I don't want any more domestic servers except for filing. Many internal network services need to be accessed from the external network, so intranet penetration is essential. However, traffic to foreign servers has to pass through an unknown layer, which is inevitably prone to misjudgment, so it also needs to blend into the vast ocean. Previously, I tried to disguise it by wrapping it in QUIC, but for some reason it was always unstable. After searching, I found another intranet penetration tool with fewer features: ProxyNT. ProxyNT is a WebSocket-based reverse proxy server written in Python that can expose local servers to the public network through NAT and firewalls. In principle, the public IP can also be protected by putting a layer of CDN in front of it.
Server
mkdir -p ~/app/proxynt && cd ~/app/proxynt && nano Dockerfile && nano docker-compose.yml
docker build -t limour/proxynt .
nano config.json
sudo docker-compose up -d

FROM python:3.9-alpine
RUN pip install -U proxynt
ENTRYPOINT ["nt_server", "-c", "/opt/config.json"]

version: '3.3'
services:
  proxynt:
    restart: unless-stopped
    volumes:
      - './config.json:/opt/config.json'
      - '/etc/localtime:/etc/localtime:ro'
    image: limour/proxynt

networks:
  default:
    external: true
    name: ngpm

{
  "port": 18888,
  "log_file": "/dev/null",
  "path": "/websocket_path",
  "password": "helloworld",
  "admin": {
    "enable": true,
    "admin_password": "new_password"
  }
}
Client
mkdir -p ~/app/proxynt && cd ~/app/proxynt
pip install -U proxynt -i https://pypi.tuna.tsinghua.edu.cn/simple
whereis nt_client
nano config.json
nt_client -c config.json # Test
nano proxynt.service
sudo mv proxynt.service /etc/systemd/system/proxynt.service
sudo systemctl enable proxynt
sudo systemctl start proxynt
sudo systemctl status proxynt

{
  "server": {
    "url": "wss://limour.top:443/websocket_path",
    "password": "helloworld"
  },
  "client_name": "home_pc",
  "log_file": "/home/limour/app/proxynt/nt.log"
}

[Unit]
Description=proxynt
After=network.target

[Service]
ExecStart=/home/limour/miniconda3/bin/nt_client -c /home/limour/app/proxynt/config.json
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure

[Install]
WantedBy=multi-user.target
- Visit https://limour.top:443/websocket_path/admin
- After seeing the client online, create a new configuration
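
The server and client config.json files above carry sample secrets, and the client URL has to agree with the server's path and password. The check below is an added example, not part of the original post or of ProxyNT; it reads only the keys shown on this page, and the 16-character minimum is an assumption.

```python
import copy
import json
import secrets
from urllib.parse import urlparse

SAMPLE_SECRETS = {"helloworld", "new_password"}  # sample values shown on this page
MIN_LEN = 16  # assumed minimum length for this check, not a ProxyNT requirement

# The two config.json files from this page, embedded inline (client log_file omitted).
SERVER = json.loads('{"port": 18888, "log_file": "/dev/null", "path": "/websocket_path",'
                    ' "password": "helloworld",'
                    ' "admin": {"enable": true, "admin_password": "new_password"}}')
CLIENT = json.loads('{"server": {"url": "wss://limour.top:443/websocket_path",'
                    ' "password": "helloworld"}, "client_name": "home_pc"}')

def weak(secret):
    """True if a secret is missing, a published sample value, or too short."""
    return not secret or secret in SAMPLE_SECRETS or len(secret) < MIN_LEN

def audit(server, client):
    """Return findings for a ProxyNT server/client config pair."""
    findings = []
    admin = server.get("admin", {})
    link = client.get("server", {})
    url = urlparse(link.get("url", ""))
    if weak(server.get("password")):
        findings.append("server: 'password' is weak or a sample value")
    if admin.get("enable") and weak(admin.get("admin_password")):
        findings.append("server: 'admin_password' is weak or a sample value")
    if admin.get("enable") and admin.get("admin_password") == server.get("password"):
        findings.append("server: admin page reuses the tunnel password")
    if url.scheme != "wss":
        findings.append("client: url is not wss://, so the tunnel has no TLS")
    if url.path != server.get("path"):
        findings.append("client: url path does not match server 'path'")
    if link.get("password") != server.get("password"):
        findings.append("client: password does not match the server")
    return findings

def harden(server, client):
    """Return copies of both configs with fresh random secrets."""
    server, client = copy.deepcopy(server), copy.deepcopy(client)
    server["password"] = client["server"]["password"] = secrets.token_urlsafe(32)
    server["admin"]["admin_password"] = secrets.token_urlsafe(32)
    return server, client

if __name__ == "__main__":
    print(audit(SERVER, CLIENT))           # the page's sample values
    print(audit(*harden(SERVER, CLIENT)))  # after replacing the secrets
```
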
Additional WebSSH
Used together with the intranet penetration set up above: when connecting, fill in proxynt for the host. This keeps the internal SSH from being exposed to the public network while still allowing connections over the public network.
mkdir -p ~/app/webssh && cd ~/app/webssh && nano docker-compose.yml
sudo docker-compose up -d

version: '3.3'
services:
  webssh:
    restart: unless-stopped
    environment:
      - GIN_MODE=release
      - savePass=true
    volumes:
      - '/etc/localtime:/etc/localtime:ro'
    image: jrohy/webssh:latest

networks:
  default:
    external: true
    name: ngpm