-
Notifications
You must be signed in to change notification settings - Fork 136
/
rport.example.conf
152 lines (131 loc) · 6.41 KB
/
rport.example.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
#======================================================================================================================
# vim: softtabstop=2 shiftwidth=2 expandtab fenc=utf-8 spell spelllang=en cc=120
#======================================================================================================================
#
# FILE: rport.example.config
#
# DESCRIPTION: Configuration file for the rport client
#
# BUGS: https://github.com/cloudradar-monitoring/rport/issues
#
# HELP: https://github.com/cloudradar-monitoring/rport/blob/master/README.md
#
# COPYRIGHT: (c) 2020 by the CloudRadar Team,
#
# LICENSE: MIT
# ORGANIZATION: cloudradar GmbH, Potsdam, Germany (cloudradar.io)
# CREATED: 10/10/2020
#======================================================================================================================
[client]
## rportd server address.
## Mandatory IP address and port divided by a colon.
server = "0.0.0.0:8080"
## fingerprint string to perform host-key validation against the server's public key.
## Highly recommended. Not using it is a big security risk.
#fingerprint = "36:98:56:12:f3:dc:e5:8d:ac:96:48:23:b6:f0:42:15"
## Required client authentication credentials in the form: "<client-auth-id>:<password>".
auth = "clientAuth1:1234"
## An optional HTTP CONNECT or SOCKS5 proxy which will be used to reach the rport server.
## Authentication can be specified inside the URL.
#proxy = "http://admin:[email protected]:8081"
## An optional client ID to better identify the client.
## NOTE: all history for a client is stored based on this id.
## If not set, a random id will be created that changes on every client start.
## That's why it's highly recommended to set it with a value that was generated on the first
## start or just set it on the very beginning. So on client restart all his history will be preserved.
## The server rejects connections on duplicated ids.
#id = "5616a70e-81a0-4eec-bab3-0861e3c88334"
## An optional client name to better identify the client.
## Useful if you use numeric ids to make client identification easier.
#name = "my_win_vm_1"
## An optional list of tags to give your clients attributes.
## Used for filtering clients on the server.
#tags = ['win', 'server', 'vm']
## Optional remote connections tunneled through the server, each of which come in the form:
## <local-port>
## or
## <remote-port>:<local-port>
## or
## <remote-port>:<local-interface>:<local-port>
## Examples:
## 1) remotes = ['22']
## Makes the local port 22 available on a random port of the rport server.
## 2) remotes = ['2222:127.0.0.1:22'] or shorthand
## remotes = ['2222:22']
## Makes the local SSH port 22 available on port 2222 of the rport server.
## 3) remotes = ['9999:192.168.1.1:80']
## Makes the Port 80 of 192.168.1.1 available on port 9999 of the rport server.
## sharing <remote-host>:<remote-port> from the client to the server's <local-interface>:<local-port>.
## If not set, client connects without active tunnel(s) waiting for tunnels to be initialized by the server.
## Multiple remotes must be comma separated. Using linebreaks after the comma is possible.
#remotes = [
# '3389:3389',
# '5050'
#]
## There is no technical requirement to run the rport client under the root user.
## Running it as root is an unnecessary security risk.
## Rport exits with an error if started as root unless you explicitly allow it.
## Defaults to false, ignored on Windows.
#allow_root = false
[connection]
## An optional keepalive interval. You must specify a time with a unit, for example '30s' or '2m'.
## Defaults to '0s' (disabled)
keep_alive = '30s'
## Maximum number of times to retry before exiting. Defaults to unlimited (-1)
#max_retry_count = 10
## Maximum wait time before retrying after a disconnection. Defaults to 5 minutes
max_retry_interval = '5m'
## Optionally set the 'Host' header. Defaults to the host found in the server url
#hostname = "myvm1.lan"
## Other custom headers in the form "HeaderName: HeaderContent"
#headers = ['User-Agent: test1', 'Authorization: Basic XXXXXX']
[logging]
## Specifies log file path for global logging.
## Not setting "log_file" turns logging off.
#log_file = 'C:\Program Files\rport\rport.log'
log_file = "/var/log/rport/rport.log"
## Specify log level. Values: 'error', 'info', 'debug'.
## Defaults to 'error'
log_level = "error"
[remote-commands]
## Enable or disable execution of remote commands sent by server.
## Defaults: true
#enabled = true
## Limit the maximum length of the command output that is sent back to server.
## Applies to the stdout and stderr separately.
## If exceeded {send_back_limit} bytes are sent.
## Defaults: 2048
#send_back_limit = 2048
## Allow commands matching the following regular expressions.
## The filter is applied to the command sent. Full path must be used.
## See {order} parameter for more details how it's applied together with {deny}.
## Defaults: ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']
#allow = ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']
## Deny commands matching one of the following regular expressions.
## The filter is applied to the command sent. Full path must be used.
## See {order} parameter for more details how it's applied together with {allow}.
## With the below default filter only single commands are allowed.
## Defaults: ['(\||<|>|;|,|\n|&)']
#deny = ['(\||<|>|;|,|\n|&)']
## Order: ['allow','deny'] or ['deny','allow']. Order of which filter is applied first.
## Defaults: ['allow','deny']
##
## order: ['allow','deny']
## First, all allow directives are evaluated; at least one must match, or the command is rejected.
## Next, all deny directives are evaluated. If any matches, the command is rejected.
## Last, any commands which do not match an allow or a deny directive are denied by default.
## Example:
## allow: ['^/usr/bin/.*']
## deny: ['^/usr/bin/zip']
## All commands in /usr/bin except '/usr/bin/zip' can be executed. Full path must be used.
##
## order: ['deny','allow']
## First, all deny directives are evaluated; if any match,
## the command is denied UNLESS it also matches an allow directive.
## Any command which do not match any allow or deny directives are permitted.
## Example:
## deny: ['.*']
## allow: ['zip$']
## All commands are denied except those ending in zip.
##
#order = ['allow','deny']