This lets you use a proxy for connecting to the SSH server, which
is useful on networks that block SSH/port 22. For example, you can
use the boringproxy tuntls command to create a proxy that will
tunnel the client's SSH connections over TLS to the server.
It's all very meta and forces at least double encryption, but it
could be useful.

Previously it was RESTful and required both a user and client
name in order to PUT new clients. Now this information is taken
from the token if possible (user is always available, client name
may not be) and a simple POST /clients endpoint is provided.

Before, not giving any command didn't really give much feedback beyond
"invalid arguments". This adds a basic usage message, and tells people
that you can use "boringproxy server -h".

I moved the "Starting up" log message because otherwise that would get
printed when asking for "server -h".

I also added error checks for the flag parsing; I think this isn't
*strictly* needed, but I remember running into problems once by
omitting it (although I've forgotten what that problem was, exactly).

This is useful for systems like Android which doesn't follow
normal DNS conventions like /etc/resolv.conf, so normal golang
DNS (i.e. when CGO_ENABLED=0) fails on Android.

Also fixed a bug where client TLS termination was failing to get
new certs, I believe because the TLS listener hadn't started up
yet. I didn't notice it before because I'm running the client and
server on the same machine and the server currently gets certs on
startup even for non-server TLS tunnels.

Can now put "https://" in front of Client Address to force it to
use TLS. It doesn't do any verification of the upstream cert. This
is intended to work similarly to the way ngrok does it:
https://ngrok.com/docs#http-local-https

Just needed to add an option to allow external connections to the
ports from the server, then set the proper values in the
authorized_keys file and on the client.

Allows tunnels to specify what address the client will connect to
for upstream connections.

Also changed the tunnel-adder UI.

Also fixed a bug where invalid domains would crash. Needed to
properly return an error dialog.

It pretty much only accomplishes what you can already do with a
normal SSH client. The difference is that keys are generated on
the fly by the server and transmitted for the client to use for
the tunnel.