Millet Porridge

English version of https://corvo.myseu.cn


OpenSSH Series 5: Jump Server and HTTP proxy

Jump Server

This picture is from ssh-kung-fu.

It describes a scenario where the “secondary” host only allows connections from the “primary” host. This means that when we want to connect to the secondary host, we need to log in to the primary host first and then run the ssh command there.

How to use it

Here is a sample configuration from my daily use.

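# Bastion (the "primary" host), reachable directly
Host jumper
    User root
    HostName 1.2.3.4
    IdentityFile ~/.ssh/id_rsa_test

# Target (the "secondary" host), reachable only through jumper
Host production
    # Address and port as seen from jumper
    HostName 127.0.0.1
    Port 2233
    User root
    # Reuse one connection for later sessions; the master closes after 600 s idle
    ControlMaster auto
    ControlPath ~/.ssh/ssh-%r@%h:%p.sock
    ControlPersist 600
    # Have jumper forward our stdin/stdout to %h:%p
    ProxyCommand ssh -q -W %h:%p jumper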

When I want to connect to the production host, I use jumper as the jump server. OpenSSH does two things: 1. it logs in to jumper; 2. through jumper, it logs in to production.

You may also notice ControlMaster, which enables multiplexing. It can save you the time of establishing two TCP connections when logging in to production.

Use HTTP for ssh ProxyCommand

I used to work for Tencent; at that time (2017) we needed to use an HTTP proxy to access the Internet. It was very uncomfortable to use the HTTP protocol to push code to GitHub. But when I learned that it's possible to use an HTTP proxy with OpenSSH, I realized that I could use this feature to push code over the ssh protocol through the HTTP proxy.

When you have to set HTTP_PROXY=xxx.yyy.zzz:8080 in your terminal, you can use this configuration.

Host ali
    User root
    HostName 1.2.3.4
    IdentityFile ~/.ssh/id_rsa_test
    # socat asks the proxy xxx.yyy.zzz:8080 for an HTTP CONNECT tunnel to %h:%p
    ProxyCommand socat - PROXY:xxx.yyy.zzz:%h:%p,proxyport=8080
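
What socat's PROXY address does on the wire, as an added Python example (not code from the original post): it sends an HTTP CONNECT request and, after a 2xx reply, uses the socket as a raw tunnel for the SSH stream. The function names, the max_header limit and the sample replies are constructed for illustration.

```python
import socket

def build_connect_request(host: str, port: int) -> bytes:
    """Ask the proxy for a raw TCP tunnel to host:port (HTTP CONNECT)."""
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")

def parse_connect_response(buf: bytes):
    """Return (status, leftover) once the reply headers are complete, else None.

    leftover holds bytes received after the blank line. They already belong
    to the tunnelled stream (typically the SSH banner) and must not be dropped.
    """
    head, sep, leftover = buf.partition(b"\r\n\r\n")
    if not sep:
        return None  # headers not fully received yet
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed proxy reply: {status_line!r}")
    return int(parts[1]), leftover

def open_tunnel(sock: socket.socket, host: str, port: int, max_header: int = 8192) -> bytes:
    """Run the CONNECT handshake on a socket already connected to the proxy."""
    sock.sendall(build_connect_request(host, port))
    buf = b""
    while len(buf) <= max_header:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during the handshake")
        buf += chunk
        parsed = parse_connect_response(buf)
        if parsed is not None:
            status, leftover = parsed
            if not 200 <= status < 300:
                # e.g. 403 when proxy policy forbids this destination or port
                raise PermissionError(f"proxy refused CONNECT {host}:{port}: {status}")
            return leftover
    raise ValueError("proxy reply headers exceed max_header")

if __name__ == "__main__":
    # Constructed demo: one end of a socketpair plays the proxy.
    client, proxy = socket.socketpair()
    proxy.sendall(b"HTTP/1.1 200 Connection established\r\n\r\nSSH-2.0-Example\r\n")
    print(open_tunnel(client, "1.2.3.4", 22))
    print(proxy.recv(4096))
```

A non-2xx status here is what lies behind a ProxyCommand that exits immediately: the proxy answered, but its policy refused the tunnel to that host or port.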

As a good reader, I hope you will notice that ProxyCommand can be used for socks4/5 proxies. :)