<p align="center">
<img src="./docs/diagrams/logo.png" width="30%">
</p>

<div align="center">

[![Go](https://github.com/moresec-io/conduit/actions/workflows/go.yml/badge.svg)](https://github.com/moresec-io/conduit/actions/workflows/go.yml)
[![Go Report Card](https://goreportcard.com/badge/github.com/moresec-io/conduit)](https://goreportcard.com/report/github.com/moresec-io/conduit)
[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)

</div>

Conduit is a transparent proxy and mesh proxy that intercepts and encrypts your traffic with no software development or refactoring cost; it can be deployed and in use within minutes, safeguarding communication between your clusters. If you are facing any of these: inter-cluster communication that was never designed with encryption in mind, data leaking on the network and being detected, MySQL/PostgreSQL running without TLS configured, or man-in-the-middle attacks, Conduit is the choice for you!

## Features

- **No coding or refactoring** No code modification cost at all; deployment and delivery in minutes
- **Simple deployment** Easy-to-understand configuration, started with a single command, point-to-point proxying and encryption
- **Cluster security** Supports TLS and mTLS for stronger protection against man-in-the-middle attacks
- **No performance loss** Uses the transparent proxy provided by Netfilter, with almost no performance overhead
- **Proxying for every scenario** Supports a simple N:1 client/server proxy as well as an N:M transparent proxy mesh
- **Centralized management** Supports a global control plane; new nodes can join at any time


## Usage

* Client/Server mode
* Mesh mode

| ![](./docs/diagrams/client-server.jpg)| ![](./docs/diagrams/conduit.jpg) |
|-----------------------|-----------------------|
| Client-Server mode     | Mesh mode             |


### 1. Client-Server mode

Every connection from `Host A` to port `:80` goes through `Host B (172.168.0.11:5053)` and reaches `127.0.0.1:80`:

![](./docs/diagrams/client-server.jpg)


Host A configured as the client:

**conduit.yaml**

```yaml
client:
  enable: true
  network: tcp
  listen: 127.0.0.1:5052 # Host A listens here
  check_time: 60
  forward_table:
    - dst: :80 # both ip:port and :port are supported
      dst_as: 127.0.0.1:80
      peer_index: 1
  peers:
    - index: 1
      network: tcp
      addresses:
        - 172.168.0.11:5053 # Host B address

log:
  maxsize: 10
  level: debug
  file: /opt/conduit/log/conduit.log
```

Host B configured as the server:

**conduit.yaml**

```yaml
server:
  enable: true
  listen:
    network: tcp
    addr: 172.168.0.11:5053 # Host B listens here

log:
  maxsize: 10
  level: debug
  file: /opt/conduit/log/conduit.log
```

Run one Conduit on `Host A` and one on `Host B`:

```
/opt/conduit/bin/conduit -c /opt/conduit/conf/conduit.yaml
```

### 2. Mesh mode

Configure the cluster as a transparent proxy mesh in which all traffic between A, B, C and D goes through mTLS tunnels.

![](./docs/diagrams/conduit.jpg)


Manager configuration:

**manager.yaml**

```yaml
conduit_manager:
  listen:
   network: "tcp"
   addr: "0.0.0.0:5051"

db:
  driver: sqlite
  address: /opt/conduit/data/
  db: manager.db
  debug: false

cert: # cert strategy for conduits
  ca:
    not_after: 1,0,0 # 1 year 0 month 0 day
    common_name: "conduit.com"
  cert:
    not_after: 1,0,0
    common_name: "conduit.com"
    organization: "moresec.com"

log:
  maxsize: 10
  level: info
  file: /opt/conduit/log/manager.log
```

Configuration acting as both client and server:

**conduit.yaml**

```yaml
manager:
  enable: true
  dial:
    network: tcp
    addresses:
      - 172.168.0.17:5051

server:
  enable: true
  listen:
    network: tcp
    addr: 172.168.0.11:5053

client:
  enable: true
  network: tcp
  listen: 127.0.0.1:5052
  check_time: 60

log:
  maxsize: 10
  level: debug
  file: /opt/conduit/log/conduit.log
```

Deploy the Manager on any reachable node:

```bash
/opt/conduit/bin/manager -c /opt/conduit/conf/manager.yaml
```

Deploy Conduit on Hosts A, B, C and D:

```bash
/opt/conduit/bin/conduit -c /opt/conduit/conf/conduit.yaml
```


## Building

```
make conduit
```

produces release/bin/conduit

```
make manager
```

produces release/bin/manager


## Q&A

**1. Will Conduit affect my iptables tables?**

Conduit creates its own CONDUIT chain, and only traffic matching an ipset enters the transparent proxy. On a normal exit, all rules are removed.

```
-A PREROUTING -i br+ -j CONDUIT
-A OUTPUT -p tcp -m mark --mark 0x5a4 -j ACCEPT
-A OUTPUT ! -o br+ -j CONDUIT
-A CONDUIT -p tcp -m set --match-set CONDUIT_IPPORT dst,dst -j MARK --set-xmark 0x5a6/0xffffffff
-A CONDUIT -p tcp -m set --match-set CONDUIT_PORT dst -j MARK --set-xmark 0x5a7/0xffffffff
-A CONDUIT -p tcp -m set --match-set CONDUIT_IP dst -j MARK --set-xmark 0x5a5/0xffffffff
-A CONDUIT -p tcp -m set --match-set CONDUIT_IPPORT dst,dst -j DNAT --to-destination 127.0.0.1:5052
-A CONDUIT -p tcp -m set --match-set CONDUIT_PORT dst -j DNAT --to-destination 127.0.0.1:5052
-A CONDUIT -p tcp -m set --match-set CONDUIT_IP dst -j DNAT --to-destination 127.0.0.1:5052
```

**2. How is the performance?**

With iperf the link bandwidth can be saturated:

```
-----------------------------------------------------------
Server listening on 80
-----------------------------------------------------------
Accepted connection from 127.0.0.1, port 47363
[  5] local 127.0.0.1 port 80 connected to 127.0.0.1 port 47364
[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-1.00   sec   311 MBytes  2.61 Gbits/sec
[  5]   1.00-2.00   sec   322 MBytes  2.70 Gbits/sec
[  5]   2.00-3.00   sec   312 MBytes  2.61 Gbits/sec
[  5]   3.00-4.00   sec   318 MBytes  2.67 Gbits/sec
[  5]   4.00-5.00   sec   304 MBytes  2.55 Gbits/sec
[  5]   5.00-6.00   sec   326 MBytes  2.74 Gbits/sec
[  5]   6.00-7.00   sec   330 MBytes  2.77 Gbits/sec
[  5]   7.00-8.00   sec   326 MBytes  2.74 Gbits/sec
[  5]   8.00-9.00   sec   320 MBytes  2.68 Gbits/sec
[  5]   9.00-10.00  sec   318 MBytes  2.67 Gbits/sec
...
```

**3. What scenarios is it suited for?**

* When delivering ToB products, MySQL/Redis ports often have to be exposed but, for historical reasons, TLS was never configured; Conduit can take over the security of those connections
* When there is no micro-segmentation but the traffic of a few hosts needs to be isolated, Conduit can be used to build a mesh network
* When you do not want to open too many ports to the outside, Conduit can be used as a proxy

**4. Why is traffic marked?**

To prevent traffic sent by Conduit itself from being intercepted by iptables again, a mark is used so that it is skipped.

**5. Do I need to enable fw_mark?**

fw_mark lets the socket look up the iptables mark on receive, so the matching ipset can be determined quickly. It works without it, at the cost of one extra check.

**6. Can I still configure forward_table when Mesh is configured?**

Yes. Mesh traffic goes through the CONDUIT_IP ipset, while forward_table entries go into the CONDUIT_IP or CONDUIT_IPPORT ipset and take higher priority.

## Contributing

If you find any bug, please open an issue; the project maintainers will respond promptly.

If you would like to submit a feature to solve project problems faster, PRs are welcome provided they meet these simple conditions:

* Keep the code style consistent
* One feature per commit
* Submitted code comes with unit tests


## License

Released under the [Apache License 2.0](https://github.com/moresec-io/conduit/blob/main/LICENSE)