Server/Changing Ports: Difference between revisions

From Bondix Wiki
(Initial version)
 
mNo edit summary
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
By default, Bondix server uses TCP port 443 for both the web interface and incoming tunnel connections. As a quick reminder, Bondix uses both TCP and UDP by default, where TCP is used for control messages and UDP is used for data transfer.
The Bondix server typically uses TCP port 443 for its web interface and to handle incoming tunnel connections, employing TCP for control messages and UDP for data transport. To modify these port settings or segregate them for enhanced security and restricted access to the server's web interface, follow this guide to adjust the default TCP port configuration.


Sometimes, you want to change these ports or keep them separate, usually to limit access to the server webinterface. In this guide, we will change the default TCP port configuration to achieve exactly that.
== Modifying the TCP Port Configuration ==


=== Editing /etc/saneserver.json ===
TCP port settings are located in ''/etc/saneserver.json'', formatted in JSON. Avoid syntax errors in this file to prevent the server daemon from failing to start. The default configuration sets up a TCP listener as follows:
The TCP port configuration is stored in /etc/saneserver.json. The format in this configuration file is JSON, which you should at least be vaguely familiar with. Syntax errors in this file will result in the server daemon not starting, so be careful.


By default, there is a command line that sets up a TCP listener like this:
<pre>
{"target": "server", "action": "add-https", "host": "0.0.0.0", "port": "443", "allowMonitor": true},
{"target": "server", "action": "add-https", "host": "0.0.0.0", "port": "443", "allowMonitor": true},
A "host" value of 0.0.0.0 means that it listens to any IPv4 address that the system has configured, and "port" describing the port it should listen to.
</pre>


We see an additional "allowMonitor" parameter which is set to true, which sets whether or not the webinterface can be reachable (the name is still in use due to backwards compatibility).
This configuration listens on any IPv4 address on port 443, with "allowMonitor" enabled for web interface access.


=== Separating webinterface & incoming tunnels ===
== Differentiating Web Interface and Incoming Tunnels ==
We will replace the previous command with two commands that look like this:


<pre>  
Replace the default command with two distinct commands to separate the web interface from incoming tunnel connections:
{"target": "server", "action": "add-https", "host": "10.10.0.1", "port": "443", "allowMonitor": true, "allowTunnel": false},
 
{"target": "server", "action": "add-https", "host": "0.0.0.0", "port": "44343", "allowMonitor": false},
<pre>
{"target": "server", "action": "add-https", "host": "10.10.0.1", "port": "443", "allowMonitor": true, "allowTunnel": false},
{"target": "server", "action": "add-https", "host": "1.2.3.4", "port": "44343", "allowMonitor": false},
</pre>
</pre>


Now we have created two distinct tcp listener ports. The first port will only listen on 10.10.0.1:443, assuming that this is a private-only network that is not publicly reachable. Notice that we added an additional "allowTunnel" property, which specifies whether this listener is allowed to accept incoming tunnel connection - here it does not make much sense to do so, so we can safely disable this.
The first command configures a listener on a private network IP with web interface access only, and the second sets up a listener for incoming tunnel connections on a custom port, rejecting other requests with HTTP 405 errors.
 
== Ensuring Configuration Validity and Server Restart ==
 
Verify the JSON syntax of ''/etc/saneserver.json'' before restarting the server. Use `json_pp` for syntax verification.
<pre>
cat /etc/saneserver.json | json_pp
</pre>


The second tcp listener is now listening on any IP, port 44343 (TCP), which is the same as the default UDP port Bondix uses. You can safely use the same port for both TCP and UDP. Notice here that "allowMonitor" - aka webinterface access - is disabled here. This will result in the port only accepting incoming tunnel connections, and responding with HTTP 405 (Method not allowed) otherwise.
Restart the Bondix server with:
<pre>
sudo systemctl restart bondix
</pre>


=== Validate configuration & restart server ===
== Client Configuration for Non-standard Ports ==
Make sure that the changed saneserver.json is still valid json! Especially, all commands should be separated by a comma (","), except for the last command, as the whole configuration set is a JSON list/array.
[[File:Bondix Client Custom Port.png|thumb|Entering a endpoint server IP using custom TCP port 44343]]
If you have json_pp installed, this is one way to verify the syntax of the file:
<pre>cat /etc/saneserver.json | json_pp</pre>
If successful, this command will print out the contents of the file, or print out an error if there is a syntax error.


Once you made sure that your changes are correct, you must restart the bondix server via:
For a custom port, specify this port in the client's server string, appending the port number after the IP address, separated by a colon.
<pre>sudo systemctl restart bondix</pre>
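Review bot: The new tunnel listener line sets "host": "1.2.3.4" where the previous revision had "host": "0.0.0.0", and the rewritten paragraph below it never says what that address stands for. If it is meant as a stand-in for the server's public address, say so next to the example (or keep 0.0.0.0), since a reader who copies the line as written ends up with an address their host most likely does not have. The rewrite also drops three points from the old text that are worth keeping: that 10.10.0.1 is assumed to be a private-only network, that "allowTunnel": false is what stops the web interface listener from accepting tunnels, and that every command except the last must be followed by a comma because the file is a JSON array.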

Latest revision as of 11:22, 2 February 2024

The Bondix server typically uses TCP port 443 both for its web interface and for incoming tunnel connections, employing TCP for control messages and UDP for data transport. To change these ports, or to separate them so that access to the server's web interface can be restricted, follow this guide to adjust the default TCP port configuration.

== Modifying the TCP Port Configuration ==

TCP port settings are stored in /etc/saneserver.json, which is a JSON file. A syntax error in this file prevents the server daemon from starting, so edit it carefully. The default configuration sets up a TCP listener as follows:

<pre>
{"target": "server", "action": "add-https", "host": "0.0.0.0", "port": "443", "allowMonitor": true},
</pre>

This configuration listens on any IPv4 address on port 443, with "allowMonitor" enabled for web interface access.

== Differentiating Web Interface and Incoming Tunnels ==

Replace the default command with two distinct commands to separate the web interface from incoming tunnel connections:

<pre>
{"target": "server", "action": "add-https", "host": "10.10.0.1", "port": "443", "allowMonitor": true, "allowTunnel": false},
{"target": "server", "action": "add-https", "host": "1.2.3.4", "port": "44343", "allowMonitor": false},
</pre>

The first command configures a listener on a private network IP with web interface access only, and the second sets up a listener for incoming tunnel connections on a custom port, rejecting other requests with HTTP 405 errors.

== Ensuring Configuration Validity and Server Restart ==

Verify the JSON syntax of /etc/saneserver.json before restarting the server. Use `json_pp` for syntax verification.

<pre>
cat /etc/saneserver.json | json_pp
</pre>

Restart the Bondix server with:

<pre>
sudo systemctl restart bondix
</pre>
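As an added example (not from the Bondix wiki or from Bondix itself), this Python check goes one step past the json_pp syntax test: it lists the add-https listeners and flags a web interface bound to a wildcard or non-private address. It assumes the file is one top-level JSON array of command objects like those shown above and that a missing allowMonitor or allowTunnel counts as enabled; audit_listeners and the sample strings are hypothetical names constructed for this example.

```python
import ipaddress
import json

# Constructed samples: the page's default listener and its two-listener split,
# assumed here to be elements of one top-level JSON array.
SAMPLE_DEFAULT = '''[
  {"target": "server", "action": "add-https", "host": "0.0.0.0", "port": "443", "allowMonitor": true}
]'''
SAMPLE_SPLIT = '''[
  {"target": "server", "action": "add-https", "host": "10.10.0.1", "port": "443", "allowMonitor": true, "allowTunnel": false},
  {"target": "server", "action": "add-https", "host": "1.2.3.4", "port": "44343", "allowMonitor": false}
]'''

def audit_listeners(text):
    """Return (listeners, findings) for the add-https commands in a config."""
    try:
        commands = json.loads(text)
    except json.JSONDecodeError as exc:
        return [], [f"syntax error at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    if not isinstance(commands, list):
        return [], ["top level is not a JSON array (assumed layout)"]
    listeners, findings = [], []
    for cmd in commands:
        if not isinstance(cmd, dict) or cmd.get("action") != "add-https":
            continue
        host, port = cmd.get("host", ""), str(cmd.get("port", ""))
        # Assumption: a missing flag counts as enabled, the conservative reading.
        monitor = cmd.get("allowMonitor", True)
        tunnel = cmd.get("allowTunnel", True)
        listeners.append((host, port, monitor, tunnel))
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"{host}:{port}: host is not an IP address")
            continue
        if not port.isdecimal() or not 0 < int(port) < 65536:
            findings.append(f"{host}:{port}: port out of range")
        if monitor and (addr.is_unspecified or not addr.is_private):
            findings.append(f"{host}:{port}: web interface on a wildcard or non-private address")
        if monitor and tunnel:
            findings.append(f"{host}:{port}: web interface and tunnels share one listener")
    return listeners, findings

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("split", SAMPLE_SPLIT)):
        print(name, audit_listeners(text)[1])
```

To check the live file before restarting, pass the contents of /etc/saneserver.json to audit_listeners and restart only when the findings list is empty.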

== Client Configuration for Non-standard Ports ==

Figure: Entering an endpoint server IP using custom TCP port 44343

For a custom port, specify this port in the client's server string, appending the port number after the IP address, separated by a colon.