[HN Gopher] Reverst: Reverse Tunnels in Go over HTTP/3 and QUIC
___________________________________________________________________
Reverst: Reverse Tunnels in Go over HTTP/3 and QUIC
Author : todsacerdoti
Score : 128 points
Date : 2024-04-08 15:04 UTC (7 hours ago)
| xyst wrote:
| Not a bad way to exfil data from target server.
| tru3_power wrote:
| Add it to the toolkit!
| ocdtrekkie wrote:
| Any good "restrictive network" blocks QUIC. This helps
| potentially in places the restriction is structural (CGNAT) but
| not where the restriction is security-based.
| jsiepkes wrote:
| You can easily set up a reverse tunnel with something like
| websockets or HTTP/2 (TCP). For example with wstunnel[1].
|
| [1] https://github.com/erebe/wstunnel
| roshanj wrote:
| This is great! I've had this exact idea for a specific robotics
| use-case but never got around to implementing it: a fleet of
| robots that each expose an HTTP service for debugging purposes.
| These robots connect to the internet through cellular or hop
| around among a set of wifi access points, such that long-lived
| connections are often interrupted and each robot IP address
| intermittently changes.
|
| Many other reverse proxy / tunneling solutions use TCP-based
| protocols or require the target hosts to be accessible by the
| proxy server, but in this case QUIC connection migration avoids
| the reconnection handshakes needed for dropped TCP connections,
| and your client->server model allows the robots to register
| themselves from restrictive networks.
|
| The only missing feature would be to allow some sort of auth
| plugin - perhaps as a sub-request made to an external auth
| service that contains the identifier of the client the request
| will be routed to, similar to nginx's auth_request
| (https://nginx.org/en/docs/http/ngx_http_auth_request_module....)
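The auth sub-request idea from the comment above, sketched as Go middleware. This is an added example, not code from Reverst or from any commenter. The `X-Tunnel-ID` header, the use of `Host` as the tunnel identifier, and the `probe` helper with its token and host names are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// AuthRequest gates next behind a sub-request to authURL, nginx auth_request style:
// 2xx allows, 401/403 pass through, anything else (or no answer) fails closed.
func AuthRequest(authURL string, next http.Handler) http.Handler {
	client := &http.Client{Timeout: 2 * time.Second}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		code := http.StatusInternalServerError
		if sub, err := http.NewRequestWithContext(r.Context(), http.MethodGet, authURL, nil); err == nil {
			sub.Header.Set("Authorization", r.Header.Get("Authorization"))
			sub.Header.Set("X-Tunnel-ID", r.Host) // assumed: Host names the target tunnel
			if resp, err := client.Do(sub); err == nil {
				resp.Body.Close()
				code = resp.StatusCode
			}
		}
		if code/100 == 2 {
			next.ServeHTTP(w, r)
		} else if code == http.StatusUnauthorized || code == http.StatusForbidden {
			http.Error(w, http.StatusText(code), code)
		} else {
			http.Error(w, "auth error", http.StatusInternalServerError)
		}
	})
}

// probe sends one request through a constructed policy: token "t-ops" may reach "robot-7" only.
func probe(token, host string) int {
	auth := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer t-ops" {
			w.WriteHeader(http.StatusUnauthorized)
		} else if r.Header.Get("X-Tunnel-ID") != "robot-7" {
			w.WriteHeader(http.StatusForbidden)
		} // otherwise the implicit 200 allows the request
	}))
	defer auth.Close()
	req := httptest.NewRequest(http.MethodGet, "http://"+host+"/status", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	AuthRequest(auth.URL, http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Code
}
func main() { fmt.Println(probe("t-ops", "robot-7"), probe("t-ops", "robot-9"), probe("bad", "robot-7")) }
```

The decision is made per request and per tunnel identifier, so a token valid for one tunnel is refused for another, and an unreachable auth service denies rather than allows.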
| GeorgeMac wrote:
| Would love a feature request GH issue for that! Seems totally
| doable!
| zilti wrote:
| But why http?
| yjftsjthsd-h wrote:
| Network effects? (No pun intended.) HTTP has a big ecosystem.
| Ex. Everyone already has curl installed.
|
| Edit: This isn't hypothetical, either; I literally use curl
| regularly to query services. Sure, there are other options,
| but HTTP generally works, so...
| screamingninja wrote:
| Have you considered wireguard / tailscale?
| debarshri wrote:
| Generally people use Zerotier for this kind of use case in the
| industry. It is pretty robust.
| sekh wrote:
| This is a great idea! There are multiple attempts at achieving
| the same feature with HTTP/2. An RFC is even being written
| https://www.ietf.org/archive/id/draft-bt-httpbis-reverse-htt...
|
| HAProxy implements something similar in HTTP/2 with the 'rhttp@'
| keyword.
|
| edit: wrong URL.
| GeorgeMac wrote:
| This is great! Thanks for sharing!
| sekh wrote:
| I just updated the URL which was the wrong one.
| 20thr wrote:
| This is very cool.
|
| We built something similar in
| https://github.com/namespacelabs/breakpoint but the more general
| purpose nature here is great.
| GeorgeMac wrote:
| This is very cool. Checking it out! Thanks!
| therein wrote:
| This is very useful. I needed this at least 10-20 times in the
| past but didn't know it existed.
|
| I no longer need it in a CI context but I could imagine this
| getting really handy when some weird thing happens during the
| build stages of a docker container too.
| erebe__ wrote:
| Nice project :)
|
| HTTP3 may not be suitable for all environments, as UDP is pretty
| commonly filtered.
|
| If you are in such a scenario, you may want to take a look at
| wstunnel, it allows you to do the same (and more) over websocket
| or HTTP2.
|
| https://github.com/erebe/wstunnel
___________________________________________________________________
(page generated 2024-04-08 23:00 UTC)