Home >Operation and Maintenance >Linux Operation and Maintenance >Use ssh reverse proxy and autossh to connect to the internal network from the external network

Use ssh reverse proxy and autossh to connect to the internal network from the external network

大家讲道理
大家讲道理Original
2017-05-28 10:29:213502browse

Preface

I encountered such a problem recently. I set up a server in the laboratory for my juniors or friends to practiceLinux , and usually there is no problem with direct connection here in the laboratory, it is all intranet. But the problem arises when I return to the dormitory. Children's shoes using the campus network can still connect, but young rich people using the external network cannot enter the intranet. Is there a way to connect to the intranet server through the external network? The answer is yes, but the following conditions are required: a server that can be accessed from the external network.

1. Describe the current machine status and sort it out:

##A10.21.32.106gdut728Target Server, located in B123.123.123.123root

PS: 123.123.123.123 was just randomly created by me. Please don’t attack other people’s servers.


2. Solution:

In layman’s terms: it’s Use machine A as a reverse proxy for machine B; then use machine B as a forward proxy to forward local ports

2.1 Preparations before implementation

Required for each machineInstallssh client.

Here I am using centos7, which comes with ssh. If you are using another version of Linux, please Google it manually.

2.2 Introduce the ssh parameters used:

Reverse proxy

ssh -fCNR

Forward proxy

ssh -fCNL

-f 后台执行ssh指令
-C 允许压缩数据
-N 不执行远程指令
-R 将远程主机(服务器)的某个端口转发到本地端指定机器的指定端口
-L 将本地机(客户机)的某个端口转发到远端指定机器的指定端口
-p 指定远程主机的端口

******************区分大小写啊各位亲******************

3. First operate on A:

Establish a reverse proxy from machine A to machine B, specific instructions For

ssh -fCNR [B机器IP或省略]:[B机器端口]:[A机器的IP]:[A机器端口] [登陆B机器的用户名@服务器IP]

Here I used the 7280 port of the B machine and the 22 port of the A machine. According to the above instructions, the operation is like this

ssh -fCNR 7280:localhost:22 root@123.123.123.123

Check whether it has been started and can be usedps aux | grep sshCommand to view:

Use ssh reverse proxy and autossh to connect to the internal network from the external network


4. Then operate on B:

Create B machine Forward proxy is used for forwarding. The specific instructions are

ssh -fCNL [A机器IP或省略]:[A机器端口]:[B机器的IP]:[B机器端口] [登陆B机器的用户名@B机器的IP]

According to the instructions entered in step 3, the port of machine B here is consistent with the port of machine B above. Port 1234 is also machine B. of.

ssh -fCNL *:1234:localhost:7280 localhost

To check whether it has been started, you can use the ps aux | grep ssh command to check:

Use ssh reverse proxy and autossh to connect to the internal network from the external network

## In this case, port 1234 is local The forwarding port is responsible for communicating with the external network and forwarding data to port 7280, which enables access from other machines. At the same time, the * sign indicates that it can accept access from any IP.


5. It’s time to show the miracle

Now that we have configured the AB machine, we can log in to the intranet from a computer on the external network. Since my current computer is on the internal network and the servers are all on the external network (that is, the configured machine B), I can connect to machine A on my internal network through machine B. The specific instructions are:

ssh -p1234 gdut728@123.123.123.123
The -p parameter here is the specified login IP. We specified port 1234 as the forwarding port above, so we use port 1234 to log in. Then gdut728 is the user name of machine A on the internal network, and 123.123.123.123 is the IP address of machine B on the external network. .

Use ssh reverse proxy and autossh to connect to the internal network from the external network


#6. This reverse proxy method is unstable

Unfortunately, this ssh reverse link will fail due to timeout Close. If it is closed, the channel connecting the external network to the internal network cannot be maintained. For this reason, we need another method to provide a stable ssh reverse proxy tunnel.

6.1 Each time ssh reconnects, you need to enter the password, so first set up a password-free login to the intranet

Execute on machine A on the intranet:

ssh-copy-id 内网用户名@外网IP -p指定转发的端口
According to the port I set before, this command is as follows

ssh-copy-id gdut728@123.123.123.123 -p1234

Use ssh reverse proxy and autossh to connect to the internal network from the external network

After that, machine A on the internal network can log in to machine B on my external network via ssh without a password. La~

To check whether password-free login can be used, you can use the following command to check:

ssh root@123.123.123.123

Use ssh reverse proxy and autossh to connect to the internal network from the external network##6.2 Use autossh to establish a stable tunnel

centos7

autossh

is not installed by default, so use the following command to install <pre class="brush:php;toolbar:false">yum install autossh</pre> to see the specific autossh instructions for the parameters and parameters of

autossh -M 7281 -fCNR 7280:localhost:22 root@123.123.123.123

autossh

The parameters of ssh are the same, but the difference is that when the tunnel is disconnected, autossh will automatically reconnect but ssh will not. Another difference is the -M parameter that we need to point out. This parameter specifies a port. This port is used by machine B on the external network to receive information from machine A on the internal network. If the tunnel is not normal, it will be returned to machine A for him to reconnect. .

Use ssh reverse proxy and autossh to connect to the internal network from the external network

#7. Finally, configure Linux to automatically start autossh at boot, eliminating the trouble of starting autossh yourself after restarting Linux

Input:

vi /etc/rc.d/rc.local

Add content:

autossh -M 7281 -fCNR 7280 :localhost:22 root@123.123.123.123

Because after centos7, the function of directly modifying
/etc/rc.d/rc.local

to start the script automatically takes effect Because of the modification, you need to re-grant executable permissions

and then enter

chmod +x /etc/rc.d/rc.local<a href="//m.sbmmt.com/wiki/1294.html" target="_blank"></a>

8. Conclusion:

Finally the configuration is complete. It is unclear whether it will be disconnected. Let’s see what happens tomorrow and then
update

. If there is anything wrong, please correct me~

Refer to the following website

SSH into the LAN from the external network, reverse proxy + forward proxy solution

Use SSH reverse tunnel for intranet penetration

Machine IP Username Remarks
Internal network
External network Server, equivalent to the role of a bridge

The above is the detailed content of Use ssh reverse proxy and autossh to connect to the internal network from the external network. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn