hnakra/README.md

109 lines
4.9 KiB
Markdown
Raw Normal View History

2023-05-25 16:08:56 -06:00
# hnakra
The successor to HLHV. More stable and capable than ever!
Hnakra is similar to an HTTP reverse proxy, but it uses a custom protocol to
allow services to connect to the router instead of the other way around. This
approach provides a greater level of security and ease of setup, and allows
services to do cool things like hide behind a firewall on a completely different
network.
Hnakra is also designed to be multi-protocol, so services can make their content
and functionality available over HTTP, HTTPS, gemini, etc. In theory, any
request/response based protocol that uses URLs could be integrated into Hnakra.
Currently, only HTTPS is supported, but other protocols are coming soon.
## Security features
Hnakra has a highly configurable user/permission system for dictating what
services are allowed to do what. Services authenticate the identity of the
router using its TLS certificate, and the router authenticates the identity of
connecting services using a supplied username/key combination. This is so each
service can be given limited access to a particular portion of the site.
## Router server
This module comes with a basic router implementation, located at `cmd/router`.
It can be configured using `/etc/hnakra/hnakra.conf`. Each line in the
configuration file can be blank, a command, or a comment. A list of available
commands:
### `alias <alias> -> <target>`
When a request comes in with a host matching `alias`, it is replaced with
`target` before being routed to the appropriate service. If `(fallback)` is
specified as `alias`, any host that doesn't match a pre-existing alias will be
rewritten as `target`. By default, hosts equivalent to `localhost` are aliased
to the target `@`. It is reccomended to alias your domain name to `@` as well so
you don't need to hard-code it into your services.
### `unalias <alias>`
`unalias` undoes an alias that was created previously.
### `keyPath <path>`
`keyPath` specifies the location of the TLS key to load.
### `certPath <path>`
`certPath` specifies the location of the TLS certificate to load.
### `rcon`
This command enables the remote console, which lets you monitor the state of the
router from a webpage. It is available at `https://@/debug/rcon`. Before
accessing it, you must set up at least one user with rcon access.
### `router <port>`
This command specifies the port that services will connect to. If not specified,
the value of `$HNAKRA_ROUTER_PORT` will be used. If that is also blank, it will
default to a value of `2048`.
### `https [port]`
This command enables the HTTPS protocol. If the port is left blank, the value of
`$HNAKRA_HTTPS_PORT` will be used. If that is also blank, it will default to a
value of `443`.
### `http [port]`
This command enables the insecure HTTP protocol. If the port is left blank, the
value of `$HNAKRA_HTTP_PORT` will be used. If that is also blank, it will
default to a value of `80`.
### `gemini [port]`
This command enables the gemini protocol. If the port is left blank, the value
of `$HNAKRA_GEMINI_PORT` will be used. If that is also blank, it will defaul to
a value of `1965`.
### `noSecurity I AM NOT USING THIS IN PRODUCTION.`
This command disables username/key authentication entirely and lets any service
mount anywhere. For this to work, it must be typed exactly as shown above.
### `user <name>:<key hash> -> <capability>, ...`
The `user` command creates a new user under the specified name, with the
specified bcrypt key hash. Following the user is a `->` symbol, then a
comma-separated list of capabilities that user has. A capability can be a mount
point pattern, or the value `(rcon)`. Mount point patterns are interpreted as
follows:
- A singular glob, `*`, allows the user to mount services on any host or path.
- A URL pattern without any globs or trailing slashes (such as `https://@/path`)
allows the user to mount services on that exact path only.
- If the host component of the pattern is prefixed with a `.`, it will match
subdomains of that host as well as the host itself.
- If the host component of the pattern is prefixed with a `*`, it will match any
host ending in the host component (not including the glob).
- If the path component of the pattern is affixed with a `/`, it will match any
paths under it, as well as the path itself.
- If the path component of the pattern is affixed with a `*`, it will match any
path that starts with the path component (not including the glob).
For example, the pattern `https://.@/static/` allows a user to mount services on
`@` (or any subdomain of `@`) at `/static` (or anything underneath `/static`) on
the HTTPS protocol.
Specifiying a value as `(rcon)` as opposed to a mount point pattern will allow
access to the rcon panel (if it is enabled) by logging in with this user's
credentials.
## Service package
This module also comes with a package that allows you to easily create a service
in just a few lines of code. Some examples can be found in the `examples`
directory.