Yet another TCP-over-HTTP(S) tunnel
Detailed description of the chunk-nordic Python project
chunk-nordic
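The client component accepts TCP connections and forwards them to the server component over a pair of HTTP(S) connections in streaming mode (Content-Encoding: chunked). The server component forwards the connections to the target host and port (for example, a VPN daemon).
Features
- Multi-link, fully asynchronous operation
- The client can operate through a proxy server (configured via the http_proxy and https_proxy environment variables and the .netrc file).
- Advanced TLS support:
  - Custom CAs for both client and server
  - Mutual TLS authentication between client and server using certificates
For TLS reference, see the "TLS options" group in the invocation synopsis.
Requirements
- Python 3.5.3+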
- aiohttp
- sdnotify
Installation
With the basic Python event loop:
pip3 install chunk-nordic
With the high-performance uvloop event loop:
pip3 install chunk-nordic[uvloop]
Synopsis
Server:
$ chunk-server --help
usage: chunk-server [-h] [-u URI] [-v {debug,info,warn,error,fatal}]
                    [--disable-uvloop] [-a BIND_ADDRESS] [-p BIND_PORT]
                    [-w TIMEOUT] [-c CERT] [-k KEY] [-C CAFILE]
                    dst_host dst_port

Yet another TCP-over-HTTP(S) tunnel. Server-side component.

positional arguments:
  dst_host              target hostname
  dst_port              target port

optional arguments:
  -h, --help            show this help message and exit
  -u URI, --uri URI     path where connections served (default: /chunk-nordic)
  -v {debug,info,warn,error,fatal}, --verbosity {debug,info,warn,error,fatal}
                        logging verbosity (default: info)
  --disable-uvloop      do not use uvloop even if it is available (default:
                        False)

listen options:
  -a BIND_ADDRESS, --bind-address BIND_ADDRESS
                        bind address (default: 127.0.0.1)
  -p BIND_PORT, --bind-port BIND_PORT
                        bind port (default: 8080)

timing options:
  -w TIMEOUT, --timeout TIMEOUT
                        backend connect timeout (default: 4)

TLS options:
  -c CERT, --cert CERT  enable TLS and use certificate (default: None)
  -k KEY, --key KEY     key for TLS certificate (default: None)
  -C CAFILE, --cafile CAFILE
                        require client TLS auth using specified CA certs
                        (default: None)
Client:
$ chunk-client --help
usage: chunk-client [-h] [-v {debug,info,warn,error,fatal}] [--disable-uvloop]
                    [-a BIND_ADDRESS] [-p BIND_PORT] [-w TIMEOUT] [-c CERT]
                    [-k KEY] [-C CAFILE] [--no-hostname-check]
                    server_url

Yet another TCP-over-HTTP(S) tunnel. Client-side component.

positional arguments:
  server_url            target hostname

optional arguments:
  -h, --help            show this help message and exit
  -v {debug,info,warn,error,fatal}, --verbosity {debug,info,warn,error,fatal}
                        logging verbosity (default: info)
  --disable-uvloop      do not use uvloop even if it is available (default:
                        False)

listen options:
  -a BIND_ADDRESS, --bind-address BIND_ADDRESS
                        bind address (default: 127.0.0.1)
  -p BIND_PORT, --bind-port BIND_PORT
                        bind port (default: 1940)

timing options:
  -w TIMEOUT, --timeout TIMEOUT
                        server connect timeout (default: 4)

TLS options:
  -c CERT, --cert CERT  use certificate for client TLS auth (default: None)
  -k KEY, --key KEY     key for TLS certificate (default: None)
  -C CAFILE, --cafile CAFILE
                        override default CA certs by set specified in file
                        (default: None)
  --no-hostname-check   do not check hostname in cert subject. This option is
                        useful for private PKI and available only together
                        with "--cafile" (default: False)
Example
Let's assume we have an OpenVPN instance listening on TCP port 1194 of the server gate.example.com.
Server command:
chunk-server 127.0.0.1 1194
Client command:
chunk-client http://gate.example.com:8080/chunk-nordic
OpenVPN configuration snippet for the client:
<connection>
remote 127.0.0.1 1940 tcp
</connection>
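An added example, not part of chunk-nordic: a small audit of chunk-server and chunk-client command lines that uses the option names and defaults from the synopsis above to flag unencrypted or unauthenticated tunnel setups. The findings policy is this example's own assumption, including treating a loopback-bound plain-HTTP server as sitting behind a TLS-terminating proxy; the certificate file names in any input are constructed.

```python
import argparse
import ipaddress
import shlex
from urllib.parse import urlsplit

# Option names come from the --help output above; the findings are this example's own policy.
VALUE_OPTS = [("-a", "--bind-address"), ("-p", "--bind-port"), ("-w", "--timeout"),
              ("-v", "--verbosity"), ("-c", "--cert"), ("-k", "--key"), ("-C", "--cafile")]

def is_loopback(host):
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other hostname is treated as remote

def build_parser(server):
    p = argparse.ArgumentParser(add_help=False)
    for flags in VALUE_OPTS:
        p.add_argument(*flags)
    p.add_argument("--disable-uvloop", action="store_true")
    p.set_defaults(bind_address="127.0.0.1")  # documented default for both components
    if server:
        p.add_argument("-u", "--uri")
        p.add_argument("dst", nargs=2)  # dst_host dst_port
    else:
        p.add_argument("--no-hostname-check", action="store_true")
        p.add_argument("server_url")
    return p

def audit(cmdline):
    """Return findings for one chunk-server or chunk-client command line."""
    prog, *argv = shlex.split(cmdline)
    server = prog.endswith("chunk-server")
    opts = build_parser(server).parse_args(argv)
    findings = []
    if server:
        if not opts.cert and not is_loopback(opts.bind_address):
            findings.append("server: non-loopback listener without --cert (plain HTTP)")
        if opts.cert and not opts.cafile:
            findings.append("server: TLS without --cafile, clients are not authenticated")
    else:
        url = urlsplit(opts.server_url)
        if url.scheme != "https" and not is_loopback(url.hostname or ""):
            findings.append("client: http:// to a remote server, tunnel traffic is unencrypted")
        if opts.no_hostname_check:
            findings.append("client: --no-hostname-check, any cert from the CA is accepted")
        if not is_loopback(opts.bind_address):
            findings.append("client: local listener reachable from other hosts")
    return findings
```

Calling `audit()` on the client command from the example above returns the unencrypted-tunnel finding, while a client line with `-c`, `-k`, `-C` and an `https://` URL returns an empty list.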