@aduzsardi
Last active February 19, 2020 09:39
Hosting an inlets http(s) tunnel

Requirements

  • A server with a public IP
  • A domain that can be used for proxying; best if you have a separate domain just for inlets
  • A wildcard SSL/TLS certificate
  • A webserver; I'm using nginx, but other servers would work as well (caddy, apache, etc.)

The steps should be similar with any hosting service; adapt them to your own setup.

1. Domain configuration

Start with this step, since every other step depends on it.
If you don't have an unused domain, you can get free domains from freenom.com (TLDs available: .TK / .ML / .GA / .CF / .GQ).

  • Choose a hosting service for your DNS zone/domain. I picked one from this list https://certbot.eff.org/docs/using.html#dns-plugins because it's easier to provision wildcard certificates with certbot.
  • Create your DNS zone on your hosting service and take note of the NameServers you are assigned.
  • On your registrar's control panel (where you registered the domain) the NameServers should be defined somewhere; replace them with the ones provided by your hosting service.

2. Create a VPS/Instance + Configuration

  • You can choose any cloud or hosting provider for this. I chose Scaleway because their ARM CPU based servers are good value on both price and hardware: https://www.scaleway.com/en/virtual-instances/arm-instances/

  • Any server with a public IP will do, even a self-hosted one.

  • Point your domain to your new server. I used a wildcard record here as well: an apex record, either "@ IN A SERVER-PUBLIC-IP" or "mydomain.tld. IN A SERVER-PUBLIC-IP", plus a wildcard record, either "* IN A SERVER-PUBLIC-IP" or "*.mydomain.tld. IN A SERVER-PUBLIC-IP", whichever form makes sense in your DNS hosting service.

  • For the OS I went with Ubuntu Server because I'm more familiar with it, but again any Linux distro is ok.

  • Install nginx or some other webserver

# install nginx from the distribution packages
sudo apt-get update
sudo apt-get install nginx
# the next three commands assume an inlets server systemd unit (inlets.service)
# has already been installed on this host; the unit itself is not shown in this gist
sudo systemctl daemon-reload
sudo systemctl enable inlets
sudo systemctl start inlets
  • Install certbot and provision the wildcard certificate. Again, I used Cloudflare here, but you can use whatever you want.
sudo apt-get install certbot python-certbot-nginx python3-certbot-dns-cloudflare
sudo certbot certonly --agree-tos --non-interactive --no-eff-email --email my-email-user@domain.tld --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d mydomain.tld,*.mydomain.tld --preferred-challenges dns-01

The file /root/.secrets/cloudflare.ini contains the API key and email for the Cloudflare account:

dns_cloudflare_email = "myemail@domain.tld"
dns_cloudflare_api_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
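The credentials file above holds an API key that can rewrite your whole DNS zone, so it should be readable by its owner only (certbot itself refuses to use a credentials file with looser permissions). The following is an added example, not part of the gist: a small POSIX sh helper that writes the file with owner-only permissions and a check that verifies them. The destination path is a parameter (the gist uses /root/.secrets/cloudflare.ini); the email and key in the demo at the bottom are constructed values.

```shell
#!/bin/sh
# Added example (not from the gist): create the certbot dns-cloudflare
# credentials file so that only its owner can read it.

# write_cloudflare_credentials DEST EMAIL API_KEY
write_cloudflare_credentials() {
    dest="$1"
    email="$2"
    api_key="$3"
    dir=$(dirname "$dest")
    # umask 077 in a subshell: every directory and file created here is
    # owner-only from the moment it exists, so the key is never briefly
    # world-readable before a later chmod.
    (
        umask 077
        mkdir -p "$dir"
        printf 'dns_cloudflare_email = "%s"\ndns_cloudflare_api_key = "%s"\n' \
            "$email" "$api_key" > "$dest"
    )
    chmod 600 "$dest"
}

# credentials_are_private FILE
# Returns 0 when FILE exists and is not readable by group or others, which is
# the condition certbot checks before it will use the credentials.
credentials_are_private() {
    f="$1"
    [ -f "$f" ] || return 1
    # GNU stat prints the octal mode with -c '%a'; BSD stat with -f '%Lp'.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo with constructed values in a temporary directory (the real file would
# be /root/.secrets/cloudflare.ini, written as root).
demo_dir=$(mktemp -d)
write_cloudflare_credentials "$demo_dir/secrets/cloudflare.ini" \
    "myemail@domain.tld" "CONSTRUCTED-API-KEY"
if credentials_are_private "$demo_dir/secrets/cloudflare.ini"; then
    echo "credentials file is owner-only"
else
    echo "credentials file is readable by others" >&2
fi
rm -rf "$demo_dir"
```

Run the check again after any edit of the file: a text editor that writes a new file can reset the mode to the default 644.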
  • Configure an nginx virtual host with a config similar to this one. 8180 is the inlets server port, which I changed from the default.
# plain http / ws virtual host
server {
    listen 80;
    server_name *.mydomain.tld;

    access_log /var/log/nginx/inlets.access.log;
    error_log /var/log/nginx/inlets.error.log;

    # proxied traffic for the tunnelled services
    location / {
        proxy_pass http://127.0.0.1:8180;
        include /etc/nginx/proxy_params;
    }

    # control connection from the inlets client: needs the WebSocket upgrade headers
    location /tunnel {
        proxy_pass http://127.0.0.1:8180;
        include /etc/nginx/proxy_params;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}

# https / wss virtual host
server {
    listen 443 ssl;
    server_name *.mydomain.tld;

    access_log /var/log/nginx/inlets.access.log;
    error_log /var/log/nginx/inlets.error.log;

    ssl_certificate      /etc/letsencrypt/live/mydomain.tld/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mydomain.tld/privkey.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # allow large uploads of files
    client_max_body_size 1G;

    location / {
        proxy_pass http://127.0.0.1:8180;
        include /etc/nginx/proxy_params;
    }

    location /tunnel {
        proxy_pass http://127.0.0.1:8180;
        include /etc/nginx/proxy_params;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
  • If you don't need the plain HTTP/WS virtual host you can remove it. You can also add more virtual hosts with specific purposes and hostnames instead of the wildcard one, and in those you can add regular nginx ACLs based on IP address.
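The wildcard virtual host above exposes every tunnelled service to the whole internet under any name on the certificate. The following is an added example, not part of the gist, of the per-hostname layout suggested in the last bullet: one named host for a tunnelled service with an nginx IP allow list, one named host for the inlets control connection, and a catch-all that drops requests for any other name. The hostnames reuse the gist's placeholders; the address ranges 203.0.113.0/24 and 198.51.100.7 are documentation addresses standing in for your office range and your client's public IP.

```nginx
# Added example (not from the gist): hostname-specific virtual hosts with
# IP-based ACLs, replacing the wildcard server block.

# Catch-all for any hostname not listed below. 444 is nginx's "close the
# connection without a response" code, so unknown names get nothing back.
server {
    listen 443 ssl default_server;
    server_name _;

    ssl_certificate      /etc/letsencrypt/live/mydomain.tld/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mydomain.tld/privkey.pem;

    return 444;
}

# One tunnelled service, reachable only from the allowed range.
server {
    listen 443 ssl;
    server_name myhost.mydomain.tld;

    ssl_certificate      /etc/letsencrypt/live/mydomain.tld/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mydomain.tld/privkey.pem;

    access_log /var/log/nginx/myhost.access.log;
    error_log  /var/log/nginx/myhost.error.log;

    # nginx ACL: rules are evaluated in order and the first match wins,
    # so list the allowed ranges first and deny everything else.
    allow 203.0.113.0/24;   # placeholder: your office / VPN range
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:8180;
        include /etc/nginx/proxy_params;
    }
}

# The control connection from the inlets client (wss://whatever.mydomain.tld).
# Only the client's own public address needs to reach /tunnel.
server {
    listen 443 ssl;
    server_name whatever.mydomain.tld;

    ssl_certificate      /etc/letsencrypt/live/mydomain.tld/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mydomain.tld/privkey.pem;

    access_log /var/log/nginx/tunnel.access.log;
    error_log  /var/log/nginx/tunnel.error.log;

    allow 198.51.100.7;     # placeholder: public IP of the host running the inlets client
    deny  all;

    location /tunnel {
        proxy_pass http://127.0.0.1:8180;
        include /etc/nginx/proxy_params;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }

    # nothing else is served on this name
    location / {
        return 444;
    }
}
```

A denied client receives 403 from nginx and never reaches the inlets server, and the denial shows up in that host's error log, which gives you a per-service audit trail the single wildcard log does not. Check the result with "nginx -t" before reloading, and remember that the catch-all only works if no other server block on port 443 also claims default_server.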

Inlets Client

  • Install the client
curl -sLS https://get.inlets.dev | sudo sh
  • Run the client
inlets client --remote wss://whatever.mydomain.tld --upstream=myhost.mydomain.tld=http://127.0.0.1:8000 --token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx