On 23/09/2022 at 20:48, Carl Karsten wrote:
> On Fri, Sep 23, 2022, 3:08 AM Cyril Servant <cyril.servant at cea.fr> wrote:
>
> Hi,
>
> On 21/09/2022 at 22:59, Carl Karsten wrote:
> > The goal is to host 4 or 5 websites for friends. all low traffic, so a
> > single box should be fine. 16 cores, 32g ram, 1 nic, 1 public IP.
> > hostname: prox
> >
> > each site gets a VM, created manually, (they all get debian) add
> > friends ssh keys and let them ssh in and do whatever they want in
> > their vm. and be able to ansible over ssh like ansible does.
> >
> > hostnames vm1, vm2... friends all manage their own domain name
> > register / dns, point their www's at my IP.
> >
> > I would like to keep ports all standard: 22 for ssh, 80/443 for
> > http/s, etc. and route to the VM based on hostname.
> >
> > ssh user at prox gets the host, ssh user at vm1 gets vm1. curl
> > http://vm1 gets vm1.
> >
> > There are lots of ways to do this, I'm trying to work out a config
> > that makes it easy on their end.
>
> you can use sshproxy which I'm maintaining:
> https://github.com/cea-hpc/sshproxy
> With sshproxy's routing system, you can proxy each user to its
> respective VM, without them having a shell on the gateway.
>
> This looks promising. Could you give me the conf for what I
> described? My setup will end up in a public repo, so maybe someone else can
> use it too.

Well, first you have to add this at the end of /etc/ssh/sshd_config:

Match User foo,bar
    ForceCommand /sbin/sshproxy

And then, in /etc/sshproxy/sshproxy.yaml:

users:
    - foo:
        routes:
            default:
                dest: [ip.of.foo.vm]
    - bar:
        routes:
            default:
                dest: [ip.of.bar.vm]

It should be enough. There is no daemon to run, sshproxy will be forked by the
ForceCommand.

Etcd is not mandatory, in your case you probably won't want to use it.

> > Telling them all to use ProxyJump isn't out of the question, but I'm
> > hoping there are other options.
> >
> > I don't mind a separate solution for ssh and http. like for http I
> > can run an nginx on the public IP with
> >
> >   server_name vm1;
> >    location / { proxy_pass http://10.0.0.1;
--
Cyril
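
Added example, not part of the thread and not code from the sshproxy project: one way to generate the sshd_config Match block and the sshproxy.yaml users section from a single mapping, so the two files cannot drift apart and a login name cannot smuggle pattern syntax (`,`, `*`, `?`, `!`) into `Match User`. The function names, the 10.0.0.x addresses and the `- foo:` mapping form of each user entry are assumptions.

```python
import ipaddress
import re

# Conservative login-name pattern: no ',', '*', '?', '!' or whitespace, which
# sshd would treat as pattern syntax inside a "Match User" list.
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def validate(routes):
    """Return {user: ip_string}; raise ValueError on unsafe input."""
    if not routes:
        raise ValueError("no users given")
    clean = {}
    for user, dest in routes.items():
        if not USER_RE.fullmatch(user):
            raise ValueError(f"unsafe user name: {user!r}")
        # IPv4Address raises a ValueError subclass on anything but an IPv4 address.
        clean[user] = str(ipaddress.IPv4Address(dest))
    return clean


def sshd_match_block(routes, binary="/sbin/sshproxy"):
    """Block to append at the end of /etc/ssh/sshd_config."""
    users = ",".join(sorted(validate(routes)))
    return f"Match User {users}\n    ForceCommand {binary}\n"


def sshproxy_yaml(routes):
    """users: section of /etc/sshproxy/sshproxy.yaml, one default route per user."""
    lines = ["users:"]
    for user, ip in sorted(validate(routes).items()):
        lines += [
            f"    - {user}:",
            "        routes:",
            "            default:",
            f"                dest: [{ip}]",
        ]
    return "\n".join(lines) + "\n"


# Constructed sample mapping: friend's login name -> address of their VM.
SAMPLE = {"foo": "10.0.0.1", "bar": "10.0.0.2"}

if __name__ == "__main__":
    print(sshd_match_block(SAMPLE))
    print(sshproxy_yaml(SAMPLE))
```

Because every user in the Match list also gets a route, no listed account falls through to a normal shell on the gateway.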