Forked from gdamjan/
Created Jan 21, 2013
books. soon.


  • a server with a public ip ( in this document)
  • a domain name (domain.tld in this document)
  • a wildcard dns entry in the domain pointing to the public ip (* 1800 IN A
  • nginx
  • sshd

Nginx config

A wildcard DNS record should point to this nginx instance. Every www<port>.domain.tld will be proxied to

<port> needs to be 4 or 5 digits.

server {
  # the braces in the regex require quoting the whole server_name value
  server_name   "~^www(?<port>\d{4,5})\.domain\.tld$";

  location / {
    proxy_set_header  X-Real-IP  $remote_addr;
    proxy_set_header  Host $host;
    # assumed target: the port sshd allocated for the reverse tunnel, bound on loopback
    proxy_pass        http://127.0.0.1:$port;
  }
}

SSH configuration

An sshd configuration that allows a user with no password and a forced command, so that the user doesn't get shell access.

Match User tunnel
  # ChrootDirectory
  ForceCommand /bin/echo do-not-send-commands
  AllowTcpForwarding yes
  PasswordAuthentication yes
  PermitEmptyPasswords yes

PAM needs to be disabled if sshd is to allow login without a password. That's not always possible, and not even smart. Another approach would be a separate instance of sshd, on a different port, just for the tunnel user.

Make a copy of the config file, change/add these settings:

UsePAM no
AllowUsers tunnel
Port 722

And then run sshd -f /etc/ssh/sshd_config_tunnel.

The tunnel user has an empty password field in /etc/shadow.


Test ChrootDirectory in sshd

Just connect with:

ssh -N -T -l tunnel -R 0:localhost:5050 -p 722

ssh will respond with an "Allocated port 56889 for remote forward to localhost:5050" message. Then you can use www56889.domain.tld.
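As an added example (not part of the gist), a small Python helper that mirrors the two mappings this setup relies on: the www<port>.domain.tld hostname to the loopback port nginx proxies to, and ssh's "Allocated port ..." message to the public URL. The hostname check is stricter than the nginx regex on purpose: \d{4,5} also accepts values like 99999 or 0080 that are not usable tunnel ports, so the helper rejects anything outside the unprivileged range sshd hands out for -R 0. The domain and sample ssh line are constructed for the example.

```python
import re
from typing import Optional

DOMAIN = "domain.tld"  # assumed, matches the placeholder used in the gist

# Same shape as the nginx server_name regex: www<port>.domain.tld, 4-5 digit port.
HOST_RE = re.compile(r"^www(?P<port>\d{4,5})\." + re.escape(DOMAIN) + r"$")

# Message the ssh client prints for `-R 0:localhost:<local_port>`
# when sshd picks the remote port itself.
ALLOC_RE = re.compile(
    r"Allocated port (?P<port>\d+) for remote forward to (?P<target>\S+)"
)


def backend_port(host: str) -> Optional[int]:
    """Return the loopback port nginx would proxy `host` to, or None when the
    name does not match or the digits are not a usable tunnel port.
    The nginx regex alone matches www99999.domain.tld (above 65535) and
    www0080.domain.tld (port 80); both are rejected here."""
    m = HOST_RE.match(host.lower())
    if not m:
        return None
    port = int(m.group("port"))
    if not 1024 <= port <= 65535:
        return None
    return port


def public_url(ssh_line: str, domain: str = DOMAIN) -> Optional[str]:
    """Turn ssh's allocation message into the www<port>.<domain> URL that the
    wildcard DNS entry and the nginx server block expose."""
    m = ALLOC_RE.search(ssh_line)
    if not m:
        return None
    return f"http://www{m.group('port')}.{domain}/"


if __name__ == "__main__":
    # constructed sample line, as ssh prints it for `-R 0:localhost:5050`
    line = "Allocated port 56889 for remote forward to localhost:5050"
    url = public_url(line)
    print(url)                                # http://www56889.domain.tld/
    print(backend_port(url.split("/")[2]))    # 56889
```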
