# Restrictions are whitelist rules for the tunnels # By default, all requests are denied and only if a restriction match, the request is allowed restrictions: - name: "Allow all" description: "This restriction allows all requests" # This restriction apply only and only if all matchers match/are evaluated to true # It is a logical AND match: # This match apply only if it succeeds to match the path prefix with the given regex # The regex does a match, so if you want to match exactly you need to bound the pattern with ^ $ # I.e: "tesotron" is going to match "XXXtesotronXXX", but "^tesotron$" is going to match only "tesotron" - !PathPrefix "^.*$" # The only other possible match type for now is !Any, that match everything/any request # - !Any # This is the list of tunnels your restriction is going to allow # The list is checked in order, the first match is going to allow the request allow: # !Tunnel allows forward tunnels - !Tunnel # Protocol that are allowed. Empty list means all protocols are allowed # Logical OR protocol: - Tcp - Udp # Port that are allowed. Can be a single port or an inclusive range (i.e. 80..90) # Logical OR port: - 80 - 443 - 8080..8089 # if the tunnel wants to connect to a specific host, this regex must match host: ^.*$ # if the tunnel wants to connect to a specific IP, it must be included in one of the network cidr # Logical OR cidr: - 0.0.0.0/0 - ::/0 # !ReverseTunnel allows reverse tunnels # Not specifying anything means all reverse tunnels are allowed - !ReverseTunnel protocol: - Tcp - Udp - Socks5 - Unix port: - 1..65535 # Maps ports on the server side from X to Y (X:Y). For example with 10001:8080 configured and a client # which connects using '-R tcp://10001:localhost:80' the server will listen on port 8080 instead of 10001. # The originally requested ports (NOT the mapped ports) need to be allowed via the 'ports' directive. port_mapping: - 10001:8080 cidr: - 0.0.0.0/0 - ::/0 --- # Examples restrictions: - name: "example 1" description: "Only allow forward tunnels to port 443 and forbid reverse tunnels" match: - !PathPrefix "^.*$" allow: - !Tunnel port: - 443 --- restrictions: - name: "example 2" description: "Only allow forward tunnels to local ssh and forbid reverse tunnels" match: - !PathPrefix "^.*$" allow: - !Tunnel protocol: - Tcp port: - 22 host: ^localhost$ cidr: - 127.0.0.1/32 --- restrictions: - name: "example 3" description: "Only allow socks5 reverse tunnels listening on port between 1080..1443 on lan network" match: - !PathPrefix "^.*$" allow: - !ReverseTunnel protocol: - Socks5 port: - 1080..1443 cidr: - 192.168.0.0/16 --- restrictions: - name: "example 4" description: "Allow everything for client using path prefix my-super-secret-path" match: - !PathPrefix "^my-super-secret-path$" allow: - !Tunnel - !ReverseTunnel --- restrictions: - name: "example 5" description: "Forbid everything ..." match: - !Any allow: []