On 11/12/20 7:50 AM, Jonathan Billings wrote:
> On Thu, Nov 12, 2020 at 12:56:15PM +0000, Bernstein, Noam CIV USN NRL (6393) Washington DC (USA) via CentOS wrote:
>> If the point is to access a specific web site only the remote machine can get to, you can also do it with port forwarding:
>> ssh -L 8000:ip_of_web_site_to_access_from_remote:443 remote_machine
>> and then locally run any browser, and access
>> https://localhost:443
>> (assuming it's https. If it's plain http, use "http" and 80). Note that you'll be breaking some aspects of https security such as man-in-the-middle protection and perhaps others, and you'll need to accept some security exceptions.
>>
>> This will be useful if the point is to get to a web site only the remote machine can connect to, but all the browser code/plugins will be the local ones.
>
> If this is actually something you want to do with regularity, I suggest using the SSH SOCKS proxy (with the DynamicForward port), and configure Firefox to use the localhost:port as a SOCKS5 proxy. Then all traffic in Firefox will be routed over the ssh connection. It won't break SNI and for the most part, everything will work in Firefox as if you were connecting from the remote side of the connection.
>
> It works with yum and dnf too, where you can use RemoteForward to set up a proxy port on the remote side, set the 'proxy' settings in the configuration, and all yum/dnf traffic will go over the established SSH connection. Why would you do this? Well, if you've got a system that's sitting inside a private, not NAT'd network and your workstation/jumphost has a VPN enabled but you don't have it enabled on the remote side, you can update a system without doing a lot of complicated network magic. Now imagine using Ansible to do this, which is already setting up SSH sessions...

Sounds interesting, can you point me to any examples / how-tos to set this up?

Thanks
On Thu, Nov 12, 2020 at 10:02:57AM -0700, S Bob wrote:
> On 11/12/20 7:50 AM, Jonathan Billings wrote:
> > If this is actually something you want to do with regularity, I suggest using the SSH SOCKS proxy (with the DynamicForward port), and configure Firefox to use the localhost:port as a SOCKS5 proxy. Then all traffic in Firefox will be routed over the ssh connection. It won't break SNI and for the most part, everything will work in Firefox as if you were connecting from the remote side of the connection.
> >
> > It works with yum and dnf too, where you can use RemoteForward to set up a proxy port on the remote side, set the 'proxy' settings in the configuration, and all yum/dnf traffic will go over the established SSH connection. Why would you do this? Well, if you've got a system that's sitting inside a private, not NAT'd network and your workstation/jumphost has a VPN enabled but you don't have it enabled on the remote side, you can update a system without doing a lot of complicated network magic. Now imagine using Ansible to do this, which is already setting up SSH sessions...
>
> Sounds interesting, can you point me to any examples / how-tos to set this up?

What part? For the first part, either define 'DynamicForward 8000' in a Host section in ~/.ssh/config, or run 'ssh -D 8000 hostname' to set it with command line options. Then just set your SOCKS5 proxy settings in Firefox to localhost:8000. (I'm just using port 8000 as an example here, it can be any unused port above 1024 for regular users.)

For the second, it's largely the same thing, except you'd use 'RemoteForward 8000' or 'ssh -R 8000 hostname' with the command line, and on the remote side, set 'proxy=socks5://localhost:8000' in the yum.conf or dnf.conf, or set it on the command line with:

yum --setopt='proxy=socks5://localhost:8000' update

(replace 'yum' with 'dnf' for c8)

If you are curious if it is actually doing anything, add a -v to your ssh connection and it'll send debugging information to your terminal, and you'll see each proxied connection from yum/dnf.

For ansible to use it, you'd set 'ssh_connection' in your ansible.ini to have the extra -R option, and then deploy a yum/dnf config that uses the proxy.

I've found this useful for managing some systems on our campus that are on a private LAN but are routed to campus only, so they can't reach 'the world' but my computer can. I would still recommend that people run their own private mirror if they are running their own private cluster but this is useful in a pinch.

-- 
Jonathan Billings <billings at negate.org>
On Thu, Nov 12, 2020 at 03:21:02PM -0500, Jonathan Billings wrote:
> What part? For the first part, either define 'DynamicForward 8000' in a Host section in ~/.ssh/config, or run 'ssh -D 8000 hostname' to set it with command line options. Then just set your SOCKS5 proxy settings in Firefox to localhost:8000. (I'm just using port 8000 as an example here, it can be any unused port above 1024 for regular users.)

If you need a full tunnel (and not just HTTP) and don't have a VPN server, but you do have an SSH connection, I heartily recommend the tool 'sshuttle' (https://github.com/sshuttle/sshuttle, in EPEL). It requires root locally but not on the remote side. Then you can just use Firefox without messing with proxy settings or anything.

-- 
Jonathan Billings <billings at negate.org>
On Thu, Nov 12, 2020 at 03:21:02PM -0500, Jonathan Billings wrote:
> yum --setopt='proxy=socks5://localhost:8000' update

It occurs to me that my private networks have working DNS, so if yours doesn't, you should use:

yum --setopt='proxy=socks5h://localhost:8000' update

(note the extra 'h' in the URI scheme)

This means that the DNS lookups happen on the other side of the proxy, so the yum command doesn't need to do any DNS lookups.

-- 
Jonathan Billings <billings at negate.org>
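As an added illustration (not code from the thread or from yum/ssh), the following Python models what the extra 'h' changes on the wire: with socks5 the client resolves the name itself and sends an IP literal in the SOCKS5 CONNECT request, with socks5h it sends the hostname (ATYP 3) and the other end of the tunnel, here the workstation behind the ssh -R listener, does the lookup. The hostname mirror.example.org and the address 192.0.2.10 are constructed sample values.

```python
import ipaddress
import socket
import struct
from urllib.parse import urlsplit

SOCKS_VERSION, CMD_CONNECT = 5, 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4

def resolves_on_proxy(proxy_url):
    """True for a yum/dnf 'proxy=socks5h://...' setting: the name is handed to the proxy unresolved."""
    return urlsplit(proxy_url).scheme.lower() == "socks5h"

def connect_request(host, port, remote_dns, resolver=socket.gethostbyname):
    """RFC 1928 CONNECT request (VER CMD RSV ATYP DST.ADDR DST.PORT) as a client sends it.
    socks5 (remote_dns=False): the client looks the name up itself before asking the proxy.
    socks5h (remote_dns=True): the hostname is sent as ATYP 3 and the proxy end resolves it."""
    try:
        ip = ipaddress.ip_address(host)  # a literal address needs no lookup either way
    except ValueError:
        ip = None
    if ip is None and remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("SOCKS5 domain names are limited to 255 bytes")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    else:
        if ip is None:
            # socks5: the DNS query leaves from here, the client, so it needs working DNS
            ip = ipaddress.ip_address(resolver(host))
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    return struct.pack("!BBBB", SOCKS_VERSION, CMD_CONNECT, 0, atyp) + addr + struct.pack("!H", port)

def parse_request(data):
    """Decode a CONNECT request as the proxy side sees it; 'resolved_by' says who did the lookup."""
    ver, cmd, _rsv, atyp = struct.unpack("!BBBB", data[:4])
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    body = data[4:]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(body[:4])), body[4:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(body[:16])), body[16:]
    elif atyp == ATYP_DOMAIN:
        n = body[0]
        host, rest = body[1:1 + n].decode("idna"), body[1 + n:]
    else:
        raise ValueError("unknown ATYP %d" % atyp)
    (port,) = struct.unpack("!H", rest[:2])
    return {"host": host, "port": port, "resolved_by": "proxy" if atyp == ATYP_DOMAIN else "client"}
```

The practical consequence is the one Jonathan describes: a socks5 client on a host without working DNS fails at the resolver call before anything reaches the tunnel, while a socks5h client never needs a local resolver at all.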