Merged
35 commits
a64df5e
Set ServerName (SNI) to *hostname. Useful for spoofing our way throug…
Aug 26, 2022
fdc1e10
Bump actions/checkout from 2 to 3.1.0
dependabot[bot] Oct 5, 2022
2b90de6
Added --sni switch to control the ServerName when connecting with TLS…
Oct 11, 2022
57ddad6
feat: dependabot workflow automation for updating dependency
Rajpratik71 Oct 27, 2022
d79bebe
Merge pull request #385 from Rajpratik71/Rajpratik71-patch-1
jpillora Oct 31, 2022
e814c44
Merge pull request #376 from ip-rw/master
jpillora Oct 31, 2022
4cd7b36
Merge pull request #381 from jpillora/dependabot/github_actions/actio…
jpillora Oct 31, 2022
dd19bc6
Bump github.com/fsnotify/fsnotify from 1.4.9 to 1.6.0 (#389)
dependabot[bot] Oct 31, 2022
230f714
UDP buffer size override with CHISEL_UDP_MAX_SIZE environment variabl…
fsiegmund Oct 31, 2022
3e703ae
Add locking around the connection count to fix a data race. (#342)
andres-portainer Oct 31, 2022
28a5018
fix: small typo error in main.go (#334)
0xflotus Oct 31, 2022
ed6adb9
Respond to /health and /version by request path rather than by the wh…
BigSully Oct 31, 2022
4f58a39
Update version.go (#288)
c-f Oct 31, 2022
200a8e2
Providing chisel's client with a logger level (#281)
zuzgon Oct 31, 2022
556db3e
add EnvBool
jpillora Oct 31, 2022
fbc8ad9
Fix #390: Use code to generate certificates for client & server (#400)
GuillaumeSmaha Jan 27, 2023
4246b64
docker alpine->google-distroless
jpillora Jan 27, 2023
e546a6d
docker to use scratch
jpillora Jan 27, 2023
e78ccc3
Fix missing NetDialContext: c.config.DialContext (#398)
GuillaumeSmaha Jan 27, 2023
feb571f
actions: setup go v3
jpillora Jan 27, 2023
5ad1141
switch to scratch image
jpillora Jan 27, 2023
3bdf6af
update dependabot
jpillora Jan 27, 2023
ce307e5
move chisel to flyio
jpillora Jan 28, 2023
69093be
Bump to Go 1.21 (#440)
jpillora Aug 19, 2023
4eb9e6a
add arm v5 builds (#395)
maurerr Aug 20, 2023
dca1156
chore: remove refs to deprecated io/ioutil (#459)
testwill Oct 19, 2023
b75390b
Bump golang.org/x/crypto from 0.12.0 to 0.16.0 (#473)
dependabot[bot] Dec 1, 2023
2efe855
Bump golang.org/x/sync from 0.3.0 to 0.5.0 (#472)
dependabot[bot] Dec 1, 2023
3de1774
Bump actions/setup-go from 3 to 5 (#484)
dependabot[bot] Jan 1, 2024
59e5362
Bump to Go 1.22. Add `.rpm` `.deb` and `.akp` to releases. Fix bad ve…
jpillora Aug 5, 2024
3208da3
fix chisel version in docker image (closes #228)
jpillora Sep 28, 2024
ab8f06a
always test with latest stable
jpillora Sep 28, 2024
f6fcf7d
Merge branch 'master' of https://github.com/jpillora/chisel into jpil…
lverrall Apr 9, 2025
92d33ff
SLB mods and garble releaser
lverrall Apr 9, 2025
20dc83a
Use latest garble
lverrall Apr 9, 2025
16 changes: 16 additions & 0 deletions .github/Dockerfile
@@ -0,0 +1,16 @@
# build stage
FROM golang:alpine AS build
RUN apk update && apk add git
ADD . /src
WORKDIR /src
ENV CGO_ENABLED=0
RUN go build \
-ldflags "-X github.com/jpillora/chisel/share.BuildVersion=$(git describe --abbrev=0 --tags)" \
-o /tmp/bin
# run stage
FROM scratch
LABEL maintainer="[email protected]"
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
WORKDIR /app
COPY --from=build /tmp/bin /app/bin
ENTRYPOINT ["/app/bin"]
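Review bot: the build stage pulls `golang:alpine` by floating tag, so the toolchain that produces the release image is whatever Docker Hub serves that day rather than the Go version the CI matrix tested; pin a specific version (and ideally a digest) that matches `go-version` in ci.yml. Three smaller points in the same file: `ADD . /src` should be `COPY . /src` (ADD adds URL fetching and tar auto-extraction that are not wanted here); `FROM scratch` has no `/etc/passwd`, so the binary runs as UID 0 unless a numeric `USER` (e.g. `USER 65534:65534`) is set, and chisel does not need root to bind 8080 inside a container; and `$(git describe --abbrev=0 --tags)` silently expands to an empty string when the checkout carries no tags, leaving `BuildVersion` blank without failing the build, so it is worth checking the value is non-empty in the `RUN` step.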
8 changes: 7 additions & 1 deletion .github/dependabot.yml
@@ -4,4 +4,10 @@ updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
interval: "monthly"

# Dependencies listed in go.mod
- package-ecosystem: "gomod"
directory: "/" # Location of package manifests
schedule:
interval: "monthly"
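Review bot: moving `github-actions` from `daily` to `monthly` and adding `gomod` at `monthly` means a published fix for a vulnerable Go dependency or action can sit unnoticed for up to a month. Dependabot security updates are controlled by the repository's security-alert setting rather than by this schedule, so enable that if the intent is to raise fixes promptly; otherwise `weekly` is a better trade-off for a tunnelling tool that links `golang.org/x/crypto`.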
7 changes: 0 additions & 7 deletions .github/gocompare.sh

This file was deleted.

30 changes: 27 additions & 3 deletions .github/goreleaser.yml
@@ -1,6 +1,6 @@
# test this goreleaser config with:
# - cd chisel
# - goreleaser --skip-publish --rm-dist --config .github/goreleaser.yml
# test this file with
# goreleaser release --config goreleaser.yml --clean --snapshot
version: 2
builds:
- id: chisel
binary: chisel
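Review bot: the new test command `goreleaser release --config goreleaser.yml --clean --snapshot` only works when run from inside `.github/`; the file lives at `.github/goreleaser.yml` and the old comment gave the path from the repository root, which is where CI invokes it. Suggest `goreleaser release --config .github/goreleaser.yml --clean --snapshot`.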
@@ -13,8 +13,25 @@ builds:
goos:
- linux
- windows
- openbsd
goarch:
- amd64
- arm
- arm64
- ppc64
- ppc64le
- mips
- mipsle
- mips64
- mips64le
- s390x
goarm:
- 5
- 6
- 7
gomips:
- hardfloat
- softfloat
- id: chisel-garble
binary: chisel-garble
goos:
@@ -24,6 +41,12 @@ builds:
ldflags:
- ""
gobinary: "garble-literals"
nfpms:
- maintainer: "https://github.com/{{ .Env.GITHUB_USER }}"
formats:
- deb
- rpm
- apk
archives:
- id: chisel
builds: [chisel]
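Review bot: `ldflags: [""]` clears goreleaser's default ldflags for the `chisel-garble` build, so any `-X github.com/jpillora/chisel/share.BuildVersion=...` the `chisel` build passes is absent from the garbled binary and its reported version will not match the release tag; pass the same `-X` flag here (garble forwards `-ldflags` to `go build`). Separately, `{{ .Env.GITHUB_USER }}` in the nfpm `maintainer` is not a default Actions variable (`GITHUB_ACTOR` is), so the release job must export it or goreleaser will fail the template on the missing key.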
@@ -38,6 +61,7 @@ archives:
files:
- none*
release:
draft: true
prerelease: auto
changelog:
sort: asc
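Review bot: `draft: true` keeps the GitHub release and its binaries unpublished until someone clicks publish, but the `release_docker` job in ci.yml pushes the `jpillora/chisel` semver tags to Docker Hub as soon as the `v*` tag lands, so the image for a version can be public before its release notes and checksums are. Either drop the draft or gate the Docker push on the release being published.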
81 changes: 64 additions & 17 deletions .github/workflows/ci.yml
@@ -1,35 +1,41 @@
on: [push, pull_request]
name: CI
on:
pull_request: {}
push: {}
permissions: write-all
jobs:
# ================
# TEST JOB
# runs on every push and PR
# runs 2x3 times (see matrix)
# BUILD AND TEST JOB
# ================
test:
name: Test
name: Build & Test
strategy:
matrix:
go-version: [1.19.x]
platform: [ubuntu-latest, windows-latest]
# optionally test/build across multiple platforms/Go-versions
go-version: ["stable"] # '1.16', '1.17', '1.18,
platform: [ubuntu-latest, macos-latest, windows-latest]
runs-on: ${{ matrix.platform }}
steps:
- name: Install Go
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: ${{ matrix.go-version }}
- name: Checkout code
uses: actions/checkout@v3
check-latest: true
- name: Install garble
run: go install -v mvdan.cc/garble@v0.7.2
run: go install -v mvdan.cc/garble@latest
- name: Build
run: garble -literals -tiny build -v ${{ github.workspace }}
- name: Test
run: go test -v ./...
env:
GODEBUG: x509ignoreCN=0

goreleaser:
# ================
# RELEASE BINARIES (on push "v*" tag)
# ================
release_binaries:
name: Release Binaries
needs: test
if: startsWith(github.ref, 'refs/tags/v')
runs-on: ubuntu-latest
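Review bot: `permissions: write-all` at workflow level grants every job, including the `pull_request`-triggered test matrix, write access to contents, packages and the rest; set `permissions: contents: read` at the top and raise `contents: write` only on `release_binaries` (plus whatever `release_docker` needs). In the same hunk, `go install -v mvdan.cc/garble@latest` replaces the pinned `v0.7.2` with a floating version of a tool that rewrites the build output; pin it to a tag so a new or compromised garble release cannot change what is built without a reviewed commit. Minor: the `go-version` comment `'1.16', '1.17', '1.18,` has an unclosed quote.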
@@ -43,11 +49,11 @@ jobs:
name: Set up Go
uses: actions/setup-go@v3
with:
go-version: 1.19
go-version: latest
-
name: Install garble
run: |
go install mvdan.cc/garble@v0.7.2
go install mvdan.cc/garble@latest
sudo cp garble-literals.sh /usr/bin/garble-literals
sudo chmod +x /usr/bin/garble-literals
-
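Review bot: `go-version: latest` here versus `"stable"` in the test job: actions/setup-go documents `stable` and `oldstable` as the aliases, so use `stable` in both places to avoid building release binaries with a toolchain the tests did not run on. The `go install mvdan.cc/garble@latest` in this hunk is the one that matters for supply-chain purposes, since the `garble-literals` wrapper it feeds is the `gobinary` goreleaser invokes for release builds; pin it to a version.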
@@ -62,3 +68,44 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Your GoReleaser Pro key, if you are using the 'goreleaser-pro' distribution
# GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}

# ================
# RELEASE DOCKER IMAGES (on push "v*" tag)
# ================
release_docker:
name: Release Docker Images
needs: test
if: startsWith(github.ref, 'refs/tags/v')
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Login to DockerHub
uses: docker/login-action@v2
with:
username: jpillora
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Docker meta
id: meta
uses: docker/metadata-action@v4
with:
images: jpillora/chisel
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
- name: Build and push
uses: docker/build-push-action@v3
with:
context: .
file: .github/Dockerfile
platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/386,linux/arm/v7,linux/arm/v6
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
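Review bot: every action in this job is referenced by a mutable major tag (`docker/login-action@v2`, `docker/build-push-action@v3`, `docker/metadata-action@v4`, ...) while the job holds `DOCKERHUB_TOKEN` under the workflow-wide `write-all` permissions; pin release-job actions to full commit SHAs. Also, `needs: test` only guarantees the tests passed: the image is built from `.github/Dockerfile` with an unpinned `golang:alpine`, not with the Go version the test matrix used, so the shipped binary is not the tested one.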
17 changes: 0 additions & 17 deletions Dockerfile

This file was deleted.

2 changes: 1 addition & 1 deletion LICENSE
@@ -1,6 +1,6 @@
MIT License

Copyright (c) 2020 Jaime Pillora <[email protected]>
Copyright (c) 2024 Jaime Pillora <[email protected]>

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
59 changes: 40 additions & 19 deletions README.md
@@ -119,12 +119,23 @@ $ chisel server --help
--port, -p, Defines the HTTP listening port (defaults to the environment
variable PORT and fallsback to port 8080).

--key, An optional string to seed the generation of a ECDSA public
--key, (deprecated use --keygen and --keyfile instead)
An optional string to seed the generation of a ECDSA public
and private key pair. All communications will be secured using this
key pair. Share the subsequent fingerprint with clients to enable detection
of man-in-the-middle attacks (defaults to the CHISEL_KEY environment
variable, otherwise a new key is generate each run).

--keygen, A path to write a newly generated PEM-encoded SSH private key file.
If users depend on your --key fingerprint, you may also include your --key to
output your existing key. Use - (dash) to output the generated key to stdout.

--keyfile, An optional path to a PEM-encoded SSH private key. When
this flag is set, the --key option is ignored, and the provided private key
is used to secure all communications. (defaults to the CHISEL_KEY_FILE
environment variable). Since ECDSA keys are short, you may also set keyfile
to an inline base64 private key (e.g. chisel server --keygen - | base64).

--authfile, An optional path to a users.json file. This file should
be an object with users defined like:
{
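Review bot: the `--keyfile` text invites passing the private key inline as a base64 string; it should warn that a key on the command line is visible to every local user via `ps` and `/proc/*/cmdline` and lands in shell history, so a file path with restrictive permissions or `CHISEL_KEY_FILE` is the safer form. Pre-existing typos in the surrounding lines could be fixed in the same edit: `fallsback` should be `falls back`, `a new key is generate each run` should be `generated`, and `a ECDSA` should be `an ECDSA`.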
@@ -167,7 +178,7 @@ $ chisel server --help
and you cannot set --tls-domain.

--tls-domain, Enables TLS and automatically acquires a TLS key and
certificate using LetsEncypt. Setting --tls-domain requires port 443.
certificate using LetsEncrypt. Setting --tls-domain requires port 443.
You may specify multiple --tls-domain flags to serve multiple domains.
The resulting files are cached in the "$HOME/.cache/chisel" directory.
You can modify this path by setting the CHISEL_LE_CACHE variable,
@@ -304,6 +315,9 @@ $ chisel client --help
--hostname, Optionally set the 'Host' header (defaults to the host
found in the server url).

--sni, Override the ServerName when using TLS (defaults to the
hostname).

--tls-ca, An optional root certificate bundle used to verify the
chisel server. Only valid when connecting to the server with
"https" or "wss". By default, the operating system CAs will be used.
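Review bot: the `--sni` description should say what it does to certificate verification. In the accompanying client change the value is written to `tls.Config.ServerName`, which Go uses both for the SNI extension and as the hostname the server certificate must match, so `--sni` changes which name the certificate is checked against (unless `--tls-skip-verify` is also set). State that here, otherwise users may assume they are still verifying the host in the server URL.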
@@ -345,38 +359,42 @@ $ chisel client --help

### Security

Encryption is always enabled. When you start up a chisel server, it will generate an in-memory ECDSA public/private key pair. The public key fingerprint (base64 encoded SHA256) will be displayed as the server starts. Instead of generating a random key, the server may optionally specify a key seed, using the `--key` option, which will be used to seed the key generation. When clients connect, they will also display the server's public key fingerprint. The client can force a particular fingerprint using the `--fingerprint` option. See the `--help` above for more information.
Encryption is always enabled. When you start up a chisel server, it will generate an in-memory ECDSA public/private key pair. The public key fingerprint (base64 encoded SHA256) will be displayed as the server starts. Instead of generating a random key, the server may optionally specify a key file, using the `--keyfile` option. When clients connect, they will also display the server's public key fingerprint. The client can force a particular fingerprint using the `--fingerprint` option. See the `--help` above for more information.

### Authentication

Using the `--authfile` option, the server may optionally provide a `user.json` configuration file to create a list of accepted users. The client then authenticates using the `--auth` option. See [users.json](example/users.json) for an example authentication configuration file. See the `--help` above for more information.

Internally, this is done using the _Password_ authentication method provided by SSH. Learn more about `crypto/ssh` here http://blog.gopheracademy.com/go-and-ssh/.

### SOCKS5 Guide
### SOCKS5 Guide with Docker

1. Print a new private key to the terminal

```sh
chisel server --keygen -
# or save it to disk --keygen /path/to/mykey
```

1. Start your chisel server

```sh
docker run \
--name chisel -p 9312:9312 \
-d --restart always \
jpillora/chisel server -p 9312 --socks5 --key supersecret
```
```sh
jpillora/chisel server --keyfile '<ck-base64 string or file path>' -p 9312 --socks5
```

2. Connect your chisel client (using server's fingerprint)
1. Connect your chisel client (using server's fingerprint)

```sh
chisel client --fingerprint 'rHb55mcxf6vSckL2AezFV09rLs7pfPpavVu++MF7AhQ=' <server-address>:9312 socks
```
```sh
chisel client --fingerprint '<see server output>' <server-address>:9312 socks
```

3. Point your SOCKS5 clients (e.g. OS/Browser) to:
1. Point your SOCKS5 clients (e.g. OS/Browser) to:

```
<client-address>:1080
```
```
<client-address>:1080
```

4. Now you have an encrypted, authenticated SOCKS5 connection over HTTP
1. Now you have an encrypted, authenticated SOCKS5 connection over HTTP


#### Caveats
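Review bot: the last step calls the result an "encrypted, authenticated SOCKS5 connection", but the guide never sets `--authfile` on the server or `--auth` on the client, so only the server is authenticated (by fingerprint); any client that can reach port 9312 can use the SOCKS5 proxy as an open relay. Add `--authfile users.json` to the server command and `--auth user:pass` to the client command, or reword the claim. Also, a key given inline in the `docker run` arguments is retained in `docker inspect` output; mount the key file with `-v` and pass the path instead.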
@@ -407,6 +425,9 @@ Since WebSockets support is required:
- `1.5` - Added reverse SOCKS support (by @aus)
- `1.6` - Added client stdio support (by @BoleynSu)
- `1.7` - Added UDP support
- `1.8` - Move to a `scratch`Docker image
- `1.9` - Bump to Go 1.21. Switch from `--key` seed to P256 key strings with `--key{gen,file}` (by @cmenginnz)
- `1.10` - Bump to Go 1.22. Add `.rpm` `.deb` and `.akp` to releases. Fix bad version comparison.

## License

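Review bot: `.akp` in the `1.10` line should be `.apk`, matching the `apk` format in `nfpms` (the commit message carries the same typo, so check the release notes too). The `1.8` line is missing a space in `` `scratch`Docker ``.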
8 changes: 6 additions & 2 deletions client/client.go
@@ -8,7 +8,6 @@ import (
"encoding/base64"
"errors"
"fmt"
"io/ioutil"
"log"
"net"
"net/http"
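Review bot: dropping `io/ioutil` means `os` must be imported for the `os.ReadFile` call later in this file; it is not in the visible part of the import block, so confirm it sits in the elided lines (the package will not compile otherwise).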
@@ -44,6 +43,7 @@ type Config struct {
Headers http.Header
TLS TLSConfig
DialContext func(ctx context.Context, network, addr string) (net.Conn, error)
Verbose bool
}

// TLSConfig for a Client
@@ -52,6 +52,7 @@ type TLSConfig struct {
CA string
Cert string
Key string
ServerName string
}

// Client represents a client instance
@@ -112,13 +113,16 @@ func NewClient(c *Config) (*Client, error) {
//configure tls
if u.Scheme == "wss" {
tc := &tls.Config{}
if c.TLS.ServerName != "" {
tc.ServerName = c.TLS.ServerName
}
//certificate verification config
if c.TLS.SkipVerify {
client.Infof("TLS verification disabled")
tc.InsecureSkipVerify = true
} else if c.TLS.CA != "" {
rootCAs := x509.NewCertPool()
if b, err := ioutil.ReadFile(c.TLS.CA); err != nil {
if b, err := os.ReadFile(c.TLS.CA); err != nil {
return nil, fmt.Errorf("Failed to load file: %s", c.TLS.CA)
} else if ok := rootCAs.AppendCertsFromPEM(b); !ok {
return nil, fmt.Errorf("Failed to decode PEM: %s", c.TLS.CA)
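Review bot: setting `tc.ServerName` ahead of the verification branch changes the hostname check, not only the SNI extension. With `SkipVerify` false, crypto/tls verifies the server certificate against `ServerName`, so `--sni other.example` to a server whose certificate is for the URL host fails the handshake, while `--sni real.example` to an arbitrary address accepts any valid certificate for `real.example` regardless of where the connection actually went. If the intent (per the commit message) is to present a different SNI while still verifying the real host, keep `ServerName` as the SNI value, set `InsecureSkipVerify` and perform the chain and hostname check yourself in `VerifyConnection` with `x509.VerifyOptions{DNSName: <URL host>}`. Two smaller points: the `if c.TLS.ServerName != ""` guard is a no-op (assigning the empty string leaves the default of deriving the name from the URL host), and `fmt.Errorf("Failed to load file: %s", c.TLS.CA)` discards the underlying error; wrap it with `%w`.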