Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Setup for an easy to use, simple reverse http tunnels with nginx and ssh. It's that simple there's no authentication at all.The end result, a single ssh command invocation gives you a public url for your web app hosted on your laptop.
#! /bin/sh
local_port=$1
ssh_server=1.2.3.4
ssh_user=tunnel
ssh_port=722
url_tmpl=http://www\\1.domain.tld/
exec 3>&1
eval ssh -N -T $ssh_server -l $ssh_user -R 0:localhost:$local_port -p $ssh_port 2>&1 1>&3 \
| sed 's|^Allocated port \([[:digit:]]\+\) for remote forward to|Your url is '$url_tmpl' will be forwarded to|'
What
====
A lot of times you are developing a web application on your own laptop or home computer and would like to demo it to the public. Most of those times you are behind a router/firewall and you don't have a public IP address. Instead of configuring routers (often not possible), this solution gives you a public URL that's reverse tunnelled via ssh to your laptop.
Because of the relaxation of the sshd setup, it's best used on a dedicated virtual machine just for this (an Amazon micro instance for example).
Requirements
============
Server side:
* a server with a public ip (1.2.3.4 in this document)
* a domain name (domain.tld in this document)
* a wildcard dns entry in the domain pointing to the public ip (*.ie.mk. 1800 IN A 1.2.3.4)
* nginx
* sshd
Client side:
* ssh client (even plink would work on Windows)
Nginx config
============
A wildcard dns should point to this nginx instance.
Every `www<port>.domain.tld` will be proxied to `127.0.0.1:<port>`
Where `<port>` needs to be 4 or 5 digits.
server {
server_name "~^www(?<port>\d{4,5})\.domain\.tld$";
location / {
proxy_pass http://127.0.0.1:$port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
}
}
SSH configuration
=================
A sshd configuration to allow a user with no password
and a forced command, so that the user can't get shell access.
Match User tunnel
# ChrootDirectory
ForceCommand /bin/echo do-not-send-commands
AllowTcpForwarding yes
PasswordAuthentication yes
PermitEmptyPasswords yes
PAM needs to be disabled if sshd is to allow login without a password.
That's not always possible, is not even smart. Another approach would be
a separate instance of sshd, on a different port, just for the tunnel user.
Make a copy of the config file, change/add these settings:
UsePAM no
AllowUsers tunnel
Port 722
And then run `sshd -f /etc/ssh/sshd_config_tunnel`.
The `tunnel` user has an empty password field in /etc/shaddow.
tunnel::15726:0:99999:7:::
Client
======
Just connect with:
ssh -N -T 1.2.3.4 -l tunnel -R 0:localhost:5050 -p 722
ssh will respond with a `Allocated port 56889 for remote forward to localhost:5050` message.
Then you can use www56889.domain.tld
TODO
====
Test ChrootDirectory in sshd
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.