amalshaji / portr


Open source ngrok alternative designed for teams. Tunnel http, tcp or websocket connections.

Home Page: https://portr.dev

License: GNU Affero General Public License v3.0

Makefile 0.33% Go 30.91% Dockerfile 0.69% HTML 3.76% TypeScript 12.52% JavaScript 3.18% CSS 1.77% Python 46.72% Shell 0.10%
ngrok-alternative ssh-tunnel tunneling golang python shadcn-svelte svelte cli open-source developer-tools

portr's People

Contributors

amalshaji, barns101, dependabot[bot], imnotjames

portr's Issues

[Cloudflare] Subdomain is not created

When running portr in HTTP mode, I get "Tunnel connected: https://test.example.com -> ๐ŸŒ -> localhost:1111," but I can't connect it to my local API. When I look into the DNS > Records tab in the Cloudflare panel, I don't see any new record created for the "test" subdomain.

To Reproduce
Steps to reproduce the behavior:

  1. Run portr in Docker
  2. Start client
  3. No connection via defined subdomain

Expected behavior
When the client is run, the defined subdomain should be created in Cloudflare, and I could connect to my local resources.

Additional context
It's not working in HTTP mode, but it works in TCP mode, so I know that the connection itself is working.

Toggle URL unsafe query decode values

Is your feature request related to a problem? Please describe.
It is not a problem, but I would like to have an option to display unsafe decoded query values.

In the screenshot, I have a request and there are [] in the query.

Invalid state

Describe the bug
After setup, when I forward a port it gives a URL; when going to the URL it asks for login, and after login it says "Invalid state".

Enhancement Request: Secure SSH Authorization in Docker Compose for Improved Instance Security

Is your feature request related to a problem? Please describe.
Ensuring secure SSH authorization is paramount, especially for users concurrently hosting multiple projects on a single server. The current lack of SSH security poses a significant vulnerability that needs addressing promptly.

Describe the solution you'd like
Enhancing security within the Docker Compose file by enabling users to specify the path to their public key or password for SSH authorization would be a significant improvement. This feature would empower users to fortify their instances against potential security breaches effectively.

Describe alternatives you've considered
While less preferable due to potential user inconvenience, an alternative method could involve clients providing passwords or certificates during authorization. However, this approach might sacrifice some user-friendliness for increased security measures.

failed to initialize database

Describe the bug
Running portr on Ubuntu throws an error:

2024/04/04 14:57:56 /home/runner/work/portr/portr/tunnel/internal/client/db/db.go:19
[error] failed to initialize database, got error unable to open database file: out of memory (14)
2024/04/04 14:57:56 failed to connect database: unable to open database file: out of memory (14)

To Reproduce
Steps to reproduce the behavior:

  1. wget https://github.com/amalshaji/portr/releases/download/0.0.10-beta/portr_0.0.10-beta_Linux_x86_64.zip
  2. unzip portr_0.0.10-beta_Linux_x86_64.zip
  3. ./portr http 8088
  4. See error

not starting

Describe the bug
I tried to start the program with portr http 1615 and it said 'Post "https://localhost:8000/api/v1/connections/": dial tcp [::1]:8000: connectex: No connection could be made because the target machine actively refused it.'

To Reproduce
Steps to reproduce the behavior:

  1. Type portr http 1615

Expected behavior
My expected behavior is for it to start.

Additional context
pls fix

Initial Superuser can get in a "stuck" state

Describe the bug
If a super user is created but then - say, because they get distracted watching Galaxy of Terror 😅 - gets logged out without creating a team, they're stuck. They can't authenticate again that way because they aren't on a team; they never created one.

To Reproduce
Steps to reproduce the behavior:

  1. Set up an empty portr instance
  2. Log in and create the first superuser but DO NOT create a team
  3. Delete cookie for session
  4. Attempt to Log in again
  5. See error message

Expected behavior
Superuser can log in even if they aren't on a team - so they can create a team

Screenshots

Error message is shown: "User not part of any team"

Additional context
Fixed as part of #25 but there are a number of other changes there.

Support reverse proxy authorization

Is your feature request related to a problem? Please describe.
In my local set up I'm using traefik and forwardAuth -- this means that I have a trusted single sign on that goes from traefik -> oauth2-proxy -> keycloak.

Once that authentication occurs (+ authorization as defined in keycloak) users will be granted access to various services -- including portr. At that point, currently they then need to connect portr to their github account for a second authentication.

That's not ideal. I'd prefer if there's a simpler flow given I already manage the authentication and authorization.

Describe the solution you'd like
If configured via some sort of environment variables, I'd like for portr to check that it's currently connected to the trusted proxy & if it is accept a particular header as the authenticated user's email. Then create a user if they don't already exist - and if they do exist, allow them to continue as normal.

Describe alternatives you've considered
I'm currently using a patched dockerfile that implements this behavior - patching particular files so that this feature works, but it's very specific to my use environment.

I did think of turning off the traefik auth entirely for portr - relying solely on github -- but I'd really rather not require a github specific flow.

Additional context

The header is X-Auth-Request-Email for oauth2-proxy & Remote-Email by default for authelia.

I think this should also work for other reverse proxies such as caddy & nginx setups.
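A sketch of the check this request describes, added here as an example (it is not portr code and not the issue author's patch): the e-mail header is honoured only when the TCP peer is a configured trusted proxy, and anything else falls back to the normal login. The setting names, the subnet and the users dict are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed settings (hypothetical names, not portr configuration keys).
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/16")]  # constructed Docker subnet
EMAIL_HEADER = "x-auth-request-email"  # oauth2-proxy; authelia uses "remote-email"
EMAIL_RE = re.compile(r"[^@\s,]+@[^@\s,]+\.[^@\s,]+")


def proxy_email(peer_ip, headers, trusted=TRUSTED_PROXIES, header=EMAIL_HEADER):
    """Return the e-mail asserted by a trusted proxy, or None.

    peer_ip is the TCP peer address of the connection, never a value taken
    from X-Forwarded-For. headers is a list of (name, value) pairs so that
    duplicated headers stay visible.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    if not any(addr in net for net in trusted):
        return None  # direct client: the header is client-controlled, ignore it
    values = [v.strip() for k, v in headers if k.lower() == header]
    if len(values) != 1:
        return None  # missing, or ambiguous because it was sent twice
    email = values[0].lower()
    return email if EMAIL_RE.fullmatch(email) else None


def login_via_proxy(peer_ip, headers, users):
    """Create the user on first sight, as the request describes.

    users is a dict standing in for the user table. None means "fall back
    to the normal GitHub login".
    """
    email = proxy_email(peer_ip, headers)
    if email is None:
        return None
    return users.setdefault(email, {"email": email, "teams": []})
```

The proxy itself must also strip any client-supplied copy of the header before forwarding, otherwise a request passing through the trusted proxy can still carry a forged value.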

Always get operation timed out

I always get a dial tcp [2a06:98c1:3120::2]:2222: connect: operation timed out

For example with

โฏ portr http 5173 
๐ŸŒ Starting tunnel connection for :5173
🚨 Portr inspector running on http://localhost:7777

dial tcp [2a06:98c1:3120::2]:2222: connect: operation timed out

localhost:7777 shows an empty table.
On the admin side, sometimes I see a connection with a domain name but it doesn't end up working.

I'm using the following docker compose config:

services:
  # Caddy reverse proxy: Reverse proxy and SSL manager
  caddy:
    image: lucaslorentz/caddy-docker-proxy:latest
    container_name: caddy
    environment:
      PUID: 1000
      PGID: 1000
      TZ: Europe/Paris
      CADDY_INGRESS_NETWORKS: caddy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ../config/caddy:/data:rw
    restart: unless-stopped
    networks:
      - caddy
    ports:
      - 80:80 # Public HTTP Port
      - 443:443 # Public HTTPS Port
    labels:
      com.centurylinklabs.watchtower.enable: true
      caddy.email: ${EMAIL}

  portr_admin:
    image: amalshaji/portr-admin:0.0.15-beta
    container_name: portr_admin
    restart: unless-stopped
    env_file: .env
    depends_on:
      portr_postgres:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8000/api/v1/healthcheck"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - caddy
    labels:
      com.centurylinklabs.watchtower.enable: true
      caddy_0: ${HOSTNAME:?error}
      caddy_0.reverse_proxy: "{{upstreams 8000}}"
      caddy_0.encode: gzip

  portr_tunnel:
    image: amalshaji/portr-tunnel:0.0.15-beta
    container_name: portr_tunnel
    command: ["start"]
    env_file: .env
    restart: unless-stopped
    depends_on:
      portr_admin:
        condition: service_healthy
      portr_postgres:
        condition: service_healthy
    networks:
      - caddy
    ports:
      - 2222:2222
    expose:
      - 2222
    labels:
      com.centurylinklabs.watchtower.enable: true
      caddy_1: "*.${HOSTNAME:?error}"
      caddy_1.reverse_proxy: "{{upstreams 8001}}"
      caddy_1.tls.dns: "cloudflare $CLOUDFLARE_API_TOKEN"
      caddy_1.encode: gzip

  portr_postgres:
    image: postgres:16.2
    container_name: portr_postgres
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: postgres
      POSTGRES_DB: postgres
    volumes:
      - portr_postgres_data:/var/lib/postgresql/data
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - caddy
      
networks:
  # Caddy network: Network for exposing services using Caddy
  caddy:
    external: true
    name: caddy

With caddy network

64552f4c211e   caddy               bridge    local

Do you have any idea?

change default timeout

TL;DR DROPPING CONNECTION, GETTING 'Unregistered subdomain' CONSTANTLY on client. Have to restart client and comes back up.

The longer version:
First of all, thank you for your project! It is EXACTLY what I had in mind. Yay!
I have used ngrok since before it was ngrok and ssh tunnels for Xen, bhyve, and other virt hosts before that.
And this is SO MUCH BETTER than the horrible script(s) I wrote in zsh that I used for a couple of years.

So, thanks for open sourcing your project, it is awesome and I really appreciate it! <3
FYI: I had some issues getting set up and I figured that if I am having issues, you can definitely assume others are or will be, too.

Least I can do is take some time to report in with my thoughts and nitpicks :P

Couple of things (both with the binary and building the project, didn't try on mac as I am assuming that's what you dev on and prob works solid I'm guessing):

  • docs were nice and unexpected! kudos!
  • portr config = I am logged in via ssh to a remote server without X, I think you are trying to open a file manager or browser or something, yeah? If you could do a check first or even just dump WHERE the file is supposed to be/go, but I appreciate what you are trying to do, make it easier. Ideally, it would do an X/Wayland check (I use FreeBSD primarily which is a whole nother story)/DISPLAY env var check, and if no DISPLAY, check for EDITOR/vi/nano, if none, print /path/to/file. Actually, I suggest you have the /path/to/config print anyway, why not right?
  • missing portr config file = the only other 'major' issue at that point was that the config file was blank, whereas it seemed like it was not supposed to be based on my understanding at that point. That took me a bit of hair pulling as while your docs are great, going from blank file to connecting remotely to my server portr endpoint successfully was a jump. Not only blank on the server but also the 4 or 5 clients I installed to as well.

Now, some 'get off my lawn' gripes:

  • Docker Dependency (Ok ok, I am a FreeBSD guy, one of the few ppl on Earth that can't run a Docker container (well, we can on FreeBSD, using bhyve to run a container host, which ironically is what EVERYONE will be doing soon, including Linux (that's what Docker Desktop is))). If I can figure it out, I will usually try fairly hard to shake the Docker dependency so I can run it on FreeBSD easily.
  • Cloudflare ? How can I shake that one? We don't use Cloudflare and if it's for personal, I'm on afraid.org. Cloudflare is pretty cool, no doubt, but is there a not super difficult way for me to NOT use it? That would be killer.
  • Github Auth: I love that you are security focused but ssh tunnels, I'm good with it. It would be SUPER NICE to just have a brute force login method. A simple hash. I mean, I am root, it's ok. Is that harder than OAUTH, I honestly have no idea, I'm a sysadmin (old, before 'devops'). Having been stuck a few times here and there, not able to 2-factor auth while at a datacenter really sucks so that is just an FYI, too.

Out of those 3, GitHub auth dependency would be my REALLY want to have. Then Cloudflare, then Docker.

++++++++++++++++++++++++++++++++
Alrighty then, now for my ACTUAL problem lol:
** Unregistered Subdomain =Timeout Too Soon? **
++++++++++++++++++++++++++++++++

So, I have a flaky service on a flaky box at a flaky location (only half-kidding!) and so I have Supervisor kicking the service constantly to keep it available. It seems like the portr server endpoint drops it in a hot microsecond.

Is that adjustable anywhere somewhere? Like, it's not a big deal for me if it doesn't check for a minute or 3, you know? It would be extra sweet if that was a knob that was tunnel adjustable! Like tunnel1 is high availability if it isn't there in 5s, it's already spinning up elsewhere and trying to connect but tunnel2 is my sad offsite server in the desert on a satlink. Shady. It can wait 5m.

Anyway, I am also most likely 'doing it wrong', so feel free to educate me :D

Along those lines, can I easily turn a knob to quiet the logging too?

Once again, thanks for open sourcing, it was the right choice.

Maybe you will be bigger ngrok one day.

ciao,
-matt

WSL2 Portr inspector not working

Describe the bug
I have configured the portr server on Hetzner, did client auth, and am now trying to see the inspector dashboard. When trying to open http://localhost:7777 I'm getting just ERR_CONNECTION_RESET.

To Reproduce
Steps to reproduce the behavior:

  1. Install the portr client on WSL2 and try to open the inspector dashboard.

Expected behavior
Dashboard working
