SNI-like routing

SERVANT Cyril cyril.servant at cea.fr
Mon Sep 26 19:48:09 AEST 2022


Le 23/09/2022 à 20:48, Carl Karsten a écrit :
> On Fri, Sep 23, 2022, 3:08 AM Cyril Servant <cyril.servant at cea.fr> wrote:
> 
>     Hi,
> 
>     Le 21/09/2022 à 22:59, Carl Karsten a écrit :
>     > The goal is to host 4 or 5 websites for friends. all low traffic, so a
>     > single box should be fine. 16 cores, 32g ram, 1 nic, 1 public IP.
>     > hostname: prox
>     >
>     > each site gets a VM, created manually, (they all get debian) add
>     > friends ssh keys and let them ssh in and do whatever they want in
>     > their vm.  and be able to ansible over ssh like ansible does.
>     >
>     > hostnames vm1, vm2... friends all manage their own domain name
>     > register / dns, point their www's at my IP.
>     >
>     > I would like to keep ports all standard: 22 for ssh, 80/443 for
>     > http/s, etc. and route to the VM based on hostname.
>     >
>     > ssh user at prox gets the host, ssh user at vm1 gets vm1. curl http://vm1 gets vm1.
>     >
>     > There are lots of ways to do this, I'm trying to work out a config
>     > that makes it easy on their end.
> 
>     you can use sshproxy which I'm maintaining
>     https://github.com/cea-hpc/sshproxy
>     With sshproxy's routing system, you can proxy each user to its
>     respective VM, without them having a shell on the gateway.
> 
>     This looks promising. Could you give me the conf for what I described? My setup will end up in a public repo, so maybe someone else can
>     use it too.

Well, first you have to add this at the end of /etc/ssh/sshd_config:

Match User foo,bar
	ForceCommand /sbin/sshproxy

And then, in /etc/sshproxy/sshproxy.yaml:

users:
  - foo:
      routes:
        default:
          dest: [ip.of.foo.vm]
  - bar:
      routes:
        default:
          dest: [ip.of.bar.vm]

That should be enough. There is no daemon to run; sshproxy is forked by the ForceCommand.
Etcd is not mandatory; in your case you probably won't want to use it.

>     > Telling them all to use ProxyJump isn't out of the question, but I'm
>     > hoping there are other options.
>     >
>     > I don't mind a separate solution for ssh and http.  like for http I
>     > can run an nginx on the public IP with
>     >
>     >   server_name vm1;
>     >    location / { proxy_pass http://10.0.0.1;

-- 
Cyril
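An added consistency check for the sshd_config and sshproxy.yaml pair described in the reply above (my own example, not code from sshproxy or from the thread): it reads the `Match User` / `ForceCommand` block and the `users:` entries, then reports users who have a route but no ForceCommand, since those still land in a real shell on the gateway, and users forced into sshproxy without any dest. It parses only the config subset shown in the mail (no YAML library); the function names, the sample configs and the 10.0.0.x addresses are constructed.

```python
import re

SSHPROXY_CMD = "/sbin/sshproxy"   # the ForceCommand target from the mail

def forced_users(sshd_config: str) -> set:
    """Users that a `Match User` block forces into sshproxy via ForceCommand."""
    forced, match_users = set(), None          # None: still in global scope
    for line in (l.strip() for l in sshd_config.splitlines()):
        key, _, rest = line.partition(" ")     # '=' separators are not handled
        if key.lower() == "match":
            toks = rest.split()
            match_users = {u for i, t in enumerate(toks[:-1])
                           if t.lower() == "user" for u in toks[i + 1].split(",")}
        elif (key.lower() == "forcecommand" and match_users is not None
              and rest.strip() == SSHPROXY_CMD):
            forced |= match_users
    return forced

def routed_users(sshproxy_yaml: str) -> dict:
    """user -> dest entries under its `- user:` block (flow-style lists only, global routes ignored)."""
    routes, current = {}, []
    for line in sshproxy_yaml.splitlines():
        if m := re.match(r"^\s*-\s*([\w.@,-]+):\s*$", line):   # `- foo:` / `- foo,bar:`
            current = m.group(1).split(",")
            for u in current:
                routes.setdefault(u, [])
        elif (m := re.match(r"^\s*dest:\s*\[(.*)\]\s*$", line)) and current:
            dests = [d.strip() for d in m.group(1).split(",") if d.strip()]
            for u in current:
                routes[u] += dests
    return routes

def audit(sshd_config: str, sshproxy_yaml: str) -> dict:
    """The two mismatches to catch before opening port 22 to the friends."""
    forced, routes = forced_users(sshd_config), routed_users(sshproxy_yaml)
    return {
        # routed in sshproxy.yaml but not forced: a real shell on the gateway
        "shell_on_gateway": sorted(set(routes) - forced),
        # forced into sshproxy but without any dest: nothing to proxy to
        "no_route": sorted(u for u in forced if not routes.get(u)),
    }

# Constructed sample: baz has a route but no ForceCommand, bar is forced but has no dest.
SSHD_CONFIG = "Match User foo,bar\n\tForceCommand /sbin/sshproxy\n"
SSHPROXY_YAML = ("users:\n  - foo:\n      routes:\n        default:\n          dest: [10.0.0.1]\n"
                 "  - bar:\n      routes:\n        default:\n          dest: []\n"
                 "  - baz:\n      routes:\n        default:\n          dest: [10.0.0.3]\n")

if __name__ == "__main__":
    print(audit(SSHD_CONFIG, SSHPROXY_YAML))   # {'shell_on_gateway': ['baz'], 'no_route': ['bar']}
```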


More information about the openssh-unix-dev mailing list