
This section describes detailed usage for the bore CLI command.

Local Forwarding

You can forward a port on your local machine by using the bore local command. This takes a positional argument, the local port to forward, as well as a mandatory --to option, which specifies the address of the remote server.

bore local 5000 --to bore.pub

You can optionally pass in a --port option to pick a specific port on the remote to expose, although the command will fail if this port is not available. Also, passing --local-host allows you to expose a different host on your local area network besides the loopback address localhost.

The full options are shown below.

Starts a local proxy to the remote server

Usage: bore local [OPTIONS] --to <LOCAL_PORT>

Arguments:
  <LOCAL_PORT>  The local port to expose [env: BORE_LOCAL_PORT=]

Options:
  -l, --local-host  The local host to expose [default: localhost]
  -t, --to          Address of the remote server to expose local ports to [env: BORE_SERVER=]
  -p, --port        Optional port on the remote server to select [default: 0]
  -s, --secret      Optional secret for authentication [env: BORE_SECRET]
  -h, --help        Print help

Self-Hosting

As mentioned in the startup instructions, there is a public instance of the bore server running at bore.pub. However, if you want to self-host bore on your own network, you can do so with the following command:

bore server

That's all it takes! After the server starts running at a given address, you can then update the bore local command so that its --to option points at that address, forwarding a local port to this remote server.

It's possible to specify different IP addresses for the control server and for the tunnels. This setup is useful for cases where you might want the control server to be on a private network while allowing tunnel connections over a public interface, or vice versa.

The full options for the bore server command are shown below.

Runs the remote proxy server

Usage: bore server [OPTIONS]

Options:
  --min-port <MIN_PORT>          Minimum accepted TCP port number [env: BORE_MIN_PORT=] [default: 1024]
  --max-port <MAX_PORT>          Maximum accepted TCP port number [env: BORE_MAX_PORT=] [default: 65535]
  -s, --secret                   Optional secret for authentication [env: BORE_SECRET]
  --bind-addr <BIND_ADDR>        IP address to bind to, clients must reach this [default: 0.0.0.0]
  --bind-tunnels <BIND_TUNNELS>  IP address where tunnels will listen on, defaults to --bind-addr
  -h, --help                     Print help

Protocol

There is an implicit control port at 7835, used for creating new connections on demand. At initialization, the client sends a "Hello" message to the server on the TCP control port, asking to proxy a selected remote port. The server then responds with an acknowledgement and begins listening for external TCP connections.

Whenever the server obtains a connection on the remote port, it generates a secure UUID for that connection and sends it back to the client. The client then opens a separate TCP stream to the server and sends an "Accept" message containing the UUID on that stream. The server then proxies the two connections between each other.

For correctness reasons and to avoid memory leaks, incoming connections are only stored by the server for up to 10 seconds before being discarded if the client does not accept them.
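The server-side bookkeeping described above, sketched as an added example (this is not bore's own code; the class and function names are hypothetical): each external connection is stored under a random UUID, the ID can be redeemed once by an "Accept" message, and entries older than 10 seconds are discarded.

```python
import time
import uuid

PENDING_TTL_SECONDS = 10.0  # from the page: unaccepted connections are dropped after 10 seconds


class PendingConnections:
    """Server-side table of external connections waiting for a client "Accept"."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # uuid.UUID -> (connection, time it was stored)

    def register(self, conn):
        """Store a new external connection and return the ID to send to the client."""
        conn_id = uuid.uuid4()  # random ID; uuid4 draws its bits from os.urandom
        self._pending[conn_id] = (conn, self._clock())
        return conn_id

    def accept(self, conn_id):
        """Return the connection for an "Accept" message, or None if unknown or expired."""
        self.sweep()
        entry = self._pending.pop(conn_id, None)  # pop, so each ID is redeemable once
        return entry[0] if entry else None

    def sweep(self):
        """Discard connections the client did not accept in time; return how many."""
        now = self._clock()
        stale = [i for i, (_, stored) in self._pending.items()
                 if now - stored > PENDING_TTL_SECONDS]
        for conn_id in stale:
            del self._pending[conn_id]  # a real server would also close the socket here
        return len(stale)


def demo():
    """Constructed scenario driven by a fake clock: accept, replay, guess, expire."""
    now = [0.0]
    table = PendingConnections(clock=lambda: now[0])
    first = table.register("conn-A")      # strings stand in for TCP streams
    now[0] = 3.0
    accepted = table.accept(first)        # redeemed within 10 s
    replayed = table.accept(first)        # same ID presented a second time
    guessed = table.accept(uuid.uuid4())  # an ID the server never issued
    late = table.register("conn-B")
    now[0] = 14.0                         # 11 s after conn-B was stored
    expired = table.accept(late)
    return accepted, replayed, guessed, expired
```
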

Authentication

On a custom deployment of bore server, you can optionally require a secret to prevent the server from being used by others. The protocol requires clients to verify possession of the secret on each TCP connection by answering random challenges in the form of HMAC codes. (This secret is only used for the initial handshake, and no further traffic is encrypted by default.)

on the server

bore server --secret my_secret_string

on the client

bore local <LOCAL_PORT> --to <ADDRESS> --secret my_secret_string

If a secret is not present in the arguments, bore will also attempt to read from the BORE_SECRET environment variable.
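A challenge-response handshake of the kind described in this section, as an added example rather than bore's own code. The page only says "HMAC codes" and "random challenges", so HMAC-SHA256, a SHA-256-derived key, the UUID challenge format and all function names here are assumptions.

```python
import hashlib
import hmac
import uuid


def derive_key(secret: str) -> bytes:
    # Assumption: hash the shared secret to get a fixed-length MAC key.
    return hashlib.sha256(secret.encode()).digest()


def new_challenge() -> uuid.UUID:
    """Server: draw a fresh random challenge for every TCP connection."""
    return uuid.uuid4()


def answer(secret: str, challenge: uuid.UUID) -> str:
    """Client: prove possession of the secret without sending the secret itself."""
    return hmac.new(derive_key(secret), challenge.bytes, hashlib.sha256).hexdigest()


def verify(secret: str, challenge: uuid.UUID, tag_hex: str) -> bool:
    """Server: recompute the expected tag and compare it in constant time."""
    expected = answer(secret, challenge)
    # Compare as bytes so a malformed or non-ASCII reply is rejected, not raised on.
    return hmac.compare_digest(expected.encode(), tag_hex.encode())


def demo():
    """Constructed run: correct secret, wrong secret, and a replayed answer."""
    server_secret = "my_secret_string"  # sample value used on the page
    c1 = new_challenge()
    good = verify(server_secret, c1, answer("my_secret_string", c1))
    wrong = verify(server_secret, c1, answer("not_the_secret", c1))
    c2 = new_challenge()  # the next connection gets a different challenge
    replay = verify(server_secret, c2, answer("my_secret_string", c1))
    return good, wrong, replay
```

Because the tag covers a per-connection random challenge, an answer captured from one connection does not verify on the next.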

Acknowledgements

Created by Eric Zhang (@ekzhang1). Licensed under the MIT license.

The author would like to thank the contributors and maintainers of the Tokio project for making it possible to write ergonomic and efficient network services in Rust.
