Supporting other protocols?


Jon Spriggs

May 22, 2013, 5:57:44 PM
to pagekite...@googlegroups.com

A while ago I mentioned SSLH (I don't recall if it was on here or on Twitter or what) and Bjarni said it looked like an interesting tool. So, here's my dilemma: I'm currently chaining sslh to pagekite with an Apache backend and I'm totally losing all my IP information. At least when it was just pagekite and Apache I could rely on the X-Forwarded-For header. SSLH also recognises OpenVPN, XMPP and a few other protocols, and for my limited requirements (two laptops and localhost) pagekite would be perfect for me.

I've not heard much from pagekite in the last year or so, and I was wondering if there might be any interest in perhaps trying to bring a multiplexing feature into pagekite?

All the best,
--
Jon "The Nice Guy" Spriggs

Bjarni Rúnar Einarsson

May 23, 2013, 8:00:24 AM
to pagekite...@googlegroups.com
Hi Jon,

PageKite is already a protocol multiplexer, but it only transparently
multiplexes protocols which it can route by name (so HTTP using the
Host: header, SSL using SNI, Minecraft). SSH does not provide any
naming information in its initial handshake, so PageKite needs a bit
of help in order to select the right backend tunnel for incoming
connections.

The way this works is that PageKite supports SSH, VNC and other "binary
streams" by emulating an HTTP Proxy. The client must first send an
HTTP CONNECT request which PageKite uses to then route requests to the
right backend.

Configuring SSH clients to work with that is described here:
http://pagekite.net/wiki/Howto/SshOverPageKite/

You can use this method with the local SSH server on the frontend
relay itself, just as easily as with remote (tunneled) SSH servers -
just configure a local backend in the frontend configs. If you need
some help with that, let me know and I'll post some config fragments.

- Bjarni

--
Bjarni R. Einarsson
Founder, lead developer of PageKite.

Make localhost servers visible to the world: https://pagekite.net/

Christoph Witzany

May 23, 2013, 8:23:21 AM
to pagekite...@googlegroups.com
Hi Bjarni!

How about smtp?

I'd be interested in working on this.

Christoph

Bjarni Rúnar Einarsson

May 23, 2013, 9:06:04 AM
to pagekite...@googlegroups.com
SMTP is an interesting case, one I am interested in as well. It is a
bit trickier than the protocols we've supported so far, though, for a
few reasons:

- We have to forbid STARTTLS, because...
- We have to watch all RCPT TO commands and respond with 400 errors
(temporarily unavailable) for ones destined to the incorrect domain
(because we might get a mix of recipients destined for multiple
backends) and each session is only connected to one backend at a time.

This means we can't just watch the first few packets and then make a
final routing decision for each connection based on them, we have to
implement a state machine which watches and interacts with the SMTP
stream for the full lifetime of the connection.

Not impossible, but tricky. I haven't yet been convinced that the
benefits of this feature warrant the complication, which is why I
haven't started working on it yet. But I would love to accept patches
and would be happy to help out if you want to give it a shot.

- Bjarni
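A sketch of the per-connection state machine described in the message above, as an added example that is not part of the original post and is not PageKite code. It models only the routing decisions for the commands that matter here; the class, backend names and sample session are hypothetical, and the specific reply codes (451 for the temporary failure, 502 for STARTTLS, 550 for an unknown domain) are assumptions.

```python
class SmtpRouteSession:
    """Routing decisions for one client connection (one backend per session)."""

    def __init__(self, backends):
        self.backends = backends   # recipient domain -> backend (hypothetical names)
        self.bound = None          # backend this connection is tied to, once chosen
        self.have_mail = False

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 relay.example"          # STARTTLS is not advertised
        if verb == "STARTTLS":
            # Once TLS starts, the relay could no longer read RCPT TO.
            return "502 5.5.1 STARTTLS not supported"
        if verb == "MAIL":
            self.have_mail = True
            return "250 2.1.0 OK"
        if verb == "RCPT":
            if not self.have_mail:
                return "503 5.5.1 need MAIL first"
            domain = arg.split(">")[0].rpartition("@")[2].lower()
            backend = self.backends.get(domain)
            if backend is None:
                return "550 5.1.1 unknown domain"   # assumption: not from the post
            if self.bound not in (None, backend):
                # Recipient belongs to a different backend: ask for a retry.
                return "451 4.3.0 retry this recipient in a new session"
            self.bound = backend
            return "250 2.1.5 OK"
        if verb == "DATA":
            return "354 go ahead" if self.bound else "503 5.5.1 need RCPT first"
        return "500 5.5.2 unrecognized command"

# Constructed sample input: two backends, one client mixing recipients.
BACKENDS = {"a.example": "box-a", "b.example": "box-b"}
SESSION = ["EHLO client.example", "STARTTLS", "MAIL FROM:<x@sender.example>",
           "RCPT TO:<alice@a.example>", "RCPT TO:<bob@b.example>",
           "RCPT TO:<carol@a.example>", "DATA"]

def run_session(lines, backends):
    """Feed the lines through one session; return (reply codes, bound backend)."""
    s = SmtpRouteSession(backends)
    return [s.handle(l)[:3] for l in lines], s.bound
```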

Christoph Witzany

May 23, 2013, 9:19:24 AM
to pagekite...@googlegroups.com
So my use case is the following: (and maybe there is some better way to solve this)

I want to create a box with the essential cloud services for a small business/startup
that can be self hosted by just plugging it into your router.

To avoid the complication of router setup, I want to (optionally) expose these services through
a pagekite server (You might remember our discussions from a year ago, Bjarni, got sidetracked, but
still bent on following through)

OwnCloud, Zarafa (or similar) as Mail service, some CRM solution.

Everything else should be ok with pagekite, but receiving of emails is missing.

It should also gracefully upgrade to a port forwarded self hosting that doesn't need pagekite.

Do you see any possibility to have a secure connection to the SMTP server? I would hate to force people to use
smtp without TLS (even if it can't replace message level encryption)

Christoph


Bjarni Rúnar Einarsson

May 23, 2013, 10:52:38 AM
to pagekite...@googlegroups.com
Yeah, I think this is a very worthwhile project, and is pretty much
exactly the use case I see which would almost justify adding SMTP
support...

Sadly, there is no way to make this work with TLS - the SMTP protocol
mandates that the STARTTLS command happen before any command which
could allow PageKite to route the data.

I'm afraid the best solution for your use case may be to use a
traditional in-the-cloud SMTP server and encrypted POP or IMAP to
fetch the mail (I like fetchmail). Note that many providers forbid
outgoing direct SMTP and many spam blocking solutions reject mail
coming from "consumer" IP addresses. So in practice, spam prevention
policies mean you need an in-the-cloud SMTP relay to send mail anyway
and at that point you may as well just use the same infrastructure for
incoming mail as well.

(This logic is why I keep deciding against implementing SMTP support
myself in PageKite, it fails the cost-benefit analysis due to "how
mail works in the real world" and limitations on what is technically
possible).

On a semi-related note, have you seen my other project, Mailpile? It's
still at very early stages, but making good progress and is one of my
main projects for the summer. The goal is to create a self-hosted
GMail replacement, leveraging PageKite and the pagekite.net
infrastructure to make installation as simple as possible (which means
I may end up providing the SMTP relay services mentioned above, if I
figure out a reasonable business model to cover the costs). It might
be a good fit for your project, if it reaches maturity within the
right timeframe: https://github.com/pagekite/Mailpile


Christoph Witzany

May 23, 2013, 11:18:05 AM
to pagekite...@googlegroups.com
Yes, probably there will have to be some sort of SMTP relaying independently of pagekite (but in the same spirit).

Maybe my idea will provide the business case for Mailpile and the time frame on my side is still flexible enough.

Would you be interested in a cooperation?


