[ale] SSH Reverse Proxy
Michael B. Trausch
mbt at zest.trausch.us
Sat Sep 26 08:30:54 EDT 2009
On Fri, 2009-09-25 at 21:06 -0400, Brian Pitts wrote:
> When an ssh client initiates a connection to an ssh server, does it
> send the hostname of the ssh server?
Unless there is something in the SSH protocol itself to say that it
does, it does not. Network connections do not transmit the hostname,
they just send packets to an address in DNS that matches the hostname.
HTTP/1.1 makes virtual hosting possible by including a "Host:" header in
an HTTP transaction, for example. (This does not work for SSL, since
the SSL connection is negotiated before the Host: header is sent; it
will only work if the SSL certificate is a wildcard and the hostname of
the virtual host matches the wildcard.) But, see below for a possible
solution.
>
> I'm trying to figure out if it's feasible to write a reverse proxy for
> ssh. Imagine several NATed hosts behind a public gateway. Instead of
> forwarding ports, using ProxyCommand, or some other solution that
> requires changes client side, you could have a reverse proxy running
> on port 22 of the gateway that checks the hostname and transparently
> redirects traffic to the right host.
If you control the circumstances of getting to your server, you can use
an IPv6 connection and multiple IP addresses to make a mapping work.
That way, if on your proxy machine, it gets an address on the IP ending
in ::1, it directs to real server X, on the IP ending in ::2, it directs
to real server Y, and so forth.
You can also use DNS SRV as a possibility, so that when you 'ssh
host.foo' it can use the DNS SRV record to find out what port SSH is
running on for 'host.foo'. This will only work if the SSH
implementation supports looking up ports on the target host that way,
though, and I do not know if this is the case for OpenSSH.
--- Mike
--
Blog: http://mike.trausch.us/blog/
Misc. Software: http://mike.trausch.us/software/
“The greater danger for most of us lies not in setting our aim too
high and falling short; but in setting our aim too low, and achieving
our mark.” —Michelangelo
More information about the Ale
mailing list