package
0.4.0
Repository: https://github.com/opennhp/opennhp.git
Documentation: pkg.go.dev

# README

NHP-Server

架构设计

  1. Server启动时监听特定端口,等待Agent和AC进行连接。并由Agent或AC主动触发向Server的通信。不存在Server向Agent或AC主动建立连接的情况,通常情况下这种连接会跨防火墙或NAT导致不能建立。

    • 特殊情况:Server在收到Agent发起的敲门请求时,鉴权通过后需要主动向AC发起开门请求,并等待AC的回应。
  2. 发送消息时,向sendMsgCh发送创建好的MsgAssembler(必须从已有连接中指定ConnData)。MsgAssembler经过加密后会从此连接发出。

  3. 接收到报文时,会将报文进行解密获取明文消息。由msghandler分别进行处理。

NHP-Server配置文件

etc/config.json

{
  // (mandatory) the server's private key in base64 format. The value below is only an example: generate a fresh key for every deployment, never commit the real one, and restrict read access to this file.
  "privateKey": "eHdyRHKJy/YZJsResCt5XTAZgtcwvLpSXAiZ8DBc0V4=",
  // (mandatory) specify the udp listening port
  "listenPort": 62206,
  // whether to validate the peer's public key when receiving an NHP packet from an agent. If true, the server must hold a pre-recorded public key pool of all allowed agents (the "agents" field). If false, the server skips public key validation and also accepts agents whose key is not in the pool, which lowers the security level; keep it false in production.
  "disableAgentValidation": false,
  // list of preset allowed AC peers; only the public key and expire time are needed. Has the same effect as calling AddACPeer().
  "acs": [
    {
      // type: NHP-AC
      "type": 3,
      // public key in base64 format
      "pubKeyBase64": "Fr5jzZDVpNh5m9AcBDMtHGmbCAczHyPegT8IxQ3XAzE=",
      // expiry time of the public key (Unix time in seconds), after which the key should no longer be accepted
      "expireTime": 1716345064
    }
  ],
  // list of preset allowed agent peers; only the public key and expire time are needed. Has the same effect as calling AddAgentPeer().
  "agents": [
    {
      // type: NHP-Agent
      "type": 1,
      // public key in base64 format
      "pubKeyBase64": "WnJAolo88/q0x2VdLQYdmZNtKjwG2ocBd1Ozj41AKlo=",
      // expiry time of the public key (Unix time in seconds), after which the key should no longer be accepted
      "expireTime": 1716345064
    }
  ],
  // (optional) preset URLs of an external authorization service provider (ASP). The example uses plain http; use https for a real provider so that authorization requests and their responses are not sent in the clear.
  "asps": {
    "abc.com": {
      "aspId": "abc.com",
      "urlAddr": "http://120.92.16.228:30088",
      "urlOTP": "/nhp/api/v1/preAuth",
      "urlReg": "/nhp/api/v1/registerAgent",
      "urlAuth": "/nhp/api/v1/verifyAuth",
      "urlList": "/nhp/api/v1/resourceList"
    }
  },
  // (optional) additional source addresses that the AC should open together with a given agent IP address, keyed by that agent IP. Each entry widens what one successful knock opens, so list only hosts that genuinely accompany the agent.
  "srcAsscAddrs": {
    "192.168.2.27": [
      {
        "ip": "192.168.2.26",
        "port": 54222
      },
      {
        "ip": "192.168.2.28",
        "port": 54223
      }
    ]
  },
  // preset resources for udp knocking
  "udpRess": {
    // ID of authorization service provider
    "abc_group": {
      // ID of resource group
      "app_resource_group_000": {
        // skip the authorization service provider check and use this preset resource group directly: any agent the server accepts gets the resources below, so keep it false unless no ASP is in use
        "skipAuth": true,
        // set the desired open time for this resource group (in seconds)
        "opnTime": 120,
         "resInfo": {
          // name of resource
          "apiServer": {
            // (optional) hostname overrides addr.ip at knock feedback
            "host": "api.abc.com",
            // (mandatory) request ac to open which layer 4 address and protocol of this resource
            "addr": {
              // (mandatory) request the ac to open traffic destined to the public IP address of this resource
              "ip": "12.34.56.78",
              // (optional) request the ac to open traffic destined to the port number this resource listens on. Empty or 0 opens all ports on this IP, so set it whenever the resource uses a fixed port.
              "port": 443,
              // (optional) protocol, "tcp": request ac to open only tcp traffic, "udp": request ac to open only udp traffic, empty: request ac to open tcp + udp + icmp echo traffic
              "proto": "tcp"
            },
          }
         }
      }
    }
  },
  // preset resources for http knocking
  "httpRess": {
    // ID of authorization service provider
    "abc_group": {
      // ID of the resource group, usually it means AppId
      "app_resource_group_001": {
        // set the desired open time for this resource group (in seconds)
        "opnTime": 120,
        // contains multiple resources
        "resInfo": {
          // name of resource
          "apiServer": {
            // (optional) hostname overrides addr.ip at knock feedback
            "host": "api.abc.com",
            // (mandatory) request ac to open which layer 4 address and protocol of this resource
            "addr": {
              // (mandatory) request the ac to open traffic destined to the public IP address of this resource
              "ip": "12.34.56.78",
              // (optional) request the ac to open traffic destined to the port number this resource listens on. Empty or 0 opens all ports on this IP, so set it whenever the resource uses a fixed port.
              "port": 443,
              // (optional) protocol, "tcp": request ac to open only tcp traffic, "udp": request ac to open only udp traffic, empty: request ac to open tcp + udp + icmp echo traffic
              "proto": "tcp"
            },
            // (optional) the private layer 4 address of the ac. In some network, server may communicate with ac using private addresses. 
            "acAddr": {
              "ip": "172.16.1.2",
              "port": 443
            },
            // whether to append ":port" to the hostname/ip in the knock feedback. For example, set this to false when the resource uses https and the ac is asked to open port 443.
            "portSuffix": false
          },
          // another resource
           "webServer": {
            "host": "www.abc.com",
            "addr": {
              "ip": "23.45.67.89",
              "port": 8080,
              "proto": ""
            },
            "portSuffix": true
          }
        },
        // (optional) credentials the server uses when calling the provider's further authorization APIs. The values below are placeholders; real secrets belong in a file with restricted permissions, not in a shared or committed config.
        "accessKey": "b3458c581ef0efb7b669",
        "secretKey": "f21c2a02c09a641a11cf"
      }
    },
    // another authorization service provider
    "xyz_org": {
      "abcd1234": {
        "opnTime": 120,
        "resInfo": {
          "udpServer": {
            "host": "server.xyz.net",
            "addr": {
              "ip": "1.2.3.4",
              "port": 443,
              "proto": "udp"
            },
            "portSuffix": false
          }
        },
        // (optional) credentials the server uses when calling the provider's further authorization APIs. The values below are placeholders; real secrets belong in a file with restricted permissions, not in a shared or committed config.
        "appKey": "demo-l2T0J3U3mQZ3",
        "appSecret": "hVqd8eOqCFg5cc1D2ouACs3q"
      }
    }
  }
}

# Packages


# Functions

LoadFilesRecursively loads HTML and template files recursively from the specified directory and adds them to the given gin.Engine.

# Constants

second.
90 seconds.
20 seconds.
300 seconds to delete idle connection.
30 seconds to delete idle connection.
second, align with ipset default timeout.
second.
80%.
block source address if packet precheck errors exceeds this count.
