Using ngrok for intranet penetration

Intranet through

Intranet through , namely NAT through , Let the computer nodes of the external network and the internal network connect and communicate .
Sometimes we need to access our LAN applications from the Internet , At this time, you need to use the intranet penetration technology .

NAT

NAT The full English name is “Network Address Translation”, Chinese meaning “ Network address translation ”, It's a IETF(Internet Engineering Task Force, Internet Engineering task force ) standard , Allow a whole organization to share a common IP（Internet Protocol） The address appears in Internet On . seeing the name of a thing one thinks of its function , It's a way to put an internal private network address （IP Address ） Translated into legal network IP Address technology .
NAT You can connect those internal networks that use private addresses to Internet Or other IP On the Internet .NAT The router sends packets from the internal network to the public network , stay IP The header of the packet converts the private address into a legal IP Address .

Ngrok

ngrok It's a reverse agent , By running on a common endpoint and locally Web Set up a secure channel between servers .ngrok Capture and analyze traffic on all channels , Convenient for later analysis and playback .
To put it bluntly, it is a tool for intranet penetration .

Ngrok working principle

ngrok It is divided into server and client .
ngrok The server and client programs with certificate encryption will be generated according to the configured domain name .
ngrok After the server program starts , Will listen for links from the client .
When the client starts , After verification, the server and client will establish a TCP Connection channel . The client maintains the heartbeat . After all, the server cannot actively contact the client . When the connection is established , The server will record the configuration when the client starts url And channel information . Make a mapping . It can be understood that the connection is a master process .
When the user has data and needs to request services in the client , The server will find the established channel according to the requested domain name , Transmit some control information to the client . The main idea is to let the client initiate a data transmission channel . Then the subsequent transmission data will go through the newly established data channel . It can be understood as worker process .
To put it bluntly ngrok It is a traffic transfer station . Through certain agreements , A tool responsible for establishing transmission channels between the public network and the intranet .
therefore ngrok A public network server must be used for transfer .

Ngrok Use

install

This paper introduces the use of docker Installation mode .
ngrok There is no official docker Mirror image . So from github Found one on to build ngrok Mirrored items .
thank https://github.com/hteen/docker-ngrok
I modified something . One is to change go The version of is the latest version . Changed ngrok by github The version library with the most stars on . Changed n Ports .
Revised Dockerfile The documents are as follows ：

FROM golang:1.11-alpine3.8

RUN apk add --no-cache git make openssl

RUN git clone https://github.com/inconshreveable/ngrok.git /ngrok

ADD *.sh /

ENV DOMAIN **None**
ENV MY_FILES /myfiles
ENV TUNNEL_ADDR :8880
ENV HTTP_ADDR :80
ENV HTTPS_ADDR :443

EXPOSE 8880
EXPOSE 80
EXPOSE 443

CMD /bin/sh

You can use the above Dockerfile file . You can also use the original author's default .
Now let's start to introduce the use process .
1. Generate docker Mirror image , Enter into docker-ngrok root directory

docker build -t ngrok .

2. Generate ngrok Server and client programs

docker run --rm -it -e DOMAIN="ngrok. domain name .com" -v /usr/local/ngrok/data/:/myfiles ngrok /bin/sh /build.sh

3. Run the server program

docker run -idt --name ngrok-server\
-e DOMAIN="ngrok. domain name .com" \ -p 8880:80 \ -p 8883:443 \ -p 8885:8880 \ -v /usr/local/ngrok/data/:/myfiles ngrok:v1 /bin/sh /server.sh

4. To configure nginx Reverse proxy , Refer to note 2

Domain name resolution

Add two domain name resolutions , That is, the domain name configured above ：
ngrok. domain name
*.ngrok. domain name

Client side usage

Take the above steps 2 Download the generated client program . The directory is the directory you mounted .
for example linux Next , download linux Version of the client ：
1. Create a new one ngrok.cfg Configuration file for

server_addr: "ngrok. domain name .com:8885"
trust_host_root_certs: false

2. Execute the following command

./ngrok -subdomain sonar -config=ngrok.cfg 192.168.0.111:9000

3. See the following , It indicates that the intranet penetration is successful

Tunnel Status                 online                                            
Version                       1.7/1.7                                           
Forwarding                    http://sonar.ngrok. domain name .com -> 192.168.0.111:90000
Forwarding                    https://sonar.ngrok. domain name .com -> 192.168.0.111:9000
Web Interface                 127.0.0.1:4040                                    
# Conn 9 
Avg Conn Time                 96.07ms   

browser

visit http://sonar.ngrok. domain name .com You can access the services deployed on the intranet through the external network .

matters needing attention

1.ngrok By default 80 and 443 port , My machine has been installed with nginx, To avoid port conflicts , When I start the container, I put the 8880 Inside the mapping container 80 port ,8883 mapping 443 port .
2. If... Is used 1 How to do it , Need configuration nginx Reverse proxy , Listening for domain names 80 port , Point to the local 8880 port . Also, to avoid entering the port number every time , You can also configure nginx Reverse proxy to solve . Here's the configuration nginx An example of reverse proxy ：

server {
     listen       80;
     server_name  ngrok. domain name  *.ngrok. domain name ;
     location / {
             proxy_redirect off;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_pass http://127.0.0.1:8880;
     }
 }
 server {
     listen       443;
     server_name  ngrok. domain name  *.ngrok. domain name ;
     location / {
             proxy_redirect off;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_pass http://127.0.0.1:8883;
     }
 }

3. If you are using Alibaba cloud ECS do ngrok Service for , Remember to configure the access port rules of the channel port . For example, the channel port I configured is 8885, You need to open it on the Alibaba cloud console TCP8885 Network access port of .