Merge pull request #679 from openziti/expand-linux-service-private-modes
support private share modes
This commit is contained in:
commit
85c08b6ab5
@ -112,6 +112,9 @@ nfpms:
|
|||||||
- dst: /lib/systemd/system/
|
- dst: /lib/systemd/system/
|
||||||
src: ./nfpm/zrok-share.service
|
src: ./nfpm/zrok-share.service
|
||||||
|
|
||||||
|
- dst: /etc/systemd/system/zrok-share.service.d/override.conf
|
||||||
|
src: ./nfpm/zrok-share.service.override.conf
|
||||||
|
|
||||||
- dst: /opt/openziti/etc/zrok
|
- dst: /opt/openziti/etc/zrok
|
||||||
type: dir
|
type: dir
|
||||||
file_info:
|
file_info:
|
||||||
|
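Review bot: The new `override.conf` package entry (the two added rows after `src: ./nfpm/zrok-share.service`) has no `type:` field, so if nfpm's default file type applies it is installed as an ordinary file and a package upgrade will overwrite it, silently re-commenting a user's `AmbientCapabilities=CAP_NET_ADMIN` and breaking vpn mode until the file is edited again. Since the drop-in exists precisely to be hand-edited, declare it as a preserved config file, e.g. add `type: config|noreplace` directly under the `src: ./nfpm/zrok-share.service.override.conf` row. The same hunk appears twice more below (the second `@ -112,6 +112,9 @@ nfpms:` and the `@ -108,6 +108,9 @@ nfpms:` sections), presumably one per architecture-specific goreleaser config, and the fix belongs in each; their file headers are not visible on this page.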
@ -112,6 +112,9 @@ nfpms:
|
|||||||
- dst: /lib/systemd/system/
|
- dst: /lib/systemd/system/
|
||||||
src: ./nfpm/zrok-share.service
|
src: ./nfpm/zrok-share.service
|
||||||
|
|
||||||
|
- dst: /etc/systemd/system/zrok-share.service.d/override.conf
|
||||||
|
src: ./nfpm/zrok-share.service.override.conf
|
||||||
|
|
||||||
- dst: /opt/openziti/etc/zrok
|
- dst: /opt/openziti/etc/zrok
|
||||||
type: dir
|
type: dir
|
||||||
file_info:
|
file_info:
|
||||||
|
@ -108,6 +108,9 @@ nfpms:
|
|||||||
- dst: /lib/systemd/system/
|
- dst: /lib/systemd/system/
|
||||||
src: ./nfpm/zrok-share.service
|
src: ./nfpm/zrok-share.service
|
||||||
|
|
||||||
|
- dst: /etc/systemd/system/zrok-share.service.d/override.conf
|
||||||
|
src: ./nfpm/zrok-share.service.override.conf
|
||||||
|
|
||||||
- dst: /opt/openziti/etc/zrok
|
- dst: /opt/openziti/etc/zrok
|
||||||
type: dir
|
type: dir
|
||||||
file_info:
|
file_info:
|
||||||
|
@ -55,7 +55,7 @@ fi
|
|||||||
}
|
}
|
||||||
|
|
||||||
# default mode is 'reserved-public', override modes are reserved-private, temp-public, temp-private.
|
# default mode is 'reserved-public', override modes are reserved-private, temp-public, temp-private.
|
||||||
: "${ZROK_FRONTEND_MODE:-reserved-public}"
|
: "${ZROK_FRONTEND_MODE:=reserved-public}"
|
||||||
if [[ "${ZROK_FRONTEND_MODE:-}" == temp-public ]]; then
|
if [[ "${ZROK_FRONTEND_MODE:-}" == temp-public ]]; then
|
||||||
ZROK_CMD="share public --headless ${ZROK_VERBOSE:-}"
|
ZROK_CMD="share public --headless ${ZROK_VERBOSE:-}"
|
||||||
elif [[ "${ZROK_FRONTEND_MODE:-}" == temp-private ]]; then
|
elif [[ "${ZROK_FRONTEND_MODE:-}" == temp-private ]]; then
|
||||||
@ -121,13 +121,41 @@ case "${ZROK_BACKEND_MODE}" in
|
|||||||
echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}"
|
echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
tcpTunnel|udpTunnel|socks|vpn)
|
||||||
|
if ! [[ "${ZROK_FRONTEND_MODE}" =~ -private$ ]]; then
|
||||||
|
echo "ERROR: ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}' is a private share backend mode and cannot be used with ZROK_FRONTEND_MODE='${ZROK_FRONTEND_MODE}'" >&2
|
||||||
|
exit 1
|
||||||
|
else
|
||||||
|
case "${ZROK_BACKEND_MODE}" in
|
||||||
|
tcpTunnel|udpTunnel)
|
||||||
|
echo "INFO: ${ZROK_BACKEND_MODE} backend mode has target '${ZROK_TARGET}'"
|
||||||
|
;;
|
||||||
|
vpn)
|
||||||
|
if [[ -n "${ZROK_TARGET}" ]]; then
|
||||||
|
ZROK_SVC_FILE=/etc/systemd/system/zrok-share.service.d/override.conf
|
||||||
|
if ! grep -qE '^AmbientCapabilities=CAP_NET_ADMIN' "${ZROK_SVC_FILE}"; then
|
||||||
|
echo "ERROR: you must uncomment 'AmbientCapabilities=CAP_NET_ADMIN' in '${ZROK_SVC_FILE}'"\
|
||||||
|
"and run 'systemctl daemon-reload' to enable VPN mode" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
socks)
|
||||||
|
if [[ -n "${ZROK_TARGET}" ]]; then
|
||||||
|
echo "WARNING: ZROK_TARGET='${ZROK_TARGET}' is ignored with ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}'" >&2
|
||||||
|
unset ZROK_TARGET
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
echo "WARNING: ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}' is not a recognized mode for a zrok public share."\
|
echo "WARNING: ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}' is not a recognized mode for a zrok public share."\
|
||||||
" ZROK_TARGET value will not validated before running." >&2
|
" ZROK_TARGET value will not validated before running." >&2
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
[[ -n "${ZROK_UNIQUE_NAME:-}" ]] && {
|
[[ "${ZROK_FRONTEND_MODE:-}" =~ ^reserved- && -n "${ZROK_UNIQUE_NAME:-}" ]] && {
|
||||||
ZROK_CMD+=" --unique-name ${ZROK_UNIQUE_NAME}"
|
ZROK_CMD+=" --unique-name ${ZROK_UNIQUE_NAME}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
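Review bot: The vpn error message in the new `vpn)` arm is joined without a separator: the first line ends with `'${ZROK_SVC_FILE}'"\` and the continuation begins with `"and run`, so after line continuation the operator sees `...override.conf'and run 'systemctl daemon-reload'...`; the sibling message in the `*)` arm starts its continuation with a space, so change the continuation to `" and run 'systemctl daemon-reload' to enable VPN mode" >&2`. Separately, when the drop-in is absent, `grep -qE '^AmbientCapabilities=CAP_NET_ADMIN' "${ZROK_SVC_FILE}"` emits grep's own no-such-file diagnostic and the script then tells the operator to uncomment a line in a file that does not exist; `grep -qsE ...` (or a preceding `[[ -r "${ZROK_SVC_FILE}" ]]` test with its own message) keeps stderr to one actionable error. The check also only recognises the capability when it is granted in that exact file at column 0, so a unit that gets CAP_NET_ADMIN from a differently named drop-in would presumably still be rejected — worth stating in the message or the env-file comment. The enclosing `case "${ZROK_BACKEND_MODE}" in` opens before this hunk.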
@ -17,48 +17,65 @@ ZROK_ENABLE_TOKEN=""
|
|||||||
#
|
#
|
||||||
ZROK_ENVIRONMENT_NAME=""
|
ZROK_ENVIRONMENT_NAME=""
|
||||||
|
|
||||||
# You MUST set this if not using the default zrok.io API endpoint
|
# You MUST set this if not using the default API endpoint
|
||||||
#ZROK_API_ENDPOINT="https://api.zrok.io"
|
#ZROK_API_ENDPOINT="https://api.zrok.io"
|
||||||
|
|
||||||
#
|
#
|
||||||
## ZROK BACKEND TARGET
|
## ZROK BACKEND MODE AND TARGET
|
||||||
#
|
#
|
||||||
# You MUST define the backend target and mode. The frontend URL will be provisioned when the service starts. You MAY
|
# You MUST define the backend target and mode. The frontend URL will be provisioned when the service starts. You MAY
|
||||||
# change ZROK_TARGET and frontend URL will remain the same after a restart as long as the backend mode and frontend
|
# change ZROK_TARGET and frontend URL will remain the same after a restart as long as the backend mode and frontend
|
||||||
# authentication options are the same. Options that require provisioning a new frontend URL when changed are marked with
|
# authentication options are the same. Options that require provisioning a new frontend URL when changed are marked with
|
||||||
# WARNING. You may delete /var/lib/zrok-share/.zrok/reserved.json and restart the service to provision a new frontend URL.
|
# WARNING. You may delete /var/lib/zrok-share/.zrok/reserved.json and restart the service to provision a new frontend URL.
|
||||||
|
|
||||||
#
|
#
|
||||||
|
## BACKEND MODES THAT WORK WITH PUBLIC AND PRIVATE HTTP SHARES
|
||||||
|
#
|
||||||
|
|
||||||
# backend-mode "proxy" (default): share a backend web server URL that's reachable by this host; must begin with 'http://' or
|
# backend-mode "proxy" (default): share a backend web server URL that's reachable by this host; must begin with 'http://' or
|
||||||
# 'https://'; must accept the HOST header of the proxy frontend. Check out backend mode "caddy" if you need more control.
|
# 'https://'; must accept the HOST header of the proxy frontend. Check out backend mode "caddy" if you need more control.
|
||||||
ZROK_TARGET="" # e.g., http://127.0.0.1:3000
|
|
||||||
ZROK_BACKEND_MODE="proxy"
|
ZROK_BACKEND_MODE="proxy"
|
||||||
|
ZROK_TARGET="" # e.g., http://127.0.0.1:3000
|
||||||
# if defined, an https share's backend server certificate will not be verified with backend-mode 'proxy'
|
# if defined, an https share's backend server certificate will not be verified with backend-mode 'proxy'
|
||||||
# NOTE: changing this value does not require provisioning a new frontend URL
|
# NOTE: changing this value does not require provisioning a new frontend URL
|
||||||
#ZROK_INSECURE="--insecure"
|
#ZROK_INSECURE="--insecure"
|
||||||
|
|
||||||
# backend-mode "web": run a web server and share a static HTML directory that's present on this host. Must be an
|
# backend-mode "web": run a web server and share a static HTML directory that's present on this host. Must be an
|
||||||
# absolute path to a directory that is readable by 'other'
|
# absolute path to a directory that is readable by 'other'
|
||||||
#ZROK_TARGET="/var/www/html"
|
|
||||||
#ZROK_BACKEND_MODE="web"
|
#ZROK_BACKEND_MODE="web"
|
||||||
|
#ZROK_TARGET="/var/www/html"
|
||||||
|
|
||||||
# backend-mode "drive": run a WebDAV file server sharing a directory that's present on this host. Must be an absolute
|
# backend-mode "drive": run a WebDAV file server sharing a directory that's present on this host. Must be an absolute
|
||||||
# path to a directory that is readable by 'other'
|
# path to a directory that is readable by 'other'
|
||||||
#ZROK_TARGET="/usr/share/doc"
|
|
||||||
#ZROK_BACKEND_MODE="drive"
|
#ZROK_BACKEND_MODE="drive"
|
||||||
|
#ZROK_TARGET="/usr/share/doc"
|
||||||
|
|
||||||
# backend-mode "caddy": run an embedded Caddy server configured by the supplied Caddyfile. Must be an absolute path that
|
# backend-mode "caddy": run an embedded Caddy server configured by the supplied Caddyfile. Must be an absolute path that
|
||||||
# is readable by 'other'.
|
# is readable by 'other'.
|
||||||
#ZROK_TARGET="/opt/openziti/etc/zrok/multiple_upstream.Caddyfile"
|
|
||||||
#ZROK_BACKEND_MODE="caddy"
|
#ZROK_BACKEND_MODE="caddy"
|
||||||
|
#ZROK_TARGET="/opt/openziti/etc/zrok/multiple_upstream.Caddyfile"
|
||||||
|
|
||||||
# DEBUG log level
|
#
|
||||||
# NOTE: changing this value does not require provisioning a new frontend URL
|
## BACKEND MODES THAT ONLY WORK WITH PRIVATE SHARES
|
||||||
#ZROK_VERBOSE="--verbose"
|
#
|
||||||
|
|
||||||
# you MAY set additional command-line options for the share; see "zrok reserve public --help" for hints
|
# you MUST set ZROK_FRONTEND_MODE to 'reserved-private' or 'temp-private' to use private share backend modes
|
||||||
# WARNING: changes take effect the next time the frontend URL is reserved
|
|
||||||
# NOTE: basic auth and oauth are mutually exclusive
|
#ZROK_BACKEND_MODE="tcpTunnel"
|
||||||
ZROK_SHARE_OPTS=""
|
#ZROK_TARGET="127.0.0.1:25565"
|
||||||
|
|
||||||
|
#ZROK_BACKEND_MODE="udpTunnel"
|
||||||
|
#ZROK_TARGET="127.0.0.1:53"
|
||||||
|
|
||||||
|
# you MUST grant NET_ADMIN capability to the service to enable vpn mode, e.g., run these two commands:
|
||||||
|
# sed -Ei 's/.*AmbientCapabilities=CAP_NET_ADMIN/AmbientCapabilities=CAP_NET_ADMIN/' /etc/systemd/system/zrok-share.service.d/override.conf
|
||||||
|
# systemctl daemon-reload
|
||||||
|
#ZROK_BACKEND_MODE="vpn"
|
||||||
|
#ZROK_TARGET="172.16.0.1/12"
|
||||||
|
|
||||||
|
# there is no target for socks mode because the share is only a dynamic exit for the proxy client
|
||||||
|
#ZROK_BACKEND_MODE="socks"
|
||||||
|
#ZROK_TARGET=""
|
||||||
|
|
||||||
#
|
#
|
||||||
## ZROK FRONTEND
|
## ZROK FRONTEND
|
||||||
@ -88,5 +105,15 @@ ZROK_SHARE_OPTS=""
|
|||||||
#ZROK_FRONTENDS="public"
|
#ZROK_FRONTENDS="public"
|
||||||
|
|
||||||
# you MAY set to change the frontend mode: reserved-public (default), reserved-private, temp-public, temp-private
|
# you MAY set to change the frontend mode: reserved-public (default), reserved-private, temp-public, temp-private
|
||||||
# WARNING: changes take effect the next time the frontend URL is reserved
|
|
||||||
#ZROK_FRONTEND_MODE="reserved-public"
|
#ZROK_FRONTEND_MODE="reserved-public"
|
||||||
|
|
||||||
|
#
|
||||||
|
## OPTIONS
|
||||||
|
#
|
||||||
|
|
||||||
|
# DEBUG log level
|
||||||
|
# NOTE: changing this value does not require provisioning a new frontend URL
|
||||||
|
#ZROK_VERBOSE="--verbose"
|
||||||
|
|
||||||
|
# you MAY set additional command-line options for the share; see "zrok reserve public --help" for hints
|
||||||
|
ZROK_SHARE_OPTS=""
|
||||||
|
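Review bot: The hint above `ZROK_SHARE_OPTS=""` in the second hunk, `see "zrok reserve public --help" for hints`, is now incomplete: this commit adds reserved-private and temp-private frontend modes, and the options valid for those come from the private-share subcommands, so the comment should read `# you MAY set additional command-line options for the share; see "zrok reserve public --help" or "zrok reserve private --help" for hints`. The new private-modes block also says `you MUST set ZROK_FRONTEND_MODE to 'reserved-private' or 'temp-private'` while the variable itself is only introduced further down under `## ZROK FRONTEND`; a short pointer such as `# (see ZROK_FRONTEND_MODE in the ZROK FRONTEND section below)` next to that sentence would save the reader a search. The rest of the hunk is reordering and commented examples, which look consistent with the validation added to the start-up script.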
10
nfpm/zrok-share.service.override.conf
Normal file
10
nfpm/zrok-share.service.override.conf
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
[Service]
|
||||||
|
|
||||||
|
#
|
||||||
|
## extra permissions
|
||||||
|
#
|
||||||
|
|
||||||
|
# allow adding tun device and IP routes and iptables rules; required when ZROK_BACKEND_MODE=vpn
|
||||||
|
# AmbientCapabilities=CAP_NET_ADMIN
|
||||||
|
|
||||||
|
# you must run 'systemctl daemon-reload' after modifying this file
|
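Review bot: The drop-in should tell the operator that the line must be uncommented exactly as written: the start-up validation added in this commit's shell hunk matches `^AmbientCapabilities=CAP_NET_ADMIN` at the start of a line in this specific file, so an indented directive or the same directive placed in a differently named drop-in presumably still fails the vpn-mode check even though systemd would honour it. A comment such as `# uncomment the next line as-is (no leading spaces); the service start-up check looks for it in this file before allowing ZROK_BACKEND_MODE=vpn` above `# AmbientCapabilities=CAP_NET_ADMIN` makes the coupling explicit. Shipping the capability commented out is the right default, since the service then runs without CAP_NET_ADMIN unless the operator opts in.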