wstunnel/restrictions.yaml

# Restrictions are whitelist rules for the tunnels
# By default, all requests are denied and only if a restriction match, the request is allowed
restrictions:
  - name: "Allow all"
    description: "This restriction allows all requests"
    # This restriction apply only and only if all matchers match/are evaluated to true
    # It is a logical AND
    match:
      # This match apply only if it succeeds to match the path prefix with the given regex
      # The regex does a match, so if you want to match exactly you need to bound the pattern with ^ $
      # I.e: "tesotron" is going to match "XXXtesotronXXX", but "^tesotron$" is going to match only "tesotron"
      - !PathPrefix "^.*$"
      # This match applies only if it succeeds to match the Authentication Header with the given regex.
      # If present, Authentication Header must exists and must match the regex.
      # - !Authorization "^[Bb]earer +actual_bearer_token_to_match$"
      # The only other possible match type for now is !Any, that match everything/any request
      # - !Any

    # This is the list of tunnels your restriction is going to allow
    # The list is checked in order, the first match is going to allow the request
    allow:
      # !Tunnel allows forward tunnels
      - !Tunnel
        # Protocol that are allowed. Empty list means all protocols are allowed
        # Logical OR
        protocol:
          - Tcp
          - Udp
        # Port that are allowed. Can be a single port or an inclusive range (i.e. 80..90)
        # Logical OR
        port:
          - 80
          - 443
          - 8080..8089

        # if the tunnel wants to connect to a specific host, this regex must match
        host: ^.*$
        # if the tunnel wants to connect to a specific IP, it must be included in one of the network cidr
        # Logical OR
        cidr:
          - 0.0.0.0/0
          - ::/0

      # !ReverseTunnel allows reverse tunnels
      # Not specifying anything means all reverse tunnels are allowed
      - !ReverseTunnel
        protocol:
          - Tcp
          - Udp
          - Socks5
          - Unix
        port:
          - 1..65535
        # Maps ports on the server side from X to Y (X:Y). For example with 10001:8080 configured and a client
        # which connects using '-R tcp://10001:localhost:80' the server will listen on port 8080 instead of 10001.
        # The originally requested ports (NOT the mapped ports) need to be allowed via the 'ports' directive.
        port_mapping:
          - 10001:8080
        cidr:
          - 0.0.0.0/0
          - ::/0

---
# Examples
restrictions:
  - name: "example 1"
    description: "Only allow forward tunnels to port 443 and forbid reverse tunnels"
    match:
      - !PathPrefix "^.*$"
    allow:
      - !Tunnel
        port:
          - 443
---
restrictions:
  - name: "example 2"
    description: "Only allow forward tunnels to local ssh and forbid reverse tunnels"
    match:
      - !PathPrefix "^.*$"
    allow:
      - !Tunnel
        protocol:
          - Tcp
        port:
          - 22
        host: ^localhost$
        cidr:
          - 127.0.0.1/32
---
restrictions:
  - name: "example 3"
    description: "Only allow socks5 reverse tunnels listening on port between 1080..1443 on lan network"
    match:
      - !PathPrefix "^.*$"
    allow:
      - !ReverseTunnel
        protocol:
          - Socks5
        port:
          - 1080..1443
        cidr:
          - 192.168.0.0/16
---
restrictions:
  - name: "example 4"
    description: "Allow everything for client using path prefix my-super-secret-path"
    match:
      - !PathPrefix "^my-super-secret-path$"
    allow:
      - !Tunnel
      - !ReverseTunnel
---
restrictions:
  - name: "example 5"
    description: "Forbid everything ..."
    match:
      - !Any
    allow: []