By default, rathole forwards traffic as it is. Different options can be enabled to secure the traffic. Check out the example.
Normally, a self-signed certificate is used. In this case, the client needs to trust the CA. `trusted_root` is the path to the root CA's certificate PEM file. `hostname` is the hostname that the client uses to validate against the certificate that the server presents.

```toml
[client.transport.tls]
trusted_root = "example/tls/ca-cert.pem"
hostname = "0.0.0.0"
```
A PKCS#12 archive is needed to run the server. It can be created using openssl like:

```sh
openssl pkcs12 -export -out identity.pfx -inkey server-key.pem -in server-cert.pem -certfile ca_chain_certs.pem
```
In one word, the Noise Protocol is a lightweight, easy-to-configure, drop-in replacement for TLS. There is no need to create a self-signed certificate to secure the connection.

rathole comes with a reasonable default configuration for the Noise Protocol. You can take a glimpse at the minimal example to see how it looks.
The default Noise pattern that rathole uses is `Noise_NK_25519_ChaChaPoly_BLAKE2s`, which provides authentication of the server, just like TLS with properly configured certificates. So MITM is no longer a problem.
To use it, an X25519 keypair is needed. Run `rathole --genkey`, which will generate a keypair using the default X25519 algorithm. It emits:

```
$ rathole --genkey
Private Key:
cQ/vwIqNPJZmuM/OikglzBo/+jlYGrOt9i0k5h5vn1Q=
Public Key:
GQYTKSbWLBUSZiGfdWPSgek9yoOuaiwGD/GIX8Z1kkE=
```

(WARNING: Don't use a keypair from the Internet, including this one.)
So the relevant snippets of configuration are:

```toml
# Client Side Configuration
[client.transport]
type = "noise"
[client.transport.noise]
remote_public_key = "GQYTKSbWLBUSZiGfdWPSgek9yoOuaiwGD/GIX8Z1kkE="

# Server Side Configuration
[server.transport]
type = "noise"
[server.transport.noise]
local_private_key = "cQ/vwIqNPJZmuM/OikglzBo/+jlYGrOt9i0k5h5vn1Q="
```
Then rathole will run under the protection of the Noise Protocol.
The default Noise configuration that comes with rathole, described above, satisfies most use cases. But there are other patterns that can be useful.

The following XX configuration provides encryption of the traffic but no authentication of either side, which means it is vulnerable to a MITM attack, but it is resistant to sniffing and replay attacks. If a MITM attack is not one of your concerns, this is more convenient to use, since no keys have to be exchanged beforehand.
```toml
# Server Side Configuration
[server.transport.noise]
pattern = "Noise_XX_25519_ChaChaPoly_BLAKE2s"

# Client Side Configuration
[client.transport.noise]
pattern = "Noise_XX_25519_ChaChaPoly_BLAKE2s"
```
The KK pattern pins both static keys in advance, so each side authenticates the other. Both the client and the server need their own keypair, and each must be configured with the other's public key beforehand:

```toml
# Server Side Configuration
[server.transport.noise]
pattern = "Noise_KK_25519_ChaChaPoly_BLAKE2s"
local_private_key = "server-priv-key-here"
remote_public_key = "client-pub-key-here"

# Client Side Configuration
[client.transport.noise]
pattern = "Noise_KK_25519_ChaChaPoly_BLAKE2s"
local_private_key = "client-priv-key-here"
remote_public_key = "server-pub-key-here"
```
To find out which pattern to use, refer to:
Note that PSKs are not supported currently. Feel free to open an issue if you need them.
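A small pre-deployment check for the Noise transport sections described above, added here as an example and not part of rathole itself: it reads the `[client.transport.noise]` / `[server.transport.noise]` tables, derives which static keys the chosen pattern (NK, KK or XX) needs pinned in advance, verifies that each configured key decodes to 32 raw bytes, and flags XX because it authenticates neither side. The tiny TOML parser, the sample configs and the dummy key are assumptions constructed for this example.

```python
import base64
import re
# Static keys each pattern needs pinned before connecting (N = client knows the
# server key, K = both know each other's key, X = nothing pinned, nothing checked).
REQUIRED_KEYS = {
    "NK": {"client": {"remote_public_key"}, "server": {"local_private_key"}},
    "KK": {"client": {"local_private_key", "remote_public_key"},
           "server": {"local_private_key", "remote_public_key"}},
    "XX": {"client": set(), "server": set()},
}
PATTERN_RE = re.compile(r"Noise_([A-Z]{2})_25519_ChaChaPoly_BLAKE2s")

def parse_toml_subset(text):
    """Tiny `[a.b]` / `key = "value"` parser (hypothetical helper, not rathole's)."""
    cfg, section = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments like "# Client Side"
        if line.startswith("[") and line.endswith("]"):
            section = cfg.setdefault(line[1:-1], {})
        elif "=" in line:
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip().strip('"')
    return cfg

def is_x25519_key(value):
    try:  # rathole keys are the standard base64 encoding of 32 raw bytes
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def check_noise_config(text, side):
    """Return findings for one side ("client" or "server"); empty means OK."""
    noise = parse_toml_subset(text).get(f"{side}.transport.noise", {})
    pattern = noise.get("pattern", "Noise_NK_25519_ChaChaPoly_BLAKE2s")
    m = PATTERN_RE.fullmatch(pattern)
    if not m or m.group(1) not in REQUIRED_KEYS:
        return [f"unsupported pattern {pattern}"]
    findings = []
    for key in sorted(REQUIRED_KEYS[m.group(1)][side]):
        if key not in noise:
            findings.append(f"{m.group(1)} needs {side}.transport.noise.{key}")
        elif not is_x25519_key(noise[key]):
            findings.append(f"{key} is not base64 of a 32-byte X25519 key")
    if m.group(1) == "XX":
        findings.append("warning: XX authenticates neither side, MITM possible")
    return findings

DUMMY_KEY = base64.b64encode(bytes(range(32))).decode()  # constructed dummy key
CLIENT_NK = f'[client.transport.noise]\nremote_public_key = "{DUMMY_KEY}"\n'  # sample
SERVER_KK = '[server.transport.noise]\npattern = "Noise_KK_25519_ChaChaPoly_BLAKE2s"\nlocal_private_key = "not-a-key"\n'
```

Run `check_noise_config(SERVER_KK, "server")` to see both a malformed key and a missing peer key reported for the KK pattern; an empty section falls back to the NK default and reports the key that side still needs.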