Tcp proxy with "net" plugin?


(J Dabbler) #1


I’m trying to get a subdomain to forward traffic to localhost:5901 (vncserver), in the hope that I can use a Caddy TLS subdomain in VNC Viewer for a TightVNC server session, thus sending my password over a secure connection.

I tried $ caddy -type=net -conf /etc/caddyfile with this Caddyfile:

proxy :12017 :5901 {
    host vnc.example.com
    tls on
}

I get the error message “The connection was refused by the computer” in VNC Viewer whenever I use vnc.example.com.

Below is what Caddy displayed when I attempted to connect via vnc.example.com:2017:

Done proxying: 1.2.3.241:12017 127.0.0.1:42862
Done proxying: 1.2.3.241:12017 127.0.0.1:43430
Done proxying: 1.2.3.241:12017 127.0.0.1:44492

I want to be able to connect using only a subdomain.
The DNS entry has * for dynamic hosts, and there is a vnc subdomain pointed to the IP address.



(Matthew Fay) #2

What ports are VNC listening to on the host?

What ports are open at the edge of the network?

Does it work without tls on?


(J Dabbler) #3

VNC is listening on port 5901.

It’s running on a VPS; the port is open, and I just confirmed that with https://www.yougetsignal.com/tools/open-ports/

Caddy runs the conf file with tls on, but VNC Viewer doesn’t connect via the subdomain.


(Matthew Fay) #4

If you run Caddy without tls on, can vncviewer connect?


(J Dabbler) #5

I’ve run Caddy with “tls off” and without a tls entry, and VNC Viewer still says “the connection was refused by computer” when I try to connect via the subdomain.


(Matthew Fay) #6

From what I’m reading, VNC needs port x+n, where x is usually the default 5900 and n is the display number (for virtual displays, etc.).

Could it be that VNC expects more or different ports to be available? If the ports are open, and Caddy is logging the proxy, I’d have to assume that the connections are being refused at the target port, i.e. 5901.


(J Dabbler) #7

I can connect with ip:5901 and domain:5901 just fine.

Done proxying: 1.2.3.241:12017 127.0.0.1:42862
Done proxying: 1.2.3.241:12017 127.0.0.1:43430
Done proxying: 1.2.3.241:12017 127.0.0.1:44492

The 127.0.0.1 ports Caddy is forwarding to don’t make sense to me when it should be forwarding to 5901.


(Matthew Fay) #8

So VNC doesn’t negotiate over the initial port and then connect to a higher port, counting up to the virtual display number?

It would explain this behaviour because connecting over 5901 and then adding port numbers for the virtual display, e.g. 5902, would work, but wouldn’t for 12017 (because Caddy isn’t listening or proxying from 12018).

Yep, they look pretty weird - to me they look more like source ports (from the connecting client) - they tend to be pretty high and a bit random.

The print line in the source code is here; I’ll look into exactly what it’s echoing…

To clarify, it prints that line when a close signal is sent through the proxy, so either the client or the server (looks like the server) is closing the connection.


(J Dabbler) #9

Is there any way I can resolve this?


(Matthew Fay) #10

I mean, I haven’t ruled it out yet. It should be a straightforward TCP proxy, so as long as everything is configured for VNC’s requirements, it should work just fine. I’m just not familiar enough with VNC to say for sure what it needs re: port behaviour, which prompted the question from my previous comment in this thread.


(J Dabbler) #11

I followed this guide to set it up, https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-on-ubuntu-16-04


(Joel) #12

Not sure if this is useful at all, but I was able to make Caddy do exactly what you are trying without any trouble. I used this Caddyfile (so obviously no TLS involved):

proxy :12017 :5901 {
    host proxy.example.com
    tls off
}

When I started a VNC server on that port I was able to access it fine (the connection refused errors were when I tried connecting without starting the VNC server):

$ ./caddy -type=net -conf Caddyfile
Activating privacy features... done.
[INFO] Proxying from  :12017  ->  :5901
WARNING: File descriptor limit 1024 is too low for production servers. At least 8192 is recommended. Fix with "ulimit -n 8192".
[ERROR] Cannot connect to remote connection: %s Err:dial tcp :5901: connect: connection refused
[ERROR] Cannot connect to remote connection: %s Err:dial tcp :5901: connect: connection refused
Done proxying: [::1]:12017 127.0.0.1:40826

In this case the second port number seems to be the port Caddy is outputting the traffic on, so it does make sense: you connect to Caddy on port 12017, and it then creates a connection from 127.0.0.1:42862 -> 127.0.0.1:5901 to connect to the VNC server.
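The two readings of the "Done proxying" line above (Matthew's guess in #8 and Joel's explanation in #12) can be settled on loopback. Below is an added example in Go, the language Caddy and the net plugin are written in; it is not Caddy's code and not from the thread. It builds a minimal TCP proxy in the shape of the `proxy` directive, a stand-in VNC server that does only what a real one does first (send the 12-byte RFB ProtocolVersion string "RFB 003.008\n"), and a client that reads that banner through the proxy. The log line it prints carries the listener address and the local address of the proxy's outbound connection, i.e. the ephemeral source port Go picked for the dial, which is what the 127.0.0.1:4xxxx in the thread is. Running it with the fake server closed reproduces the "connection refused" dial error from Joel's log. `startFakeVNC`, `startProxy`, `readBanner` and `runDemo` are names invented for this example; the proxy listens on a random loopback port rather than :12017.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"time"
)

// rfbBanner is the ProtocolVersion message an RFB (VNC) server sends first on
// every connection, before the client sends anything. Reading it through the
// proxy proves the bytes really reach a VNC server.
const rfbBanner = "RFB 003.008\n"

// startFakeVNC stands in for vncserver (constructed for this example): it
// listens on an ephemeral loopback port, answers each connection with the
// banner and closes it.
func startFakeVNC() (net.Listener, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { defer c.Close(); io.WriteString(c, rfbBanner) }()
		}
	}()
	return ln, nil
}

// startProxy is a minimal TCP proxy: accept on listen, dial upstream, copy
// bytes both ways, and emit one line per session on logs. The line mirrors
// "Done proxying: <listen addr> <local addr of upstream conn>"; the second
// address is the source port of the proxy's own outbound connection, not a
// destination the proxy forwards to.
func startProxy(listen, upstream string, logs chan<- string) (net.Listener, error) {
	ln, err := net.Listen("tcp", listen)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			client, err := ln.Accept()
			if err != nil {
				return
			}
			go func() {
				defer client.Close()
				srv, err := net.Dial("tcp", upstream)
				if err != nil {
					logs <- fmt.Sprintf("[ERROR] Cannot connect to remote connection: Err:%v", err)
					return
				}
				defer srv.Close()
				done := make(chan struct{}, 2)
				go func() { io.Copy(srv, client); done <- struct{}{} }()
				go func() { io.Copy(client, srv); done <- struct{}{} }()
				<-done // one side closed; the deferred Close()s end the other copy
				logs <- fmt.Sprintf("Done proxying: %s %s", ln.Addr(), srv.LocalAddr())
			}()
		}
	}()
	return ln, nil
}

// readBanner connects to addr and returns the first 12 bytes, which a VNC
// server (directly or through a working proxy) fills with "RFB 003.xxx\n".
func readBanner(addr string) (string, error) {
	c, err := net.DialTimeout("tcp", addr, 2*time.Second)
	if err != nil {
		return "", err
	}
	defer c.Close()
	c.SetReadDeadline(time.Now().Add(2 * time.Second))
	buf := make([]byte, len(rfbBanner))
	if _, err := io.ReadFull(c, buf); err != nil {
		return "", err
	}
	return string(buf), nil
}

// runDemo wires fake VNC, proxy and client together on loopback. With vncUp
// false the fake server is closed before the proxy dials it, so the proxy logs
// the same "connection refused" dial error as in the thread and the client
// sees its connection closed without a banner.
func runDemo(vncUp bool) (banner, logLine string, clientErr error) {
	vnc, err := startFakeVNC()
	if err != nil {
		return "", "", err
	}
	defer vnc.Close()
	if !vncUp {
		vnc.Close() // nothing listens on that port any more
	}
	logs := make(chan string, 1)
	proxy, err := startProxy("127.0.0.1:0", vnc.Addr().String(), logs)
	if err != nil {
		return "", "", err
	}
	defer proxy.Close()
	banner, clientErr = readBanner(proxy.Addr().String())
	select {
	case logLine = <-logs:
	case <-time.After(3 * time.Second):
		logLine = "(no log line within 3s)"
	}
	return banner, logLine, clientErr
}

func main() {
	for _, up := range []bool{true, false} {
		b, l, err := runDemo(up)
		fmt.Printf("vnc up=%v banner=%q clientErr=%v\n  %s\n", up, b, err, l)
	}
}
```

`readBanner` is also the check to run by hand against the real setup: pointed at ip:5901 it returns the banner (the case that works in #7); pointed at the proxied port it either returns the banner, fails to connect ("connection refused" means nothing is listening on the address and port the viewer dialled), or connects and then sees the proxy close the session, which is what the viewer sees when the proxy's own dial to :5901 is refused. One caveat on the original goal of a TLS-protected VNC password: with TLS enabled the proxy's listener expects a TLS handshake first, and a viewer that speaks plain RFB cannot complete one, so the viewer side needs either a TLS-capable VNC client or a local TLS client tunnel (stunnel, for example) that presents plain RFB to the viewer and speaks TLS to Caddy.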