Original link: https://www.boyhu.cn/notes/pagoda-panel-and-nps-start-the-journey-of-intranet-penetration-tutorial.html
Background
Since my Synology NAS was upgraded to DSM 6.1, I have been keen on tinkering with Docker containers. Because the box is x86, I can run images without worrying about the architecture, and I could not wait to try every practical or interesting Docker image, one after another. At present, web projects such as flare, linkding, memos and playmusic are running in Docker. Because the hard disks were also replaced and the storage pools re-allocated after the DSM 6.1 upgrade, with RAID1 enabled for each pair, there will be no disk tinkering for a while.
Some of the web projects above need to be reachable from outside my home network, which means intranet penetration (NAT traversal) is required. That is how the Pagoda panel and NPS came to coexist on one server, and the intranet penetration journey begins.
1. Prerequisites
A server with a public IP, with the Pagoda panel and its Nginx service installed, so that websites can be bound normally.
How to install the Pagoda panel and the web server is not covered here; see the official tutorial:
Pagoda Linux Panel Installation Tutorial – July 14, 2022 Update – 7.9.3 Official Version
2. Obtain the SSH root account and password
How you obtain it differs from one cloud provider to another; if you use Tencent Cloud like me, refer to the official documentation:
Cloud Server Management Login Password-Operation Guide-Document Center-Tencent Cloud
Cloud Server Reset Instance Password-Operation Guide-Document Center-Tencent Cloud
3. Install wget from the terminal tool
1. Add the host in the terminal tool and open the terminal page (screenshot in the original post).
If you are not logged in as root, log in as a normal user and run sudo -i to get a temporary root shell.
2. wget (a command-line downloader, not a service) is needed to fetch the nps release archive. Check whether it is already installed with:
rpm -qa | grep wget    # check whether wget is already installed
If a line such as wget-1.14-18.el7_6.1.x86_64 is printed, wget is already installed and nothing needs to be done (screenshot in the original post).
3. If wget is not installed, install it with:
yum -y install wget
yum -y install setup
yum -y install perl
4. Install the NPS server
1. Download the NPS server release archive (a prebuilt binary, not a source tree or container image) with wget, still in the Pagoda terminal. The original post uses v0.26.10; check the releases page for the current version.
wget https://github.com/ehang-io/nps/releases/download/v0.26.10/linux_amd64_server.tar.gz
2. Extract the archive on the server
tar -xzvf linux_amd64_server.tar.gz
There is no screenshot for this step; just copy and paste the commands. (It was already installed when I wrote this.)
3. Install nps as a system service
sudo ./nps install
4. Start the nps service
nps start
5. Modify the configuration file and enable the nps service
1. By default nps uses TCP ports 80, 443, 8080 and 8024. Ports 80, 443 and 8080 are already in use on the Pagoda host, so the nps web management page cannot be opened at this point. The nps configuration has to be changed and the nps service restarted.
2. Locate nps.conf. After nps install it lives under the server's /etc directory (not inside the Pagoda directory tree): /etc/nps/conf/nps.conf.
3. Open nps.conf in a text editor and edit it. The changes to make are explained in the comments below (the author's notes are rendered as # comments so the file stays valid).
appname = nps
#Boot mode(dev|pro)
runmode = dev
#HTTP(S) proxy port, no startup if empty
http_proxy_ip=0.0.0.0
# Port 80: leave this commented out; nps installed alongside the Pagoda panel does not use it
#http_proxy_port=80
# Port 443: leave this commented out; nps installed alongside the Pagoda panel does not use it
#https_proxy_port=443
https_just_proxy=true
#default https certificate setting
https_default_cert_file=conf/server.pem
https_default_key_file=conf/server.key
##bridge
bridge_type=tcp
# Default port for talking to npc clients; change it to another port such as 8424
bridge_port=8024
bridge_ip=0.0.0.0
# Public password, which clients can use to connect to the server
# After the connection, the server will be able to open relevant ports and parse related domain names according to its own configuration file.
public_vkey=123
#Traffic data persistence interval(minute)
#Ignorance means no persistence
#flow_store_interval=1
# log level LevelEmergency->0 LevelAlert->1 LevelCritical->2 LevelError->3 LevelWarning->4 LevelNotice->5 LevelInformational->6 LevelDebug->7
log_level=7
#log_path=nps.log
#Whether to restrict IP access, true or false or ignore
#ip_limit=true
#p2p
#p2p_ip=127.0.0.1
# Port used by the p2p proxy; if you intend to use the p2p proxy, change this port as well
#p2p_port=6000
#web
web_host=aocom
# Default nps login account; change it to one you will remember, e.g. admin123
web_username=admin
# Default nps login password; change it to one you will remember, e.g. admin123
web_password=123
# Default nps web management port; change it to another port such as 9090 (the rest of this tutorial uses 9090)
web_port = 8080
web_ip=0.0.0.0
web_base_url=
web_open_ssl=false
web_cert_file=conf/server.pem
web_key_file=conf/server.key
# if web under proxy use sub path. like http://host/nps need this.
#web_base_url=/nps
#Web API unauthenticated IP address(the len of auth_crypt_key must be 16)
#Remove comments if needed
#auth_key=test
auth_crypt_key =1234567812345678
#allow_ports=9001-9009,10001,11000-12000
#Web management multi-user login
allow_user_login=false
allow_user_register=false
allow_user_change_username=false
#extension
allow_flow_limit=false
allow_rate_limit=false
allow_tunnel_num_limit=false
allow_local_proxy=false
allow_connection_num_limit=false
allow_multi_ip=false
system_info_display=false
#cache
http_cache=false
http_cache_length=100
#get origin ip
http_add_origin_header=false
#pprof debug options
#pprof_ip=0.0.0.0
#pprof_port=9999
#client disconnect timeout
disconnect_timeout=60
Other TCP ports do not need to be modified. Save the file and continue, and keep note of the ports you changed; they are needed later. One caveat: web_ip and bridge_ip are both 0.0.0.0, so the management page and the client bridge are reachable from the whole internet as soon as the ports are opened. Do not keep the shipped values: give web_password and public_vkey long random values (as the comment in the file says, anyone who knows public_vkey can connect a client and open ports on your server), and replace the default auth_crypt_key, which the web API uses, with a 16-character value of your own.
4. Back in the Pagoda terminal, restart nps so that the configuration from the previous step takes effect:
sudo nps restart
5. Now open the TCP ports you changed above (the bridge port and the web port; later also each tunnel port) so that the nps service can be reached. This is done in two places: the security page of the Pagoda panel, and the server's firewall / cloud security group. Many people go wrong by skipping this step. Open only those ports, not a blanket range (screenshot in the original post).
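The configuration step above is easy to get wrong by hand (a key misspelled in nps.conf silently keeps its default). The following script is an added example, not code from the original post or from the nps project: it rewrites the weak defaults in one pass, keeps a backup, and prints the ports that then have to be opened. It assumes the stock nps.conf layout shown above, GNU sed (CentOS, as in the post), and that 8424 and 9090 are the bridge and web ports you want; the --apply flag, the NPS_CONF variable and the function names are this example's own.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): harden /etc/nps/conf/nps.conf.
# Assumes the stock nps.conf layout and GNU sed. Run, then `sudo nps restart`.
set -eu

NPS_CONF="${NPS_CONF:-/etc/nps/conf/nps.conf}"

# Replace "key = value" (any spacing) with "key=value".
# Fails if the key is absent, so a typo cannot leave a default in place unnoticed.
set_key() {
    file="$1"; key="$2"; value="$3"
    grep -Eq "^${key}[[:space:]]*=" "$file" || { echo "missing key: $key" >&2; return 1; }
    sed -i -E "s|^${key}[[:space:]]*=.*|${key}=${value}|" "$file"
}

# Comment out a key if it is still active (http(s)_proxy_port would clash with Pagoda's nginx on 80/443).
disable_key() {
    file="$1"; key="$2"
    sed -i -E "s|^(${key}[[:space:]]*=)|#\1|" "$file"
}

# Random hex string of exactly the requested length (auth_crypt_key must be 16 characters).
random_secret() {
    len="$1"
    head -c "$len" /dev/urandom | od -An -v -tx1 | tr -d ' \n' | cut -c1-"$len"
}

# Apply every change the tutorial asks for, plus fresh secrets in place of 123 / 1234567812345678.
harden_nps_conf() {
    file="$1"; bridge_port="${2:-8424}"; web_port="${3:-9090}"; web_user="${4:-admin}"
    cp "$file" "$file.bak.$(date +%s)"
    disable_key "$file" http_proxy_port
    disable_key "$file" https_proxy_port
    set_key "$file" bridge_port "$bridge_port"
    set_key "$file" web_port "$web_port"
    set_key "$file" web_username "$web_user"
    set_key "$file" web_password "$(random_secret 32)"
    set_key "$file" public_vkey "$(random_secret 32)"
    set_key "$file" auth_crypt_key "$(random_secret 16)"
}

# The TCP ports to open in the Pagoda firewall page and the cloud security group.
# 80 and 443 stay with nginx and are not listed.
ports_to_open() {
    file="$1"
    for key in bridge_port web_port; do
        sed -nE "s/^${key}[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p" "$file"
    done
}

# Usage: NPS_CONF=/etc/nps/conf/nps.conf sh harden-nps.sh --apply 8424 9090 admin
if [ "${1:-}" = "--apply" ]; then
    harden_nps_conf "$NPS_CONF" "${2:-8424}" "${3:-9090}" "${4:-admin}"
    echo "open these TCP ports in the Pagoda firewall and the security group:"
    ports_to_open "$NPS_CONF"
fi
```

The generated web_password and public_vkey are only written to the file; read them back from nps.conf (grep '^web_password\|^public_vkey' /etc/nps/conf/nps.conf) and store them in a password manager, because the web login and every npc client need them.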
6. Using the Synology npc client
1. Congratulations! The nps server is now running. Open http://<server public IP>:9090 in a browser to reach the nps web login page, and log in with the username and password you set in the configuration file. Note that with web_open_ssl=false the panel is served over plain HTTP, so those credentials cross the internet unencrypted; either enable web_open_ssl with a certificate (web_cert_file / web_key_file) or restrict the web port in the security group to your own IP.
2. Installing the Synology npc client
For the npc client I recommend the SPK package from I am not a mine god, which is simple and needs no extra tinkering; recommended for beginners.
Mining God Synology SPK Kit Center is online! Support DSM6, DSM7 – I am not a mine god
Synology NPC intranet penetration client, NPS server kit supports DSM6, 7 – I am not a mine god
3. Add a new client in the nps server management page (one entry per client you intend to connect) (screenshot in the original post).
4. Open the npc client, fill in the nps server address, the bridge port you chose and the client's key correctly, and save; it connects automatically (screenshot in the original post).
7. Add a TCP tunnel and start the intranet penetration journey
1. Reaching this step shows real patience, thank you for reading this far! Next, add your TCP tunnel in the nps server management page so that it takes effect (screenshot in the original post).
Note: as before, the tunnel's server-side port must be opened in the firewall / security group before it works. If you do not need domain-name access, you can already reach your Synology at server-IP:tunnel-port, for example http://<server public IP>:5000, from a browser or the Synology app. Keep in mind that a tunnel to DSM's port 5000 carries plain HTTP, so the DSM login crosses the internet unencrypted; tunnel DSM's HTTPS port 5001 instead, or use the domain plus certificate from section 8.
8. Access Synology services through a domain name
1. Add a static website in the Pagoda panel and configure an SSL certificate for it; the panel's one-click HTTPS certificate function is recommended (screenshot in the original post).
2. Set up the website's reverse proxy in the Pagoda panel, pointing at the tunnel port on the server itself, and add a DNS record for the domain at your DNS provider (screenshot in the original post). The proxy target is:
127.0.0.1:5000    # the port is the TCP tunnel port on the server, not the NAS's LAN port
3. You can now reach your Synology through the subdomain or main domain you resolved; the demo is https://nas.boyhu.cn. To expose other services, repeat step 7 above for each one. Once the domain route works, close the tunnel port (5000 here) in the cloud security group again: Nginx reaches it over loopback, which the security group does not filter, so only the TLS domain stays reachable from outside. Do not put services you are unwilling to expose to the internet behind a public domain; it is an easy way to get owned, don't ask why!
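The Pagoda reverse-proxy page hides what it writes into Nginx. As an added example, not from the original post or the Pagoda panel, the script below prints the equivalent server block for the domain step above: TLS on 443, an HTTP-to-HTTPS redirect, proxy_pass to the nps tunnel port on loopback, and an IP allow-list so the domain route is not open to everyone. It goes beyond the post by adding the allow-list. Assumptions of this example: certificate paths and allowed networks are passed in by the caller (the 203.0.113.0/24 and 198.51.100.7 addresses are constructed documentation ranges), and the --print flag and function names are the example's own.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): emit the nginx site that fronts the nps TCP tunnel.
# Assumes nginx from the Pagoda panel and DSM reachable on the server's loopback tunnel port.
set -eu

# Emit one "allow <cidr>;" line per entry of a comma-separated list.
allow_rules() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r cidr; do
        if [ -n "$cidr" ]; then
            printf '    allow %s;\n' "$cidr"
        fi
    done
}

# Print a complete nginx server block:
#   $1 domain, $2 tunnel port on the server, $3 cert path, $4 key path, $5 allowed CIDRs (comma-separated)
nginx_site() {
    domain="$1"; tunnel_port="$2"; cert="$3"; key="$4"; allowed="$5"
    cat <<EOF
server {
    listen 80;
    server_name ${domain};
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    server_name ${domain};
    ssl_certificate     ${cert};
    ssl_certificate_key ${key};
    # Only these client networks may reach the NAS through the domain; everyone else gets 403.
$(allow_rules "$allowed")
    deny all;
    location / {
        # Target is the nps TCP tunnel port on the server itself, not the NAS's LAN address.
        proxy_pass http://127.0.0.1:${tunnel_port};
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Usage: sh nginx-site.sh --print nas.example.com 5000 /path/fullchain.pem /path/privkey.pem "203.0.113.0/24,198.51.100.7/32"
if [ "${1:-}" = "--print" ]; then
    nginx_site "$2" "$3" "$4" "$5" "$6"
fi
```

Paste the output into the site's Nginx configuration in the Pagoda panel (or a file under its vhost directory), then run nginx -t before reloading. If your home connection has no fixed IP, drop the allow/deny pair and rely on the DSM login plus the closed tunnel port instead.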
This is a re-done tutorial and record, since I had recorded the setup once before.
With a tutorial this detailed, surely you won't have to redo it three times in a row? The client also supports many platforms and architectures; see the official nps documentation for details.
This article is reprinted from: https://www.boyhu.cn/notes/pagoda-panel-and-nps-start-the-journey-of-intranet-penetration-tutorial.html
This site is for inclusion only, and the copyright belongs to the original author.