I have an Alibaba Cloud server and an intranet server. I want to set up intranet penetration (NAT traversal) for the intranet server and reach it over HTTPS with a domain name.
The official documentation already describes the setup steps in detail: nps official documentation
docker installation in the nps documentation: server, client
Here I record my own installation process (done with docker).
1. Install docker
First you need docker. If it is not installed: yum install -y docker
2. Install nps on the server (host with public ip)
2.1 docker pull image:
Command: docker pull ffdfgdfg/nps
Check:
2.2 configure the conf file (you can also use the default without configuration, which is also very convenient)
You need to download the official conf file and configure it yourself. The point is to mount the configuration directory of the nps instance running in docker to a directory outside docker, so it is easy to modify. If you prefer to enter the container to modify the configuration file, you can start it directly without downloading the configuration file.
If GitHub is slow, you can use the GitHub mirror on Gitee: nps mirror station
The downloaded configuration files are:
Modify nps.conf, mainly some port numbers. I want to access the service through domain name + https. There are two official ways:
Method 1: nps terminates https itself, similar to nginx
In the configuration file, set https_proxy_port to 443 or another port you want to use, and set https_just_proxy to false. After nps restarts, set the domain's certificate and key in the web management interface (in the add/edit domain form).
In addition: a default https certificate is configured in nps.conf. When a request arrives for a domain that has no https certificate set in the web interface, the default certificate is used automatically. Likewise, some Client Hello messages carry no SNI extension, and nps then falls back to the default certificate.
Method 2: https is handled by the corresponding server on the intranet
In nps.conf, set https_just_proxy to true and open https_proxy_port. nps will then forward the https request unchanged to the intranet server, which does the https processing itself.
I use method 2 directly here.
```ini
appname = nps
runmode = dev
http_proxy_ip=0.0.0.0
http_proxy_port=20000
https_proxy_port=20001
https_just_proxy=true
https_default_cert_file=conf/server.pem
https_default_key_file=conf/server.key
bridge_type=tcp
bridge_port=20002
bridge_ip=0.0.0.0
public_vkey=123
log_level=7
web_host=a.o.com
web_username=admin
web_password=admin
web_port = 20003
web_ip=0.0.0.0
web_base_url=
web_open_ssl=false
web_cert_file=conf/server.pem
web_key_file=conf/server.key
auth_crypt_key =1234567887654321
allow_user_login=false
allow_user_register=false
allow_user_change_username=false
allow_flow_limit=false
allow_rate_limit=false
allow_tunnel_num_limit=false
allow_local_proxy=false
allow_connection_num_limit=false
allow_multi_ip=false
system_info_display=false
http_cache=false
http_cache_length=100
http_add_origin_header=false
```
Meaning of the configuration file (/etc/nps/conf/nps.conf):
name | meaning |
---|---|
web_port | web Management Port |
web_password | web interface management password |
web_username | web interface management account |
web_base_url | The main path of web management is used to place web management behind the sub path of proxy |
bridge_port | Server client communication port |
https_proxy_port | Domain name proxy https proxy listening port |
http_proxy_port | Domain name proxy http proxy listening port |
auth_key | web api key |
bridge_type | The connection mode between client and server is kcp or tcp |
public_vkey | The key when the client starts in profile mode. If it is set to blank, it means that the client profile connection mode is closed |
ip_limit | Whether to restrict ip access, true or false or ignore |
flow_store_interval | The persistence interval of traffic data at the server, in minutes. If ignored, it means it is not persistent |
log_level | Log output level |
auth_crypt_key | aes encryption key when obtaining authKey of the server, 16 bits |
p2p_ip | Server Ip, p2p mode is required |
p2p_port | udp port opened in p2p mode |
pprof_ip | debug pprof server ip |
pprof_port | debug pprof port |
disconnect_timeout | Client connection timeout, unit: 5s, default value: 60, i.e. 300s = 5mins |
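As an added example (not code from the nps project or from the original post), a small Python audit of the nps.conf values this walkthrough starts from: public_vkey=123, the admin/admin web login, the sample auth_crypt_key and a plain-HTTP web panel on 0.0.0.0. The thresholds and the hardened values are this example's own assumptions; the parser follows the flat key=value layout shown above.

```python
import secrets

# Constructed sample mirroring the starting values in the walkthrough above (nps defaults).
SAMPLE_NPS_CONF = """
appname = nps
https_proxy_port=20001
public_vkey=123
web_username=admin
web_password=admin
web_port = 20003
web_ip=0.0.0.0
web_open_ssl=false
auth_crypt_key =1234567887654321
"""

def parse_nps_conf(text):
    """nps.conf is flat key=value with no [sections]; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit_nps_conf(conf):
    """Return (key, problem) pairs for settings that should not reach a public host."""
    findings = []
    vkey = conf.get("public_vkey", "")
    if vkey and len(vkey) < 16:  # empty disables profile-mode clients, which is acceptable
        findings.append(("public_vkey", "short or default client key; use a long random value"))
    pw = conf.get("web_password", "")
    if pw in ("", "admin") or pw == conf.get("web_username") or len(pw) < 12:
        findings.append(("web_password", "default or weak web panel password"))
    if conf.get("auth_crypt_key") == "1234567887654321":
        findings.append(("auth_crypt_key", "sample AES key from the docs still in place"))
    if conf.get("web_open_ssl") != "true" and conf.get("web_ip", "0.0.0.0") == "0.0.0.0":
        findings.append(("web_open_ssl", "web panel served over plain HTTP on every interface"))
    return findings

def hardened(conf):
    """Copy of conf with fresh random secrets and the panel bound to localhost over TLS."""
    fixed = dict(conf)
    fixed.update({"public_vkey": secrets.token_urlsafe(24),
                  "web_password": secrets.token_urlsafe(18),
                  "auth_crypt_key": secrets.token_hex(8),  # 16 characters, as nps requires
                  "web_open_ssl": "true", "web_ip": "127.0.0.1"})
    return fixed
```

Run the audit on the mounted /root/nps/conf/nps.conf before opening the ports in the Alibaba firewall; the web panel port in particular should not be reachable from the internet with the defaults left in place.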
2.3 docker runs an nps instance (with configuration file)
- Mount an external configuration file yourself. The official command is:
docker run -d --name npc --net=host -v <local conf directory>:/conf ffdfgdfg/npc -config=/conf/npc.conf
Parameter meanings:
-d runs the container in the background, --name gives the container a name, -v mounts a directory (maps a directory outside docker to a directory inside docker, so the container can read the external directory)
I put the configuration file in the directory /root/nps/conf, so my command is:
docker run -d -p 20000-20010:20000-20010 -v /root/nps/conf:/conf --name=nps ffdfgdfg/nps
- Do not mount an external configuration file (use the one inside the container)
official:
docker run -d --name npc --net=host ffdfgdfg/npc -server=<ip:port> -vkey=<key displayed in web interface> <and some other parameters>
My commands are:
docker run --net=host --name nps-server -d <image id>
docker run -td --rm --name nps_server <image id>
Remember to open the required ports in the Alibaba Cloud security group / firewall.
Then you can access the web interface (with the configuration file configured):
2.4 docker runs an nps instance (no configuration file)
It is very convenient to use the default configuration. Run the command directly:
docker run --net=host --name nps_server -d <image id>
Then you can access the web page (default port 8024)
3. Install npc on client (intranet ip host)
3.1 docker pull image
Note that the image pulled here is npc, not nps
docker pull ffdfgdfg/npc
Check:
3.2 configuration file (it is more convenient to go without a configuration file)
```ini
[common]
server_addr=1.1.1.1:8024
conn_type=tcp
vkey=123
username=111
password=222
compress=true
crypt=true
rate_limit=10000
flow_limit=100
remark=test
max_conn=10
#pprof_addr=0.0.0.0:9999
```
Parameter interpretation:
term | meaning |
---|---|
server_addr | Server ip / Domain Name: port |
conn_type | Communication mode with server (tcp or kcp) |
vkey | Key in server configuration file (non web) |
username | socks5 or http(s) basic-auth user name (can be omitted) |
password | socks5 or http(s) basic-auth password (can be omitted) |
compress | Whether to compress the transmission (true or false, can be omitted) |
crypt | Whether to encrypt the transmission (true or false, can be omitted) |
rate_limit | Speed limit, can be omitted |
flow_limit | Traffic limit, can be omitted |
remark | Client notes, can be omitted |
max_conn | Maximum number of connections, can be omitted |
pprof_addr | debug pprof ip:port |
I want to access port 8080 of the intranet host through domain name + https, so my configuration file is as follows:
```ini
[common]
server_addr=<domain name>:20002
conn_type=https
vkey=123
auto_reconnection=true
max_conn=1000
flow_limit=1000
rate_limit=1000
basic_username=11
basic_password=3
web_username=user
web_password=1234
crypt=true
compress=true
#pprof_addr=0.0.0.0:9999
disconnect_timeout=60
[health_check_test1]
health_check_timeout=1
health_check_max_failed=3
health_check_interval=1
health_http_url=/
health_check_type=http
health_check_target=127.0.0.1:8083,127.0.0.1:8082
[health_check_test2]
health_check_timeout=1
health_check_max_failed=3
health_check_interval=1
health_check_type=tcp
health_check_target=127.0.0.1:8083,127.0.0.1:8082
[web]
host=<domain name>
target_addr=127.0.0.1:8080
```
3.3 docker starts an image instance (with configuration file)
Again, create a directory on the host to map the configuration file into the container
Command:
docker run -d -p 18080-18090:8080-8090 -v /root/npc/conf:/conf --name=npc ffdfgdfg/npc
3.4 docker starts an image instance (no configuration file)
First, add the client in the web interface (you can add it directly without any configuration):
Get the client command:
Then you can create an instance with docker on the client:
docker run -d --name npc --net=host ffdfgdfg/npc -server=<ip address>:20002 -vkey=z8lduhyk0g0cashx -type=tcp
Next, you can see that your client is online:
4. Configure intranet penetration
A few points to note:
- A DNS record cannot carry a port number, so the domain name only resolves to the host; it is reached through the http_proxy_port and https_proxy_port you configured
- As long as https is terminated on the intranet host, a plain TCP tunnel can be used directly, which is very convenient
Like this:
Then you can access it directly!!!!!!!!