Tunnels Restricted

The tunnels_restricted permission property allows you to define restrictions for tunnel creation. To set up tunnel restrictions, follow the steps below:
- Create or update a user group with the tunnels: true permission.
- Add the tunnels_restricted property to the user group's permissions object, defining the restrictions.
RPort comes with two layers of tunnel restrictions:
- Client side restrictions: after a tunnel is requested, the client validates the request against a list of allowed tunnel targets. The server cannot leverage this validation. Client side restrictions are per client. They cannot be changed from the server. You cannot create user or user group specific restrictions.
- Server side restrictions: these restrictions are implemented on the API. They prevent dispatching tunnel requests to the client based on user groups. If server side restrictions allow the request for a specific tunnel, client side restrictions may still deny it. Server side restrictions are per user group. They are combined with client access permissions. To request a tunnel on a client, the user group first needs client access permissions. Furthermore, tunnel creation must be allowed and the tunnel request must pass the extended tunnel permission check.
The following JSON structure provides an exhaustive example of the tunnels_restricted property and its available options (each option should be considered separately):

```json
{
  "tunnels_restricted": {
    "local": ["20000", "20001"],
    "remote": ["22", "3389"],
    "scheme": ["ssh", "rdp"],
    "acl": ["201.203.40.9"],
    "idle_timeout_minutes": { "min": 5 },
    "auto_close": { "max": "60m", "min": "1m" },
    "protocol": ["tcp", "udp", "tcp-udp"],
    "skip_idle_timeout": false,
    "http_proxy": true,
    "host_header": ".*",
    "auth_allowed": true,
    "terminate_foreign_tunnels": false
  }
}
```
- local: Specifies the allowed local ports for tunnels. If omitted or an empty list, any local port can be used. In the example above, only tunnels using the local ports 20000 or 20001 are allowed. Omit it if you want to use a random free port.
- remote: Specifies the allowed remote ports for tunnels. In the example above, only tunnels using the remote ports 22 or 3389 are allowed.
- scheme: Defines the allowed tunnel schemes, such as SSH or RDP in this case.
- acl: Specifies the allowed CIDR or IP addresses for the tunnel ACL. With the above example, all tunnel requests must have the given ACL value.
- idle_timeout_minutes: Sets the minimum idle timeout (in minutes) for tunnel creation, 5 minutes in this case.
- auto_close: Specifies the permitted values for auto_close. In this case the user will not be able to create a tunnel declaring an auto_close that is more than 60 minutes or less than 1 minute.
- protocol: Defines the allowed tunnel protocols. In this case, any tunnel protocol is allowed.
- skip_idle_timeout: Specifies whether the user can enable the "skip_idle_timeout" feature. In this case, the user is not allowed to enable this feature.
- http_proxy: Specifies whether the user can enable the HTTP proxy feature. In this case, the user is allowed to enable it.
- host_header: Defines the allowed host header for tunnels with a regular expression.
- auth_allowed: Specifies whether the user can enable HTTP basic authentication for a tunnel. In this case, the user is allowed to enable it.
- terminate_foreign_tunnels: Specifies whether the user is allowed to terminate tunnels created by any user (true) or only their own tunnels.

Omitting or using an empty list for any list property will remove the corresponding restriction.
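As an added illustration (not RPort's own code), the following Python check applies the server side semantics described above to a tunnel request: list properties are unrestricted when omitted or empty, idle_timeout_minutes enforces a minimum, auto_close must fall between min and max, a false boolean forbids enabling that feature, and host_header must match the regular expression. It assumes durations are written as a number followed by m or h, and that a boolean key absent from tunnels_restricted leaves the feature unrestricted.

```python
import re

# Constructed example of a user group's tunnels_restricted object (same values as the JSON above).
RESTRICTIONS = {
    "local": ["20000", "20001"], "remote": ["22", "3389"], "scheme": ["ssh", "rdp"],
    "acl": ["201.203.40.9"], "idle_timeout_minutes": {"min": 5},
    "auto_close": {"max": "60m", "min": "1m"}, "protocol": ["tcp", "udp", "tcp-udp"],
    "skip_idle_timeout": False, "http_proxy": True, "host_header": ".*", "auth_allowed": True,
}

def _minutes(duration):
    """Parse an auto_close duration such as '1m', '60m' or '2h' into minutes (assumed format)."""
    number, unit = int(duration[:-1]), duration[-1]
    return number * {"m": 1, "h": 60}[unit]

def check_tunnel_request(req, restr):
    """Return the list of restrictions a tunnel request violates (an empty list means it passes).

    req holds the request's fields as a dict; restr is the group's tunnels_restricted object.
    Only fields present in req are checked, so a request may omit 'local' to get a random port.
    """
    violations = []
    # List properties: an omitted or empty list removes the restriction.
    for key in ("local", "remote", "scheme", "acl", "protocol"):
        allowed = restr.get(key) or []
        if allowed and key in req and str(req[key]) not in allowed:
            violations.append(f"{key}={req[key]!r} is not one of {allowed}")
    # idle_timeout_minutes: the request may not go below the configured minimum.
    min_idle = restr.get("idle_timeout_minutes", {}).get("min")
    if min_idle is not None and "idle_timeout_minutes" in req and req["idle_timeout_minutes"] < min_idle:
        violations.append(f"idle_timeout_minutes={req['idle_timeout_minutes']} is below the minimum {min_idle}")
    # auto_close: the requested duration must lie within [min, max].
    limits = restr.get("auto_close", {})
    if "auto_close" in req:
        wanted = _minutes(req["auto_close"])
        if "min" in limits and wanted < _minutes(limits["min"]):
            violations.append(f"auto_close={req['auto_close']} is shorter than the minimum {limits['min']}")
        if "max" in limits and wanted > _minutes(limits["max"]):
            violations.append(f"auto_close={req['auto_close']} is longer than the maximum {limits['max']}")
    # Boolean feature switches: false forbids enabling the feature; an absent key is assumed unrestricted.
    for key in ("skip_idle_timeout", "http_proxy", "auth_allowed"):
        if req.get(key) and not restr.get(key, True):
            violations.append(f"{key} may not be enabled by this user group")
    # host_header: the requested header must fully match the allowed regular expression.
    pattern = restr.get("host_header")
    if pattern is not None and "host_header" in req and not re.fullmatch(pattern, req["host_header"]):
        violations.append(f"host_header={req['host_header']!r} does not match {pattern!r}")
    return violations
```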