Setting up an ngrok server on Linux with authentication to expose local services through NAT

1. Introduction

A while ago, while testing some things, I found uploading programs to a server tedious, so I wanted to set up an ngrok server on Tencent Cloud for NAT traversal, so that a local web site could be reached from the public internet.
For more about ngrok, see the Baidu Baike entry for ngrok.

2. Setup steps

2.1 Install the go get tooling

yum install mercurial git bzr subversion golang

2.2 git must be version 1.7.9.5 or newer; if the installed version is older, upgrade it.

yum --disablerepo=base,updates --enablerepo=rpmforge-extras update git

2.3 Fetch the ngrok source

mkdir /root/Ngrok
cd /root/Ngrok
git clone https://github.com/tutumcloud/ngrok.git ngrok
export GOPATH=/root/Ngrok/ngrok    # GOPATH must point at the clone made above

2.4 Generate a self-signed CA and server certificate

cd ngrok
NGROK_DOMAIN="ngrok.testdomain.com"
openssl genrsa -out base.key 2048
openssl req -new -x509 -nodes -key base.key -days 10000 -subj "/CN=$NGROK_DOMAIN" -out base.pem
openssl genrsa -out server.key 2048
openssl req -new -key server.key -subj "/CN=$NGROK_DOMAIN" -out server.csr
openssl x509 -req -in server.csr -CA base.pem -CAkey base.key -CAcreateserial -days 10000 -out server.crt

# six new files now appear in the ngrok directory
ls -lt
总用量 56
-rw-r--r-- 1 root root  973 3月  23 11:23 server.crt
-rw-r--r-- 1 root root   17 3月  23 11:23 base.srl
-rw-r--r-- 1 root root  891 3月  23 11:23 server.csr
-rw-r--r-- 1 root root 1675 3月  23 11:23 server.key
-rw-r--r-- 1 root root 1115 3月  23 11:23 base.pem
-rw-r--r-- 1 root root 1679 3月  23 11:23 base.key

2.5 Replace the bundled certificates

ngrok uses bindata to pack the assets directory of the source tree (resource files) into the executables (ngrokd and ngrok). assets/client/tls and assets/server/tls hold the default certificate files used by ngrok and ngrokd respectively; we replace them with the ones just generated.

cp base.pem assets/client/tls/ngrokroot.crt
cp server.crt assets/server/tls/snakeoil.crt
cp server.key assets/server/tls/snakeoil.key

2.6 Build the Linux server and client

make release-server release-client

2.7 Build the Windows client

GOOS=windows GOARCH=amd64 make release-client
## produces /root/Ngrok/ngrok/bin/windows_amd64/ngrok.exe

2.8 Configure DNS

In your domain's DNS console, add two A records, ngrok.testdomain.com and *.ngrok.testdomain.com, both pointing to the IP address of the ngrok server.

2.9 Start the server

nohup ./bin/ngrokd -tlsKey=server.key -tlsCrt=server.crt -domain=ngrok.testdomain.com -httpAddr=:80 -httpsAddr=:443 -tunnelAddr=:4443 &

2.10 Use the Windows client

Copy ./ngrok/bin/windows_amd64/ngrok.exe to the Windows machine
and create an ngrok.cfg file in the same directory:

server_addr: "ngrok.testdomain.com:4443"
trust_host_root_certs: false

Start the client:

ngrok.exe -config=ngrok.cfg -subdomain kian 8000

3. Adding authentication

At this point anyone who knows the server address and has a client can use it, so we add a simple authentication check.

3.1 Modify the source file ngrok/src/ngrok/server/control.go as follows

package server

import (
    "fmt"
    "io"
    "ngrok/conn"
    "ngrok/msg"
    "ngrok/util"
    "ngrok/version"
    "runtime/debug"
    "strings"
    "time"
    "os"
    "bufio"
)

const (
    pingTimeoutInterval = 30 * time.Second
    connReapInterval = 10 * time.Second
    controlWriteTimeout = 10 * time.Second
    proxyStaleDuration = 60 * time.Second
    proxyMaxPoolSize = 10
)

type Control struct {
    // auth message
    auth            *msg.Auth

    // actual connection
    conn            conn.Conn

    // put a message in this channel to send it over
    // conn to the client
    out             chan (msg.Message)

    // read from this channel to get the next message sent
    // to us over conn by the client
    in              chan (msg.Message)

    // the last time we received a ping from the client - for heartbeats
    lastPing        time.Time

    // all of the tunnels this control connection handles
    tunnels         []*Tunnel

    // proxy connections
    proxies         chan conn.Conn

    // identifier
    id              string

    // synchronizer for controlled shutdown of writer()
    writerShutdown  *util.Shutdown

    // synchronizer for controlled shutdown of reader()
    readerShutdown  *util.Shutdown

    // synchronizer for controlled shutdown of manager()
    managerShutdown *util.Shutdown

    // synchronizer for controller shutdown of entire Control
    shutdown        *util.Shutdown
}

func NewControl(ctlConn conn.Conn, authMsg *msg.Auth) {
    var err error

    // create the object
    c := &Control{
        auth:            authMsg,
        conn:            ctlConn,
        out:             make(chan msg.Message),
        in:              make(chan msg.Message),
        proxies:         make(chan conn.Conn, 10),
        lastPing:        time.Now(),
        writerShutdown:  util.NewShutdown(),
        readerShutdown:  util.NewShutdown(),
        managerShutdown: util.NewShutdown(),
        shutdown:        util.NewShutdown(),
    }

    failAuth := func(e error) {
        _ = msg.WriteMsg(ctlConn, &msg.AuthResp{Error: e.Error()})
        ctlConn.Close()
    }
    // readLine reports whether token matches one line of filename (lines are
    // compared after trimming whitespace). The file is re-read on every
    // authentication attempt and opened relative to ngrokd's working directory.
    readLine := func(token string, filename string) (bool, error) {
        if token == "" {
            return false, nil
        }
        f, err := os.Open(filename)
        if err != nil {
            return false, err
        }
        defer f.Close()
        buf := bufio.NewReader(f)
        for {
            line, err := buf.ReadString('\n')
            // compare before checking err so that a last line without a
            // trailing newline can still match
            if strings.TrimSpace(line) == token {
                return true, nil
            }
            if err != nil {
                if err == io.EOF {
                    return false, nil
                }
                return false, err
            }
        }
    }
    // register the clientid
    c.id = authMsg.ClientId
    if c.id == "" {
        // it's a new session, assign an ID
        if c.id, err = util.SecureRandId(16); err != nil {
            failAuth(err)
            return
        }
    }

    // set logging prefix
    ctlConn.SetType("ctl")
    ctlConn.AddLogPrefix(c.id)

    if authMsg.Version != version.Proto {
        failAuth(fmt.Errorf("Incompatible versions. Server %s, client %s. Download a new version at http://ngrok.com", version.MajorMinor(), authMsg.Version))
        return
    }
    // compare the client's auth_token against the lines of authtokens.txt
    authd, err := readLine(authMsg.User, "authtokens.txt")
    if err != nil {
        failAuth(fmt.Errorf("could not read authtokens.txt: %v", err))
        return
    }
    if !authd {
        failAuth(fmt.Errorf("authtoken is invalid"))
        return
    }

    // register the control
    if replaced := controlRegistry.Add(c.id, c); replaced != nil {
        replaced.shutdown.WaitComplete()
    }

    // start the writer first so that the following messages get sent
    go c.writer()

    // Respond to authentication
    c.out <- &msg.AuthResp{
        Version:   version.Proto,
        MmVersion: version.MajorMinor(),
        ClientId:  c.id,
    }

    // As a performance optimization, ask for a proxy connection up front
    c.out <- &msg.ReqProxy{}

    // manage the connection
    go c.manager()
    go c.reader()
    go c.stopper()
}

// Register a new tunnel on this control connection
func (c *Control) registerTunnel(rawTunnelReq *msg.ReqTunnel) {
    for _, proto := range strings.Split(rawTunnelReq.Protocol, "+") {
        tunnelReq := *rawTunnelReq
        tunnelReq.Protocol = proto

        c.conn.Debug("Registering new tunnel")
        t, err := NewTunnel(&tunnelReq, c)
        if err != nil {
            c.out <- &msg.NewTunnel{Error: err.Error()}
            if len(c.tunnels) == 0 {
                c.shutdown.Begin()
            }

            // we're done
            return
        }

        // add it to the list of tunnels
        c.tunnels = append(c.tunnels, t)

        // acknowledge success
        c.out <- &msg.NewTunnel{
            Url:      t.url,
            Protocol: proto,
            ReqId:    rawTunnelReq.ReqId,
        }

        rawTunnelReq.Hostname = strings.Replace(t.url, proto + "://", "", 1)
    }
}

func (c *Control) manager() {
    // don't crash on panics
    defer func() {
        if err := recover(); err != nil {
            c.conn.Info("Control::manager failed with error %v: %s", err, debug.Stack())
        }
    }()

    // kill everything if the control manager stops
    defer c.shutdown.Begin()

    // notify that manager() has shutdown
    defer c.managerShutdown.Complete()

    // reaping timer for detecting heartbeat failure
    reap := time.NewTicker(connReapInterval)
    defer reap.Stop()

    for {
        select {
        case <-reap.C:
            if time.Since(c.lastPing) > pingTimeoutInterval {
                c.conn.Info("Lost heartbeat")
                c.shutdown.Begin()
            }

        case mRaw, ok := <-c.in:
        // c.in closes to indicate shutdown
            if !ok {
                return
            }

            switch m := mRaw.(type) {
            case *msg.ReqTunnel:
                c.registerTunnel(m)

            case *msg.Ping:
                c.lastPing = time.Now()
                c.out <- &msg.Pong{}
            }
        }
    }
}

func (c *Control) writer() {
    defer func() {
        if err := recover(); err != nil {
            c.conn.Info("Control::writer failed with error %v: %s", err, debug.Stack())
        }
    }()

    // kill everything if the writer() stops
    defer c.shutdown.Begin()

    // notify that we've flushed all messages
    defer c.writerShutdown.Complete()

    // write messages to the control channel
    for m := range c.out {
        c.conn.SetWriteDeadline(time.Now().Add(controlWriteTimeout))
        if err := msg.WriteMsg(c.conn, m); err != nil {
            panic(err)
        }
    }
}

func (c *Control) reader() {
    defer func() {
        if err := recover(); err != nil {
            c.conn.Warn("Control::reader failed with error %v: %s", err, debug.Stack())
        }
    }()

    // kill everything if the reader stops
    defer c.shutdown.Begin()

    // notify that we're done
    defer c.readerShutdown.Complete()

    // read messages from the control channel
    for {
        if msg, err := msg.ReadMsg(c.conn); err != nil {
            if err == io.EOF {
                c.conn.Info("EOF")
                return
            } else {
                panic(err)
            }
        } else {
            // this can also panic during shutdown
            c.in <- msg
        }
    }
}

func (c *Control) stopper() {
    defer func() {
        if r := recover(); r != nil {
            c.conn.Error("Failed to shut down control: %v", r)
        }
    }()

    // wait until we're instructed to shutdown
    c.shutdown.WaitBegin()

    // remove ourself from the control registry
    controlRegistry.Del(c.id)

    // shutdown manager() so that we have no more work to do
    close(c.in)
    c.managerShutdown.WaitComplete()

    // shutdown writer()
    close(c.out)
    c.writerShutdown.WaitComplete()

    // close connection fully
    c.conn.Close()

    // shutdown all of the tunnels
    for _, t := range c.tunnels {
        t.Shutdown()
    }

    // shutdown all of the proxy connections
    close(c.proxies)
    for p := range c.proxies {
        p.Close()
    }

    c.shutdown.Complete()
    c.conn.Info("Shutdown complete")
}

func (c *Control) RegisterProxy(conn conn.Conn) {
    conn.AddLogPrefix(c.id)

    conn.SetDeadline(time.Now().Add(proxyStaleDuration))
    select {
    case c.proxies <- conn:
        conn.Info("Registered")
    default:
        conn.Info("Proxies buffer is full, discarding.")
        conn.Close()
    }
}

// Remove a proxy connection from the pool and return it
// If not proxy connections are in the pool, request one
// and wait until it is available
// Returns an error if we couldn't get a proxy because it took too long
// or the tunnel is closing
func (c *Control) GetProxy() (proxyConn conn.Conn, err error) {
    var ok bool

    // get a proxy connection from the pool
    select {
    case proxyConn, ok = <-c.proxies:
        if !ok {
            err = fmt.Errorf("No proxy connections available, control is closing")
            return
        }
    default:
    // no proxy available in the pool, ask for one over the control channel
        c.conn.Debug("No proxy in pool, requesting proxy from control . . .")
        if err = util.PanicToError(func() {
            c.out <- &msg.ReqProxy{}
        }); err != nil {
            return
        }

            select {
            case proxyConn, ok = <-c.proxies:
                if !ok {
                    err = fmt.Errorf("No proxy connections available, control is closing")
                    return
                }

            case <-time.After(pingTimeoutInterval):
                err = fmt.Errorf("Timeout trying to get proxy connection")
                return
            }
    }
    return
}

// Called when this control is replaced by another control
// this can happen if the network drops out and the client reconnects
// before the old tunnel has lost its heartbeat
func (c *Control) Replaced(replacement *Control) {
    c.conn.Info("Replaced by control: %s", replacement.conn.Id())

    // set the control id to empty string so that when stopper()
    // calls registry.Del it won't delete the replacement
    c.id = ""

    // tell the old one to shutdown
    c.shutdown.Begin()
}

Roughly, the change reads the lines of the local authtokens.txt and compares them with the token sent by the client; I am not familiar with Go.

3.2 Create authtokens.txt in bin

username:password

The server opens the file by its relative name, so start ngrokd from the directory that contains authtokens.txt.
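As an added example (not code from the post or from ngrok itself), the same token lookup written as a standalone Go program: it keeps the post's file format of one token per line, but always closes the file, compares each line in constant time, and skips blank and "#" lines. The function name tokenAllowed and the token file contents are constructed for this example.

```go
package main

import (
	"bufio"
	"crypto/subtle"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// tokenAllowed reports whether token matches a non-empty, non-comment line of
// the token file. It follows the readLine helper the post adds to control.go,
// but always closes the file and compares each line in constant time.
func tokenAllowed(token, filename string) (bool, error) {
	f, err := os.Open(filename)
	if err != nil {
		return false, err
	}
	defer f.Close()
	sc := bufio.NewScanner(f) // also yields a final line that lacks a trailing newline
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue // skip blank and comment lines, so an empty auth_token never matches
		}
		if subtle.ConstantTimeCompare([]byte(line), []byte(token)) == 1 {
			return true, nil
		}
	}
	return false, sc.Err() // nil on a clean EOF
}

// writeSampleTokens writes a constructed authtokens.txt into dir and returns its path.
func writeSampleTokens(dir string) (string, error) {
	p := filepath.Join(dir, "authtokens.txt")
	// constructed sample: a comment, a blank line, two tokens, no final newline
	data := "# one token per line\n\nusername:password\n  alice:s3cret"
	return p, os.WriteFile(p, []byte(data), 0600) // readable by the ngrokd user only
}

func main() {
	dir, _ := os.MkdirTemp("", "ngrok-auth")
	defer os.RemoveAll(dir)
	p, _ := writeSampleTokens(dir)
	for _, tok := range []string{"username:password", "alice:s3cret", "", "bob:nope"} {
		ok, err := tokenAllowed(tok, p)
		fmt.Printf("%q allowed=%v err=%v\n", tok, ok, err)
	}
}
```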

3.3 Rebuild the server and client

3.4 Modify the client configuration file ngrok.cfg

server_addr: ngrok.testdomain.com:4443
trust_host_root_certs: true
auth_token: username:password
tunnels:
  kian:
    subdomain: kian
    proto:
      http: "80"
      https: "8080"

Start the client:

.\ngrok.exe -log ngrok.log -config ngrok.cfg start kian

Tunnel Status                 online
Version                       1.7/1.7
Forwarding                    http://kian.ngrok.testdomain.com -> 127.0.0.1:80
Forwarding                    https://kian.ngrok.testdomain.com -> 127.0.0.1:8080
Web Interface                 127.0.0.1:4040
# Conn                        0
Avg Conn Time                 0.00ms

4. References
