拉新网 - 挖掘京东今日特价爆款商品 - 线报平台

小天天

Moderator

注册时间： 2019-09-29

帖子： 886

ssh反向代理实现内网穿透

应用场景：服务端A和用户端B在隔离的内部环境中，无法互通，但都能跟公网上的C端通信
可采取ssh反向代理A的方式，实现和B互通，本案可适用各类常见tcp，http协议

即
C代理A（服务端）：反向代理
C代理B（用户端）：正向代理
-------------

ssh，需要启用的参数：

-C      Requests compression of all data (including stdin, stdout, stderr, and data for forwarded X11, TCP and UNIX-domain
             connections).  The compression algorithm is the same used by gzip(1), and the “level” can be controlled by the
             CompressionLevel option for protocol version 1.  Compression is desirable on modem lines and other slow connec‐
             tions, but will only slow down things on fast networks.  The default value can be set on a host-by-host basis in
             the configuration files; see the Compression option.

-N      Do not execute a remote command.  This is useful for just forwarding ports.

     
-L [bind_address:]port:host:hostport     
-L [bind_address:]port:remote_socket     
-L local_socket:host:hostport     
-L local_socket:remote_socket

             Specifies that connections to the given TCP port or Unix socket on the local (client) host are to be forwarded to
             the given host and port, or Unix socket, on the remote side.  This works by allocating a socket to listen to
             either a TCP port on the local side, optionally bound to the specified bind_address, or to a Unix socket.  When‐
             ever a connection is made to the local port or socket, the connection is forwarded over the secure channel, and a
             connection is made to either host port hostport, or the Unix socket remote_socket, from the remote machine.

             Port forwardings can also be specified in the configuration file.  Only the superuser can forward privileged
             ports.  IPv6 addresses can be specified by enclosing the address in square brackets.

             By default, the local port is bound in accordance with the GatewayPorts setting.  However, an explicit
             bind_address may be used to bind the connection to a specific address.  The bind_address of “localhost” indicates
             that the listening port be bound for local use only, while an empty address or ‘*’ indicates that the port should
             be available from all interfaces.

     
-R [bind_address:]port:host:hostport   
-R [bind_address:]port:local_socket     
-R remote_socket:host:hostport   
-R remote_socket:local_socket
             Specifies that connections to the given TCP port or Unix socket on the remote (server) host are to be forwarded to
             the given host and port, or Unix socket, on the local side.  This works by allocating a socket to listen to either
             a TCP port or to a Unix socket on the remote side.  Whenever a connection is made to this port or Unix socket, the
             connection is forwarded over the secure channel, and a connection is made to either host port hostport, or
             local_socket, from the local machine.

             Port forwardings can also be specified in the configuration file.  Privileged ports can be forwarded only when
             logging in as root on the remote machine.  IPv6 addresses can be specified by enclosing the address in square
             brackets.

             By default, TCP listening sockets on the server will be bound to the loopback interface only.  This may be over‐
             ridden by specifying a bind_address.  An empty bind_address, or the address ‘*’, indicates that the remote socket
             should listen on all interfaces.  Specifying a remote bind_address will only succeed if the server's GatewayPorts
             option is enabled (see sshd_config(5)).

             If the port argument is ‘0’, the listen port will be dynamically allocated on the server and reported to the
             client at run time.  When used together with -O forward the allocated port will be printed to the standard output.

总结：
-R remoteip:remoteport:localip:localport  实现远程服务器代理本地服务
-L localip1:localport1:localip2:localport2  实现本地内部转发 //localip1,localip2通常在同一个台机器上，比如把eth1---转发到lo上

案例1： 通过公网B，把内网A的http服务代理到公网上可访问
--------
内网A webserver： 192.168.100.227/24  port 80
公网B 代理服务器：  182.92.xxx.xxx/24   port 80

-------

操作：
A机：
yum install epel-release.noarch
yum install autossh
ssh-keygen
ssh-copy-id root@182.92.xxx.xxx
autossh -M 7280 -fCNR 182.92.xxx.xxx:80:localhost:80 root@182.92.xxx.xxx

放行需要暴露的服务端口
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address='B机公网IP' port port=80 protocol=tcp accept'
firewall-cmd --reload

B机：
>vi /etc/ssh/sshd_config
修改GatewayPorts yes，允许ssh做代理网关

代理跑起来后，B机的socket，能看到B机自动建立80,7280端口：
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      18145/sshd: root   
tcp        0      0 0.0.0.0:7280            0.0.0.0:*               LISTEN      18145/sshd: root

访问B的80,实际请求到A上

案例2： 公网B机做A机代理，同时隐藏真实服务端口
A机：
autossh -M 20081 -fCNR  20080:localhost:80 root@182.92.xxx.xxx

B机：
同案例1,修改GatewayPorts yes

其次，让用户访问B机80端口，然后采用端口转发的方式，转发流量到ssh通道，去往A机80

ssh -fCNL 182.92.xxx.xxx:80:127.0.0.1:20080 127.0.0.1

---可选：haproxy替代，以下---

vi /etc/haproxy/haproxy.cfg

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

listen  ssh
        mode            http
        option        httplog
        option          dontlognull
        retries         1
        timeout connect      50000
        timeout client      50000
        timeout server      50000
        maxconn 40000
        bind 182.92.xxx.xxx:80
        server  srv1 127.0.0.1:20080

最近编辑记录 小天天 (2020-09-18 17:18:31)