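ssh will start a WS proxy server for server mode, or copy from stdin/stdout for client mode. It is useful for proxying other protocols (like ssh) over websockets (which you can put Access in front of). Note that when the connection override (sshConnectTo) has three colon-separated parts, the code below sets InsecureSkipVerify: true on the TLS client config and only logs a warning, so the server certificate is not verified in that mode.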
(c *cli.Context)
| 62 | // useful for proxying other protocols (like ssh) over websockets |
| 63 | // (which you can put Access in front of) |
| 64 | func ssh(c *cli.Context) error { |
| 65 | // If not running as a forwarder, disable terminal logs as it collides with the stdin/stdout of the parent process |
| 66 | outputTerminal := logger.DisableTerminalLog |
| 67 | if c.IsSet(sshURLFlag) { |
| 68 | outputTerminal = logger.EnableTerminalLog |
| 69 | } |
| 70 | log := logger.CreateSSHLoggerFromContext(c, outputTerminal) |
| 71 | |
| 72 | // get the hostname from the cmdline and error out if its not provided |
| 73 | rawHostName := c.String(sshHostnameFlag) |
| 74 | url, err := parseURL(rawHostName) |
| 75 | if err != nil { |
| 76 | log.Err(err).Send() |
| 77 | return cli.ShowCommandHelp(c, "ssh") |
| 78 | } |
| 79 | |
| 80 | // get the headers from the cmdline and add them |
| 81 | headers := parseRequestHeaders(c.StringSlice(sshHeaderFlag)) |
| 82 | if c.IsSet(sshTokenIDFlag) { |
| 83 | headers.Set(cfAccessClientIDHeader, c.String(sshTokenIDFlag)) |
| 84 | } |
| 85 | if c.IsSet(sshTokenSecretFlag) { |
| 86 | headers.Set(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag)) |
| 87 | } |
| 88 | headers.Set("User-Agent", userAgent) |
| 89 | |
| 90 | carrier.SetBastionDest(headers, c.String(sshDestinationFlag)) |
| 91 | |
| 92 | options := &carrier.StartOptions{ |
| 93 | OriginURL: url.String(), |
| 94 | Headers: headers, |
| 95 | Host: url.Host, |
| 96 | IsFedramp: c.Bool(fedrampFlag), |
| 97 | } |
| 98 | |
| 99 | if connectTo := c.String(sshConnectTo); connectTo != "" { |
| 100 | parts := strings.Split(connectTo, ":") |
| 101 | switch len(parts) { |
| 102 | case 1: |
| 103 | options.OriginURL = fmt.Sprintf("https://%s", parts[0]) |
| 104 | case 2: |
| 105 | options.OriginURL = fmt.Sprintf("https://%s:%s", parts[0], parts[1]) |
| 106 | case 3: |
| 107 | options.OriginURL = fmt.Sprintf("https://%s:%s", parts[2], parts[1]) |
| 108 | options.TLSClientConfig = &tls.Config{ |
| 109 | InsecureSkipVerify: true, // #nosec G402 |
| 110 | ServerName: parts[0], |
| 111 | } |
| 112 | log.Warn().Msgf("Using insecure SSL connection because SNI overridden to %s", parts[0]) |
| 113 | default: |
| 114 | return fmt.Errorf("invalid connection override: %s", connectTo) |
| 115 | } |
| 116 | } |
| 117 | |
| 118 | // we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side |
| 119 | wsConn := carrier.NewWSConnection(log) |
| 120 | |
| 121 | if c.NArg() > 0 || c.IsSet(sshURLFlag) { |
nothing calls this directly
no test coverage detected