intercept.v1.json
{
"$id": "http://edge.openziti.org/schemas/intercept.v1.config.json",
"additionalProperties": false,
"definitions": {
"dialAddress": {
"format": "idn-hostname",
"not": {
"pattern": "^$"
},
"type": "string"
},
"inhabitedSet": {
"minItems": 1,
"type": "array",
"uniqueItems": true
},
"listenAddress": {
"description": "The idn-hostname format accepts IPv4 and IPv6 addresses, as well as hostnames that happen to contain '*' and/or '/', so it admits every supported intercept address. However, this format validates IP addresses, wildcards and CIDRs only as hostnames, not as IPs, wildcards or CIDRs. Client applications will need to look for _valid_ IPs, CIDRs and wildcards when parsing intercept addresses and treat them accordingly; anything else should be interpreted as a DNS label. For example, '1.2.3.4/56' should be treated as a DNS label, since it is not a valid CIDR.",
"format": "idn-hostname",
"not": {
"pattern": "^$"
},
"type": "string"
},
"portNumber": {
"maximum": 65535,
"minimum": 0,
"type": "integer"
},
"portRange": {
"additionalProperties": false,
"properties": {
"high": {
"$ref": "#/definitions/portNumber"
},
"low": {
"$ref": "#/definitions/portNumber"
}
},
"required": [
"low",
"high"
],
"type": "object"
},
"protocolName": {
"enum": [
"tcp",
"udp"
],
"type": "string"
},
"timeoutSeconds": {
"maximum": 2147483647,
"minimum": 0,
"type": "integer"
}
},
"properties": {
"addresses": {
"allOf": [
{
"$ref": "#/definitions/inhabitedSet"
},
{
"items": {
"$ref": "#/definitions/listenAddress"
}
}
]
},
"dialOptions": {
"additionalProperties": false,
"properties": {
"connectTimeoutSeconds": {
"$ref": "#/definitions/timeoutSeconds",
"description": "Defaults to 5 seconds if no dialOptions are defined, and to 15 seconds if dialOptions are defined but connectTimeoutSeconds is not specified."
},
"identity": {
"description": "Dial a terminator with the specified identity. '$dst_protocol', '$dst_ip' and '$dst_port' are resolved to the corresponding values of the destination address.",
"type": "string"
}
},
"type": "object"
},
"portRanges": {
"allOf": [
{
"$ref": "#/definitions/inhabitedSet"
},
{
"items": {
"$ref": "#/definitions/portRange"
}
}
]
},
"protocols": {
"allOf": [
{
"$ref": "#/definitions/inhabitedSet"
},
{
"items": {
"$ref": "#/definitions/protocolName"
}
}
]
},
"sourceIp": {
"description": "The source IP (and optional :port) to spoof when the connection is egressed from the hosting tunneler. '$tunneler_id.name' resolves to the name of the client tunneler's identity. '$tunneler_id.tag[tagName]' resolves to the value of the 'tagName' tag on the client tunneler's identity. '$src_ip' and '$src_port' resolve to the source IP / port of the originating client. '$dst_port' resolves to the port that the client is trying to connect to.",
"type": "string"
}
},
"required": [
"protocols",
"addresses",
"portRanges"
],
"type": "object"
}