Jay Strauss
2005-Aug-24 19:24 UTC
rsync via tunnel - 3 boxes separated by internet [solved]
Hi Wayne,

I'm not subscribed anymore, but I once sent you this example/FAQ. I searched the archives (because I needed to implement this) and noticed I never posted the solution (like a dummy). Would you post it for me?

Thanks
Jay


Backing up through a firewall
-----------------------------

It's very common to have a setup where you cannot reach the machine you want to back up directly, because it is behind a firewall. Below are common layouts.

(layout1): you --internet-- firewall -- target
(layout2): you --internet-- firewall -- ssh server -- target

where the "firewall" either lets you log in directly using ssh, or the firewall forwards ssh connections to another machine "ssh server" which you can log into. Either way you can't log into the "target" directly from the outside, but the files you want to back up live on the target.

Below are 2 methods for accomplishing this feat; both have advantages and disadvantages, your choice.

Method #1 - Use ssh to hop to the target machine
------------------------------------------------

1) Configure passwordless login from the machine which you can log into (the "firewall" in layout1 and the "ssh server" in layout2) to "target". Numerous examples of configuring this exist a google away, but in general, on the machine you can log into, you create a public/private key pair. Copy the public key to the "target" and append the contents of the public key to the .ssh/authorized_keys file.

2) Execute your rsync command - it's that easy:

you~$ rsync -av --rsync-path="ssh target rsync" firewall:/source/ /dest/

This command looks like it is copying a file from the firewall, but the remote command run on the firewall to start rsync really contacts the target and runs the remote rsync there, so "/source/" is coming from the target.
Advantages of Method #1
-----------------------
* you can do it without any sys admin help (avoid the BOFH)
* you can back up any file to which you have access on the target

Disadvantages of Method #1
--------------------------
* you have to manage your public/private keys
* adds another security hole, in that if your login on the firewall or ssh server is compromised, the invader can reach the target easily.

Method #2 - Install and configure an rsync server on the target and use an ssh tunnel to reach the rsync server
---------------------------------------------------------------------------------------------------------------

Installing the rsync server is beyond the scope of this document, but again it's just a google away. Once your rsync server is up and running, you build an ssh tunnel through your firewall like:

you~$ ssh -N -l userid_on_firewall -L 873:target:873 firewall

What this does is connect to the firewall and direct port 873 on "you" through the ssh tunnel, out the other end to port 873 on the target. Now when rsync is executed, which talks on port 873, the conversation is directed to the target. In another window execute:

you~$ rsync -arv localhost::<rsync_server_module_name>/source ./dest

Advantages of Method #2
-----------------------
* If you are the one administering the rsync server, you have finer control over who can access what files
* Removes the passwordless access to the target machine

Disadvantages of Method #2
--------------------------
* More issues with file permissions
* More servers running more stuff to administer
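As an added example (not part of Jay's post), the script below stands up the kind of rsync daemon that Method #2 assumes on the "target": one module, read-only, restricted to a single path, requiring its own username and password, and accepting connections only from the address the tunnel hands them off from. It then pulls through the module on the loopback interface and checks that a push into the read-only module and a wrong password are both refused. The module name "backup", the user "backupuser", its password, port 18873 and the paths under $DEMO are assumptions for the demo; the ssh tunnel from the post is not run here and appears only in comments.

```shell
#!/bin/sh
# Added example, not from the original post: the rsync daemon Method #2 assumes
# on the "target", with one read-only, password-protected module, plus a local
# pull through it to show it works.  Module "backup", user "backupuser", its
# password, port 18873 and the paths under $DEMO are assumptions for the demo.
set -eu

DEMO="${DEMO:-$(mktemp -d)}"
PORT=18873
DAEMON_PID=

# The daemon exports only what rsyncd.conf lists: this is the "finer control"
# the post mentions.  A module is no wider than its path, it can be read-only,
# and it can require its own credentials.
write_rsyncd_conf() {
    mkdir -p "$DEMO/source" "$DEMO/dest"
    printf 'hello\n' > "$DEMO/source/file1"   # constructed sample data
    printf 'world\n' > "$DEMO/source/file2"
    # secrets file is "user:password"; rsync refuses it if others can read it
    printf 'backupuser:demo-secret\n' > "$DEMO/rsyncd.secrets"
    chmod 600 "$DEMO/rsyncd.secrets"
    cat > "$DEMO/rsyncd.conf" <<EOF
# Loopback only for the demo; a real target binds the internal interface that
# the firewall / ssh server can reach.
address = 127.0.0.1
use chroot = no
lock file = $DEMO/rsyncd.lock
log file = $DEMO/rsyncd.log
pid file = $DEMO/rsyncd.pid

[backup]
    path = $DEMO/source
    comment = files to back up (Method #2 example)
    read only = yes
    list = no
    auth users = backupuser
    secrets file = $DEMO/rsyncd.secrets
    # With "ssh -N -L 873:target:873 firewall" the TCP connection to the target
    # is opened by the firewall (or ssh server), so the daemon sees *its*
    # internal address, not yours; that is the address to allow in real use.
    # 127.0.0.1 is used only because client and daemon share this host.
    hosts allow = 127.0.0.1
EOF
}

start_daemon() {
    # Unprivileged port so the demo needs no root; a real target would use 873.
    rsync --daemon --no-detach --config="$DEMO/rsyncd.conf" --port="$PORT" &
    DAEMON_PID=$!
}

stop_daemon() {
    if [ -n "$DAEMON_PID" ]; then
        kill "$DAEMON_PID" 2>/dev/null || true
        wait "$DAEMON_PID" 2>/dev/null || true
        DAEMON_PID=
    fi
}

# Client side.  In Method #2 this is
#   you~$ RSYNC_PASSWORD=... rsync -av localhost::backup/ ./dest/
# with the tunnel delivering localhost:873 to target:873.  Here the daemon is
# local on $PORT, so the client is told the port.  Retried briefly so the first
# attempt does not race the daemon's startup.
pull_through_module() {
    tries=0
    until RSYNC_PASSWORD=demo-secret rsync -a --port="$PORT" 127.0.0.1::backup/ "$DEMO/dest/" 2>/dev/null; do
        tries=$((tries + 1))
        [ "$tries" -lt 10 ] || return 1
        sleep 1
    done
    cmp -s "$DEMO/source/file1" "$DEMO/dest/file1" && cmp -s "$DEMO/source/file2" "$DEMO/dest/file2"
}

# "read only = yes": writing into the module is rejected; nothing lands in source.
push_is_refused() {
    printf 'x\n' > "$DEMO/intruder"
    if RSYNC_PASSWORD=demo-secret rsync -a --port="$PORT" "$DEMO/intruder" 127.0.0.1::backup/ 2>/dev/null; then
        return 1
    fi
    [ ! -e "$DEMO/source/intruder" ]
}

# "auth users": a wrong password is refused before any file list is exchanged.
bad_password_is_refused() {
    ! RSYNC_PASSWORD=wrong-secret rsync -a --port="$PORT" 127.0.0.1::backup/ "$DEMO/dest/" 2>/dev/null
}

run_demo() {
    write_rsyncd_conf
    if ! command -v rsync >/dev/null 2>&1; then
        echo "rsync not installed; config written to $DEMO/rsyncd.conf, daemon demo skipped" >&2
        return 0
    fi
    start_daemon
    trap stop_daemon EXIT
    pull_through_module
    push_is_refused
    bad_password_is_refused
    stop_daemon
    echo "pulled $(ls "$DEMO/dest" | wc -l | tr -d ' ') files through module 'backup' on 127.0.0.1:$PORT; files left in $DEMO"
}

run_demo
```

Run it with `sh` as an ordinary user; it leaves its working files under the printed $DEMO directory for inspection (remove them with `rm -rf "$DEMO"`). The one setting that changes between the demo and the real layout is `hosts allow`: because the `-L` forward is terminated on the firewall or ssh server, that machine, not "you", is the daemon's peer, so its internal address is what belongs there.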