Merge pull request #454 from gravitational/ev/tunnelconf

Added new YAML configuration parameter: `tunnel_listen_addr`
2024-10-23 02:32:39 +00:00 · 2016-06-11 19:35:39 -07:00 · 2016-06-11 19:35:39 -07:00 · 5558b3cac4
parent 741a70ae17 adab29db0a
commit 5558b3cac4
4 changed files with 38 additions and 8 deletions
--- a/docs/admin-guide.md
+++ b/docs/admin-guide.md
@ -85,7 +85,8 @@ Teleport services listen on several ports. This table shows the default port num
 |----------|------------|-------------------------------------------
 |3022      | Node       | SSH port. This is Teleport's equivalent of port `#22` for SSH.
 |3023      | Proxy      | SSH port clients connect to. A proxy will forward this connection to port `#3022` on the destination node.
-|3024      | Auth       | SSH port used by the Auth Service to serve its API to other nodes in a cluster.
+|3025      | Auth       | SSH port used by the Auth Service to serve its API to other nodes in a cluster.
+|3024      | Tunnel     | SSH port used to create "reverse SSH tunnels" from behind-firewall environments into a trusted proxy server.
 |3080      | Proxy      | HTTPS connection to authenticate `tsh` users and web users into the cluster. The same connection is used to serve a Web UI.


@ -236,11 +237,21 @@ ssh_service:
 # This section configures the 'proxy servie'
 proxy_service:
    enabled: yes
-    listen_addr: 127.0.0.1:3023
-    web_listen_addr: 127.0.0.1:3080
+    # SSH forwrading/proxy address. Command line (CLI) clients always begin their
+    # SSH sessions by connecting to this port
+    listen_addr: 0.0.0.0:3023

-    # TLS certificate for the server-side HTTPS connection.
-    # Configuring these properly is critical for Teleport security.
+    # Reverse tunnel listening address. An auth server (CA) can establish an outbound 
+    # (from behind the firwall) connection to this address. This will allow users of
+    # the outside CA to connect to behind-the-firewall nodes.
+    tunnel_listen_addr: 0.0.0.0:3024
+
+    # The HTTPS listen address to serve the Web UI and also to authenticate the 
+    # command line (CLI) users via password+HOTP
+    web_listen_addr: 0.0.0.0:3080
+
+    # TLS certificate for the HTTPS connection. Configuring these properly is 
+    # critical for Teleport security.
    https_key_file: /etc/teleport/teleport.key
    https_cert_file: /etc/teleport/teleport.crt
 ```
--- a/lib/config/config_test.go
+++ b/lib/config/config_test.go
@ -148,6 +148,7 @@ func (s *ConfigTestSuite) TestConfigReading(c *check.C) {
 	c.Assert(conf.Proxy.CertFile, check.Equals, "/etc/teleport/proxy.crt")
 	c.Assert(conf.Proxy.ListenAddress, check.Equals, "tcp://proxy_ssh_addr")
 	c.Assert(conf.Proxy.WebAddr, check.Equals, "tcp://web_addr")
+	c.Assert(conf.Proxy.TunAddr, check.Equals, "reverse_tunnel_address:3311")

 	// good config from file
 	conf, err = ReadFromFile(s.configFileStatic)
@ -216,8 +217,8 @@ func (s *ConfigTestSuite) TestApplyConfig(c *check.C) {
 	c.Assert(err, check.IsNil)
 	c.Assert(conf, check.NotNil)

-	var cfg service.Config
-	err = ApplyFileConfig(conf, &cfg)
+	cfg := service.MakeDefaultConfig()
+	err = ApplyFileConfig(conf, cfg)
 	c.Assert(err, check.IsNil)
 	c.Assert(cfg.Auth.StaticTokens, check.DeepEquals, []services.ProvisionToken{
 		{
@ -233,6 +234,10 @@ func (s *ConfigTestSuite) TestApplyConfig(c *check.C) {
 	})
 	c.Assert(cfg.Auth.DomainName, check.Equals, "magadan")
 	c.Assert(cfg.AdvertiseIP, check.DeepEquals, net.ParseIP("10.10.10.1"))
+
+	c.Assert(cfg.Proxy.Enabled, check.Equals, true)
+	c.Assert(cfg.Proxy.WebAddr.FullAddress(), check.Equals, "tcp://webhost:3080")
+	c.Assert(cfg.Proxy.ReverseTunnelListenAddr.FullAddress(), check.Equals, "tcp://tunnelhost:1001")
 }

 func checkStaticConfig(c *check.C, conf *FileConfig) {
@ -356,6 +361,7 @@ func makeConfigFixture() string {
 	conf.Proxy.CertFile = "/etc/teleport/proxy.crt"
 	conf.Proxy.ListenAddress = "tcp://proxy_ssh_addr"
 	conf.Proxy.WebAddr = "tcp://web_addr"
+	conf.Proxy.TunAddr = "reverse_tunnel_address:3311"

 	return conf.DebugDumpToYAML()
 }
@ -466,7 +472,10 @@ auth_service:
  - "auth:yyy"
 ssh_service:
  enabled: no
+
 proxy_service:
-  enabled: no
+  enabled: yes
+  web_listen_addr: webhost
+  tunnel_listen_addr: tunnelhost:1001
 `
 )
--- a/lib/config/configuration.go
+++ b/lib/config/configuration.go
@ -253,6 +253,13 @@ func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error {
 		}
 		cfg.Proxy.WebAddr = *addr
 	}
+	if fc.Proxy.TunAddr != "" {
+		addr, err := utils.ParseHostPortAddr(fc.Proxy.TunAddr, int(defaults.SSHProxyTunnelListenPort))
+		if err != nil {
+			return trace.Wrap(err)
+		}
+		cfg.Proxy.ReverseTunnelListenAddr = *addr
+	}
 	if fc.Proxy.KeyFile != "" {
 		if !fileExists(fc.Proxy.KeyFile) {
 			return trace.Errorf("https key does not exist: %s", fc.Proxy.KeyFile)
--- a/lib/config/fileconf.go
+++ b/lib/config/fileconf.go
@ -80,6 +80,7 @@ var (
 		"peers":              true,
 		"prefix":             true,
 		"web_listen_addr":    true,
+		"tunnel_listen_addr": true,
 		"ssh_listen_addr":    true,
 		"listen_addr":        true,
 		"https_key_file":     true,
@ -233,6 +234,7 @@ func MakeSampleFileConfig() (fc *FileConfig) {
 	p.EnabledFlag = "yes"
 	p.ListenAddress = conf.Proxy.SSHAddr.Addr
 	p.WebAddr = conf.Proxy.WebAddr.Addr
+	p.TunAddr = conf.Proxy.ReverseTunnelListenAddr.Addr
 	p.CertFile = "/etc/teleport/teleport.crt"
 	p.KeyFile = "/etc/teleport/teleport.key"

@ -416,6 +418,7 @@ type CommandLabel struct {
 type Proxy struct {
 	Service  `yaml:",inline"`
 	WebAddr  string `yaml:"web_listen_addr,omitempty"`
+	TunAddr  string `yaml:"tunnel_listen_addr,omitempty"`
 	KeyFile  string `yaml:"https_key_file,omitempty"`
 	CertFile string `yaml:"https_cert_file,omitempty"`
 }