通过堡垒主机到 VPC 中的 Elasticsearch 集群的 ssh 端口转发不起作用
ssh port forwarding through bastion host to Elasticsearch cluster in VPC not working
我想 运行 我的 Macbook 上的一些代码通过堡垒主机访问 VPC 中的一个 Elasticsearch 集群。
这是我的 ssh 隧道命令:
ssh -i ~/Downloads/keypairs/20210402-02.pem ubuntu@ec2-123-456.us-west-2.compute.amazonaws.com -N -L 9200:https://vpc-123-es-domain-20210406-3abc123.us-west-2.es.amazonaws.com:443
然而,这给了我以下错误:
bind [0.0.35.240]:443: Can't assign requested address
channel_setup_fwd_listener_tcpip: cannot listen to port: 443
Could not request local forwarding.
已添加 -v 提供了以下详细信息:
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to ec2-123-456.us-west-2.compute.amazonaws.com port 22.
debug1: Connection established.
debug1: identity file /Users/fisher/Downloads/keypairs/20210402-02.pem type -1
debug1: identity file /Users/fisher/Downloads/keypairs/20210402-02.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to ec2-123-456.us-west-2.compute.amazonaws.com:22 as 'ubuntu'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:7C3VWdZcCglhxtk4ejyayRABeEsVgEMgj+Fp4K3DNFk
debug1: Host 'ec2-123-456.us-west-2.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /Users/fisher/.ssh/known_hosts:9
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /Users/fisher/Downloads/keypairs/20210402-02.pem explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/fisher/Downloads/keypairs/20210402-02.pem
debug1: Authentication succeeded (publickey).
Authenticated to ec2-123-456.us-west-2.compute.amazonaws.com ([54.214.52.40]:22).
debug1: Local connections to 9200:443 forwarded to remote address //vpc-123-es-domain-20210406-3abc123.us-west-2.es.amazonaws.com:443
debug1: Local forwarding listening on 0.0.35.240 port 443.
bind [0.0.35.240]:443: Can't assign requested address
channel_setup_fwd_listener_tcpip: cannot listen to port: 443
Could not request local forwarding.
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /home/ubuntu/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
我的研究指出我要添加 -4 以强制它使用 IPv4 而不是 IPv6,这不是我的情况而且它没有用。
任何人都可以就如何连接隧道提出任何见解?
Ubuntu是堡垒机的root用户:
ubuntu@ip-11-0-31-228:~$ sudo -s
root@ip-10-0-31-228:/home/ubuntu# id
uid=0(root) gid=0(root) groups=0(root)
谢谢!
-L 9200:https://vpc-123-es-domain-20210406-3abc123.us-west-2.es.amazonaws.com:443
您的转发指令似乎格式不正确。 ssh 将其解释为这样的四部分形式:
- 本地地址 9200(是的,this is a valid IP address format)
- 本地端口“https”,即端口 443
- 远程地址 pc-123-es-domain-20210406-3abc123.etc.
- 远程端口 443
潜在的问题是您将 URL 指定为远程,而不仅仅是主机名。试试这个:
-L 9200:vpc-123-es-domain-20210406-3abc123.us-west-2.es.amazonaws.com:443
这是我深入研究后犯下的愚蠢错误,这一行泄露了它:
debug1: Local connections to 9200:443 forwarded to remote address //vpc-123-es-domain-20210406-3abc123.us-west-2.es.amazonaws.com:443
如果正确,它会像下面这样:
debug1: Local connections to LOCALHOST:9200 forwarded to remote address vpc-es-domain-20210406-3abc123.us-west-2.es.amazonaws.com:443
有两件事帮助我完成了这项工作:
1. remove the "https://" in front of the vpc endpoint
2. stop any other local processes that run on port 9200 on my Macbook.
我想 运行 我的 Macbook 上的一些代码通过堡垒主机访问 VPC 中的一个 Elasticsearch 集群。
这是我的 ssh 隧道命令:
ssh -i ~/Downloads/keypairs/20210402-02.pem ubuntu@ec2-123-456.us-west-2.compute.amazonaws.com -N -L 9200:https://vpc-123-es-domain-20210406-3abc123.us-west-2.es.amazonaws.com:443
然而,这给了我以下错误:
bind [0.0.35.240]:443: Can't assign requested address
channel_setup_fwd_listener_tcpip: cannot listen to port: 443
Could not request local forwarding.
已添加 -v 提供了以下详细信息:
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to ec2-123-456.us-west-2.compute.amazonaws.com port 22.
debug1: Connection established.
debug1: identity file /Users/fisher/Downloads/keypairs/20210402-02.pem type -1
debug1: identity file /Users/fisher/Downloads/keypairs/20210402-02.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to ec2-123-456.us-west-2.compute.amazonaws.com:22 as 'ubuntu'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:7C3VWdZcCglhxtk4ejyayRABeEsVgEMgj+Fp4K3DNFk
debug1: Host 'ec2-123-456.us-west-2.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /Users/fisher/.ssh/known_hosts:9
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /Users/fisher/Downloads/keypairs/20210402-02.pem explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/fisher/Downloads/keypairs/20210402-02.pem
debug1: Authentication succeeded (publickey).
Authenticated to ec2-123-456.us-west-2.compute.amazonaws.com ([54.214.52.40]:22).
debug1: Local connections to 9200:443 forwarded to remote address //vpc-123-es-domain-20210406-3abc123.us-west-2.es.amazonaws.com:443
debug1: Local forwarding listening on 0.0.35.240 port 443.
bind [0.0.35.240]:443: Can't assign requested address
channel_setup_fwd_listener_tcpip: cannot listen to port: 443
Could not request local forwarding.
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /home/ubuntu/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
我的研究指出我要添加 -4 以强制它使用 IPv4 而不是 IPv6,这不是我的情况而且它没有用。
任何人都可以就如何连接隧道提出任何见解?
Ubuntu是堡垒机的root用户:
ubuntu@ip-11-0-31-228:~$ sudo -s
root@ip-10-0-31-228:/home/ubuntu# id
uid=0(root) gid=0(root) groups=0(root)
谢谢!
-L 9200:https://vpc-123-es-domain-20210406-3abc123.us-west-2.es.amazonaws.com:443
您的转发指令似乎格式不正确。 ssh 将其解释为这样的四部分形式:
- 本地地址 9200(是的,this is a valid IP address format)
- 本地端口“https”,即端口 443
- 远程地址 pc-123-es-domain-20210406-3abc123.etc.
- 远程端口 443
潜在的问题是您将 URL 指定为远程,而不仅仅是主机名。试试这个:
-L 9200:vpc-123-es-domain-20210406-3abc123.us-west-2.es.amazonaws.com:443
这是我深入研究后犯下的愚蠢错误,这一行泄露了它:
debug1: Local connections to 9200:443 forwarded to remote address //vpc-123-es-domain-20210406-3abc123.us-west-2.es.amazonaws.com:443
如果正确,它会像下面这样:
debug1: Local connections to LOCALHOST:9200 forwarded to remote address vpc-es-domain-20210406-3abc123.us-west-2.es.amazonaws.com:443
有两件事帮助我完成了这项工作:
1. remove the "https://" in front of the vpc endpoint
2. stop any other local processes that run on port 9200 on my Macbook.