreleaser @go get -u github.com/boumenot/gocover-cobertura @go get -v -d ./... @go get -u all @go mod tidy lint: ## Lint the files @go fmt ${GOFILES} @go vet ${GOFILESNOTEST} test: ## Run unit tests @go test -coverprofile=${DIR}/coverage.out -race -short ${GOFILESNOTEST} @go tool cover -html=${DIR}/coverage.out -o ${DIR}/coverage.html @gocover-cobertura < ${DIR}/coverage.out > ${DIR}/coverage.xml release: lint test goreleaser release --config .github/goreleaser.yml clean: rm -rf ${DIRBASE}/* .PHONY: all freebsd linux windows docker dep lint test release clean ================================================ FILE: README.md ================================================ # Chisel [![GoDoc](https://godoc.org/github.com/jpillora/chisel?status.svg)](https://godoc.org/github.com/jpillora/chisel) [![CI](https://github.com/jpillora/chisel/workflows/CI/badge.svg)](https://github.com/jpillora/chisel/actions?workflow=CI) Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network. ![overview](https://docs.google.com/drawings/d/1p53VWxzGNfy8rjr-mW8pvisJmhkoLl82vAgctO_6f1w/pub?w=960&h=720) ## Table of Contents - [Features](#features) - [Install](#install) - [Demo](#demo) - [Usage](#usage) - [Contributing](#contributing) - [Changelog](#changelog) - [License](#license) ## Features - Easy to use - [Performant](./test/bench/perf.md)\* - [Encrypted connections](#security) using the SSH protocol (via `crypto/ssh`) - [Authenticated connections](#authentication); authenticated client connections with a users config file, authenticated server connections with fingerprint matching. - Client auto-reconnects with [exponential backoff](https://github.com/jpillora/backoff) - Clients can create multiple tunnel endpoints over one TCP connection - Clients can optionally pass through SOCKS or HTTP CONNECT proxies - Reverse port forwarding (Connections go through the server and out the client) - Server optionally doubles as a [reverse proxy](http://golang.org/pkg/net/http/httputil/#NewSingleHostReverseProxy) - Server optionally allows [SOCKS5](https://en.wikipedia.org/wiki/SOCKS) connections (See [guide below](#socks5-guide)) - Clients optionally allow [SOCKS5](https://en.wikipedia.org/wiki/SOCKS) connections from a reversed port forward - Client connections over stdio which supports `ssh -o ProxyCommand` providing SSH over HTTP ## Install ### Binaries [![Releases](https://img.shields.io/github/release/jpillora/chisel.svg)](https://github.com/jpillora/chisel/releases) [![Releases](https://img.shields.io/github/downloads/jpillora/chisel/total.svg)](https://github.com/jpillora/chisel/releases) See [the latest release](https://github.com/jpillora/chisel/releases/latest) or download and install it now with `curl https://i.jpillora.com/chisel! | bash` ### Docker [![Docker Pulls](https://img.shields.io/docker/pulls/jpillora/chisel.svg)](https://hub.docker.com/r/jpillora/chisel/) [![Image Size](https://img.shields.io/docker/image-size/jpillora/chisel/latest)](https://microbadger.com/images/jpillora/chisel) ```sh docker run --rm -it jpillora/chisel --help ``` ### Fedora The package is maintained by the Fedora community. If you encounter issues related to the usage of the RPM, please use this [issue tracker](https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&component=chisel&list_id=11614537&product=Fedora&product=Fedora%20EPEL). ```sh sudo dnf -y install chisel ``` ### Source ```sh $ go install github.com/jpillora/chisel@latest ``` ## Demo A [demo app](https://chisel-demo.herokuapp.com) on Heroku is running this `chisel server`: ```sh $ chisel server --port $PORT --proxy http://example.com # listens on $PORT, proxy web requests to http://example.com ``` This demo app is also running a [simple file server](https://www.npmjs.com/package/serve) on `:3000`, which is normally inaccessible due to Heroku's firewall. However, if we tunnel in with: ```sh $ chisel client https://chisel-demo.herokuapp.com 3000 # connects to chisel server at https://chisel-demo.herokuapp.com, # tunnels your localhost:3000 to the server's localhost:3000 ``` and then visit [localhost:3000](http://localhost:3000/), we should see a directory listing. Also, if we visit the [demo app](https://chisel-demo.herokuapp.com) in the browser we should hit the server's default proxy and see a copy of [example.com](http://example.com). ## Usage ``` plain $ chisel --help Usage: chisel [command] [--help] Version: X.Y.Z Commands: server - runs chisel in server mode client - runs chisel in client mode Read more: https://github.com/jpillora/chisel ``` ``` plain $ chisel server --help Usage: chisel server [options] Options: --host, Defines the HTTP listening host – the network interface (defaults the environment variable HOST and falls back to 0.0.0.0). --port, -p, Defines the HTTP listening port (defaults to the environment variable PORT and fallsback to port 8080). --key, (deprecated use --keygen and --keyfile instead) An optional string to seed the generation of a ECDSA public and private key pair. All communications will be secured using this key pair. Share the subsequent fingerprint with clients to enable detection of man-in-the-middle attacks (defaults to the CHISEL_KEY environment variable, otherwise a new key is generate each run). --keygen, A path to write a newly generated PEM-encoded SSH private key file. If users depend on your --key fingerprint, you may also include your --key to output your existing key. Use - (dash) to output the generated key to stdout. --keyfile, An optional path to a PEM-encoded SSH private key. When this flag is set, the --key option is ignored, and the provided private key is used to secure all communications. (defaults to the CHISEL_KEY_FILE environment variable). Since ECDSA keys are short, you may also set keyfile to an inline base64 private key (e.g. chisel server --keygen - | base64). --authfile, An optional path to a users.json file. This file should be an object with users defined like: { "": ["",""] } when connects, their will be verified and then each of the remote addresses will be compared against the list of address regular expressions for a match. Addresses will always come in the form ":" for normal remotes and "R::" for reverse port forwarding remotes. This file will be automatically reloaded on change. --auth, An optional string representing a single user with full access, in the form of . It is equivalent to creating an authfile with {"": [""]}. If unset, it will use the environment variable AUTH. --keepalive, An optional keepalive interval. Since the underlying transport is HTTP, in many instances we'll be traversing through proxies, often these proxies will close idle connections. You must specify a time with a unit, for example '5s' or '2m'. Defaults to '25s' (set to 0s to disable). --backend, Specifies another HTTP server to proxy requests to when chisel receives a normal HTTP request. Useful for hiding chisel in plain sight. --socks5, Allow clients to access the internal SOCKS5 proxy. See chisel client --help for more information. --reverse, Allow clients to specify reverse port forwarding remotes in addition to normal remotes. --tls-key, Enables TLS and provides optional path to a PEM-encoded TLS private key. When this flag is set, you must also set --tls-cert, and you cannot set --tls-domain. --tls-cert, Enables TLS and provides optional path to a PEM-encoded TLS certificate. When this flag is set, you must also set --tls-key, and you cannot set --tls-domain. --tls-domain, Enables TLS and automatically acquires a TLS key and certificate using LetsEncrypt. Setting --tls-domain requires port 443. You may specify multiple --tls-domain flags to serve multiple domains. The resulting files are cached in the "$HOME/.cache/chisel" directory. You can modify this path by setting the CHISEL_LE_CACHE variable, or disable caching by setting this variable to "-". You can optionally provide a certificate notification email by setting CHISEL_LE_EMAIL. --tls-ca, a path to a PEM encoded CA certificate bundle or a directory holding multiple PEM encode CA certificate bundle files, which is used to validate client connections. The provided CA certificates will be used instead of the system roots. This is commonly used to implement mutual-TLS. --pid Generate pid file in current working directory -v, Enable verbose logging --help, This help text Signals: The chisel process is listening for: a SIGUSR2 to print process stats, and a SIGHUP to short-circuit the client reconnect timer Version: X.Y.Z Read more: https://github.com/jpillora/chisel ``` ``` plain $ chisel client --help Usage: chisel client [options] [remote] [remote] ... is the URL to the chisel server. s are remote connections tunneled through the server, each of which come in the form: :::/ ■ local-host defaults to 0.0.0.0 (all interfaces). ■ local-port defaults to remote-port. ■ remote-port is required*. ■ remote-host defaults to 0.0.0.0 (server localhost). ■ protocol defaults to tcp. which shares : from the server to the client as :, or: R::::/ which does reverse port forwarding, sharing : from the client to the server's :. example remotes 3000 example.com:3000 3000:google.com:80 192.168.0.5:3000:google.com:80 socks 5000:socks R:2222:localhost:22 R:socks R:5000:socks stdio:example.com:22 1.1.1.1:53/udp When the chisel server has --socks5 enabled, remotes can specify "socks" in place of remote-host and remote-port. The default local host and port for a "socks" remote is 127.0.0.1:1080. Connections to this remote will terminate at the server's internal SOCKS5 proxy. When the chisel server has --reverse enabled, remotes can be prefixed with R to denote that they are reversed. That is, the server will listen and accept connections, and they will be proxied through the client which specified the remote. Reverse remotes specifying "R:socks" will listen on the server's default socks port (1080) and terminate the connection at the client's internal SOCKS5 proxy. When stdio is used as local-host, the tunnel will connect standard input/output of this program with the remote. This is useful when combined with ssh ProxyCommand. You can use ssh -o ProxyCommand='chisel client chiselserver stdio:%h:%p' \ user@example.com to connect to an SSH server through the tunnel. Options: --fingerprint, A *strongly recommended* fingerprint string to perform host-key validation against the server's public key. Fingerprint mismatches will close the connection. Fingerprints are generated by hashing the ECDSA public key using SHA256 and encoding the result in base64. Fingerprints must be 44 characters containing a trailing equals (=). --auth, An optional username and password (client authentication) in the form: ":". These credentials are compared to the credentials inside the server's --authfile. defaults to the AUTH environment variable. --keepalive, An optional keepalive interval. Since the underlying transport is HTTP, in many instances we'll be traversing through proxies, often these proxies will close idle connections. You must specify a time with a unit, for example '5s' or '2m'. Defaults to '25s' (set to 0s to disable). --max-retry-count, Maximum number of times to retry before exiting. Defaults to unlimited. --max-retry-interval, Maximum wait time before retrying after a disconnection. Defaults to 5 minutes. --proxy, An optional HTTP CONNECT or SOCKS5 proxy which will be used to reach the chisel server. Authentication can be specified inside the URL. For example, http://admin:password@my-server.com:8081 or: socks://admin:password@my-server.com:1080 --header, Set a custom header in the form "HeaderName: HeaderContent". Can be used multiple times. (e.g --header "Foo: Bar" --header "Hello: World") --hostname, Optionally set the 'Host' header (defaults to the host found in the server url). --sni, Override the ServerName when using TLS (defaults to the hostname). --tls-ca, An optional root certificate bundle used to verify the chisel server. Only valid when connecting to the server with "https" or "wss". By default, the operating system CAs will be used. --tls-skip-verify, Skip server TLS certificate verification of chain and host name (if TLS is used for transport connections to server). If set, client accepts any TLS certificate presented by the server and any host name in that certificate. This only affects transport https (wss) connection. Chisel server's public key may be still verified (see --fingerprint) after inner connection is established. --tls-key, a path to a PEM encoded private key used for client authentication (mutual-TLS). --tls-cert, a path to a PEM encoded certificate matching the provided private key. The certificate must have client authentication enabled (mutual-TLS). --pid Generate pid file in current working directory -v, Enable verbose logging --help, This help text Signals: The chisel process is listening for: a SIGUSR2 to print process stats, and a SIGHUP to short-circuit the client reconnect timer Version: X.Y.Z Read more: https://github.com/jpillora/chisel ``` ### Security Encryption is always enabled. When you start up a chisel server, it will generate an in-memory ECDSA public/private key pair. The public key fingerprint (base64 encoded SHA256) will be displayed as the server starts. Instead of generating a random key, the server may optionally specify a key file, using the `--keyfile` option. When clients connect, they will also display the server's public key fingerprint. The client can force a particular fingerprint using the `--fingerprint` option. See the `--help` above for more information. ### Authentication Using the `--authfile` option, the server may optionally provide a `user.json` configuration file to create a list of accepted users. The client then authenticates using the `--auth` option. See [users.json](example/users.json) for an example authentication configuration file. See the `--help` above for more information. Internally, this is done using the _Password_ authentication method provided by SSH. Learn more about `crypto/ssh` here http://blog.gopheracademy.com/go-and-ssh/. ### SOCKS5 Guide with Docker 1. Print a new private key to the terminal ```sh chisel server --keygen - # or save it to disk --keygen /path/to/mykey ``` 1. Start your chisel server ```sh jpillora/chisel server --keyfile '' -p 9312 --socks5 ``` 1. Connect your chisel client (using server's fingerprint) ```sh chisel client --fingerprint '' :9312 socks ``` 1. Point your SOCKS5 clients (e.g. OS/Browser) to: ``` :1080 ``` 1. Now you have an encrypted, authenticated SOCKS5 connection over HTTP #### Caveats Since WebSockets support is required: - IaaS providers all will support WebSockets (unless an unsupporting HTTP proxy has been forced in front of you, in which case I'd argue that you've been downgraded to PaaS) - PaaS providers vary in their support for WebSockets - Heroku has full support - Openshift has full support though connections are only accepted on ports 8443 and 8080 - Google App Engine has **no** support (Track this on [their repo](https://code.google.com/p/googleappengine/issues/detail?id=2535)) ## Contributing - http://golang.org/doc/code.html - http://golang.org/doc/effective_go.html - `github.com/jpillora/chisel/share` contains the shared package - `github.com/jpillora/chisel/server` contains the server package - `github.com/jpillora/chisel/client` contains the client package ## Changelog - `1.0` - Initial release - `1.1` - Replaced simple symmetric encryption for ECDSA SSH - `1.2` - Added SOCKS5 (server) and HTTP CONNECT (client) support - `1.3` - Added reverse tunnelling support - `1.4` - Added arbitrary HTTP header support - `1.5` - Added reverse SOCKS support (by @aus) - `1.6` - Added client stdio support (by @BoleynSu) - `1.7` - Added UDP support - `1.8` - Move to a `scratch`Docker image - `1.9` - Bump to Go 1.21. Switch from `--key` seed to P256 key strings with `--key{gen,file}` (by @cmenginnz) - `1.10` - Bump to Go 1.22. Add `.rpm` `.deb` and `.akp` to releases. Fix bad version comparison. - `1.11` - Bump to Go 1.25.1. Update all dependencies. ## License [MIT](https://github.com/jpillora/chisel/blob/master/LICENSE) © Jaime Pillora ================================================ FILE: client/client.go ================================================ package chclient import ( "context" "crypto/md5" "crypto/tls" "crypto/x509" "encoding/base64" "errors" "fmt" "net" "net/http" "net/url" "os" "regexp" "strings" "time" "github.com/gorilla/websocket" chshare "github.com/jpillora/chisel/share" "github.com/jpillora/chisel/share/ccrypto" "github.com/jpillora/chisel/share/cio" "github.com/jpillora/chisel/share/cnet" "github.com/jpillora/chisel/share/settings" "github.com/jpillora/chisel/share/tunnel" "golang.org/x/crypto/ssh" "golang.org/x/net/proxy" "golang.org/x/sync/errgroup" ) // Config represents a client configuration type Config struct { Fingerprint string Auth string KeepAlive time.Duration MaxRetryCount int MaxRetryInterval time.Duration Server string Proxy string Remotes []string Headers http.Header TLS TLSConfig DialContext func(ctx context.Context, network, addr string) (net.Conn, error) Verbose bool } // TLSConfig for a Client type TLSConfig struct { SkipVerify bool CA string Cert string Key string ServerName string } // Client represents a client instance type Client struct { *cio.Logger config *Config computed settings.Config sshConfig *ssh.ClientConfig tlsConfig *tls.Config proxyURL *url.URL server string connCount cnet.ConnCount stop func() eg *errgroup.Group tunnel *tunnel.Tunnel } // NewClient creates a new client instance func NewClient(c *Config) (*Client, error) { //apply default scheme if !strings.HasPrefix(c.Server, "http") { c.Server = "http://" + c.Server } if c.MaxRetryInterval < time.Second { c.MaxRetryInterval = 5 * time.Minute } u, err := url.Parse(c.Server) if err != nil { return nil, err } //swap to websockets scheme u.Scheme = strings.Replace(u.Scheme, "http", "ws", 1) //apply default port if !regexp.MustCompile(`:\d+$`).MatchString(u.Host) { if u.Scheme == "wss" { u.Host = u.Host + ":443" } else { u.Host = u.Host + ":80" } } hasReverse := false hasSocks := false hasStdio := false client := &Client{ Logger: cio.NewLogger("client"), config: c, computed: settings.Config{ Version: chshare.BuildVersion, }, server: u.String(), tlsConfig: nil, } //set default log level client.Logger.Info = true //configure tls if u.Scheme == "wss" { tc := &tls.Config{} if c.TLS.ServerName != "" { tc.ServerName = c.TLS.ServerName } //certificate verification config if c.TLS.SkipVerify { client.Infof("TLS verification disabled") tc.InsecureSkipVerify = true } else if c.TLS.CA != "" { rootCAs := x509.NewCertPool() if b, err := os.ReadFile(c.TLS.CA); err != nil { return nil, fmt.Errorf("Failed to load file: %s", c.TLS.CA) } else if ok := rootCAs.AppendCertsFromPEM(b); !ok { return nil, fmt.Errorf("Failed to decode PEM: %s", c.TLS.CA) } else { client.Infof("TLS verification using CA %s", c.TLS.CA) tc.RootCAs = rootCAs } } //provide client cert and key pair for mtls if c.TLS.Cert != "" && c.TLS.Key != "" { c, err := tls.LoadX509KeyPair(c.TLS.Cert, c.TLS.Key) if err != nil { return nil, fmt.Errorf("Error loading client cert and key pair: %v", err) } tc.Certificates = []tls.Certificate{c} } else if c.TLS.Cert != "" || c.TLS.Key != "" { return nil, fmt.Errorf("Please specify client BOTH cert and key") } client.tlsConfig = tc } //validate remotes for _, s := range c.Remotes { r, err := settings.DecodeRemote(s) if err != nil { return nil, fmt.Errorf("Failed to decode remote '%s': %s", s, err) } if r.Socks { hasSocks = true } if r.Reverse { hasReverse = true } if r.Stdio { if hasStdio { return nil, errors.New("Only one stdio is allowed") } hasStdio = true } //confirm non-reverse tunnel is available if !r.Reverse && !r.Stdio && !r.CanListen() { return nil, fmt.Errorf("Client cannot listen on %s", r.String()) } client.computed.Remotes = append(client.computed.Remotes, r) } //outbound proxy if p := c.Proxy; p != "" { client.proxyURL, err = url.Parse(p) if err != nil { return nil, fmt.Errorf("Invalid proxy URL (%s)", err) } } //ssh auth and config user, pass := settings.ParseAuth(c.Auth) client.sshConfig = &ssh.ClientConfig{ User: user, Auth: []ssh.AuthMethod{ssh.Password(pass)}, ClientVersion: "SSH-" + chshare.ProtocolVersion + "-client", HostKeyCallback: client.verifyServer, Timeout: settings.EnvDuration("SSH_TIMEOUT", 30*time.Second), } //prepare client tunnel client.tunnel = tunnel.New(tunnel.Config{ Logger: client.Logger, Inbound: true, //client always accepts inbound Outbound: hasReverse, Socks: hasReverse && hasSocks, KeepAlive: client.config.KeepAlive, }) return client, nil } // Run starts client and blocks while connected func (c *Client) Run() error { ctx, cancel := context.WithCancel(context.Background()) defer cancel() if err := c.Start(ctx); err != nil { return err } return c.Wait() } func (c *Client) verifyServer(hostname string, remote net.Addr, key ssh.PublicKey) error { expect := c.config.Fingerprint if expect == "" { return nil } got := ccrypto.FingerprintKey(key) _, err := base64.StdEncoding.DecodeString(expect) if _, ok := err.(base64.CorruptInputError); ok { c.Logger.Infof("Specified deprecated MD5 fingerprint (%s), please update to the new SHA256 fingerprint: %s", expect, got) return c.verifyLegacyFingerprint(key) } else if err != nil { return fmt.Errorf("Error decoding fingerprint: %w", err) } if got != expect { return fmt.Errorf("Invalid fingerprint (%s)", got) } //overwrite with complete fingerprint c.Infof("Fingerprint %s", got) return nil } // verifyLegacyFingerprint calculates and compares legacy MD5 fingerprints func (c *Client) verifyLegacyFingerprint(key ssh.PublicKey) error { bytes := md5.Sum(key.Marshal()) strbytes := make([]string, len(bytes)) for i, b := range bytes { strbytes[i] = fmt.Sprintf("%02x", b) } got := strings.Join(strbytes, ":") expect := c.config.Fingerprint if !strings.HasPrefix(got, expect) { return fmt.Errorf("Invalid fingerprint (%s)", got) } return nil } // Start client and does not block func (c *Client) Start(ctx context.Context) error { ctx, cancel := context.WithCancel(ctx) c.stop = cancel eg, ctx := errgroup.WithContext(ctx) c.eg = eg via := "" if c.proxyURL != nil { via = " via " + c.proxyURL.String() } c.Infof("Connecting to %s%s\n", c.server, via) //connect to chisel server eg.Go(func() error { return c.connectionLoop(ctx) }) //listen sockets eg.Go(func() error { clientInbound := c.computed.Remotes.Reversed(false) if len(clientInbound) == 0 { return nil } return c.tunnel.BindRemotes(ctx, clientInbound) }) return nil } func (c *Client) setProxy(u *url.URL, d *websocket.Dialer) error { // CONNECT proxy if !strings.HasPrefix(u.Scheme, "socks") { d.Proxy = func(*http.Request) (*url.URL, error) { return u, nil } return nil } // SOCKS5 proxy if u.Scheme != "socks" && u.Scheme != "socks5h" { return fmt.Errorf( "unsupported socks proxy type: %s:// (only socks5h:// or socks:// is supported)", u.Scheme, ) } var auth *proxy.Auth if u.User != nil { pass, _ := u.User.Password() auth = &proxy.Auth{ User: u.User.Username(), Password: pass, } } socksDialer, err := proxy.SOCKS5("tcp", u.Host, auth, proxy.Direct) if err != nil { return err } d.NetDial = socksDialer.Dial return nil } // Wait blocks while the client is running. func (c *Client) Wait() error { return c.eg.Wait() } // Close manually stops the client func (c *Client) Close() error { if c.stop != nil { c.stop() } return nil } ================================================ FILE: client/client_connect.go ================================================ package chclient import ( "context" "errors" "fmt" "io" "strings" "time" "github.com/gorilla/websocket" "github.com/jpillora/backoff" chshare "github.com/jpillora/chisel/share" "github.com/jpillora/chisel/share/cnet" "github.com/jpillora/chisel/share/cos" "github.com/jpillora/chisel/share/settings" "golang.org/x/crypto/ssh" ) func (c *Client) connectionLoop(ctx context.Context) error { //connection loop! b := &backoff.Backoff{Max: c.config.MaxRetryInterval} for { connected, err := c.connectionOnce(ctx) //reset backoff after successful connections if connected { b.Reset() } //connection error attempt := int(b.Attempt()) maxAttempt := c.config.MaxRetryCount //dont print closed-connection errors if strings.HasSuffix(err.Error(), "use of closed network connection") { err = io.EOF } //show error message and attempt counts (excluding disconnects) if err != nil && err != io.EOF { msg := fmt.Sprintf("Connection error: %s", err) if attempt > 0 { maxAttemptVal := fmt.Sprint(maxAttempt) if maxAttempt < 0 { maxAttemptVal = "unlimited" } msg += fmt.Sprintf(" (Attempt: %d/%s)", attempt, maxAttemptVal) } c.Infof(msg) } //give up? if maxAttempt >= 0 && attempt >= maxAttempt { c.Infof("Give up") break } d := b.Duration() c.Infof("Retrying in %s...", d) select { case <-cos.AfterSignal(d): continue //retry now case <-ctx.Done(): c.Infof("Cancelled") return nil } } c.Close() return nil } // connectionOnce connects to the chisel server and blocks func (c *Client) connectionOnce(ctx context.Context) (connected bool, err error) { //already closed? select { case <-ctx.Done(): return false, errors.New("Cancelled") default: //still open } ctx, cancel := context.WithCancel(ctx) defer cancel() //prepare dialer d := websocket.Dialer{ HandshakeTimeout: settings.EnvDuration("WS_TIMEOUT", 45*time.Second), Subprotocols: []string{chshare.ProtocolVersion}, TLSClientConfig: c.tlsConfig, ReadBufferSize: settings.EnvInt("WS_BUFF_SIZE", 0), WriteBufferSize: settings.EnvInt("WS_BUFF_SIZE", 0), NetDialContext: c.config.DialContext, } //optional proxy if p := c.proxyURL; p != nil { if err := c.setProxy(p, &d); err != nil { return false, err } } wsConn, _, err := d.DialContext(ctx, c.server, c.config.Headers) if err != nil { return false, err } conn := cnet.NewWebSocketConn(wsConn) // perform SSH handshake on net.Conn c.Debugf("Handshaking...") sshConn, chans, reqs, err := ssh.NewClientConn(conn, "", c.sshConfig) if err != nil { e := err.Error() if strings.Contains(e, "unable to authenticate") { c.Infof("Authentication failed") c.Debugf(e) } else { c.Infof(e) } return false, err } defer sshConn.Close() // chisel client handshake (reverse of server handshake) // send configuration c.Debugf("Sending config") t0 := time.Now() _, configerr, err := sshConn.SendRequest( "config", true, settings.EncodeConfig(c.computed), ) if err != nil { c.Infof("Config verification failed") return false, err } if len(configerr) > 0 { return false, errors.New(string(configerr)) } c.Infof("Connected (Latency %s)", time.Since(t0)) //connected, handover ssh connection for tunnel to use, and block err = c.tunnel.BindSSH(ctx, sshConn, reqs, chans) c.Infof("Disconnected") connected = time.Since(t0) > 5*time.Second return connected, err } ================================================ FILE: client/client_test.go ================================================ package chclient import ( "crypto/elliptic" "log" "net/http" "net/http/httptest" "sync" "testing" "time" "github.com/jpillora/chisel/share/ccrypto" "golang.org/x/crypto/ssh" ) func TestCustomHeaders(t *testing.T) { //fake server wg := sync.WaitGroup{} wg.Add(1) server := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) { if req.Header.Get("Foo") != "Bar" { t.Fatal("expected header Foo to be 'Bar'") } wg.Done() })) defer server.Close() //client headers := http.Header{} headers.Set("Foo", "Bar") config := Config{ KeepAlive: time.Second, MaxRetryInterval: time.Second, Server: server.URL, Remotes: []string{"9000"}, Headers: headers, } c, err := NewClient(&config) if err != nil { log.Fatal(err) } go c.Run() //wait for test to complete wg.Wait() c.Close() } func TestFallbackLegacyFingerprint(t *testing.T) { config := Config{ Fingerprint: "a5:32:92:c6:56:7a:9e:61:26:74:1b:81:a6:f5:1b:44", } c, err := NewClient(&config) if err != nil { t.Fatal(err) } r := ccrypto.NewDetermRand([]byte("test123")) priv, err := ccrypto.GenerateKeyGo119(elliptic.P256(), r) if err != nil { t.Fatal(err) } pub, err := ssh.NewPublicKey(&priv.PublicKey) if err != nil { t.Fatal(err) } err = c.verifyServer("", nil, pub) if err != nil { t.Fatal(err) } } func TestVerifyLegacyFingerprint(t *testing.T) { config := Config{ Fingerprint: "a5:32:92:c6:56:7a:9e:61:26:74:1b:81:a6:f5:1b:44", } c, err := NewClient(&config) if err != nil { t.Fatal(err) } r := ccrypto.NewDetermRand([]byte("test123")) priv, err := ccrypto.GenerateKeyGo119(elliptic.P256(), r) if err != nil { t.Fatal(err) } pub, err := ssh.NewPublicKey(&priv.PublicKey) if err != nil { t.Fatal(err) } err = c.verifyLegacyFingerprint(pub) if err != nil { t.Fatal(err) } } func TestVerifyFingerprint(t *testing.T) { config := Config{ Fingerprint: "qmrRoo8MIqePv3jC8+wv49gU6uaFgD3FASQx9V8KdmY=", } c, err := NewClient(&config) if err != nil { t.Fatal(err) } r := ccrypto.NewDetermRand([]byte("test123")) priv, err := ccrypto.GenerateKeyGo119(elliptic.P256(), r) if err != nil { t.Fatal(err) } pub, err := ssh.NewPublicKey(&priv.PublicKey) if err != nil { t.Fatal(err) } err = c.verifyServer("", nil, pub) if err != nil { t.Fatal(err) } } ================================================ FILE: example/Flyfile ================================================ FROM jpillora/chisel ENTRYPOINT ["/app/bin", "server", "--port", "443", "--tls-domain", "chisel.jpillora.com"] ================================================ FILE: example/fly.toml ================================================ app = "jp-chisel" kill_signal = "SIGINT" kill_timeout = 5 processes = [] [build] dockerfile = "Flyfile" [[services]] internal_port = 443 protocol = "tcp" [[services.ports]] port = "443" ================================================ FILE: example/reverse-tunneling-authenticated.md ================================================ # Reverse Tunneling > **Use Case**: Host a website on your Raspberry Pi without opening ports on your router. This guide will show you how to use an internet-facing server (for example, a cloud VPS) as a relay to bounce down TCP traffic on port 80 to your Raspberry Pi. ## Chisel CLI ### Server Setup a relay server on the VPS to bounce down TCP traffic on port 80: ```bash #!/bin/bash # ⬇️ Start Chisel server in Reverse mode chisel server --reverse \ # ⬇️ Use the include users.json as an authfile --authfile="./users.json" \ ``` The corresponding `authfile` might look like this: ```json { "foo:bar": ["0.0.0.0:80"] } ``` ### Client Setup a chisel client to receive bounced-down traffic and forward it to the webserver running on the Pi: ```bash #!/bin/bash chisel client \ # ⬇️ Authenticates user "foo" with password "bar" --auth="foo:bar" \ # ⬇️ Connects to chisel relay server example.com # listening on the default ("fallback") port, 8080 example.com \ # ⬇️ Reverse tunnels port 80 on the relay server to # port 80 on your Pi. R:80:localhost:80 ``` --- ## Chisel Container This guide makes use of Docker and Docker compose to accomplish the same task as the above guide. ### Server Setup a relay server on the VPS to bounce down TCP traffic on port 80: ```yaml version: '3' services: chisel: image: jpillora/chisel restart: unless-stopped container_name: chisel # ⬇️ Pass CLI arguments one at a time in an array, as required by Docker compose. command: - 'server' # ⬇️ Use the --key=value syntax, since Docker compose doesn't parse whitespace well. - '--authfile=/users.json' - '--reverse' # ⬇️ Mount the authfile as a Docker volume volumes: - './users.json:/users.json' # ⬇️ Give the container unrestricted access to the Docker host's network network_mode: host ``` The `authfile` (`users.json`) remains the same as in the non-containerized version - shown again with the username `foo` and password `bar`. ```json { "foo:bar": ["0.0.0.0:80"] } ``` ### Client Setup an instance of the Chisel client on the Pi to receive relayed TCP traffic and feed it to the web server: ```yaml version: '3' services: chisel: # ⬇️ Delay starting Chisel server until the web server container is started. depends_on: - webserver image: jpillora/chisel restart: unless-stopped container_name: 'chisel' command: - 'client' # ⬇️ Use username `foo` and password `bar` to authenticate with Chisel server. - '--auth=foo:bar' # ⬇️ Domain & port of Chisel server. Port defaults to 8080 on server, but must be manually set on client. - 'proxy.example.com:8080' # ⬇️ Reverse tunnel traffic from the chisel server to the web server container, identified in Docker using DNS by its service name `webserver`. - 'R:80:webserver:80' networks: - internal # ⬇️ Basic Nginx webserver for demo purposes. webserver: image: nginx restart: unless-stopped container_name: nginx networks: - internal # ⬇️ Make use of a Docker network called `internal`. networks: internal: ``` ================================================ FILE: example/users.json ================================================ { "root:toor": [ "" ], "foo:bar": [ "^0.0.0.0:3000$" ], "ping:pong": [ "^0.0.0.0:[45]000$", "^example.com:80$", "^R:0.0.0.0:7000$" ] } ================================================ FILE: go.mod ================================================ module github.com/jpillora/chisel go 1.25 toolchain go1.25.7 require ( github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 github.com/fsnotify/fsnotify v1.9.0 github.com/gorilla/websocket v1.5.3 github.com/jpillora/backoff v1.0.0 github.com/jpillora/requestlog v1.0.0 github.com/jpillora/sizestr v1.0.0 golang.org/x/crypto v0.48.0 golang.org/x/net v0.50.0 golang.org/x/sync v0.19.0 ) require ( github.com/andrew-d/go-termutil v0.0.0-20150726205930-009166a695a2 // indirect github.com/jpillora/ansi v1.0.3 // indirect github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce // indirect golang.org/x/sys v0.41.0 // indirect golang.org/x/text v0.34.0 // indirect ) ================================================ FILE: go.sum ================================================ github.com/andrew-d/go-termutil v0.0.0-20150726205930-009166a695a2 h1:axBiC50cNZOs7ygH5BgQp4N+aYrZ2DNpWZ1KG3VOSOM= github.com/andrew-d/go-termutil v0.0.0-20150726205930-009166a695a2/go.mod h1:jnzFpU88PccN/tPPhCpnNU8mZphvKxYM9lLNkd8e+os= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k= github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg= github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/jpillora/ansi v1.0.3 h1:nn4Jzti0EmRfDxm7JtEs5LzCbNwd5sv+0aE+LdS9/ZQ= github.com/jpillora/ansi v1.0.3/go.mod h1:D2tT+6uzJvN1nBVQILYWkIdq7zG+b5gcFN5WI/VyjMY= github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= github.com/jpillora/requestlog v1.0.0 h1:bg++eJ74T7DYL3DlIpiwknrtfdUA9oP/M4fL+PpqnyA= github.com/jpillora/requestlog v1.0.0/go.mod h1:HTWQb7QfDc2jtHnWe2XEIEeJB7gJPnVdpNn52HXPvy8= github.com/jpillora/sizestr v1.0.0 h1:4tr0FLxs1Mtq3TnsLDV+GYUWG7Q26a6s+tV5Zfw2ygw= github.com/jpillora/sizestr v1.0.0/go.mod h1:bUhLv4ctkknatr6gR42qPxirmd5+ds1u7mzD+MZ33f0= github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce h1:fb190+cK2Xz/dvi9Hv8eCYJYvIGUTN2/KLq1pT6CjEc= github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4= golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts= golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos= golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60= golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM= golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4= golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k= golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg= golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM= golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk= golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA= ================================================ FILE: main.go ================================================ package main import ( "flag" "fmt" "log" "net/http" "os" "runtime" "strconv" "strings" "time" chclient "github.com/jpillora/chisel/client" chserver "github.com/jpillora/chisel/server" chshare "github.com/jpillora/chisel/share" "github.com/jpillora/chisel/share/ccrypto" "github.com/jpillora/chisel/share/cos" "github.com/jpillora/chisel/share/settings" ) var help = ` Usage: chisel [command] [--help] Version: ` + chshare.BuildVersion + ` (` + runtime.Version() + `) Commands: server - runs chisel in server mode client - runs chisel in client mode Read more: https://github.com/jpillora/chisel ` func main() { version := flag.Bool("version", false, "") v := flag.Bool("v", false, "") flag.Bool("help", false, "") flag.Bool("h", false, "") flag.Usage = func() {} flag.Parse() if *version || *v { fmt.Println(chshare.BuildVersion) os.Exit(0) } args := flag.Args() subcmd := "" if len(args) > 0 { subcmd = args[0] args = args[1:] } switch subcmd { case "server": server(args) case "client": client(args) default: fmt.Print(help) os.Exit(0) } } var commonHelp = ` --pid Generate pid file in current working directory -v, Enable verbose logging --help, This help text Signals: The chisel process is listening for: a SIGUSR2 to print process stats, and a SIGHUP to short-circuit the client reconnect timer Version: ` + chshare.BuildVersion + ` (` + runtime.Version() + `) Read more: https://github.com/jpillora/chisel ` func generatePidFile() { pid := []byte(strconv.Itoa(os.Getpid())) if err := os.WriteFile("chisel.pid", pid, 0644); err != nil { log.Fatal(err) } } var serverHelp = ` Usage: chisel server [options] Options: --host, Defines the HTTP listening host – the network interface (defaults the environment variable HOST and falls back to 0.0.0.0). --port, -p, Defines the HTTP listening port (defaults to the environment variable PORT and fallsback to port 8080). --key, (deprecated use --keygen and --keyfile instead) An optional string to seed the generation of a ECDSA public and private key pair. All communications will be secured using this key pair. Share the subsequent fingerprint with clients to enable detection of man-in-the-middle attacks (defaults to the CHISEL_KEY environment variable, otherwise a new key is generate each run). --keygen, A path to write a newly generated PEM-encoded SSH private key file. If users depend on your --key fingerprint, you may also include your --key to output your existing key. Use - (dash) to output the generated key to stdout. --keyfile, An optional path to a PEM-encoded SSH private key. When this flag is set, the --key option is ignored, and the provided private key is used to secure all communications. (defaults to the CHISEL_KEY_FILE environment variable). Since ECDSA keys are short, you may also set keyfile to an inline base64 private key (e.g. chisel server --keygen - | base64). --authfile, An optional path to a users.json file. This file should be an object with users defined like: { "": ["",""] } when connects, their will be verified and then each of the remote addresses will be compared against the list of address regular expressions for a match. Addresses will always come in the form ":" for normal remotes and "R::" for reverse port forwarding remotes. This file will be automatically reloaded on change. --auth, An optional string representing a single user with full access, in the form of . It is equivalent to creating an authfile with {"": [""]}. If unset, it will use the environment variable AUTH. --keepalive, An optional keepalive interval. Since the underlying transport is HTTP, in many instances we'll be traversing through proxies, often these proxies will close idle connections. You must specify a time with a unit, for example '5s' or '2m'. Defaults to '25s' (set to 0s to disable). --backend, Specifies another HTTP server to proxy requests to when chisel receives a normal HTTP request. Useful for hiding chisel in plain sight. --socks5, Allow clients to access the internal SOCKS5 proxy. See chisel client --help for more information. --reverse, Allow clients to specify reverse port forwarding remotes in addition to normal remotes. --tls-key, Enables TLS and provides optional path to a PEM-encoded TLS private key. When this flag is set, you must also set --tls-cert, and you cannot set --tls-domain. --tls-cert, Enables TLS and provides optional path to a PEM-encoded TLS certificate. When this flag is set, you must also set --tls-key, and you cannot set --tls-domain. --tls-domain, Enables TLS and automatically acquires a TLS key and certificate using LetsEncrypt. Setting --tls-domain requires port 443. You may specify multiple --tls-domain flags to serve multiple domains. The resulting files are cached in the "$HOME/.cache/chisel" directory. You can modify this path by setting the CHISEL_LE_CACHE variable, or disable caching by setting this variable to "-". You can optionally provide a certificate notification email by setting CHISEL_LE_EMAIL. --tls-ca, a path to a PEM encoded CA certificate bundle or a directory holding multiple PEM encode CA certificate bundle files, which is used to validate client connections. The provided CA certificates will be used instead of the system roots. This is commonly used to implement mutual-TLS. ` + commonHelp func server(args []string) { flags := flag.NewFlagSet("server", flag.ContinueOnError) config := &chserver.Config{} flags.StringVar(&config.KeySeed, "key", "", "") flags.StringVar(&config.KeyFile, "keyfile", "", "") flags.StringVar(&config.AuthFile, "authfile", "", "") flags.StringVar(&config.Auth, "auth", "", "") flags.DurationVar(&config.KeepAlive, "keepalive", 25*time.Second, "") flags.StringVar(&config.Proxy, "proxy", "", "") flags.StringVar(&config.Proxy, "backend", "", "") flags.BoolVar(&config.Socks5, "socks5", false, "") flags.BoolVar(&config.Reverse, "reverse", false, "") flags.StringVar(&config.TLS.Key, "tls-key", "", "") flags.StringVar(&config.TLS.Cert, "tls-cert", "", "") flags.Var(multiFlag{&config.TLS.Domains}, "tls-domain", "") flags.StringVar(&config.TLS.CA, "tls-ca", "", "") host := flags.String("host", "", "") p := flags.String("p", "", "") port := flags.String("port", "", "") pid := flags.Bool("pid", false, "") verbose := flags.Bool("v", false, "") keyGen := flags.String("keygen", "", "") flags.Usage = func() { fmt.Print(serverHelp) os.Exit(0) } flags.Parse(args) if *keyGen != "" { if err := ccrypto.GenerateKeyFile(*keyGen, config.KeySeed); err != nil { log.Fatal(err) } return } if config.KeySeed != "" { log.Print("Option `--key` is deprecated and will be removed in a future version of chisel.") log.Print("Please use `chisel server --keygen /file/path`, followed by `chisel server --keyfile /file/path` to specify the SSH private key") } if *host == "" { *host = os.Getenv("HOST") } if *host == "" { *host = "0.0.0.0" } if *port == "" { *port = *p } if *port == "" { *port = os.Getenv("PORT") } if *port == "" { *port = "8080" } if config.KeyFile == "" { config.KeyFile = settings.Env("KEY_FILE") } if config.KeySeed == "" { config.KeySeed = settings.Env("KEY") } if config.Auth == "" { config.Auth = os.Getenv("AUTH") } s, err := chserver.NewServer(config) if err != nil { log.Fatal(err) } s.Debug = *verbose if *pid { generatePidFile() } go cos.GoStats() ctx := cos.InterruptContext() if err := s.StartContext(ctx, *host, *port); err != nil { log.Fatal(err) } if err := s.Wait(); err != nil { log.Fatal(err) } } type multiFlag struct { values *[]string } func (flag multiFlag) String() string { return strings.Join(*flag.values, ", ") } func (flag multiFlag) Set(arg string) error { *flag.values = append(*flag.values, arg) return nil } type headerFlags struct { http.Header } func (flag *headerFlags) String() string { out := "" for k, v := range flag.Header { out += fmt.Sprintf("%s: %s\n", k, v) } return out } func (flag *headerFlags) Set(arg string) error { index := strings.Index(arg, ":") if index < 0 { return fmt.Errorf(`Invalid header (%s). Should be in the format "HeaderName: HeaderContent"`, arg) } if flag.Header == nil { flag.Header = http.Header{} } key := arg[0:index] value := arg[index+1:] flag.Header.Set(key, strings.TrimSpace(value)) return nil } var clientHelp = ` Usage: chisel client [options] [remote] [remote] ... is the URL to the chisel server. s are remote connections tunneled through the server, each of which come in the form: :::/ ■ local-host defaults to 0.0.0.0 (all interfaces). ■ local-port defaults to remote-port. ■ remote-port is required*. ■ remote-host defaults to 0.0.0.0 (server localhost). ■ protocol defaults to tcp. which shares : from the server to the client as :, or: R::::/ which does reverse port forwarding, sharing : from the client to the server's :. example remotes 3000 example.com:3000 3000:google.com:80 192.168.0.5:3000:google.com:80 socks 5000:socks R:2222:localhost:22 R:socks R:5000:socks stdio:example.com:22 1.1.1.1:53/udp When the chisel server has --socks5 enabled, remotes can specify "socks" in place of remote-host and remote-port. The default local host and port for a "socks" remote is 127.0.0.1:1080. Connections to this remote will terminate at the server's internal SOCKS5 proxy. When the chisel server has --reverse enabled, remotes can be prefixed with R to denote that they are reversed. That is, the server will listen and accept connections, and they will be proxied through the client which specified the remote. Reverse remotes specifying "R:socks" will listen on the server's default socks port (1080) and terminate the connection at the client's internal SOCKS5 proxy. When stdio is used as local-host, the tunnel will connect standard input/output of this program with the remote. This is useful when combined with ssh ProxyCommand. You can use ssh -o ProxyCommand='chisel client chiselserver stdio:%h:%p' \ user@example.com to connect to an SSH server through the tunnel. Options: --fingerprint, A *strongly recommended* fingerprint string to perform host-key validation against the server's public key. Fingerprint mismatches will close the connection. Fingerprints are generated by hashing the ECDSA public key using SHA256 and encoding the result in base64. Fingerprints must be 44 characters containing a trailing equals (=). --auth, An optional username and password (client authentication) in the form: ":". These credentials are compared to the credentials inside the server's --authfile. defaults to the AUTH environment variable. --keepalive, An optional keepalive interval. Since the underlying transport is HTTP, in many instances we'll be traversing through proxies, often these proxies will close idle connections. You must specify a time with a unit, for example '5s' or '2m'. Defaults to '25s' (set to 0s to disable). --max-retry-count, Maximum number of times to retry before exiting. Defaults to unlimited. --max-retry-interval, Maximum wait time before retrying after a disconnection. Defaults to 5 minutes. --proxy, An optional HTTP CONNECT or SOCKS5 proxy which will be used to reach the chisel server. Authentication can be specified inside the URL. For example, http://admin:password@my-server.com:8081 or: socks://admin:password@my-server.com:1080 --header, Set a custom header in the form "HeaderName: HeaderContent". Can be used multiple times. (e.g --header "Foo: Bar" --header "Hello: World") --hostname, Optionally set the 'Host' header (defaults to the host found in the server url). --sni, Override the ServerName when using TLS (defaults to the hostname). --tls-ca, An optional root certificate bundle used to verify the chisel server. Only valid when connecting to the server with "https" or "wss". By default, the operating system CAs will be used. --tls-skip-verify, Skip server TLS certificate verification of chain and host name (if TLS is used for transport connections to server). If set, client accepts any TLS certificate presented by the server and any host name in that certificate. This only affects transport https (wss) connection. Chisel server's public key may be still verified (see --fingerprint) after inner connection is established. --tls-key, a path to a PEM encoded private key used for client authentication (mutual-TLS). --tls-cert, a path to a PEM encoded certificate matching the provided private key. The certificate must have client authentication enabled (mutual-TLS). ` + commonHelp func client(args []string) { flags := flag.NewFlagSet("client", flag.ContinueOnError) config := chclient.Config{Headers: http.Header{}} flags.StringVar(&config.Fingerprint, "fingerprint", "", "") flags.StringVar(&config.Auth, "auth", "", "") flags.DurationVar(&config.KeepAlive, "keepalive", 25*time.Second, "") flags.IntVar(&config.MaxRetryCount, "max-retry-count", -1, "") flags.DurationVar(&config.MaxRetryInterval, "max-retry-interval", 0, "") flags.StringVar(&config.Proxy, "proxy", "", "") flags.StringVar(&config.TLS.CA, "tls-ca", "", "") flags.BoolVar(&config.TLS.SkipVerify, "tls-skip-verify", false, "") flags.StringVar(&config.TLS.Cert, "tls-cert", "", "") flags.StringVar(&config.TLS.Key, "tls-key", "", "") flags.Var(&headerFlags{config.Headers}, "header", "") hostname := flags.String("hostname", "", "") sni := flags.String("sni", "", "") pid := flags.Bool("pid", false, "") verbose := flags.Bool("v", false, "") flags.Usage = func() { fmt.Print(clientHelp) os.Exit(0) } flags.Parse(args) //pull out options, put back remaining args args = flags.Args() if len(args) < 2 { log.Fatalf("A server and least one remote is required") } config.Server = args[0] config.Remotes = args[1:] //default auth if config.Auth == "" { config.Auth = os.Getenv("AUTH") } //move hostname onto headers if *hostname != "" { config.Headers.Set("Host", *hostname) config.TLS.ServerName = *hostname } if *sni != "" { config.TLS.ServerName = *sni } //ready c, err := chclient.NewClient(&config) if err != nil { log.Fatal(err) } c.Debug = *verbose if *pid { generatePidFile() } go cos.GoStats() ctx := cos.InterruptContext() if err := c.Start(ctx); err != nil { log.Fatal(err) } if err := c.Wait(); err != nil { log.Fatal(err) } } ================================================ FILE: server/server.go ================================================ package chserver import ( "context" "errors" "log" "net/http" "net/http/httputil" "net/url" "os" "regexp" "time" "github.com/gorilla/websocket" chshare "github.com/jpillora/chisel/share" "github.com/jpillora/chisel/share/ccrypto" "github.com/jpillora/chisel/share/cio" "github.com/jpillora/chisel/share/cnet" "github.com/jpillora/chisel/share/settings" "github.com/jpillora/requestlog" "golang.org/x/crypto/ssh" ) // Config is the configuration for the chisel service type Config struct { KeySeed string KeyFile string AuthFile string Auth string Proxy string Socks5 bool Reverse bool KeepAlive time.Duration TLS TLSConfig } // Server respresent a chisel service type Server struct { *cio.Logger config *Config fingerprint string httpServer *cnet.HTTPServer reverseProxy *httputil.ReverseProxy sessCount int32 sessions *settings.Users sshConfig *ssh.ServerConfig users *settings.UserIndex } var upgrader = websocket.Upgrader{ CheckOrigin: func(r *http.Request) bool { return true }, ReadBufferSize: settings.EnvInt("WS_BUFF_SIZE", 0), WriteBufferSize: settings.EnvInt("WS_BUFF_SIZE", 0), } // NewServer creates and returns a new chisel server func NewServer(c *Config) (*Server, error) { server := &Server{ config: c, httpServer: cnet.NewHTTPServer(), Logger: cio.NewLogger("server"), sessions: settings.NewUsers(), } server.Info = true server.users = settings.NewUserIndex(server.Logger) if c.AuthFile != "" { if err := server.users.LoadUsers(c.AuthFile); err != nil { return nil, err } } if c.Auth != "" { u := &settings.User{Addrs: []*regexp.Regexp{settings.UserAllowAll}} u.Name, u.Pass = settings.ParseAuth(c.Auth) if u.Name != "" { server.users.AddUser(u) } } var pemBytes []byte var err error if c.KeyFile != "" { var key []byte if ccrypto.IsChiselKey([]byte(c.KeyFile)) { key = []byte(c.KeyFile) } else { key, err = os.ReadFile(c.KeyFile) if err != nil { log.Fatalf("Failed to read key file %s", c.KeyFile) } } pemBytes = key if ccrypto.IsChiselKey(key) { pemBytes, err = ccrypto.ChiselKey2PEM(key) if err != nil { log.Fatalf("Invalid key %s", string(key)) } } } else { //generate private key (optionally using seed) pemBytes, err = ccrypto.Seed2PEM(c.KeySeed) if err != nil { log.Fatal("Failed to generate key") } } //convert into ssh.PrivateKey private, err := ssh.ParsePrivateKey(pemBytes) if err != nil { log.Fatal("Failed to parse key") } //fingerprint this key server.fingerprint = ccrypto.FingerprintKey(private.PublicKey()) //create ssh config server.sshConfig = &ssh.ServerConfig{ ServerVersion: "SSH-" + chshare.ProtocolVersion + "-server", PasswordCallback: server.authUser, } server.sshConfig.AddHostKey(private) //setup reverse proxy if c.Proxy != "" { u, err := url.Parse(c.Proxy) if err != nil { return nil, err } if u.Host == "" { return nil, server.Errorf("Missing protocol (%s)", u) } server.reverseProxy = httputil.NewSingleHostReverseProxy(u) //always use proxy host server.reverseProxy.Director = func(r *http.Request) { //enforce origin, keep path r.URL.Scheme = u.Scheme r.URL.Host = u.Host r.Host = u.Host } } //print when reverse tunnelling is enabled if c.Reverse { server.Infof("Reverse tunnelling enabled") } return server, nil } // Run is responsible for starting the chisel service. // Internally this calls Start then Wait. func (s *Server) Run(host, port string) error { if err := s.Start(host, port); err != nil { return err } return s.Wait() } // Start is responsible for kicking off the http server func (s *Server) Start(host, port string) error { return s.StartContext(context.Background(), host, port) } // StartContext is responsible for kicking off the http server, // and can be closed by cancelling the provided context func (s *Server) StartContext(ctx context.Context, host, port string) error { s.Infof("Fingerprint %s", s.fingerprint) if s.users.Len() > 0 { s.Infof("User authentication enabled") } if s.reverseProxy != nil { s.Infof("Reverse proxy enabled") } l, err := s.listener(host, port) if err != nil { return err } h := http.Handler(http.HandlerFunc(s.handleClientHandler)) if s.Debug { o := requestlog.DefaultOptions o.TrustProxy = true h = requestlog.WrapWith(h, o) } return s.httpServer.GoServe(ctx, l, h) } // Wait waits for the http server to close func (s *Server) Wait() error { return s.httpServer.Wait() } // Close forcibly closes the http server func (s *Server) Close() error { return s.httpServer.Close() } // GetFingerprint is used to access the server fingerprint func (s *Server) GetFingerprint() string { return s.fingerprint } // authUser is responsible for validating the ssh user / password combination func (s *Server) authUser(c ssh.ConnMetadata, password []byte) (*ssh.Permissions, error) { // check if user authentication is enabled and if not, allow all if s.users.Len() == 0 { return nil, nil } // check the user exists and has matching password n := c.User() user, found := s.users.Get(n) if !found || user.Pass != string(password) { s.Debugf("Login failed for user: %s", n) return nil, errors.New("Invalid authentication for username: %s") } // insert the user session map // TODO this should probably have a lock on it given the map isn't thread-safe s.sessions.Set(string(c.SessionID()), user) return nil, nil } // AddUser adds a new user into the server user index func (s *Server) AddUser(user, pass string, addrs ...string) error { authorizedAddrs := []*regexp.Regexp{} for _, addr := range addrs { authorizedAddr, err := regexp.Compile(addr) if err != nil { return err } authorizedAddrs = append(authorizedAddrs, authorizedAddr) } s.users.AddUser(&settings.User{ Name: user, Pass: pass, Addrs: authorizedAddrs, }) return nil } // DeleteUser removes a user from the server user index func (s *Server) DeleteUser(user string) { s.users.Del(user) } // ResetUsers in the server user index. // Use nil to remove all. func (s *Server) ResetUsers(users []*settings.User) { s.users.Reset(users) } ================================================ FILE: server/server_handler.go ================================================ package chserver import ( "net/http" "strings" "sync/atomic" "time" chshare "github.com/jpillora/chisel/share" "github.com/jpillora/chisel/share/cnet" "github.com/jpillora/chisel/share/settings" "github.com/jpillora/chisel/share/tunnel" "golang.org/x/crypto/ssh" "golang.org/x/sync/errgroup" ) // handleClientHandler is the main http websocket handler for the chisel server func (s *Server) handleClientHandler(w http.ResponseWriter, r *http.Request) { //websockets upgrade AND has chisel prefix upgrade := strings.ToLower(r.Header.Get("Upgrade")) protocol := r.Header.Get("Sec-WebSocket-Protocol") if upgrade == "websocket" { if protocol == chshare.ProtocolVersion { s.handleWebsocket(w, r) return } //print into server logs and silently fall-through s.Infof("ignored client connection using protocol '%s', expected '%s'", protocol, chshare.ProtocolVersion) } //proxy target was provided if s.reverseProxy != nil { s.reverseProxy.ServeHTTP(w, r) return } //no proxy defined, provide access to health/version checks switch r.URL.Path { case "/health": w.Write([]byte("OK\n")) return case "/version": w.Write([]byte(chshare.BuildVersion)) return } //missing :O w.WriteHeader(404) w.Write([]byte("Not found")) } // handleWebsocket is responsible for handling the websocket connection func (s *Server) handleWebsocket(w http.ResponseWriter, req *http.Request) { id := atomic.AddInt32(&s.sessCount, 1) l := s.Fork("session#%d", id) wsConn, err := upgrader.Upgrade(w, req, nil) if err != nil { l.Debugf("Failed to upgrade (%s)", err) return } conn := cnet.NewWebSocketConn(wsConn) // perform SSH handshake on net.Conn l.Debugf("Handshaking with %s...", req.RemoteAddr) sshConn, chans, reqs, err := ssh.NewServerConn(conn, s.sshConfig) if err != nil { s.Debugf("Failed to handshake (%s)", err) return } // pull the users from the session map var user *settings.User if s.users.Len() > 0 { sid := string(sshConn.SessionID()) u, ok := s.sessions.Get(sid) if !ok { panic("bug in ssh auth handler") } user = u s.sessions.Del(sid) } // chisel server handshake (reverse of client handshake) // verify configuration l.Debugf("Verifying configuration") // wait for request, with timeout var r *ssh.Request select { case r = <-reqs: case <-time.After(settings.EnvDuration("CONFIG_TIMEOUT", 10*time.Second)): l.Debugf("Timeout waiting for configuration") sshConn.Close() return } failed := func(err error) { l.Debugf("Failed: %s", err) r.Reply(false, []byte(err.Error())) } if r.Type != "config" { failed(s.Errorf("expecting config request")) return } c, err := settings.DecodeConfig(r.Payload) if err != nil { failed(s.Errorf("invalid config")) return } //print if client and server versions dont match cv := strings.TrimPrefix(c.Version, "v") if cv == "" { cv = "" } sv := strings.TrimPrefix(chshare.BuildVersion, "v") if cv != sv { l.Infof("Client version (%s) differs from server version (%s)", cv, sv) } //validate remotes for _, r := range c.Remotes { //if user is provided, ensure they have //access to the desired remotes if user != nil { addr := r.UserAddr() if !user.HasAccess(addr) { failed(s.Errorf("access to '%s' denied", addr)) return } } //confirm reverse tunnels are allowed if r.Reverse && !s.config.Reverse { l.Debugf("Denied reverse port forwarding request, please enable --reverse") failed(s.Errorf("Reverse port forwaring not enabled on server")) return } //confirm reverse tunnel is available if r.Reverse && !r.CanListen() { failed(s.Errorf("Server cannot listen on %s", r.String())) return } } //successfuly validated config! r.Reply(true, nil) //tunnel per ssh connection tunnelConfig := tunnel.Config{ Logger: l, Inbound: s.config.Reverse, Outbound: true, //server always accepts outbound Socks: s.config.Socks5, KeepAlive: s.config.KeepAlive, } //enforce ACL on every channel, not just the initial config if user != nil { tunnelConfig.ACL = user.HasAccess } tunnel := tunnel.New(tunnelConfig) //bind eg, ctx := errgroup.WithContext(req.Context()) eg.Go(func() error { //connected, handover ssh connection for tunnel to use, and block return tunnel.BindSSH(ctx, sshConn, reqs, chans) }) eg.Go(func() error { //connected, setup reversed-remotes? serverInbound := c.Remotes.Reversed(true) if len(serverInbound) == 0 { return nil } //block return tunnel.BindRemotes(ctx, serverInbound) }) err = eg.Wait() if err != nil && !strings.HasSuffix(err.Error(), "EOF") { l.Debugf("Closed connection (%s)", err) } else { l.Debugf("Closed connection") } } ================================================ FILE: server/server_listen.go ================================================ package chserver import ( "crypto/tls" "crypto/x509" "errors" "net" "os" "os/user" "path/filepath" "github.com/jpillora/chisel/share/settings" "golang.org/x/crypto/acme/autocert" ) //TLSConfig enables configures TLS type TLSConfig struct { Key string Cert string Domains []string CA string } func (s *Server) listener(host, port string) (net.Listener, error) { hasDomains := len(s.config.TLS.Domains) > 0 hasKeyCert := s.config.TLS.Key != "" && s.config.TLS.Cert != "" if hasDomains && hasKeyCert { return nil, errors.New("cannot use key/cert and domains") } var tlsConf *tls.Config if hasDomains { tlsConf = s.tlsLetsEncrypt(s.config.TLS.Domains) } extra := "" if hasKeyCert { c, err := s.tlsKeyCert(s.config.TLS.Key, s.config.TLS.Cert, s.config.TLS.CA) if err != nil { return nil, err } tlsConf = c if port != "443" && hasDomains { extra = " (WARNING: LetsEncrypt will attempt to connect to your domain on port 443)" } } //tcp listen l, err := net.Listen("tcp", host+":"+port) if err != nil { return nil, err } //optionally wrap in tls proto := "http" if tlsConf != nil { proto += "s" l = tls.NewListener(l, tlsConf) } if err == nil { s.Infof("Listening on %s://%s:%s%s", proto, host, port, extra) } return l, nil } func (s *Server) tlsLetsEncrypt(domains []string) *tls.Config { //prepare cert manager m := &autocert.Manager{ Prompt: func(tosURL string) bool { s.Infof("Accepting LetsEncrypt TOS and fetching certificate...") return true }, Email: settings.Env("LE_EMAIL"), HostPolicy: autocert.HostWhitelist(domains...), } //configure file cache c := settings.Env("LE_CACHE") if c == "" { h := os.Getenv("HOME") if h == "" { if u, err := user.Current(); err == nil { h = u.HomeDir } } c = filepath.Join(h, ".cache", "chisel") } if c != "-" { s.Infof("LetsEncrypt cache directory %s", c) m.Cache = autocert.DirCache(c) } //return lets-encrypt tls config return m.TLSConfig() } func (s *Server) tlsKeyCert(key, cert string, ca string) (*tls.Config, error) { keypair, err := tls.LoadX509KeyPair(cert, key) if err != nil { return nil, err } //file based tls config using tls defaults c := &tls.Config{ Certificates: []tls.Certificate{keypair}, } //mTLS requires server's CA if ca != "" { if err := addCA(ca, c); err != nil { return nil, err } s.Infof("Loaded CA path: %s", ca) } return c, nil } func addCA(ca string, c *tls.Config) error { fileInfo, err := os.Stat(ca) if err != nil { return err } clientCAPool := x509.NewCertPool() if fileInfo.IsDir() { //this is a directory holding CA bundle files files, err := os.ReadDir(ca) if err != nil { return err } //add all cert files from path for _, file := range files { f := file.Name() if err := addPEMFile(filepath.Join(ca, f), clientCAPool); err != nil { return err } } } else { //this is a CA bundle file if err := addPEMFile(ca, clientCAPool); err != nil { return err } } //set client CAs and enable cert verification c.ClientCAs = clientCAPool c.ClientAuth = tls.RequireAndVerifyClientCert return nil } func addPEMFile(path string, pool *x509.CertPool) error { content, err := os.ReadFile(path) if err != nil { return err } if !pool.AppendCertsFromPEM(content) { return errors.New("Fail to load certificates from : " + path) } return nil } ================================================ FILE: share/ccrypto/determ_rand.go ================================================ package ccrypto // Deterministic crypto.Reader // overview: half the result is used as the output // [a|...] -> sha512(a) -> [b|output] -> sha512(b) import ( "crypto/sha512" "io" ) const DetermRandIter = 2048 func NewDetermRand(seed []byte) io.Reader { var out []byte //strengthen seed var next = seed for i := 0; i < DetermRandIter; i++ { next, out = hash(next) } return &determRand{ next: next, out: out, } } type determRand struct { next, out []byte } func (d *determRand) Read(b []byte) (int, error) { n := 0 l := len(b) for n < l { next, out := hash(d.next) n += copy(b[n:], out) d.next = next } return n, nil } func hash(input []byte) (next []byte, output []byte) { nextout := sha512.Sum512(input) return nextout[:sha512.Size/2], nextout[sha512.Size/2:] } ================================================ FILE: share/ccrypto/generate_key_go119.go ================================================ package ccrypto import ( "crypto/ecdsa" "crypto/elliptic" "io" "math/big" ) var one = new(big.Int).SetInt64(1) // This function is copied from ecdsa.GenerateKey() of Go 1.19 func GenerateKeyGo119(c elliptic.Curve, rand io.Reader) (*ecdsa.PrivateKey, error) { k, err := randFieldElement(c, rand) if err != nil { return nil, err } priv := new(ecdsa.PrivateKey) priv.PublicKey.Curve = c priv.D = k priv.PublicKey.X, priv.PublicKey.Y = c.ScalarBaseMult(k.Bytes()) return priv, nil } // This function is copied from Go 1.19 func randFieldElement(c elliptic.Curve, rand io.Reader) (k *big.Int, err error) { params := c.Params() // Note that for P-521 this will actually be 63 bits more than the order, as // division rounds down, but the extra bit is inconsequential. b := make([]byte, params.N.BitLen()/8+8) _, err = io.ReadFull(rand, b) if err != nil { return } k = new(big.Int).SetBytes(b) n := new(big.Int).Sub(params.N, one) k.Mod(k, n) k.Add(k, one) return } ================================================ FILE: share/ccrypto/keys.go ================================================ package ccrypto import ( "crypto/sha256" "encoding/base64" "fmt" "os" "golang.org/x/crypto/ssh" ) // GenerateKey generates a PEM key func GenerateKey(seed string) ([]byte, error) { return Seed2PEM(seed) } // GenerateKeyFile generates an ChiselKey func GenerateKeyFile(keyFilePath, seed string) error { chiselKey, err := seed2ChiselKey(seed) if err != nil { return err } if keyFilePath == "-" { fmt.Print(string(chiselKey)) return nil } return os.WriteFile(keyFilePath, chiselKey, 0600) } // FingerprintKey calculates the SHA256 hash of an SSH public key func FingerprintKey(k ssh.PublicKey) string { bytes := sha256.Sum256(k.Marshal()) return base64.StdEncoding.EncodeToString(bytes[:]) } ================================================ FILE: share/ccrypto/keys_helpers.go ================================================ package ccrypto import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" "crypto/x509" "encoding/base64" "encoding/pem" "strings" ) const ChiselKeyPrefix = "ck-" // Relations between entities: // // .............> PEM <........... // . ^ . // . | . // . | . // Seed -------> PrivateKey . // . ^ . // . | . // . V . // ..........> ChiselKey ......... func Seed2PEM(seed string) ([]byte, error) { privateKey, err := seed2PrivateKey(seed) if err != nil { return nil, err } return privateKey2PEM(privateKey) } func seed2ChiselKey(seed string) ([]byte, error) { privateKey, err := seed2PrivateKey(seed) if err != nil { return nil, err } return privateKey2ChiselKey(privateKey) } func seed2PrivateKey(seed string) (*ecdsa.PrivateKey, error) { if seed == "" { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) } else { return GenerateKeyGo119(elliptic.P256(), NewDetermRand([]byte(seed))) } } func privateKey2ChiselKey(privateKey *ecdsa.PrivateKey) ([]byte, error) { b, err := x509.MarshalECPrivateKey(privateKey) if err != nil { return nil, err } encodedPrivateKey := make([]byte, base64.RawStdEncoding.EncodedLen(len(b))) base64.RawStdEncoding.Encode(encodedPrivateKey, b) return append([]byte(ChiselKeyPrefix), encodedPrivateKey...), nil } func privateKey2PEM(privateKey *ecdsa.PrivateKey) ([]byte, error) { b, err := x509.MarshalECPrivateKey(privateKey) if err != nil { return nil, err } return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: b}), nil } func chiselKey2PrivateKey(chiselKey []byte) (*ecdsa.PrivateKey, error) { rawChiselKey := chiselKey[len(ChiselKeyPrefix):] decodedPrivateKey := make([]byte, base64.RawStdEncoding.DecodedLen(len(rawChiselKey))) _, err := base64.RawStdEncoding.Decode(decodedPrivateKey, rawChiselKey) if err != nil { return nil, err } return x509.ParseECPrivateKey(decodedPrivateKey) } func ChiselKey2PEM(chiselKey []byte) ([]byte, error) { privateKey, err := chiselKey2PrivateKey(chiselKey) if err == nil { return privateKey2PEM(privateKey) } return nil, err } func IsChiselKey(chiselKey []byte) bool { return strings.HasPrefix(string(chiselKey), ChiselKeyPrefix) } ================================================ FILE: share/cio/logger.go ================================================ package cio import ( "fmt" "log" "os" ) //Logger is pkg/log Logger with prefixing and 2 log levels type Logger struct { Info, Debug bool //internal prefix string logger *log.Logger info, debug *bool } func NewLogger(prefix string) *Logger { return NewLoggerFlag(prefix, log.Ldate|log.Ltime) } func NewLoggerFlag(prefix string, flag int) *Logger { l := &Logger{ prefix: prefix, logger: log.New(os.Stderr, "", flag), Info: false, Debug: false, } return l } func (l *Logger) Infof(f string, args ...interface{}) { if l.IsInfo() { l.logger.Printf(l.prefix+": "+f, args...) } } func (l *Logger) Debugf(f string, args ...interface{}) { if l.IsDebug() { l.logger.Printf(l.prefix+": "+f, args...) } } func (l *Logger) Errorf(f string, args ...interface{}) error { return fmt.Errorf(l.prefix+": "+f, args...) } func (l *Logger) Fork(prefix string, args ...interface{}) *Logger { //slip the parent prefix at the front args = append([]interface{}{l.prefix}, args...) ll := NewLogger(fmt.Sprintf("%s: "+prefix, args...)) //store link to parent settings too ll.Info = l.Info if l.info != nil { ll.info = l.info } else { ll.info = &l.Info } ll.Debug = l.Debug if l.debug != nil { ll.debug = l.debug } else { ll.debug = &l.Debug } return ll } func (l *Logger) Prefix() string { return l.prefix } func (l *Logger) IsInfo() bool { return l.Info || (l.info != nil && *l.info) } func (l *Logger) IsDebug() bool { return l.Debug || (l.debug != nil && *l.debug) } ================================================ FILE: share/cio/pipe.go ================================================ package cio import ( "io" "log" "sync" ) func Pipe(src io.ReadWriteCloser, dst io.ReadWriteCloser) (int64, int64) { var sent, received int64 var wg sync.WaitGroup var o sync.Once close := func() { src.Close() dst.Close() } wg.Add(2) go func() { received, _ = io.Copy(src, dst) o.Do(close) wg.Done() }() go func() { sent, _ = io.Copy(dst, src) o.Do(close) wg.Done() }() wg.Wait() return sent, received } const vis = false type pipeVisPrinter struct { name string } func (p pipeVisPrinter) Write(b []byte) (int, error) { log.Printf(">>> %s: %x", p.name, b) return len(b), nil } func pipeVis(name string, r io.Reader) io.Reader { if vis { return io.TeeReader(r, pipeVisPrinter{name}) } return r } ================================================ FILE: share/cio/stdio.go ================================================ package cio import ( "io" "os" ) //Stdio as a ReadWriteCloser var Stdio = &struct { io.ReadCloser io.Writer }{ io.NopCloser(os.Stdin), os.Stdout, } ================================================ FILE: share/cnet/conn_rwc.go ================================================ package cnet import ( "io" "net" "time" ) type rwcConn struct { io.ReadWriteCloser buff []byte } //NewRWCConn converts a RWC into a net.Conn func NewRWCConn(rwc io.ReadWriteCloser) net.Conn { c := rwcConn{ ReadWriteCloser: rwc, } return &c } func (c *rwcConn) LocalAddr() net.Addr { return c } func (c *rwcConn) RemoteAddr() net.Addr { return c } func (c *rwcConn) Network() string { return "tcp" } func (c *rwcConn) String() string { return "" } func (c *rwcConn) SetDeadline(t time.Time) error { return nil //no-op } func (c *rwcConn) SetReadDeadline(t time.Time) error { return nil //no-op } func (c *rwcConn) SetWriteDeadline(t time.Time) error { return nil //no-op } ================================================ FILE: share/cnet/conn_ws.go ================================================ package cnet import ( "net" "time" "github.com/gorilla/websocket" ) type wsConn struct { *websocket.Conn buff []byte } //NewWebSocketConn converts a websocket.Conn into a net.Conn func NewWebSocketConn(websocketConn *websocket.Conn) net.Conn { c := wsConn{ Conn: websocketConn, } return &c } //Read is not threadsafe though thats okay since there //should never be more than one reader func (c *wsConn) Read(dst []byte) (int, error) { ldst := len(dst) //use buffer or read new message var src []byte if len(c.buff) > 0 { src = c.buff c.buff = nil } else if _, msg, err := c.Conn.ReadMessage(); err == nil { src = msg } else { return 0, err } //copy src->dest var n int if len(src) > ldst { //copy as much as possible of src into dst n = copy(dst, src[:ldst]) //copy remainder into buffer r := src[ldst:] lr := len(r) c.buff = make([]byte, lr) copy(c.buff, r) } else { //copy all of src into dst n = copy(dst, src) } //return bytes copied return n, nil } func (c *wsConn) Write(b []byte) (int, error) { if err := c.Conn.WriteMessage(websocket.BinaryMessage, b); err != nil { return 0, err } n := len(b) return n, nil } func (c *wsConn) SetDeadline(t time.Time) error { if err := c.Conn.SetReadDeadline(t); err != nil { return err } return c.Conn.SetWriteDeadline(t) } ================================================ FILE: share/cnet/connstats.go ================================================ package cnet import ( "fmt" "sync/atomic" ) //ConnCount is a connection counter type ConnCount struct { count int32 open int32 } func (c *ConnCount) New() int32 { return atomic.AddInt32(&c.count, 1) } func (c *ConnCount) Open() { atomic.AddInt32(&c.open, 1) } func (c *ConnCount) Close() { atomic.AddInt32(&c.open, -1) } func (c *ConnCount) String() string { return fmt.Sprintf("[%d/%d]", atomic.LoadInt32(&c.open), atomic.LoadInt32(&c.count)) } ================================================ FILE: share/cnet/http_server.go ================================================ package cnet import ( "context" "errors" "net" "net/http" "sync" "golang.org/x/sync/errgroup" ) //HTTPServer extends net/http Server and //adds graceful shutdowns type HTTPServer struct { *http.Server waiterMux sync.Mutex waiter *errgroup.Group listenErr error } //NewHTTPServer creates a new HTTPServer func NewHTTPServer() *HTTPServer { return &HTTPServer{ Server: &http.Server{}, } } func (h *HTTPServer) GoListenAndServe(addr string, handler http.Handler) error { return h.GoListenAndServeContext(context.Background(), addr, handler) } func (h *HTTPServer) GoListenAndServeContext(ctx context.Context, addr string, handler http.Handler) error { if ctx == nil { return errors.New("ctx must be set") } l, err := net.Listen("tcp", addr) if err != nil { return err } return h.GoServe(ctx, l, handler) } func (h *HTTPServer) GoServe(ctx context.Context, l net.Listener, handler http.Handler) error { if ctx == nil { return errors.New("ctx must be set") } h.waiterMux.Lock() defer h.waiterMux.Unlock() h.Handler = handler h.waiter, ctx = errgroup.WithContext(ctx) h.waiter.Go(func() error { return h.Serve(l) }) go func() { <-ctx.Done() h.Close() }() return nil } func (h *HTTPServer) Close() error { h.waiterMux.Lock() defer h.waiterMux.Unlock() if h.waiter == nil { return errors.New("not started yet") } return h.Server.Close() } func (h *HTTPServer) Wait() error { h.waiterMux.Lock() unset := h.waiter == nil h.waiterMux.Unlock() if unset { return errors.New("not started yet") } h.waiterMux.Lock() wait := h.waiter.Wait h.waiterMux.Unlock() err := wait() if err == http.ErrServerClosed { err = nil //success } return err } ================================================ FILE: share/cnet/meter.go ================================================ package cnet import ( "io" "net" "sync/atomic" "time" "github.com/jpillora/chisel/share/cio" "github.com/jpillora/sizestr" ) //NewMeter to measure readers/writers func NewMeter(l *cio.Logger) *Meter { return &Meter{l: l} } //Meter can be inserted in the path or //of a reader or writer to measure the //throughput type Meter struct { //meter state sent, recv int64 //print state l *cio.Logger printing uint32 last int64 lsent, lrecv int64 } func (m *Meter) print() { //move out of the read/write path asap if atomic.CompareAndSwapUint32(&m.printing, 0, 1) { go m.goprint() } } func (m *Meter) goprint() { time.Sleep(time.Second) //snapshot s := atomic.LoadInt64(&m.sent) r := atomic.LoadInt64(&m.recv) //compute speed curr := time.Now().UnixNano() last := atomic.LoadInt64(&m.last) dt := time.Duration(curr-last) * time.Nanosecond ls := atomic.LoadInt64(&m.lsent) lr := atomic.LoadInt64(&m.lrecv) //DEBUG // m.l.Infof("%s = %d(%d-%d), %d(%d-%d)", dt, s-ls, s, ls, r-lr, r, lr) //scale to per second V=D/T sps := int64(float64(s-ls) / float64(dt) * float64(time.Second)) rps := int64(float64(r-lr) / float64(dt) * float64(time.Second)) if last > 0 && (sps != 0 || rps != 0) { m.l.Debugf("write %s/s read %s/s", sizestr.ToString(sps), sizestr.ToString(rps)) } //record last printed atomic.StoreInt64(&m.lsent, s) atomic.StoreInt64(&m.lrecv, r) //done atomic.StoreInt64(&m.last, curr) atomic.StoreUint32(&m.printing, 0) } //TeeReader inserts Meter into the read path //if the linked logger is in debug mode, //otherwise this is a no-op func (m *Meter) TeeReader(r io.Reader) io.Reader { if m.l.IsDebug() { return &meterReader{m, r} } return r } type meterReader struct { *Meter inner io.Reader } func (m *meterReader) Read(p []byte) (n int, err error) { n, err = m.inner.Read(p) atomic.AddInt64(&m.recv, int64(n)) m.Meter.print() return } //TeeWriter inserts Meter into the write path //if the linked logger is in debug mode, //otherwise this is a no-op func (m *Meter) TeeWriter(w io.Writer) io.Writer { if m.l.IsDebug() { return &meterWriter{m, w} } return w } type meterWriter struct { *Meter inner io.Writer } func (m *meterWriter) Write(p []byte) (n int, err error) { n, err = m.inner.Write(p) atomic.AddInt64(&m.sent, int64(n)) m.Meter.print() return } //MeterConn inserts Meter into the connection path //if the linked logger is in debug mode, //otherwise this is a no-op func MeterConn(l *cio.Logger, conn net.Conn) net.Conn { m := NewMeter(l) return &meterConn{ mread: m.TeeReader(conn), mwrite: m.TeeWriter(conn), Conn: conn, } } type meterConn struct { mread io.Reader mwrite io.Writer net.Conn } func (m *meterConn) Read(p []byte) (n int, err error) { return m.mread.Read(p) } func (m *meterConn) Write(p []byte) (n int, err error) { return m.mwrite.Write(p) } //MeterRWC inserts Meter into the RWC path //if the linked logger is in debug mode, //otherwise this is a no-op func MeterRWC(l *cio.Logger, rwc io.ReadWriteCloser) io.ReadWriteCloser { m := NewMeter(l) return &struct { io.Reader io.Writer io.Closer }{ Reader: m.TeeReader(rwc), Writer: m.TeeWriter(rwc), Closer: rwc, } } ================================================ FILE: share/compat.go ================================================ package chshare //this file exists to maintain backwards compatibility import ( "github.com/jpillora/chisel/share/ccrypto" "github.com/jpillora/chisel/share/cio" "github.com/jpillora/chisel/share/cnet" "github.com/jpillora/chisel/share/cos" "github.com/jpillora/chisel/share/settings" "github.com/jpillora/chisel/share/tunnel" ) const ( DetermRandIter = ccrypto.DetermRandIter ) type ( Config = settings.Config Remote = settings.Remote Remotes = settings.Remotes User = settings.User Users = settings.Users UserIndex = settings.UserIndex HTTPServer = cnet.HTTPServer ConnStats = cnet.ConnCount Logger = cio.Logger TCPProxy = tunnel.Proxy ) var ( NewDetermRand = ccrypto.NewDetermRand GenerateKey = ccrypto.GenerateKey FingerprintKey = ccrypto.FingerprintKey Pipe = cio.Pipe NewLoggerFlag = cio.NewLoggerFlag NewLogger = cio.NewLogger Stdio = cio.Stdio DecodeConfig = settings.DecodeConfig DecodeRemote = settings.DecodeRemote NewUsers = settings.NewUsers NewUserIndex = settings.NewUserIndex UserAllowAll = settings.UserAllowAll ParseAuth = settings.ParseAuth NewRWCConn = cnet.NewRWCConn NewWebSocketConn = cnet.NewWebSocketConn NewHTTPServer = cnet.NewHTTPServer GoStats = cos.GoStats SleepSignal = cos.SleepSignal NewTCPProxy = tunnel.NewProxy ) //EncodeConfig old version func EncodeConfig(c *settings.Config) ([]byte, error) { return settings.EncodeConfig(*c), nil } ================================================ FILE: share/cos/common.go ================================================ package cos import ( "context" "os" "os/signal" "time" ) //InterruptContext returns a context which is //cancelled on OS Interrupt func InterruptContext() context.Context { ctx, cancel := context.WithCancel(context.Background()) go func() { sig := make(chan os.Signal, 1) signal.Notify(sig, os.Interrupt) //windows compatible? <-sig signal.Stop(sig) cancel() }() return ctx } //SleepSignal sleeps for the given duration, //or until a SIGHUP is received func SleepSignal(d time.Duration) { <-AfterSignal(d) } ================================================ FILE: share/cos/pprof.go ================================================ // +build pprof package cos import ( "log" "net/http" _ "net/http/pprof" //import http profiler api ) func init() { go func() { log.Fatal(http.ListenAndServe("localhost:6060", nil)) }() log.Printf("[pprof] listening on 6060") } ================================================ FILE: share/cos/signal.go ================================================ //+build !windows package cos import ( "log" "os" "os/signal" "runtime" "syscall" "time" "github.com/jpillora/sizestr" ) //GoStats prints statistics to //stdout on SIGUSR2 (posix-only) func GoStats() { //silence complaints from windows const SIGUSR2 = syscall.Signal(0x1f) time.Sleep(time.Second) c := make(chan os.Signal, 1) signal.Notify(c, SIGUSR2) for range c { memStats := runtime.MemStats{} runtime.ReadMemStats(&memStats) log.Printf("recieved SIGUSR2, go-routines: %d, go-memory-usage: %s", runtime.NumGoroutine(), sizestr.ToString(int64(memStats.Alloc))) } } //AfterSignal returns a channel which will be closed //after the given duration or until a SIGHUP is received func AfterSignal(d time.Duration) <-chan struct{} { ch := make(chan struct{}) go func() { sig := make(chan os.Signal, 1) signal.Notify(sig, syscall.SIGHUP) select { case <-time.After(d): case <-sig: } signal.Stop(sig) close(ch) }() return ch } ================================================ FILE: share/cos/signal_windows.go ================================================ //+build windows package cos import ( "time" ) func GoStats() { //noop } func AfterSignal(d time.Duration) <-chan struct{} { ch := make(chan struct{}) go func() { <-time.After(d) close(ch) }() return ch } ================================================ FILE: share/settings/config.go ================================================ package settings import ( "encoding/json" "fmt" ) type Config struct { Version string Remotes } func DecodeConfig(b []byte) (*Config, error) { c := &Config{} err := json.Unmarshal(b, c) if err != nil { return nil, fmt.Errorf("Invalid JSON config") } return c, nil } func EncodeConfig(c Config) []byte { //Config doesn't have types that can fail to marshal b, _ := json.Marshal(c) return b } ================================================ FILE: share/settings/env.go ================================================ package settings import ( "os" "strconv" "strings" "time" ) // Env returns a chisel environment variable func Env(name string) string { return os.Getenv("CHISEL_" + name) } // EnvInt returns an integer using an environment variable, with a default fallback func EnvInt(name string, def int) int { if n, err := strconv.Atoi(Env(name)); err == nil { return n } return def } // EnvDuration returns a duration using an environment variable, with a default fallback func EnvDuration(name string, def time.Duration) time.Duration { if n, err := time.ParseDuration(Env(name)); err == nil { return n } return def } // EnvBool returns a boolean using an environment variable func EnvBool(name string) bool { v := Env(name) return v == "1" || strings.ToLower(v) == "true" } ================================================ FILE: share/settings/remote.go ================================================ package settings import ( "errors" "net" "net/url" "regexp" "strconv" "strings" ) // short-hand conversions (see remote_test) // 3000 -> // local 127.0.0.1:3000 // remote 127.0.0.1:3000 // foobar.com:3000 -> // local 127.0.0.1:3000 // remote foobar.com:3000 // 3000:google.com:80 -> // local 127.0.0.1:3000 // remote google.com:80 // 192.168.0.1:3000:google.com:80 -> // local 192.168.0.1:3000 // remote google.com:80 // 127.0.0.1:1080:socks // local 127.0.0.1:1080 // remote socks // stdio:example.com:22 // local stdio // remote example.com:22 // 1.1.1.1:53/udp // local 127.0.0.1:53/udp // remote 1.1.1.1:53/udp type Remote struct { LocalHost, LocalPort, LocalProto string RemoteHost, RemotePort, RemoteProto string Socks, Reverse, Stdio bool } const revPrefix = "R:" func DecodeRemote(s string) (*Remote, error) { reverse := false if strings.HasPrefix(s, revPrefix) { s = strings.TrimPrefix(s, revPrefix) reverse = true } parts := regexp.MustCompile(`(\[[^\[\]]+\]|[^\[\]:]+):?`).FindAllStringSubmatch(s, -1) if len(parts) <= 0 || len(parts) >= 5 { return nil, errors.New("Invalid remote") } r := &Remote{Reverse: reverse} //parse from back to front, to set 'remote' fields first, //then to set 'local' fields second (allows the 'remote' side //to provide the defaults) for i := len(parts) - 1; i >= 0; i-- { p := parts[i][1] //remote portion is socks? if i == len(parts)-1 && p == "socks" { r.Socks = true continue } //local portion is stdio? if i == 0 && p == "stdio" { r.Stdio = true continue } p, proto := L4Proto(p) if proto != "" { if r.RemotePort == "" { r.RemoteProto = proto } else if r.LocalProto == "" { r.LocalProto = proto } } if isPort(p) { if !r.Socks && r.RemotePort == "" { r.RemotePort = p } r.LocalPort = p continue } if !r.Socks && (r.RemotePort == "" && r.LocalPort == "") { return nil, errors.New("Missing ports") } if !isHost(p) { return nil, errors.New("Invalid host") } if !r.Socks && r.RemoteHost == "" { r.RemoteHost = p } else { r.LocalHost = p } } //remote string parsed, apply defaults... if r.Socks { //socks defaults if r.LocalHost == "" { r.LocalHost = "127.0.0.1" } if r.LocalPort == "" { r.LocalPort = "1080" } } else { //non-socks defaults if r.LocalHost == "" { r.LocalHost = "0.0.0.0" } if r.RemoteHost == "" { r.RemoteHost = "127.0.0.1" } } if r.RemoteProto == "" { r.RemoteProto = "tcp" } if r.LocalProto == "" { r.LocalProto = r.RemoteProto } if r.LocalProto != r.RemoteProto { //TODO support cross protocol //tcp <-> udp, is faily straight forward //udp <-> tcp, is trickier since udp is stateless and tcp is not return nil, errors.New("cross-protocol remotes are not supported yet") } if r.Socks && r.RemoteProto != "tcp" { return nil, errors.New("only TCP SOCKS is supported") } if r.Stdio && r.Reverse { return nil, errors.New("stdio cannot be reversed") } return r, nil } func isPort(s string) bool { n, err := strconv.Atoi(s) if err != nil { return false } if n <= 0 || n > 65535 { return false } return true } func isHost(s string) bool { _, err := url.Parse("//" + s) if err != nil { return false } return true } var l4Proto = regexp.MustCompile(`(?i)\/(tcp|udp)$`) //L4Proto extacts the layer-4 protocol from the given string func L4Proto(s string) (head, proto string) { if l4Proto.MatchString(s) { l := len(s) return strings.ToLower(s[:l-4]), s[l-3:] } return s, "" } //implement Stringer func (r Remote) String() string { sb := strings.Builder{} if r.Reverse { sb.WriteString(revPrefix) } sb.WriteString(strings.TrimPrefix(r.Local(), "0.0.0.0:")) sb.WriteString("=>") sb.WriteString(strings.TrimPrefix(r.Remote(), "127.0.0.1:")) if r.RemoteProto == "udp" { sb.WriteString("/udp") } return sb.String() } //Encode remote to a string func (r Remote) Encode() string { if r.LocalPort == "" { r.LocalPort = r.RemotePort } local := r.Local() remote := r.Remote() if r.RemoteProto == "udp" { remote += "/udp" } if r.Reverse { return "R:" + local + ":" + remote } return local + ":" + remote } //Local is the decodable local portion func (r Remote) Local() string { if r.Stdio { return "stdio" } if r.LocalHost == "" { r.LocalHost = "0.0.0.0" } return r.LocalHost + ":" + r.LocalPort } //Remote is the decodable remote portion func (r Remote) Remote() string { if r.Socks { return "socks" } if r.RemoteHost == "" { r.RemoteHost = "127.0.0.1" } return r.RemoteHost + ":" + r.RemotePort } //UserAddr is checked when checking if a //user has access to a given remote func (r Remote) UserAddr() string { if r.Reverse { return "R:" + r.LocalHost + ":" + r.LocalPort } return r.RemoteHost + ":" + r.RemotePort } //CanListen checks if the port can be listened on func (r Remote) CanListen() bool { //valid protocols switch r.LocalProto { case "tcp": conn, err := net.Listen("tcp", r.Local()) if err == nil { conn.Close() return true } return false case "udp": addr, err := net.ResolveUDPAddr("udp", r.Local()) if err != nil { return false } conn, err := net.ListenUDP(r.LocalProto, addr) if err == nil { conn.Close() return true } return false } //invalid return false } type Remotes []*Remote //Filter out forward reversed/non-reversed remotes func (rs Remotes) Reversed(reverse bool) Remotes { subset := Remotes{} for _, r := range rs { match := r.Reverse == reverse if match { subset = append(subset, r) } } return subset } //Encode back into strings func (rs Remotes) Encode() []string { s := make([]string, len(rs)) for i, r := range rs { s[i] = r.Encode() } return s } ================================================ FILE: share/settings/remote_test.go ================================================ package settings import ( "reflect" "testing" ) func TestRemoteDecode(t *testing.T) { //test table for i, test := range []struct { Input string Output Remote Encoded string }{ { "3000", Remote{ LocalPort: "3000", RemoteHost: "127.0.0.1", RemotePort: "3000", }, "0.0.0.0:3000:127.0.0.1:3000", }, { "google.com:80", Remote{ LocalPort: "80", RemoteHost: "google.com", RemotePort: "80", }, "0.0.0.0:80:google.com:80", }, { "R:google.com:80", Remote{ LocalPort: "80", RemoteHost: "google.com", RemotePort: "80", Reverse: true, }, "R:0.0.0.0:80:google.com:80", }, { "示例網站.com:80", Remote{ LocalPort: "80", RemoteHost: "示例網站.com", RemotePort: "80", }, "0.0.0.0:80:示例網站.com:80", }, { "socks", Remote{ LocalHost: "127.0.0.1", LocalPort: "1080", Socks: true, }, "127.0.0.1:1080:socks", }, { "127.0.0.1:1081:socks", Remote{ LocalHost: "127.0.0.1", LocalPort: "1081", Socks: true, }, "127.0.0.1:1081:socks", }, { "1.1.1.1:53/udp", Remote{ LocalPort: "53", LocalProto: "udp", RemoteHost: "1.1.1.1", RemotePort: "53", RemoteProto: "udp", }, "0.0.0.0:53:1.1.1.1:53/udp", }, { "localhost:5353:1.1.1.1:53/udp", Remote{ LocalHost: "localhost", LocalPort: "5353", LocalProto: "udp", RemoteHost: "1.1.1.1", RemotePort: "53", RemoteProto: "udp", }, "localhost:5353:1.1.1.1:53/udp", }, { "[::1]:8080:google.com:80", Remote{ LocalHost: "[::1]", LocalPort: "8080", RemoteHost: "google.com", RemotePort: "80", }, "[::1]:8080:google.com:80", }, { "R:[::]:3000:[::1]:3000", Remote{ LocalHost: "[::]", LocalPort: "3000", RemoteHost: "[::1]", RemotePort: "3000", Reverse: true, }, "R:[::]:3000:[::1]:3000", }, } { //expected defaults expected := test.Output if expected.LocalHost == "" { expected.LocalHost = "0.0.0.0" } if expected.RemoteProto == "" { expected.RemoteProto = "tcp" } if expected.LocalProto == "" { expected.LocalProto = "tcp" } //compare got, err := DecodeRemote(test.Input) if err != nil { t.Fatalf("decode #%d '%s' failed: %s", i+1, test.Input, err) } if !reflect.DeepEqual(got, &expected) { t.Fatalf("decode #%d '%s' expected\n %#v\ngot\n %#v", i+1, test.Input, expected, got) } if e := got.Encode(); test.Encoded != e { t.Fatalf("encode #%d '%s' expected\n %#v\ngot\n %#v", i+1, test.Input, test.Encoded, e) } } } ================================================ FILE: share/settings/user.go ================================================ package settings import ( "regexp" "strings" ) var UserAllowAll = regexp.MustCompile("") func ParseAuth(auth string) (string, string) { if strings.Contains(auth, ":") { pair := strings.SplitN(auth, ":", 2) return pair[0], pair[1] } return "", "" } type User struct { Name string Pass string Addrs []*regexp.Regexp } func (u *User) HasAccess(addr string) bool { m := false for _, r := range u.Addrs { if r.MatchString(addr) { m = true break } } return m } ================================================ FILE: share/settings/users.go ================================================ package settings import ( "encoding/json" "errors" "fmt" "os" "regexp" "sync" "github.com/fsnotify/fsnotify" "github.com/jpillora/chisel/share/cio" ) type Users struct { sync.RWMutex inner map[string]*User } func NewUsers() *Users { return &Users{inner: map[string]*User{}} } // Len returns the numbers of users func (u *Users) Len() int { u.RLock() l := len(u.inner) u.RUnlock() return l } // Get user from the index by key func (u *Users) Get(key string) (*User, bool) { u.RLock() user, found := u.inner[key] u.RUnlock() return user, found } // Set a users into the list by specific key func (u *Users) Set(key string, user *User) { u.Lock() u.inner[key] = user u.Unlock() } // Del ete a users from the list func (u *Users) Del(key string) { u.Lock() delete(u.inner, key) u.Unlock() } // AddUser adds a users to the set func (u *Users) AddUser(user *User) { u.Set(user.Name, user) } // Reset all users to the given set, // Use nil to remove all. func (u *Users) Reset(users []*User) { m := map[string]*User{} for _, u := range users { m[u.Name] = u } u.Lock() u.inner = m u.Unlock() } // UserIndex is a reloadable user source type UserIndex struct { *cio.Logger *Users configFile string } // NewUserIndex creates a source for users func NewUserIndex(logger *cio.Logger) *UserIndex { return &UserIndex{ Logger: logger.Fork("users"), Users: NewUsers(), } } // LoadUsers is responsible for loading users from a file func (u *UserIndex) LoadUsers(configFile string) error { u.configFile = configFile u.Infof("Loading configuration file %s", configFile) if err := u.loadUserIndex(); err != nil { return err } if err := u.addWatchEvents(); err != nil { return err } return nil } // watchEvents is responsible for watching for updates to the file and reloading func (u *UserIndex) addWatchEvents() error { watcher, err := fsnotify.NewWatcher() if err != nil { return err } if err := watcher.Add(u.configFile); err != nil { return err } go func() { for e := range watcher.Events { if e.Op&fsnotify.Write != fsnotify.Write { continue } if err := u.loadUserIndex(); err != nil { u.Infof("Failed to reload the users configuration: %s", err) } else { u.Debugf("Users configuration successfully reloaded from: %s", u.configFile) } } }() return nil } // loadUserIndex is responsible for loading the users configuration func (u *UserIndex) loadUserIndex() error { if u.configFile == "" { return errors.New("configuration file not set") } b, err := os.ReadFile(u.configFile) if err != nil { return fmt.Errorf("Failed to read auth file: %s, error: %s", u.configFile, err) } var raw map[string][]string if err := json.Unmarshal(b, &raw); err != nil { return errors.New("Invalid JSON: " + err.Error()) } users := []*User{} for auth, remotes := range raw { user := &User{} user.Name, user.Pass = ParseAuth(auth) if user.Name == "" { return errors.New("Invalid user:pass string") } for _, r := range remotes { if r == "" || r == "*" { user.Addrs = append(user.Addrs, UserAllowAll) } else { re, err := regexp.Compile(r) if err != nil { return errors.New("Invalid address regex") } user.Addrs = append(user.Addrs, re) } } users = append(users, user) } //swap u.Reset(users) return nil } ================================================ FILE: share/tunnel/tunnel.go ================================================ package tunnel import ( "bytes" "context" "errors" "io" "log" "os" "sync" "time" "github.com/armon/go-socks5" "github.com/jpillora/chisel/share/cio" "github.com/jpillora/chisel/share/cnet" "github.com/jpillora/chisel/share/settings" "golang.org/x/crypto/ssh" "golang.org/x/sync/errgroup" ) //Config a Tunnel type Config struct { *cio.Logger Inbound bool Outbound bool Socks bool KeepAlive time.Duration //ACL optionally checks if a given address (host:port) is allowed. //When set, outbound connections are denied if this returns false. ACL func(addr string) bool } //Tunnel represents an SSH tunnel with proxy capabilities. //Both chisel client and server are Tunnels. //chisel client has a single set of remotes, whereas //chisel server has multiple sets of remotes (one set per client). //Each remote has a 1:1 mapping to a proxy. //Proxies listen, send data over ssh, and the other end of the ssh connection //communicates with the endpoint and returns the response. type Tunnel struct { Config //ssh connection activeConnMut sync.RWMutex activatingConn waitGroup activeConn ssh.Conn //proxies proxyCount int //internals connStats cnet.ConnCount socksServer *socks5.Server } //New Tunnel from the given Config func New(c Config) *Tunnel { c.Logger = c.Logger.Fork("tun") t := &Tunnel{ Config: c, } t.activatingConn.Add(1) //setup socks server (not listening on any port!) extra := "" if c.Socks { sl := log.New(io.Discard, "", 0) if t.Logger.Debug { sl = log.New(os.Stdout, "[socks]", log.Ldate|log.Ltime) } t.socksServer, _ = socks5.New(&socks5.Config{Logger: sl}) extra += " (SOCKS enabled)" } t.Debugf("Created%s", extra) return t } //BindSSH provides an active SSH for use for tunnelling func (t *Tunnel) BindSSH(ctx context.Context, c ssh.Conn, reqs <-chan *ssh.Request, chans <-chan ssh.NewChannel) error { //link ctx to ssh-conn go func() { <-ctx.Done() if c.Close() == nil { t.Debugf("SSH cancelled") } t.activatingConn.DoneAll() }() //mark active and unblock t.activeConnMut.Lock() if t.activeConn != nil { panic("double bind ssh") } t.activeConn = c t.activeConnMut.Unlock() t.activatingConn.Done() //optional keepalive loop against this connection if t.Config.KeepAlive > 0 { go t.keepAliveLoop(c) } //block until closed go t.handleSSHRequests(reqs) go t.handleSSHChannels(chans) t.Debugf("SSH connected") err := c.Wait() t.Debugf("SSH disconnected") //mark inactive and block t.activatingConn.Add(1) t.activeConnMut.Lock() t.activeConn = nil t.activeConnMut.Unlock() return err } //getSSH blocks while connecting func (t *Tunnel) getSSH(ctx context.Context) ssh.Conn { //cancelled already? if isDone(ctx) { return nil } t.activeConnMut.RLock() c := t.activeConn t.activeConnMut.RUnlock() //connected already? if c != nil { return c } //connecting... select { case <-ctx.Done(): //cancelled return nil case <-time.After(settings.EnvDuration("SSH_WAIT", 35*time.Second)): return nil //a bit longer than ssh timeout case <-t.activatingConnWait(): t.activeConnMut.RLock() c := t.activeConn t.activeConnMut.RUnlock() return c } } func (t *Tunnel) activatingConnWait() <-chan struct{} { ch := make(chan struct{}) go func() { t.activatingConn.Wait() close(ch) }() return ch } //BindRemotes converts the given remotes into proxies, and blocks //until the caller cancels the context or there is a proxy error. func (t *Tunnel) BindRemotes(ctx context.Context, remotes []*settings.Remote) error { if len(remotes) == 0 { return errors.New("no remotes") } if !t.Inbound { return errors.New("inbound connections blocked") } proxies := make([]*Proxy, len(remotes)) for i, remote := range remotes { p, err := NewProxy(t.Logger, t, t.proxyCount, remote) if err != nil { return err } proxies[i] = p t.proxyCount++ } //TODO: handle tunnel close eg, ctx := errgroup.WithContext(ctx) for _, proxy := range proxies { p := proxy eg.Go(func() error { return p.Run(ctx) }) } t.Debugf("Bound proxies") err := eg.Wait() t.Debugf("Unbound proxies") return err } func (t *Tunnel) keepAliveLoop(sshConn ssh.Conn) { //ping forever for { time.Sleep(t.Config.KeepAlive) _, b, err := sshConn.SendRequest("ping", true, nil) if err != nil { break } if len(b) > 0 && !bytes.Equal(b, []byte("pong")) { t.Debugf("strange ping response") break } } //close ssh connection on abnormal ping sshConn.Close() } ================================================ FILE: share/tunnel/tunnel_in_proxy.go ================================================ package tunnel import ( "context" "io" "net" "sync" "github.com/jpillora/chisel/share/cio" "github.com/jpillora/chisel/share/settings" "github.com/jpillora/sizestr" "golang.org/x/crypto/ssh" ) //sshTunnel exposes a subset of Tunnel to subtypes type sshTunnel interface { getSSH(ctx context.Context) ssh.Conn } //Proxy is the inbound portion of a Tunnel type Proxy struct { *cio.Logger sshTun sshTunnel id int count int remote *settings.Remote dialer net.Dialer tcp *net.TCPListener udp *udpListener mu sync.Mutex } //NewProxy creates a Proxy func NewProxy(logger *cio.Logger, sshTun sshTunnel, index int, remote *settings.Remote) (*Proxy, error) { id := index + 1 p := &Proxy{ Logger: logger.Fork("proxy#%s", remote.String()), sshTun: sshTun, id: id, remote: remote, } return p, p.listen() } func (p *Proxy) listen() error { if p.remote.Stdio { //TODO check if pipes active? } else if p.remote.LocalProto == "tcp" { addr, err := net.ResolveTCPAddr("tcp", p.remote.LocalHost+":"+p.remote.LocalPort) if err != nil { return p.Errorf("resolve: %s", err) } l, err := net.ListenTCP("tcp", addr) if err != nil { return p.Errorf("tcp: %s", err) } p.Infof("Listening") p.tcp = l } else if p.remote.LocalProto == "udp" { l, err := listenUDP(p.Logger, p.sshTun, p.remote) if err != nil { return err } p.Infof("Listening") p.udp = l } else { return p.Errorf("unknown local proto") } return nil } //Run enables the proxy and blocks while its active, //close the proxy by cancelling the context. func (p *Proxy) Run(ctx context.Context) error { if p.remote.Stdio { return p.runStdio(ctx) } else if p.remote.LocalProto == "tcp" { return p.runTCP(ctx) } else if p.remote.LocalProto == "udp" { return p.udp.run(ctx) } panic("should not get here") } func (p *Proxy) runStdio(ctx context.Context) error { defer p.Infof("Closed") for { p.pipeRemote(ctx, cio.Stdio) select { case <-ctx.Done(): return nil default: // the connection is not ready yet, keep waiting } } } func (p *Proxy) runTCP(ctx context.Context) error { done := make(chan struct{}) //implements missing net.ListenContext go func() { select { case <-ctx.Done(): p.tcp.Close() case <-done: } }() for { src, err := p.tcp.Accept() if err != nil { select { case <-ctx.Done(): //listener closed err = nil default: p.Infof("Accept error: %s", err) } close(done) return err } go p.pipeRemote(ctx, src) } } func (p *Proxy) pipeRemote(ctx context.Context, src io.ReadWriteCloser) { defer src.Close() p.mu.Lock() p.count++ cid := p.count p.mu.Unlock() l := p.Fork("conn#%d", cid) l.Debugf("Open") sshConn := p.sshTun.getSSH(ctx) if sshConn == nil { l.Debugf("No remote connection") return } //ssh request for tcp connection for this proxy's remote dst, reqs, err := sshConn.OpenChannel("chisel", []byte(p.remote.Remote())) if err != nil { l.Infof("Stream error: %s", err) return } go ssh.DiscardRequests(reqs) //then pipe s, r := cio.Pipe(src, dst) l.Debugf("Close (sent %s received %s)", sizestr.ToString(s), sizestr.ToString(r)) } ================================================ FILE: share/tunnel/tunnel_in_proxy_udp.go ================================================ package tunnel import ( "context" "encoding/gob" "fmt" "io" "net" "strings" "sync" "sync/atomic" "time" "github.com/jpillora/chisel/share/cio" "github.com/jpillora/chisel/share/settings" "github.com/jpillora/sizestr" "golang.org/x/crypto/ssh" "golang.org/x/sync/errgroup" ) //listenUDP is a special listener which forwards packets via //the bound ssh connection. tricky part is multiplexing lots of //udp clients through the entry node. each will listen on its //own source-port for a response: // (random) // src-1 1111->... dst-1 6345->7777 // src-2 2222->... <---> udp <---> udp <-> dst-1 7543->7777 // src-3 3333->... listener handler dst-1 1444->7777 // //we must store these mappings (1111-6345, etc) in memory for a length //of time, so that when the exit node receives a response on 6345, it //knows to return it to 1111. func listenUDP(l *cio.Logger, sshTun sshTunnel, remote *settings.Remote) (*udpListener, error) { a, err := net.ResolveUDPAddr("udp", remote.Local()) if err != nil { return nil, l.Errorf("resolve: %s", err) } conn, err := net.ListenUDP("udp", a) if err != nil { return nil, l.Errorf("listen: %s", err) } //ready u := &udpListener{ Logger: l, sshTun: sshTun, remote: remote, inbound: conn, maxMTU: settings.EnvInt("UDP_MAX_SIZE", 9012), } u.Debugf("UDP max size: %d bytes", u.maxMTU) return u, nil } type udpListener struct { *cio.Logger sshTun sshTunnel remote *settings.Remote inbound *net.UDPConn outboundMut sync.Mutex outbound *udpChannel sent, recv int64 maxMTU int } func (u *udpListener) run(ctx context.Context) error { defer u.inbound.Close() //udp doesnt accept connections, //udp simply forwards packets //and therefore only needs to listen eg, ctx := errgroup.WithContext(ctx) eg.Go(func() error { return u.runInbound(ctx) }) eg.Go(func() error { return u.runOutbound(ctx) }) if err := eg.Wait(); err != nil { u.Debugf("listen: %s", err) return err } u.Debugf("Close (sent %s received %s)", sizestr.ToString(u.sent), sizestr.ToString(u.recv)) return nil } func (u *udpListener) runInbound(ctx context.Context) error { buff := make([]byte, u.maxMTU) for !isDone(ctx) { //read from inbound udp u.inbound.SetReadDeadline(time.Now().Add(time.Second)) n, addr, err := u.inbound.ReadFromUDP(buff) if e, ok := err.(net.Error); ok && (e.Timeout() || e.Temporary()) { continue } if err != nil { return u.Errorf("read error: %w", err) } //upsert ssh channel uc, err := u.getUDPChan(ctx) if err != nil { if strings.HasSuffix(err.Error(), "EOF") { continue } return u.Errorf("inbound-udpchan: %w", err) } //send over channel, including source address b := buff[:n] if err := uc.encode(addr.String(), b); err != nil { if strings.HasSuffix(err.Error(), "EOF") { continue //dropped packet... } return u.Errorf("encode error: %w", err) } //stats atomic.AddInt64(&u.sent, int64(n)) } return nil } func (u *udpListener) runOutbound(ctx context.Context) error { for !isDone(ctx) { //upsert ssh channel uc, err := u.getUDPChan(ctx) if err != nil { if strings.HasSuffix(err.Error(), "EOF") { continue } return u.Errorf("outbound-udpchan: %w", err) } //receive from channel, including source address p := udpPacket{} if err := uc.decode(&p); err == io.EOF { //outbound ssh disconnected, get new connection... continue } else if err != nil { return u.Errorf("decode error: %w", err) } //write back to inbound udp addr, err := net.ResolveUDPAddr("udp", p.Src) if err != nil { return u.Errorf("resolve error: %w", err) } n, err := u.inbound.WriteToUDP(p.Payload, addr) if err != nil { return u.Errorf("write error: %w", err) } //stats atomic.AddInt64(&u.recv, int64(n)) } return nil } func (u *udpListener) getUDPChan(ctx context.Context) (*udpChannel, error) { u.outboundMut.Lock() defer u.outboundMut.Unlock() //cached if u.outbound != nil { return u.outbound, nil } //not cached, bind sshConn := u.sshTun.getSSH(ctx) if sshConn == nil { return nil, fmt.Errorf("ssh-conn nil") } //ssh request for udp packets for this proxy's remote, //just "udp" since the remote address is sent with each packet dstAddr := u.remote.Remote() + "/udp" rwc, reqs, err := sshConn.OpenChannel("chisel", []byte(dstAddr)) if err != nil { return nil, fmt.Errorf("ssh-chan error: %s", err) } go ssh.DiscardRequests(reqs) //remove on disconnect go u.unsetUDPChan(sshConn) //ready o := &udpChannel{ r: gob.NewDecoder(rwc), w: gob.NewEncoder(rwc), c: rwc, } u.outbound = o u.Debugf("aquired channel") return o, nil } func (u *udpListener) unsetUDPChan(sshConn ssh.Conn) { sshConn.Wait() u.Debugf("lost channel") u.outboundMut.Lock() u.outbound = nil u.outboundMut.Unlock() } ================================================ FILE: share/tunnel/tunnel_out_ssh.go ================================================ package tunnel import ( "fmt" "io" "net" "strings" "github.com/jpillora/chisel/share/cio" "github.com/jpillora/chisel/share/cnet" "github.com/jpillora/chisel/share/settings" "github.com/jpillora/sizestr" "golang.org/x/crypto/ssh" ) func (t *Tunnel) handleSSHRequests(reqs <-chan *ssh.Request) { for r := range reqs { switch r.Type { case "ping": r.Reply(true, []byte("pong")) default: t.Debugf("Unknown request: %s", r.Type) } } } func (t *Tunnel) handleSSHChannels(chans <-chan ssh.NewChannel) { for ch := range chans { go t.handleSSHChannel(ch) } } func (t *Tunnel) handleSSHChannel(ch ssh.NewChannel) { if !t.Config.Outbound { t.Debugf("Denied outbound connection") ch.Reject(ssh.Prohibited, "Denied outbound connection") return } remote := string(ch.ExtraData()) //extract protocol hostPort, proto := settings.L4Proto(remote) udp := proto == "udp" socks := hostPort == "socks" if socks && t.socksServer == nil { t.Debugf("Denied socks request, please enable socks") ch.Reject(ssh.Prohibited, "SOCKS5 is not enabled") return } //check ACL against the actual requested destination if t.Config.ACL != nil && !socks && !t.Config.ACL(hostPort) { t.Debugf("Denied connection to %s (ACL)", hostPort) ch.Reject(ssh.Prohibited, "access denied") return } sshChan, reqs, err := ch.Accept() if err != nil { t.Debugf("Failed to accept stream: %s", err) return } stream := io.ReadWriteCloser(sshChan) //cnet.MeterRWC(t.Logger.Fork("sshchan"), sshChan) defer stream.Close() go ssh.DiscardRequests(reqs) l := t.Logger.Fork("conn#%d", t.connStats.New()) //ready to handle t.connStats.Open() l.Debugf("Open %s", t.connStats.String()) if socks { err = t.handleSocks(stream) } else if udp { err = t.handleUDP(l, stream, hostPort) } else { err = t.handleTCP(l, stream, hostPort) } t.connStats.Close() errmsg := "" if err != nil && !strings.HasSuffix(err.Error(), "EOF") { errmsg = fmt.Sprintf(" (error %s)", err) } l.Debugf("Close %s%s", t.connStats.String(), errmsg) } func (t *Tunnel) handleSocks(src io.ReadWriteCloser) error { return t.socksServer.ServeConn(cnet.NewRWCConn(src)) } func (t *Tunnel) handleTCP(l *cio.Logger, src io.ReadWriteCloser, hostPort string) error { dst, err := net.Dial("tcp", hostPort) if err != nil { return err } s, r := cio.Pipe(src, dst) l.Debugf("sent %s received %s", sizestr.ToString(s), sizestr.ToString(r)) return nil } ================================================ FILE: share/tunnel/tunnel_out_ssh_udp.go ================================================ package tunnel import ( "encoding/gob" "io" "net" "os" "sync" "time" "github.com/jpillora/chisel/share/cio" "github.com/jpillora/chisel/share/settings" ) func (t *Tunnel) handleUDP(l *cio.Logger, rwc io.ReadWriteCloser, hostPort string) error { conns := &udpConns{ Logger: l, m: map[string]*udpConn{}, } defer conns.closeAll() h := &udpHandler{ Logger: l, hostPort: hostPort, udpChannel: &udpChannel{ r: gob.NewDecoder(rwc), w: gob.NewEncoder(rwc), c: rwc, }, udpConns: conns, maxMTU: settings.EnvInt("UDP_MAX_SIZE", 9012), } h.Debugf("UDP max size: %d bytes", h.maxMTU) for { p := udpPacket{} if err := h.handleWrite(&p); err != nil { return err } } } type udpHandler struct { *cio.Logger hostPort string *udpChannel *udpConns maxMTU int } func (h *udpHandler) handleWrite(p *udpPacket) error { if err := h.r.Decode(&p); err != nil { return err } //dial now, we know we must write conn, exists, err := h.udpConns.dial(p.Src, h.hostPort) if err != nil { return err } //however, we dont know if we must read... //spawn up to go-routines to wait //for a reply. //TODO configurable //TODO++ dont use go-routines, switch to pollable // array of listeners where all listeners are // sweeped periodically, removing the idle ones const maxConns = 100 if !exists { if h.udpConns.len() <= maxConns { go h.handleRead(p, conn) } else { h.Debugf("exceeded max udp connections (%d)", maxConns) } } _, err = conn.Write(p.Payload) if err != nil { return err } return nil } func (h *udpHandler) handleRead(p *udpPacket, conn *udpConn) { //ensure connection is cleaned up defer h.udpConns.remove(conn.id) buff := make([]byte, h.maxMTU) for { //response must arrive within 15 seconds deadline := settings.EnvDuration("UDP_DEADLINE", 15*time.Second) conn.SetReadDeadline(time.Now().Add(deadline)) //read response n, err := conn.Read(buff) if err != nil { if !os.IsTimeout(err) && err != io.EOF { h.Debugf("read error: %s", err) } break } b := buff[:n] //encode back over ssh connection err = h.udpChannel.encode(p.Src, b) if err != nil { h.Debugf("encode error: %s", err) return } } } type udpConns struct { *cio.Logger sync.Mutex m map[string]*udpConn } func (cs *udpConns) dial(id, addr string) (*udpConn, bool, error) { cs.Lock() defer cs.Unlock() conn, ok := cs.m[id] if !ok { c, err := net.Dial("udp", addr) if err != nil { return nil, false, err } conn = &udpConn{ id: id, Conn: c, // cnet.MeterConn(cs.Logger.Fork(addr), c), } cs.m[id] = conn } return conn, ok, nil } func (cs *udpConns) len() int { cs.Lock() l := len(cs.m) cs.Unlock() return l } func (cs *udpConns) remove(id string) { cs.Lock() delete(cs.m, id) cs.Unlock() } func (cs *udpConns) closeAll() { cs.Lock() for id, conn := range cs.m { conn.Close() delete(cs.m, id) } cs.Unlock() } type udpConn struct { id string net.Conn } ================================================ FILE: share/tunnel/udp.go ================================================ package tunnel import ( "context" "encoding/gob" "io" ) type udpPacket struct { Src string Payload []byte } func init() { gob.Register(&udpPacket{}) } //udpChannel encodes/decodes udp payloads over a stream type udpChannel struct { r *gob.Decoder w *gob.Encoder c io.Closer } func (o *udpChannel) encode(src string, b []byte) error { return o.w.Encode(udpPacket{ Src: src, Payload: b, }) } func (o *udpChannel) decode(p *udpPacket) error { return o.r.Decode(p) } func isDone(ctx context.Context) bool { select { case <-ctx.Done(): return true default: return false } } ================================================ FILE: share/tunnel/wg.go ================================================ package tunnel import ( "sync" "sync/atomic" ) type waitGroup struct { inner sync.WaitGroup n int32 } func (w *waitGroup) Add(n int) { atomic.AddInt32(&w.n, int32(n)) w.inner.Add(n) } func (w *waitGroup) Done() { if n := atomic.LoadInt32(&w.n); n > 0 && atomic.CompareAndSwapInt32(&w.n, n, n-1) { w.inner.Done() } } func (w *waitGroup) DoneAll() { for atomic.LoadInt32(&w.n) > 0 { w.Done() } } func (w *waitGroup) Wait() { w.inner.Wait() } ================================================ FILE: share/version.go ================================================ package chshare //ProtocolVersion of chisel. When backwards //incompatible changes are made, this will //be incremented to signify a protocol //mismatch. var ProtocolVersion = "chisel-v3" var BuildVersion = "0.0.0-src" ================================================ FILE: test/bench/main.go ================================================ //chisel end-to-end test //====================== // // (direct) // .--------------->----------------. // / chisel chisel \ // request--->client:2001--->server:2002---->fileserver:3000 // \ / // '--> crowbar:4001--->crowbar:4002' // client server // // crowbar and chisel binaries should be in your PATH package main import ( "flag" "fmt" "io" "log" "net/http" "os" "os/exec" "path" "strconv" "github.com/jpillora/chisel/share/cnet" "time" ) const ENABLE_CROWBAR = false const ( B = 1 KB = 1000 * B MB = 1000 * KB GB = 1000 * MB ) func run() { flag.Parse() args := flag.Args() if len(args) == 0 { fatal("go run main.go [test] or [bench]") } for _, a := range args { switch a { case "test": test() case "bench": bench() } } } //test func test() { testTunnel("2001", 500) testTunnel("2001", 50000) } //benchmark func bench() { benchSizes("3000") benchSizes("2001") if ENABLE_CROWBAR { benchSizes("4001") } } func benchSizes(port string) { for size := 1; size <= 100*MB; size *= 10 { testTunnel(port, size) } } func testTunnel(port string, size int) { t0 := time.Now() resp, err := requestFile(port, size) if err != nil { fatal(err) } if resp.StatusCode != 200 { fatal(err) } n, err := io.Copy(io.Discard, resp.Body) if err != nil { fatal(err) } t1 := time.Now() fmt.Printf(":%s => %d bytes in %s\n", port, size, t1.Sub(t0)) if int(n) != size { fatalf("%d bytes expected, got %d", size, n) } } //============================ func requestFile(port string, size int) (*http.Response, error) { url := "http://127.0.0.1:" + port + "/" + strconv.Itoa(size) // fmt.Println(url) return http.Get(url) } func makeFileServer() *cnet.HTTPServer { bsize := 3 * MB bytes := make([]byte, bsize) //filling huge buffer for i := 0; i < len(bytes); i++ { bytes[i] = byte(i) } s := cnet.NewHTTPServer() s.Server.SetKeepAlivesEnabled(false) handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { rsize, _ := strconv.Atoi(r.URL.Path[1:]) for rsize >= bsize { w.Write(bytes) rsize -= bsize } w.Write(bytes[:rsize]) }) s.GoListenAndServe("0.0.0.0:3000", handler) return s } //============================ func fatal(args ...interface{}) { panic(fmt.Sprint(args...)) } func fatalf(f string, args ...interface{}) { panic(fmt.Sprintf(f, args...)) } //global setup func main() { fs := makeFileServer() go func() { err := fs.Wait() if err != nil { fmt.Printf("fs server closed (%s)\n", err) } }() if ENABLE_CROWBAR { dir, _ := os.Getwd() cd := exec.Command("crowbard", `-listen`, "0.0.0.0:4002", `-userfile`, path.Join(dir, "userfile")) if err := cd.Start(); err != nil { fatal(err) } go func() { fatalf("crowbard: %v", cd.Wait()) }() defer cd.Process.Kill() time.Sleep(100 * time.Millisecond) cf := exec.Command("crowbar-forward", "-local=0.0.0.0:4001", "-server=http://127.0.0.1:4002", "-remote=127.0.0.1:3000", "-username", "foo", "-password", "bar") if err := cf.Start(); err != nil { fatal(err) } defer cf.Process.Kill() } time.Sleep(100 * time.Millisecond) hd := exec.Command("chisel", "server", // "-v", "--key", "foobar", "--port", "2002") hd.Stdout = os.Stdout if err := hd.Start(); err != nil { fatal(err) } defer hd.Process.Kill() time.Sleep(100 * time.Millisecond) hf := exec.Command("chisel", "client", // "-v", "--fingerprint", "mOz4rg9zlQ409XAhhj6+fDDVwQMY42CL3Zg2W2oTYxA=", "127.0.0.1:2002", "2001:3000") hf.Stdout = os.Stdout if err := hf.Start(); err != nil { fatal(err) } defer hf.Process.Kill() time.Sleep(100 * time.Millisecond) defer func() { if r := recover(); r != nil { log.Print(r) } }() run() fs.Close() } ================================================ FILE: test/bench/perf.md ================================================ ### Performance With [crowbar](https://github.com/q3k/crowbar), a connection is tunneled by repeatedly querying the server with updates. This results in a large amount of HTTP and TCP connection overhead. Chisel overcomes this using WebSockets combined with [crypto/ssh](https://golang.org/x/crypto/ssh) to create hundreds of logical connections, resulting in **one** TCP connection per client. In this simple benchmark, we have: ``` (direct) .--------------->----------------. / chisel chisel \ request--->client:2001--->server:2002---->fileserver:3000 \ / '--> crowbar:4001--->crowbar:4002' client server ``` Note, we're using an in-memory "file" server on localhost for these tests _direct_ ``` :3000 => 1 bytes in 1.291417ms :3000 => 10 bytes in 713.525µs :3000 => 100 bytes in 562.48µs :3000 => 1000 bytes in 595.445µs :3000 => 10000 bytes in 1.053298ms :3000 => 100000 bytes in 741.351µs :3000 => 1000000 bytes in 1.367143ms :3000 => 10000000 bytes in 8.601549ms :3000 => 100000000 bytes in 76.3939ms ``` `chisel` ``` :2001 => 1 bytes in 1.351976ms :2001 => 10 bytes in 1.106086ms :2001 => 100 bytes in 1.005729ms :2001 => 1000 bytes in 1.254396ms :2001 => 10000 bytes in 1.139777ms :2001 => 100000 bytes in 2.35437ms :2001 => 1000000 bytes in 11.502673ms :2001 => 10000000 bytes in 123.130246ms :2001 => 100000000 bytes in 966.48636ms ``` ~100MB in **~1 second** `crowbar` ``` :4001 => 1 bytes in 3.335797ms :4001 => 10 bytes in 1.453007ms :4001 => 100 bytes in 1.811727ms :4001 => 1000 bytes in 1.621525ms :4001 => 10000 bytes in 5.20729ms :4001 => 100000 bytes in 38.461926ms :4001 => 1000000 bytes in 358.784864ms :4001 => 10000000 bytes in 3.603206487s :4001 => 100000000 bytes in 36.332395213s ``` ~100MB in **36 seconds** See `test/bench/main.go` ================================================ FILE: test/bench/userfile ================================================ foo:bar ================================================ FILE: test/e2e/acl_channel_test.go ================================================ package e2e_test import ( "encoding/json" "fmt" "io" "net" "net/http" "testing" "time" chserver "github.com/jpillora/chisel/server" "github.com/jpillora/chisel/share/cnet" "github.com/jpillora/chisel/share/settings" "github.com/gorilla/websocket" "golang.org/x/crypto/ssh" ) // dialChiselSSH connects to the chisel server via websocket and // performs an SSH handshake as the given user. func dialChiselSSH(t *testing.T, serverAddr, user, pass string) (ssh.Conn, <-chan ssh.NewChannel, <-chan *ssh.Request) { t.Helper() ws, _, err := (&websocket.Dialer{ HandshakeTimeout: 5 * time.Second, Subprotocols: []string{"chisel-v3"}, }).Dial("ws://"+serverAddr, http.Header{}) if err != nil { t.Fatalf("websocket dial: %v", err) } conn := cnet.NewWebSocketConn(ws) sc, chans, reqs, err := ssh.NewClientConn(conn, "", &ssh.ClientConfig{ User: user, Auth: []ssh.AuthMethod{ssh.Password(pass)}, HostKeyCallback: ssh.InsecureIgnoreHostKey(), }) if err != nil { t.Fatalf("ssh handshake: %v", err) } go ssh.DiscardRequests(reqs) go func() { for c := range chans { c.Reject(ssh.Prohibited, "") } }() return sc, chans, reqs } // sendConfig sends the chisel config request with the given remotes. func sendConfig(t *testing.T, sc ssh.Conn, remotes []*settings.Remote) { t.Helper() cfg, err := json.Marshal(settings.Config{Version: "0", Remotes: remotes}) if err != nil { t.Fatalf("marshal config: %v", err) } ok, reply, err := sc.SendRequest("config", true, cfg) if err != nil { t.Fatalf("config request: %v", err) } if !ok { t.Fatalf("config rejected: %s", reply) } } // TestAuthChannelDenied verifies that a channel to an unauthorized // destination is rejected. func TestAuthChannelDenied(t *testing.T) { allowedPort := availablePort() blockedPort := availablePort() blockedListener, err := net.Listen("tcp", "127.0.0.1:"+blockedPort) if err != nil { t.Fatal(err) } defer blockedListener.Close() go func() { for { conn, err := blockedListener.Accept() if err != nil { return } conn.Write([]byte("FORBIDDEN")) conn.Close() } }() // Start chisel server with ACL: user can only reach allowedPort s, err := chserver.NewServer(&chserver.Config{ KeySeed: "acl-test", }) if err != nil { t.Fatal(err) } s.Debug = debug if err := s.AddUser("user", "pass", fmt.Sprintf(`^127\.0\.0\.1:%s$`, allowedPort)); err != nil { t.Fatal(err) } serverPort := availablePort() if err := s.Start("127.0.0.1", serverPort); err != nil { t.Fatal(err) } defer s.Close() serverAddr := "127.0.0.1:" + serverPort // Connect and send config with only the allowed remote sc, _, _ := dialChiselSSH(t, serverAddr, "user", "pass") defer sc.Close() r, err := settings.DecodeRemote(fmt.Sprintf("0.0.0.0:%s:127.0.0.1:%s", allowedPort, allowedPort)) if err != nil { t.Fatal(err) } sendConfig(t, sc, []*settings.Remote{r}) // Try to open a channel to the BLOCKED port — must be rejected target := net.JoinHostPort("127.0.0.1", blockedPort) ch, _, err := sc.OpenChannel("chisel", []byte(target)) if err == nil { ch.Close() t.Fatalf("channel to blocked port %s was accepted", blockedPort) } t.Logf("channel to blocked port correctly rejected: %v", err) } // TestAuthChannelAllowed verifies that a channel to an authorized // destination is accepted. func TestAuthChannelAllowed(t *testing.T) { allowedPort := availablePort() // Start a TCP listener on the allowed port allowedListener, err := net.Listen("tcp", "127.0.0.1:"+allowedPort) if err != nil { t.Fatal(err) } defer allowedListener.Close() go func() { for { conn, err := allowedListener.Accept() if err != nil { return } conn.Write([]byte("ALLOWED")) conn.Close() } }() // Start chisel server with ACL: user can only reach allowedPort s, err := chserver.NewServer(&chserver.Config{ KeySeed: "acl-test-allowed", }) if err != nil { t.Fatal(err) } s.Debug = debug if err := s.AddUser("user", "pass", fmt.Sprintf(`^127\.0\.0\.1:%s$`, allowedPort)); err != nil { t.Fatal(err) } serverPort := availablePort() if err := s.Start("127.0.0.1", serverPort); err != nil { t.Fatal(err) } defer s.Close() serverAddr := "127.0.0.1:" + serverPort // Connect and send config with the allowed remote sc, _, _ := dialChiselSSH(t, serverAddr, "user", "pass") defer sc.Close() r, err := settings.DecodeRemote(fmt.Sprintf("0.0.0.0:%s:127.0.0.1:%s", allowedPort, allowedPort)) if err != nil { t.Fatal(err) } sendConfig(t, sc, []*settings.Remote{r}) // Open channel to the allowed port — must succeed target := net.JoinHostPort("127.0.0.1", allowedPort) ch, reqs, err := sc.OpenChannel("chisel", []byte(target)) if err != nil { t.Fatalf("channel to allowed port %s was rejected: %v", allowedPort, err) } go ssh.DiscardRequests(reqs) defer ch.Close() // Read data from the allowed target buf := make([]byte, 64) n, err := ch.Read(buf) if err != nil && err != io.EOF { t.Fatalf("read from allowed channel: %v", err) } if string(buf[:n]) != "ALLOWED" { t.Fatalf("expected 'ALLOWED', got %q", buf[:n]) } t.Logf("channel to allowed port works correctly, received: %s", buf[:n]) } // TestNoAuthChannel verifies that when no auth is configured, // all destinations are reachable. func TestNoAuthChannel(t *testing.T) { targetPort := availablePort() // Start a TCP listener listener, err := net.Listen("tcp", "127.0.0.1:"+targetPort) if err != nil { t.Fatal(err) } defer listener.Close() go func() { for { conn, err := listener.Accept() if err != nil { return } conn.Write([]byte("OPEN")) conn.Close() } }() // Start chisel server with NO auth s, err := chserver.NewServer(&chserver.Config{ KeySeed: "no-acl-test", }) if err != nil { t.Fatal(err) } s.Debug = debug serverPort := availablePort() if err := s.Start("127.0.0.1", serverPort); err != nil { t.Fatal(err) } defer s.Close() serverAddr := "127.0.0.1:" + serverPort // Connect with any credentials (server accepts all when no auth configured) sc, _, _ := dialChiselSSH(t, serverAddr, "anyone", "anything") defer sc.Close() r, err := settings.DecodeRemote(fmt.Sprintf("0.0.0.0:%s:127.0.0.1:%s", targetPort, targetPort)) if err != nil { t.Fatal(err) } sendConfig(t, sc, []*settings.Remote{r}) // Open channel — should be accepted since no ACL target := net.JoinHostPort("127.0.0.1", targetPort) ch, creqs, err := sc.OpenChannel("chisel", []byte(target)) if err != nil { t.Fatalf("channel rejected when no ACL is configured: %v", err) } go ssh.DiscardRequests(creqs) defer ch.Close() buf := make([]byte, 64) n, err := ch.Read(buf) if err != nil && err != io.EOF { t.Fatalf("read: %v", err) } if string(buf[:n]) != "OPEN" { t.Fatalf("expected 'OPEN', got %q", buf[:n]) } t.Logf("no-ACL mode works correctly") } // TestAuthWildcardChannel verifies that a user with wildcard access // can reach any destination. func TestAuthWildcardChannel(t *testing.T) { targetPort := availablePort() listener, err := net.Listen("tcp", "127.0.0.1:"+targetPort) if err != nil { t.Fatal(err) } defer listener.Close() go func() { for { conn, err := listener.Accept() if err != nil { return } conn.Write([]byte("WILDCARD")) conn.Close() } }() s, err := chserver.NewServer(&chserver.Config{ KeySeed: "acl-wildcard-test", Auth: "admin:secret", }) if err != nil { t.Fatal(err) } s.Debug = debug serverPort := availablePort() if err := s.Start("127.0.0.1", serverPort); err != nil { t.Fatal(err) } defer s.Close() sc, _, _ := dialChiselSSH(t, "127.0.0.1:"+serverPort, "admin", "secret") defer sc.Close() r, err := settings.DecodeRemote(fmt.Sprintf("0.0.0.0:%s:127.0.0.1:%s", targetPort, targetPort)) if err != nil { t.Fatal(err) } sendConfig(t, sc, []*settings.Remote{r}) target := net.JoinHostPort("127.0.0.1", targetPort) ch, reqs, err := sc.OpenChannel("chisel", []byte(target)) if err != nil { t.Fatalf("wildcard user channel rejected: %v", err) } go ssh.DiscardRequests(reqs) defer ch.Close() buf := make([]byte, 64) n, err := ch.Read(buf) if err != nil && err != io.EOF { t.Fatalf("read: %v", err) } if string(buf[:n]) != "WILDCARD" { t.Fatalf("expected 'WILDCARD', got %q", buf[:n]) } t.Logf("wildcard user correctly allowed") } ================================================ FILE: test/e2e/auth_test.go ================================================ package e2e_test import ( "testing" chclient "github.com/jpillora/chisel/client" chserver "github.com/jpillora/chisel/server" ) //TODO tests for: // - failed auth // - dynamic auth (server add/remove user) // - watch auth file func TestAuth(t *testing.T) { tmpPort1 := availablePort() tmpPort2 := availablePort() //setup server, client, fileserver teardown := simpleSetup(t, &chserver.Config{ KeySeed: "foobar", Auth: "../bench/userfile", }, &chclient.Config{ Remotes: []string{ "0.0.0.0:" + tmpPort1 + ":127.0.0.1:$FILEPORT", "0.0.0.0:" + tmpPort2 + ":localhost:$FILEPORT", }, Auth: "foo:bar", }) defer teardown() //test first remote result, err := post("http://localhost:"+tmpPort1, "foo") if err != nil { t.Fatal(err) } if result != "foo!" { t.Fatalf("expected exclamation mark added") } //test second remote result, err = post("http://localhost:"+tmpPort2, "bar") if err != nil { t.Fatal(err) } if result != "bar!" { t.Fatalf("expected exclamation mark added again") } } ================================================ FILE: test/e2e/base_test.go ================================================ package e2e_test import ( "testing" chclient "github.com/jpillora/chisel/client" chserver "github.com/jpillora/chisel/server" ) func TestBase(t *testing.T) { tmpPort := availablePort() //setup server, client, fileserver teardown := simpleSetup(t, &chserver.Config{}, &chclient.Config{ Remotes: []string{tmpPort + ":$FILEPORT"}, }) defer teardown() //test remote result, err := post("http://localhost:"+tmpPort, "foo") if err != nil { t.Fatal(err) } if result != "foo!" { t.Fatalf("expected exclamation mark added") } } func TestReverse(t *testing.T) { tmpPort := availablePort() //setup server, client, fileserver teardown := simpleSetup(t, &chserver.Config{ Reverse: true, }, &chclient.Config{ Remotes: []string{"R:" + tmpPort + ":$FILEPORT"}, }) defer teardown() //test remote (this goes through the server and out the client) result, err := post("http://localhost:"+tmpPort, "foo") if err != nil { t.Fatal(err) } if result != "foo!" { t.Fatalf("expected exclamation mark added") } } ================================================ FILE: test/e2e/cert_utils_test.go ================================================ package e2e_test import ( "bytes" "crypto/ecdsa" "crypto/ed25519" "crypto/elliptic" "crypto/rand" "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/pem" "fmt" "math/big" "net" "os" "path" "time" chclient "github.com/jpillora/chisel/client" chserver "github.com/jpillora/chisel/server" ) type tlsConfig struct { serverTLS *chserver.TLSConfig clientTLS *chclient.TLSConfig tmpDir string } func (t *tlsConfig) Close() { if t.tmpDir != "" { os.RemoveAll(t.tmpDir) } } func newTestTLSConfig() (*tlsConfig, error) { tlsConfig := &tlsConfig{} _, serverCertPEM, serverKeyPEM, err := certGetCertificate(&certConfig{ hosts: []string{ "0.0.0.0", "localhost", }, extKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, }) if err != nil { return nil, err } _, clientCertPEM, clientKeyPEM, err := certGetCertificate(&certConfig{ extKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, }) if err != nil { return nil, err } tlsConfig.tmpDir, err = os.MkdirTemp("", "") if err != nil { return nil, err } dirServerCA := path.Join(tlsConfig.tmpDir, "server-ca") if err := os.Mkdir(dirServerCA, 0777); err != nil { return nil, err } pathServerCACrt := path.Join(dirServerCA, "client.crt") if err := os.WriteFile(pathServerCACrt, clientCertPEM, 0666); err != nil { return nil, err } dirClientCA := path.Join(tlsConfig.tmpDir, "client-ca") if err := os.Mkdir(dirClientCA, 0777); err != nil { return nil, err } pathClientCACrt := path.Join(dirClientCA, "server.crt") if err := os.WriteFile(pathClientCACrt, serverCertPEM, 0666); err != nil { return nil, err } dirServerCrt := path.Join(tlsConfig.tmpDir, "server-crt") if err := os.Mkdir(dirServerCrt, 0777); err != nil { return nil, err } pathServerCrtCrt := path.Join(dirServerCrt, "server.crt") if err := os.WriteFile(pathServerCrtCrt, serverCertPEM, 0666); err != nil { return nil, err } pathServerCrtKey := path.Join(dirServerCrt, "server.key") if err := os.WriteFile(pathServerCrtKey, serverKeyPEM, 0666); err != nil { return nil, err } dirClientCrt := path.Join(tlsConfig.tmpDir, "client-crt") if err := os.Mkdir(dirClientCrt, 0777); err != nil { return nil, err } pathClientCrtCrt := path.Join(dirClientCrt, "client.crt") if err := os.WriteFile(pathClientCrtCrt, clientCertPEM, 0666); err != nil { return nil, err } pathClientCrtKey := path.Join(dirClientCrt, "client.key") if err := os.WriteFile(pathClientCrtKey, clientKeyPEM, 0666); err != nil { return nil, err } // for self signed cert, it needs the server cert, for real cert, this need to be the trusted CA cert tlsConfig.serverTLS = &chserver.TLSConfig{ CA: pathServerCACrt, Cert: pathServerCrtCrt, Key: pathServerCrtKey, } tlsConfig.clientTLS = &chclient.TLSConfig{ CA: pathClientCACrt, Cert: pathClientCrtCrt, Key: pathClientCrtKey, } return tlsConfig, nil } type certConfig struct { signCA *x509.Certificate isCA bool hosts []string validFrom *time.Time validFor *time.Time extKeyUsage []x509.ExtKeyUsage rsaBits int ecdsaCurve string ed25519Key bool } func certGetCertificate(c *certConfig) (*x509.Certificate, []byte, []byte, error) { var err error var priv interface{} switch c.ecdsaCurve { case "": if c.ed25519Key { _, priv, err = ed25519.GenerateKey(rand.Reader) } else { rsaBits := c.rsaBits if rsaBits == 0 { rsaBits = 2048 } priv, err = rsa.GenerateKey(rand.Reader, rsaBits) } case "P224": priv, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader) case "P256": priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) case "P384": priv, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader) case "P521": priv, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader) default: return nil, nil, nil, fmt.Errorf("Unrecognized elliptic curve: %q", c.ecdsaCurve) } if err != nil { return nil, nil, nil, fmt.Errorf("Failed to generate private key: %v", err) } // ECDSA, ED25519 and RSA subject keys should have the DigitalSignature // KeyUsage bits set in the x509.Certificate template keyUsage := x509.KeyUsageDigitalSignature // Only RSA subject keys should have the KeyEncipherment KeyUsage bits set. In // the context of TLS this KeyUsage is particular to RSA key exchange and // authentication. if _, isRSA := priv.(*rsa.PrivateKey); isRSA { keyUsage |= x509.KeyUsageKeyEncipherment } notBefore := time.Now() if c.validFrom != nil { notBefore = *c.validFrom } notAfter := time.Now().Add(24 * time.Hour) if c.validFor != nil { notAfter = *c.validFor } serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) if err != nil { return nil, nil, nil, fmt.Errorf("Failed to generate serial number: %v", err) } cert := &x509.Certificate{ SerialNumber: serialNumber, Subject: pkix.Name{ OrganizationalUnit: []string{"test"}, Organization: []string{"Chisel"}, Country: []string{"us"}, Province: []string{"ma"}, Locality: []string{"Boston"}, CommonName: "localhost", }, NotBefore: notBefore, NotAfter: notAfter, KeyUsage: keyUsage, ExtKeyUsage: c.extKeyUsage, BasicConstraintsValid: true, } for _, h := range c.hosts { if ip := net.ParseIP(h); ip != nil { cert.IPAddresses = append(cert.IPAddresses, ip) } else { cert.DNSNames = append(cert.DNSNames, h) } } if c.isCA { cert.IsCA = true cert.KeyUsage |= x509.KeyUsageCertSign } ca := cert if c.signCA != nil { ca = c.signCA } certBytes, err := x509.CreateCertificate(rand.Reader, cert, ca, certGetPublicKey(priv), priv) if err != nil { return nil, nil, nil, fmt.Errorf("Failed to create certificate: %v", err) } certPEM := new(bytes.Buffer) pem.Encode(certPEM, &pem.Block{ Type: "CERTIFICATE", Bytes: certBytes, }) privBytes, err := x509.MarshalPKCS8PrivateKey(priv) if err != nil { return nil, nil, nil, fmt.Errorf("Unable to marshal private key: %v", err) } certPrivKeyPEM := new(bytes.Buffer) pem.Encode(certPrivKeyPEM, &pem.Block{ Type: "PRIVATE KEY", Bytes: privBytes, }) return cert, certPEM.Bytes(), certPrivKeyPEM.Bytes(), nil } func certGetPublicKey(priv interface{}) interface{} { switch k := priv.(type) { case *rsa.PrivateKey: return &k.PublicKey case *ecdsa.PrivateKey: return &k.PublicKey case ed25519.PrivateKey: return k.Public().(ed25519.PublicKey) default: return nil } } ================================================ FILE: test/e2e/env_key_test.go ================================================ package e2e_test import ( "os" "testing" chclient "github.com/jpillora/chisel/client" chserver "github.com/jpillora/chisel/server" ) func TestChiselKeyEnvironmentVariable(t *testing.T) { // Set the CHISEL_KEY environment variable os.Setenv("CHISEL_KEY", "test-key-value") defer os.Unsetenv("CHISEL_KEY") tmpPort := availablePort() // Create server with empty config - should pick up CHISEL_KEY env var serverConfig := &chserver.Config{} // Setup server and client teardown := simpleSetup(t, serverConfig, &chclient.Config{ Remotes: []string{tmpPort + ":$FILEPORT"}, }) defer teardown() // Test that the connection works - if the key is properly set, // the server should start successfully and connections should work result, err := post("http://localhost:"+tmpPort, "env-key-test") if err != nil { t.Fatal(err) } if result != "env-key-test!" { t.Fatalf("expected exclamation mark added, got: %s", result) } } func TestChiselKeyEnvironmentVariableConsistency(t *testing.T) { // This test verifies that the same CHISEL_KEY value produces // consistent behavior (same fingerprint) by manually setting KeySeed keyValue := "consistency-test-key" // Create two server instances with the same KeySeed (simulating what main.go does) server1, err := chserver.NewServer(&chserver.Config{ KeySeed: keyValue, }) if err != nil { t.Fatalf("Failed to create first server: %v", err) } server2, err := chserver.NewServer(&chserver.Config{ KeySeed: keyValue, }) if err != nil { t.Fatalf("Failed to create second server: %v", err) } // Both servers should have the same fingerprint since they use the same key if server1.GetFingerprint() != server2.GetFingerprint() { t.Fatalf("Expected same fingerprint for same key, got %s and %s", server1.GetFingerprint(), server2.GetFingerprint()) } } ================================================ FILE: test/e2e/proxy_test.go ================================================ package e2e_test //TODO tests for: // client -> CONNECT proxy -> server -> endpoint // client -> SOCKS proxy -> server -> endpoint ================================================ FILE: test/e2e/setup_test.go ================================================ package e2e_test import ( "context" "io" "log" "net" "net/http" "strings" "testing" "time" chclient "github.com/jpillora/chisel/client" chserver "github.com/jpillora/chisel/server" ) const debug = true // test layout configuration type testLayout struct { server *chserver.Config client *chclient.Config fileServer bool udpEcho bool udpServer bool } func (tl *testLayout) setup(t *testing.T) (server *chserver.Server, client *chclient.Client, teardown func()) { //start of the world // goroutines := runtime.NumGoroutine() //root cancel ctx, cancel := context.WithCancel(context.Background()) //fileserver (fake endpoint) filePort := availablePort() if tl.fileServer { fileAddr := "127.0.0.1:" + filePort f := http.Server{ Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { b, _ := io.ReadAll(r.Body) w.Write(append(b, '!')) }), } fl, err := net.Listen("tcp", fileAddr) if err != nil { t.Fatal(err) } log.Printf("fileserver: listening on %s", fileAddr) go func() { f.Serve(fl) cancel() }() go func() { <-ctx.Done() f.Close() }() } //server server, err := chserver.NewServer(tl.server) if err != nil { t.Fatal(err) } server.Debug = debug port := availablePort() if err := server.StartContext(ctx, "127.0.0.1", port); err != nil { t.Fatal(err) } go func() { server.Wait() server.Infof("Closed") cancel() }() //client (with defaults) tl.client.Fingerprint = server.GetFingerprint() if tl.server.TLS.Key != "" { //the domain name has to be localhost to match the ssl cert tl.client.Server = "https://localhost:" + port } else { tl.client.Server = "http://127.0.0.1:" + port } for i, r := range tl.client.Remotes { //convert $FILEPORT into the allocated port for this test case if tl.fileServer { tl.client.Remotes[i] = strings.Replace(r, "$FILEPORT", filePort, 1) } } client, err = chclient.NewClient(tl.client) if err != nil { t.Fatal(err) } client.Debug = debug if err := client.Start(ctx); err != nil { t.Fatal(err) } go func() { client.Wait() client.Infof("Closed") cancel() }() //cancel context tree, and wait for both client and server to stop teardown = func() { cancel() server.Wait() client.Wait() //confirm goroutines have been cleaned up // time.Sleep(500 * time.Millisecond) // TODO remove sleep // d := runtime.NumGoroutine() - goroutines // if d != 0 { // pprof.Lookup("goroutine").WriteTo(os.Stdout, 1) // t.Fatalf("goroutines left %d", d) // } } //wait a bit... //TODO: client signal API, similar to os.Notify(signal) // wait for client setup time.Sleep(50 * time.Millisecond) //ready return server, client, teardown } func simpleSetup(t *testing.T, s *chserver.Config, c *chclient.Config) context.CancelFunc { conf := testLayout{ server: s, client: c, fileServer: true, } _, _, teardown := conf.setup(t) return teardown } func post(url, body string) (string, error) { resp, err := http.Post(url, "text/plain", strings.NewReader(body)) if err != nil { return "", err } b, err := io.ReadAll(resp.Body) if err != nil { return "", err } return string(b), nil } func availablePort() string { l, err := net.Listen("tcp", "127.0.0.1:0") if err != nil { log.Panic(err) } l.Close() _, port, err := net.SplitHostPort(l.Addr().String()) if err != nil { log.Panic(err) } return port } ================================================ FILE: test/e2e/socks_test.go ================================================ package e2e_test //TODO tests for: // - SOCKS-client -> [client -> server SOCKS] -> endpoint // - SOCKS-client -> [server -> client SOCKS] -> endpoint ================================================ FILE: test/e2e/tls_test.go ================================================ package e2e_test import ( "path" "testing" chclient "github.com/jpillora/chisel/client" chserver "github.com/jpillora/chisel/server" ) func TestTLS(t *testing.T) { tlsConfig, err := newTestTLSConfig() if err != nil { t.Fatal(err) } defer tlsConfig.Close() tmpPort := availablePort() //setup server, client, fileserver teardown := simpleSetup(t, &chserver.Config{ TLS: *tlsConfig.serverTLS, }, &chclient.Config{ Remotes: []string{tmpPort + ":$FILEPORT"}, TLS: *tlsConfig.clientTLS, Server: "https://localhost:" + tmpPort, }) defer teardown() //test remote result, err := post("http://localhost:"+tmpPort, "foo") if err != nil { t.Fatal(err) } if result != "foo!" { t.Fatalf("expected exclamation mark added") } } func TestMTLS(t *testing.T) { tlsConfig, err := newTestTLSConfig() if err != nil { t.Fatal(err) } defer tlsConfig.Close() //provide no client cert, server should reject the client request tlsConfig.serverTLS.CA = path.Dir(tlsConfig.serverTLS.CA) tmpPort := availablePort() //setup server, client, fileserver teardown := simpleSetup(t, &chserver.Config{ TLS: *tlsConfig.serverTLS, }, &chclient.Config{ Remotes: []string{tmpPort + ":$FILEPORT"}, TLS: *tlsConfig.clientTLS, Server: "https://localhost:" + tmpPort, }) defer teardown() //test remote result, err := post("http://localhost:"+tmpPort, "foo") if err != nil { t.Fatal(err) } if result != "foo!" { t.Fatalf("expected exclamation mark added") } } func TestTLSMissingClientCert(t *testing.T) { tlsConfig, err := newTestTLSConfig() if err != nil { t.Fatal(err) } defer tlsConfig.Close() //provide no client cert, server should reject the client request tlsConfig.clientTLS.Cert = "" tlsConfig.clientTLS.Key = "" tmpPort := availablePort() //setup server, client, fileserver teardown := simpleSetup(t, &chserver.Config{ TLS: *tlsConfig.serverTLS, }, &chclient.Config{ Remotes: []string{tmpPort + ":$FILEPORT"}, TLS: *tlsConfig.clientTLS, Server: "https://localhost:" + tmpPort, }) defer teardown() //test remote _, err = post("http://localhost:"+tmpPort, "foo") if err == nil { t.Fatal(err) } } func TestTLSMissingClientCA(t *testing.T) { tlsConfig, err := newTestTLSConfig() if err != nil { t.Fatal(err) } defer tlsConfig.Close() //specify a CA which does not match the client cert //server should reject the client request //provide no client cert, server should reject the client request tlsConfig.serverTLS.CA = tlsConfig.clientTLS.CA tmpPort := availablePort() //setup server, client, fileserver teardown := simpleSetup(t, &chserver.Config{ TLS: *tlsConfig.serverTLS, }, &chclient.Config{ Remotes: []string{tmpPort + ":$FILEPORT"}, TLS: *tlsConfig.clientTLS, Server: "https://localhost:" + tmpPort, }) defer teardown() //test remote _, err = post("http://localhost:"+tmpPort, "foo") if err == nil { t.Fatal(err) } } ================================================ FILE: test/e2e/udp_test.go ================================================ package e2e_test import ( "log" "net" "testing" "time" chclient "github.com/jpillora/chisel/client" chserver "github.com/jpillora/chisel/server" "golang.org/x/sync/errgroup" ) func TestUDP(t *testing.T) { //listen on random udp port echoPort := availableUDPPort() a, _ := net.ResolveUDPAddr("udp", ":"+echoPort) l, err := net.ListenUDP("udp", a) if err != nil { t.Fatal(err) } //chisel client+server inboundPort := availableUDPPort() teardown := simpleSetup(t, &chserver.Config{}, &chclient.Config{ Remotes: []string{ inboundPort + ":" + echoPort + "/udp", }, }, ) defer teardown() //fake udp server, read and echo back duplicated, close eg := errgroup.Group{} eg.Go(func() error { defer l.Close() b := make([]byte, 128) n, a, err := l.ReadFrom(b) if err != nil { return err } if _, err = l.WriteTo(append(b[:n], b[:n]...), a); err != nil { return err } return nil }) //fake udp client conn, err := net.Dial("udp4", "localhost:"+inboundPort) if err != nil { t.Fatal(err) } //write bazz through the tunnel if _, err := conn.Write([]byte("bazz")); err != nil { t.Fatal(err) } //receive bazzbazz back b := make([]byte, 128) conn.SetReadDeadline(time.Now().Add(2 * time.Second)) n, err := conn.Read(b) if err != nil { t.Fatal(err) return } //udp server should close correctly if err := eg.Wait(); err != nil { t.Fatal(err) return } //ensure expected s := string(b[:n]) if s != "bazzbazz" { t.Fatalf("expected double bazz") } } func availableUDPPort() string { a, _ := net.ResolveUDPAddr("udp", ":0") l, err := net.ListenUDP("udp", a) if err != nil { log.Panicf("availability listen: %s", err) } l.Close() _, port, err := net.SplitHostPort(l.LocalAddr().String()) if err != nil { log.Panic(err) } return port }