Server/Changing Ports

From Bondix Wiki
Revision as of 12:11, 2 February 2024 by Red (talk | contribs) (Initial version)

By default, the Bondix server uses TCP port 443 for both the web interface and incoming tunnel connections. As a quick reminder, Bondix uses both TCP and UDP by default: TCP carries the control messages and UDP carries the tunnel data.

Sometimes you want to change these ports or keep them separate, usually to limit access to the server web interface. In this guide, we will change the default TCP port configuration to achieve exactly that.

Editing /etc/saneserver.json

The TCP port configuration is stored in /etc/saneserver.json. The file is in JSON format, which you should be at least vaguely familiar with. A syntax error in this file will prevent the server daemon from starting, so be careful.

By default, the file contains a command entry that sets up a TCP listener like this:

{"target": "server", "action": "add-https", "host": "0.0.0.0", "port": "443", "allowMonitor": true},

A "host" value of 0.0.0.0 means that the listener accepts connections on any IPv4 address the system has configured, and "port" is the port it listens on.

There is an additional "allowMonitor" parameter, here set to true, which controls whether the web interface is reachable on this listener (the name is kept for backwards compatibility).

Separating webinterface & incoming tunnels

We will replace the previous command with two commands that look like this:

{"target": "server", "action": "add-https", "host": "10.10.0.1", "port": "443", "allowMonitor": true, "allowTunnel": false},
{"target": "server", "action": "add-https", "host": "0.0.0.0", "port": "44343", "allowMonitor": false},

Now we have two distinct TCP listeners. The first one listens only on 10.10.0.1:443, assuming that this address belongs to a private network that is not publicly reachable. Notice the additional "allowTunnel" property, which specifies whether this listener may accept incoming tunnel connections; on the management address there is no reason to do so, so we can safely disable it.

The second TCP listener accepts connections on any IP address on port 44343 (TCP), which is the same as the default UDP port Bondix uses; it is safe to use the same port number for both TCP and UDP. Notice that "allowMonitor", i.e. web interface access, is disabled here. As a result, this port only accepts incoming tunnel connections and responds with HTTP 405 (Method Not Allowed) to anything else.

Validate configuration & restart server

Make sure that the changed saneserver.json is still valid JSON! In particular, all commands must be separated by a comma (","), with no comma after the last command, as the whole configuration set is a JSON list/array. If you have json_pp installed, this is one way to verify the syntax of the file:

cat /etc/saneserver.json | json_pp

If the file is valid, this command prints out its contents; otherwise it prints an error pointing at the syntax problem.

Once you have made sure that your changes are correct, you must restart the Bondix server via:

sudo systemctl restart bondix
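The json_pp check above only catches syntax errors; it will happily accept a configuration that exposes the web interface on 0.0.0.0 or a listener with both "allowMonitor" and "allowTunnel" disabled. The following script is an added example (not part of the wiki page or of the Bondix software) that does both checks before the restart: it parses the file the same way the daemon's JSON parser would, then audits every add-https command against the intent of the two-listener setup from the previous section. The sample configurations are constructed inline, and the defaults it assumes for a missing "allowMonitor" (false) and "allowTunnel" (true) are assumptions, since the page does not state them.

```python
import ipaddress
import json

# Constructed sample: the two-listener configuration from the guide.
SAMPLE_CONFIG = """[
  {"target": "server", "action": "add-https", "host": "10.10.0.1", "port": "443", "allowMonitor": true, "allowTunnel": false},
  {"target": "server", "action": "add-https", "host": "0.0.0.0", "port": "44343", "allowMonitor": false}
]"""

# Constructed sample with the classic mistake: a comma after the last command.
BROKEN_CONFIG = """[
  {"target": "server", "action": "add-https", "host": "0.0.0.0", "port": "443", "allowMonitor": true},
]"""


def parse_config(text):
    """Parse saneserver.json text. Returns (commands, None) on success, or
    (None, message) when the text is not a JSON array of commands; this is
    the same failure class the json_pp check in the guide catches."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, f"syntax error at line {exc.lineno}, column {exc.colno}: {exc.msg}"
    if not isinstance(data, list):
        return None, "top-level value must be a JSON array of commands"
    return data, None


def https_listeners(commands):
    """Select the add-https commands, i.e. the TCP listeners."""
    return [c for c in commands
            if isinstance(c, dict)
            and c.get("target") == "server" and c.get("action") == "add-https"]


def audit_listeners(commands):
    """Return a list of findings (strings) about the TCP listeners. An empty
    list means the listeners match the intent of the guide."""
    findings = []
    seen = set()
    for cmd in https_listeners(commands):
        host = cmd.get("host", "0.0.0.0")
        port = str(cmd.get("port", ""))
        # Assumed defaults (not stated on the wiki page): the web interface is
        # off unless allowMonitor is true; tunnels are accepted unless
        # allowTunnel is false, which matches the guide's second listener.
        monitor = bool(cmd.get("allowMonitor", False))
        tunnel = bool(cmd.get("allowTunnel", True))
        label = f"{host}:{port}"

        if not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append(f"{label}: port must be a number between 1 and 65535")
        if label in seen:
            findings.append(f"{label}: duplicate listener, the daemon cannot bind it twice")
        seen.add(label)

        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"{label}: host is not an IP address")
            continue
        # 0.0.0.0 (or ::) binds every interface, so a web interface there is public.
        if monitor and (addr.is_unspecified or not addr.is_private):
            findings.append(f"{label}: web interface reachable on a non-private address")
        if not monitor and not tunnel:
            findings.append(f"{label}: listener accepts neither web interface nor tunnels")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        commands, error = parse_config(text)
        if error:
            print(f"{name}: {error}")
            continue
        problems = audit_listeners(commands)
        print(f"{name}: {len(https_listeners(commands))} TCP listener(s), "
              f"{'no findings' if not problems else problems}")
```

To run it against the real file, replace the constructed samples with `open("/etc/saneserver.json").read()`; a non-empty list of findings is a reason to fix the file before issuing the restart, since the daemon will not start on a syntax error and will silently expose the web interface on a public bind.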