jmarya/knowledge
jmarya/knowledge
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

add chisel

Browse source
This commit is contained in:
JMARyA 2024-03-15 09:38:04 +01:00
parent 1369e71700
commit e8923f532d
Signed by: jmarya
GPG key ID: 901B2ADDF27C2263
1 changed files with 92 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

92
technology/applications/cli/network/chisel.md Normal file
View file

@ -0,0 +1,92 @@
---
obj: application
repo: https://github.com/jpillora/chisel
rev: 2024-03-15
---
# chisel
Chisel is a fast [TCP](../../../internet/TCP.md)/[UDP](../../../internet/UDP.md) tunnel, transported over [HTTP](../../../internet/HTTP.md), secured via [SSH](../../network/SSH.md). Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.
## Features
- Easy to use
- Performant
- Encrypted connections using the [SSH](../../network/SSH.md) protocol (via `crypto/ssh`)
- Authenticated connections; authenticated client connections with a users config file, authenticated server connections with fingerprint matching.
- Client auto-reconnects with exponential backoff
- Clients can create multiple tunnel endpoints over one [TCP](../../../internet/TCP.md) connection
- Clients can optionally pass through SOCKS or [HTTP](../../../internet/HTTP.md) CONNECT proxies
- Reverse port forwarding (Connections go through the server and out the client)
- Server optionally doubles as a reverse proxy
- Server optionally allows SOCKS5 connections
- Clients optionally allow SOCKS5 connections from a reversed port forward
- Client connections over stdio which supports `ssh -o ProxyCommand` providing [SSH](../../network/SSH.md) over [HTTP](../../../internet/HTTP.md)
## Usage
### chisel server
Usage: `chisel server [options]`
| Option | Description |
| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `--host HOST` | Defines the [HTTP](../../../internet/HTTP.md) listening host (Env: `$HOST`; Default: 0.0.0.0) |
| `--port, -p PORT` | Defines the [HTTP](../../../internet/HTTP.md) listening port (Env: `$PORT`; Defaukt: 8080) |
| `--keygen PATH` | A path to write a newly generated PEM-encoded [SSH](../../network/SSH.md) private key file. If users depend on your `--key` fingerprint, you may also include your `--key` to output your existing key. Use - (dash) to output the generated key to stdout. |
| `--keyfile FILE` | An optional path to a PEM-encoded [SSH](../../network/SSH.md) private key. When this flag is set, the `--key` option is ignored, and the provided private key is used to secure all communications. (defaults to the `$CHISEL_KEY_FILE` environment variable). Since ECDSA keys are short, you may also set keyfile to an inline [base64](../../../files/Base64.md) private key (e.g. `chisel server --keygen - \| base64`). |
| `--authfile FILE` | An optional path to a `users.json` file. This file should be an object with users defined like:<br>```{ "<user:pass>": ["<addr-regex>","<addr-regex>"] }```<br>When `<user>` connects, their `<pass>` will be verified and then each of the remote addresses will be compared against the list of address regular expressions for a match. Addresses will always come in the form `<remote-host>:<remote-port>` for normal remotes and `R:<local-interface>:<local-port>` for reverse port forwarding remotes. This file will be automatically reloaded on change. |
| `--auth USER` | An optional string representing a single user with full access, in the form of `<user:pass>`. It is equivalent to creating an authfile with `{"<user:pass>": [""]}`. If unset, it will use the environment variable `$AUTH`. |
| `--keepalive INTERVAL` | An optional keepalive interval. Since the underlying transport is [HTTP](../../../internet/HTTP.md), in many instances we'll be traversing through proxies, often these proxies will close idle connections. You must specify a time with a unit, for example '5s' or '2m'. Defaults to '25s' (set to 0s to disable). |
| `--backend SERVER` | Specifies another [HTTP](../../../internet/HTTP.md) server to proxy requests to when chisel receives a normal [HTTP](../../../internet/HTTP.md) request. Useful for hiding chisel in plain sight. |
| `--socks5` | Allow clients to access the internal SOCKS5 proxy. |
| `--reverse` | Allow clients to specify reverse port forwarding remotes in addition to normal remotes. |
| `--tls-key PATH` | Enables TLS and provides optional path to a PEM-encoded TLS private key. When this flag is set, you must also set `--tls-cert`, and you cannot set `--tls-domain`. |
| `--tls-cert PATH` | Enables TLS and provides optional path to a PEM-encoded TLS certificate. When this flag is set, you must also set `--tls-key`, and you cannot set `--tls-domain`. |
| `--tls-domain DOMAIN` | Enables TLS and automatically acquires a TLS key and certificate using LetsEncrypt. Setting `--tls-domain` requires port 443. You may specify multiple `--tls-domain` flags to serve multiple domains. The resulting files are cached in the `$HOME/.cache/chisel` directory. You can modify this path by setting the`$CHISEL_LE_CACHE` variable, or disable caching by setting this variable to "-". You can optionally provide a certificate notification email by setting `$CHISEL_LE_EMAIL`. |
| `--tls-ca PATH` | a path to a PEM encoded CA certificate bundle or a directory holding multiple PEM encode CA certificate bundle files, which is used to validate client connections. The provided CA certificates will be used instead of the system roots. This is commonly used to implement mutual-TLS. |
| `--pid` | Generate pid file in current working directory |
| `-v` | Enable verbose [logging](../../../dev/Log.md) |
### chisel client
Usage: `chisel client [options] <server> <remote> [remote] [remote] ...`
`<server>` is the [URL](../../../internet/URL.md) to the chisel server.
`<remote>`s are remote connections tunneled through the server, each of which come in the form:
`<local-host>:<local-port>:<remote-host>:<remote-port>/<protocol>`
- ■ local-host defaults to `0.0.0.0` (all interfaces).
- ■ local-port defaults to remote-port.
- ■ remote-port is required*.
- ■ remote-host defaults to `0.0.0.0` (server localhost).
- ■ protocol defaults to tcp.
which shares `<remote-host>:<remote-port>` from the server to the client as `<local-host>:<local-port>`, or: `R:<local-interface>:<local-port>:<remote-host>:<remote-port>/<protocol>` which does reverse port forwarding, sharing `<remote-host>:<remote-port>` from the client to the server's `<local-interface>:<local-port>`.
When the chisel server has `--reverse` enabled, remotes can be prefixed with `R` to denote that they are reversed. That is, the server will listen and accept connections, and they will be proxied through the client which specified the remote. Reverse remotes specifying `R:socks` will listen on the server's default socks port (1080) and terminate the connection at the client's internal SOCKS5 proxy.
When stdio is used as local-host, the tunnel will connect standard input/output of this program with the remote. This is useful when combined with ssh ProxyCommand. You can use `ssh -o ProxyCommand='chisel client chiselserver stdio:%h:%p' user@example.com` to connect to an [SSH](../../network/SSH.md) server through the tunnel.
| Option | Description |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--fingerprint VALUE` | A *strongly recommended* fingerprint string to perform host-key validation against the server's public key. Fingerprint mismatches will close the connection. Fingerprints are generated by hashing the ECDSA public key using SHA256 and encoding the result in [base64](../../../files/Base64.md). Fingerprints must be 44 characters containing a trailing equals (=). |
| `--auth USER` | An optional username and password (client authentication) in the form: `<user>:<pass>`. These credentials are compared to the credentials inside the server's `--authfile`. defaults to the `$AUTH` environment variable. |
| `--keepalive INTERVAL` | An optional keepalive interval. Since the underlying transport is [HTTP](../../../internet/HTTP.md), in many instances we'll be traversing through proxies, often these proxies will close idle connections. You must specify a time with a unit, for example '5s' or '2m'. Defaults to '25s' (set to 0s to disable). |
| `--max-retry-count MAX` | Maximum number of times to retry before exiting. Defaults to unlimited. |
| `--max-retry-interval INTERVAL` | Maximum wait time before retrying after a disconnection. Defaults to 5 minutes. |
| `--proxy PROXY` | An optional [HTTP](../../../internet/HTTP.md) CONNECT or SOCKS5 proxy which will be used to reach the chisel server. Authentication can be specified inside the [URL](../../../internet/URL.md). For example, `http://admin:password@my-server.com:8081`or: `socks://admin:password@my-server.com:1080` |
| `--header KEY:VALUE` | Set a custom header in the form `HeaderName: HeaderContent`. Can be used multiple times. (e.g `--header "Foo: Bar" --header "Hello: World"`) |
| `--hostname HOST` | Optionally set the 'Host' header (defaults to the host found in the server url). |
| `--sni SNI` | Override the ServerName when using TLS (defaults to the hostname). |
| `--tls-ca PATH` | An optional root certificate bundle used to verify the chisel server. Only valid when connecting to the server with "https" or "wss". By default, the operating system CAs will be used. |
| `--tls-skip-verify` | Skip server TLS certificate verification of chain and host name (if TLS is used for transport connections to server). If set, client accepts any TLS certificate presented by the server and any host name in that certificate. This only affects transport https (wss) connection. Chisel server's public key may be still verified (see `--fingerprint`) after inner connection is established. |
| `--tls-key PATH` | a path to a PEM encoded private key used for client authentication (mutual-TLS). |
| `--tls-cert PATH` | a path to a PEM encoded certificate matching the provided private key. The certificate must have client authentication enabled (mutual-TLS). |
| `--pid` | Generate pid file in current working directory |
| `-v` | Enable verbose [logging](../../../dev/Log.md) |
### Security
Encryption is always enabled. When you start up a chisel server, it will generate an in-memory ECDSA public/private key pair. The public key fingerprint ([base64](../../../files/Base64.md) encoded [SHA256](../../../cryptography/SHA.md)) will be displayed as the server starts. Instead of generating a random key, the server may optionally specify a key file, using the `--keyfile` option. When clients connect, they will also display the server's public key fingerprint. The client can force a particular fingerprint using the `--fingerprint` option.
### Authentication
Using the `--authfile` option, the server may optionally provide a `user.json` configuration file to create a list of accepted users. The client then authenticates using the `--auth` option. See [users.json](https://github.com/jpillora/chisel/blob/master/example/users.json) for an example authentication configuration file.
Internally, this is done using the _Password_ authentication method provided by [SSH](../../network/SSH.md).