Ubuntu – SSH Through Reverse Proxy

Tags: proxy, reverse-proxy, ssh, ssh-tunnel, ubuntu

OK, I have an odd but hopefully simple one. I have looked up SSH tunneling already and I am familiar with the "ssh -r" command. But this situation is different.

Here's the setup. I have 1 gateway reverse-proxy/load-balancer/firewall server that accepts HTTP requests and hands them off to 3 backend servers. Only the gateway has a publicly accessible IP address. All the backend servers are restricted to private IPs within the VPN. I do not have physical access to any of these servers (VPS hosting). All the servers are Ubuntu; the proxy is pound.

What I need to be able to do is use SSH to connect to any of the "boxes" for maintenance, updates, etc. through the gateway. As in calling from my home machine "ssh user@gateway -p [BACKEND PORT]" and having the gateway route that port number to the correct machine in a standard SSH fashion. How do I accomplish this?

Best Answer

If the pound server is a firewall, I'm assuming it will be running iptables. Set up iptables to forward from external port X to internal port Y. Pound is designed to proxy HTTP and HTTPS; port forwarding for non-web traffic should be done by the appropriate software, which is not pound in this case.

Something like this might work:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 222 -j DNAT --to 192.168.1.2:22
iptables -A FORWARD -p tcp -d 192.168.1.2 --dport 22 -j ACCEPT

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 223 -j DNAT --to 192.168.1.3:22
iptables -A FORWARD -p tcp -d 192.168.1.3 --dport 22 -j ACCEPT

And so on, adjust to your situation, etc.
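The per-backend rule pair in the answer, generated from a port-to-host table, as an added example that is not part of the original answer. It goes slightly beyond the answer by validating the table first; the function names, the `WAN_IF` variable, the RFC 1918 check and the refusal of port 22 (assumed to be the gateway's own sshd) are assumptions of this example.

```shell
# Added example (not from the answer): print, without applying, the answer's
# DNAT + FORWARD rule pair for each "external_port backend_ip" line on stdin.
# Assumptions: WAN interface eth0 and backend sshd on port 22 (as in the answer),
# and the gateway's own sshd on port 22, so that external port is refused.
WAN_IF="${WAN_IF:-eth0}"

is_port() {
    case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# True only for RFC 1918 private IPv4 addresses.
is_private_ip() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    case "$1" in
        10)  return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] ;;
        192) [ "$2" -eq 168 ] ;;
        *)   return 1 ;;
    esac
}

# Validate the whole mapping first; emit rules only if every line is sane.
gen_ssh_forward_rules() {
    seen=" "; out=""
    while read -r port ip || [ -n "$port" ]; do
        case "$port" in ''|'#'*) continue ;; esac
        is_port "$port" || { echo "bad port: $port" >&2; return 1; }
        [ "$port" -ne 22 ] || { echo "22 is the gateway's own sshd" >&2; return 1; }
        is_private_ip "$ip" || { echo "not a private IPv4: $ip" >&2; return 1; }
        case "$seen" in *" $port "*) echo "duplicate port: $port" >&2; return 1 ;; esac
        seen="$seen$port "
        out="${out}iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $port -j DNAT --to-destination $ip:22
iptables -A FORWARD -p tcp -d $ip --dport 22 -j ACCEPT
"
    done
    printf '%s' "$out"
}

# Constructed sample mapping, matching the addresses used in the answer.
gen_ssh_forward_rules <<'EOF'
222 192.168.1.2
223 192.168.1.3
EOF
```

The forwarded connections only pass if IP forwarding is enabled on the gateway (`net.ipv4.ip_forward=1`), and rules added with `-A` do not survive a reboot unless they are saved.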
