[9fans] Portable NAT-busting reverse-proxy

Tue, 03 Mar 2015 20:53:58 -0800 

I have a web service that runs localhost-only on my laptop which I'd sometimes 
like to make available on the public internet. The service listens on port 
8000. The laptop moves around periodically, is usually behind a NAT, and is 
sometimes offline. Here's how I do it.

1) In Inferno on my laptop, I export my local network stack:
        listen -Av 'tcp!*!5555' {export /net&}
(This whole setup would've been way simpler if drawterm exported the network 
stack like Inferno does. Does it on any platform?)

2) On my Plan 9 cpu server, I have a service which looks something like this 
(at, say, /rc/bin/service/tcp1234):
        #!/bin/rc
        echo -n 0 > /srv/remotenet
There's a bit more going on in the real version of this, but this version 
works. Thanks to qrstuv on irc for a reminder of the "echo -n 0 > /srv/foo" 
trick mentioned here:
        http://9fans.net/archive/2007/04/130

3) Also on my cpu server, I have a service which looks like this (call it 
/rc/bin/service/tcp4321):
        #!/bin/rc

        mount /srv/remotenet /n/remnet
        netd=/n/remnet
        host=localhost

        aux/trampoline $netd^/tcp!^$host^!8000
Again, more logging & error checking in the real thing, but this should work 
as-is (I have a fallback for if /srv/remotenet can't be mounted, when the 
laptop is offline).

4) Finally, on my laptop I run:
        trampoline -a 'tcp!localhost!5555' tcp!my-cpuserver!1234
Getting trampoline running under p9p was trivial: I just removed the mac 
checking bits. I'm not sure why p9p doesn't have the needed cs bits in the 
header files (the code seems to be there).

The p9p trampoline connects the 9p service provided by Inferno on my laptop to 
the tcp1234 listener on my cpu server, which posts a service to /srv which the 
listener on 4321 mounts on each call and then uses as a network stack for its 
own trampoline. The end result is that web requests to my cpu server port 4321 
get forwarded to localhost:8000 on my laptop, and I can re-establish this with 
just the p9p trampoline call. I have not attempted to authenticate any of the 
p9 connections, which I'd want to do if I were putting this into production 
service.

In addition to trampoline being so nice and the "echo -n 0" trick (which never 
sticks in my head for some reason), it's fun to note that there's nothing 
special about /net* directories; trampoline will use an IP stack anywhere you 
point it to.

I'll stick versions of this up on sources once I polish a bit or two.
Anthony

Reply via email to