Server/Changing Ports: Difference between revisions

From Bondix Wiki
(make it more concise)
mNo edit summary
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
By default, Bondix server uses TCP port 443 for both the web interface and incoming tunnel connections. As a quick reminder, Bondix uses both TCP and UDP by default, where TCP is used for control messages and UDP is used for data transfer.
The Bondix server typically uses TCP port 443 for its web interface and to handle incoming tunnel connections, employing TCP for control messages and UDP for data transport. To modify these port settings or segregate them for enhanced security and restricted access to the server's web interface, follow this guide to adjust the default TCP port configuration.


Sometimes, you want to change these ports or keep them separate, usually to limit access to the server webinterface. In this guide, we will change the default TCP port configuration to achieve exactly that.
== Modifying the TCP Port Configuration ==


=== Editing /etc/saneserver.json ===
TCP port settings are located in ''/etc/saneserver.json'', formatted in JSON. Avoid syntax errors in this file to prevent the server daemon from failing to start. The default configuration sets up a TCP listener as follows:
The TCP port configuration is stored in /etc/saneserver.json. The format in this configuration file is JSON, which you should at least be vaguely familiar with. Syntax errors in this file will result in the server daemon not starting, so be careful.


By default, there is a command line that sets up a TCP listener like this:
<pre>
{"target": "server", "action": "add-https", "host": "0.0.0.0", "port": "443", "allowMonitor": true},
{"target": "server", "action": "add-https", "host": "0.0.0.0", "port": "443", "allowMonitor": true},
A "host" value of 0.0.0.0 means that it listens to any IPv4 address that the system has configured, and "port" describing the port it should listen to.
</pre>


We see an additional "allowMonitor" parameter which is set to true, which sets whether or not the webinterface can be reachable (the name is still in use due to backwards compatibility).
This configuration listens on any IPv4 address on port 443, with "allowMonitor" enabled for web interface access.


=== Separating webinterface & incoming tunnels ===
== Differentiating Web Interface and Incoming Tunnels ==
We will replace the previous command with two commands that look like this:


<pre>  
Replace the default command with two distinct commands to separate the web interface from incoming tunnel connections:
{"target": "server", "action": "add-https", "host": "10.10.0.1", "port": "443", "allowMonitor": true, "allowTunnel": false},
 
{"target": "server", "action": "add-https", "host": "1.2.3.4", "port": "44343", "allowMonitor": false},
<pre>
{"target": "server", "action": "add-https", "host": "10.10.0.1", "port": "443", "allowMonitor": true, "allowTunnel": false},
{"target": "server", "action": "add-https", "host": "1.2.3.4", "port": "44343", "allowMonitor": false},
</pre>
</pre>


Now we have created two distinct tcp listener ports. The first port will only listen on 10.10.0.1:443, assuming that this is a private-only network that is not publicly reachable. Notice that we added an additional "allowTunnel" property, which specifies whether this listener is allowed to accept incoming tunnel connection - here it does not make much sense to do so, so we can safely disable this.
The first command configures a listener on a private network IP with web interface access only, and the second sets up a listener for incoming tunnel connections on a custom port, rejecting other requests with HTTP 405 errors.
 
== Ensuring Configuration Validity and Server Restart ==


The second tcp listener is now listening on IP 1.2.3.4, port 44343 (TCP), which is the same as the default UDP port Bondix uses. You can safely use the same port for both TCP and UDP. The IP address used here is only used for examplanatory purposes, you must enter your own interface IP address of the server here that you want the service to listen on. Notice that "allowMonitor" - aka webinterface access - is disabled here. This will result in the port only accepting incoming tunnel connections, and responding with HTTP 405 (Method not allowed) otherwise.
Verify the JSON syntax of ''/etc/saneserver.json'' before restarting the server. Use `json_pp` for syntax verification.  
<pre>
cat /etc/saneserver.json | json_pp
</pre>


=== Validate configuration & restart server ===
Restart the Bondix server with:
Make sure that the changed saneserver.json is still valid json! Especially, all commands should be separated by a comma (","), except for the last command, as the whole configuration set is a JSON list/array.
<pre>
If you have json_pp installed, this is one way to verify the syntax of the file:
sudo systemctl restart bondix
<pre>cat /etc/saneserver.json | json_pp</pre>
</pre>
If successful, this command will print out the contents of the file, or print out an error if there is a syntax error.


Once you made sure that your changes are correct, you must restart the bondix server via:
== Client Configuration for Non-standard Ports ==
<pre>sudo systemctl restart bondix</pre>
===Client Considerations ===
[[File:Bondix Client Custom Port.png|thumb|Entering a endpoint server IP using custom TCP port 44343]]
[[File:Bondix Client Custom Port.png|thumb|Entering a endpoint server IP using custom TCP port 44343]]
When using a non-standard port (anything beside 443), you must explicitly specify the port in the server string on the client. This is done by simply adding the port number at the end of the endpoint string, separated by ":".
 
For a custom port, specify this port in the client's server string, appending the port number after the IP address, separated by a colon.

Latest revision as of 11:22, 2 February 2024

The Bondix server typically uses TCP port 443 for its web interface and to handle incoming tunnel connections, employing TCP for control messages and UDP for data transport. To modify these port settings or segregate them for enhanced security and restricted access to the server's web interface, follow this guide to adjust the default TCP port configuration.

Modifying the TCP Port Configuration

TCP port settings are located in /etc/saneserver.json, formatted in JSON. Avoid syntax errors in this file to prevent the server daemon from failing to start. The default configuration sets up a TCP listener as follows:

{"target": "server", "action": "add-https", "host": "0.0.0.0", "port": "443", "allowMonitor": true},

This configuration listens on any IPv4 address on port 443, with "allowMonitor" enabled for web interface access.

Differentiating Web Interface and Incoming Tunnels

Replace the default command with two distinct commands to separate the web interface from incoming tunnel connections:

{"target": "server", "action": "add-https", "host": "10.10.0.1", "port": "443", "allowMonitor": true, "allowTunnel": false},
{"target": "server", "action": "add-https", "host": "1.2.3.4", "port": "44343", "allowMonitor": false},

The first command configures a listener on a private network IP with web interface access only, and the second sets up a listener for incoming tunnel connections on a custom port, rejecting other requests with HTTP 405 errors.

Ensuring Configuration Validity and Server Restart

Verify the JSON syntax of /etc/saneserver.json before restarting the server. Use `json_pp` for syntax verification.

cat /etc/saneserver.json | json_pp

Restart the Bondix server with:

sudo systemctl restart bondix

Client Configuration for Non-standard Ports

Entering a endpoint server IP using custom TCP port 44343

For a custom port, specify this port in the client's server string, appending the port number after the IP address, separated by a colon.