Open willdot opened 3 weeks ago
Kadeessh, a Caddy plugin built atop this amazing lib, can do that by implementing a custom module that implements a specific interface. The filter by remote IP isn't implemented yet, but it can be easily done in a few lines.
If you nerdsnipe me enough, I might just do it soon 😄 The development on Kadeessh is slow due to poverty in time and feedback. I've been trying to revive it.
Isn't this already possible by inspecting the `Context` passed to the `RequestHandler`?
> Kadeessh, a Caddy plugin built atop this amazing lib, can do that by implementing a custom module that implements a specific interface. The filter by remote IP isn't implemented yet, but it can be easily done in a few lines.
> If you nerdsnipe me enough, I might just do it soon 😄 The development on Kadeessh is slow due to poverty in time and feedback. I've been trying to revive it.

I thought there may have been a Caddy implementation of what I'm trying to do, but I'm attempting to write a service myself 😝
> Isn't this already possible by inspecting the `Context` passed to the `RequestHandler`?

If you mean the Forwarded Request Handler, that only fires when the SSH tunnel is created, and inside that is a constant for loop that fires when someone visits the "tunnelled" address. So the IP for that will be the person that is setting up the remote port forward, not the person that is calling the tunnel address.
When using a `ForwardedTCPHandler` as a request handler for remote port forwarding, it would be nice to be able to reject connections unless their IP is "allowed".
This can be done with an intercept handler which can be set on the `ForwardedTCPHandler` type and then used within `HandleSSHRequest()`. It could accept a `net.Addr()` and return a true/false result. If true, the incoming connection can be continued as normal but if false, the connection can be closed and thus be rejected.
Use case for this is I'm creating a tool (like Ngrok) that will allow a command such as `ssh -R some-domain:5000:localhost:3000 some-domain -p 2222` to be run locally which will allow people to make requests to `http://some-domain:5000` and it will forward the request to an app running locally. However, by doing so, anyone could get hold of that URL and send requests to me... By allowing an intercept functionality this can be limited by IP address.
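The intercept idea from the issue, sketched with only the Go standard library as an added example (not code from the issue or from the library). `AllowFunc`, `AllowCIDRs` and `AcceptAllowed` are hypothetical names, and `AcceptAllowed` stands in for the accept loop that serves the forwarded port, where the remote address is the visitor's rather than the SSH client's.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
)

// AllowFunc is the hypothetical intercept callback: true lets the connection through.
type AllowFunc func(remote net.Addr) bool

// AllowCIDRs builds an AllowFunc from CIDR prefixes; anything unmatched is rejected.
func AllowCIDRs(cidrs ...string) (AllowFunc, error) {
	var prefixes []netip.Prefix
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("bad prefix %q: %w", c, err)
		}
		prefixes = append(prefixes, p.Masked())
	}
	return func(remote net.Addr) bool {
		tcp, _ := remote.(*net.TCPAddr)     // non-TCP address: nil, matches nothing
		ip := tcp.AddrPort().Addr().Unmap() // ::ffff:a.b.c.d counts as IPv4
		for _, p := range prefixes {
			if p.Contains(ip) {
				return true
			}
		}
		return false
	}, nil
}

// AcceptAllowed returns the next connection that passes allow, closing the rest.
func AcceptAllowed(ln net.Listener, allow AllowFunc) (net.Conn, error) {
	for {
		c, err := ln.Accept()
		if err != nil || allow(c.RemoteAddr()) {
			return c, err
		}
		c.Close() // not on the allowlist: drop it and keep accepting
	}
}

func main() {
	allow, err := AllowCIDRs("203.0.113.0/24") // constructed documentation range
	fmt.Println(allow(&net.TCPAddr{IP: net.ParseIP("203.0.113.7")}), err)
}
```

The check only sees the TCP peer address, so behind a reverse proxy or NAT it is the proxy's address that gets matched.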