GOST.PLUS — Public Reverse Proxy Service¶
The reverse proxy tunnel is one of the major new features in GOST, and a very important one. With reverse proxy and intranet penetration, you can easily expose internal web services to the public network for access anytime, anywhere.
To test this feature more comprehensively and provide a quick way for users needing temporary public access to internal services, we launched the GOST.PLUS public reverse proxy test service. This service is open to all users without registration.
This is primarily a testing service. All public access points are temporary, with a 24-hour validity period.
Usage¶
Suppose you have a local HTTP service 192.168.1.1:80 that needs temporary public exposure. Run the following command on your local machine:
gost -L rtcp://:0/192.168.1.1:80 -F tunnel+wss://tunnel.gost.plus:443?tunnel.id=f8baa731-4057-4300-ab75-c4e603834f1b
Or use a randomly generated tunnel ID (omit the tunnel.id option):
Tunnel ID
Each tunnel is uniquely identified by its tunnel.id. Each tunnel ID corresponds to a unique public access point. The tunnel ID is a valid UUID, which can be generated using any UUID generator.
Caution
The tunnel ID is the sole credential for the tunnel and service. Keep it secure to prevent leakage and abuse.
If the tunnel is established successfully, the following log output appears:
{"connector":"tunnel","dialer":"wss","endpoint":"f1bbbb4aa9d9868a","hop":"hop-0","kind":"connector","level":"info",
"msg":"create tunnel on f1bbbb4aa9d9868a:0/tcp OK, tunnel=f8baa731-4057-4300-ab75-c4e603834f1b, connector=df4d62df-8b73-478a-96a2-26826e9cd675",
"node":"node-0","time":"2023-10-15T14:21:29.580Z",
"tunnel":"f8baa731-4057-4300-ab75-c4e603834f1b"}
The endpoint field value f1bbbb4aa9d9868a is the public access point. You can now access the internal 192.168.1.1:80 service via https://f1bbbb4aa9d9868a.gost.plus.
Custom Public Access Point¶
You can also specify a custom access point name:
gost -L rtcp://hello/192.168.1.1:80 -F tunnel+wss://tunnel.gost.plus:443?tunnel.id=f8baa731-4057-4300-ab75-c4e603834f1b
This sets the access point to hello, accessible via https://hello.gost.plus.
Binding Access Points
Each access point registers and binds to a tunnel ID on first use, with a binding duration of 1 hour. During this time, other tunnels cannot bind to this access point. After timeout, the binding expires and the access point can be bound to a different tunnel.
For more settings and usage, refer to the reverse proxy documentation.
TCP Services¶
TCP services can also be accessed via private tunnels. Assume 192.168.1.1:22 is an SSH service:
gost -L rtcp://:0/192.168.1.1:22 -F tunnel+wss://tunnel.gost.plus:443?tunnel.id=f8baa731-4057-4300-ab75-c4e603834f1b
To access this service, start a private entry point on the accessing end:
gost -L tcp://:2222/f1bbbb4aa9d9868a.gost.plus -F tunnel+wss://tunnel.gost.plus:443?tunnel.id=f8baa731-4057-4300-ab75-c4e603834f1b
The tunnel IDs on both ends must match for access to work.
Then SSH to 192.168.1.1:22:
UDP Services¶
Similarly, shared UDP services can be exposed via private tunnels. Assume 192.168.1.1:53 is a DNS service:
gost -L rudp://:0/192.168.1.1:53 -F tunnel+wss://tunnel.gost.plus:443?tunnel.id=f8baa731-4057-4300-ab75-c4e603834f1b
Start a private entry point on the accessing end:
gost -L udp://:1053/f1bbbb4aa9d9868a.gost.plus -F tunnel+wss://tunnel.gost.plus:443?tunnel.id=f8baa731-4057-4300-ab75-c4e603834f1b
Test it:
Self-Hosted Public Reverse Proxy¶
You can also set up your own reverse proxy service:
gost.yml
services:
- name: service-0
addr: :8080
handler:
type: tunnel
metadata:
entrypoint: :8000
ingress: ingress-0
listener:
type: ws
ingresses:
- name: ingress-0
plugin:
type: grpc
addr: gost-plugins:8000