
Inlets

Inlets is a tool similar to ngrok: it exposes a server that sits behind a firewall through a public IP (on a VPS). It routes all traffic arriving on a specific port to the client, which connects remotely from behind the firewall. You can read more about it in this blog post or on the inlets GitHub page.

Installation

The installation is very straightforward. Just run the following command:

curl -sLS https://get.inlets.dev | sudo sh

Next, we test the server and the client to make sure the ports are exposed and traffic is being routed. Then, we will install them as a service.

Here is a very good starting point for installing inlets on a VPS:

Test Server

This step starts the server in the foreground, writing all of its logs to stdout. If everything works, move on to the next steps.

export INLETSPORT=8090

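# Generate a token and write it to a file, unless the file already holds one
# (appending with >> would leave two lines in the file and break $(cat .inlettoken))
[ -s .inlettoken ] || head -c 16 /dev/urandom | shasum | cut -d" " -f1 > .inlettoken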

# start the server and test it
export INLETSTOKEN=$(cat .inlettoken)
inlets server --port=$INLETSPORT --token="$INLETSTOKEN"

Test Client

This lets you test network connectivity to the server with a simple client connection.

export REMOTE="THE_SERVER_ADDRESS:8090"
export INLETSTOKEN=$(cat .inlettoken)
export UPSTREAM="http://127.0.0.1:8888" # this is the local port that will be exposed

inlets client \
 --remote="$REMOTE" \
 --upstream="$UPSTREAM" \
 --token "$INLETSTOKEN"

Server as Service (easy installation)

You can do the easy installation like this:

# Generate a token only if .inlettoken does not already hold one (never append a second line)
[ -s .inlettoken ] || head -c 16 /dev/urandom | shasum | cut -d" " -f1 > .inlettoken
export INLETSPORT=8090
# Read the token from the .inlettoken file
export INLETSTOKEN=$(cat .inlettoken)
export SERVICENAME=inletsserver
# The variables exported above are inherited by the downloaded script
curl -sSL https://nimamahmoudi.github.io/cicd-cheatsheet/inlets/inlets_service.sh | bash

Server as Service

This sets up the server as a systemd service that can be used more consistently.

# source: https://github.com/inlets/inlets/blob/master/hack/userdata.sh
# Generate a token only if .inlettoken does not already hold one (never append a second line)
[ -s .inlettoken ] || head -c 16 /dev/urandom | shasum | cut -d" " -f1 > .inlettoken

export INLETSPORT=8090
# Read the token from the .inlettoken file
export INLETSTOKEN=$(cat .inlettoken)
export SERVICENAME=inletsserver

# Install inlet
curl -sLS https://get.inlets.dev | sudo sh

# The original service link: https://raw.githubusercontent.com/inlets/inlets/master/hack/inlets.service
# The env file is created root-only (0600) before the token is written into it,
# and tee's copy of the token to the terminal is discarded
curl -sLO https://nimamahmoudi.github.io/cicd-cheatsheet/inlets/inlets.service  && \
  sed -i "s/ENVFILE/$SERVICENAME/g" inlets.service && \
  sudo mv inlets.service /etc/systemd/system/$SERVICENAME.service && \
  sudo install -m 600 /dev/null /etc/default/$SERVICENAME && \
  echo "AUTHTOKEN=$INLETSTOKEN" | sudo tee /etc/default/$SERVICENAME > /dev/null && \
  echo "INLETSPORT=$INLETSPORT" | sudo tee -a /etc/default/$SERVICENAME && \
  sudo systemctl daemon-reload && \
  sudo systemctl start $SERVICENAME && \
  sudo systemctl enable $SERVICENAME

The inlets service file can be found here. This is the source of this file. Here is a copy of the service:

[Unit]
Description=Inlets Server Service
After=network.target

[Service]
Type=simple
Restart=always
RestartSec=1
StartLimitInterval=0
EnvironmentFile=/etc/default/ENVFILE
ExecStart=/usr/local/bin/inlets server --port=${INLETSPORT} --token="${AUTHTOKEN}"

[Install]
WantedBy=multi-user.target
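
The unit above sets no User=, so the internet-facing inlets server runs as root, and it takes AUTHTOKEN from the file named in EnvironmentFile=. The following is an added example, not part of the original page or the inlets project: it writes a systemd drop-in that moves the service to an unprivileged transient user and checks that the environment file is closed to group and others. The function names and the drop-in file name are hypothetical, and the hardening directives are an assumption to validate against your own inlets build.

```shell
#!/bin/sh
# Added example: sandboxing drop-in for the unit above plus an env-file check.

# unit_root is /etc/systemd/system on a real host; it is a parameter so the
# function can be exercised in a scratch directory first.
write_hardening_dropin() {
  hd_root=$1
  hd_service=$2
  hd_dir="$hd_root/$hd_service.service.d"
  mkdir -p "$hd_dir" || return 1
  cat > "$hd_dir/10-hardening.conf" <<'EOF'
[Service]
# Port 8090 is unprivileged, so root is not needed. systemd reads the
# EnvironmentFile itself, so that file can stay root-only (0600).
DynamicUser=yes
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
EOF
}

# 0: file holds AUTHTOKEN and grants nothing to group/others
# 1: readable or writable beyond the owner, 2: missing, 3: no AUTHTOKEN line
env_file_is_private() {
  ef_file=$1
  [ -f "$ef_file" ] || return 2
  grep -q '^AUTHTOKEN=' "$ef_file" || return 3
  # Characters 5-10 of the ls mode string are the group and other bits.
  [ "$(ls -ld "$ef_file" | cut -c5-10)" = "------" ]
}
```

On the server this would be called as root with /etc/systemd/system and the service name, followed by systemctl daemon-reload and a restart of the service; env_file_is_private takes the /etc/default/ path of the service's environment file.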

Client as Service (easy installation)

You can do the easy installation like this:

# This assumes the token has already been generated and is in the .inlettoken file
export INLETSTOKEN=$(cat .inlettoken)
export REMOTE="THE_SERVER_ADDRESS:8090"
export UPSTREAM=http://127.0.0.1:8888
export SERVICENAME=inletsclient
curl -sSL https://nimamahmoudi.github.io/cicd-cheatsheet/inlets/inletsclient_service.sh | bash

Client as Service

This sets up the client as a systemd service that can be used more consistently.

# This assumes the token has already been generated and is in the .inlettoken file
export INLETSTOKEN=$(cat .inlettoken)
export REMOTE="THE_SERVER_ADDRESS:8090"
export UPSTREAM=http://127.0.0.1:8888
export SERVICENAME=inletsclient

# Install inlet
curl -sLS https://get.inlets.dev | sudo sh

# Set up the service as inletsclient
# The env file is created root-only (0600) before the token is written into it,
# and tee's copy of the token to the terminal is discarded
curl -sLO https://nimamahmoudi.github.io/cicd-cheatsheet/inlets/inletsclient.service  && \
  sed -i "s/ENVFILE/$SERVICENAME/g" inletsclient.service && \
  sudo mv inletsclient.service /etc/systemd/system/$SERVICENAME.service && \
  sudo install -m 600 /dev/null /etc/default/$SERVICENAME && \
  echo "AUTHTOKEN=$INLETSTOKEN" | sudo tee /etc/default/$SERVICENAME > /dev/null && \
  echo "UPSTREAM=$UPSTREAM" | sudo tee -a /etc/default/$SERVICENAME && \
  echo "REMOTE=$REMOTE" | sudo tee -a /etc/default/$SERVICENAME && \
  sudo systemctl daemon-reload && \
  sudo systemctl start $SERVICENAME && \
  sudo systemctl enable $SERVICENAME

The inlets service file can be found here. Here is a copy of the service:

[Unit]
Description=Inlets Server Service
After=network.target

[Service]
Type=simple
Restart=always
RestartSec=1
StartLimitInterval=0
EnvironmentFile=/etc/default/ENVFILE
ExecStart=/usr/local/bin/inlets client --remote=${REMOTE} --upstream=${UPSTREAM} --token="${AUTHTOKEN}"

[Install]
WantedBy=multi-user.target

Setting Up SSL/TLS

It is very easy to set up SSL with inlets using Caddy Server. Here are the references for setting it up:

Basically, you can set it up using the following ./Caddyfile:

YOUR_HOST_ADDRESS:4443

## In case you have a pre-configured SSL certificate, uncomment the following line and set the paths:
## Use fullchain.pem in order to avoid issues with the certificate (x509-related errors)
# tls cert.pem privkey.pem

proxy / 127.0.0.1:8090 {
  transparent
  websocket
}

proxy /tunnel 127.0.0.1:8090 {
  transparent
  websocket
}

Then, we can use this Caddyfile to run the Caddy Server.

Installing Caddy

Installing Caddy is pretty easy, just do the following:

# Install caddy server with telemetry on, and with the service hook which we use to setup service
CADDY_TELEMETRY=on curl https://getcaddy.com | bash -s personal hook.service

# increase the file descriptor limit
ulimit -n 8192

# run caddy in bash
caddy

# to set up Caddy as a service
sudo caddy -service install -conf=$(pwd)/Caddyfile
caddy -service start