SSH – Best Reverse Proxy Solutions

linux-networkingreverse-proxysshssh-tunnel

Hi here is a situation I have a server in a corporate data center for a project.
I have an SSH access to this machine at port 22.There are some virtual machines running on this server and then at the back of every thing many other Operating systems are working.
Now Since I am behind the data centers firewall my supervisor asked me if I can do some thing by which I can give many people on Internet access to these virtual machines directly.
I know if I were allowed to get traffic on port other than 22 then I can do a port forwarding.
But since I am not allowed this so what can be a solution in this case.
The people who would like to connect might be complete idiots.Who may be happy just by opening putty at their machines or may be even filezilla.I have configured an Apache Reverse Proxy for redirecting the Internet traffic to the virtual machines on these hosts.But I am not clear as for SSH what can I do.So is there some thing equivalent to an Apache Reverse Proxy which can do similar work for SSH in this situation.

I do not have firewall in my hands or any port other than 22 open and in fact even if I request they wont allow to open.2 times SSH is not some thing that my supervisor wants.

Best Answer

You should open ssh tunnel from your computer to server in data center. Let's name this as "server1". If you are using openssh, you can just run

ssh -L0.0.0.0:8080:localhost:8080 you_username@server1

This will open connection from your computer at port 8080 to server, port 8080, skipping firewall in between. Assuming your apache is listening on port 8080. Port forward format is listening IP:local port:remote address:remote port. Of course for single server you can use also

ssh -L0.0.0.0:8080:remote_server_address:8080 you_username@server1

Please note that localhost in -L parameter is relative to server1. In the other words, server is seeing connections coming from localhost, when in fact those are coming from your computer over ssh connection.

You also need parameter

AllowTcpForwarding yes

in server's ssh configuration (typically /etc/ssh/sshd_config).

After this, others can connect to your computer on port 8080 to get connection via Apache Reverse Proxy. If you need general proxy (so users can choose address, not just specific addresses in Apache configuration) you should install squid on server1 and use ssh tunnel to squid port.

Related Solutions

Ssh – name based virtual host SSH reverse proxy

I don't believe name-based SSH is something that will be possible given how the protocol works.

Here are some alternatives.

You could do is setup the host that answers for port 22 to act as a gateway. Then you can configure the ssh server to forward requests to the inside based on the key. SSH Gateway example with keys
You could adjust your client to use that host as a proxy. That is, it would ssh to the gateway host, and then make use that host to make a connection to the internal host. SSH proxy with client configuration.
You could also setup a simple http proxy on the edge. Then use that to allow incoming connections. SSH via HTTP proxy.

Obviously with all the above, making sure you properly configure and lock down the gateway is pretty important.

Ssh – http reverse-proxy on one server passing through ssh/socks proxy to second server

I don't know of a way for apache or lighttpd to use a SOCKS proxy, but I think this is still doable with just ssh and a web server.

There are three servers.

your.server
gateway.server
web.server

your.server cannot access websites on web.server or ssh to web.server. From your.server you can ssh to gateway.server. From gateway.server you can access websites on web.server.

First, set up ssh such that when a previously unused port (say, 3000) is accessed the traffic is sent via ssh to gateway.server and then via a normal connection to port 80 (or whatever the relevant port is) on web.server.

[your.server]$ ssh -fnL 3000:web.server:80 gateway.server

Second, configure the proxy in apache.

<VirtualHost *:80>
    ServerName your.server
    ProxyPass /some_path http://localhost:3000
    ProxyPassReverse /some_path http://localhost:3000
    ProxyPassReverseCookieDomain web.server your.server
    ProxyPassReverseCookiePath / /some_path
</VirtualHost>

Now, you should be able to access http://your.server/some_path and get content from http://web.server. You may be done, or another step may be necessary.

The potential flaw in this setup is that the Host header will be set to localhost when apache on your.server connects to web.server. If web.server host multiple sites and uses the Host header to decide what site to return, this won't work. I don't know of a way to have apache's mod_proxy change the Host header to something that isn't either the host that the request was made to (your.server) or the host of the backend server (which thanks to our ssh tunnel is localhost). A hack to work around this would be to edit the hosts file on your.server so that the domain names for the sites on web.server actually point to your.server. Let's say there are two sites you want to access, site1.web.server and site2.web.server. In /etc/hosts you would put

127.0.0.1 site1.web.server site2.web.server

and your apache configuration would change to

<VirtualHost *:80>
    ServerName your.server

    ProxyPass /some_path http://site1.web.server:3000
    ProxyPassReverse /some_path http://site1.web.server:3000
    ProxyPassReverseCookieDomain site1.web.server your.server
    ProxyPassReverseCookiePath / /some_path

    ProxyPass /another_path http://site2.web.server:3000
    ProxyPassReverse /another_path http://site2.web.server:3000
    ProxyPassReverseCookieDomain site2.web.server your.server
    ProxyPassReverseCookiePath / /another_path
</VirtualHost>

To secure access to your reverse proxy, look at Apache's authentication howto.

Best Answer

Related Solutions

Ssh – name based virtual host SSH reverse proxy

Ssh – http reverse-proxy on one server passing through ssh/socks proxy to second server

Related Topic