README ¶
Henk is a very simple reverse HTTP proxy leveraging OpenSSH's built-in reverse proxy feature for authentication and secure tunneling and Let's Encrypt for adding HTTPS.
WARNING: Henk has not yet been thoroughly reviewed, use at your own risk.
Usage
Once henk is set up, run the HTTP service you want to expose locally, for example on port 8080. Then use SSH to set up a reverse proxy:
ssh henk@tunnel.host.net -NR /run/henk/foobar:localhost:8080
OpenSSH will create a proxy file on your server at /run/henk/foobar
and
forward its traffic to your localhost at port 8080. Henk will accept connections
on port 80 and 443 for foobar.tunnel.host.net
, obtain a certificate if needed
and proxy traffic to the proxy file. You can then access your service publicly:
curl https://foobar.tunnel.host.net
You can also tell HTTP backends running on the same host to listen on a socket
in /run/henk
to instantly make them reachable over HTTPS.
Setup
-
Build henk with
go build
. -
Place the binary at
/usr/bin/henk
. -
Create a
henk
user and group. -
Place the service file at
/etc/systemd/system/henk.service
. -
Edit it to set the desired base domain.
-
Set DNS to forward all subdomains for the base domain to your server.
-
Set
sshd
to disallow login ashenk
. Reverse proxy options should still work. -
Authorize desired SSH keys for user
henk
. -
Set
sshd
to clean up old sockets before creating new ones:echo StreamLocalBindUnlink yes >> /etc/ssh/sshd_config
-
Restart
sshd
and start the henk service.
Security model
Henk relies on the security of OpenSSH to protect the data forwarded to and from your local HTTP service. It also relies on the authentication of OpenSSH to specify who is allowed to use henk.
Henk relies on the Go autocert library to obtain Let's Encrypt certificates. It only obtains certificates for domains whose corresponding socket exists.
Henk has about a hundred lines of Go glue code which is a fairly small attack surface, but it has not yet been thoroughly reviewed.
Anyone with one of henk's authorized keys can use henk, host anything on any subdomain and steal subdomain proxies from others. Make sure you only give access to people you trust and that trust each other.
FAQ
Why do I need to connect as the same henk user?
OpenSSH creates the reverse proxy socket with the connecting user as owner and no permissions for group or other. If you connect as another user, the henk daemon won't be able to access the socket.
Why does OpenSSH fail to set up the reverse proxy?
Unfortunately, the error messages from OpenSSH aren't very clear. It could be one of these things:
- You're using SSH connection sharing or
ControlMaster
options: The proxy can only be set up by the master connection. Consider just disabling that option for this host. - OpenSSH does not have permission to create the socket: Check the ownership and
permission bits of
/run/henk
and make sure you connect to the same user that runs the henk daemon. - The path you specified for the socket still exists: Make sure to add
StreamLocalBindUnlink yes
to/etc/ssh/sshd_config
and restart SSHD. Check that the henk user has permission to remove the old socket or remove it manually.
Documentation ¶
There is no documentation for this package.