TLS Setup
This guide covers remote server setup, in particular TLS for the client-server connection. For simplicity, it focuses on a Docker-based deployment.
Proxy
Trabas uses a plain TCP connection with its own data format for client-server traffic; it is not tied to a particular application protocol such as HTTP. If you put a reverse proxy in front of the server, make sure it forwards the TCP stream as-is, without protocol-specific parsing or validation. NGINX with the stream module enabled, or another tool with equivalent raw TCP proxying, will work; an HTTP-only proxy will not.
Setting up TLS
To establish the connection over TLS, there are two options:
- Behind a reverse proxy (e.g. NGINX, HAProxy, etc.): the server service does not handle TLS itself; the reverse proxy terminates it.
- Direct TLS connection (supported since v0.2.0): the server service terminates TLS itself.
Generate CA and Server Certificates
You may obtain these certificates from a trusted issuer, e.g. Let's Encrypt or DigiCert. If you prefer self-signed certificates, use one of the following methods:
A. Using trabas CLI:
Since v0.2.0, the trabas CLI can generate self-signed certificates for the server service.
You can generate the CA and server certificates using trabas CLI:
trabas server ssl-config generate-keys --host localhost --ip 127.0.0.1
This command writes the CA and server certificates to the trabas_config directory. The generated files are:
- ca.crt: the CA certificate (this is the only file clients need)
- ca.key: the CA private key (keep it off the server and off client machines; whoever holds it can issue certificates your clients will trust)
- server.crt: the server certificate, signed by the CA
- server.csr: the server certificate signing request
- server.key: the server private key
B. Manual Generation with openssl:
In this example we generate certificates for localhost. For a real deployment, change the subject and, most importantly, the subjectAltName entries to the host name or IP address the clients will connect to: TLS clients match the SAN, not the CN.
Generate CA Certificate
Create a private key:
openssl genpkey -algorithm RSA -out ca.key -pkeyopt rsa_keygen_bits:2048
Create a self-signed certificate:
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt -subj "/C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=Example CA"
Generate Server Certificate signed by the CA
Create a server private key:
openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048
Create a certificate signing request (CSR):
openssl req -new -key server.key -out server.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=localhost"
Prepare a configuration file (server.conf) for the certificate:
[ v3_req ]
basicConstraints = CA:FALSE
# digitalSignature is required for TLS 1.3 and ECDHE key exchange;
# keyEncipherment only matters for legacy RSA key exchange in TLS 1.2.
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1
Sign the server certificate with the CA certificate:
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile server.conf -extensions v3_req
Verify the generated certificates
openssl verify -CAfile ca.crt server.crt
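The manual procedure above, wrapped into two shell functions so the output can be checked the way a TLS client will check it (chain, key usage, SAN match against the configured host, and that the private key belongs to the certificate). This is an added example and not part of the Trabas project; it assumes the openssl CLI (1.1.1 or later) is on PATH, and the file names mirror what the trabas CLI produces. Unlike the commands above, every extension comes from explicit config files, so the result does not depend on whatever openssl.cnf the host ships.

```shell
#!/bin/sh
# Added example (not Trabas code): generate a private CA plus a CA-signed
# server certificate with SANs, then verify the result like a TLS client would.
# Assumes: openssl CLI >= 1.1.1 on PATH. RSA 2048 is used to match the page;
# any key type the server's TLS stack supports would do.
set -eu

# gen_certs OUTDIR HOST IP
# Writes ca.key, ca.crt, server.key, server.csr, server.crt into OUTDIR.
gen_certs() {
  dir=$1; host=$2; ip=$3
  mkdir -p "$dir"

  # CA: self-signed, marked as a CA, allowed only to sign certs and CRLs.
  cat > "$dir/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
O = Example
CN = Example CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 3650 \
    -config "$dir/ca.cnf" -out "$dir/ca.crt"

  # Server leaf: clients match the SAN entries, not the CN. digitalSignature is
  # needed for TLS 1.3 and ECDHE-RSA; keyEncipherment only for legacy RSA kex.
  cat > "$dir/server.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = $host
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, IP:$ip
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/server.key" 2>/dev/null
  openssl req -new -key "$dir/server.key" -config "$dir/server.cnf" -out "$dir/server.csr"
  # The CA decides which extensions get issued: take them from the file, not the CSR.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/server.cnf" -extensions v3_req \
    -out "$dir/server.crt" 2>/dev/null
}

# verify_certs OUTDIR HOST
# Succeeds only if server.crt chains to ca.crt, is usable as a TLS server cert
# (-purpose sslserver checks KU/EKU), has a SAN matching HOST, and belongs to
# server.key. A bare `openssl verify -CAfile` skips the last two checks.
verify_certs() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/ca.crt" -purpose sslserver \
    -verify_hostname "$host" "$dir/server.crt" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$dir/server.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)" ] || return 1
}

# Stand-alone run: TRABAS_SSL_DEMO=./trabas_config/ssl sh this_script.sh
if [ -n "${TRABAS_SSL_DEMO:-}" ]; then
  gen_certs "$TRABAS_SSL_DEMO" localhost 127.0.0.1
  verify_certs "$TRABAS_SSL_DEMO" localhost && echo "certificates OK in $TRABAS_SSL_DEMO"
fi
```

Run `verify_certs` with the exact host name (or, for an IP-only deployment, swap `-verify_hostname` for `-verify_ip`) that clients will put in their server-host setting; a certificate that verifies for `localhost` but not for the real host name is the most common reason a TLS client refuses to connect.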
Running the Server Service with Docker
You can deploy the server using Docker in two main ways:
A. Behind NGINX (Reverse Proxy)
- Use the provided Dockerfiles and `docker-compose.yml` in `docker/server/with_proxy`.
- Copy `server.crt` and `server.key` to the `ssl` directory.
- Adjust `nginx.conf` and make sure NGINX listens on your chosen port (default: `3377`).
- Start the service:
  - With Redis:
  cd docker/server/with_proxy/with_redis && docker compose up
  - Without Redis:
  cd docker/server/with_proxy/without_redis && docker compose up
- Default ports: public `8787`, client `8789`. Containers: `trabas_server`, `trabas_nginx`.
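What the stream-mode TLS termination for this option looks like, as an added example rather than the project's shipped `nginx.conf`. It assumes the defaults listed above: the `trabas_server` container with its client listener on `8789`, NGINX accepting clients on `3377`, and the certificate copied to `/etc/nginx/ssl/`; adjust those to your compose files. Only the client listener is shown; how the public listener on `8787` is exposed is a separate decision.

```nginx
# Added example, not the Trabas project's nginx.conf. Assumes the upstream
# container name, ports and certificate paths named above.
# This block must be at the top level of nginx.conf (a sibling of `http`, not
# inside it) and requires ngx_stream_module (built into the official images).
stream {
    upstream trabas_client_listener {
        server trabas_server:8789;          # plaintext client listener inside the Docker network
    }

    server {
        listen 3377 ssl;                    # port Trabas clients connect to with --tls

        ssl_certificate     /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_session_tickets off;

        # Trabas speaks its own framing over TCP, so NGINX only relays bytes:
        # no HTTP parsing or validation happens on this path.
        proxy_pass trabas_client_listener;

        proxy_connect_timeout 5s;
        proxy_timeout 1h;                   # default 10m would cut idle tunnels
    }
}
```

Because the hop from `trabas_nginx` to `trabas_server` is plaintext, keep the client listener port unpublished on the Docker host (no `ports:` mapping for `8789`) so the only way in is through the TLS endpoint.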
B. Direct Access (No Proxy)
- Use the provided Dockerfiles and `docker-compose.yml` in `docker/server/direct`.
- Copy `server.crt` and `server.key` to `[bin directory]/trabas_config/ssl` (already present if generated by the Trabas CLI).
- Start the service:
  - With Redis:
  cd docker/server/direct/with_redis && docker compose up
  - Without Redis:
  cd docker/server/direct/without_redis && docker compose up
- Default ports: public `8787`, client `8789`. Container: `trabas_server`.
If the server starts successfully, you should see logs like:
[Public Listerner] Listening on: 0.0.0.0:8787.
[Client Listerner] Listening on: 0.0.0.0:8789.
Client Setup
Setting up Client Service
Trabas supports TLS connections from the client service. Follow these steps:
- On the client host machine (local), copy the generated `ca.crt` to `[bin directory]/trabas_config/ssl/`. Alternatively, enable the `CL_TLS_TOFU_ENABLE` config to use Trust On First Use (TOFU) for the TLS connection. Note that TOFU accepts whatever certificate the server presents on the very first connection and only pins it for later ones, so an attacker on the path at that moment can substitute their own certificate; shipping `ca.crt` to the client avoids that window. Only `ca.crt` goes to clients; `ca.key` never leaves the machine that issues certificates.
- Ensure the server host and server port point at your server service (or at the NGINX proxy in front of it). The host must match a SAN entry in `server.crt`, or the client will reject the certificate.
- Run the client service as usual with the additional `--tls` option:
trabas client serve --host localhost --port 3000 --tls
Once all steps are complete, the services should function properly.
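A way to check from the client host, before touching the client config, that the endpoint you are about to point it at presents a certificate chaining to the `ca.crt` you installed, and that a certificate from an unrelated CA is rejected. This is an added example, not part of Trabas; it assumes the openssl CLI. The throwaway `s_server` stands in for the Trabas server or the NGINX proxy so the block runs offline, and port `48443` is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not Trabas code). Assumes openssl CLI >= 1.1.1 on PATH.
# tls_check is the reusable part; demo_handshake only exists so the check can
# be exercised against a local stand-in for the real TLS endpoint.
set -eu

# tls_check HOST PORT CAFILE
# 0 only when the handshake completes, the chain verifies against CAFILE and the
# certificate's SAN matches HOST. Reading success from the "CONNECTED" line
# alone proves nothing: s_client also "connects" to an impostor.
tls_check() {
  openssl s_client -connect "$1:$2" -servername "$1" -verify_hostname "$1" \
    -CAfile "$3" -verify_return_error </dev/null 2>/dev/null |
    grep -q 'Verify return code: 0 (ok)'
}

# demo_handshake WORKDIR PORT
# Starts a throwaway self-signed TLS server, then runs tls_check with the right
# trust anchor and with an unrelated one. Returns 0 when the first passes and the
# second is rejected, i.e. when tls_check behaves like a verifying client.
demo_handshake() {
  dir=$1; port=$2
  mkdir -p "$dir"
  # Two unrelated self-signed certs: the one the server uses, and an impostor CA.
  for name in server impostor; do
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=localhost" \
      -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
      -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
  done

  openssl s_server -accept "$port" -cert "$dir/server.crt" -key "$dir/server.key" \
    -www </dev/null >/dev/null 2>&1 &
  srv=$!
  # Wait for the listener to come up; give up after ~10 s.
  tries=0
  until openssl s_client -connect "localhost:$port" </dev/null >/dev/null 2>&1; do
    tries=$((tries + 1))
    if [ "$tries" -ge 50 ]; then kill "$srv" 2>/dev/null || true; return 1; fi
    sleep 0.2
  done

  pinned=fail; wrong_ca=fail
  tls_check localhost "$port" "$dir/server.crt"   && pinned=ok
  tls_check localhost "$port" "$dir/impostor.crt" || wrong_ca=rejected
  kill "$srv" 2>/dev/null || true
  wait "$srv" 2>/dev/null || true

  echo "pinned ca.crt: $pinned, unrelated ca: $wrong_ca"
  [ "$pinned" = ok ] && [ "$wrong_ca" = rejected ]
}
```

Against a real deployment, call `tls_check` with the server host, the client port (`3377` behind NGINX, `8789` for direct TLS) and the path to the copied `ca.crt`; if it fails while a check without `-CAfile` "connects" fine, the problem is the trust anchor or the SAN, not the network.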