laitimes

Reverst:基于QUIC协议和HTTP3的反向隧道工具

About Reverst:

Reverst is a powerful reverse tunneling tool consisting of a reverse tunneling server with load balancing and a server-client library, developed in Go and based on QUIC and HTTP/3.

Reverst:基于QUIC协议和HTTP3的反向隧道工具

关于QUIC和HTTP/3

QUIC,即快速UDP互联网连接协议。 QUIC(Quick UDP Internet Connections)是由 Google 从2013年开始研究的基于UDP的可靠传输协议,它最早的原型是SPDY + QUIC-Crypto + Reliable UDP,后来经历了SPDY转型为2015年5月IETF 正式发布的HTTP/2.0。 考虑到HTTP/2.0和TLS/1.3的发布,它的核心协议族逐步进化为现在的HTTP/3.0 + TLS/1.3 + QUIC-Transport的组合。

HTTP3, on the other hand, uses UDP to achieve high speeds while maintaining QUIC stability (choosing QUIC means choosing UDP) without sacrificing TLS security. The transport layer of HTTP/3 is not TCP, but UDP+QUIC.

Tool features

The current version of Reverst has the following features:

1. Go language driver: developed based on pure Go language, using libraries;

2. Compatibility; The client package (Go) is abstractly implemented based on the net/http standard library;

3. Load balancing: multiple service instances can be run in the same tunnel;

4. High performance: based on QUIC and HTTP/3 to realize its functions;

Usage scenarios

Reverst is primarily used to expose services in a restricted network, such as those protected by NAT gateways, to the Internet. The tunnel file needs to be deployed on the Internet, and then the client server establishes communication with the tunnel and registers it in the target tunnel group. A tunnel group is a set of load-balanced client servers that are exposed to the public network through the HTTP interface of the reverse tunnel.

The following diagram illustrates the tunnel lifecycle:

Reverst:基于QUIC协议和HTTP3的反向隧道工具

Tool installation

client

Client Installation Command:

go get go.flipt.io/reverst/client           

Code Build:

go install ./client/...           

Server-side

Code Build:

go install ./cmd/...           

Test

Reverst uses Dagger to configure and run an integration test suite:

dagger call test --source=.           

The test suite configures a tunnel and registers a server-client in the tunnel and requests services through the tunnel's HTTP interface.

tool runs

The following parameters are examples of parameters when the tunnel server is running:

1、QUCI隧道监听127.0.0.1:7171;

2. HTTP service listener 127.0.0.1:8181;

3. The logging is set to the debug level;

The configuration command is as follows:

go run ./cmd/reverst/... -l debug \

    -n flipt.dev.local \

    -g examples/simple/group.yml \

    -k examples/simple/server.key \

-c examples/simple/server.crt           

The following command can be used to run the sample server:

go run ./examples/simple/main.go --username user --password pass           

The following command can send a request to the service:

curl -H 'Host: flipt.dev.local' 127.0.0.1:8181/fo           

Tool usage and configuration

Command line argument options and environment variables

reverst -h

COMMAND

  reverst

 

USAGE

  reverst [FLAGS]

 

FLAGS

  -l, --log LEVEL                      debug、info、warn或error (默认: INFO)

  -a, --tunnel-address STRING       接收隧道QUIC连接的地址 (默认: 127.0.0.1:7171)

  -s, --http-address STRING           处理HTTP请求的地址 (默认: 0.0.0.0:8181)

  -n, --server-name STRING           通过TLS识别隧道的服务器名称 (必须)

  -k, --private-key-path STRING      path to TLS private key PEM file (必须)

  -c, --certificate-path STRING      TLS证书PEM文件路径 (必须)

  -g, --tunnel-groups STRING       k8s配置映射标识符或文件路径 (默认: groups.yml)

  -w, --watch-groups                  监控隧道组源以获取更新

      --management-address STRING    管理API的HTTP地址

      --max-idle-timeout DURATION    连接可以空闲的最长时间 (默认: 1ms)

      --keep-alive-period DURATION   keep-alive事件间隔时间(默认: 30s)           

Tunnel group configuration

reverst -g path/to/configuration.yml

// alternatively:

reverst -g file:///path/to/configuration.yml           

Or:

reverst -g k8s://configmap/default/tunnelconfig/groups.yml           

Configure multiple authentication policies

groups:

  "group-name":

    hosts:

    - "some.host.address.dev" # Host for routing inbound HTTP requests to tunnel group

    authentication:

      basic:

        username: "user"

        password: "pass"

      bearer:

        token: "some-token"

      external:

        scheme: "JWT"

        endpoint: "http://some-external-endpoint/auth/ext"           

License Agreement

This project is developed and released under an open source license.

Project address

Reverst:https://github.com/flipt-io/reverst/

Resources

https://github.com/quic-go/quic-go

Read on