SSH port forwarding (Tunneling Technology)
2022-07-28 13:11:00 【Love in Nanxin】
1. Local port forwarding
Assume the following scenario: there is a local client A and two remote servers, B and C. B and C are on the same intranet; B has a public IP configured, while C has only an intranet IP. The requirement is that A must be able to reach the nginx service deployed on C (listening on port 80). How can this be solved? (Prerequisite: A can open an ssh connection to server B.) As shown in the figure, ssh's local port forwarding can do this.

(Red arrows indicate the returning data flow; black arrows indicate the request data flow.)
In this setup, the ssl (encrypted) data flow between the ssh client and the ssh server is: from client A to server B, and then on to C.
The application data flow between curl and nginx is the same: from A to B, and then on to C.
Command:
ssh -L 80:192.168.1.3:80 [email protected]
(You can configure ssh to log in with a key so that no password is needed; otherwise, enter the password.) Now, running curl localhost:80 on A reaches the nginx page on server C.
If the ssl data flow runs in the same direction as the application data flow, we call it local port forwarding. Otherwise it is remote port forwarding, which is covered below.
In local port forwarding, B in effect acts as a proxy server: data sent to local port 80 on A travels to B, B sees that the packet was forwarded from A's port 80, forwards it to C, gets the response and returns it to A.
Common practical scenarios: remote Docker container development, where you cannot connect to the container directly and can only ssh to it through a proxy. Remote development in PhpStorm only supports connecting directly over ssh using SFTP; at present PhpStorm has no setting for making the SFTP connection through a proxy. This is where local port forwarding helps: tunnel to the port of the remote Docker container, and PhpStorm's SFTP connection settings can then point directly at the local port to use the SFTP file upload function.
2. Remote port forwarding
Now suppose the situation is reversed: B can ssh to A, but A definitely cannot connect to B. The ssl data flow is now B->A, but the application data flow is still A->B->C. When the application data flow and the ssl flow are inconsistent like this, it is called remote port forwarding.
Command (run on B, which opens the ssh connection to A):
ssh -f -N -R 80:192.168.1.3:80 [email protected] (the server IP)
(You can configure ssh to log in with a key so that no password is needed; otherwise, enter the password.) This way the application data flow is still A->B->C: A visits its local port 80 and reaches the nginx service on C.
Whether to use local or remote port forwarding depends on the actual situation.
3. Dynamic port forwarding
This is like local port forwarding in that the application data flow and the ssl flow run in the same direction; the difference is that in dynamic port forwarding the ssh server acts as a SOCKS5 proxy. It can be used to get past a firewall to visit overseas websites, provided that your ssh server can reach those websites.
ssh -D 1080 [email protected] (the overseas server IP)
Now set the local browser's proxy to SOCKS5 on local port 1080, and it can get past the firewall restrictions to reach overseas servers.
In essence the principle is the same: when the data passes through the firewall it has been encrypted by ssh, so the firewall cannot judge the legitimacy of the data and therefore cannot intercept the request. The same is true when data is returned. However, the ssl handshake has obvious traffic characteristics, so a firewall that makes the effort can identify the type of traffic.
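The three modes above differ in which end opens the listening port and which end makes the onward connection to the target. The following added example (not part of the original article; the function names `split_spec` and `describe_forward` are made up for illustration) parses the -L, -R and -D arguments used above and reports that, together with whether the listener is requested on a non-loopback address:

```python
# Added example, not the article's code: for an OpenSSH -L / -R / -D option,
# report which end listens and which end dials the target (per ssh(1)).
MODES = {  # flag: (listening end, end that opens the onward connection)
    "-L": ("ssh client", "ssh server"),  # local forwarding
    "-R": ("ssh server", "ssh client"),  # remote forwarding
    "-D": ("ssh client", "ssh server"),  # dynamic (SOCKS) forwarding
}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def split_spec(spec):
    """Split on ':' but keep a bracketed IPv6 literal such as [::1] whole."""
    parts, buf, in_brackets = [], "", False
    for ch in spec:
        if ch == "[":
            in_brackets = True
        elif ch == "]":
            in_brackets = False
        elif ch == ":" and not in_brackets:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    return parts + [buf]


def describe_forward(flag, spec):
    listener, dialer = MODES[flag]
    parts = split_spec(spec)
    full = 2 if flag == "-D" else 4  # field count when bind_address is given
    if len(parts) == full:
        bind, rest = parts[0], parts[1:]
    elif len(parts) == full - 1:
        bind, rest = None, parts  # no bind_address: loopback by default
    else:
        raise ValueError(f"unsupported {flag} spec: {spec!r}")
    port = int(rest[0])
    target = "per-request (SOCKS)" if flag == "-D" else f"{rest[1]}:{int(rest[2])}"
    return {
        "listens_on": listener, "dials_from": dialer,
        "listen_port": port, "target": target,
        # '' or '*' requests all interfaces; any non-loopback bind exposes the port
        "non_loopback_bind": bind is not None and bind not in LOOPBACK,
        "privileged_port": port < 1024,  # normally needs root on the listening host
    }


if __name__ == "__main__":
    for flag, spec in (("-L", "80:192.168.1.3:80"), ("-R", "80:192.168.1.3:80"), ("-D", "1080")):
        print(flag, spec, describe_forward(flag, spec))
```

In the article's scenario the "ssh client" is A for the -L and -D commands and B for the -R command, so in all three cases the listening port ends up on A.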
Article reference : https://www.ibm.com/developerworks/cn/linux/l-cn-sshforward/index.html