
@hSATAC
Forked from gdamjan/README.md
Created August 2, 2014 06:17

What

A lot of times you are developing a web application on your own laptop or home computer and would like to demo it to the public. Most of those times you are behind a router/firewall and you don't have a public IP address. Instead of configuring routers (often not possible), this solution gives you a public URL that's reverse tunnelled via ssh to your laptop.

Because the sshd setup is relaxed, it's best used on a dedicated virtual machine just for this (an Amazon micro instance, for example).

Requirements

Server side:

  • a server with a public ip (1.2.3.4 in this document)
  • a domain name (domain.tld in this document)
  • a wildcard dns entry in the domain pointing to the public ip (*.ie.mk. 1800 IN A 1.2.3.4)
  • nginx
  • sshd

Client side:

  • ssh client (even plink would work on Windows)

Nginx config

A wildcard dns entry should point to this nginx instance. Every www<port>.domain.tld will be proxied to 127.0.0.1:<port>, where <port> needs to be 4 or 5 digits.

server {
  server_name   "~^www(?<port>\d{4,5})\.domain\.tld$";

  location / {
    proxy_pass        http://127.0.0.1:$port;
    proxy_set_header  X-Real-IP  $remote_addr;
    proxy_set_header  Host $host;
  }
}

SSH configuration

An sshd configuration that allows a user with no password and a forced command, so that the user can't get shell access:

Match User tunnel
  # ChrootDirectory
  ForceCommand /bin/echo do-not-send-commands
  AllowTcpForwarding yes
  PasswordAuthentication yes
  PermitEmptyPasswords yes

PAM needs to be disabled if sshd is to allow login without a password. That's not always possible, and not even smart on a shared sshd. A better approach is a separate instance of sshd, on a different port, just for the tunnel user.

Make a copy of the config file, change/add these settings:

UsePAM no
AllowUsers tunnel
Port 722

And then run sshd -f /etc/ssh/sshd_config_tunnel.

The tunnel user has an empty password field in /etc/shadow:

tunnel::15726:0:99999:7:::
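A shell check for the dedicated tunnel sshd config described in this section (an added example, not part of the gist). The sample config is constructed, `sshd_effective` and `audit_tunnel_sshd` are hypothetical helpers, and the GatewayPorts check goes beyond the page: the forwarded ports only stay on 127.0.0.1 behind nginx while GatewayPorts is not yes.

```shell
#!/bin/sh
# Constructed sample of the dedicated tunnel-only sshd config described above
# (global section plus the Match block), written to a temp file for the checks.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
Port 722
UsePAM no
AllowUsers tunnel
Match User tunnel
  # ChrootDirectory
  ForceCommand /bin/echo do-not-send-commands
  AllowTcpForwarding yes
  PasswordAuthentication yes
  PermitEmptyPasswords yes
EOF

# Effective value of a keyword (lowercase) for "Match User <user>": a value set in
# that Match block overrides the global one, mirroring how sshd applies Match.
sshd_effective() { # file keyword user
  awk -v kw="$2" -v u="$3" '
    tolower($1) == "match" { inmatch = 1; blk = (tolower($2) == "user" && $3 == u); next }
    tolower($1) == kw {
      v = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", v)
      if (!inmatch && g == "") g = v; else if (blk && b == "") b = v
    }
    END { print (b != "" ? b : g) }
  ' "$1"
}

# Returns 0 when the config keeps the tunnel user to port forwarding only and
# the forwarded listeners stay on loopback behind nginx; prints each finding.
audit_tunnel_sshd() { # file user
  rc=0
  [ -n "$(sshd_effective "$1" forcecommand "$2")" ] || { echo "missing ForceCommand: $2 could run commands"; rc=1; }
  [ "$(sshd_effective "$1" allowtcpforwarding "$2")" = yes ] || { echo "AllowTcpForwarding is not yes: -R will be refused"; rc=1; }
  [ "$(sshd_effective "$1" allowusers "$2")" = "$2" ] || { echo "AllowUsers should limit this sshd to $2"; rc=1; }
  [ "$(sshd_effective "$1" usepam "$2")" = no ] || { echo "UsePAM must be no for the empty-password login"; rc=1; }
  [ "$(sshd_effective "$1" gatewayports "$2")" != yes ] || { echo "GatewayPorts yes would expose forwards on the public IP, bypassing nginx"; rc=1; }
  return $rc
}

# A second constructed file that adds the one setting the audit must reject.
bad=$(mktemp); { cat "$cfg"; echo "  GatewayPorts yes"; } > "$bad"
audit_tunnel_sshd "$cfg" tunnel && echo "tunnel config OK"
audit_tunnel_sshd "$bad" tunnel || echo "bad config rejected"
```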

Client

Just connect with:

ssh -N -T 1.2.3.4 -l tunnel -R 0:localhost:5050 -p 722

ssh will respond with an "Allocated port 56889 for remote forward to localhost:5050" message. Then you can use www56889.domain.tld.

TODO

Test ChrootDirectory in sshd

#! /bin/sh
# Usage: $0 <local_port>  (wraps the ssh command from the Client section and
# rewrites the "Allocated port" message into the public URL)
local_port=${1:?usage: $0 <local_port>}
ssh_server=1.2.3.4
ssh_user=tunnel
ssh_port=722
url_tmpl='http://www\1.domain.tld/'   # \1 is the port captured by sed below
exec 3>&1   # keep a copy of stdout; only ssh's stderr is routed through sed
ssh -N -T "$ssh_server" -l "$ssh_user" -R "0:localhost:$local_port" -p "$ssh_port" 2>&1 1>&3 \
| sed "s|^Allocated port \([[:digit:]]\+\) for remote forward to|Your url is $url_tmpl will be forwarded to|"