README
¶
NHP-Server
架构设计
-
Server启动时监听特定端口,等待Agent和AC进行连接。并由Agent或AC主动触发向Server的通信。不存在Server向Agent或AC主动建立连接的情况,通常情况下这种连接会跨防火墙或NAT导致不能建立。
- 特殊情况:Server在收到Agent发起的敲门处理时,鉴权后需要主动向AC发起开门请求,并等待回应。
-
发送消息时,向sendMsgCh发送创建好的MsgAssembler(必须从已有连接中指定ConnData)。MsgAssembler经过加密后会从此连接发出
-
接收到报文时,会将报文进行解密获取明文消息。由msghandler分别进行处理。
NHP-Server配置文件
etc/config.json
{
// (mandatory) private key in base64 format
"privateKey": "eHdyRHKJy/YZJsResCt5XTAZgtcwvLpSXAiZ8DBc0V4=",
// (mandatory) specify the udp listening port
"listenPort": 62206,
// whether to validate peer's public key when receiving NHP packet from agent. If true, server must have a pre-recorded public key pool (in "agents" field) of all allowed agents. If false, server skip public key validation, so it reduces secure level.
"disableAgentValidation": false,
// list of preset allowed AC peers. only public key and expire time are needed. It has the same effect as AddACPeer()
"acs": [
{
// type: NHP-AC
"type": 3,
// public key in base64 format
"pubKeyBase64": "Fr5jzZDVpNh5m9AcBDMtHGmbCAczHyPegT8IxQ3XAzE=",
// expire time for the public key (seconds from epoch)
"expireTime": 1716345064
}
],
// list of preset allowed agent peers. only public key and expire time are needed. It has the same effect as AddAgentPeer()
"agents": [
{
// type: NHP-Agent
"type": 1,
// public key in base64 format
"pubKeyBase64": "WnJAolo88/q0x2VdLQYdmZNtKjwG2ocBd1Ozj41AKlo=",
// expire time for the public key (seconds from epoch)
"expireTime": 1716345064
}
],
// (optional) placeholder of preset url for possible authorization service provider
"asps": {
"abc.com": {
"aspId": "abc.com",
"urlAddr": "http://120.92.16.228:30088",
"urlOTP": "/nhp/api/v1/preAuth",
"urlReg": "/nhp/api/v1/registerAgent",
"urlAuth": "/nhp/api/v1/verifyAuth",
"urlList": "/nhp/api/v1/resourceList"
}
},
// (optional) specify other source IP addresses to be opened by the ac that may come along with certain agent IP address
"srcAsscAddrs": {
"192.168.2.27": [
{
"ip": "192.168.2.26",
"port": 54222
},
{
"ip": "192.168.2.28",
"port": 54223
}
]
},
// preset resources for udp knocking
"udpRess": {
// ID of authorization service provider
"abc_group": {
// ID of resource group
"app_resource_group_000": {
// skip service provider authorization and use this preset resource group
"skipAuth": true,
// set the desired open time for this resource group (in second)
"opnTime": 120,
"resInfo": {
// name of resource
"apiServer": {
// (optional) hostname overrides addr.ip at knock feedback
"host": "api.abc.com",
// (mandatory) request ac to open which layer 4 address and protocol of this resource
"addr": {
// (mandatory) request ac to open traffic destinated to the public IP address of this resource
"ip": "12.34.56.78",
// (optional) request ac to open traffic destinated to the port number where this resource hosts on. empty or 0 means open all port numbers.
"port": 443,
// (optional) protocol, "tcp": request ac to open only tcp traffic, "udp": request ac to open only udp traffic, empty: request ac to open tcp + udp + icmp echo traffic
"proto": "tcp"
},
}
}
}
}
},
// preset resources for http knocking
"httpRess": {
// ID of authorization service provider
"abc_group": {
// ID of the resource group, usually it means AppId
"app_resource_group_001": {
// set the desired open time for this resource group (in second)
"opnTime": 120,
// contains multiple resources
"resInfo": {
// name of resource
"apiServer": {
// (optional) hostname overrides addr.ip at knock feedback
"host": "api.abc.com",
// (mandatory) request ac to open which layer 4 address and protocol of this resource
"addr": {
// (mandatory) request ac to open traffic destinated to the public IP address of this resource
"ip": "12.34.56.78",
// (optional) request ac to open traffic destinated to the port number where this resource hosts on. empty or 0 means open all port numbers.
"port": 443,
// (optional) protocol, "tcp": request ac to open only tcp traffic, "udp": request ac to open only udp traffic, empty: request ac to open tcp + udp + icmp echo traffic
"proto": "tcp"
},
// (optional) the private layer 4 address of the ac. In some network, server may communicate with ac using private addresses.
"acAddr": {
"ip": "172.16.1.2",
"port": 443
},
// whether to append ":port" at the end of hostname/ip at knock feedback. For example, set this field to false if this resource use https and requesting ac to open port 443.
"portSuffix": false
},
// another resource
"webServer": {
"host": "www.abc.com",
"addr": {
"ip": "23.45.67.89",
"port": 8080,
"proto": ""
},
"portSuffix": true
}
},
// (optional) additional key info for server calling further authroization APIs
"accessKey": "b3458c581ef0efb7b669",
"secretKey": "f21c2a02c09a641a11cf"
}
},
// another authorization service provider
"xyz_org": {
"abcd1234": {
"opnTime": 120,
"resInfo": {
"udpServer": {
"host": "server.xyz.net",
"addr": {
"ip": "1.2.3.4",
"port": 443,
"proto": "udp"
},
"portSuffix": false
}
},
// (optional) additional key info for server calling further authroization APIs
"appKey": "demo-l2T0J3U3mQZ3",
"appSecret": "hVqd8eOqCFg5cc1D2ouACs3q"
}
}
}
}
Documentation
¶
Index ¶
- Constants
- Variables
- func LoadFilesRecursively(g *gin.Engine, dir string)
- type ACConn
- type BlockAddr
- type Config
- type HttpConfig
- type HttpServer
- type Peers
- type UdpConn
- type UdpServer
- func (s *UdpServer) AddACPeer(acPeer *core.UdpPeer)
- func (s *UdpServer) AddAddressAssociation(srcIp string, addrs []*common.NetAddress)
- func (s *UdpServer) AddAgentPeer(agent *core.UdpPeer)
- func (s *UdpServer) AddAuthService(aspData *common.AuthServiceProviderData) error
- func (s *UdpServer) AddBlockAddr(addr *net.UDPAddr)
- func (s *UdpServer) AddResource(res *common.ResourceData) error
- func (s *UdpServer) BlockAddrRefreshRoutine()
- func (s *UdpServer) ClosePlugins()
- func (s *UdpServer) FindAuthSvcProvider(aspId string) *common.AuthServiceProviderData
- func (us *UdpServer) FindPluginHandler(aspId string) plugins.PluginHandler
- func (s *UdpServer) HandleACOnline(ppd *core.PacketParserData) (err error)
- func (s *UdpServer) HandleKnockRequest(ppd *core.PacketParserData) (err error)
- func (s *UdpServer) HandleListRequest(ppd *core.PacketParserData) (err error)
- func (s *UdpServer) HandleOTPRequest(ppd *core.PacketParserData) (err error)
- func (s *UdpServer) HandleRegisterRequest(ppd *core.PacketParserData) (err error)
- func (s *UdpServer) IsBlockAddr(addr *net.UDPAddr) bool
- func (s *UdpServer) IsRunning() bool
- func (s *UdpServer) LoadPlugin(pluginId string, h plugins.PluginHandler) error
- func (us *UdpServer) NewNhpServerHelper(ppd *core.PacketParserData) *plugins.NhpServerPluginHelper
- func (s *UdpServer) RefreshBlockAddr()
- func (s *UdpServer) RemoveAddressAssociation(srcIp string)
- func (s *UdpServer) SendPacket(pkt *core.Packet, conn *UdpConn) (n int, err error)
- func (s *UdpServer) Start(dirPath string, logLevel int) (err error)
- func (s *UdpServer) Stop()
- func (s *UdpServer) StopConfigWatch()
- func (s *UdpServer) ValidatePlugin(h plugins.PluginHandler) bool
Constants ¶
View Source
const ( MaxConcurrentConnection = 20480 OverloadConnectionThreshold = MaxConcurrentConnection * 4 / 5 // 80% BlockAddrRefreshRate = 20 // 20 seconds BlockAddrExpireTime = 90 // 90 seconds PreCheckThreatCountBeforeBlock = 5 // block source address if packet precheck errors exceeds this count DefaultAgentConnectionTimeoutMs = 30 * 1000 // 30 seconds to delete idle connection DefaultACConnectionTimeoutMs = 300 * 1000 // 300 seconds to delete idle connection PacketQueueSizePerConnection = 64 )
View Source
const ( DefaultIpOpenTime = 120 // second, align with ipset default timeout ACOpenCompensationTime = 5 // second )
knock
View Source
const (
HttpTransactionTimeout = 3 // second
)
http APIs
Variables ¶
View Source
var (
ExeDirPath string
)
Functions ¶
func LoadFilesRecursively ¶
LoadFilesRecursively loads HTML and template files recursively from the specified directory and adds them to the given gin.Engine. It walks through the directory and its subdirectories, and for each file with a .html or .tmpl extension, it reads the file content, creates a new template with the file path as the template name, and parses the content into the template. The loaded templates are set as the HTML templates for the gin.Engine. The directory path should be a clean absolute path. If any error occurs during the file loading or template parsing, the function returns the error.
Types ¶
type HttpConfig ¶
type HttpServer ¶
type HttpServer struct {
// contains filtered or unexported fields
}
func (*HttpServer) FindPluginHandler ¶
func (hs *HttpServer) FindPluginHandler(aspId string) plugins.PluginHandler
FindPluginHandler returns the plugin handler for the given ASP ID It delegates the task to the underlying UDP server's FindPluginHandler method.
func (*HttpServer) IsRunning ¶
func (hs *HttpServer) IsRunning() bool
func (*HttpServer) NewHttpServerHelper ¶
func (hs *HttpServer) NewHttpServerHelper() *plugins.HttpServerPluginHelper
func (*HttpServer) Start ¶
func (hs *HttpServer) Start(us *UdpServer, hc *HttpConfig) error
Note HttpServer must be started after starting UdpServer, when log and config have been setup
func (*HttpServer) Stop ¶
func (hs *HttpServer) Stop()
Stop stops the HttpServer by setting the running flag to false, closing the stop channel, shutting down the underlying http server, waiting for all goroutines to finish, and logging a message indicating that the HttpServer has been stopped.
type UdpConn ¶
type UdpConn struct {
ConnData *core.ConnectionData
// contains filtered or unexported fields
}
type UdpServer ¶
type UdpServer struct {
// contains filtered or unexported fields
}
func (*UdpServer) AddAddressAssociation ¶
func (s *UdpServer) AddAddressAssociation(srcIp string, addrs []*common.NetAddress)
func (*UdpServer) AddAgentPeer ¶
func (*UdpServer) AddAuthService ¶
func (s *UdpServer) AddAuthService(aspData *common.AuthServiceProviderData) error
func (*UdpServer) AddBlockAddr ¶
func (*UdpServer) AddResource ¶
func (s *UdpServer) AddResource(res *common.ResourceData) error
func (*UdpServer) BlockAddrRefreshRoutine ¶
func (s *UdpServer) BlockAddrRefreshRoutine()
func (*UdpServer) ClosePlugins ¶
func (s *UdpServer) ClosePlugins()
func (*UdpServer) FindAuthSvcProvider ¶
func (s *UdpServer) FindAuthSvcProvider(aspId string) *common.AuthServiceProviderData
func (*UdpServer) FindPluginHandler ¶
func (us *UdpServer) FindPluginHandler(aspId string) plugins.PluginHandler
func (*UdpServer) HandleACOnline ¶
func (s *UdpServer) HandleACOnline(ppd *core.PacketParserData) (err error)
func (*UdpServer) HandleKnockRequest ¶
func (s *UdpServer) HandleKnockRequest(ppd *core.PacketParserData) (err error)
HandleKnockRequest Server will respond with success or error with NHP_ACK message
func (*UdpServer) HandleListRequest ¶
func (s *UdpServer) HandleListRequest(ppd *core.PacketParserData) (err error)
HandleListRequest Server will respond with success or error with NHP_LRT message
func (*UdpServer) HandleOTPRequest ¶
func (s *UdpServer) HandleOTPRequest(ppd *core.PacketParserData) (err error)
HandleOTPRequest Server will not respond to agent's otp request
func (*UdpServer) HandleRegisterRequest ¶
func (s *UdpServer) HandleRegisterRequest(ppd *core.PacketParserData) (err error)
HandleRegisterRequest Server will respond with success or error with NHP_RAK message
func (*UdpServer) LoadPlugin ¶
func (s *UdpServer) LoadPlugin(pluginId string, h plugins.PluginHandler) error
func (*UdpServer) NewNhpServerHelper ¶
func (us *UdpServer) NewNhpServerHelper(ppd *core.PacketParserData) *plugins.NhpServerPluginHelper
func (*UdpServer) RefreshBlockAddr ¶
func (s *UdpServer) RefreshBlockAddr()
func (*UdpServer) RemoveAddressAssociation ¶
func (*UdpServer) SendPacket ¶
func (*UdpServer) Start ¶
dirPath: the path of app or shared library entry point logLevel: 0: silent, 1: error, 2: info, 3: debug, 4: verbose
UDP server never actively sends first packet outwards. It only reacts to received packet then sends response.
func (*UdpServer) StopConfigWatch ¶
func (s *UdpServer) StopConfigWatch()
func (*UdpServer) ValidatePlugin ¶
func (s *UdpServer) ValidatePlugin(h plugins.PluginHandler) bool
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.