pressly / sup

Super simple deployment tool - think of it like 'make' for a network of servers
https://pressly.github.io/sup
MIT License
2.48k stars 178 forks

Add support for SSH remote port forwarding #120

Open juergenhoetzel opened 6 years ago

juergenhoetzel commented 6 years ago

Use cases:

Still, the error reporting (related to tunnel setup: bind error, connection-refused, ...) is not satisfactory. I would prefer to mix it with the remote's stderr but I don't see how this can be done.

juergenhoetzel commented 6 years ago

> We have bastion functionality for accessing SSH servers via a middle-man SSH server.
>
> Is this solving any other use case?

Yes, bastion hosts allow access to SSH hosts which are not accessible via a direct network connection. In OpenSSH config:

    Host remote
      ProxyCommand ssh user@bastion -W %h:%p

Whereas remote port tunneling/forwarding allows access to TCP services on the SSH client side by listening on a TCP port on the remote side. In OpenSSH config:

    RemoteForward 127.0.0.1:8080 my-proxy-server.local:8080

You can then use this environment variable on the remote site to access the local proxy:

    export http_proxy=http://localhost:8080/

In your Supfile you get the same feature with this pull request:

    env:
      http_proxy: http://localhost:8080

    networks:
      testnet:
        tunnels:
          - listen: 8080
            host: my-proxy-server.local
            port: 8080
        hosts:
          - remote1

    commands:
      proxy-test:
        run: >
          curl -v http://my-host.local

VojtechVitek commented 6 years ago

@juergenhoetzel I see, thanks. I'm still missing the point, though.

  1. How is this useful again? Can you give us some real life use cases / examples?

  2. How is this supposed to work with multiple remote hosts, since you're binding a remote port to a single localhost port?

juergenhoetzel commented 6 years ago

> @juergenhoetzel I see, thanks. I'm still missing the point, though.
>
> How is this useful again? Can you give us some real life use cases / examples?

  1. I publish my non-public NPM modules to a Sonatype repository server (not accessible via public IP): http://blog.sonatype.com/using-nexus-3-as-your-repository-part-2-npm-packages I can install these modules from a remote server when forwarding port 8081 using:
    npm --registry http://localhost:8081/repository/npm-group/ install -g my-pac
  2. Some of my hosts don't have internet access. I forward the remote port to a local proxy and configure CentOS yum to use this proxy via port forwarding: https://www.centos.org/docs/5/html/yum/sn-yum-proxy-server.html

> How is this supposed to work with multiple remote hosts, since you're binding a remote port to a single localhost port?

This would be the case if you do local port forwarding (I didn't find a use case for this). But I implemented only remote port forwarding: thus the binding/listening is done on the remote site.
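
An added example, not code from this pull request or from sup: a minimal Go relay for the remote-forward data path discussed in the thread, which reports per-connection tunnel failures (such as connection refused) on a channel instead of dropping them. `ServeRemoteForward` is a hypothetical name; a standard-library loopback listener stands in for the one that `(*ssh.Client).Listen` from golang.org/x/crypto/ssh would return, and `127.0.0.1:1` is assumed to have no listener.

```go
package main

import (
	"fmt"
	"io"
	"net"
)

// ServeRemoteForward relays each connection accepted on ln to target until ln
// is closed. Assumption: with golang.org/x/crypto/ssh, ln would come from
// (*ssh.Client).Listen("tcp", "127.0.0.1:8080"), i.e. a loopback bind on the
// remote host. Per-connection failures go to errs, which the caller drains.
func ServeRemoteForward(ln net.Listener, target string, errs chan<- error) {
	for {
		conn, err := ln.Accept()
		if err != nil {
			return // listener closed
		}
		go func() {
			defer conn.Close()
			up, err := net.Dial("tcp", target)
			if err != nil {
				errs <- fmt.Errorf("tunnel %s -> %s: %w", ln.Addr(), target, err)
				return
			}
			defer up.Close()
			done := make(chan struct{}, 2)
			go func() { io.Copy(up, conn); done <- struct{}{} }() // remote-side client -> service
			go func() { io.Copy(conn, up); done <- struct{}{} }() // service -> remote-side client
			<-done // one direction ended: the deferred Closes stop the other
		}()
	}
}

func main() {
	// Constructed demo: nothing listens on the target, so the dial is refused.
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	errs := make(chan error, 1)
	go ServeRemoteForward(ln, "127.0.0.1:1", errs)
	c, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		panic(err)
	}
	defer c.Close()
	fmt.Println(<-errs) // the tunnel error names both endpoints
}
```

Because the listener is created on each remote host, the same `listen` port can be reused across hosts; binding it to `127.0.0.1` keeps the forwarded service reachable only from processes on that host.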