9fans - fans of the OS Plan 9 from Bell Labs
From: Anthony Sorace <a@9srv.net>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: [9fans] Portable NAT-busting reverse-proxy
Date: Tue,  3 Mar 2015 23:53:02 -0500
Message-ID: <12374CC2-B6E7-4353-BA9C-A2B4B5B9AA69@9srv.net>

I have a web service that runs localhost-only on my laptop which I'd sometimes like to make available on the public internet. The service listens on port 8000. The laptop moves around periodically, is usually behind a NAT, and is sometimes offline. Here's how I do it.

1) In Inferno on my laptop, I export my local network stack:
	listen -Av 'tcp!*!5555' {export /net&}
(This whole setup would've been way simpler if drawterm exported the network stack like Inferno does. Does it on any platform?)

2) On my Plan 9 cpu server, I have a service which looks something like this (at, say, /rc/bin/service/tcp1234):
	#!/bin/rc
	echo -n 0 > /srv/remotenet
There's a bit more going on in the real version of this, but this version works. Thanks to qrstuv on irc for a reminder of the "echo -n 0 > /srv/foo" trick mentioned here:
	http://9fans.net/archive/2007/04/130

3) Also on my cpu server, I have a service which looks like this (call it /rc/bin/service/tcp4321):
	#!/bin/rc

	mount /srv/remotenet /n/remnet
	netd=/n/remnet
	host=localhost

	aux/trampoline $netd^/tcp!^$host^!8000
Again, more logging & error checking in the real thing, but this should work as-is (I have a fallback for if /srv/remotenet can't be mounted, when the laptop is offline).

4) Finally, on my laptop I run:
	trampoline -a 'tcp!localhost!5555' tcp!my-cpuserver!1234
Getting trampoline running under p9p was trivial: I just removed the mac checking bits. I'm not sure why p9p doesn't have the needed cs bits in the header files (the code seems to be there).

The p9p trampoline connects the 9p service provided by Inferno on my laptop to the tcp1234 listener on my cpu server, which posts a service to /srv which the listener on 4321 mounts on each call and then uses as a network stack for its own trampoline. The end result is that web requests to my cpu server port 4321 get forwarded to localhost:8000 on my laptop, and I can re-establish this with just the p9p trampoline call. I have not attempted to authenticate any of the p9 connections, which I'd want to do if I were putting this into production service.

In addition to trampoline being so nice and the "echo -n 0" trick (which never sticks in my head for some reason), it's fun to note that there's nothing special about /net* directories; trampoline will use an IP stack anywhere you point it to.

I'll stick versions of this up on sources once I polish a bit or two.
Anthony
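
Added example, not part of the original post and not the author's real script: a fuller version of the step 3 service (/rc/bin/service/tcp4321) with the kind of fallback the post mentions for when /srv/remotenet cannot be mounted. The log file path, the logmsg and unavailable helpers, and the HTTP 503 reply are assumptions.

```rc
#!/bin/rc
# Added example: tcp4321 with an offline fallback.
# Paths and the backend port come from the post; everything marked
# "assumed" is an illustration, not the author's configuration.

srvfile=/srv/remotenet
netd=/n/remnet
host=localhost
port=8000
log=/sys/log/remnet	# assumed log file; must already be writable by the service user

fn logmsg {
	echo `{date} $* >> $log
}

fn unavailable {
	# Answer the HTTP client on the connection (fd 1) instead of
	# closing it silently. awk is used only to emit CRLF line endings.
	awk 'BEGIN {
		printf "HTTP/1.1 503 Service Unavailable\r\n"
		printf "Content-Length: 0\r\nConnection: close\r\n\r\n"
	}'
	exit 'backend offline'
}

# Nothing posted: the laptop has not dialed in yet.
if(! test -e $srvfile){
	logmsg 'no tunnel posted at' $srvfile
	unavailable
}

# A stale post (laptop gone) makes the mount fail; handle it the same way.
if(! mount $srvfile $netd >[2]/dev/null){
	logmsg 'mount of' $srvfile 'failed'
	unavailable
}

# The mounted tree must actually look like an IP stack before use.
if(! test -e $netd/tcp/clone){
	logmsg $netd 'has no tcp/clone'
	unavailable
}

logmsg 'forwarding call to' $host^!^$port
exec aux/trampoline $netd^/tcp!^$host^!^$port
```

This adds no authentication: whatever is posted at /srv/remotenet is trusted as the backend's network stack, which is the gap the post itself calls out for production use.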



