From b1c9f31d5abd0d71de775b31cbcf4a88d3cdb89f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ga=C3=ABtan=20L=2E=20H=2E-F?=
Date: Fri, 30 Dec 2022 18:37:44 +0100
Subject: [PATCH] Add source code

---
 collabore-tunnel.service | 40 +++++++++++++++++++++++++++++++++
 requirements.txt | 2 ++
 ssh.tunnel.collabore.fr | 15 +++++++++++++
 tnl.clb.re | 48 ++++++++++++++++++++++++++++++++++++++++
 4 files changed, 105 insertions(+)
 create mode 100644 collabore-tunnel.service
 create mode 100644 requirements.txt
 create mode 100644 ssh.tunnel.collabore.fr
 create mode 100644 tnl.clb.re

diff --git a/collabore-tunnel.service b/collabore-tunnel.service
new file mode 100644
index 0000000..ace6db9
--- /dev/null
+++ b/collabore-tunnel.service
@@ -0,0 +1,40 @@
+[Unit]
+Description=collabore tunnel Make your local services accessible to all on the public Internet
+After=network.target nginx.service
+
+[Service]
+Environment=UNIX_SOCKETS_DIRECTORY=/tmp/collabore-tunnel
+Environment=SERVER_HOSTNAME=tnl.clb.re
+Environment=CONFIG_DIRECTORY=.
+Environment=SSH_SERVER_HOST=0.0.0.0
+Environment=SSH_SERVER_PORT=22
+Environment=LOG_DEPTH=2
+WorkingDirectory=/opt/collabore-tunnel
+ExecStart=/usr/bin/python3 main.py
+ExecStop=/bin/kill -9 $MAINPID
+ProtectSystem=strict
+ReadWritePaths=/opt/collabore-tunnel /tmp
+ReadOnlyPaths=/usr/bin
+InaccessiblePaths=...
+ProtectHome=true
+ProtectProc=invisible
+ProtectKernelTunables=true
+ProtectControlGroups=true
+NoNewPrivileges=true
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+RestrictNamespaces=uts ipc pid cgroup
+RestrictSUIDSGID=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictRealtime=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+IPAddressAllow=192.168.1.0/24
+PrivateDevices=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectClock=true
+SystemCallArchitectures=native
+SystemCallFilter=
+
+[Install]
+WantedBy=multi-user.target
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..6af8ff8
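Review bot: `IPAddressAllow=192.168.1.0/24` in the [Service] section is not an allow-list on its own — systemd only enforces IP filtering once `IPAddressDeny=` is also set, so the directive is a no-op as written, and if it were enforced it would contradict the Description, which says the service is reachable from the public Internet; either add `IPAddressDeny=any` for a deliberately LAN-only deployment or drop the line. `SystemCallFilter=` with an empty value likewise resets the filter rather than installing one, so the only seccomp hardening in effect is `SystemCallArchitectures=native`. The unit sets no `User=`, so `main.py` runs as root with `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` merely trimming root's capabilities; a dedicated account plus `AmbientCapabilities=CAP_NET_BIND_SERVICE` keeps port 22 bindable without root, and with that in place `ReadWritePaths=` could be narrowed to the socket directory so a compromised process cannot rewrite its own code under `/opt/collabore-tunnel`. `InaccessiblePaths=...` looks like an unfinished placeholder (non-absolute paths are ignored with a warning), and `ExecStop=/bin/kill -9 $MAINPID` denies the process any chance to remove its sockets under `UNIX_SOCKETS_DIRECTORY` — the default SIGTERM stop is preferable.
```ini
[Service]
# … unchanged: Environment=, WorkingDirectory=, ExecStart= …
User=<dedicated-service-account>
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
ReadWritePaths=/tmp/collabore-tunnel
SystemCallFilter=@system-service
# IPAddressAllow= dropped: the service is meant to be publicly reachable
# … unchanged: remaining hardening directives …
```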
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,2 @@
+asyncssh==2.12.0
+loguru==0.6.0
\ No newline at end of file
diff --git a/ssh.tunnel.collabore.fr b/ssh.tunnel.collabore.fr
new file mode 100644
index 0000000..eec1c0f
--- /dev/null
+++ b/ssh.tunnel.collabore.fr
@@ -0,0 +1,15 @@
+server {
+ server_name ssh.tunnel.collabore.fr;
+ listen 80;
+
+ #listen 443 ssl;
+
+ #ssl_certificate /etc/nginx/ssl/certs/ssh.tunnel.collabore.fr.pem;
+ #ssl_certificate_key /etc/nginx/ssl/certs/ssh.tunnel.collabore.fr.key;
+
+ location / {
+ return 302 https://tunnel.collabore.fr/;
+ }
+
+ server_tokens off;
+}
diff --git a/tnl.clb.re b/tnl.clb.re
new file mode 100644
index 0000000..02764d9
--- /dev/null
+++ b/tnl.clb.re
@@ -0,0 +1,48 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+server {
+ server_name ~^(?.+)\.tnl.clb.re$;
+ listen 80;
+
+ #listen 443 ssl;
+
+ #ssl_certificate /etc/nginx/ssl/certs/tnl.clb.re.pem;
+ #ssl_certificate_key /etc/nginx/ssl/certs/tnl.clb.re.key;
+
+ error_page 502 /notunnel.txt;
+ location = /notunnel.txt {
+ return 200 "No tunnel available.";
+ internal;
+ }
+
+ location / {
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ proxy_http_version 1.1;
+ proxy_set_header Host $http_host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_pass http://unix:/tmp/collabore-tunnel/${app_name}.sock;
+ }
+
+ server_tokens off;
+}
+
+server {
+ server_name tnl.clb.re
+ listen 80;
+
+ #listen 443 ssl;
+
+ #ssl_certificate /etc/nginx/ssl/certs/tnl.clb.re.pem;
+ #ssl_certificate_key /etc/nginx/ssl/certs/tnl.clb.re.key;
+
+ location / {
+ return 302 https://tunnel.collabore.fr/;
+ }
+
+ server_tokens off;
+}
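Review bot: `server_name tnl.clb.re` in the second `server` block of tnl.clb.re is missing its terminating semicolon, so nginx reads the following line as further arguments — the block ends up with the server names `tnl.clb.re`, `listen` and `80` and no `listen` directive of its own; it should read `server_name tnl.clb.re;`. In the first block, `server_name ~^(?.+)\.tnl.clb.re$;` has no capture name although `proxy_pass` interpolates `${app_name}`; this may be the patch view dropping an angle-bracketed `<app_name>`, but if the file really reads this way the regex is invalid and the config will not load. Because the captured label becomes part of a socket path under `/tmp/collabore-tunnel/`, it is also worth restricting it to the characters a tunnel name can legitimately contain and escaping the literal dots, e.g. `server_name ~^(?<app_name>[a-z0-9-]+)\.tnl\.clb\.re$;`, so that an unexpected Host value fails at the server_name match rather than being turned into a filesystem path.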