Server/User Management: Difference between revisions

From Bondix Wiki
(add page; work in progress)
 
Line 1: Line 1:
(this is a work in progress article for the upcoming 1.26.01 Bondix release. Content is subject to change.)
(this is a work in progress article for the upcoming 1.26.01 Bondix release. Content is subject to change.)
==Managed User Configuration Documentation==
==Overview==
===Overview===
 
The Managed User system provides a complete user management solution for the BondingServer, including tunnel management, port forwarding, QoS settings, and optional remote synchronization. This system is designed for multi-tenant scenarios where users need to manage their own tunnels through a dedicated web interface.
The Managed User system provides a complete user management solution for the BondingServer, including tunnel management, port forwarding, QoS settings, and optional remote synchronization. This system is designed for multi-tenant scenarios where users need to manage their own tunnels through a dedicated web interface.
===Modes of Operation===
===Modes of Operation===
Line 75: Line 73:
'''Root Fields''':  
'''Root Fields''':  


- <code>version</code>: Configuration version number (uint64, required)  
* <code>version</code>: Configuration version number (uint64, required)
 
* <code>config</code>: Object containing user configurations keyed by username
- <code>config</code>: Object containing user configurations keyed by username


'''Per-User Fields''':  
'''Per-User Fields''':  


- <code>password</code>: SHA256 hash of the user’s password  
* <code>password</code>: SHA256 hash of the user’s password
* <code>tunnels</code>: Array of tunnel configurations
* <code>portForwarding</code>: Array of port forwarding rules  ('''currently not implemented!''')
* <code>qos</code>: QoS configuration object
* Enabling Managed Users


- <code>tunnels</code>: Array of tunnel configurations
'''Action''': <code>enable-user-management</code>


- <code>portForwarding</code>: Array of port forwarding rules  ('''currently not implemented''')
The following command must be added to <code>/etc/bondixserver.json</code>
 
- <code>qos</code>: QoS configuration object
===Enabling Managed Users===
 
'''Action''': <code>enable-user-management</code>


'''Configuration JSON''':
'''Configuration JSON''':
Line 111: Line 107:
'''Settings Object Fields''':  
'''Settings Object Fields''':  


- <code>config</code>: Path to local configuration file (string, required for local mode)  
* <code>config</code>: Path to local configuration file (string, required for local mode)
 
* <code>configEndpoint</code>: Remote sync URL (string, optional)
- <code>configEndpoint</code>: Remote sync URL (string, optional)  
* <code>configAuth</code>: Authentication token for remote endpoints (string, optional)
 
* <code>eventEndpoint</code>: Webhook URL for events (string, optional)
- <code>configAuth</code>: Authentication token for remote endpoints (string, optional)  
* <code>users</code>: Array of initial users (optional, discouraged)
 
- <code>eventEndpoint</code>: Webhook URL for events (string, optional)  
 
- <code>users</code>: Array of initial users (optional, discouraged)


'''SSL/TLS Options''':  
'''SSL/TLS Options''':  


- <code>caDirectory</code>: Directory containing CA certificates  
* <code>caDirectory</code>: Directory containing CA certificates
 
* <code>caFile</code>: Single CA file path
- <code>caFile</code>: Single CA file path
===Remote Mode Configuration===
===Remote Mode Configuration===


Line 141: Line 132:
'''Remote Sync Behavior''':  
'''Remote Sync Behavior''':  


1. '''Initial Fetch''': On startup, fetches configuration from remote endpoint  
# '''Initial Fetch''': On startup, fetches configuration from remote endpoint
 
# '''Periodic Sync''': Every 30 minutes, checks for remote updates
2. '''Periodic Sync''': Every 30 minutes, checks for remote updates  
# '''Change Push''': Every 5 seconds after local changes, syncs to remote
 
# '''Version Control''': Uses version numbers to prevent conflicts
3. '''Change Push''': Every 5 seconds after local changes, syncs to remote  
 
4. '''Version Control''': Uses version numbers to prevent conflicts


'''Event Webhook Events''':  
'''Event Webhook Events''':  


- <code>password_request</code>: Triggered when user requests password reset - Payload includes temporary password for the user
<code>password_request</code>: Triggered when user requests password reset - Payload includes temporary password for the user


'''Remote Endpoint Requirements''':  
'''Remote Endpoint Requirements''':  


- <code>configEndpoint</code> must accept GET for fetch and POST for store  
* <code>configEndpoint</code> must accept GET for fetch and POST for store
* Both endpoints require <code>Authorization</code> header with configured auth token
* Fetch returns 204 if no newer version exists, 200 with config JSON otherwise


- Both endpoints require <code>Authorization</code> header with configured auth token
- Fetch returns 204 if no newer version exists, 200 with config JSON otherwise
===Web Frontend===
===Web Frontend===


Line 168: Line 155:
The frontend provides:  
The frontend provides:  


- User login interface  
* User login interface
 
* Tunnel management dashboard
- Tunnel management dashboard  
* QoS settings management
 
* Password change functionality
- Port forwarding configuration


- QoS settings management
TODO: Port forwarding configuration to be implemented.


- Password change functionality
===API Endpoints===
===API Endpoints===


Line 198: Line 183:
  }
  }


 
<br />// Response (401 Unauthorized)
// Response (401 Unauthorized)
{"allowReset": true}  // If eventEndpoint configured
 
{"allowReset": true}  // If eventEndpoint configured




Line 210: Line 193:
  }
  }


 
<br />// Response: 204 No Content (if user exists and eventEndpoint configured)
// Response: 204 No Content (if user exists and eventEndpoint configured)


====Configuration Endpoints====
====Configuration Endpoints====
Line 223: Line 205:
  }
  }


 
'''POST <code>/api/config</code>'''
'''POST <code>/api/config</code>'''  
 
<syntaxhighlight lang="json">// Request - Update any combination of tunnels, port forwarding, or QoS
{
  // Request
  // Request
  {
  {
Line 244: Line 222:
     "qos": [...]
     "qos": [...]
  }
  }
  // Response
  // Response
  {
  {
Line 259: Line 238:
  }
  }


// Response
{"result": "ok"}


// Response
{"result": "ok"}
====Tunnel Management Endpoints====
====Tunnel Management Endpoints====


'''GET <code>/api/status</code>'''
'''GET <code>/api/status</code>'''
<syntaxhighlight lang="json">// Response
{
  // Response
  // Response
  {
  {
Line 311: Line 286:
     ]
     ]
  }
  }


'''POST <code>/api/restart</code>'''
'''POST <code>/api/restart</code>'''
Line 319: Line 293:
  }
  }


// Response
{"result": "ok"}


// Response
===Universal Authentication Token===
 
{"result": "ok"}
 
-----
 
<span id="universal-authentication-token"></span>
===7. Universal Authentication Token===


For third-party frontend integration or administrative operations, a universal auth token can be used to impersonate any user.
For third-party frontend integration or administrative operations, a universal auth token can be used to impersonate any user.
Line 333: Line 302:
'''Authentication Method''':  
'''Authentication Method''':  


1. Set Authorization header to the configured <code>configAuth</code> token  
# Set Authorization header to the configured <code>configAuth</code> token
 
# Set <code>X-Username</code> header to the target user’s email
2. Set <code>X-Username</code> header to the target user’s email


'''Example Request''':
'''Example Request''':
Line 356: Line 324:
'''Fields''':  
'''Fields''':  


- <code>name</code>: Unique tunnel identifier (string, required)  
* <code>name</code>: Unique tunnel identifier (string, required)
 
* <code>enabled</code>: Enable/disable tunnel (boolean, default: true)
- <code>enabled</code>: Enable/disable tunnel (boolean, default: true)  
* <code>password</code>: Tunnel password (string, required)
 
* <code>mtu</code>: MTU value between 1100-1500 (uint16, default: 1500)
- <code>password</code>: Tunnel password (string, required)  
* <code>qos</code>: QoS mode selection (string, default: “default”) - <code>&quot;default&quot;</code>: Use client QoS settings - <code>&quot;custom&quot;</code>: Use custom QoS configuration
* Other values: Use named QoS preset


- <code>mtu</code>: MTU value between 1100-1500 (uint16, default: 1500)
- <code>qos</code>: QoS mode selection (string, default: “default”) - <code>&quot;default&quot;</code>: Use client QoS settings - <code>&quot;custom&quot;</code>: Use custom QoS configuration
- Other values: Use named QoS preset
===Port Forwarding Configuration===
===Port Forwarding Configuration===
TODO: currently not implemented
TODO: currently not implemented
Line 379: Line 343:
'''Fields''':  
'''Fields''':  


- <code>enabled</code>: Enable/disable this port forward (boolean)  
* <code>enabled</code>: Enable/disable this port forward (boolean)
 
* <code>tunnel</code>: Associated tunnel name (string)
- <code>tunnel</code>: Associated tunnel name (string)  
* <code>publicPort</code>: External port number (uint16)
 
* <code>targetIp</code>: Internal target IP address (string)
- <code>publicPort</code>: External port number (uint16)  
* <code>targetPort</code>: Internal target port (uint16)
 
* <code>description</code>: Note/description (string, max 1024 chars)
- <code>targetIp</code>: Internal target IP address (string)  
 
- <code>targetPort</code>: Internal target port (uint16)  
 
- <code>description</code>: Note/description (string, max 1024 chars)
===QoS Configuration===
===QoS Configuration===
{
TODO
    "classes": [
        {
            "name": "class_name",
            "priority": 1,
            "bandwidth": 1000,
            "rules": [...]
        }
    ]
}
 
 
'''Fields''':
 
- <code>classes</code>: Array of QoS classes
 
- <code>name</code>: Class identifier (string)
 
- <code>priority</code>: Priority level (uint16)
 
- <code>bandwidth</code>: Bandwidth allocation (uint16)
 
- <code>rules</code>: Traffic classification rules
===Complete Example===
===Complete Example===


Line 436: Line 373:
     "caFile": "/etc/ssl/certs/root-ca.pem"
     "caFile": "/etc/ssl/certs/root-ca.pem"
  }
  }
'''Initial Config File''' (<code>/var/lib/bonding/managed-users.json</code>):
'''Initial Config File''' (<code>/etc/bondix/managed-users.json</code>):
  {
  {
     "version": 1,
     "version": 1,
Line 462: Line 399:
'''Common Error Responses''':  
'''Common Error Responses''':  


- <code>{&quot;result&quot;: &quot;error&quot;, &quot;error&quot;: &quot;already enabled&quot;}</code> - Managed users already active  
* <code>{&quot;result&quot;: &quot;error&quot;, &quot;error&quot;: &quot;already enabled&quot;}</code> - Managed users already active
 
* <code>401 Unauthorized</code> - Invalid or missing authentication
- <code>401 Unauthorized</code> - Invalid or missing authentication  
* <code>403 Forbidden</code> - Invalid current password for change
 
* <code>500 Internal Server Error</code> - Server-side errors
- <code>403 Forbidden</code> - Invalid current password for change  
 
- <code>500 Internal Server Error</code> - Server-side errors


'''Version Conflicts''':  
'''Version Conflicts''':  
Line 474: Line 408:
When remote mode is enabled and version conflicts occur:  
When remote mode is enabled and version conflicts occur:  


- Local changes with higher version take precedence  
* Local changes with higher version take precedence
* Remote changes with higher version are applied
* Synchronization retries automatically


- Remote changes with higher version are applied
- Synchronization retries automatically
===Password Management Details===
===Password Management Details===


'''Password Storage''':  
'''Password Storage''':  


- Passwords stored as SHA256 hashes (OpenSSL 1.x/3.x compatible)  
Passwords stored as SHA256 hashes (OpenSSL 1.x/3.x compatible), no plaintext password storage.
 
- No plaintext password storage


'''Password Reset Flow''':  
'''Password Reset Flow''':  


1. User POSTs to <code>/api/forgot-password</code> with email  
# User POSTs to <code>/api/forgot-password</code> with email
 
# Server generates 16-character temporary password
2. Server generates 16-character temporary password  
# Event sent to <code>eventEndpoint</code> with <code>eventType: &quot;password_request&quot;</code>
 
# Temporary password valid for 30 minutes
3. Event sent to <code>eventEndpoint</code> with <code>eventType: &quot;password_request&quot;</code>  
# Rate-limited to 15 minutes between requests
 
4. Temporary password valid for 30 minutes  
 
5. Rate-limited to 15 minutes between requests


'''Password Change''':  
'''Password Change''':  


- Requires current password verification  
* Requires current password verification
 
* New password hashed and stored
- New password hashed and stored  
* Temporary password cleared on successful change


- Temporary password cleared on successful change
===Synchronization Timing===
===Synchronization Timing===


'''Local Mode''':  
'''Local Mode''':  


- Changes saved immediately to config file  
* Changes saved immediately to config file
 
* No periodic sync required
- No periodic sync required


'''Remote Mode''':  
'''Remote Mode''':  


- Initial fetch on handler startup  
* Initial fetch on handler startup
 
* Store sync: Every 5 seconds after changes
- Store sync: Every 5 seconds after changes  
* Fetch sync: Every 30 minutes if no pending changes
 
* Automatic retry on failure__NOINDEX__
- Fetch sync: Every 30 minutes if no pending changes  
 
- Automatic retry on failure
 
__NOINDEX__

Revision as of 14:51, 22 January 2026

(this is a work in progress article for the upcoming 1.26.01 Bondix release. Content is subject to change.)

Overview

The Managed User system provides a complete user management solution for the BondingServer, including tunnel management, port forwarding, QoS settings, and optional remote synchronization. This system is designed for multi-tenant scenarios where users need to manage their own tunnels through a dedicated web interface.

Modes of Operation

The system operates in two modes:

Local Mode (Default)

  • Configuration stored in a local JSON file
  • No remote synchronization
  • Ideal for single-server deployments
  • All configuration changes saved locally

Remote Mode

  • Configuration synchronized with a remote server
  • Periodic sync every 30 minutes
  • Changes pushed to remote server automatically
  • Events sent to webhook endpoint
  • Ideal for distributed/multi-server deployments

Local Configuration File Layout

While users can be stored in the main server configuration, it’s discouraged. Using a separate configuration file offers greater flexibility and cleaner separation.

Recommended file: /path/to/managed-users.json

Structure: 

{
   "version": 1,
   "config": {
       "user@example.com": {
           "password": "sha256_hash",
           "tunnels": [
               {
                   "config": {
                       "name": "office-tunnel",
                       "enabled": true,
                       "password": "tunnel_password",
                       "mtu": 1500,
                       "qos": "default"
                   }
               }
           ],
           "portForwarding": [],
           "qos": []
       },
       "admin@example.com": {
           "password": "sha256_hash",
           "tunnels": [
               {
                   "config": {
                       "name": "main-tunnel",
                       "enabled": true,
                       "password": "secure_pass",
                       "mtu": 1400,
                       "qos": "custom"
                   }
               }
           ],
           "portForwarding": [],
           "qos": {
               "classes": [
                   {
                       "name": "high-priority",
                       "priority": 1,
                       "bandwidth": 1000,
                       "rules": []
                   }
               ]
           }
       }
   }
}

Root Fields:

  • version: Configuration version number (uint64, required)
  • config: Object containing user configurations keyed by username

Per-User Fields:

  • password: SHA256 hash of the user’s password
  • tunnels: Array of tunnel configurations
  • portForwarding: Array of port forwarding rules (currently not implemented!)
  • qos: QoS configuration object
  • Enabling Managed Users

Action: enable-user-management

The following command must be added to /etc/bondixserver.json

Configuration JSON: 

{
   "target": "server",
   "action": "enable-user-management",
   "settings": {
       "config": "/path/to/managed-users.json"
   },
   "caFile": "/etc/ssl/certs/root-ca.pem"
}

{
   "target": "server",
   "action": "enable-user-management",
   "settings": {
       "config": "/var/lib/bonding/managed-users.json"
   }
}

Settings Object Fields:

  • config: Path to local configuration file (string, required for local mode)
  • configEndpoint: Remote sync URL (string, optional)
  • configAuth: Authentication token for remote endpoints (string, optional)
  • eventEndpoint: Webhook URL for events (string, optional)
  • users: Array of initial users (optional, discouraged)

SSL/TLS Options:

  • caDirectory: Directory containing CA certificates
  • caFile: Single CA file path

Remote Mode Configuration

When configEndpoint is specified, the system operates in remote mode: 

{
   "target": "server",
   "action": "enable-user-management",
   "settings": {
       "config": "/var/lib/bonding/managed-users.json",
       "configEndpoint": "https://management.example.com/api/config",
       "configAuth": "Bearer universal_auth_token",
       "eventEndpoint": "https://management.example.com/api/events"
   }
}

Remote Sync Behavior:

  1. Initial Fetch: On startup, fetches configuration from remote endpoint
  2. Periodic Sync: Every 30 minutes, checks for remote updates
  3. Change Push: Every 5 seconds after local changes, syncs to remote
  4. Version Control: Uses version numbers to prevent conflicts

Event Webhook Events:

password_request: Triggered when user requests password reset - Payload includes temporary password for the user

Remote Endpoint Requirements:

  • configEndpoint must accept GET for fetch and POST for store
  • Both endpoints require Authorization header with configured auth token
  • Fetch returns 204 if no newer version exists, 200 with config JSON otherwise

Web Frontend

Frontend Location: /user

Automatic Redirect: When user management is enabled, the server automatically redirects requests from / to /user. Use /admin for full access.

The frontend provides:

  • User login interface
  • Tunnel management dashboard
  • QoS settings management
  • Password change functionality

TODO: Port forwarding configuration to be implemented.

API Endpoints

All endpoints require authentication via Bearer token or universal auth token.

Authentication Endpoints

POST /api/login 

// Request
{
   "username": "user@example.com",
   "password": "password"
}

// Response (200 OK)
{
   "token": "session_token",
   "user": {
       "email": "user@example.com",
       "name": "User"
   }
}


// Response (401 Unauthorized)
{"allowReset": true}  // If eventEndpoint configured


POST /api/forgot-password 

// Request
{
   "email": "user@example.com"
}


// Response: 204 No Content (if user exists and eventEndpoint configured)

Configuration Endpoints

GET /api/config 

// Response
{
   "tunnels": [...],
   "portForwarding": [...],
   "qos": [...]
}

POST /api/config 

// Request
{
   "tunnels": [
       {
           "config": {
               "name": "tunnel_name",
               "enabled": true,
               "password": "new_password",
               "mtu": 1500,
               "qos": "default"
           }
       }
   ],
   "portForwarding": [...],
   "qos": [...]
}

// Response
{
   "tunnels": [...],
   "portForwarding": [...],
   "qos": [...]
}

Important: This endpoint is the primary method for updating any configuration. When remote mode is enabled, calling this endpoint triggers the synchronization methods automatically.

POST /api/change-password 

// Request
{
   "currentPassword": "old_password",
   "newPassword": "new_password"
}

// Response
{"result": "ok"}

Tunnel Management Endpoints

GET /api/status 

// Response
{
   "tunnel": [
       {
           "name": "tunnel_name",
           "status": "connected|disconnected|disabled",
           "uptime": 12345,
           "clientIp": "10.0.0.1/24",
           "gatewayIp": "10.0.0.254",
           "channelConnected": 2,
           "currentIncoming": 1024,
           "currentOutgoing": 2048,
           "activeProxyConnections": 1,
           "qosName": "default",
           "totalIncoming": 1024000,
           "totalOutgoing": 2048000,
           "environment": "env_name",
           "connectedChannels": 2,
           "channels": [
               {
                   "status": "connected",
                   "enabled": true,
                   "name": "channel_name",
                   "interface": "eth0",
                   "address": "10.0.0.1",
                   "uptime": 3600,
                   "lastError": "",
                   "totalOutgoing": 512000,
                   "totalIncoming": 1024000,
                   "connectionAttempts": 1,
                   "connectionType": "TCP",
                   "stats": {
                       "currentLatency": 15,
                       "idleLatency": 10,
                       "inTransit": 1024,
                       "packetloss": 0.1
                   }
               }
           ]
       }
   ]
}

POST /api/restart 

// Request
{
   "tunnel": "tunnel_name"
}

// Response
{"result": "ok"}

Universal Authentication Token

For third-party frontend integration or administrative operations, a universal auth token can be used to impersonate any user.

Authentication Method:

  1. Set Authorization header to the configured configAuth token
  2. Set X-Username header to the target user’s email

Example Request:

TODO: add request

....

Security Note: The universal auth token should be kept secure and only used for trusted applications.

Tunnel Configuration Structure

{
   "config": {
       "name": "tunnel_name",
       "enabled": true,
       "password": "tunnel_password",
       "mtu": 1500,
       "qos": "default|custom|<preset_name>"
   }
}

Fields:

  • name: Unique tunnel identifier (string, required)
  • enabled: Enable/disable tunnel (boolean, default: true)
  • password: Tunnel password (string, required)
  • mtu: MTU value between 1100-1500 (uint16, default: 1500)
  • qos: QoS mode selection (string, default: “default”) - "default": Use client QoS settings - "custom": Use custom QoS configuration
  • Other values: Use named QoS preset

Port Forwarding Configuration

TODO: currently not implemented 

{
   "enabled": true,
   "tunnel": "tunnel_name",
   "publicPort": 8080,
   "targetIp": "192.168.1.100",
   "targetPort": 80,
   "description": "Web server forward"
}

Fields:

  • enabled: Enable/disable this port forward (boolean)
  • tunnel: Associated tunnel name (string)
  • publicPort: External port number (uint16)
  • targetIp: Internal target IP address (string)
  • targetPort: Internal target port (uint16)
  • description: Note/description (string, max 1024 chars)

QoS Configuration

TODO

Complete Example

Enable Managed Users (Local Mode): 

{
   "target": "server",
   "action": "enable-user-management",
   "settings": {
       "config": "/var/lib/bonding/managed-users.json"
   }
}

Remote Mode with Events: 

{
   "target": "server",
   "action": "enable-user-management",
   "settings": {
       "config": "/var/lib/bonding/managed-users.json",
       "configEndpoint": "https://management.example.com/api/config",
       "configAuth": "Bearer abc123universal456",
       "eventEndpoint": "https://management.example.com/api/events"
   },
   "caFile": "/etc/ssl/certs/root-ca.pem"
}

Initial Config File (/etc/bondix/managed-users.json): 

{
   "version": 1,
   "config": {
       "admin@example.com": {
           "password": "5e884898da1904719...",
           "tunnels": [
               {
                   "config": {
                       "name": "office-tunnel",
                       "enabled": true,
                       "password": "secure123",
                       "mtu": 1500,
                       "qos": "default"
                   }
               }
           ],
           "portForwarding": [],
           "qos": []
       }
   }
}

Error Handling

Common Error Responses:

  • {"result": "error", "error": "already enabled"} - Managed users already active
  • 401 Unauthorized - Invalid or missing authentication
  • 403 Forbidden - Invalid current password for change
  • 500 Internal Server Error - Server-side errors

Version Conflicts:

When remote mode is enabled and version conflicts occur:

  • Local changes with higher version take precedence
  • Remote changes with higher version are applied
  • Synchronization retries automatically

Password Management Details

Password Storage:

Passwords stored as SHA256 hashes (OpenSSL 1.x/3.x compatible), no plaintext password storage.

Password Reset Flow:

  1. User POSTs to /api/forgot-password with email
  2. Server generates 16-character temporary password
  3. Event sent to eventEndpoint with eventType: "password_request"
  4. Temporary password valid for 30 minutes
  5. Rate-limited to 15 minutes between requests

Password Change:

  • Requires current password verification
  • New password hashed and stored
  • Temporary password cleared on successful change

Synchronization Timing

Local Mode:

  • Changes saved immediately to config file
  • No periodic sync required

Remote Mode:

  • Initial fetch on handler startup
  • Store sync: Every 5 seconds after changes
  • Fetch sync: Every 30 minutes if no pending changes
  • Automatic retry on failure
Retrieved from "https://wiki.bondix.dev/index.php?title=Server/User_Management&oldid=935"