wzshiming / bridge

Bridge is a multi-level proxy that supports clients and servers with multiple protocols. SSHProxy, HTTPProxy, Socks4, Socks5, Shadowsocks.
MIT License

Establishing a Secure Reverse Proxy with Bridge for Accessing Internal Networks from the Public Internet. #22

Closed hongyi-zhao closed 4 months ago

hongyi-zhao commented 4 months ago

I'm trying to figure out a method to securely access resources on an internal network from the public internet using the bridge tool. The setup involves three main components:

The process works as follows:

The internal machine initiates a connection to the public server using bridge, establishing a reverse SSH tunnel:

bridge -b :0 -p ssh://public_ip:12022

The public server runs bridge to listen for SSH connections and forward them to a SOCKS5 proxy:

bridge -b socks5://:1080 -p ssh://:12022

Clients can then access internal network resources through the SOCKS5 proxy on the public server:

curl -x socks5://public_ip:1080 http://internal_service_address

Am I right?

Regards, Zhao

wzshiming commented 4 months ago

I guess the following command run on your internal machine will meet your needs.

I recommend using an ssh key to access the server; it will be safer.

bridge \
  -b socks5://:1080 \
  -b ssh://root@public_ip:22?identity_file=/root/.ssh/id_rsa \
  -p -

hongyi-zhao commented 4 months ago

Then, you suggest the following steps?

bridge \
  -b socks5://:1080 \
  -b ssh://root@public_ip:22?identity_file=/root/.ssh/id_rsa \
  -p -

  • On the public server:

bridge -b socks5://:1080 -p ssh://:22

curl -x socks5://public_ip:1080 http://internal_service_address

wzshiming commented 4 months ago

The public server does nothing; only add the public key of the internal machine to its /root/.ssh/authorized_keys.

hongyi-zhao commented 4 months ago

The public server does nothing,

Do you mean the following step can be omitted?

  • On the public server:

bridge -b socks5://:1080 -p ssh://:22

only add the pub key of the internal machine to its /root/.ssh/authorized_keys.

Thank you for pointing this out.

wzshiming commented 4 months ago

Yep
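A check a defender would want once this setup is running, added here as an example that is not part of this thread or of bridge's code: the listener at public_ip:1080 is the endpoint that `curl -x socks5://public_ip:1080` talks to, and depending on how the public server exposes it (for an ssh-forwarded listener, its sshd GatewayPorts setting), it may be reachable from the whole internet. The script below performs only the method-selection round trip of SOCKS5 (RFC 1928), offering the no-authentication method, and reports whether the listener lets unauthenticated clients through. A constructed in-process stand-in listener lets it run offline; the names `probe_socks5`, `socks5_listener` and `demo` are mine, and the "user/pass" listener in the demo is only an assumption about how an authenticated deployment would answer, not a statement about bridge's options.

```python
"""SOCKS5 exposure probe (added example; not bridge's code).

Performs only the method-selection step of RFC 1928 and reports what the
listener is willing to accept. probe_socks5(host, port) is meant to be run
from outside the network against a real listener such as public_ip:1080;
demo() runs it against a constructed in-process stand-in instead.
"""
import queue
import socket
import sys
import threading

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00          # RFC 1928: no authentication required
METHOD_USERPASS = 0x02         # RFC 1929: username/password
METHOD_NONE_ACCEPTABLE = 0xFF  # server rejects every offered method


def recv_exact(sock, n):
    """Read exactly n bytes or raise; recv() may return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS5 negotiation")
        buf += chunk
    return buf


def probe_socks5(host, port, timeout=3.0):
    """Offer only NO-AUTH and classify the listener by its reply.

    'open'          -> unauthenticated clients get through (0x00)
    'auth-required' -> listener refuses the no-auth method (0xFF)
    'not-socks5'    -> first reply byte is not version 5
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        # VER=5, NMETHODS=1, METHODS=[NO AUTH]
        s.sendall(bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH]))
        ver, method = recv_exact(s, 2)
    if ver != SOCKS_VERSION:
        return "not-socks5"
    if method == METHOD_NO_AUTH:
        return "open"
    if method == METHOD_NONE_ACCEPTABLE:
        return "auth-required"
    return "unexpected-method-0x%02x" % method


def socks5_listener(supported_methods, port_out):
    """Constructed stand-in for a SOCKS5 server: handles one client's
    method selection (all the probe needs) on 127.0.0.1, then exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port_out.put(srv.getsockname()[1])  # hand the ephemeral port to demo()
    conn, _ = srv.accept()
    with srv, conn:
        ver, nmethods = recv_exact(conn, 2)
        offered = recv_exact(conn, nmethods)
        chosen = METHOD_NONE_ACCEPTABLE
        if ver == SOCKS_VERSION:
            # pick the first client-offered method this listener supports
            chosen = next((m for m in offered if m in supported_methods),
                          METHOD_NONE_ACCEPTABLE)
        conn.sendall(bytes([SOCKS_VERSION, chosen]))


def demo(supported_methods):
    """Probe an in-process listener that supports the given methods and
    return the probe's classification."""
    port_out = queue.Queue()
    t = threading.Thread(target=socks5_listener,
                         args=(supported_methods, port_out), daemon=True)
    t.start()
    port = port_out.get(timeout=5)
    result = probe_socks5("127.0.0.1", port)
    t.join(timeout=5)
    return result


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # e.g. python probe.py public_ip 1080  (run from outside the network)
        print(probe_socks5(sys.argv[1], int(sys.argv[2])))
    else:
        print("no-auth listener:  ", demo([METHOD_NO_AUTH]))    # open
        print("user/pass listener:", demo([METHOD_USERPASS]))   # auth-required
```

If the probe reports "open" from a host outside your network, anyone who can reach public_ip:1080 can reach the internal network through it; bind the listener to loopback, front it with authentication, or restrict it with a firewall before relying on it.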

hongyi-zhao commented 4 months ago

It seems that the following methods are roughly equivalent:

autossh -M 0 -4 -NT -o ServerAliveInterval=30 -o "ServerAliveCountMax=3" -o "ExitOnForwardFailure=yes" -o StrictHostKeyChecking=no -R 1080:localhost -i /root/.ssh/id_rsa root@public_host -p public_host_ssh_port
# or
ssh -fNT -R 1080:localhost -i /root/.ssh/id_rsa root@public_host -p public_host_ssh_port

See the related discussions below:
https://www.cnblogs.com/makefile/p/ssh-rev-tun.html
https://serverfault.com/questions/361794/with-ssh-only-reverse-tunnel-web-access-via-ssh-socks-proxy

wzshiming commented 4 months ago

Yep, you can do it in any of the 3 ways.

The bridge was originally designed with the need to pass through multiple jump machines. e.g.

bridge \
  -b socks5://:1080 \
  -b ssh://root@internal_ip_2:22?identity_file=/root/.ssh/id_rsa \
  -b ssh://root@internal_ip_1:22?identity_file=/root/.ssh/id_rsa \
  -b ssh://root@public_ip:22?identity_file=/root/.ssh/id_rsa \
  -p - \
  -p ssh://root@other_public_ip_2:22?identity_file=/root/.ssh/id_rsa \
  -p ssh://root@other_public_ip_1:22?identity_file=/root/.ssh/id_rsa

It listens on port 1080 of internal_ip_2 via 3 machines, and forwards via 2 machines.

hongyi-zhao commented 4 months ago

I tried to give alternative pure SSH-based counterparts to the above bridge method but failed to sort out the logic and find the corresponding implementation. Can corresponding SSH implementations handle such complex scenarios?

wzshiming commented 4 months ago

You might look at the difference between -b and -p in bridge.

wzshiming commented 4 months ago

Actually, I can't remember the commands for ssh or other proxy tools.

hongyi-zhao commented 4 months ago

It is certain that even if they can be implemented, there will be numerous pitfalls and extreme complications.

BTW, another wonderful tool is gost.

wzshiming commented 4 months ago

Its goal is not the same as bridge's, which leads to the difference in functionality: it cannot listen on the remote server's port via jump machines, nor be used as a parameter to the ssh ProxyCommand.