Server/Changing Ports: Difference between revisions

From Bondix Wiki
Revision as of 11:13, 2 February 2024

By default, the Bondix server uses TCP port 443 for both the web interface and incoming tunnel connections. As a quick reminder, Bondix uses both TCP and UDP by default: TCP carries control messages and UDP carries the tunnel data.

Sometimes you want to change these ports or keep them separate, usually to limit access to the server web interface. In this guide, we will change the default TCP port configuration to achieve exactly that.

Editing /etc/saneserver.json

The TCP port configuration is stored in /etc/saneserver.json. The format in this configuration file is JSON, which you should at least be vaguely familiar with. Syntax errors in this file will result in the server daemon not starting, so be careful.

By default, the list contains a command that sets up a TCP listener like this:

{"target": "server", "action": "add-https", "host": "0.0.0.0", "port": "443", "allowMonitor": true},

A "host" value of 0.0.0.0 means that the listener accepts connections on any IPv4 address the system has configured, and "port" specifies the TCP port it listens on.

There is an additional "allowMonitor" parameter, set to true, which controls whether the web interface is reachable on this listener (the name is kept for backwards compatibility).

Separating webinterface & incoming tunnels

We will replace the previous command with two commands that look like this:

{"target": "server", "action": "add-https", "host": "10.10.0.1", "port": "443", "allowMonitor": true, "allowTunnel": false},
{"target": "server", "action": "add-https", "host": "0.0.0.0", "port": "44343", "allowMonitor": false},

Now we have created two distinct TCP listeners. The first one listens only on 10.10.0.1:443, assuming that this is a private network that is not publicly reachable. Notice the additional "allowTunnel" property, which specifies whether this listener may accept incoming tunnel connections; on a listener meant only for the web interface it makes little sense to do so, so we can safely disable it.

The second TCP listener listens on any IP address on port 44343 (TCP), which is the same as the default UDP port Bondix uses. You can safely use the same port number for both TCP and UDP. Notice that "allowMonitor", i.e. web interface access, is disabled on this listener. As a result, the port only accepts incoming tunnel connections and responds with HTTP 405 (Method Not Allowed) to anything else.

Validate configuration & restart server

Make sure that the changed saneserver.json is still valid JSON! In particular, all commands must be separated by a comma (","), except for the last one, because the whole configuration set is a JSON list/array. If you have json_pp installed, this is one way to verify the syntax of the file:

json_pp < /etc/saneserver.json

If successful, this command will print out the contents of the file, or print out an error if there is a syntax error.

Once you made sure that your changes are correct, you must restart the bondix server via:

sudo systemctl restart bondix
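The syntax check above only tells you whether the file parses. As an added example that is not part of this wiki or of the Bondix project, the following script also reviews the add-https listeners for the mistake this guide is meant to prevent: a listener with "allowMonitor" enabled on 0.0.0.0 or another non-private address, plus duplicate host:port bindings and unusable port values. The sample configuration embedded in it is constructed from the two-listener layout shown above; any other commands in a real file are ignored.

```python
import ipaddress
import json

# Constructed sample using the two-listener layout from this guide.
SAMPLE_CONFIG = """[
  {"target": "server", "action": "add-https", "host": "10.10.0.1", "port": "443",
   "allowMonitor": true, "allowTunnel": false},
  {"target": "server", "action": "add-https", "host": "0.0.0.0", "port": "44343",
   "allowMonitor": false}
]"""


def load_listeners(text):
    """Parse saneserver.json and return only the add-https (TCP listener) commands.
    A syntax error raises ValueError carrying the line and column, like json_pp."""
    try:
        commands = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid JSON at line {exc.lineno}, col {exc.colno}: {exc.msg}") from exc
    if not isinstance(commands, list):
        raise ValueError("top-level value must be a JSON list of commands")
    return [c for c in commands if isinstance(c, dict)
            and c.get("target") == "server" and c.get("action") == "add-https"]


def audit_listeners(listeners):
    """Return findings for listeners that expose the web interface beyond a private
    address, carry an unusable port value, or bind the same host:port twice."""
    findings = []
    seen = set()
    for entry in listeners:
        host = entry.get("host", "0.0.0.0")
        port = str(entry.get("port", "443"))
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append(f"invalid port {port!r} for host {host}")
            continue
        if (host, port) in seen:
            findings.append(f"duplicate TCP listener {host}:{port}")
        seen.add((host, port))
        addr = ipaddress.ip_address(host)
        # 0.0.0.0 is the "any address" wildcard, so a monitor-enabled listener there
        # makes the web interface reachable on every interface, public ones included.
        if entry.get("allowMonitor", False) and (addr.is_unspecified or not addr.is_private):
            findings.append(f"web interface reachable on non-private address {host}:{port}")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print("\n".join(audit_listeners(load_listeners(text)) or ["no findings"]))
```

Run it with the path of your saneserver.json as the only argument; with no argument it checks the embedded sample.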

Client Considerations

Entering an endpoint server IP using custom TCP port 44343

When using a non-standard port (anything other than 443), you must explicitly specify the port in the server string on the client. This is done by simply appending the port number to the end of the endpoint string, separated by ":".