If you want to set up a jump host/bastion cluster in front of your servers, you can install Teleport. This guide walks through installing it and then exposing it behind an NGINX reverse proxy.
- Ubuntu 20.04 LTS
- 1 GB RAM
- 1 VCPU
- 20 GB Storage
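# Add the Teleport apt repository (signed with its release key) and install
# the package. -f makes curl fail on an HTTP error instead of writing the error
# page into the keyring file; -sS stays quiet but still reports errors; -L
# follows redirects.
sudo curl -fsSL https://apt.releases.teleport.dev/gpg \
  -o /usr/share/keyrings/teleport-archive-keyring.asc
# ID and VERSION_CODENAME are read from os-release; the "?" expansion aborts
# with an error if either is unset, so a broken os-release cannot produce an
# empty repository URL.
source /etc/os-release
# The continuation line must stay at column 0: it is inside the quoted string,
# so any leading spaces would end up in the URL.
echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \
https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} stable/v10" \
  | sudo tee /etc/apt/sources.list.d/teleport.list > /dev/null
sudo apt-get update
sudo apt-get install teleport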
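# /var/lib/teleport is root-owned, so this section assumes a root shell
# (e.g. `sudo -i`). Abort instead of generating keys in the wrong directory.
cd /var/lib/teleport/ || exit 1
## OPTIONAL, if you dont have SSL lets generate self-signed
# Private CA key + self-signed CA cert, then a server key/CSR signed by that
# CA. Replace the -subj fields with your own; the CN and the SAN must match
# the proxy's public address (teleport.domain.com).
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt
openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=teleport.domain.com" -out server.csr
# The SAN previously listed the same name twice. The wildcard entry matches the
# *.teleport.domain.com server_name used in the NGINX config below; drop it if
# you do not serve subdomains.
openssl x509 -req -extfile <(printf "subjectAltName=DNS:teleport.domain.com,DNS:*.teleport.domain.com") -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
mv server.crt server.pem
mv server.key server-key.pem
# Private keys should be readable by their owner only.
chmod 600 ca.key server-key.pem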
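## If you have ssl lets copy crt & key (.pem) to /var/lib/teleport
# Run this from the directory holding your own certificate and key (it is not
# needed if you generated the self-signed pair in /var/lib/teleport above).
# The private key is restricted to owner-only permissions after copying.
cp -- server.pem server-key.pem /var/lib/teleport/
chmod 600 /var/lib/teleport/server-key.pem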
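## Installation Init
# Write /etc/teleport.yaml. --public-addr is the address clients are told to
# use (here the port NGINX proxies to); the cert/key are the ones placed in
# /var/lib/teleport above. Writing under /etc needs root, hence sudo.
# NOTE(review): --public-addr only sets the advertised address; confirm that
# the proxy actually listens on 4443 (proxy_service.web_listen_addr in the
# generated file) or adjust proxy_pass in the NGINX config to the real port.
sudo teleport configure -o /etc/teleport.yaml \
  --cluster-name=teleport.domain.com \
  --public-addr=teleport.domain.com:4443 \
  --cert-file=/var/lib/teleport/server.pem \
  --key-file=/var/lib/teleport/server-key.pem
sudo systemctl enable teleport
sudo systemctl start teleport
sudo systemctl status teleport
# First user. editor (cluster configuration) and access (connect to resources)
# are Teleport preset roles; --logins is the list of OS accounts this user may
# SSH as. Keep root out of that list unless it is genuinely required.
sudo tctl users add gilang --roles=editor,access --logins=root,ubuntu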
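# The file is root-owned; edit it as root and set the key shown below inside
# the existing auth_service block.
sudo nano /etc/teleport.yaml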
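auth_service:
  authentication:
    # "off" disables MFA for every user; Teleport's default enforces a second
    # factor. Leave this off only for initial testing and re-enable it before
    # the proxy is reachable from the internet.
    second_factor: off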
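# Apply the configuration change (needs root, like the other systemctl calls).
sudo systemctl restart teleport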
- Add an entry to /etc/hosts
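# Map the proxy name to the local machine so NGINX's proxy_pass resolves it.
sudo nano /etc/hosts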
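# /etc/hosts entries are "<address> <hostname>"; the first field must be an
# IP address, so "localhost teleport.domain.com" is not a valid line.
127.0.0.1 teleport.domain.com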
- Create the NGINX site config
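# Site config for the reverse proxy; /etc/nginx is root-owned.
sudo nano /etc/nginx/conf.d/teleport.conf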
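server {
  listen 443 ssl;
  # The wildcard only works if the certificate below also covers
  # *.teleport.domain.com; otherwise drop it here as well.
  server_name teleport.domain.com *.teleport.domain.com;
  ssl_certificate /etc/letsencrypt/live/teleport.domain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/teleport.domain.com/privkey.pem;
  # Older NGINX builds still enable TLS 1.0/1.1 by default on a public
  # listener; restrict to current protocol versions.
  ssl_protocols TLSv1.2 TLSv1.3;

  location / {
    proxy_buffering off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto "https";
    # WebSocket support
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 86400;
    # Upstream is Teleport's own TLS listener. NGINX does not verify upstream
    # certificates by default; to pin it to the CA generated earlier, add:
    #   proxy_ssl_verify on;
    #   proxy_ssl_trusted_certificate /var/lib/teleport/ca.crt;
    # The hostname resolves via the /etc/hosts entry added above.
    proxy_pass https://teleport.domain.com:4443;
  }
}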
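# Validate the configuration first and reload only if the test passes;
# systemctl keeps this consistent with the service commands used above.
sudo nginx -t && sudo systemctl reload nginx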