books. soon.
- a server with a public ip (1.2.3.4 in this document)
- a domain name (domain.tld in this document)
- a wildcard dns entry in the domain pointing to the public ip (*.ie.mk. 1800 IN A 1.2.3.4)
- nginx
- sshd
A wildcard dns should point to this nginx instance. Every www.domain.tld will be proxied to 127.0.0.1:
needs to be 4 or 5 digits.
server {
server_name ~^www(?<port>\d\{4,5\})\.domain\.tld$;
location / {
proxy_pass http://127.0.0.1:$port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
}
}
A sshd configuration to allow a user with no password and a forced command, so that the user doesn't get shell access.
Match User tunnel
# ChrootDirectory
ForceCommand /bin/echo do-not-send-commands
AllowTcpForwarding yes
PasswordAuthentication yes
PermitEmptyPasswords yes
PAM needs to be disabled if sshd is to allow login without a password. That's not always possible, is not even smart. Another approach would be a separate instance of sshd, on a different port, just for the tunnel user.
Make a copy of the config file, change/add these settings:
UsePAM no
AllowUsers tunnel
Port 722
And then run sshd -f /etc/ssh/sshd_config_tunnel.
The tunnel user has an empty password field in /etc/shaddow.
tunnel::15726:0:99999:7:::
Test ChrootDirectory in sshd
Just connect with:
ssh -N -T 1.2.3.4 -l tunnel -R 0:localhost:5050 -p 722
ssh will respond with a Allocated port 56889 for remote forward to localhost:5050 message.
Then you can use www56889.domain.tld