NYTTH: Manage your corporate networking effortlessly. Automated, organized tunnel building with sshuttle + supervisord + YAML
Detailed description of the Python project no-you-talk-to-the-hand
Access all of your corporate resources and web resources at the same time, without the fuss.
You need this if you are being worn down by:
- seeing the "talk to the hand" page from the corporate web proxy/filter
- too many places and too many ways to set up tunnels/proxies
- tunnels silently dropping
- forgetting to bring tunnels up by hand after logging into the VPN
- re-entering ssh credentials over and over (key-based authentication is not allowed everywhere)
No, You Talk To The Hand (nyttth) helps by providing a straightforward combination of sshuttle for the heavy network lifting, supervisord for keeping everything running and managed, and YAML for keeping it simple and organized.
Works on Linux and MacOS, but not on MS Windows, although sshuttle has a workaround for Windows here.
Features
- sets up tunnels automatically when the VPN connects
- shuts your tunnels down automatically when your VPN disconnects
- keeps tunnels up whenever they should be up
- organizes tunnels with one simple YAML config
- enters passwords for you as needed (sshpass is required for now)
- supports multiple VPNs (roots). Have different VPNs that need separate tunnels? Define them all in one place, and only the tunnels that depend on a VPN that is up will be established
- supports any number of simultaneous tunnels (thanks to sshuttle)
- supports nested dependencies. Example: (qa_db, prod_db) --depends on--> (corp private) --depends on--> (corp VPN)
A single config.yml replaces all of your tunnel scripts/aliases, the ssh settings inside database tools, application-specific web proxy settings, and so on:
HOST_PERSONAL_PROXY: &HOST_PERSONAL_PROXY 192.168.1.X
PROXY_USER: &PROXY_USER proxy.username
CORP_USER: &CORP_USER company.username
CORP_PASS: &CORP_PASS pA$$wuuuurd

# Define the corporate subnets. SUBNETS_CORP_ALL encompasses addresses that will already be sent
# through your default network interface to the company network. This var is defined for exclusion
# from other tunnels which will override your system defaults. SUBNETS_CORP_RESTRICTED is used
# to forward a subset of corporate traffic through a jump server in order to reach hosts that are
# not reachable directly on the VPN.
SUBNETS_CORP_ALL: &SUBNETS_CORP_ALL
  - "10.0.0.0/8"
SUBNETS_CORP_RESTRICTED: &SUBNETS_CORP_RESTRICTED
  - "10.0.1.0/24"
  - "10.0.2.0/24"

# Define several special destinations on the corporate network. HOST_CORP_JUMP defines the host
# through which all protected subnets must be accessed. HOST_CORP_PRIVILEGED_APP and HOST_CORP_SECURE_DB
# define an application server and database where the database can only be reached from the
# application server. Reaching the database will require a nested tunnel.
HOST_CORP_JUMP: &HOST_CORP_JUMP 10.0.0.1
HOST_CORP_PRIVILEGED_APP: &HOST_CORP_PRIVILEGED_APP 10.0.1.1
HOST_CORP_SECURE_DB: &HOST_CORP_SECURE_DB 10.0.2.1

# Global config options
log_level: DEBUG           # Python log level. Default is DEBUG
monitor_poll_seconds: 5    # Monitor thread wakeup (may be exceeded by a long tunnel check). Default is 20

tunnels:
  # Watch for connection to corporate VPN. This is the 'root', external tunnel.
  # In this configuration, if the corporate jump server is available, then the vpn is up.
  vpn:
    check:
      host: *HOST_CORP_JUMP
      port: 22

  # Bypass corporate network policies for web browsing, skype, streaming music, etc.
  # You must have a proxy server available that is outside the corporate network. If
  # you don't have one, this project is still useful for accessing restricted
  # resources within the corporate network.
  personal:
    depends: vpn
    proxy:
      host: *HOST_PERSONAL_PROXY
      user: *PROXY_USER
      pass:
    check:
      # instead of an ip and port, a check target can be a url for an http check
      url: https://twitter.com/
    forwards:
      # includes and excludes. items can be ips, subnets, or lists of ip/subnets.
      include:
        # By default, forward everything through the personal proxy
        - 0/0
      exclude:
        # exclude home network and anything corporate
        - 192.168.0.0/16
        - *SUBNETS_CORP_ALL

  # Forward traffic destined for restricted subnets through a corporate jump server.
  corp_sec:
    depends: vpn
    proxy:
      host: *HOST_CORP_JUMP
      user: *CORP_USER
      pass: *CORP_PASS
    # verify by checking ssh access to the privileged app server
    check:
      # If the application server is reachable, this tunnel is up
      host: *HOST_CORP_PRIVILEGED_APP
      port: 22
    forwards:
      # Include anything destined for a secured corporate subnet
      include:
        - *SUBNETS_CORP_RESTRICTED

  # Tunnel to access a secure db server from a privileged app server. This tunnel depends
  # on corp_sec being established. For traffic destined for the DB, this rule will
  # fire first and the traffic will be forwarded through the APP server, however traffic
  # destined for the APP server is forwarded through the JUMP server.
  prod_db:
    depends: corp_sec
    proxy:
      host: *HOST_CORP_PRIVILEGED_APP
      user: *CORP_USER
      pass: *CORP_PASS
    check:
      driver: mysql+pymysql
      db: testdb
      user: testuser
      pass: testpass
      host: 10.0.2.1
      port: '3306'
    forwards:
      # includes and excludes. items can be ips, subnets, or lists of ip/subnets.
      include:
        - *HOST_CORP_SECURE_DB
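The example config above, worked through in Python as an added example that is not nyttth's own code: it flattens the nested include/exclude lists (the config allows lists of ip/subnet lists via YAML aliases) into validated network objects with the standard library's ipaddress module, treats `0/0` as sshuttle's "everything" shorthand, and answers, for a constructed destination address, which tunnel's sshuttle instance would carry it. The tunnel dictionary mirrors the YAML above with anchors replaced by shared Python lists so it runs offline without a YAML parser; the "most specific include wins, excludes are honoured first" rule is an assumption taken from the config's comments about prod_db, not behaviour verified against sshuttle's firewall rules.

```python
# Added example, not part of nyttth: resolve the forwards of the config above
# and decide which tunnel a destination would be sent through.
import ipaddress
from typing import List, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed stand-ins for the YAML anchors in the config above.
SUBNETS_CORP_ALL = ["10.0.0.0/8"]
SUBNETS_CORP_RESTRICTED = ["10.0.1.0/24", "10.0.2.0/24"]
HOST_CORP_JUMP = "10.0.0.1"
HOST_CORP_PRIVILEGED_APP = "10.0.1.1"
HOST_CORP_SECURE_DB = "10.0.2.1"

# The 'tunnels:' section of the config, with aliases resolved to shared lists
# exactly as a YAML parser would do.
TUNNELS = {
    "vpn": {"check": {"host": HOST_CORP_JUMP, "port": 22}},
    "personal": {
        "depends": "vpn",
        "proxy": {"host": "192.168.1.X"},
        "forwards": {"include": ["0/0"],
                     "exclude": ["192.168.0.0/16", SUBNETS_CORP_ALL]},
    },
    "corp_sec": {
        "depends": "vpn",
        "proxy": {"host": HOST_CORP_JUMP},
        "forwards": {"include": [SUBNETS_CORP_RESTRICTED]},
    },
    "prod_db": {
        "depends": "corp_sec",
        "proxy": {"host": HOST_CORP_PRIVILEGED_APP},
        "forwards": {"include": [HOST_CORP_SECURE_DB]},
    },
}


def flatten(items) -> List[Net]:
    """Flatten nested ip/subnet lists into strict network objects.
    '0/0' is sshuttle's shorthand for everything; a bare ip becomes a /32."""
    out: List[Net] = []
    for item in items:
        if isinstance(item, list):
            out.extend(flatten(item))
        else:
            text = "0.0.0.0/0" if item == "0/0" else item
            # strict=True rejects host bits set in a subnet, e.g. 10.0.1.5/24
            out.append(ipaddress.ip_network(text, strict=True))
    return out


def forwards_for(name: str):
    """(include, exclude) network lists for one tunnel; roots have none."""
    fw = TUNNELS[name].get("forwards", {})
    return flatten(fw.get("include", [])), flatten(fw.get("exclude", []))


def tunnel_for(dest: str) -> Optional[str]:
    """Pick the tunnel whose include most specifically covers dest, skipping
    tunnels whose exclude matches. Assumed tie-break: longest prefix wins.
    None means the address stays on the default interface (e.g. the VPN)."""
    addr = ipaddress.ip_address(dest)
    best, best_len = None, -1
    for name in TUNNELS:
        include, exclude = forwards_for(name)
        if any(addr in net for net in exclude):
            continue
        for net in include:
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


if __name__ == "__main__":
    # Constructed sample destinations covering each branch of the config.
    for dest in ["8.8.8.8", "192.168.1.5", "10.0.0.1", "10.0.1.1", "10.0.2.1"]:
        print("%-12s -> %s" % (dest, tunnel_for(dest) or "default interface"))
```

Running the block shows the behaviour the config comments describe: public addresses go through the personal proxy, the home network and the corporate /8 stay on the default interface (so the jump host 10.0.0.1 is reached over the VPN itself), the app server is carried by corp_sec, and the database host is carried by the nested prod_db tunnel because its /32 include is more specific than corp_sec's /24.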
Installation
$ pip install no_you_talk_to_the_hand
If the pip install fails with an error like "tlsv1_alert_protocol_version", you may need to upgrade pip first:
$ curl https://bootstrap.pypa.io/get-pip.py | python
If a password is configured for any remote server, sshpass is required.
sshuttle needs root/admin privileges to change forwarding rules. If your system prompts the user for a sudo password, you may run into an error like "sudo: no tty present and no askpass program specified". The quick fix is to set the NOPASSWD flag in the sudoers file. The following currently works on a Mac:
$ sudo visudo
%admin ALL=(ALL) NOPASSWD: ALL
If a tunnel is checked through a sqlalchemy connection (see the prod_db tunnel in the example config above), then sqlalchemy and the corresponding driver must be installed separately.
Running
start
Start the daemon to begin managing the configured tunnels (in ~/.nytth/config.yml)
$ nyttth start
stop
Stop the daemon along with any running tunnels
$ nyttth stop
status
Help:
$ nyttth status --help
Usage: nyttth status [OPTIONS]

  View status of all configured tunnels

Options:
  -t, --tunnel [qadb|riskdb|itun|dbtun|etun|vpn|rfindb]
                                  specify a specific tunnel
  -s, --skip                      skip tunnel health checks
  --help                          Show this message and exit.
Example with the VPN down:
$ nyttth status
Process    Depends    Proc State              Conn Check
----------------------------------------------------------
vpn        N/A                                down
itun       vpn        STOPPED Not started     skipped
dbtun      itun       STOPPED Not started     skipped
etun       vpn        STOPPED Not started     skipped
qadb       vpn        STOPPED Not started     skipped
Example with the VPN up:
$ nyttth status
Process    Depends    Proc State                         Conn Check
--------------------------------------------------------------------
vpn        N/A                                           up
itun       vpn        RUNNING pid 1595, uptime 0:09:28   up
dbtun      itun       RUNNING pid 1603, uptime 0:09:23   up
etun       vpn        RUNNING pid 1565, uptime 0:09:33   up
qadb       vpn        RUNNING pid 2692, uptime 0:00:04   up
tail
Help:
$ nyttth tail --help
Usage: nyttth tail [OPTIONS]

  Use system tail command to display logs. If a specific tunnel is not
  specified then all logs will be tailed including the supervisord main log
  and the vpnmon tunnel monitor process.

Options:
  -t, --tunnel [qadb|itun|dbtun|etun|vpn]
                                  specify a specific tunnel to tail. If not
                                  specified all tunnels and the tunnel monitor
                                  (monitor) will be tailed
  -f, --wait                      wait for additional data
  -n, --lines INTEGER             number of lines to display
  --help                          Show this message and exit.
Tail output for a single (example) tunnel:
$ nyttth tail -f -t itun
server: warning: closed channel 158 got cmd=TCP_STOP_SENDING len=0
server: warning: closed channel 159 got cmd=TCP_STOP_SENDING len=0
server: warning: closed channel 160 got cmd=TCP_STOP_SENDING len=0
server: warning: closed channel 148 got cmd=TCP_STOP_SENDING len=0
server: warning: closed channel 162 got cmd=TCP_STOP_SENDING len=0
server: warning: closed channel 164 got cmd=TCP_STOP_SENDING len=0
When the VPN connects:
$ nyttth tail -f | grep nyttth
2017-05-17 11:52:53,357 DEBUG nyttth: checking tunnels
2017-05-17 11:52:53,497 INFO nyttth: qadb is down. starting
2017-05-17 11:52:53,498 INFO nyttth: dbtun is down. starting
2017-05-17 11:52:53,907 INFO nyttth: etun is down. starting
2017-05-17 11:52:55,493 INFO nyttth: itun is down. starting
2017-05-17 11:53:06,527 DEBUG nyttth: checking tunnels
2017-05-17 11:53:06,814 INFO nyttth: rfindb is down. starting
2017-05-17 11:53:17,826 DEBUG nyttth: checking tunnels
2017-05-17 11:53:28,129 DEBUG nyttth: checking tunnels
When the VPN disconnects:
$ nyttth tail -f | grep nyttth
2017-05-17 11:51:44,701 DEBUG nyttth: checking tunnels
2017-05-17 11:51:55,000 DEBUG nyttth: checking tunnels
2017-05-17 11:52:05,265 DEBUG nyttth: checking tunnels
2017-05-17 11:52:07,269 DEBUG nyttth: vpn is down
2017-05-17 11:52:07,274 INFO nyttth: qadb depends on vpn which is down. stopping
2017-05-17 11:52:07,281 INFO nyttth: itun depends on vpn which is down. stopping
2017-05-17 11:52:07,286 INFO nyttth: rfindb depends on itun which is down. stopping
2017-05-17 11:52:07,292 INFO nyttth: dbtun depends on vpn which is down. stopping
2017-05-17 11:52:07,299 INFO nyttth: etun depends on vpn which is down. stopping
2017-05-17 11:52:17,306 DEBUG nyttth: checking tunnels
2017-05-17 11:52:19,310 DEBUG nyttth: vpn is down
2017-05-17 11:52:29,324 DEBUG nyttth: checking tunnels
2017-05-17 11:52:31,329 DEBUG nyttth: vpn is down
2017-05-17 11:52:41,340 DEBUG nyttth: checking tunnels
2017-05-17 11:52:43,345 DEBUG nyttth: vpn is down
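One reconciliation pass of the monitor behaviour shown in the two tail outputs above (start what should be up, stop anything whose dependency is down, cascade through nested dependencies), written as an added example that is not nyttth's own monitor code. The dependency graph is copied from the "depends on" lines of the log; the check results are a constructed dictionary standing in for the real host/port, url and sqlalchemy checks, so the pass runs offline. The "restart" action for a running tunnel whose own check fails, and the rule that a dependent is only started once its parent's check already passes (which is why rfindb starts one poll later than itun in the log), are assumptions about the intended semantics.

```python
# Added example, not nyttth's monitor: one pass over the tunnel dependency graph
# from the tail output above, deciding start/stop actions from check results.
from typing import Dict, List, Optional, Set, Tuple

# Root tunnel 'vpn' has no dependency; others copied from the log lines above.
DEPENDS: Dict[str, Optional[str]] = {
    "vpn": None, "itun": "vpn", "dbtun": "vpn", "etun": "vpn",
    "qadb": "vpn", "rfindb": "itun",
}

Action = Tuple[str, str, str]  # (tunnel, action, reason)


def order(depends: Dict[str, Optional[str]]) -> List[str]:
    """Roots first, then any tunnel whose dependency is already ordered.
    Raises on a cycle or a dependency that is not defined."""
    done: List[str] = []
    remaining = dict(depends)
    while remaining:
        ready = sorted(n for n, d in remaining.items() if d is None or d in done)
        if not ready:
            raise ValueError("dependency cycle or unknown dependency: %s"
                             % sorted(remaining))
        for n in ready:
            done.append(n)
            del remaining[n]
    return done


def reconcile(depends: Dict[str, Optional[str]], running: Set[str],
              check_up: Dict[str, bool]) -> List[Action]:
    """Decide what one monitor pass should do. A tunnel counts as up only when
    its own check passes and, for non-roots, it is running and its parent is up."""
    up: Dict[str, bool] = {}
    actions: List[Action] = []
    for name in order(depends):
        parent = depends[name]
        if parent is None:                      # root: just an external check
            up[name] = check_up.get(name, False)
            if not up[name]:
                actions.append((name, "noop", "%s is down" % name))
            continue
        if not up[parent]:                      # cascade: parent down
            up[name] = False
            if name in running:
                actions.append((name, "stop",
                                "%s depends on %s which is down" % (name, parent)))
            continue
        alive = name in running and check_up.get(name, False)
        up[name] = alive
        if not alive:
            actions.append((name, "start" if name not in running else "restart",
                            "%s is down" % name))
    return actions


def log_lines(actions: List[Action]) -> List[str]:
    """Render decisions in the same shape as the nyttth log lines above."""
    verb = {"start": "starting", "stop": "stopping", "restart": "restarting"}
    return [reason + (". " + verb[act] if act in verb else "")
            for _, act, reason in actions]


if __name__ == "__main__":
    everything = set(DEPENDS) - {"vpn"}
    print("-- vpn just came up, nothing running --")
    print("\n".join(log_lines(reconcile(DEPENDS, set(), {"vpn": True}))))
    print("-- vpn dropped while all tunnels were running --")
    checks = {n: True for n in everything}
    checks["vpn"] = False
    print("\n".join(log_lines(reconcile(DEPENDS, everything, checks))))
```

With the VPN freshly up, the pass starts the four tunnels that depend directly on vpn and leaves rfindb alone until a later pass sees itun's check passing; with the VPN down, every running tunnel is stopped with the same "depends on ... which is down" reason the log prints, including rfindb, which is stopped through itun even though itun itself is only going down in the same pass.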
ctl
Run the supervisorctl console
$ nyttth ctl
Notes
This project uses sshuttle version 0.78.1. Later versions define PF (packet filter) rules in a way that loses excludes when multiple sshuttle instances are present.
Python 3 is not supported because supervisord does not support it.
These docs gloss over the distinction between tunnels and forwards and just use the word "tunnel".
The remote ssh server through which traffic is forwarded is referred to as the proxy.
The term "vpn" refers to a "root" tunnel in the config that specifies no proxy to set up or forward through. It exists to check an external condition (a reachable network endpoint) and is not necessarily a real VPN.