Add ssh proxying example

hintjen · Jul 31, 2024 · 3ca655a · 3ca655a
1 parent a91c3d3
commit 3ca655a
Show file tree

Hide file tree

Showing 5 changed files with 95 additions and 0 deletions.
diff --git a/examples/ssh/Dockerfile b/examples/ssh/Dockerfile
@@ -0,0 +1,6 @@
+FROM nginx:latest
+
+COPY entrypoint.sh /entrypoint.sh
+COPY nginx.conf /etc/nginx/nginx.conf
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/examples/ssh/README.md b/examples/ssh/README.md
@@ -0,0 +1,19 @@
+# Proxying SSH connections
+
+The files in this directory illustrate how the selfhosted-gateway can be used to proxy
+ssh connections to remote hosts without publicly routable IP addresses.
+
+## Start local ssh server
+```
+docker compose up -d
+```
+
+## Connect to local ssh server via the Gateway
+```
+ssh -o "ProxyCommand=openssl s_client -connect %h:%p -quiet" -p 443 root@gateway.host -o ServerAliveInterval=30 -o ServerAliveCountMax=120
+root@gateway.host's password:
+```
+
+Note that ServerAliveInterval and ServerAliveCountMax are required to maintain a stable connection.
+
+Try lowering the local link container's `MTU` environment variable if you experience connections getting stuck.
diff --git a/examples/ssh/docker-compose.yaml b/examples/ssh/docker-compose.yaml
@@ -0,0 +1,14 @@
+services:
+  link:
+    image: fractalnetworks/gateway-client:latest
+    environment:
+      LINK_DOMAIN: ssh.gateway.host # resolves to same ip as gateway.host
+      EXPOSE: nginx:443
+      EXPOSE_HTTPS: nginx:443
+      GATEWAY_CLIENT_WG_PRIVKEY: OEG6zqDh3OxHvrhsLD2SG6cejORC8QF9HkXEsV2+w3I=
+      GATEWAY_LINK_WG_PUBKEY: H1AluWTxRGurIw/3RtUXXPCPAiQEZefvhgDY5OPoml4=
+      GATEWAY_ENDPOINT: gateway.host:32768
+      FORWARD_ONLY: true
+    restart: unless-stopped
+    cap_add:
+      - NET_ADMIN
diff --git a/examples/ssh/entrypoint.sh b/examples/ssh/entrypoint.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Generate a self-signed certificate
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+    -keyout nginx-selfsigned.key \
+    -out nginx-selfsigned.crt \
+    -subj "/C=US/ST=State/L=City/O=Organization/OU=Organizational Unit/CN=example.com"
+
+# Move the files
+mkdir -p /etc/nginx/ssl
+mv nginx-selfsigned.key nginx-selfsigned.crt /etc/nginx/ssl/
+
+
+# Start nginx
+nginx -g 'daemon off;'
diff --git a/examples/ssh/nginx.conf b/examples/ssh/nginx.conf
@@ -0,0 +1,41 @@
+
+user  nginx;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log notice;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+}
+
+stream {
+    server {
+        listen 443 ssl proxy_protocol;
+        ssl_certificate /etc/nginx/ssl/nginx-selfsigned.crt;
+        ssl_certificate_key /etc/nginx/ssl/nginx-selfsigned.key;
+
+        proxy_pass ssh:22;  # Forward to SSH server
+    }
+}