Proxying » Danted Perfect Setup
secure Danted setup, but without authentication
The reason for this is that Chrome does not support SOCKS5 authentication, so I had to come up with a better way.
In short, first visit “https://orotec … /_socks.php” and then the SOCKS5 proxy will work.
Determine main interface name in Ubuntu
There are two one-liners, both equally efficient and elegant. They are based on the principle of discarding all virtual network interfaces and then taking the first remaining one. Both one-liners will assign the interface name to the variable iname.

# more robust method that checks for the actual existence of the interface (a physical interface has a "device" entry in sysfs)
iname=$(ls /sys/class/net | while read -r iface; do if [[ -d /sys/class/net/$iface/device ]]; then echo "$iface"; break; fi; done)
# more elegant as it discards virtual interfaces based on whether the phrase `virtual` appears in the symlink target
iname=$(find /sys/class/net -type l -not -lname '*virtual*' -printf '%f\n' | head -n 1)

Install danted

# install dante
sudo apt update && sudo apt install -y dante-server
# assign variables
iname=$(find /sys/class/net -type l -not -lname '*virtual*' -printf '%f\n' | head -n 1)
port="22333" # SOCKS5 port number
# backup the original conf file
sudo mv /etc/danted.conf /etc/danted.conf.backup
# ensure that the whitelist file exists
sudo touch /etc/danted.whitelist
# create /etc/danted.conf as elevated user
cat << EOF | sudo tee "/etc/danted.conf" > /dev/null
logoutput: stderr
internal: $iname port = $port
external: $iname
socksmethod: none
clientmethod: none
user.privileged: proxy
user.notprivileged: nobody
user.libwrap: nobody
socks pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect disconnect error
}
# client pass rules are below this line
EOF
# and use it also as a template
sudo cp /etc/danted.conf /etc/danted.conf.template
# create a script that will combine whitelisted IPs into dante rules
cat << 'EOF' | sudo tee "/etc/danted.combine.sh" > /dev/null
#!/bin/bash
# start with a template
cp "/etc/danted.conf.template" "/etc/danted.conf"
# and append whitelisted IPs, one "client pass" rule per address
while IFS= read -r IP; do
# skip blank lines, which would otherwise produce an invalid "from: /32" rule
[ -n "$IP" ] || continue
cat << MARKER >> "/etc/danted.conf"
client pass {
from: $IP/32 to: 0.0.0.0/0
log: connect disconnect error
}
MARKER
done < "/etc/danted.whitelist"
# restart service
sudo systemctl restart danted
EOF
# make it executable (the file is owned by root, so sudo is needed)
sudo chmod +x /etc/danted.combine.sh
# restart to apply the changes
sudo systemctl restart danted
# firewall must have port opened
# for example: sudo ufw allow $port
# verify that Dante is running and listening on the correct port:
sudo systemctl status danted
sudo netstat -tuln | grep $port
# or, if net-tools is not installed: sudo ss -tuln | grep $port

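The combine script above trusts every line of /etc/danted.whitelist, and the whitelist is written by a web-facing PHP script, so a stray or malformed line would either break the config (danted fails to start) or could widen a rule beyond a single host. The following is an added example, not code from the original post: a stricter renderer for the "client pass" rules that keeps only well-formed IPv4 host addresses, drops blank and duplicate lines (repeated visits to _socks.php append the same address again and again), and reports rejected lines on stderr. The function names and the argument order (whitelist, template, output) are this example's own choices; the rule format matches the one danted.combine.sh emits.

```shell
#!/bin/sh
# Added example (not from the original post): a stricter renderer for the
# "client pass" rules that /etc/danted.combine.sh appends to danted.conf.
# It keeps only well-formed IPv4 host addresses, drops blank and duplicate
# lines, and writes one rule per address after the template.
# Function names and the argument order are this example's own choices.

# is_ipv4 ADDRESS: succeed only for exactly four dot-separated decimal
# octets, each in 0-255. CIDR suffixes, hostnames and IPv6 all fail.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    rest=$1
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "$octet" -le 255 ] || return 1
        [ "$rest" = "$octet" ] && break
        rest=${rest#*.}
    done
    return 0
}

# render_client_rules WHITELIST TEMPLATE OUTPUT: copy the template and append
# one "client pass" block per valid, unique address from the whitelist.
render_client_rules() {
    whitelist=$1
    template=$2
    out=$3
    {
        cat "$template"
        # sort -u collapses the duplicate lines that repeated visits to
        # _socks.php append to the whitelist
        sort -u "$whitelist" | while IFS= read -r ip; do
            [ -n "$ip" ] || continue
            if is_ipv4 "$ip"; then
                printf 'client pass {\n    from: %s/32 to: 0.0.0.0/0\n    log: connect disconnect error\n}\n' "$ip"
            else
                # anything else is rejected so a stray line can never widen a
                # rule to a whole network or leave danted with a broken config
                printf 'skipping invalid whitelist entry: %s\n' "$ip" >&2
            fi
        done
    } > "$out"
}

# count_client_rules CONFIG: number of rendered "client pass" blocks.
count_client_rules() {
    grep -c '^client pass {' "$1" || true
}
```

To use it in place of the loop in /etc/danted.combine.sh, call `render_client_rules /etc/danted.whitelist /etc/danted.conf.template /etc/danted.conf` before the restart. Invalid lines are skipped rather than aborting the run, so one bad entry in the whitelist costs that entry only, not the whole proxy.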
Now, I’ll monitor file changes and regenerate the config and restart dante on change. I’m implementing it this way as I don’t want the web server user to have sudo access for the systemctl command. So having my PHP script restart the danted process itself is out, which is why I’m doing this file monitoring. I decided to do it using systemd rather than inotify.

# systemd.service Unit File
sudo tee "/etc/systemd/system/danted-reconfigure.service" > /dev/null << 'EOF'
[Unit]
Description=Reload danted when whitelist changes
[Service]
Type=oneshot
ExecStart=/etc/danted.combine.sh
EOF
# systemd.path Unit File (a path unit activates the service of the same name)
sudo tee "/etc/systemd/system/danted-reconfigure.path" > /dev/null << 'EOF'
[Unit]
Description=Monitor /etc/danted.whitelist for changes
[Path]
PathModified=/etc/danted.whitelist
[Install]
WantedBy=multi-user.target
EOF
# Reload the configuration
sudo systemctl daemon-reload
# Enable and start our path unit
sudo systemctl enable --now danted-reconfigure.path

Now everything is working perfectly. Specifically, every time there is a change in the /etc/danted.whitelist file, the entire danted system is reconfigured. I just need a simple way to add my IP address to the whitelist, and I will do this using PHP.

cat << 'EOF' | sudo tee "/home/orotec/htdocs/orotec.jao.rs/_socks.php" > /dev/null
<?php
# username is the leftmost label of the domain
$expectedUsername = strtok($_SERVER['HTTP_HOST'], '.');
# password is the script's filename without the extension
$expectedPassword = pathinfo(basename($_SERVER['REQUEST_URI']), PATHINFO_FILENAME);
# If not authenticated, send a 401 Unauthorized header and exit
# (the PHP_AUTH_* entries are absent on the first request, hence the null coalescing)
$isAuthenticated = ($_SERVER['PHP_AUTH_USER'] ?? '') === $expectedUsername
    && ($_SERVER['PHP_AUTH_PW'] ?? '') === $expectedPassword;
if (!$isAuthenticated) {
header('WWW-Authenticate: Basic realm="Restricted Area"');
header('HTTP/1.0 401 Unauthorized');
exit('Authorization Required.');
}
# Get the client IP address from the server superglobal
$clientIP = $_SERVER['REMOTE_ADDR'];
# If the "clear" query parameter is present, replace the whitelist with just this IP, otherwise append it
file_put_contents('/etc/danted.whitelist', $clientIP . PHP_EOL, isset($_GET['clear']) ? 0 : FILE_APPEND);
# Output just the client IP
echo $clientIP . "\n";
EOF

Just change the owner of the whitelist file so the PHP script can write to it:

sudo chown orotec /etc/danted.whitelist

Then add an IP by visiting the _socks.php page with user: ‘orotec’, pass: ‘_socks’.