I need a reverse proxy solution for SSH
You should open an ssh tunnel from your computer to the server in the data center. Let's name this "server1". If you are using openssh, you can just run
ssh -L0.0.0.0:8080:localhost:8080 you_username@server1
This will open a connection from your computer at port 8080 to the server, port 8080, skipping the firewall in between. Assuming your apache is listening on port 8080. The port forward format is listening IP:local port:remote address:remote port. Of course, for a single server you can also use
ssh -L0.0.0.0:8080:remote_server_address:8080 you_username@server1
Please note that localhost in the -L parameter is relative to server1. In other words, the server sees connections coming from localhost, when in fact they are coming from your computer over the ssh connection.
You also need parameter
AllowTcpForwarding yes
in server's ssh configuration (typically /etc/ssh/sshd_config).
After this, others can connect to your computer on port 8080 to get a connection via the Apache Reverse Proxy. If you need a general proxy (so users can choose the address, not just the specific addresses in the Apache configuration) you should install squid on server1 and use an ssh tunnel to the squid port.
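An added example, not part of the original answer: a global "AllowTcpForwarding yes" lets every account on server1 forward to any host and port that server1 can reach, so a narrower sshd_config limits forwarding to the tunnel account and to the destinations used in the commands above. Scoping the rule to the you_username account and to those two destinations is an assumption made for illustration.

```conf
# /etc/ssh/sshd_config on server1
# Added example: not from the original answer.

# Setting from the answer, shown for comparison. With it, any account
# that can log in may forward to any address and port reachable
# from server1.
#AllowTcpForwarding yes

# Narrower alternative: forwarding features are off by default ...
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no

# ... and switched back on only for the account that opens the tunnel
# (assumed here to be you_username, the name used in the answer).
Match User you_username
    # "local" permits -L style forwards only; remote (-R) forwards
    # stay disabled for this account.
    AllowTcpForwarding local
    # Destinations are limited to the two host:port pairs that appear
    # in the answer's commands. A request for any other target is
    # refused by sshd.
    PermitOpen localhost:8080 remote_server_address:8080
```

Running "sshd -t" checks the file for syntax errors before the daemon is reloaded.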
Bond
Updated on September 17, 2022
Comments
-
Bond almost 2 years
Hi, here is the situation: I have a server in a corporate data center for a project. I have SSH access to this machine at port 22. There are some virtual machines running on this server and then at the back of everything many other operating systems are working. Now, since I am behind the data center's firewall, my supervisor asked me if I can do something by which I can give many people on the Internet access to these virtual machines directly. I know that if I were allowed to get traffic on a port other than 22 then I could do port forwarding. But since I am not allowed this, what can be a solution in this case? The people who would like to connect might be complete idiots, who may be happy just by opening putty on their machines or maybe even filezilla. I have configured an Apache Reverse Proxy for redirecting the Internet traffic to the virtual machines on these hosts. But I am not clear what I can do for SSH. So is there something equivalent to an Apache Reverse Proxy which can do similar work for SSH in this situation?
I do not have the firewall in my hands or any port other than 22 open, and in fact even if I request it they won't allow one to be opened. 2 times SSH is not something that my supervisor wants.
-
Kaii almost 12 years
related question with another great solution: serverfault.com/questions/361794/…
-
farmer1992 about 7 years
SSH Reverse Proxy github.com/tg123/sshpiper
-
Király István about 7 years
sshpiperd works great!
-
Bond over 13 years
You mean to say when I do
ssh -L0.0.0.0:8080:localhost:8080 you_username@server1
then if the connection will still be going through port 22 of the firewall (because if that does not happen then I can't do anything) and the ssh tunnel would be established between the local machine and the remote machine at the specified ports but the entire traffic would be coming and going on (port 22) at the firewall.
-
Olli over 13 years
When you run an ssh tunnel, that traffic (from port 8080 to port 8080) goes inside the ssh connection, using port 22. The firewall does see traffic to port 22, not 8080.
-
Bond over 13 years
When you give this command
ssh -L0.0.0.0:8080:remote_server_address:8080 you_username@server1
I want to know what can be put as remote_server_address is that the IP of the internal machine to which I want to using server1 as an intermediate one. Have I understood this correctly?
-
Olli over 13 years
Bond: yes, that's correct. You can also specify multiple -L tunnels (with different source ports, of course) to open connections to multiple internal machines. For example "-L0.0.0.0:8080:remote_server1:80 -L0.0.0.0:8081:remote_server2:80 -L0.0.0.0:8082:remote_server2:22" (without quotes).
-
jmary about 6 years
Making this solid would require setting up a server acting as a rebound outside the data center and allowing traffic in. Of course the ssh tunnel is ok as a temporary solution, but for something in production, I would advise installing a real reverse proxy on the rebound, and adapting the firewall settings to allow 8080 connections only from that rebound. This said, it is smarter to place the reverse proxy as one of the virtual machines inside the DC, so that the connection needs to be secured with SSL only toward this machine.