Merge pull request #454 from gravitational/ev/tunnelconf
Added new YAML configuration parameter: `tunnel_listen_addr`
This commit is contained in:
commit
5558b3cac4
|
@ -85,7 +85,8 @@ Teleport services listen on several ports. This table shows the default port num
|
|||
|----------|------------|-------------------------------------------
|
||||
|3022 | Node | SSH port. This is Teleport's equivalent of port `#22` for SSH.
|
||||
|3023 | Proxy | SSH port clients connect to. A proxy will forward this connection to port `#3022` on the destination node.
|
||||
|3024 | Auth | SSH port used by the Auth Service to serve its API to other nodes in a cluster.
|
||||
|3025 | Auth | SSH port used by the Auth Service to serve its API to other nodes in a cluster.
|
||||
|3024 | Tunnel | SSH port used to create "reverse SSH tunnels" from behind-firewall environments into a trusted proxy server.
|
||||
|3080 | Proxy | HTTPS connection to authenticate `tsh` users and web users into the cluster. The same connection is used to serve a Web UI.
|
||||
|
||||
|
||||
|
@ -236,11 +237,21 @@ ssh_service:
|
|||
# This section configures the 'proxy servie'
|
||||
proxy_service:
|
||||
enabled: yes
|
||||
listen_addr: 127.0.0.1:3023
|
||||
web_listen_addr: 127.0.0.1:3080
|
||||
# SSH forwrading/proxy address. Command line (CLI) clients always begin their
|
||||
# SSH sessions by connecting to this port
|
||||
listen_addr: 0.0.0.0:3023
|
||||
|
||||
# TLS certificate for the server-side HTTPS connection.
|
||||
# Configuring these properly is critical for Teleport security.
|
||||
# Reverse tunnel listening address. An auth server (CA) can establish an outbound
|
||||
# (from behind the firwall) connection to this address. This will allow users of
|
||||
# the outside CA to connect to behind-the-firewall nodes.
|
||||
tunnel_listen_addr: 0.0.0.0:3024
|
||||
|
||||
# The HTTPS listen address to serve the Web UI and also to authenticate the
|
||||
# command line (CLI) users via password+HOTP
|
||||
web_listen_addr: 0.0.0.0:3080
|
||||
|
||||
# TLS certificate for the HTTPS connection. Configuring these properly is
|
||||
# critical for Teleport security.
|
||||
https_key_file: /etc/teleport/teleport.key
|
||||
https_cert_file: /etc/teleport/teleport.crt
|
||||
```
|
||||
|
|
|
@ -148,6 +148,7 @@ func (s *ConfigTestSuite) TestConfigReading(c *check.C) {
|
|||
c.Assert(conf.Proxy.CertFile, check.Equals, "/etc/teleport/proxy.crt")
|
||||
c.Assert(conf.Proxy.ListenAddress, check.Equals, "tcp://proxy_ssh_addr")
|
||||
c.Assert(conf.Proxy.WebAddr, check.Equals, "tcp://web_addr")
|
||||
c.Assert(conf.Proxy.TunAddr, check.Equals, "reverse_tunnel_address:3311")
|
||||
|
||||
// good config from file
|
||||
conf, err = ReadFromFile(s.configFileStatic)
|
||||
|
@ -216,8 +217,8 @@ func (s *ConfigTestSuite) TestApplyConfig(c *check.C) {
|
|||
c.Assert(err, check.IsNil)
|
||||
c.Assert(conf, check.NotNil)
|
||||
|
||||
var cfg service.Config
|
||||
err = ApplyFileConfig(conf, &cfg)
|
||||
cfg := service.MakeDefaultConfig()
|
||||
err = ApplyFileConfig(conf, cfg)
|
||||
c.Assert(err, check.IsNil)
|
||||
c.Assert(cfg.Auth.StaticTokens, check.DeepEquals, []services.ProvisionToken{
|
||||
{
|
||||
|
@ -233,6 +234,10 @@ func (s *ConfigTestSuite) TestApplyConfig(c *check.C) {
|
|||
})
|
||||
c.Assert(cfg.Auth.DomainName, check.Equals, "magadan")
|
||||
c.Assert(cfg.AdvertiseIP, check.DeepEquals, net.ParseIP("10.10.10.1"))
|
||||
|
||||
c.Assert(cfg.Proxy.Enabled, check.Equals, true)
|
||||
c.Assert(cfg.Proxy.WebAddr.FullAddress(), check.Equals, "tcp://webhost:3080")
|
||||
c.Assert(cfg.Proxy.ReverseTunnelListenAddr.FullAddress(), check.Equals, "tcp://tunnelhost:1001")
|
||||
}
|
||||
|
||||
func checkStaticConfig(c *check.C, conf *FileConfig) {
|
||||
|
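Review bot: The new assertions at the end of TestApplyConfig exercise tunnel_listen_addr only with an explicit port (`tunnelhost:1001`), so the defaulting path in ApplyFileConfig — a bare host completed with defaults.SSHProxyTunnelListenPort — is never covered, whereas web_listen_addr does get that coverage through the port-less `webhost` fixture and the `tcp://webhost:3080` expectation. Consider a second fixture or a table entry with `tunnel_listen_addr: tunnelhost` and an assertion that `cfg.Proxy.ReverseTunnelListenAddr.FullAddress()` ends in the default tunnel port, so a regression in the port fallback is caught. TestApplyConfig begins outside the hunk.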
@ -356,6 +361,7 @@ func makeConfigFixture() string {
|
|||
conf.Proxy.CertFile = "/etc/teleport/proxy.crt"
|
||||
conf.Proxy.ListenAddress = "tcp://proxy_ssh_addr"
|
||||
conf.Proxy.WebAddr = "tcp://web_addr"
|
||||
conf.Proxy.TunAddr = "reverse_tunnel_address:3311"
|
||||
|
||||
return conf.DebugDumpToYAML()
|
||||
}
|
||||
|
@ -466,7 +472,10 @@ auth_service:
|
|||
- "auth:yyy"
|
||||
ssh_service:
|
||||
enabled: no
|
||||
|
||||
proxy_service:
|
||||
enabled: no
|
||||
enabled: yes
|
||||
web_listen_addr: webhost
|
||||
tunnel_listen_addr: tunnelhost:1001
|
||||
`
|
||||
)
|
||||
|
|
|
@ -253,6 +253,13 @@ func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error {
|
|||
}
|
||||
cfg.Proxy.WebAddr = *addr
|
||||
}
|
||||
if fc.Proxy.TunAddr != "" {
|
||||
addr, err := utils.ParseHostPortAddr(fc.Proxy.TunAddr, int(defaults.SSHProxyTunnelListenPort))
|
||||
if err != nil {
|
||||
return trace.Wrap(err)
|
||||
}
|
||||
cfg.Proxy.ReverseTunnelListenAddr = *addr
|
||||
}
|
||||
if fc.Proxy.KeyFile != "" {
|
||||
if !fileExists(fc.Proxy.KeyFile) {
|
||||
return trace.Errorf("https key does not exist: %s", fc.Proxy.KeyFile)
|
||||
|
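Review bot: The new tunnel_listen_addr block carries no comment stating that the port is optional and is filled in from defaults.SSHProxyTunnelListenPort, nor that an empty value leaves cfg.Proxy.ReverseTunnelListenAddr at whatever the caller's config already held; both facts matter to an operator deciding which interface the tunnel listener binds to. Suggest placing `// tunnel_listen_addr: host is required, port is optional and defaults to defaults.SSHProxyTunnelListenPort; an empty value keeps the listener address already set in cfg` above the `if fc.Proxy.TunAddr != ""` line, mirroring the WebAddr handling just before it. The enclosing ApplyFileConfig starts and ends outside the hunk.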
|
|
@ -80,6 +80,7 @@ var (
|
|||
"peers": true,
|
||||
"prefix": true,
|
||||
"web_listen_addr": true,
|
||||
"tunnel_listen_addr": true,
|
||||
"ssh_listen_addr": true,
|
||||
"listen_addr": true,
|
||||
"https_key_file": true,
|
||||
|
@ -233,6 +234,7 @@ func MakeSampleFileConfig() (fc *FileConfig) {
|
|||
p.EnabledFlag = "yes"
|
||||
p.ListenAddress = conf.Proxy.SSHAddr.Addr
|
||||
p.WebAddr = conf.Proxy.WebAddr.Addr
|
||||
p.TunAddr = conf.Proxy.ReverseTunnelListenAddr.Addr
|
||||
p.CertFile = "/etc/teleport/teleport.crt"
|
||||
p.KeyFile = "/etc/teleport/teleport.key"
|
||||
|
||||
|
@ -416,6 +418,7 @@ type CommandLabel struct {
|
|||
type Proxy struct {
|
||||
Service `yaml:",inline"`
|
||||
WebAddr string `yaml:"web_listen_addr,omitempty"`
|
||||
TunAddr string `yaml:"tunnel_listen_addr,omitempty"`
|
||||
KeyFile string `yaml:"https_key_file,omitempty"`
|
||||
CertFile string `yaml:"https_cert_file,omitempty"`
|
||||
}
|
||||
|
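Review bot: TunAddr is a new exported field on Proxy without a doc comment, so the only hint of its meaning is the yaml tag. Suggest `// TunAddr is the listen address for the proxy's reverse tunnel listener (yaml: tunnel_listen_addr); the port may be omitted, in which case ApplyFileConfig applies the default tunnel port.` above the field. The Proxy struct is fully contained in the hunk.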
|