##A | 10.21.32.106 | gdut728 | Target Server, located in Internal network
|
B | 123.123.123.123 | root |
External network Server, equivalent to the role of a bridge
|
PS: 123.123.123.123 was just randomly created by me. Please don’t attack other people’s servers.
2. Solution:
In layman’s terms: it’s Use machine A as a reverse proxy for machine B; then use machine B as a forward proxy to forward local ports
2.1 Preparations before implementation
Required for each machineInstallssh client.
Here I am using centos7, which comes with ssh. If you are using another version of Linux, please Google it manually.
2.2 Introduce the ssh parameters used:
Reverse proxy
ssh -fCNR
Forward proxy
ssh -fCNL
-f 后台执行ssh指令
-C 允许压缩数据
-N 不执行远程指令
-R 将远程主机(服务器)的某个端口转发到本地端指定机器的指定端口
-L 将本地机(客户机)的某个端口转发到远端指定机器的指定端口
-p 指定远程主机的端口
******************区分大小写啊各位亲******************
3. First operate on A:
Establish a reverse proxy from machine A to machine B, specific instructions For
ssh -fCNR [B机器IP或省略]:[B机器端口]:[A机器的IP]:[A机器端口] [登陆B机器的用户名@服务器IP]
Here I used the 7280 port of the B machine and the 22 port of the A machine. According to the above instructions, the operation is like this
ssh -fCNR 7280:localhost:22 root@123.123.123.123
Check whether it has been started and can be usedps aux | grep ssh
Command to view:
4. Then operate on B:
Create B machine Forward proxy is used for forwarding. The specific instructions are
ssh -fCNL [A机器IP或省略]:[A机器端口]:[B机器的IP]:[B机器端口] [登陆B机器的用户名@B机器的IP]
According to the instructions entered in step 3, the port of machine B here is consistent with the port of machine B above. Port 1234 is also machine B. of.
ssh -fCNL *:1234:localhost:7280 localhost
To check whether it has been started, you can use the ps aux | grep ssh
command to check:
## In this case, port 1234 is local The forwarding port is responsible for communicating with the external network and forwarding data to port 7280, which enables access from other machines. At the same time, the * sign indicates that it can accept access from any IP.
5. It’s time to show the miracleNow that we have configured the AB machine, we can log in to the intranet from a computer on the external network. Since my current computer is on the internal network and the servers are all on the external network (that is, the configured machine B), I can connect to machine A on my internal network through machine B. The specific instructions are:
ssh -p1234 gdut728@123.123.123.123
The -p parameter here is the specified login IP. We specified port 1234 as the forwarding port above, so we use port 1234 to log in. Then gdut728 is the user name of machine A on the internal network, and 123.123.123.123 is the IP address of machine B on the external network. .
#6. This reverse proxy method is unstableUnfortunately, this ssh reverse link will fail due to timeout Close. If it is closed, the channel connecting the external network to the internal network cannot be maintained. For this reason, we need another method to provide a stable ssh reverse proxy tunnel. 6.1 Each time ssh reconnects, you need to enter the password, so first set up a password-free login to the intranet Execute on machine A on the intranet:
ssh-copy-id 内网用户名@外网IP -p指定转发的端口
According to the port I set before, this command is as follows
ssh-copy-id gdut728@123.123.123.123 -p1234
After that, machine A on the internal network can log in to machine B on my external network via ssh without a password. La~ To check whether password-free login can be used, you can use the following command to check:
ssh root@123.123.123.123
##6.2 Use autossh to establish a stable tunnel
centos7
autossh is not installed by default, so use the following command to install <pre class="brush:php;toolbar:false">yum install autossh</pre>
to see the specific autossh instructions for the parameters and parameters of
autossh -M 7281 -fCNR 7280:localhost:22 root@123.123.123.123
autossh The parameters of ssh are the same, but the difference is that when the tunnel is disconnected, autossh will automatically reconnect but ssh will not. Another difference is the -M parameter that we need to point out. This parameter specifies a port. This port is used by machine B on the external network to receive information from machine A on the internal network. If the tunnel is not normal, it will be returned to machine A for him to reconnect. .
#7. Finally, configure Linux to automatically start autossh at boot, eliminating the trouble of starting autossh yourself after restarting Linux
Input:
vi /etc/rc.d/rc.local
Add content:
autossh -M 7281 -fCNR 7280 :localhost:22 root@123.123.123.123
Because after centos7, the function of directly modifying /etc/rc.d/rc.local to start the script automatically takes effect Because of the modification, you need to re-grant executable permissions
and then enter
chmod +x /etc/rc.d/rc.local<a href="//m.sbmmt.com/wiki/1294.html" target="_blank"></a>
8. Conclusion:
Finally the configuration is complete. It is unclear whether it will be disconnected. Let’s see what happens tomorrow and then update. If there is anything wrong, please correct me~
Refer to the following website
SSH into the LAN from the external network, reverse proxy + forward proxy solution
Use SSH reverse tunnel for intranet penetration
The above is the detailed content of Use ssh reverse proxy and autossh to connect to the internal network from the external network. For more information, please follow other related articles on the PHP Chinese website!