apps/wstunnel
1
0
Fork 0
mirror of https://github.com/erebe/wstunnel.git synced 2025-12-24 13:47:51 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
main
wstunnel/restrictions.yaml
Erèbe - Romain Gerard 97ddf47978 Update restrictions.yaml with Unix socket rule 
Added restriction for reverse tunnel on Unix socket.
2025-11-26 09:10:19 +01:00

129 lines
3.9 KiB
YAML
Raw Permalink Blame History

# Restrictions are whitelist rules for the tunnels
# By default, all requests are denied and only if a restriction match, the request is allowed
restrictions:
- name: "Allow all"
description: "This restriction allows all requests"
# This restriction apply only and only if all matchers match/are evaluated to true
# It is a logical AND
match:
# This match apply only if it succeeds to match the path prefix with the given regex
# The regex does a match, so if you want to match exactly you need to bound the pattern with ^ $
# I.e: "tesotron" is going to match "XXXtesotronXXX", but "^tesotron$" is going to match only "tesotron"
- !PathPrefix "^.*$"
# This match applies only if it succeeds to match the Authentication Header with the given regex.
# If present, Authentication Header must exists and must match the regex.
# - !Authorization "^[Bb]earer +actual_bearer_token_to_match$"
# The only other possible match type for now is !Any, that match everything/any request
# - !Any
# This is the list of tunnels your restriction is going to allow
# The list is checked in order, the first match is going to allow the request
allow:
# !Tunnel allows forward tunnels
- !Tunnel
# Protocol that are allowed. Empty list means all protocols are allowed
# Logical OR
protocol:
- Tcp
- Udp
# Port that are allowed. Can be a single port or an inclusive range (i.e. 80..90)
# Logical OR
port:
- 80
- 443
- 8080..8089
# if the tunnel wants to connect to a specific host, this regex must match
host: ^.*$
# if the tunnel wants to connect to a specific IP, it must be included in one of the network cidr
# Logical OR
cidr:
- 0.0.0.0/0
- ::/0
# !ReverseTunnel allows reverse tunnels
# Not specifying anything means all reverse tunnels are allowed
- !ReverseTunnel
protocol:
- Tcp
- Udp
- Socks5
- Unix
port:
- 1..65535
# Maps ports on the server side from X to Y (X:Y). For example with 10001:8080 configured and a client
# which connects using '-R tcp://10001:localhost:80' the server will listen on port 8080 instead of 10001.
# The originally requested ports (NOT the mapped ports) need to be allowed via the 'ports' directive.
port_mapping:
- 10001:8080
cidr:
- 0.0.0.0/0
- ::/0
unix_path: "^.*$"
---
# Examples
restrictions:
- name: "example 1"
description: "Only allow forward tunnels to port 443 and forbid reverse tunnels"
match:
- !PathPrefix "^.*$"
allow:
- !Tunnel
port:
- 443
---
restrictions:
- name: "example 2"
description: "Only allow forward tunnels to local ssh and forbid reverse tunnels"
match:
- !PathPrefix "^.*$"
allow:
- !Tunnel
protocol:
- Tcp
port:
- 22
host: ^localhost$
cidr:
- 127.0.0.1/32
---
restrictions:
- name: "example 3"
description: "Only allow socks5 reverse tunnels listening on port between 1080..1443 on lan network"
match:
- !PathPrefix "^.*$"
allow:
- !ReverseTunnel
protocol:
- Socks5
port:
- 1080..1443
cidr:
- 192.168.0.0/16
---
restrictions:
- name: "example 4"
description: "Allow everything for client using path prefix my-super-secret-path"
match:
- !PathPrefix "^my-super-secret-path$"
allow:
- !Tunnel
- !ReverseTunnel
---
restrictions:
- name: "example 5"
description: "Forbid everything ..."
match:
- !Any
allow: []
---
restrictions:
- name: "example 6"
description: "Allow reverse tunnel for Unix socket on /tmp/xxxx "
match:
- !Any
allow:
- !ReverseTunnel
unix_path: "^/tmp/"
Reference in New Issue View Git Blame Copy Permalink