Open vercas opened 4 months ago
Hello,
Would you mind explaining how this facilitates the setup with a docker container? If I am not mistaken, you can create a network namespace that you can share across multiple containers.
It's for situations where you can't/won't put wstunnel and nginx in the same network namespace.
A common example is a bastion host - you want the reverse proxy container to only have access to a public facing network, while wstunnel containers would only have access to an internal network.
I'd also like to have something similar to the ssh alternative below.
ssh -N -f -R /tmp/zp3ft5fmps6bd4gep7iv:127.0.0.1:80 user@host
This would also help in scenarios like chained proxies, where forwarding via unix sockets seems to have better performance than local network loopbacks.
Hello,
Would you mind trying this pre-release https://github.com/erebe/wstunnel/releases/tag/v9.1.0 and letting me know if it works for you?
You should be able to start wstunnel client and specify something like -L unix:///tmp//wstunnel.sock:127.0.0.1:80
Regarding the wstunnel server supporting receiving packets from a unix socket, I am not sure whether I am going to do it, as it will require a bit too much code change to my taste to support it, and I am not sure if there is a real need for it. Will check and let you know.
P.s: I still need to support unix datagram sockets, but as with everything related to udp, it is a pain to implement.
Hello @erebe
Thank you for adding Unix socket support. That works for me with a reverse connection. I noticed it does not delete the socket file when the connection is finished, and I am unable to reuse the file again, so when you try -R unix:///tmp//wstunnel.sock:127.0.0.1:80 again, the server rejects the connection.
Indeed, thanks for reporting. I have made the fix :see_no_evil: https://github.com/erebe/wstunnel/commit/b7dbd864c42eb9619507521041eff16d48dfe16a
and have re-created the release 9.2.0, so if you re-download it, it should be good now.
Specifically for cases where the wstunnel server is behind a reverse proxy, it would be useful to have the ability to listen on a Unix domain socket instead of having to use an IP address and port.
This would only be useful with non-secure ws, e.g. unix:///absolute/path/to/unix/socket or unix://relative/path/to/socket. Unix domain sockets are subject to filesystem security models and mount namespaces, making them easier to restrict access to than traditional IP/port network endpoints, especially when you have Docker installed on the same system.
A command-line option for specifying the mode of the created socket would be handy too.
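The stale socket file reported earlier in the thread (the path is left behind after shutdown, so the next bind fails) and the request for a socket mode option both come down to the lifecycle of the listener's path. The following is an added example in Rust, not wstunnel's own code and not the fix from the commit linked above; the type name CleanUnixListener, its bind(path, mode) signature and the probe-before-unlink logic are my own. It probes the existing path with a connect: a live listener answers and the bind is refused, nothing at the path is the normal case, and a connection refusal on a real socket inode means a stale file that is safe to remove. It then applies the requested mode and unlinks the path on drop.

```rust
use std::fs;
use std::io::{self, ErrorKind};
use std::os::unix::fs::{FileTypeExt, PermissionsExt};
use std::os::unix::net::{UnixListener, UnixStream};
use std::path::{Path, PathBuf};

/// Hypothetical listener wrapper (not wstunnel's code): binds a Unix domain
/// socket, replacing a stale socket file left behind by a previous run,
/// applies a restricted file mode, and unlinks the path when dropped.
pub struct CleanUnixListener {
    listener: UnixListener,
    path: PathBuf,
}

impl CleanUnixListener {
    pub fn bind(path: &Path, mode: u32) -> io::Result<Self> {
        // Probe the path: a successful connect means another process is
        // still listening, so refuse instead of stealing its socket.
        match UnixStream::connect(path) {
            Ok(_live) => {
                return Err(io::Error::new(
                    ErrorKind::AddrInUse,
                    format!("{} is served by a live listener", path.display()),
                ));
            }
            // Nothing at the path: the normal first-start case.
            Err(e) if e.kind() == ErrorKind::NotFound => {}
            // A file exists but nobody accepts: a stale socket from a crash or
            // an unclean shutdown. Only unlink it if it really is a socket, so
            // a misconfigured path never deletes an unrelated file.
            Err(e) if e.kind() == ErrorKind::ConnectionRefused => {
                if !fs::symlink_metadata(path)?.file_type().is_socket() {
                    return Err(io::Error::new(
                        ErrorKind::AlreadyExists,
                        format!("{} exists and is not a socket", path.display()),
                    ));
                }
                fs::remove_file(path)?;
            }
            Err(e) => return Err(e),
        }

        let listener = UnixListener::bind(path)?;
        // Restrict who may connect. There is a small window between bind() and
        // chmod() during which the socket carries the umask-derived default
        // mode; placing the socket inside a directory with restrictive
        // permissions closes that window.
        fs::set_permissions(path, fs::Permissions::from_mode(mode))?;
        Ok(Self { listener, path: path.to_path_buf() })
    }

    pub fn listener(&self) -> &UnixListener {
        &self.listener
    }

    pub fn path(&self) -> &Path {
        &self.path
    }

    /// Permission bits currently set on the socket file.
    pub fn mode(&self) -> io::Result<u32> {
        Ok(fs::metadata(&self.path)?.permissions().mode() & 0o777)
    }
}

impl Drop for CleanUnixListener {
    // Unlink the path on shutdown so the next start does not see "address in use".
    fn drop(&mut self) {
        let _ = fs::remove_file(&self.path);
    }
}

fn main() -> io::Result<()> {
    // Constructed sample path under the temp dir; a real deployment would use
    // a dedicated directory shared only with the reverse proxy.
    let path = std::env::temp_dir().join(format!("wstunnel-example-{}.sock", std::process::id()));
    let l = CleanUnixListener::bind(&path, 0o600)?;
    println!("listening on {} with mode {:o}", l.path().display(), l.mode()?);
    Ok(())
}
```

The mode passed to bind() is what a command-line option would carry; 0o600 limits connects to the owning user, and a group-readable directory plus 0o660 is the usual shape when the proxy runs as a different user in the same group. The symlink_metadata check refuses to follow a symlink, so a link planted at the socket path cannot redirect the unlink to another file.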