From 76d0b67c5a6f19d5c53af16f0afc94d3954987d8 Mon Sep 17 00:00:00 2001 From: Bruno Antunes Date: Sat, 23 Mar 2019 11:12:21 +0000 Subject: [PATCH] Adds documentation on subdomain requesting, and CIDR range/country whitelisting --- README.md | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 6f2d754..355f9d1 100644 --- a/README.md +++ b/README.md @@ -27,6 +27,14 @@ Builds are made automatically on Google Cloud Build and Dockerhub. Feel free to 3. SSH to your host to communicate with sish - `ssh -p 2222 -R 80:localhost:8080 ssi.sh` +You can choose your own instead of relying on a randomly assigned one by setting +the `-sish.bindrandom` option to `false` and then selecting a subdomain with ( +example for `foo`): + +`ssh -p 2222 -R foo:80:localhost:8080 ssi.sh` + +If the selected subdomain is not taken, it will be assigned to your connection. + ## How it works SSH can normally forward local and remote ports. This service implements an SSH server that only does that and nothing else. The service supports multiplexing connections over HTTP/HTTPS with WebSocket support. Just assign a remote port as port `80` to proxy HTTP traffic and `443` to proxy HTTPS traffic. If you use any other remote port, the server will listen to the port for connections, but only if that port is available. 
@@ -41,11 +49,20 @@ sish@sish0:~/sish/pubkeys# curl https://github.com/antoniomika.keys > antoniomik This will load my public keys from GitHub, place them in the directory that sish is watching, and then load the pubkey. As soon as this command is run, I can SSH normally and it will authorize me. +## Whitelisting IPs + +Whitelisting IP ranges or countries is also possible. Whole CIDR ranges can be +specified with the `-sish.whitelistedips` option that accepts a comma-separated string like "192.30.252.0/22,185.199.108.0/22". If you want to whitelist a single +IP, use the `/32` range. + +To whitelist countries, use `sish.whitelistedcountries` with a comma-separated +string of countries in ISO format (for example, "pt" for Portugal). + ## Demo There is a demo service (and my private instance) currently running on `ssi.sh` that doesn't require any authentication. This service provides default logging (errors, connection IP/username, and pubkey fingerprint). I do not log any of the password authentication data or the data sent within the service/tunnels. My deploy uses the exact deploy steps that are listed above. This instance is for testing and educational purposes only. You can deploy this extremely easily on any host (Google Cloud Platform provides an always-free instance that this should run perfectly on). If the service begins to accrue a lot of traffic, I will enable authentication and then you can reach out to me to get your SSH key whitelisted (make sure it's on GitHub and you provide me with your GitHub username). ## Notes -1. This is by no means production ready in any way. This was hacked together and solves a fairly specific use case. +1. This is by no means production ready in any way. This was hacked together and solves a fairly specific use case. - You can help it get production ready by submitting PRs/reviewing code/writing tests/etc 2. This is a fairly simple implementation, I've intentionally cut corners in some places to make it easier to write. 3. 
If you have any questions or comments, feel free to reach out via email [me@antoniomika.me](mailto:me@antoniomika.me) or on [freenode IRC #sish](https://kiwiirc.com/client/chat.freenode.net:6697/#sish) @@ -104,4 +121,4 @@ Usage of ./sish: A comma separated list of whitelisted countries -sish.whitelistedips string A comma separated list of whitelisted ips -``` \ No newline at end of file +```
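Review bot: in the first hunk (the subdomain paragraph added after step 3), the sentence "You can choose your own instead of relying on a randomly assigned one" is missing its noun; it should read "You can choose your own subdomain instead of relying on a randomly assigned one", and the parenthetical "( example for `foo`)" is broken across the line break, which renders as a stray "(" at the end of the line. The paragraph also only covers the success case ("If the selected subdomain is not taken, it will be assigned to your connection"); since a requested name is first-come-first-served, the docs should say what the user sees when the name is already held by another connection (rejection, or fallback to a random name), so operators and users can tell a squatted name from a typo.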
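Review bot: in the "Whitelisting IPs" hunk, the option name is inconsistent: the IP option is written `-sish.whitelistedips` with the leading dash, but the country option is written `sish.whitelistedcountries` without it, while the usage listing in the last hunk shows both as `-sish.whitelistedcountries` and `-sish.whitelistedips`; add the dash. "ISO format" is vague given the example "pt"; say "ISO 3166-1 alpha-2 country codes" so readers do not try three-letter codes. The "use the `/32` range" hint is IPv4-specific; if the option also accepts IPv6 addresses, mention `/128` for a single address, otherwise state that only IPv4 CIDRs are accepted. Finally, the section does not say how the two options combine (whether a connection must match both lists or either), which is the detail an operator needs to predict what a whitelist actually blocks.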