How to use Tencent Cloud CVM for SSH reverse proxy

How to use CVM for SSH reverse proxy? This article will tell you the answer

Scenario requirements

Most of the company's internal test servers are placed on the company's intranet. Generally speaking, this access is one-way due to NAT. For example, we can access Baidu's server with the help of a computer or mobile phone, but Baidu's server cannot actively access our terminal. Since it can only be accessed through the company's intranet, employees cannot access it after returning home. The security is safe, but what if there is a demand that needs to be accessed from outside the company?
Children's shoes who are more familiar with routers will say: "Just do port mapping and forwarding on the router." This solution does work, but there are 2 problems. First, you have to be able to control the router and make settings on it. Secondly, the broadband of the general company does not have a fixed IP, which means that the public network IP will change every 10-20 hours.

scene introduction

1. There is a server A in the company, the ip address is: 192.168.2.112, only devices on the same network segment within the company can access
2. There is a CVM with public IP on Tencent Cloud , the IP address is: 119.28.143.101, and everyone can use the key to log in. At this time, if external personnel need to access server A, under normal circumstances, since the company's network exit uses NAT, IT will not open the port forwarding authority, so it cannot be accessed. However, by using SSH port forwarding, it is easy for external personnel to access the internal server. The specific commands are as follows:

 ssh -fNR 222:localhost:22 root@119.28.143.101

Another point is very important, you need to open a configuration for ssh on the server 119.28.143.101 (usually in the /etc/ssh/sshd_config file in linux systems):

 GatewayPorts yes

The meaning of this command is to forward the 222 port request to the CVM to the 22 port of server A, so that we ssh -p 222 119.28.143.101 is equivalent to accessing ssh 192.168.2.112 22 port, of course, you can also forward other ports, such as Common 3389, 22, 21 and other ports.

Telnet 119.28.143.101 port 22 on any computer

Local forwarding and dynamic forwarding

The method mentioned above is also called SSH port remote forwarding. There is also a corresponding method called local forwarding. The command is as follows:

 `ssh -fNL 8080:119.28.143.101:80 root@192.168.2.112` 
 `-f Ask to go to the background before executing a command. It is used when preparing to ask for a password or passphrase, but the user wants it to be done in the background. This option implies the -n option. The recommended way to start an X11 program on a remote machine is something like ssh -f host xterm command` 
 `-N Does not execute remote commands. Used to forward ports. (Protocol version 2 only)` 
 `-L port:host:hostport Forward a port of the local machine (client) to the designated port of the remote designated machine. The working principle is this, a socket listening port port is allocated on the local machine, and once there is a connection on this port, the connection will be Forwarded through a secure channel, and the remote host establishes a connection with the host's hostport port. Port forwarding can be specified in the configuration file. Only root can forward privileged ports. IPv6 addresses are specified in another format: port/host/hostport` 

The above command forwards the request for the local port 8080 to port 80 of 119.28.143.101. At this time, accessing http://127.0.0.1:8080 is equivalent to accessing http://119.28.143.101:80. For example, the company has two servers, which can be interconnected. One of the servers can access the Internet, but the other server is restricted from accessing the public network. At this time, this command can be used to "visit foreign websites".
There is another way called dynamic forwarding, the command is as follows:

 ssh -D 50000 root@119.28.143.101

This method is actually equivalent to a socks proxy. It forwards all local requests to the remote server, which is very practical. If the remote server is abroad, foreign proxy access can be achieved.

Remote intranet Windows server

The above explains how to forward a Linux server with only an internal network through the SSH port. The following will introduce how to forward it to a Windows machine that only has an internal network and relies on NAT to access the external network.
Windows forwarding requires the help of the PuTTY tool, which has a simple and friendly interface and is easy to operate. The detailed environment information is as follows:

1. Windows intranet machine A, IP address: 192.168.2.110, this machine is to access the Internet through NAT.
2. There is a Linux CVM with public IP in Tencent Cloud, IP address: 119.29.14.248 Open PuTTY on machine A, and enter the IP address and corresponding port of the CVM public network. Enter the public network address and port of the CVM Configure the remote port and the local IP and port that need to be mapped in Connection-SSH-Auth-Tunnels in PuTTY, and click the Add button to add it to the PuTTY configuration. Tunnels configuration introduction Click open, enter the account and password to log in (the account and password of the CVM server) Check the monitor on CVM, you can see that there are already 8080 monitors I see that there is already port 8080 listening on CVM If you need to use RDP to log in to the Windows server, because Windows cannot log in to itself, the above method to remotely log in to Windows requires the help of a third server for intranet forwarding.

Cloud Virtual Machine (CVM) provides you with secure and flexible computing capabilities. You can enable CVM in the cloud in just minutes to meet your diverse computing needs. Through CVM, you can easily scale up or down your computing resources as your business needs change. Billed based on your actual resource consumption, CVM reduces your computing costs and simplifies IT-related OPS. Did you learn it? Buy a CVM and try it out!