hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Support SSH over HTTP Proxy #4523

Closed ozbillwang closed 11 months ago

ozbillwang commented 8 years ago

There are some discussions about ssh proxy support through bastion box: https://github.com/hashicorp/terraform/issues/1709

But my request is different. We are behind the corporate proxy, and I need to deploy an EC2 instance into a VPC.

Refer to the Terraform example https://github.com/hashicorp/terraform/blob/master/examples/aws-two-tier/main.tf

But in our current environment, we don't have a bastion box, or I need to deploy the first bastion box.

I am stuck at the proxy setting to run remote-exec commands after the EC2 instance has been created by Terraform.

Here is my attempt:

resource "aws_instance" "web01_np" {
  connection {
    type        = "ssh"
    user        = "ubuntu"
    private_key = "${var.private_key_path}"
    options     = "ProxyCommand=nc -X connect -x proxy_server:3128 %h %p"
  }
  ...
}

It is not successful, and I get an i/o timeout error:

* dial tcp 54.26.2.6:22: i/o timeout
2016/01/06 01:45:36 [ERROR] root: eval: *terraform.EvalOpFilter, err: 1 error(s) occurred:

How to fix this issue?

ozbillwang commented 8 years ago

An update. After the EC2 instance is created by Terraform, I can log in with the ~/.ssh/config settings, such as ssh 54.26.2.6:22

$ cat ~/.ssh/config

Host ec2*
  ProxyCommand nc -X connect -x proxy_server:3128 %h %p
  User ubuntu
  IdentityFile ~/.ssh/ec2.pem

Host 5*
  ProxyCommand nc -X connect -x proxy_server:3128 %h %p
  User ubuntu
  IdentityFile ~/.ssh/ec2.pem

But when I run terraform apply, it gives up at remote-exec.

phinze commented 8 years ago

Hi @SydOps, Terraform uses Go's crypto/ssh package, which does not do anything with the OpenSSH config file. It also doesn't support the OpenSSH config options like ProxyCommand etc.

It looks like what you're looking for is HTTP proxy support similar to what's described in this article:

https://www.perkin.org.uk/posts/ssh-via-http-proxy-in-osx.html

We'd have to investigate how this might be possible via Go. Any expertise from the community here would be welcome!

In the meantime, I'll update the title of this issue to reflect that it's SSH over an HTTP Proxy.
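An added illustration (not part of the thread, and not Terraform's own implementation) of what the `nc -X connect` ProxyCommand does, written against Go's standard library: send an HTTP CONNECT to the proxy, check the status, and return a `net.Conn` that an SSH client could run over. The names `dialViaHTTPProxy` and `tunnelConn` and the 203.0.113.10 target are assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"time"
)

// tunnelConn reads through the reader used for the proxy reply, so bytes the
// target sent right behind that reply (the SSH banner) are not lost.
type tunnelConn struct {
	net.Conn
	r *bufio.Reader
}

func (t *tunnelConn) Read(p []byte) (int, error) { return t.r.Read(p) }

// dialViaHTTPProxy asks the proxy at proxyAddr to tunnel to target ("host:port").
func dialViaHTTPProxy(proxyAddr, target string, timeout time.Duration) (net.Conn, error) {
	conn, err := net.DialTimeout("tcp", proxyAddr, timeout)
	if err != nil {
		return nil, fmt.Errorf("dial proxy: %w", err)
	}
	conn.SetDeadline(time.Now().Add(timeout)) // bound the whole handshake
	fmt.Fprintf(conn, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n", target, target)
	br := bufio.NewReader(conn)
	resp, err := http.ReadResponse(br, &http.Request{Method: http.MethodConnect})
	if err != nil {
		conn.Close()
		return nil, fmt.Errorf("read CONNECT reply: %w", err)
	}
	if resp.StatusCode != http.StatusOK { // e.g. 403 when the proxy ACL blocks port 22
		conn.Close()
		return nil, fmt.Errorf("proxy refused CONNECT %s: %s", target, resp.Status)
	}
	conn.SetDeadline(time.Time{}) // tunnel is up; clear the deadline
	return &tunnelConn{Conn: conn, r: br}, nil
}

func main() { // constructed addresses; reports the failure when no such proxy is reachable
	conn, err := dialViaHTTPProxy("proxy_server:3128", "203.0.113.10:22", 5*time.Second)
	if err != nil {
		fmt.Println("tunnel failed:", err)
		return
	}
	fmt.Println("tunnel open via", conn.RemoteAddr(), "- hand conn to the SSH client")
	conn.Close()
}
```

A refused CONNECT surfaces as an explicit proxy error here, whereas the direct dial in the original report only showed an i/o timeout.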

ozbillwang commented 8 years ago

Thanks, @phinze

This may not be related to this topic. Is there any chance of switching, or how hard would it be to switch, from Go's crypto/ssh package to OpenSSH, which is a more mature and popular tool?

bodgit commented 7 years ago

Just ran into this issue, although I'm using corkscrew to poke through the proxy. I can SSH to the provisioned hosts, but Terraform can't.

Resisting the urge to rant about language-specific reimplementations of tools that don't implement all of said tools' features... :speak_no_evil:

toedter commented 7 years ago

+1 for ssh over HTTP proxy. This would be appreciated by all terraform users who work behind a corporate firewall.

koalalorenzo commented 7 years ago

+1 We are running Terraform in an ad-hoc VM, but it would be awesome to avoid that by running it directly from our Jenkins (connecting using SSH over HTTP proxy). Hopefully this will be there!

Crapworks commented 7 years ago

+1 Same issue here. SSH via corkscrew works, but Terraform provisioners don't. I also agree with @bodgit about implementing things differently that are already there. But that seems to be the Go way anyways.. *cough* openssl *cough*. Any news on this topic?

edivaserman commented 6 years ago

+1, I've just recently started to run Terraform in OCI (Oracle Cloud Infrastructure) and I ran into this 1st issue myself. I know many customers are behind proxies and therefore they can SSH strictly over an HTTP proxy, so it would be nice to include it in the provisioner "remote-exec" connection

options = "ProxyCommand=nc -X connect -x proxyServer:proxyPort %h %p"

It will be nice to have it there already.

dangregorysony commented 6 years ago

How about an option (either in configuration or as a command line argument) to use the local ssh binary instead of the native Go implementation?

This is how Docker Machine solves the same problem (actually, Docker Machine will use the local ssh binary unless explicitly instructed to use crypto/ssh via the --native-ssh option).

https://docs.docker.com/machine/reference/ssh/

said026 commented 6 years ago

+1

mictchen commented 6 years ago

Is there any solution to use SSH with an HTTP proxy in Terraform yet?

tomiloza commented 5 years ago

+1

nodomain commented 5 years ago

+1 This is a blocker for using Terraform behind our corporate proxy. For provisioning I always have to change connection to a mobile hotspot.

voyera commented 5 years ago

Also a blocker here, unfortunately.

joshua-tianci commented 5 years ago

Blocker here also.

muneeshpandi commented 5 years ago

Are there any options to use an SSH proxy in Terraform? Any update?

wilderrodrigues commented 4 years ago

Extreme blocker!

htamakos commented 4 years ago

Hi all, I have implemented support for SSH over HTTP proxy like below. https://github.com/htamakos/terraform/commit/dd9f7075f3b68217ad17c141fb243107ba343486

How about this? I'll submit a PR about support for SSH over HTTP proxy.

dnperfors commented 3 years ago

We just found out that terraform doesn't use the proxycommand set inside the ssh config files. Therefore we can't deploy an application we are working on, since the deployment server is behind a corporate proxy and SSH is not allowed directly. It would be extremely helpful to have PR #24611 finalized, since it looks like it could work that way.

hariharanragothaman commented 2 years ago

Is this going to be fixed anytime soon? Please update.

sorenisanerd commented 11 months ago

This has been supported since Terraform v1.3.0. See https://developer.hashicorp.com/terraform/language/resources/provisioners/connection#connection-through-a-http-proxy-with-ssh for how to use. Pro-tip: Contrary to what the docs say, it also supports socks5.

ozbillwang commented 11 months ago

Thanks for the updates, @sorenisanerd.

After several years, I no longer need the proxy (it's now a transparent proxy). If this feature has been implemented, I'm fine with closing it.

github-actions[bot] commented 9 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.