通过 Ubuntu 堡垒的 SSH 隧道到私有子网中的 EC2 实例
SSH Tunnel through Ubuntu bastion to EC2 instance in private subnet
根据这个 AWS 文档:Scenario 2: VPC with Public and Private Subnets (NAT) 我有自己的 VPC,有两个子网:私有和 public。在 public 子网中,我部署了一个 Ubuntu 16.04 实例,并分配了 EIP。它还有下一个安全组入站规则:
Type Protocol Port Range Source Description
SSH TCP 22 xx.xx.xx.xx/32 Home IP
并相应地出站:
Type Protocol Port Range Source Description
SSH TCP 22 sg-xxprivatexx Security group ID for instance in private subnet
看起来不错,我可以 ssh 从我家外面。没问题。
我在私有子网中部署了另一台 Ubuntu 16.04 机器,下一个安全组(入站规则):
Type Protocol Port Range Source Description
HTTP TCP 80 sg-xxpublicxxx Security Group ID for bastion instance in public subnet
SSH TCP 22 sg-xxpublicxxx -
并且没有出站规则(实际上它打开了 80、443 个出站端口,但我猜这不是一个有趣的部分)。我仍然可以从我的堡垒使用 ssh 访问此虚拟机。
现在我只想做一件简单的事情 - 运行 ssh 端口转发 这样我就可以 运行 localhost:8080 在我的家用电脑浏览器上看到我发布的网页我的私人实例。如果我也从 here and here (and from here 中正确理解它)我必须 运行 类似的东西:
ssh -N -v -L 8080:10.0.1.112:80 ubuntu@3.121.46.99
我猜这基本上意味着:只需将流量从 IP 10.0.1.112:80 的私有子网实例转发到我的 localhost:8080,通过我在 EIP 3.121.46.99.
调试以以下行结束:
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:ZyVHgnF8z5vE5gfNr1S2JDfjhdydZVTNevPRgJZ+sRA /home/matterai/.ssh/key.pem
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/matterai/.ssh/id_rsa
debug1: Trying private key: /home/matterai/.ssh/id_dsa
debug1: Trying private key: /home/matterai/.ssh/id_ecdsa
debug1: Trying private key: /home/matterai/.ssh/id_ed25519
debug1: No more authentication methods to try.
matterai@3.121.46.99: Permission denied (publickey).
我已经玩了几天了,但我仍然不明白我做错了什么。太奇怪了:我可以 ssh -A(允许转发)到我的堡垒,我可以 ssh 从堡垒到我的私有实例。但是我无法建立 SSH 隧道以无错误地查看我的网页(将来它将是 mongodb)。请需要一些建议或指出正确的方向!谢谢。
UPD#1
那好吧。如果我使用我的本地机器和堡垒进行手动转发,我会得到预期的结果。基本上它意味着运行堡垒上的这个命令:
ubuntu@bastion: ssh -v -N -L 5000:localhost:8000 ubuntu@10.0.1.68
之后 运行s 在 local/home 机器上的命令:
matterai@homepc: ssh -v -N -L 5000:localhost:5000 ubuntu@3.121.46.99
当我在本地机器上向 localhost:5000 发出请求时,我可以看到结果页面。我可以吗?如果可以将这两个命令结合起来怎么办? (剧透:是的,这是可能的:看到答案!)
您似乎配置正确,但错误是找不到用于连接的私钥。
要测试端口转发,首先使用登录到您的 public 实例的 ssh 命令。
然后,执行该命令,然后简单地添加:-L 8080:10.0.1.112:80
如果它适用于 'normal' ssh,那么它也适用于端口转发。
顺便说一句,一般来说,您永远不需要修改安全组的出站规则。默认设置允许所有出站流量。 'trusts' 实例上的应用程序 运行 并允许它们向外通信到任何地方。您只需要在希望实施高安全性环境的地方限制此类规则。
好的,很简单。希望我的回答对大家有所帮助。
- 您需要使用
ssh -J 选项通过堡垒虚拟机进行连接:
-J [user@]host[:port]
Connect to the target host by first making a ssh connection to
the jump host and then establishing a TCP forwarding to the ulti‐
mate destination from there. Multiple jump hops may be specified
separated by comma characters. This is a shortcut to specify a
ProxyJump configuration directive.
- 然后您需要使用
ssh将流量从应用程序(或数据库)启动的目标虚拟机端口(:8000)转发到您的本地主机端口(:5001)-L:
-L [bind_address:]port:host:hostport
-L [bind_address:]port:remote_socket
-L local_socket:host:hostport
-L local_socket:remote_socket
Specifies that connections to the given TCP port or Unix socket
on the local (client) host are to be forwarded to the given host
and port, or Unix socket, on the remote side. This works by
allocating a socket to listen to either a TCP port on the local
side, optionally bound to the specified bind_address, or to a
Unix socket. Whenever a connection is made to the local port or
socket, the connection is forwarded over the secure channel, and
a connection is made to either host port hostport, or the Unix
socket remote_socket, from the remote machine.
Port forwardings can also be specified in the configuration file.
Only the superuser can forward privileged ports. IPv6 addresses
can be specified by enclosing the address in square brackets.
By default, the local port is bound in accordance with the
GatewayPorts setting. However, an explicit bind_address may be
used to bind the connection to a specific address. The
bind_address of “localhost” indicates that the listening port be
bound for local use only, while an empty address or ‘*’ indicates
that the port should be available from all interfaces.
- 完整的 ssh 命令如下所示:
matterai@homepc: ssh -v -N -A -J ubuntu@3.121.46.99 -L 5001:localhost:8000 ubuntu@10.0.1.112
UPD: 你也可以简化你的命令。在 ~/.ssh/config 中,您可以添加您的跳转主机(堡垒)和最终目标 VM IP:
Host bastion
HostName 3.121.46.99
User ubuntu
Port 22
IdentityFile ~/.ssh/secret.pem
ForwardAgent yes
Host server
HostName 10.0.1.112
User ubuntu
Port 22
IdentityFile ~/.ssh/secret.pem
ProxyJump bastion
现在,您可以运行命令:
ssh -v -N -A -J bastion -L 80:localhost:8000 server
看起来好多了。您也可以使用 ssh server.
通过 ssh 简单地连接
根据这个 AWS 文档:Scenario 2: VPC with Public and Private Subnets (NAT) 我有自己的 VPC,有两个子网:私有和 public。在 public 子网中,我部署了一个 Ubuntu 16.04 实例,并分配了 EIP。它还有下一个安全组入站规则:
Type Protocol Port Range Source Description
SSH TCP 22 xx.xx.xx.xx/32 Home IP
并相应地出站:
Type Protocol Port Range Source Description
SSH TCP 22 sg-xxprivatexx Security group ID for instance in private subnet
看起来不错,我可以 ssh 从我家外面。没问题。
我在私有子网中部署了另一台 Ubuntu 16.04 机器,下一个安全组(入站规则):
Type Protocol Port Range Source Description
HTTP TCP 80 sg-xxpublicxxx Security Group ID for bastion instance in public subnet
SSH TCP 22 sg-xxpublicxxx -
并且没有出站规则(实际上它打开了 80、443 个出站端口,但我猜这不是一个有趣的部分)。我仍然可以从我的堡垒使用 ssh 访问此虚拟机。
现在我只想做一件简单的事情 - 运行 ssh 端口转发 这样我就可以 运行 localhost:8080 在我的家用电脑浏览器上看到我发布的网页我的私人实例。如果我也从 here and here (and from here 中正确理解它)我必须 运行 类似的东西:
ssh -N -v -L 8080:10.0.1.112:80 ubuntu@3.121.46.99
我猜这基本上意味着:只需将流量从 IP 10.0.1.112:80 的私有子网实例转发到我的 localhost:8080,通过我在 EIP 3.121.46.99.
调试以以下行结束:
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:ZyVHgnF8z5vE5gfNr1S2JDfjhdydZVTNevPRgJZ+sRA /home/matterai/.ssh/key.pem
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/matterai/.ssh/id_rsa
debug1: Trying private key: /home/matterai/.ssh/id_dsa
debug1: Trying private key: /home/matterai/.ssh/id_ecdsa
debug1: Trying private key: /home/matterai/.ssh/id_ed25519
debug1: No more authentication methods to try.
matterai@3.121.46.99: Permission denied (publickey).
我已经玩了几天了,但我仍然不明白我做错了什么。太奇怪了:我可以 ssh -A(允许转发)到我的堡垒,我可以 ssh 从堡垒到我的私有实例。但是我无法建立 SSH 隧道以无错误地查看我的网页(将来它将是 mongodb)。请需要一些建议或指出正确的方向!谢谢。
UPD#1
那好吧。如果我使用我的本地机器和堡垒进行手动转发,我会得到预期的结果。基本上它意味着运行堡垒上的这个命令:
ubuntu@bastion: ssh -v -N -L 5000:localhost:8000 ubuntu@10.0.1.68
之后 运行s 在 local/home 机器上的命令:
matterai@homepc: ssh -v -N -L 5000:localhost:5000 ubuntu@3.121.46.99
当我在本地机器上向 localhost:5000 发出请求时,我可以看到结果页面。我可以吗?如果可以将这两个命令结合起来怎么办? (剧透:是的,这是可能的:看到答案!)
您似乎配置正确,但错误是找不到用于连接的私钥。
要测试端口转发,首先使用登录到您的 public 实例的 ssh 命令。
然后,执行该命令,然后简单地添加:-L 8080:10.0.1.112:80
如果它适用于 'normal' ssh,那么它也适用于端口转发。
顺便说一句,一般来说,您永远不需要修改安全组的出站规则。默认设置允许所有出站流量。 'trusts' 实例上的应用程序 运行 并允许它们向外通信到任何地方。您只需要在希望实施高安全性环境的地方限制此类规则。
好的,很简单。希望我的回答对大家有所帮助。
- 您需要使用
ssh-J选项通过堡垒虚拟机进行连接:
-J [user@]host[:port] Connect to the target host by first making a ssh connection to the jump host and then establishing a TCP forwarding to the ulti‐ mate destination from there. Multiple jump hops may be specified separated by comma characters. This is a shortcut to specify a ProxyJump configuration directive.
- 然后您需要使用
ssh将流量从应用程序(或数据库)启动的目标虚拟机端口(:8000)转发到您的本地主机端口(:5001)-L:
-L [bind_address:]port:host:hostport -L [bind_address:]port:remote_socket -L local_socket:host:hostport -L local_socket:remote_socket Specifies that connections to the given TCP port or Unix socket on the local (client) host are to be forwarded to the given host and port, or Unix socket, on the remote side. This works by allocating a socket to listen to either a TCP port on the local side, optionally bound to the specified bind_address, or to a Unix socket. Whenever a connection is made to the local port or socket, the connection is forwarded over the secure channel, and a connection is made to either host port hostport, or the Unix socket remote_socket, from the remote machine. Port forwardings can also be specified in the configuration file. Only the superuser can forward privileged ports. IPv6 addresses can be specified by enclosing the address in square brackets. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of “localhost” indicates that the listening port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces.
- 完整的 ssh 命令如下所示:
matterai@homepc: ssh -v -N -A -J ubuntu@3.121.46.99 -L 5001:localhost:8000 ubuntu@10.0.1.112
UPD: 你也可以简化你的命令。在 ~/.ssh/config 中,您可以添加您的跳转主机(堡垒)和最终目标 VM IP:
Host bastion
HostName 3.121.46.99
User ubuntu
Port 22
IdentityFile ~/.ssh/secret.pem
ForwardAgent yes
Host server
HostName 10.0.1.112
User ubuntu
Port 22
IdentityFile ~/.ssh/secret.pem
ProxyJump bastion
现在,您可以运行命令:
ssh -v -N -A -J bastion -L 80:localhost:8000 server
看起来好多了。您也可以使用 ssh server.