In many scenarios, intranet penetration is a requirement we often run into. We have used tools such as Peanut Shell, ngrok and FRP before, but because of speed limits, fees and security concerns we had to give them up.
Recently I happened to come across lanproxy (portal: lanproxy), an open source tool. I had just obtained a Huawei Cloud host for free, which is all that is needed to set up intranet penetration.
I. Overview
1. What is intranet penetration service
Intranet penetration, also known as NAT traversal, is a networking term. When a computer sits inside a local area network and nodes on the public network need to connect to and communicate with nodes on the internal network, such a connection is sometimes not possible because the NAT does not support it.
2. What is lanproxy
lanproxy is an intranet penetration tool that proxies personal computers and servers on a LAN out to the public network. At present it only supports TCP traffic forwarding, so it can carry any protocol that runs on top of TCP (access to intranet websites, debugging of local payment interfaces, SSH access, remote desktop, ...). Services such as Peanut Shell, TeamViewer and GoToMyCloud offer something similar, but using a third party's public server means paying that third party, and these services come with various restrictions. In addition, because the data packets flow through a third party, they are also a major hidden danger to data security. https://lanproxy.io2c.com
3. The principle of intranet penetration
The principle of intranet penetration is shown in the figure below:
- The user visits our server; because this server has a public IP, the user can reach it directly
- The server keeps a long-lived connection to the local computer; when a request arrives, the server forwards it to our local computer
- The local computer sends the response back to the server
- The server relays the response to the user
II. Start deployment
1. Prepare the environment
Host | IP | Role | OS | Service
---|---|---|---|---
internet-yanmb | Public IP | Cloud server | CentOS 7.6 | Docker (used here to run lanproxy in a container and simplify configuration); Nginx
didi | Intranet IP | Intranet PC | CentOS 7.6 | Java JDK 1.8; Maven (package and dependency management tool)
2. Public network server configuration (docker)
2.1 Deploy docker and nginx in the basic environment
1. Install dependency packages
[root@internet-yanmb ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
2. Install
[root@internet-yanmb ~]# yum install docker nginx
3. Start docker and nginx
[root@internet-yanmb ~]# systemctl start docker && systemctl enable docker
[root@internet-yanmb ~]# systemctl start nginx && systemctl enable nginx
2.2 Start the lanproxy service through Docker
[root@internet-yanmb ~]# docker run -d --name lanproxy-server -p 8090:8090 -p 4900:4900 -p 4993:4993 -p 9000-9100:9000-9100 --restart=always biodwhu/lanproxy
2.3 Open http://<your public server IP>:8090 in a browser
The default login is admin/admin
2.4 Nginx reverse proxy configuration domain name (optional)
In the previous step we started lanproxy through Docker, but it can only be reached by IP address. The Nginx reverse proxy configured here only adds access by domain name.
vim /etc/nginx/conf.d/lanproxy.didi.cn.conf
server {
    listen 80;
    # use your own domain name here
    server_name lanproxy.didi.cn;
    charset utf-8;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        # change this to the value of config.server.port in your lanproxy configuration
        proxy_pass http://127.0.0.1:8090;
        client_max_body_size 35m;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
Configure the intranet service proxy
vim /etc/nginx/conf.d/kodcloud.didi.cn.conf
server {
    listen 80;
    # use your own domain name here
    server_name kodcloud.didi.cn;
    charset utf-8;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        # change this to the "external port" of the mapping you create in the lanproxy admin backend (configured below)
        proxy_pass http://127.0.0.1:9000;
        client_max_body_size 35m;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
Any of the ports published from the container (9000-9100 in the docker run command above) can be used as the 127.0.0.1:port target in proxy_pass.
Restart Nginx
systemctl restart nginx
2.5 Continue with the configuration in the lanproxy admin backend
Configure a client
Add a configuration
3. Intranet PC configuration (Java client)
3.1 Install jdk1.8 environment
# JDK download address
https://www.oracle.com/java/technologies/javase/javase-jdk8-downloads.html
tar -zxvf jdk-8u281-linux-x64.tar.gz -C /usr/local/
# Configure environment variables
vim /etc/profile
export JAVA_HOME=/usr/local/jdk1.8.0_281/
export JRE_HOME=${JAVA_HOME}/jre
export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib
export PATH=${JAVA_HOME}/bin:$PATH
# Run this so the change takes effect immediately
source /etc/profile
# Verify
java -version
# Configure the symlinks (the path must match the extracted JDK, 1.8.0_281 here, and point into its bin directory)
update-alternatives --install /usr/bin/java java /usr/local/jdk1.8.0_281/bin/java 300
update-alternatives --install /usr/bin/javac javac /usr/local/jdk1.8.0_281/bin/javac 300
3.2 Install maven environment
Download Maven from http://maven.apache.org/download.cgi.
# Download maven
wget https://mirrors.bfsu.edu.cn/apache/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz
# Extract into the /opt/maven directory
mkdir /opt/maven
tar zxvf apache-maven-3.6.3-bin.tar.gz -C /opt/maven
# Configure the maven environment variables
vim /etc/profile
export M2_HOME=/opt/maven/apache-maven-3.6.3
export CLASSPATH=$CLASSPATH:$M2_HOME/lib
export PATH=$PATH:$M2_HOME/bin
# Run this so the change takes effect immediately
source /etc/profile
# Verify
mvn -v
# Change the maven mirror to Aliyun and set the default local repository path; this makes jar downloads much faster.
# Add the following to settings.xml: <localRepository> at the top level of <settings>, the <mirror> block inside <mirrors>
vim /opt/maven/apache-maven-3.6.3/conf/settings.xml
<localRepository>maven/reposity</localRepository>
----------------------------------------------------
<mirror>
<id>alimaven</id>
<name>aliyun maven</name>
<url>http://maven.aliyun.com/nexus/content/groups/public/</url>
<mirrorOf>central</mirrorOf>
</mirror>
----------------------------------------------------
Verify that the intranet service is genuinely working
3.3 Run lanproxy client service
# Clone onto the intranet computer
mkdir /appstorage/ && cd /appstorage
git clone https://github.com/ffay/lanproxy.git lanproxy
# Package
cd lanproxy
mvn package
After packaging completes, the client files are in the distribution/proxy-client-0.1 directory, which contains the folders bin, conf, lib and log. The configuration is in conf/config.properties; edit it to match the server configured earlier.
vim distribution/proxy-client-0.1/conf/config.properties
# The key configured for this client in the lanproxy admin backend
client.key=ca670d0e95fb4ad68626d174ed357efe
# SSL settings, filled in according to the server configuration (not needed when enable = false)
ssl.enable=false
ssl.jksPath=test.jks
ssl.keyStorePassword=123456
# IP of the server
server.host=123.60.x.x
# proxy-server default SSL port is 4993, default plain port is 4900
# with ssl.enable=true put the SSL port here, with ssl.enable=false the plain port
server.port=4900
Client start
cd distribution/proxy-client-0.1
bash bin/startup.sh
# Start automatically at boot (rc.local does not run from the client directory, so use an absolute path)
echo "cd /appstorage/lanproxy/distribution/proxy-client-0.1 && /usr/bin/bash bin/startup.sh" >> /etc/rc.local
chmod a+x /etc/rc.d/rc.local
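Before starting the client it is worth checking that config.properties is internally consistent, because a mismatch (for example ssl.enable=true with the plain port) only shows up as a failed connection later. The following script is an added example written for this article, not code from the lanproxy project; the two sample property files it creates are constructed for the demonstration.

```shell
# Sanity check for the lanproxy client's conf/config.properties (example code, not part of lanproxy).
# It checks the pairings described in the config comments: ssl.enable=true needs the SSL port (4993)
# and a keystore path, ssl.enable=false needs the plain port (4900), client.key must be filled in,
# and server.host must not be left as a placeholder such as 123.60.x.x.

# prop <file> <key>: print the value of <key> (first match, CR and spaces stripped).
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '\r '
}

# check_client_config <file>: print each problem found; the exit status is the number of problems.
check_client_config() {
    local f=$1 errs=0 key host port ssl jks
    key=$(prop "$f" client.key); host=$(prop "$f" server.host)
    port=$(prop "$f" server.port); ssl=$(prop "$f" ssl.enable)
    jks=$(prop "$f" ssl.jksPath)
    [ -n "$key" ] || { echo "client.key is empty: copy it from the lanproxy admin page"; errs=$((errs + 1)); }
    case "$host" in
        ""|*.x.*|*.x) echo "server.host '$host' is empty or a placeholder"; errs=$((errs + 1)) ;;
    esac
    case "$ssl" in
        true)
            [ "$port" = 4993 ] || { echo "ssl.enable=true but server.port=$port (SSL port is 4993)"; errs=$((errs + 1)); }
            [ -n "$jks" ] || { echo "ssl.enable=true but ssl.jksPath is empty"; errs=$((errs + 1)); } ;;
        false)
            [ "$port" = 4900 ] || { echo "ssl.enable=false but server.port=$port (plain port is 4900)"; errs=$((errs + 1)); } ;;
        *) echo "ssl.enable must be true or false, got '$ssl'"; errs=$((errs + 1)) ;;
    esac
    return "$errs"
}

# Constructed sample files (not from a real deployment) showing a good and a broken config.
tmp=$(mktemp -d)
cat > "$tmp/good.properties" <<'EOF'
client.key=0123456789abcdef0123456789abcdef
ssl.enable=false
server.host=203.0.113.10
server.port=4900
EOF
cat > "$tmp/bad.properties" <<'EOF'
client.key=
ssl.enable=true
ssl.jksPath=
server.host=123.60.x.x
server.port=4900
EOF
check_client_config "$tmp/good.properties" && echo "good.properties: OK"
check_client_config "$tmp/bad.properties" || echo "bad.properties: $? problem(s)"
```

Run it against distribution/proxy-client-0.1/conf/config.properties; a non-zero exit status means the file needs fixing before bin/startup.sh is started.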
4. Client test access
Point kodcloud.didi.cn at the public IP in the local hosts file and open it in a browser: success.
You can also reach the service directly through the public IP on port 9000.