22 KiB
| obj | repo | rev |
|---|---|---|
| application | https://github.com/jpillora/chisel | 2024-03-17 |
chisel
Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.
Features
- Easy to use
- Performant
- Encrypted connections using the SSH protocol (via
crypto/ssh) - Authenticated connections; authenticated client connections with a users config file, authenticated server connections with fingerprint matching.
- Client auto-reconnects with exponential backoff
- Clients can create multiple tunnel endpoints over one TCP connection
- Clients can optionally pass through SOCKS or HTTP CONNECT proxies
- Reverse port forwarding (Connections go through the server and out the client)
- Server optionally doubles as a reverse proxy
- Server optionally allows SOCKS5 connections
- Clients optionally allow SOCKS5 connections from a reversed port forward
- Client connections over stdio which supports
ssh -o ProxyCommandproviding SSH over HTTP
Usage
chisel server
Usage: chisel server [options]
| Option | Description |
|---|---|
--host HOST |
Defines the HTTP listening host (Env: $HOST; Default: 0.0.0.0) |
--port, -p PORT |
Defines the HTTP listening port (Env: $PORT; Defaukt: 8080) |
--keygen PATH |
A path to write a newly generated PEM-encoded SSH private key file. If users depend on your --key fingerprint, you may also include your --key to output your existing key. Use - (dash) to output the generated key to stdout. |
--keyfile FILE |
An optional path to a PEM-encoded SSH private key. When this flag is set, the --key option is ignored, and the provided private key is used to secure all communications. (defaults to the $CHISEL_KEY_FILE environment variable). Since ECDSA keys are short, you may also set keyfile to an inline base64 private key (e.g. chisel server --keygen - | base64). |
--authfile FILE |
An optional path to a users.json file. This file should be an object with users defined like:{ "<user:pass>": ["<addr-regex>","<addr-regex>"] }When <user> connects, their <pass> will be verified and then each of the remote addresses will be compared against the list of address regular expressions for a match. Addresses will always come in the form <remote-host>:<remote-port> for normal remotes and R:<local-interface>:<local-port> for reverse port forwarding remotes. This file will be automatically reloaded on change. |
--auth USER |
An optional string representing a single user with full access, in the form of <user:pass>. It is equivalent to creating an authfile with {"<user:pass>": [""]}. If unset, it will use the environment variable $AUTH. |
--keepalive INTERVAL |
An optional keepalive interval. Since the underlying transport is HTTP, in many instances we'll be traversing through proxies, often these proxies will close idle connections. You must specify a time with a unit, for example '5s' or '2m'. Defaults to '25s' (set to 0s to disable). |
--backend SERVER |
Specifies another HTTP server to proxy requests to when chisel receives a normal HTTP request. Useful for hiding chisel in plain sight. |
--socks5 |
Allow clients to access the internal SOCKS5 proxy. |
--reverse |
Allow clients to specify reverse port forwarding remotes in addition to normal remotes. |
--tls-key PATH |
Enables TLS and provides optional path to a PEM-encoded TLS private key. When this flag is set, you must also set --tls-cert, and you cannot set --tls-domain. |
--tls-cert PATH |
Enables TLS and provides optional path to a PEM-encoded TLS certificate. When this flag is set, you must also set --tls-key, and you cannot set --tls-domain. |
--tls-domain DOMAIN |
Enables TLS and automatically acquires a TLS key and certificate using LetsEncrypt. Setting --tls-domain requires port 443. You may specify multiple --tls-domain flags to serve multiple domains. The resulting files are cached in the $HOME/.cache/chisel directory. You can modify this path by setting the$CHISEL_LE_CACHE variable, or disable caching by setting this variable to "-". You can optionally provide a certificate notification email by setting $CHISEL_LE_EMAIL. |
--tls-ca PATH |
a path to a PEM encoded CA certificate bundle or a directory holding multiple PEM encode CA certificate bundle files, which is used to validate client connections. The provided CA certificates will be used instead of the system roots. This is commonly used to implement mutual-TLS. |
--pid |
Generate pid file in current working directory |
-v |
Enable verbose logging |
chisel client
Usage: chisel client [options] <server> <remote> [remote] [remote] ...
<server> is the URL to the chisel server.
<remote>s are remote connections tunneled through the server, each of which come in the form:
<local-host>:<local-port>:<remote-host>:<remote-port>/<protocol>
- ■ local-host defaults to
0.0.0.0(all interfaces). - ■ local-port defaults to remote-port.
- ■ remote-port is required*.
- ■ remote-host defaults to
0.0.0.0(server localhost). - ■ protocol defaults to tcp.
which shares <remote-host>:<remote-port> from the server to the client as <local-host>:<local-port>, or: R:<local-interface>:<local-port>:<remote-host>:<remote-port>/<protocol> which does reverse port forwarding, sharing <remote-host>:<remote-port> from the client to the server's <local-interface>:<local-port>.
When the chisel server has --reverse enabled, remotes can be prefixed with R to denote that they are reversed. That is, the server will listen and accept connections, and they will be proxied through the client which specified the remote. Reverse remotes specifying R:socks will listen on the server's default socks port (1080) and terminate the connection at the client's internal SOCKS5 proxy.
When stdio is used as local-host, the tunnel will connect standard input/output of this program with the remote. This is useful when combined with ssh ProxyCommand. You can use ssh -o ProxyCommand='chisel client chiselserver stdio:%h:%p' user@example.com to connect to an SSH server through the tunnel.
| Option | Description |
|---|---|
--fingerprint VALUE |
A strongly recommended fingerprint string to perform host-key validation against the server's public key. Fingerprint mismatches will close the connection. Fingerprints are generated by hashing the ECDSA public key using SHA256 and encoding the result in base64. Fingerprints must be 44 characters containing a trailing equals (=). |
--auth USER |
An optional username and password (client authentication) in the form: <user>:<pass>. These credentials are compared to the credentials inside the server's --authfile. defaults to the $AUTH environment variable. |
--keepalive INTERVAL |
An optional keepalive interval. Since the underlying transport is HTTP, in many instances we'll be traversing through proxies, often these proxies will close idle connections. You must specify a time with a unit, for example '5s' or '2m'. Defaults to '25s' (set to 0s to disable). |
--max-retry-count MAX |
Maximum number of times to retry before exiting. Defaults to unlimited. |
--max-retry-interval INTERVAL |
Maximum wait time before retrying after a disconnection. Defaults to 5 minutes. |
--proxy PROXY |
An optional HTTP CONNECT or SOCKS5 proxy which will be used to reach the chisel server. Authentication can be specified inside the URL. For example, http://admin:password@my-server.com:8081or: socks://admin:password@my-server.com:1080 |
--header KEY:VALUE |
Set a custom header in the form HeaderName: HeaderContent. Can be used multiple times. (e.g --header "Foo: Bar" --header "Hello: World") |
--hostname HOST |
Optionally set the 'Host' header (defaults to the host found in the server url). |
--sni SNI |
Override the ServerName when using TLS (defaults to the hostname). |
--tls-ca PATH |
An optional root certificate bundle used to verify the chisel server. Only valid when connecting to the server with "https" or "wss". By default, the operating system CAs will be used. |
--tls-skip-verify |
Skip server TLS certificate verification of chain and host name (if TLS is used for transport connections to server). If set, client accepts any TLS certificate presented by the server and any host name in that certificate. This only affects transport https (wss) connection. Chisel server's public key may be still verified (see --fingerprint) after inner connection is established. |
--tls-key PATH |
a path to a PEM encoded private key used for client authentication (mutual-TLS). |
--tls-cert PATH |
a path to a PEM encoded certificate matching the provided private key. The certificate must have client authentication enabled (mutual-TLS). |
--pid |
Generate pid file in current working directory |
-v |
Enable verbose logging |
Security
Encryption is always enabled. When you start up a chisel server, it will generate an in-memory ECDSA public/private key pair. The public key fingerprint (base64 encoded SHA256) will be displayed as the server starts. Instead of generating a random key, the server may optionally specify a key file, using the --keyfile option. When clients connect, they will also display the server's public key fingerprint. The client can force a particular fingerprint using the --fingerprint option.
Authentication
Using the --authfile option, the server may optionally provide a user.json configuration file to create a list of accepted users. The client then authenticates using the --auth option. See users.json for an example authentication configuration file.
Internally, this is done using the Password authentication method provided by SSH.
Systemd Unit
Client:
[Unit]
Description=Chisel Port Forwarding Service
After=network.target
[Service]
Type=simple
ExecStart=chisel client --auth <auth> <server> <forward>
Restart=always
[Install]
WantedBy=multi-user.target
Docker Compose
Server:
version: "3"
services:
chisel:
image: jpillora/chisel
command: "server --reverse --authfile /users.json"
environment:
- HOST=0.0.0.0
- PORT=8080
ports:
- 8080:8080 # Proxy
volumes:
- ./users.json:/users.json
restart: unless-stopped