OpenNG is a network ingress manager.
It is a highly configurable, extensible network ingress manager designed for labs.
It currently supports linux, windows, macos
- TCP PORT MUX
- Supported Protocols
- TLS
- HTTP1 HTTP2
- RDP
- SSH
- PROXYPROTOCOL
- the feature enables to serve multi-protocols on one port
- Supported Protocols
- Simple Auth
- the feature provides simple but strong protection for exposing internal http services like qbitorrent, router management, your own services and etc.
- regexp match for path and host
- flexible configuration
- delicate web auth page
- partially support ldap as auth backend
- the feature provides simple but strong protection for exposing internal http services like qbitorrent, router management, your own services and etc.
- HTTP Virtual Host & Reserve Proxy
- support websocket without any configuration
- support h2
- compliant for most IPMI html5 consoles
- HTTP Forward Proxy
- support http proxy basic auth
- SSH Virtual Host
- high compatibility with all backend ssh features
- can use with vscode, etc.
- only allow pubkey auth
- support a custom banner and random quote memes
- high compatibility with all backend ssh features
- TLS
- supports sni, alpn and multi-certificates
- IP Filter & Host Filter
- support ip range
- support host regexp for white list
- Logging
- supports udp logging output
- with a analyzer, we can turn the log data structed to write to influxdb
- supports udp logging output
You can find the (not that)latest OpenNG release on the release page. But a release is not made so often. So I recommend you to build it yourself.
We provide a up-to-date docker image on dockerhub, which is built by github actions from the latest main branch. I highly recommend you to use the docker image.
git clone https://github.com/mrhaoxx/OpenNG
cd OpenNG
bash build.shdocker run -it -v /path/to/config.yaml:/config.yaml --network host mrhaoxx/ng:mainOpenNG currently uses only one yaml as configuration file.
The yaml file is divided into several sections.
You can find the structure of the configuration file in the builtin.go.
The _builtin_refs_assertions holds all structure of the configuration file.
A simple example of the configuration file is as follows:
version: 5
Config:
Logger:
EnableSSELogger: true
Verbose: true
Services:
- name: tls
kind: builtin::tls
spec:
certificates:
- CertFile: /cert/fullchain.cer
KeyFile: /cert/example.com.key
- name: fauth
kind: builtin::auth::backend::file
spec:
users:
- name: user
PasswordHash: # Gen you password hash with the tool below
AllowForwardProxy: true
SSHAuthorizedKeys:
- ssh pubkey (ssh authoried_keys format)
- name: policyd
kind: builtin::auth::policyd
spec:
Policies:
- name: Public
Allowance: true
Users: [ "" ]
Hosts:
- $dref{http:proxier.spec.hosts.pub.hosts}...
- name: Private
Allowance: true
Users: ["user"]
- name: Refuse
Allowance: false
Users: [""]
Hosts:
- "*"
backends:
- $ptr{fauth}
- name: auth
kind: builtin::auth::manager
spec:
backends:
- $ptr{policyd}
- name: http:proxier
kind: builtin::http::reverseproxier
spec:
hosts:
- name: router
hosts: [router.example.com]
backend: https://192.168.1.1
TlsSkipVerify: true
MaxConnsPerHost: 8
- name: pub
hosts: ["*.example.com", "example.com"]
backend: https://a-backend-host
- name: http:stdforward
kind: builtin::http::forwardproxier
- name: http:midware
kind: builtin::http::midware
spec:
cgis:
- logi: $ptr{policyd}
forward: # forward proxy
- logi: $ptr{policyd}
name: auth
- logi: $ptr{http:stdforward}
name: stdfwd
- name: sshrp
kind: builtin::ssh::reverseproxier
spec:
hosts:
- name: backend-1 # default
HostName: sshhost1
- name: backend-2
HostName: sshhost2
privatekeys: $dref{ssh.spec.privatekeys}
- name: ssh
kind: builtin::ssh::midware
spec:
services:
- name: reverseproxy
logi: $ptr{sshrp}
privatekeys: |
Fill your private key (PEM Encoding) here
banner: |
Authorized access only!
Your IP: %h
policyd: $ptr{policyd}
- name: tcp:det
kind: builtin::tcp::det
spec:
protocols:
[tls,ssh,rdp,http,proxyprotocol]
timeout: 3000000000 # 3s
timeoutprotocol: TIMEOUT
- name: tcp:securehttp
kind: builtin::tcp::securehttp
- name: tcp:controller
kind: builtin::tcp::controller
spec:
services:
"":
- logi: $ptr{tcp:det}
name: det
TLS:
# - logi: $ptr{hif}
# name: hif
- logi: $ptr{tls}
name: tls
- logi: $ptr{tcp:det}
name: det
TLS HTTP2:
- logi: $ptr{http:midware}
name: http
TLS HTTP1:
- logi: $ptr{http:midware}
name: http
HTTP1:
# - logi: $ptr{tcp:securehttp}
# name: http
## Use the above line if you want to redirect all http to https
- logi: $ptr{http:midware}
name: http
SSH:
- name: ssh
logi: $ptr{ssh}
TIMEOUT:
- name: ssh
logi: $ptr{ssh}
- name: ui
kind: builtin::webui
spec:
httpmidware: $ptr{http:midware}
tcpcontroller: $ptr{tcp:controller}
- kind: builtin::http::midware::addservice
name: bi
spec:
midware: $ptr{http:midware}
services:
- logi: $ptr{auth}
name: auth
- name: ui
logi: $ptr{ui}
hosts:
- netgate.example.com
- logi: $ptr{http:proxier}
name: prx
- kind: builtin::tcp::listen
spec:
AddressBindings:
- 0.0.0.0:4430
- 0.0.0.0:4431
ptr: $ptr{tcp:controller}
We use bcrypt to hash the password
package main
import (
"fmt"
"golang.org/x/crypto/bcrypt"
)
func HashPassword(password string) (string, error) {
bytes, err := bcrypt.GenerateFromPassword([]byte(password), 14)
return string(bytes), err
}
func main() {
var password string
fmt.Print("Enter password: ")
fmt.Scanln(&password)
hash, _ := HashPassword(password)
fmt.Println("Hash: ", hash)
}