Compare commits

...

5 Commits

Author SHA1 Message Date
b11920e71d Update collabore-tunnel.service 2023-05-13 17:03:49 +02:00
1ef92f5415 Create welcome_banner.txt 2023-05-13 17:03:46 +02:00
25111acee3 Update main.py 2023-05-13 17:03:41 +02:00
beae19da38 Update deps 2023-05-13 17:03:38 +02:00
bc74563e13 Update .gitignore 2023-05-13 17:03:33 +02:00
5 changed files with 176 additions and 35 deletions

3
.gitignore vendored
View File

@ -160,3 +160,6 @@ cython_debug/
# option (not recommended) you can uncomment the following to ignore the entire idea folder. # option (not recommended) you can uncomment the following to ignore the entire idea folder.
#.idea/ #.idea/
# Others
id_rsa_host
*.sock

View File

@ -6,6 +6,11 @@ After=network.target nginx.service
Environment=UNIX_SOCKETS_DIRECTORY=/tmp/collabore-tunnel Environment=UNIX_SOCKETS_DIRECTORY=/tmp/collabore-tunnel
Environment=SERVER_HOSTNAME=tnl.clb.re Environment=SERVER_HOSTNAME=tnl.clb.re
Environment=CONFIG_DIRECTORY=. Environment=CONFIG_DIRECTORY=.
Environment=WELCOME_BANNER_FILE=./welcome_banner.txt
Environment=RATE_LIMIT_COUNT=5
Environment=RATE_LIMIT_INTERVAL=60
Environment=MAX_CONNECTIONS_PER_IP=5
Environment=TIMEOUT=120
Environment=SSH_SERVER_HOST=0.0.0.0 Environment=SSH_SERVER_HOST=0.0.0.0
Environment=SSH_SERVER_PORT=22 Environment=SSH_SERVER_PORT=22
Environment=LOG_DEPTH=2 Environment=LOG_DEPTH=2

177
main.py
View File

@ -6,50 +6,134 @@ import os
import random import random
import string import string
import sys import sys
import time
from asyncio import AbstractEventLoop from asyncio import AbstractEventLoop
from collections import deque
from os import path from os import path
from types import FrameType from types import FrameType
from typing import AnyStr, Optional, Tuple from typing import AnyStr, Optional, Tuple
from _asyncio import Task
import asyncssh import asyncssh
from asyncssh import SSHKey, SSHServerConnection from asyncssh import SSHKey, SSHServerConnection
from asyncssh.channel import (
SSHUNIXChannel,
SSHUNIXSession,
SSHUNIXSessionFactory,
)
from asyncssh.listener import create_unix_forward_listener from asyncssh.listener import create_unix_forward_listener
from asyncssh.misc import MaybeAwait from asyncssh.misc import MaybeAwait
from asyncssh.channel import SSHUNIXChannel, SSHUNIXSession, SSHUNIXSessionFactory
from loguru import logger from loguru import logger
from loguru._handler import Handler from loguru._handler import Handler
unix_sockets_dir: str = os.getenv("UNIX_SOCKETS_DIRECTORY", "/tmp/collabore-tunnel") unix_sockets_dir: str = os.getenv("UNIX_SOCKETS_DIRECTORY", "/tmp/collabore-tunnel")
server_hostname: str = os.getenv("SERVER_HOSTNAME", "tnl.clb.re") server_hostname: str = os.getenv("SERVER_HOSTNAME", "tnl.clb.re")
config_dir: str = os.getenv("CONFIG_DIRECTORY", ".") config_dir: str = os.getenv("CONFIG_DIRECTORY", ".")
welcome_banner_file: str = os.getenv("WELCOME_BANNER_FILE", "./welcome_banner.txt")
rate_limit_count: int = int(os.getenv("RATE_LIMIT_COUNT", "5"))
rate_limit_interval: int = int(os.getenv("RATE_LIMIT_INTERVAL", "60"))
max_connections_per_ip: int = int(os.getenv("MAX_CONNECTIONS_PER_IP", "5"))
timeout: int = int(os.getenv("TIMEOUT", "120"))
ssh_server_host: str = os.getenv("SSH_SERVER_HOST", "0.0.0.0") ssh_server_host: str = os.getenv("SSH_SERVER_HOST", "0.0.0.0")
ssh_server_port: int = int(os.getenv("SSH_SERVER_PORT", "22")) ssh_server_port: int = int(os.getenv("SSH_SERVER_PORT", "22"))
log_level: str = os.getenv("LOG_LEVEL", "INFO") log_level: str = os.getenv("LOG_LEVEL", "INFO")
log_depth: int = int(os.getenv("LOG_DEPTH", "2")) log_depth: int = int(os.getenv("LOG_DEPTH", "2"))
welcome_banner = f"===============================================================================\n\
Welcome to collabore tunnel!\n\ def read_welcome_banner() -> str:
collabore tunnel is a free and open source service offered as part of the\n\ """Read the welcome banner from a file"""
club elec collabore platform (https://collabore.fr) operated by club elec that\n\ if not os.path.exists(welcome_banner_file):
allows you to expose your local services on the public Internet.\n\ return welcome_banner
To learn more about collabore tunnel,\n\ with open(welcome_banner_file, "r", encoding="UTF-8") as file:
visit the documentation website: https://tunnel.collabore.fr/\n\ return file.read()
club elec (https://clubelec.insset.fr) is a french not-for-profit\n\
student organisation.\n\
===============================================================================\n\n" welcome_banner: str = read_welcome_banner()
class RateLimiter:
"""Rate limiter handling class"""
def __init__(self, max_requests: int, interval: int):
"""Init class"""
self.max_requests: int = max_requests
self.interval: int = interval
self.timestamps: deque = deque()
def is_rate_limited(self) -> bool:
"""Check if rate limited"""
now: float = time.time()
while self.timestamps and self.timestamps[0] < now - self.interval:
self.timestamps.popleft()
if len(self.timestamps) >= self.max_requests:
return True
self.timestamps.append(now)
return False
class ConcurrentConnections:
"""Concurrent connection handling class"""
def __init__(self):
"""Init class"""
self.ip_connections: dict = {}
def increment(self, ip_addr: str) -> None:
"""Increment the number of concurrent connections for an IP"""
if ip_addr not in self.ip_connections:
self.ip_connections[ip_addr] = 1
else:
self.ip_connections[ip_addr] += 1
def decrement(self, ip_addr: str) -> None:
"""Decrement the number of concurrent connections for an IP"""
self.ip_connections[ip_addr] -= 1
def get(self, ip_addr: str) -> int:
"""Get the number of concurent connection for an IP"""
return self.ip_connections.get(ip_addr, 0)
ip_address_connections = ConcurrentConnections()
def check_concurrent_connections(ip_addr: str) -> bool:
"""Checking for concurrent connections"""
return ip_address_connections.get(ip_addr) >= max_connections_per_ip
class SSHServer(asyncssh.SSHServer): class SSHServer(asyncssh.SSHServer):
"""SSH server protocol handler class""" """SSH server protocol handler class"""
rate_limiters: dict = {}
def __init__(self): def __init__(self):
"""Init class""" """Init class"""
self.conn: SSHServerConnection self.conn: SSHServerConnection
self.socket_path: str self.socket_path: str
self.ip_addr: str
def check_rate_limit(self, ip_addr: str) -> bool:
"""Check if rate limited"""
if ip_addr not in self.rate_limiters:
self.rate_limiters[ip_addr] = RateLimiter(
rate_limit_count, rate_limit_interval
)
return self.rate_limiters[ip_addr].is_rate_limited()
def connection_made(self, conn: SSHServerConnection) -> None: def connection_made(self, conn: SSHServerConnection) -> None:
"""Called when a connection is made""" """Called when a connection is made"""
self.conn = conn self.conn = conn
self.ip_addr, _ = conn.get_extra_info("peername")
if self.check_rate_limit(self.ip_addr):
conn.set_extra_info(rate_limited=True)
if check_concurrent_connections(self.ip_addr):
conn.set_extra_info(connection_limited=True)
ip_address_connections.increment(self.ip_addr)
def connection_lost(self, exc: Optional[Exception]) -> None: def connection_lost(self, exc: Optional[Exception]) -> None:
"""Called when a connection is lost or closed""" """Called when a connection is lost or closed"""
@ -59,6 +143,7 @@ class SSHServer(asyncssh.SSHServer):
os.remove(self.socket_path) os.remove(self.socket_path)
except AttributeError: except AttributeError:
pass pass
ip_address_connections.decrement(self.ip_addr)
def begin_auth(self, username: str) -> MaybeAwait[bool]: def begin_auth(self, username: str) -> MaybeAwait[bool]:
"""Authentication has been requested by the client""" """Authentication has been requested by the client"""
@ -98,27 +183,67 @@ class SSHServer(asyncssh.SSHServer):
async def handle_ssh_client(process) -> None: async def handle_ssh_client(process) -> None:
"""Function called every time a client connects to the SSH server""" """Function called every time a client connects to the SSH server"""
socket_name: str = process.get_extra_info("socket_name") socket_name: str = process.get_extra_info("socket_name")
rate_limited: bool = process.get_extra_info("rate_limited")
connection_limited: bool = process.get_extra_info("connection_limited")
response: str = "" response: str = ""
if not socket_name:
response = f"Usage: ssh -R /:host:port ssh.tunnel.collabore.fr\n" async def process_timeout(process):
process.stdout.write(response + "\n") """Function to terminate the connection automatically
process.exit(1) after a specific period of time (in minutes)"""
logging.info( await asyncio.sleep(timeout * 60)
"The user was ejected because they did not connect in port forwarding mode." response = (
f"Timeout: you were automatically ejected after {timeout} minutes of use.\n"
) )
process.stdout.write(response + "\n")
process.logger.info(
f"The user was automatically ejected after {timeout} minutes of use"
)
process.close()
if not rate_limited:
if not connection_limited:
if not socket_name:
response = "Usage: ssh -R /:host:port ssh.tunnel.collabore.fr\n"
process.stdout.write(response + "\n")
process.logger.info(
"The user was ejected because they did not connect in port forwarding mode"
)
process.exit(1)
return return
no_tls: str = f"{socket_name}.{server_hostname}" no_tls: str = f"{socket_name}.{server_hostname}"
tls: str = f"https://{socket_name}.{server_hostname}" tls: str = f"https://{socket_name}.{server_hostname}"
response = f"{welcome_banner}Your local service has been exposed\ response = f"{welcome_banner}\nYour local service has been exposed to the public\n\
to the public Internet address: {no_tls}\nTLS termination: {tls}\n" Internet address: {no_tls}\nTLS termination: {tls}\n"
process.stdout.write(response + "\n") process.stdout.write(response + "\n")
logging.info(f"Exposed on {no_tls}, {tls}.") process.logger.info(f"Exposed on {no_tls}")
while not process.stdin.at_eof(): read_task: Task = asyncio.create_task(process.stdin.read())
timeout_task: Task = asyncio.create_task(process_timeout(process))
done, pending = await asyncio.wait(
[read_task, timeout_task], return_when=asyncio.FIRST_COMPLETED
)
for task in done:
try: try:
await process.stdin.read() await task
except asyncssh.TerminalSizeChanged: except asyncssh.BreakReceived:
pass pass
for task in pending:
task.cancel()
process.exit(0) process.exit(0)
else:
response = (
"Per-IP connection limit: too many connections running over this IP.\n"
)
process.stdout.write(response + "\n")
process.logger.warning("Rejected connection due to per-IP connection limit")
process.exit(1)
return
else:
response = "Rate limited: please try later.\n"
process.stdout.write(response + "\n")
process.logger.warning("Rejected connection due to rate limit")
process.exit(1)
return
async def start_ssh_server() -> None: async def start_ssh_server() -> None:
@ -182,10 +307,8 @@ def init_logging():
"""Init logging with a custom handler""" """Init logging with a custom handler"""
logging.root.handlers: Handler = [InterceptHandler()] logging.root.handlers: Handler = [InterceptHandler()]
logging.root.setLevel(log_level) logging.root.setLevel(log_level)
for name in logging.root.manager.loggerDict.keys(): fmt = "<green>[{time}]</green> <level>[{level}]</level> - <level>{message}</level>"
logging.getLogger(name).handlers: list = [] logger.configure(handlers=[{"sink": sys.stdout, "serialize": False, "format": fmt}])
logging.getLogger(name).propagate: bool = True
logger.configure(handlers=[{"sink": sys.stdout, "serialize": False}])
def get_random_slug(length) -> str: def get_random_slug(length) -> str:

View File

@ -1,2 +1,2 @@
asyncssh==2.12.0 asyncssh==2.13.1
loguru==0.6.0 loguru==0.7.0

10
welcome_banner.txt Normal file
View File

@ -0,0 +1,10 @@
===============================================================================
Welcome to collabore tunnel!
collabore tunnel is a free and open source service offered as part of the
club elec collabore platform (https://collabore.fr) operated by club elec that
allows you to expose your local services on the public Internet.
To learn more about collabore tunnel,
visit the documentation website: https://tunnel.collabore.fr/
club elec (https://clubelec.insset.fr) is a french not-for-profit
student organisation.
===============================================================================