Use cases
chisel can be used for a variety of use cases. This page aims to document them all. Feel free to add more to this page. I originally wrote chisel to tunnel my work VPN traffic out of a restrictive HTTP-only network. This first use case covers this:
You are user. You have chisel installed. You want to get to endpoint but you are blocked by a MitM (outbound firewall, HTTP proxy, etc). Only HTTP (port 80) or HTTPS (port 443) traffic is allowed. So you
TODO user with chisel-client -> chisel-server -> endpoint
You have use case 1 above, though you want to disguise your chisel server
TODO user -> chisel-client -> chisel-server -> endpoint/dummy-backend
You have use case 1 above, though instead of a VPN, you want to use SSH. You can do it with a local tunnel and then point ssh at localhost, though it's cleaner with:
TODO stdio remote
You have use case 1, however the server's ports 80 and 443 are already in use by the Apache web server. You can work around this by setting up a virtual host and configuring it as a proxy to the chisel server.
Suppose you already have a domain named test.domain.example whose A record points to the web server's IPv4 address. You can then configure the virtual host file like this (the example was tested on Ubuntu and saved as /etc/apache2/sites-available/test.domain.example.conf):
<VirtualHost *:80>
    # Placeholder address; the original value was obscured on the page
    ServerAdmin webmaster@test.domain.example
    ServerName test.domain.example
    ErrorLog /dev/null
    # Redirect all plain-HTTP requests to HTTPS
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
<VirtualHost *:443>
    ServerName test.domain.example
    SSLEngine on
    SSLCertificateFile /home/myuser/self_sign_cert/server.cert
    SSLCertificateKeyFile /home/myuser/self_sign_cert/server.key
    # Forward everything, including WebSocket upgrades, to the chisel server on port 5000
    ProxyPreserveHost On
    ProxyPass / http://localhost:5000/ upgrade=websocket
    ProxyPassReverse / http://localhost:5000/
    # Error logging is discarded in this vhost
    ErrorLog /dev/null
</VirtualHost>
Since Apache HTTP Server 2.4.47, protocol Upgrade (tunneling) can be better handled by mod_proxy_http. Thus, you don't need to load proxy_wstunnel_module; just make sure to load proxy_http_module and set upgrade=websocket on the ProxyPass directive.
For the TLS certificate, I use a self-signed one created with openssl:
openssl req -newkey rsa:2048 -nodes -x509 -subj '/CN=test.domain.example' -days 3650 -out server.cert -keyout server.key
Since this is a self-signed certificate, you may want to disable TLS verification on the chisel client.
Make sure the apache2 configuration is applied properly, and you're ready to start the chisel server and netcat server:
./chisel_1.10.1_linux_amd64 server -v --port 5000 &
nc -k -v -l 6969
Then test it with the chisel client and netcat:
./chisel_1.10.1_linux_amd64 client -v --tls-skip-verify https://test.domain.example 6969 &
nc -v 0 6969
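
An alternative to disabling verification for the self-signed setup above, as an added example that is not part of the original page or the chisel project: the certificate is generated with a subjectAltName and the client trusts only that file through chisel's --tls-ca option. The helper names make_cert and cert_has_san are hypothetical, and OpenSSL 1.1.1 or newer is assumed for -addext.

```shell
#!/bin/sh
# Added example (not from the chisel wiki): verify the self-signed
# certificate on the client instead of passing --tls-skip-verify.
HOST=test.domain.example   # domain used on this page

# make_cert DIR (hypothetical helper): same openssl command as above plus a
# subjectAltName. chisel is written in Go, whose TLS stack matches host
# names against the SAN only, so a CN-only certificate fails verification
# even when it is trusted. -addext needs OpenSSL 1.1.1 or newer.
make_cert() {
    openssl req -newkey rsa:2048 -nodes -x509 \
        -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
        -days 3650 -out "$1/server.cert" -keyout "$1/server.key" \
        2>/dev/null &&
    chmod 600 "$1/server.key"    # private key stays on the server
}

# cert_has_san FILE (hypothetical helper): succeeds only if the certificate
# lists $HOST as a DNS subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -qF "DNS:$HOST"
}

# Usage on the server:
#   make_cert /home/myuser/self_sign_cert &&
#       cert_has_san /home/myuser/self_sign_cert/server.cert
# Then copy server.cert (never server.key) to the client and trust only it:
#   ./chisel_1.10.1_linux_amd64 client -v --tls-ca server.cert https://test.domain.example 6969
```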