A lot of times you are developing a web application on your own laptop or home computer and would like to demo it to the public. Most of those times you are behind a router/firewall and you don't have a public IP address. Instead of configuring routers (often not possible), this solution gives you a public URL that's reverse tunnelled via ssh to your laptop.
Because this setup relaxes sshd's defaults (a user with an empty password), it's best run on a dedicated virtual machine used for nothing else (an Amazon micro instance, for example).
Server side:
- a server with a public ip (1.2.3.4 in this document)
- a domain name (domain.tld in this document)
- a wildcard DNS entry in the domain pointing to the public IP (*.domain.tld. 1800 IN A 1.2.3.4)
- nginx
- sshd
Client side:
- ssh client (even plink would work on Windows)
A wildcard DNS record should point to this nginx instance. Every www<port>.domain.tld will be proxied to 127.0.0.1:<port>, where <port> needs to be 4 or 5 digits.
server {
    # www<port>.domain.tld -> 127.0.0.1:<port>; the named capture only accepts 4 or 5 digits
    server_name "~^www(?<port>\d{4,5})\.domain\.tld$";
    location / {
        # the captured port becomes the upstream port on loopback
        proxy_pass http://127.0.0.1:$port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
    }
}
An sshd configuration to allow a user with no password and a forced command, so that the user can't get shell access.
Match User tunnel
# ChrootDirectory
ForceCommand /bin/echo do-not-send-commands
AllowTcpForwarding yes
PasswordAuthentication yes
PermitEmptyPasswords yes
PAM needs to be disabled if sshd is to allow login without a password. That's not always possible, and not even smart. Another approach would be a separate instance of sshd, on a different port, just for the tunnel user.
Make a copy of the config file, change/add these settings:
UsePAM no
AllowUsers tunnel
Port 722
And then run sshd -f /etc/ssh/sshd_config_tunnel.
The tunnel user has an empty password field in /etc/shadow.
tunnel::15726:0:99999:7:::
Just connect with:
ssh -N -T 1.2.3.4 -l tunnel -R 0:localhost:5050 -p 722
ssh will respond with an "Allocated port 56889 for remote forward to localhost:5050" message.
Then you can use http://www56889.domain.tld
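A client-side helper for the step above, added here as an example (it is not part of the original gist). It wraps the ssh command from the page, picks the allocated port out of the "Allocated port ..." message that ssh prints on stderr, and turns it into the www<port>.domain.tld URL. It also checks the 4-or-5-digit constraint the nginx server_name regex imposes, since a port outside that range would match no vhost. Server 1.2.3.4, user tunnel, port 722 and domain.tld come from the page; the function names and the --run flag are this example's own. Because GatewayPorts is off by default, sshd binds the forwarded port to the server's loopback, so only nginx can reach it.

```shell
#!/bin/sh
# Added example: client-side wrapper around
#   ssh -N -T 1.2.3.4 -l tunnel -R 0:localhost:5050 -p 722
# Function names and the --run flag are this example's own, not the gist's.

# Extract the remotely allocated port from one line of ssh output.
# Prints the port, or nothing if the line is not the allocation message.
allocated_port_from_line() {
    printf '%s\n' "$1" |
    sed -n 's/^Allocated port \([0-9][0-9]*\) for remote forward to .*$/\1/p'
}

# The nginx server_name regex ~^www(?<port>\d{4,5})\.domain\.tld$ only
# matches ports of 4 or 5 digits. Returns 0 for 1000..65535, 1 otherwise.
port_is_routable() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1000 ] && [ "$1" -le 65535 ]
}

# Build the public URL for an allocated port and the wildcard domain.
public_url() {
    port=$1; domain=$2
    port_is_routable "$port" || return 1
    printf 'http://www%s.%s\n' "$port" "$domain"
}

# Start the tunnel and print the public URL as soon as ssh reports the
# allocated port. ssh's own messages go to stderr, so merge them into the
# pipe; everything that is not the allocation line is passed through.
start_tunnel() {
    local_port=$1; domain=$2; server=$3
    ssh -N -T "$server" -l tunnel -R "0:localhost:$local_port" -p 722 2>&1 |
    while IFS= read -r line; do
        p=$(allocated_port_from_line "$line")
        if [ -n "$p" ]; then
            public_url "$p" "$domain" ||
                printf 'port %s does not fit the www<port> pattern\n' "$p" >&2
        else
            printf '%s\n' "$line" >&2
        fi
    done
}

# Usage: sh tunnel.sh --run 5050 domain.tld 1.2.3.4
if [ "${1:-}" = "--run" ]; then
    start_tunnel "$2" "$3" "$4"
fi
```

Run it with --run and the local port, the domain and the server; it keeps the tunnel open (ssh -N) and prints the URL once the allocation line arrives, which is the moment the public name starts working.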
Test ChrootDirectory in sshd
Brilliant, thanks!