marlluslustosa/SSS reverse "caseiro" (aka serveo.net))

## reverse-ssh-tunnel.sh
#! /bin/sh

local_port=$1
ssh_server=1.2.3.4
ssh_user=tunnel
ssh_port=722
url_tmpl=http://www\\1.domain.tld/

exec 3>&1
eval ssh -N -T $ssh_server -l $ssh_user -R 0:localhost:$local_port -p $ssh_port 2>&1 1>&3 \
    | sed 's|^Allocated port \([[:digit:]]\+\) for remote forward to|Your url is '$url_tmpl' will be forwarded to|'

## SSS reverse "caseiro" (aka serveo.net))
What
====

A lot of times you are developing a web application on your own laptop or home computer and would like to demo it to the public. Most of those times you are behind a router/firewall and you don't have a public IP address. Instead of configuring routers (often not possible), this solution gives you a public URL that's reverse tunnelled via ssh to your laptop.

Because of the relaxation of the sshd setup, it's best used on a dedicated virtual machine just for this (an Amazon micro instance for example).


Requirements
============

Server side:

* a server with a public ip (1.2.3.4 in this document)
* a domain name (domain.tld in this document)
* a wildcard dns entry in the domain pointing to the public ip (*.ie.mk.    1800    IN  A   1.2.3.4)
* nginx
* sshd

Client side:
* ssh client (even plink would work on Windows)


Nginx config
============

A wildcard dns should point to this nginx instance.
Every `www<port>.domain.tld` will be proxied to `127.0.0.1:<port>`

Where `<port>` needs to be 4 or 5 digits.


    server {
      server_name   "~^www(?<port>\d{4,5})\.domain\.tld$";

      location / {
        proxy_pass        http://127.0.0.1:$port;
        proxy_set_header  X-Real-IP  $remote_addr;
        proxy_set_header  Host $host;
      }
    }


SSH configuration
=================

A sshd configuration to allow a user with no password
and a forced command, so that the user can't get shell access.

    Match User tunnel
      # ChrootDirectory
      ForceCommand /bin/echo do-not-send-commands
      AllowTcpForwarding yes
      PasswordAuthentication yes
      PermitEmptyPasswords yes

PAM needs to be disabled if sshd is to allow login without a password.
That's not always possible, is not even smart. Another approach would be
a separate instance of sshd, on a different port, just for the tunnel user.

Make a copy of the config file, change/add these settings:

    UsePAM no
    AllowUsers tunnel
    Port 722

And then run `sshd -f /etc/ssh/sshd_config_tunnel`.

The `tunnel` user has an empty password field in /etc/shaddow.

    tunnel::15726:0:99999:7:::


Client
======

Just connect with:

    ssh -N -T 1.2.3.4 -l tunnel -R 0:localhost:5050 -p 722

ssh will respond with a `Allocated port 56889 for remote forward to localhost:5050` message.
Then you can use www56889.domain.tld


TODO
====

Test ChrootDirectory in sshd
	#! /bin/sh

	local_port=$1
	ssh_server=1.2.3.4
	ssh_user=tunnel
	ssh_port=722
	url_tmpl=http://www\\1.domain.tld/

	exec 3>&1
	eval ssh -N -T $ssh_server -l $ssh_user -R 0:localhost:$local_port -p $ssh_port 2>&1 1>&3 \
	\| sed 's\|^Allocated port \([[:digit:]]\+\) for remote forward to\|Your url is '$url_tmpl' will be forwarded to\|'
	What
	====

	A lot of times you are developing a web application on your own laptop or home computer and would like to demo it to the public. Most of those times you are behind a router/firewall and you don't have a public IP address. Instead of configuring routers (often not possible), this solution gives you a public URL that's reverse tunnelled via ssh to your laptop.

	Because of the relaxation of the sshd setup, it's best used on a dedicated virtual machine just for this (an Amazon micro instance for example).


	Requirements
	============

	Server side:

	* a server with a public ip (1.2.3.4 in this document)
	* a domain name (domain.tld in this document)
	* a wildcard dns entry in the domain pointing to the public ip (*.ie.mk. 1800 IN A 1.2.3.4)
	* nginx
	* sshd

	Client side:
	* ssh client (even plink would work on Windows)


	Nginx config
	============

	A wildcard dns should point to this nginx instance.
	Every `www<port>.domain.tld` will be proxied to `127.0.0.1:<port>`

	Where `<port>` needs to be 4 or 5 digits.


	server {
	server_name "~^www(?<port>\d{4,5})\.domain\.tld$";

	location / {
	proxy_pass http://127.0.0.1:$port;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header Host $host;
	}
	}



	SSH configuration
	=================

	A sshd configuration to allow a user with no password
	and a forced command, so that the user can't get shell access.

	Match User tunnel
	# ChrootDirectory
	ForceCommand /bin/echo do-not-send-commands
	AllowTcpForwarding yes
	PasswordAuthentication yes
	PermitEmptyPasswords yes

	PAM needs to be disabled if sshd is to allow login without a password.
	That's not always possible, is not even smart. Another approach would be
	a separate instance of sshd, on a different port, just for the tunnel user.

	Make a copy of the config file, change/add these settings:

	UsePAM no
	AllowUsers tunnel
	Port 722

	And then run `sshd -f /etc/ssh/sshd_config_tunnel`.

	The `tunnel` user has an empty password field in /etc/shaddow.

	tunnel::15726:0:99999:7:::


	Client
	======

	Just connect with:

	ssh -N -T 1.2.3.4 -l tunnel -R 0:localhost:5050 -p 722

	ssh will respond with a `Allocated port 56889 for remote forward to localhost:5050` message.
	Then you can use www56889.domain.tld


	TODO
	====

	Test ChrootDirectory in sshd