Ssh – Forward ssh connections to docker container by hostname

dockerreverse-proxyssh

I have gotten into a very specific situation and although there are other ways to do this, I've kinda gotten obsessed with this and would like to find out a way to do it exactly like this:

Background

Say I have a server running several services tucked away in isolated docker containers. Since most of those services are http, I'm using an nginx proxy to expose specific subdomains to each service. For example, a node server is running on a docker container with its port 80 bound to 127.0.0.1:8000 on the host. I'll create a vhost in nginx that proxies all requests to myapp.mydomain.com to http://127.0.0.1:8000. That way, the docker container cannot be accessed from outside, except through myapp.mydomain.com.

Now I want to start a gogs docker container in such a way that gogs.mydomain.com points to the gogs container. So I start this gogs container with port 8000 bound to 127.0.0.1:8001 on the host. And an nginx site proxying requests to gogs.mydomain.com to http://127.0.0.1:8001 and it works well…

However, gogs being a git container, I would also like to access the repos like through git@gogs.mydomain.com:org/repo but that doesn't work with the current setup. One way to make that work would be to bind the port 22 of the container to the port 0.0.0.0:8022 on the host, and then the git ssh url can be something like git@gogs.mydomain.com:8022/repo.

(That doesn't seem to work; when I push to an origin with uri like that, git demands the password for user git on gogs.mydomain.com – instead of gogs.mydomain.com:8022 – but that's probably something I'm doing wrong and out of scope for this question, however, I would appreciate any diagnosis for that too)

Problem

My main concern is, that I want the ssh port <gogs container>:22 to be proxied just like I am proxying http ports using nginx; i.e. any ssh connections to gogs.mydomain.com get passed on to the container's port 22. Now I can't bind the container's ssh port to the host's ssh port because there is already an sshd running on the host. Also, that would mean that any connections to *.mydomain.com get passed to the container's sshd.

I want any ssh connections to:

mydomain.com host.mydomain.com or mydomain's IP address to be accepted and forwarded to the sshd on the host
gogs.mydomain.com or git.mydomain.com to be accepted an passed on to the sshd on the gogs container
*.mydomain.com (where * is anything other than the possibilities above) to be rejected

If it were http, I could easily make that work through nginx. Is there a way to do that for ssh?

(Also would like to go out on a limb and ask: is there a way to accomplish that with any tcp service in general?)

Any insights into the way I'm trying to do it here, are also welcome. I don't mind being told when what I'm trying to do is utterly stupid.

What I've already got in my mind:

Maybe I could share the sshd socket on host with the container as a ro volume? That would mean the sshd inside the container could pick up all connections to *.mydomain.com. Could there be a way to make the sshd inside the container reject all connections other than gogs.mydomain.com or git.mydomain.com? However, the sshd on the host will pick up all the connections to *.mydomain.com anyway including gogs.mydomain.com; so there would be a conflict. I dunno, I haven't actually tried it. Should I try it?

Best Answer

Doing this "by hostname" is simply not inside the scope of ssh. The ssh protocol itself does not support name-based virtual hosting (in fact HTTP is the exception from the rule here).

The SSHd on the receiving side can never know what hostname you asked your client to connect to as this information is not passed inside the protocol.

If you just need a few clients to work with this you can configure each client to connect to your server and then jump to the docker container like follows:

Host yourcontainer
        Hostname internal.ip.of.your.container
        ProxyCommand ssh your.docker.host nc %h %p

This way ssh will invoke the proxy command which will open an ssh session to your host and call netcat to establish a connection to your container. This way you don't really need to expose your containers ssh port to the outside world.

Related Solutions

SSH Keys – Add Correct Host Key in Known Hosts for Multiple SSH Host Keys

get the rsa key of your server, where server_ip is your server's IP address, such as 192.168.2.1:

$ ssh-keyscan -t rsa server_ip

Sample response:

# server_ip SSH-2.0-OpenSSH_4.3
server_ip ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwH5EXZG...

and on the client, copy the entire response line server_ip ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwH5EXZG..., and add this key to the bottom of your ~/.ssh/known_hosts file:

server_ip ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqx9m529...(the offending key, and/or the very bottom of the `known_hosts` file)
server_ip ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwH5EXZG... (line you're adding, copied and pasted from above)

Linux – Mount Docker container contents in host file system

Take a look at docker export.

To quickly list the files in your container:

docker export CONTAINER|tar -t

To export:

docker export CONTAINER>snapshot.tar
docker export CONTAINER|tar x PATH-IN-CONTAINER

Or to look at a file:

docker export CONTAINER|tar x --to-stdout PATH-IN-CONTAINER
# e.g. 
docker export consul|tar x --to-stdout etc/profile

Docker 1.8 supports cp:

https://docs.docker.com/reference/commandline/cp/

Usage:  docker cp [options] CONTAINER:PATH LOCALPATH|-
        docker cp [options] LOCALPATH|- CONTAINER:PATH

update: you should ssh to your docker machine when you run this.