jpillora / chisel
A fast TCP/UDP tunnel over HTTP
License: MIT License
Hi, it's hard to understand what chisel does and does not do.
Is it possible to add some user scenario examples on the readme please?
If I understand correctly you can use chisel to:
You cannot use chisel to:
Hi, this is a really neat project you've hacked together. Just out of curiosity, if you're controlling clients and servers on both ends why don't you just tunnel tcp via a tls channel and be done with it? Why do you need HTTP in there at all?
Client crashed after running about 3 minutes while the download speed was about 25MB/s; I'm testing locally with wget.
System: ubuntu 16.04 64 bit (Linux desktop 4.4.0-59-generic #80-Ubuntu SMP Fri Jan 6 17:47:47 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux)
Desktop LAN IP is 192.168.9.162, port 80 is served by nginx for file download.
Server command: chisel server -v --port 3000 --proxy http://example.com
Client command: chisel client -v --keepalive=10s http://192.168.9.162:3000 8001:80
Download test command: wget http://192.168.9.162:8001/dl/00002.m2ts
chisel client crash log:
2017/02/03 20:50:39 client: Disconnected
2017/02/03 20:50:39 client: Fingerprint a4:59:fb:8a:fd:93:b5:0a:2e:08:9c:15:38:b3:1d:44
2017/02/03 20:50:39 client: Sending configurating
2017/02/03 20:50:39 client: Connected (Latency 333.839µs)
2017/02/03 20:50:42 client: 0.0.0.0:80#1: conn#4: Open
2017/02/03 20:51:24 client: Fingerprint a4:59:fb:8a:fd:93:b5:0a:2e:08:9c:15:38:b3:1d:44
2017/02/03 20:52:06 client: Fingerprint a4:59:fb:8a:fd:93:b5:0a:2e:08:9c:15:38:b3:1d:44
panic: ssh: no key material for msgNewKeys
goroutine 71 [running]:
panic(0x74ec60, 0xc820084bb0)
/usr/lib/go-1.6/src/runtime/panic.go:481 +0x3e6
golang.org/x/crypto/ssh.(*connectionState).writePacket(0xc820128168, 0xc82011ad80, 0x7fc143dba330, 0xc8200126f0, 0xc8200e0440, 0x9, 0x9, 0x0, 0x0)
/root/gocode/src/golang.org/x/crypto/ssh/transport.go:163 +0x2c5
golang.org/x/crypto/ssh.(*transport).writePacket(0xc820128100, 0xc8200e0440, 0x9, 0x9, 0x0, 0x0)
/root/gocode/src/golang.org/x/crypto/ssh/transport.go:144 +0x81
golang.org/x/crypto/ssh.(*handshakeTransport).pushPacket(0xc820106140, 0xc8200e0440, 0x9, 0x9, 0x0, 0x0)
/root/gocode/src/golang.org/x/crypto/ssh/handshake.go:206 +0x63
golang.org/x/crypto/ssh.(*handshakeTransport).kexLoop(0xc820106140)
/root/gocode/src/golang.org/x/crypto/ssh/handshake.go:286 +0x40f
created by golang.org/x/crypto/ssh.newClientTransport
/root/gocode/src/golang.org/x/crypto/ssh/handshake.go:113 +0x352
Hello, I am having a difficult time understanding how to use chisel for my use case.
I have a server, running "chisel server --port 8080".
I have a client (client A) that is running a webserver on port 80.
I have another client behind a firewall (client B).
I would like client B to be able to view the website hosted on client A's machine.
What types of settings would I use in "chisel client" for each client to allow this to work?
Thank you!!
This feature assumes connections will be broken if the server is restarted.
This would come in handy for building the auth file programmatically from a separate data source to avoid.
There are three ways we could do it in increasing levels of complexity:
Not sure which will be best.
The following archives from https://github.com/jpillora/chisel/releases/tag/1.2.2 are corrupted...
chisel_darwin_amd64.gz
chisel_linux_386.gz
chisel_linux_amd64.gz
chisel_linux_arm.gz
chisel_windows_amd64.exe.gz
wrong CRC during extraction
Is there an option to use the tun/tap devices with ssh to have a vpn implemented over chisel instead of doing port forwarding?
Is it possible to add an X-Forwarded-For header option to the server, so the destination server could get the real IP, or even add support for Proxy Protocol v1?
Hi,
I can't seem to find the option to specify an upstream proxy on the client side. The objective would be to support a chisel client that has to connect through an authenticated (NTLM) proxy in order to connect to the chisel server.
Any options ?
Thanks.
Arno
Is there a possibility to drop SSH and use plain web sockets over HTTPS? In other words, why is this using HTTP, websocket and SSH instead of just HTTPS and websocket?
Thanks for all your work !
I use Chisel Client on Windows 7. The Internet connection of our company runs through a proxy.
Chisel Client does not seem to support an HTTP proxy (I tried to set HTTP_PROXY in ENV).
Did I miss a point? Do you see a possibility to get it working?
The client automatically adds a duration when the connection fails.
But sometimes the server is down for a long time, and the client can't retry in a few seconds.
Restarting the client is all I can do.
Currently, with 1.2, multiple client instances are needed to connect to multiple servers.
Although #9 would aid in this in the sense that instead of running multiple server you would run a router and multiple clients proxying endpoints so maybe multiple servers per client is not a necessary feature.
(Sorry for my poor English)
Chisel is an amazing tool! I want to use chisel behind Nginx.
Because the firewall of my company only allows port 443 to use the HTTP CONNECT command.
I want to use port 443 on my home server for an HTTPS website, and chisel too.
So I tried to configure Nginx to redirect HTTPS requests by different domain.
[Client Command]
chisel_windows_amd64.exe client --proxy http://company-proxy:port https://home-server:443 0.0.0.0:33389:192.168.1.102:3389
2017/05/26 11:34:54 client: Retrying in 100ms...
@jpillora I need to tunnel https/http over an http connection specifically to GAE. Using this project would be ideal, however GAE doesn't yet support web sockets. Is there a way to fall back to HTTP when web sockets aren't available?
I know this isn't nearly as natural, but at least in our firewall environment I can only hit an http endpoint without ws support.
If one tries to run multiple chisel clients, possibly talking to different hosts, but mistakenly uses the same local port, the second invocation should fail and complain loudly.
./chisel client -v --keepalive 10s https://first-host 5022::2022 &
./chisel client -v --keepalive 10s https://second-host 5022::2022
The second invocation continues to run despite encountering the error (silent error!). This leads to a false sense of success, and subsequent attempts to communicate to second-host via local port 5022 will actually forward traffic to first-host.
Below is slightly modified output from an actual run:
$ ./chisel client -v --keepalive 10s https://second-host 5022::2022
2017/04/13 12:38:32 client: Connecting to wss://second-host:443
2017/04/13 12:38:32 client: 0.0.0.0:202#1: listen tcp4 0.0.0.0:5022: bind: address already in use
2017/04/13 12:38:33 client: Fingerprint 6e:37:2b:d4:76:28:35:12:36:a3:ae:b1:59:10:77:3e
2017/04/13 12:38:33 client: Sending configurating
2017/04/13 12:38:33 client: Connected (Latency 30.839892ms)
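The silent failure described above can be guarded against from outside the client. The following Python script is an added example and is not part of chisel or of this issue: it checks the local port of each remote spec before launching, and scans the client's log output for the listener-failure line so a supervisor can treat it as fatal. The log sample is the issue's own output embedded as constructed test input; the [local-host:]local-port[:remote-host:remote-port] layout it parses is read from the commands on this page, and reading the first numeric field as the local port is this script's interpretation.

```python
import re
import socket

# Constructed sample input: the log lines quoted in the issue, with the bind
# failure sitting between otherwise successful connection messages.
SAMPLE_LOG = """\
2017/04/13 12:38:32 client: Connecting to wss://second-host:443
2017/04/13 12:38:32 client: 0.0.0.0:202#1: listen tcp4 0.0.0.0:5022: bind: address already in use
2017/04/13 12:38:33 client: Fingerprint 6e:37:2b:d4:76:28:35:12:36:a3:ae:b1:59:10:77:3e
2017/04/13 12:38:33 client: Sending configurating
2017/04/13 12:38:33 client: Connected (Latency 30.839892ms)
"""

# Shape of the listener-failure line as printed in the issue: the remote label
# ("0.0.0.0:202#1") and the local address that could not be bound are captured.
BIND_ERROR = re.compile(
    r"client: (?P<remote>\S+#\d+): listen tcp\d? (?P<addr>\S+): "
    r"bind: address already in use"
)


def find_bind_errors(log_text):
    """Return [(remote_label, local_addr), ...] for every listener that failed."""
    return [(m.group("remote"), m.group("addr"))
            for m in BIND_ERROR.finditer(log_text)]


def parse_local_port(remote_spec):
    """Local listen port of a chisel remote spec such as "5022::2022",
    "8001:80", "0.0.0.0:33389:192.168.1.102:3389", "3000" or "1080:socks".

    Assumption: the first numeric field among the first two is the local port.
    """
    fields = remote_spec.split(":")
    for field in fields[:2]:
        if field.isdigit():
            return int(field)
    raise ValueError(f"cannot find local port in {remote_spec!r}")


def local_port_is_free(port, host="0.0.0.0"):
    """True if nothing is currently bound to host:port.

    Binds without SO_REUSEADDR on purpose, so a port held by another listener
    (or lingering in TIME_WAIT) is reported busy, which is exactly what the
    second chisel client runs into.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return False
    return True


def preflight(remote_specs, host="0.0.0.0"):
    """Remote specs whose local port is already taken; refuse to launch if non-empty."""
    return [spec for spec in remote_specs
            if not local_port_is_free(parse_local_port(spec), host)]


def occupy_port(host="127.0.0.1"):
    """Stand-in for the first client's listener: bind an ephemeral port and return the socket."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s


if __name__ == "__main__":
    holder = occupy_port()
    port = holder.getsockname()[1]
    print("busy before launch:", preflight([f"127.0.0.1:{port}::2022"], "127.0.0.1"))
    holder.close()
    print("bind errors in log:", find_bind_errors(SAMPLE_LOG))
```

Run preflight() with the same remote specs you are about to pass to `chisel client`, and feed the client's stderr through find_bind_errors() in whatever supervises it; a non-empty result from either means the tunnel you think you have is someone else's.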
Hi.
Please add an option for custom HTTP headers in the client. These settings help many bypass the firewall.
User-Agent:CustomAgent
Host:CustomHost
X-Forwarded-Host:CustomHost
The current settings for bypassing the firewall are very bad -
User-Agent:Go-http-client/1.1
Please add this option.
I think many will say thank you to you.
And your program will be the best.
Please add a TLS capable listener to bypass 'smart' firewalls.
After a while of not using the chisel connections (30 minutes),
the connections are dead and seem not accessible.
2016/03/25 05:36:14 client: ghp:8123#1: conn#104: Close (sent 47380 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#507: Close (sent 0 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#512: Close (sent 0 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#517: Close (sent 233 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#514: Close (sent 0 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#509: Close (sent 0 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#510: Close (sent 0 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#515: Close (sent 215 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#516: Close (sent 223 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#504: Close (sent 207 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#505: Close (sent 233 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#518: Close (sent 207 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#513: Close (sent 0 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#519: Close (sent 207 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#506: Close (sent 0 received 0)
2016/03/25 05:36:40 client: ghp:8123#1: conn#511: Close (sent 0 received 0)
The connection was dead and could not read any data.
I force-killed the process and ran it again; the connection worked well.
So please add dead connection detection: when the connection is dead and cannot read any data for a limited time (3-30s), please disconnect and reconnect it.
Thanks.
I'm using nginx to proxy requests to chisel, there are several benefits if users can change the hostname of server address
Probable usage:
$ chisel client --hostname mydomain.com https://1.2.3.4 3000
the --hostname parameter will override the default server hostname.
I'm trying to get started with chisel by running the demo but I can't get client to connect.
~> docker run --rm -it jpillora/chisel client https://chisel-demo.herokuapp.com 3000
2016/06/28 10:15:58 client: Connecting to wss://chisel-demo.herokuapp.com:443
2016/06/28 10:15:59 client: Retrying in 100ms...
2016/06/28 10:16:00 client: Retrying in 200ms...
2016/06/28 10:16:01 client: Retrying in 400ms...
2016/06/28 10:16:02 client: Retrying in 800ms...
2016/06/28 10:16:04 client: Retrying in 1.6s...
2016/06/28 10:16:06 client: Retrying in 3.2s...
I can browse to the webpage in browser and get example.com output however.
Hello.
I am trying:
~/bin $ ./chisel_linux_amd64 server --port 9312 --socks5
2017/08/27 18:08:00 server: SOCKS5 Enabled
2017/08/27 18:08:00 server: Fingerprint 2b:01:b4:8b:26:a5:24:5a:e2:b8:02:fa:58:96:ee:35
2017/08/27 18:08:00 server: Listening on 9312
but got
./chisel_linux_amd64 client --fingerprint 2b:01:b4:8b:26:a5:24:5a:e2:b8:02:fa:58:96:ee:35 https://pacific-refuge-52999.herokuapp.com:9312 1080:socks
2017/08/27 21:10:49 client: Connecting to wss://pacific-refuge-52999.herokuapp.com:9312
2017/08/27 21:10:49 client: tunnel#1 127.0.0.1:1080=>socks: Listening
2017/08/27 21:10:50 client: Retrying in 100ms...
2017/08/27 21:10:52 client: Retrying in 200ms...
2017/08/27 21:10:53 client: Retrying in 400ms...
2017/08/27 21:10:55 client: Retrying in 800ms...
2017/08/27 21:10:57 client: Retrying in 1.6s...
What am I doing wrong?
telnet pacific-refuge-52999.herokuapp.com 9312
Trying 23.23.116.0...
Trying 23.21.155.56...
Trying 23.23.120.204...
Trying 23.23.117.76...
Trying 23.21.142.10...
Trying 23.21.45.51...
Trying 23.21.181.176...
Trying 23.23.126.158...
telnet: Unable to connect to remote host: Connection refused
ssh -L defaults to exposing the tunnel locally on localhost. If a chisel server is providing access to a port on its localhost, it seems like having the client keep its end of the tunnel on localhost is a safe default. As a user coming from ssh tunnelling, this not being the case was an unexpected difference.
vultr ~ # wget https://github.com/jpillora/chisel/releases/download/1.1.3/chisel_1.1.3_amd64.deb
vultr ~ # sudo dpkg -i chisel_1.1.3_amd64.deb
(Reading database ... 94889 files and directories currently installed.)
Preparing to unpack chisel_1.1.3_amd64.deb ...
Unpacking chisel (1.1.3) ...
dpkg: error processing archive chisel_1.1.3_amd64.deb (--install):
trying to overwrite '/usr/bin/test', which is also in package coreutils 8.25-2ubuntu2
dpkg-deb: error: subprocess paste was killed by signal (Broken pipe)
Errors were encountered while processing:
chisel_1.1.3_amd64.deb
I want to support manual TLS with certs and automatic with Let's Encrypt (see acmewrapper). However, this would require a tls.json file (or a set of files) to store TLS state, and with Let's Encrypt you'd also need to specify a hostname and you'd be restricted to port 80/443. All of this adds complexity so I ended up leaving TLS support out for now. Since the SSH protocol is already performing full authentication and encryption, I see TLS as an optional nice to have.
Encrypting the keys using the server key then storing them encrypted out in the open, in a public database somewhere might work... First I'd need to use a proper PBKDF for the server key.
Please mention any comments/ideas you have below
autossh allows using pkill -HUP autossh to make autossh attempt to reconnect immediately.
See https://linux.die.net/man/1/autossh "Controlling SSH".
Use case: When you have a 5 min timeout from the backoff, but you want it to connect immediately without having to restart the process.
I'm trying to run chisel server on an OpenShift application but it fails. I think this is because Apache is listening on port 8080 by default (not sure).
Command:
./chisel server --host $OPENSHIFT_GO_IP --port $OPENSHIFT_GO_PORT --proxy http://example.com
Error:
bind: address already in use
how?
I have OpenVPN server running on TCP/443. Is it possible to run it over chisel?
If yes, what commands should be issued on server and what on client?
Any help would be much appreciated.
On Ubuntu 16.04 there appears to be a conflict when installing via dpkg -i . The binary tries to install a file named test under /usr/bin but /usr/bin/test already exists as part of coreutils. Perhaps renaming to something more descriptive (and unique) would be better.
Hi, it's cool to have a tun device, so we can use chisel as a simple VPN solution :)
Would seem web sockets are now on the agenda for GAE. Thought I would just leave this here https://code.google.com/p/googleappengine/issues/detail?id=2535. Feel free to close. Might be nice to add to readme.
Please add the release for Windows 32-bit.
Hello, currently chisel has a built-in SOCKS server. I guess we can easily add an HTTP proxy server inside the chisel server.
I made a very tiny HTTP proxy server
We can put chisel into a docker image.
Here is my docker image
https://github.com/netroby/alpine-chisel
https://hub.docker.com/r/netroby/alpine-chisel/
and this is a guide on how to use the docker image
Both server and client need docker installed.
There is a proxy server listening on 127.0.0.1:8123 on the server (squid or polipo).
create a file /etc/chisel.json, with content
{
"USER:AVERYSTRONGPASSWORD": [
""
]
}
run command
docker run -d --restart=always --name chisel-server -v /etc/chisel.json:/etc/chisel.json -p 0.0.0.0:8719:8719 netroby/alpine-chisel /bin/chisel server -v --port 8719 --authfile /etc/chisel.json
$SERVER_IP will be your chisel server ip address
run command
docker run -d --restart=always --name chisel -p 0.0.0.0:8123:8123 netroby/alpine-chisel /bin/chisel client -v --keepalive 300s --auth USER:AVERYSTRONGPASSWORD $SERVER_IP:8719 8123
After it successfully connects to the chisel server, localhost:8123 will forward TCP connections to the remote server's proxy server port. You will have access to the free network.
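The guide above hand-writes /etc/chisel.json, and an earlier issue asks about building the auth file programmatically from a separate data source. The following Python is an added example, not chisel's own code or the guide author's: it generates strong per-user credentials, writes the file owner-only, and re-implements the server's access check so a pattern can be tested before it guards a real listener. The format (a "user:password" key mapping to a list of regular expressions matched against each requested remote's "host:port", with "" matching everything) is the one the guide and chisel's README use; that the server matches with Go's unanchored regexp.MatchString is this example's reading of the server code, and the "localhost" versus "127.0.0.1" alternation in the sample pattern is there because the host string the server sees depends on what the client sent.

```python
import json
import os
import re
import secrets
import tempfile


def new_password(nbytes=24):
    """URL-safe random password from the OS CSPRNG (secrets, never random.choice)."""
    return secrets.token_urlsafe(nbytes)


def build_authfile(users):
    """Map {"user": [regex, ...]} to (authfile dict, {user: password}).

    Patterns are compiled up front so a typo fails here rather than when the
    server loads the file; passwords are returned separately so they can be
    handed to clients without re-reading the file.
    """
    doc, passwords = {}, {}
    for user, patterns in users.items():
        if ":" in user:
            raise ValueError(f"user name must not contain ':': {user!r}")
        for pattern in patterns:
            re.compile(pattern)
        password = new_password()
        doc[f"{user}:{password}"] = list(patterns)
        passwords[user] = password
    return doc, passwords


def write_authfile(path, doc):
    """Write the JSON as mode 0600 from creation, so it is never world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(doc, fh, indent=2)
    os.chmod(path, 0o600)  # O_CREAT's mode is masked by umask and ignored for existing files


def load_authfile(path):
    """Refuse a group- or world-readable authfile before trusting it."""
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        raise PermissionError(f"{path} is mode {mode:04o}; expected 0600")
    with open(path) as fh:
        return json.load(fh)


def remote_allowed(doc, credential, remote):
    """Would a client presenting `credential` be allowed to open `remote` ("host:port")?

    Unanchored search, mirroring Go's regexp.MatchString as used in chisel's
    access check (assumption from reading the server code). A bare "8123"
    therefore also admits "10.0.0.1:81234"; anchor patterns with ^ and $.
    """
    patterns = doc.get(credential)
    if patterns is None:
        return False
    return any(re.search(pattern, remote) for pattern in patterns)


def roundtrip(users, directory=None):
    """Build, write and reload an authfile; returns (path, passwords, loaded doc)."""
    directory = directory or tempfile.mkdtemp(prefix="chisel-auth-")
    path = os.path.join(directory, "chisel.json")
    doc, passwords = build_authfile(users)
    write_authfile(path, doc)
    return path, passwords, load_authfile(path)


if __name__ == "__main__":
    path, passwords, doc = roundtrip({
        "proxy": [r"^(localhost|127\.0\.0\.1):8123$"],  # only the local squid/polipo port
        "admin": [""],                                   # everything, like the guide's entry
    })
    print(path, json.dumps(doc, indent=2), sep="\n")
    cred = f"proxy:{passwords['proxy']}"
    print("proxy -> localhost:8123:", remote_allowed(doc, cred, "localhost:8123"))
    print("proxy -> localhost:22:  ", remote_allowed(doc, cred, "localhost:22"))
```

The practical difference from the guide's `[""]` entry is that a leaked proxy credential can only reach the proxy port, not every service bound on the server's loopback.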
Hi,
It would be useful to be able to run the client in 'stdio' mode - that way it can be used as a ProxyCommand for SSH, eg
ssh -o ProxyCommand='chisel client mychiselserver stdio:%h:%p' myuser@somehost
To gain better connection performance, can we add a connection pool for the client?
The current client dials the remote when needed.
It's OK, but not very fast.
If there were a connection pool, it would gain better performance.
First off, let me begin by saying that Chisel is a brilliant little project for accomplishing a lot of useful tasks. I personally use Chisel to tunnel SSH traffic to containers and VMs.
However, this got me thinking- how do you propose to achieve zero-downtime maintenance and deployment of the chisel server? If there are existing tunnels already created and active, would it be possible to switch the connections over to the new chisel server instance?
Issue #8 mentions problems with reaching clients behind HTTP-only NAT/firewalls. Allowing a client to be a proxy endpoint would provide access to the client via the chisel server. For example, client A connects to client B via server:
[client A] <-> [server] <-> [client B] <-> ...
Possible API:
chisel server <server options>
#client B
chisel client --proxy B <client options> <server address>
#client A
chisel client <client options> <server address> B@3000
Where B@3000 is in the format <proxy name>@<chisel remote>
My use case is being able to SSH into 1000's of embedded devices that are behind a firewall. I've been looking at creating a supervisor app for your server that would listen on a std port for connection requests from devices, and then create new instances respectively. The supervisor app would also need to provide some sort of directory service to clients wishing to connect to devices.
Some firewalls will check the Host header in the request and see if it's in the white list. I wish there could be a command-line option to customize this field (and possibly, arbitrary header fields).
Hi, Thanks for all your good work. @jpillora and @morikat
Since ssh channels are used, is it possible to add remote port forwarding in the future?
Something like ssh clients do.
-R [bind_address:]port:host:hostport
Specifies that the given port on the remote (server) host is to
be forwarded to the given host and port on the local side.
During chisel's normal operation, I had this error:
ssh: handshake failed: websocket: close 1006 (abnormal closure): unexpected EOF
The client is on a bad network so that's probably what caused the error. The problem is that the tunnel went down for good and chisel didn't stop either.
If this kind of fatal error occurs, can you either:
Can it be related to this code ?
https://github.com/jpillora/chisel/blob/master/client/client.go#L160
It would be nice to have a client option to limit the retries to a specified amount of time, so it does not retry indefinitely.
This is useful to monitor the connection of "daemonized" tunnels; one can set up a bash script which opens the tunnel, and if chisel exits (because it fails to re-establish the connection in x amount of time) e.g. an alert email could be sent.
Currently chisel does not exit and tries to reconnect forever, which is hard to monitor from bash scripts.
Thanks for your reply!
I have chisel set up successfully and I've established an SSH tunnel between a remote host and my developer machine. I'm connected to the host using a webterm (https://github.com/chjj/tty.js).
I'm wondering if it's possible to use chisel to transfer files to and from my dev machine to the remote host?
Is it possible to set my machine up so that I can scp files to and from these machines, transferring the files using the tunnel that gets set up?
It would be awesome to see this offer reverse port forwards as well as local port forwards.
Does chisel client support --authfile?
I would prefer chisel read the configuration file from disk, and I do not want other users to view the password.
The current --auth puts the username and password in a command line argument. When using ps -aux | grep chisel, you will see the password.
It might not be safe.
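The concern above is real: argv is world-readable on Linux through ps and /proc/<pid>/cmdline, whereas a process's environment is readable only by the same user and root. The following Python launcher is an added example, not part of chisel or of this issue: it loads "user:pass" from a file it first checks is a regular, owner-owned, mode-0600 file, then execs the client with the credential in the environment and nothing secret in argv. It assumes chisel reads the credential from the AUTH environment variable when --auth is absent, which later chisel releases document; confirm with `chisel client --help` on your build. The server URL and remote in the usage are placeholders.

```python
import os
import stat
import tempfile


def write_private_credential(credential, directory=None, mode=0o600):
    """Create <directory>/chisel-auth holding "user:pass", owner-only by default.

    `mode` is a parameter only so the check below can be exercised; in real use
    leave it at 0600.
    """
    directory = directory or tempfile.mkdtemp(prefix="chisel-cred-")
    path = os.path.join(directory, "chisel-auth")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(credential + "\n")
    os.chmod(path, mode)
    return path


def read_private_credential(path):
    """Return "user:pass" from a file only its owner can read.

    Refuses anything that is not a regular file, is owned by another user, or
    is group/world accessible, so a credential exposed by loose permissions is
    not silently used.
    """
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path} is not a regular file")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path} is owned by uid {st.st_uid}, not {os.getuid()}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is mode {mode:04o}; expected 0600")
    with open(path) as fh:
        credential = fh.read().strip()
    if ":" not in credential:
        raise ValueError("credential must be user:password")
    return credential


def chisel_client_command(server, remotes, credential, keepalive="300s"):
    """argv and environment for `chisel client`, with the secret kept out of argv.

    Assumption: chisel takes the credential from the AUTH environment variable
    when --auth is not given (documented for later releases).
    """
    argv = ["chisel", "client", "-v", "--keepalive", keepalive, server, *remotes]
    env = dict(os.environ, AUTH=credential)
    return argv, env


def launch(server, remotes, credential_path):
    """Replace this process with chisel; the credential never touches the command line."""
    credential = read_private_credential(credential_path)
    argv, env = chisel_client_command(server, remotes, credential)
    os.execvpe(argv[0], argv, env)


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 4:
        sys.exit("usage: run_chisel.py CREDENTIAL_FILE SERVER REMOTE...")
    # e.g. run_chisel.py /etc/chisel-auth https://home-server:443 8123
    launch(sys.argv[2], sys.argv[3:], sys.argv[1])
```

The same pattern applies to the server side: the docker guide's authfile is already a file on disk, so the only thing to add there is the permission check before the container is given it.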
I have a situation where I have some embedded devices out in the field and they are all in a NAT environment. They can only call upstream on 80 and 443.
So I am hoping I could use this to connect to them via a public static in-between server, using Chisel.
But I am not sure. Can you let me know what you think?