froger-me · January 24, 2024 12:48
diff --git a/sshtunnel.txt b/sshtunnel.txt
 # Inspired from:
 # https://dev.to/bulletmark/create-a-reverse-ssh-tunnel-for-remote-access-to-a-restricted-machine-1ma0
 # https://unix.stackexchange.com/questions/474848/ssh-remote-port-forwarding-with-multiple-ports

 # ----------------------------------------------- #

 # On local restricted machine to access
 sudo mkdir -p /etc/sshtunnel && \
 sudo ssh-keygen -qN "" -f /etc/sshtunnel/id_rsa && \
 sudo vim /etc/systemd/system/sshtunnel.service

 # BEGIN File content
 [Unit]
 Description=Service to maintain an ssh reverse tunnel
 Wants=network-online.target
 After=network-online.target
 StartLimitIntervalSec=0

 [Service]
 Type=simple
 ExecStart=/usr/bin/ssh -qgNn \
  -o ServerAliveInterval=30 \
  -o ServerAliveCountMax=3 \
  -o ExitOnForwardFailure=yes \
  -o StrictHostKeyChecking=no \
  -o UserKnownHostsFile=/dev/null \
  -o PreferredAuthentications=publickey \
  -i /etc/sshtunnel/id_rsa \
  -R 0.0.0.0:3389:localhost:3389 \
  -R 0.0.0.0:60022:localhost:22 \
  -R 0.0.0.0:8080:localhost:80 \
  -R 0.0.0.0:60443:localhost:443 \
  -R 0.0.0.0:10000:localhost:10000 \
  [email protected] -p 22
 Restart=always
 RestartSec=60

 [Install]
 WantedBy=multi-user.target
 # END File content

 # Make sure to only use key authentication and
 # disallow root login in /etc/ssh/sshd_config
 PermitRootLogin no
 PasswordAuthentication no
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no

 # ----------------------------------------------- #

 # On the server used to tunnel connexions
 sudo useradd -m -s /bin/true sshtunnel &&
 sudo mkdir -p ~sshtunnel/.ssh &&
 sudo vim ~sshtunnel/.ssh/authorized_keys
 # paste the content of local id_rsa.pub in ~sshtunnel/.ssh/authorized_keys and save-quit
 sudo chown -R sshtunnel:sshtunnel ~sshtunnel/.ssh && \
 sudo chmod 700 ~sshtunnel/.ssh && \
 sudo chmod 600 ~sshtunnel/.ssh/authorized_keys


 # WARNING: Exposes the restricted machine's ssh access to the public Internet
 # Make sure to use key authentication on the restricted machine!

 # Set the following in /etc/ssh/sshd_config
 GatewayPorts yes
 AllowTcpForwarding yes

 # Check with:
 sshd -T | grep -E 'GatewayPorts|AllowTcpForwarding'

 # Use after editing /etc/ssh/sshd_config
 sudo systemctl restart ssh

 # Edit /etc/apache2/sites-available/vhost-sub.domain.tld.conf
 <VirtualHost *:80>
 	ServerName vhost-sub.domain.tld

 	Redirect permanent / "https://vhost-sub.domain.tld"
 </VirtualHost>

 <VirtualHost *:443>
 	ServerName vhost-sub.domain.tld

 	ProxyPreserveHost On
 	ProxyRequests Off
 	ProxyVia On
 	RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
            
 	# Proxy all traffic to vhost-sub.domain.tld
 	ProxyPass / http://localhost:60080/
 	ProxyPassReverse / http://vhost-sub.domain.tld/
 </VirtualHost>

 # ----------------------------------------------- #

 # On local restricted machine to access

 sudo systemctl enable --now sshtunnel
 sudo systemctl status sshtunnel
 sudo journalctl -u sshtunnel

 # ----------------------------------------------- #

 # Removal

 # On the restricted machine:
 sudo systemctl disable --now sshtunnel
 sudo rm /etc/systemd/system/sshtunnel.service
 sudo rm -rf /etc/sshtunnel
 # On the server:
 sudo userdel -r sshtunnel

 # Set the following in /etc/ssh/sshd_config
 GateWayPorts no

 # Use after editing /etc/ssh/sshd_config
 sudo systemctl restart ssh
	# Inspired from:
	# https://dev.to/bulletmark/create-a-reverse-ssh-tunnel-for-remote-access-to-a-restricted-machine-1ma0
	# https://unix.stackexchange.com/questions/474848/ssh-remote-port-forwarding-with-multiple-ports

	# ----------------------------------------------- #

	# On local restricted machine to access
	sudo mkdir -p /etc/sshtunnel && \
	sudo ssh-keygen -qN "" -f /etc/sshtunnel/id_rsa && \
	sudo vim /etc/systemd/system/sshtunnel.service

	# BEGIN File content
	[Unit]
	Description=Service to maintain an ssh reverse tunnel
	Wants=network-online.target
	After=network-online.target
	StartLimitIntervalSec=0

	[Service]
	Type=simple
	ExecStart=/usr/bin/ssh -qgNn \
	-o ServerAliveInterval=30 \
	-o ServerAliveCountMax=3 \
	-o ExitOnForwardFailure=yes \
	-o StrictHostKeyChecking=no \
	-o UserKnownHostsFile=/dev/null \
	-o PreferredAuthentications=publickey \
	-i /etc/sshtunnel/id_rsa \
	-R 0.0.0.0:3389:localhost:3389 \
	-R 0.0.0.0:60022:localhost:22 \
	-R 0.0.0.0:8080:localhost:80 \
	-R 0.0.0.0:60443:localhost:443 \
	-R 0.0.0.0:10000:localhost:10000 \
	[email protected] -p 22
	Restart=always
	RestartSec=60

	[Install]
	WantedBy=multi-user.target
	# END File content

	# Make sure to only use key authentication and
	# disallow root login in /etc/ssh/sshd_config
	PermitRootLogin no
	PasswordAuthentication no
	PermitEmptyPasswords no
	ChallengeResponseAuthentication no

	# ----------------------------------------------- #

	# On the server used to tunnel connexions
	sudo useradd -m -s /bin/true sshtunnel &&
	sudo mkdir -p ~sshtunnel/.ssh &&
	sudo vim ~sshtunnel/.ssh/authorized_keys
	# paste the content of local id_rsa.pub in ~sshtunnel/.ssh/authorized_keys and save-quit
	sudo chown -R sshtunnel:sshtunnel ~sshtunnel/.ssh && \
	sudo chmod 700 ~sshtunnel/.ssh && \
	sudo chmod 600 ~sshtunnel/.ssh/authorized_keys


	# WARNING: Exposes the restricted machine's ssh access to the public Internet
	# Make sure to use key authentication on the restricted machine!

	# Set the following in /etc/ssh/sshd_config
	GatewayPorts yes
	AllowTcpForwarding yes

	# Check with:
	sshd -T \| grep -E 'GatewayPorts\|AllowTcpForwarding'

	# Use after editing /etc/ssh/sshd_config
	sudo systemctl restart ssh

	# Edit /etc/apache2/sites-available/vhost-sub.domain.tld.conf
	<VirtualHost *:80>
	ServerName vhost-sub.domain.tld

	Redirect permanent / "https://vhost-sub.domain.tld"
	</VirtualHost>

	<VirtualHost *:443>
	ServerName vhost-sub.domain.tld

	ProxyPreserveHost On
	ProxyRequests Off
	ProxyVia On
	RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}

	# Proxy all traffic to vhost-sub.domain.tld
	ProxyPass / http://localhost:60080/
	ProxyPassReverse / http://vhost-sub.domain.tld/
	</VirtualHost>

	# ----------------------------------------------- #

	# On local restricted machine to access

	sudo systemctl enable --now sshtunnel
	sudo systemctl status sshtunnel
	sudo journalctl -u sshtunnel

	# ----------------------------------------------- #

	# Removal

	# On the restricted machine:
	sudo systemctl disable --now sshtunnel
	sudo rm /etc/systemd/system/sshtunnel.service
	sudo rm -rf /etc/sshtunnel
	# On the server:
	sudo userdel -r sshtunnel

	# Set the following in /etc/ssh/sshd_config
	GateWayPorts no

	# Use after editing /etc/ssh/sshd_config
	sudo systemctl restart ssh