NPS intranet penetration setup (implemented with Docker), detailed version

I have an Alibaba Cloud server and an intranet server. I want to set up intranet penetration for the intranet server and access it over https with a domain name.

The official documentation already describes the setup steps in detail: nps official documents

Docker installation in the nps documentation: server, client

Here I record my own installation process (implemented with Docker).

1. Install docker

First, Docker must be installed. If it is not: yum install -y docker

2. Install nps on the server (the host with a public IP)

2.1 Pull the Docker image:

Command: docker pull ffdfgdfg/nps

Check:

2.2 Configure the conf file (you can also use the defaults without any configuration, which is also very convenient)

You need to download the official conf files and configure them yourself. The main purpose is to mount the configuration directory of the nps instance running in Docker outside the container so that it is easy to modify. If you are happy to enter the container to edit the configuration file, you can start the container directly without downloading the configuration files.

If GitHub is slow, you can use the GitHub mirror on gitee: nps mirror station

The downloaded configuration files are:

Modify nps.conf, mainly some port numbers. I want to access the service via domain name + https. There are two official ways:

Method 1: nps terminates https itself, similar to nginx

In the configuration file, set https_proxy_port to 443 or another port you want to use. Set https_just_proxy to false; after nps restarts, set the certificate and key for the domain in the web management interface (the domain add/modify page).

In addition: a default https configuration is set in nps.conf. When a request arrives for a domain that has no https certificate set in the web interface, the default certificate is used automatically. The other case is a client hello that does not carry the SNI extension; nps then automatically uses the default certificate as well.

Method 2: handle https on the corresponding intranet server

In nps.conf, set https_just_proxy to true and enable https_proxy_port; nps then forwards the https request unchanged to the intranet server, which does the https processing itself.

I'll use method 2 directly here:

appname = nps
runmode = dev

http_proxy_ip=0.0.0.0
http_proxy_port=20000
https_proxy_port=20001
https_just_proxy=true

https_default_cert_file=conf/server.pem
https_default_key_file=conf/server.key

bridge_type=tcp
bridge_port=20002
bridge_ip=0.0.0.0

public_vkey=123

log_level=7

web_host=a.o.com
web_username=admin
web_password=admin
web_port = 20003
web_ip=0.0.0.0
web_base_url=
web_open_ssl=false
web_cert_file=conf/server.pem
web_key_file=conf/server.key
auth_crypt_key =1234567887654321
allow_user_login=false
allow_user_register=false
allow_user_change_username=false
allow_flow_limit=false
allow_rate_limit=false
allow_tunnel_num_limit=false
allow_local_proxy=false
allow_connection_num_limit=false
allow_multi_ip=false
system_info_display=false
http_cache=false
http_cache_length=100
http_add_origin_header=false

Meaning of the configuration file (/etc/nps/conf/nps.conf):

name | meaning
---- | -------
web_port | web management port
web_password | web interface management password
web_username | web interface management account
web_base_url | base path of the web management interface, used to place it behind a sub-path of a reverse proxy
bridge_port | server/client communication port
https_proxy_port | domain-name proxy: https listening port
http_proxy_port | domain-name proxy: http listening port
auth_key | web API key
bridge_type | connection mode between client and server, kcp or tcp
public_vkey | key used when the client starts in profile mode; if left blank, the client profile connection mode is disabled
ip_limit | whether to restrict IP access, true or false, or leave unset
flow_store_interval | persistence interval of traffic data on the server, in minutes; if unset, traffic is not persisted
log_level | log output level
auth_crypt_key | AES key used when fetching the server's authKey, 16 bytes
p2p_ip | server IP, required for p2p mode
p2p_port | UDP port opened in p2p mode
pprof_ip | debug pprof server IP
pprof_port | debug pprof port
disconnect_timeout | client connection timeout in units of 5s; default 60, i.e. 300s = 5 min
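The nps.conf above ships with the values most people copy straight from the docs: web_username/web_password of admin, a three-character public_vkey, the sample auth_crypt_key, and web_open_ssl=false. On a host with a public IP those are exactly the settings an attacker would try first. The script below is an added example, not part of the original post or the nps project; it assumes a POSIX sh with sed, tr, mktemp and /dev/urandom. It audits a conf file for those weak values and writes a hardened copy with fresh random secrets. The sample conf it audits is constructed inline from the lines above.

```shell
#!/bin/sh
# Added example (not from the original post or the nps project): audit an nps.conf
# for the weak values shown above and emit a hardened copy.
# Assumptions: POSIX sh, sed, tr, head, mktemp and /dev/urandom are available.

# Constructed sample: the relevant lines of the post's nps.conf, weak values included.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
appname = nps
runmode = dev
web_host=a.o.com
web_username=admin
web_password=admin
web_port = 20003
web_open_ssl=false
public_vkey=123
auth_crypt_key =1234567887654321
allow_user_register=false
EOF

# conf_get FILE KEY: print the value of KEY, tolerating spaces around '='.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# audit_conf FILE: print one "WEAK: ..." line per finding; always returns 0 so it
# can be used under 'set -e'.
audit_conf() {
    f="$1"
    user="$(conf_get "$f" web_username)"
    pass="$(conf_get "$f" web_password)"
    vkey="$(conf_get "$f" public_vkey)"
    ckey="$(conf_get "$f" auth_crypt_key)"
    ssl="$(conf_get "$f" web_open_ssl)"
    if [ "$user" = "admin" ]; then
        echo "WEAK: web_username is the default 'admin'"
    fi
    if [ "$pass" = "admin" ] || [ "${#pass}" -lt 12 ]; then
        echo "WEAK: web_password is the default or shorter than 12 characters"
    fi
    # public_vkey is all a client needs to register tunnels in profile mode.
    if [ "${#vkey}" -lt 16 ]; then
        echo "WEAK: public_vkey is shorter than 16 characters (any client that knows it can connect)"
    fi
    # auth_crypt_key is an AES key: it must be exactly 16 bytes, and the value
    # from the sample config is known to everyone who has read the docs.
    case "$ckey" in
        1234567887654321|"") echo "WEAK: auth_crypt_key is the sample value or empty" ;;
    esac
    if [ "${#ckey}" -ne 16 ]; then
        echo "WEAK: auth_crypt_key must be exactly 16 bytes, got ${#ckey}"
    fi
    if [ "$ssl" != "true" ]; then
        echo "WEAK: web_open_ssl is not true; admin credentials cross the Internet in clear text"
    fi
    return 0
}

# count_weak FILE: number of findings, printed as a plain integer.
count_weak() {
    audit_conf "$1" | grep -c WEAK || true
}

# gen_secret N: N random alphanumeric characters drawn from /dev/urandom.
gen_secret() {
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "$1"
}

# harden_conf IN OUT: copy IN to OUT with a non-default admin name, fresh secrets
# and TLS enabled on the web UI. Secrets are alphanumeric, so splicing them into
# the sed expressions is safe.
harden_conf() {
    pw="$(gen_secret 24)"
    vk="$(gen_secret 32)"
    ck="$(gen_secret 16)"
    sed -e "s/^[[:space:]]*web_username[[:space:]]*=.*/web_username=nps-operator/" \
        -e "s/^[[:space:]]*web_password[[:space:]]*=.*/web_password=$pw/" \
        -e "s/^[[:space:]]*public_vkey[[:space:]]*=.*/public_vkey=$vk/" \
        -e "s/^[[:space:]]*auth_crypt_key[[:space:]]*=.*/auth_crypt_key=$ck/" \
        -e "s/^[[:space:]]*web_open_ssl[[:space:]]*=.*/web_open_ssl=true/" \
        "$1" > "$2"
}

# Stand-alone run: audit the constructed sample, then audit its hardened copy.
audit_conf "$SAMPLE_CONF"
HARDENED="$(mktemp)"
harden_conf "$SAMPLE_CONF" "$HARDENED"
echo "findings after hardening: $(count_weak "$HARDENED")"
```

Run it against your real file with `audit_conf /root/nps/conf/nps.conf` before the first `docker run`; the hardened copy keeps every other key (ports, web_host, allow_* flags) untouched, so it can be dropped into the mounted conf directory as-is. Because web_open_ssl=true makes nps serve the web UI with web_cert_file/web_key_file, those two files must exist in the same conf directory.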

2.3 Docker runs an nps instance (with a configuration file)

  • Mounting your own external configuration file:

    The official command (as given in the docs) is:

    docker run -d --name npc --net=host -v <local conf directory>:/conf ffdfgdfg/npc -config=/conf/npc.conf

    Explanation of the parameters:

    -d runs the container in the background, --name gives the container a name, -v mounts a directory (maps a directory outside Docker to a directory inside it, so the container can read the external directory)

    I put the configuration file in the directory /root/nps/conf, so my command is:

    docker run -d -p 20000-20010:20000-20010 -v /root/nps/conf:/conf --name=nps ffdfgdfg/nps

  • Not mounting an external configuration file (using the one inside the container):

    Official command:

    docker run -d --name npc --net=host ffdfgdfg/npc -server=<ip:port> -vkey=<key displayed in the web interface> <and other parameters>

    My command is:

    docker run --net=host --name nps-server -d image id
    docker run -td --rm --name nps_server image id
    

In the Alibaba Cloud firewall (security group), remember to open the specified ports.

Then you can access the web interface (with the configuration file configured):
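The command above publishes the whole range 20000-20010 even though this nps.conf only listens on four of those ports, and the security group should open no more than that. The script below is an added example, not code from the post or the nps project; it assumes POSIX sh and sed, and reads the port keys documented in the table above. It lists the ports an nps.conf actually opens, checks them against a docker -p range (or a single port) and prints the minimal comma-separated list to allow in the firewall. The conf it reads is constructed inline with the post's port values.

```shell
#!/bin/sh
# Added example (not from the original post or the nps project): derive the
# listening ports from nps.conf and compare them with what docker -p publishes.
# Assumptions: POSIX sh, sed, tr, head, sort, uniq and mktemp are available.

# Constructed sample with the port values used in the post's nps.conf.
PORT_CONF="$(mktemp)"
cat > "$PORT_CONF" <<'EOF'
http_proxy_port=20000
https_proxy_port=20001
bridge_port=20002
web_port = 20003
EOF

# conf_get FILE KEY: print the value of KEY, tolerating spaces around '='.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# listen_ports FILE: print "key port" for every listener this config makes nps open.
listen_ports() {
    for key in http_proxy_port https_proxy_port bridge_port web_port; do
        p="$(conf_get "$1" "$key")"
        [ -n "$p" ] && echo "$key $p"
    done
    return 0
}

# in_range PORT RANGE: RANGE is "lo-hi" (docker -p syntax) or a single port.
in_range() {
    case "$2" in
        *-*) lo="${2%-*}"; hi="${2#*-}" ;;
        *)   lo="$2"; hi="$2" ;;
    esac
    [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]
}

# unpublished FILE RANGE: listeners from FILE that RANGE does not cover.
# Anything printed here is a port the container opens but nobody can reach,
# or, with --net=host, a port the firewall rule forgot.
unpublished() {
    listen_ports "$1" | while read -r key port; do
        in_range "$port" "$2" || echo "$key $port"
    done
    return 0
}

# count_unpublished FILE RANGE: number of uncovered listeners as a plain integer.
count_unpublished() {
    unpublished "$1" "$2" | grep -c . || true
}

# open_list FILE: sorted, de-duplicated, comma-separated port list for the
# security group, so nothing beyond what nps uses gets exposed.
open_list() {
    listen_ports "$1" | while read -r key port; do echo "$port"; done \
        | sort -n | uniq | tr '\n' ',' | sed 's/,$//'
}

# Stand-alone run: check the post's mapping, then a mapping that is too narrow.
echo "uncovered with 20000-20010: $(count_unpublished "$PORT_CONF" 20000-20010)"
echo "uncovered with 20000-20002:"; unpublished "$PORT_CONF" 20000-20002
echo "ports to open in the security group: $(open_list "$PORT_CONF")"
```

With the post's values the second check reports `web_port 20003`, which is the web UI silently left unreachable if -p stops at 20002, and the open list is `20000,20001,20002,20003`: publish those four with individual -p flags rather than a range, and open only those in the security group.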

2.4 Docker runs an nps instance (no configuration file)

It is very convenient to use the default configuration. Run the command directly:

docker run --net=host --name nps_server -d image id

Then you can access the page (default port 8024).

3. Install npc on the client (the intranet IP host)

3.1 Pull the Docker image

Note that npc is pulled here, not nps

docker pull ffdfgdfg/npc

Check:

3.2 Configuration file (more convenient without a configuration file)

[common]
server_addr=1.1.1.1:8024
conn_type=tcp
vkey=123
username=111
password=222
compress=true
crypt=true
rate_limit=10000
flow_limit=100
remark=test
max_conn=10
#pprof_addr=0.0.0.0:9999

Parameter interpretation:

term | meaning
---- | -------
server_addr | server IP or domain name:port
conn_type | communication mode with the server (tcp or kcp)
vkey | key from the server configuration file (not the web interface)
username | user name for socks5 or http(s) password protection (optional)
password | password for socks5 or http(s) password protection (optional)
compress | whether to compress the transmission (true or false, or leave unset)
crypt | whether to encrypt the transmission (true or false, or leave unset)
rate_limit | speed limit, optional
flow_limit | traffic limit, optional
remark | client notes, optional
max_conn | maximum number of connections, optional
pprof_addr | debug pprof ip:port

I want to access port 8080 of the intranet host via domain name + https, so my configuration file is as follows:

[common]
server_addr=domain name:20002
conn_type=https
vkey=123
auto_reconnection=true
max_conn=1000
flow_limit=1000
rate_limit=1000
basic_username=11
basic_password=3
web_username=user
web_password=1234
crypt=true
compress=true
#pprof_addr=0.0.0.0:9999
disconnect_timeout=60

[health_check_test1]
health_check_timeout=1
health_check_max_failed=3
health_check_interval=1
health_http_url=/
health_check_type=http
health_check_target=127.0.0.1:8083,127.0.0.1:8082

[health_check_test2]
health_check_timeout=1
health_check_max_failed=3
health_check_interval=1
health_check_type=tcp
health_check_target=127.0.0.1:8083,127.0.0.1:8082

[web]
host=domain name
target_addr=127.0.0.1:8080

3.3 Docker starts an image instance (with a configuration file)

Likewise, create a mapped configuration directory on the host.

Command:

docker run -d -p 18080-18090:8080-8090 -v /root/npc/conf:/conf --name=npc ffdfgdfg/npc

3.4 Docker starts an image instance (no configuration file)

First, configure the client in the web interface (you can also add it directly without a configuration file):

Get the client command:

Then you can create an instance with docker on the client:

docker run -d --name npc --net=host ffdfgdfg/npc -server=ip address:20002 -vkey=z8lduhyk0g0cashx -type=tcp

Next, you can see that your client is online:

4. Configure intranet penetration

Here are a few points to note:

  • Domain name resolution cannot include a port number; it can only point at the http port and https port you configured
  • As long as https is handled on the intranet host, a plain TCP tunnel can be used directly, which is very convenient

like this:

Then you can access it directly!!!!!!!!

Tags: Operation & Maintenance Docker https Middleware

Posted by aliento on Fri, 11 Mar 2022 19:14:32 +0530