marlluslustosa · May 5, 2018 16:07
diff --git a/reverse-ssh-tunnel.sh b/reverse-ssh-tunnel.sh
 #! /bin/sh

 local_port=$1
 ssh_server=1.2.3.4
 ssh_user=tunnel
 ssh_port=722
 url_tmpl=http://www\\1.domain.tld/

 exec 3>&1
 eval ssh -N -T $ssh_server -l $ssh_user -R 0:localhost:$local_port -p $ssh_port 2>&1 1>&3 \
    | sed 's|^Allocated port \([[:digit:]]\+\) for remote forward to|Your url is '$url_tmpl' will be forwarded to|'
diff --git a/SSS reverse "caseiro" (aka serveo.net)) b/SSS reverse "caseiro" (aka serveo.net))
 What
 ====

 A lot of times you are developing a web application on your own laptop or home computer and would like to demo it to the public. Most of those times you are behind a router/firewall and you don't have a public IP address. Instead of configuring routers (often not possible), this solution gives you a public URL that's reverse tunnelled via ssh to your laptop.

 Because of the relaxation of the sshd setup, it's best used on a dedicated virtual machine just for this (an Amazon micro instance for example).
 

 Requirements
 ============

 Server side:

 * a server with a public ip (1.2.3.4 in this document)
 * a domain name (domain.tld in this document)
 * a wildcard dns entry in the domain pointing to the public ip (*.ie.mk.    1800    IN  A   1.2.3.4)
 * nginx
 * sshd

 Client side:
 * ssh client (even plink would work on Windows)


 Nginx config
 ============

 A wildcard dns should point to this nginx instance.
 Every `www<port>.domain.tld` will be proxied to `127.0.0.1:<port>`

 Where `<port>` needs to be 4 or 5 digits.


    server {
      server_name   "~^www(?<port>\d{4,5})\.domain\.tld$";

      location / {
        proxy_pass        http://127.0.0.1:$port;
        proxy_set_header  X-Real-IP  $remote_addr;
        proxy_set_header  Host $host;
      }
    }



 SSH configuration
 =================

 A sshd configuration to allow a user with no password
 and a forced command, so that the user can't get shell access.

    Match User tunnel
      # ChrootDirectory
      ForceCommand /bin/echo do-not-send-commands
      AllowTcpForwarding yes
      PasswordAuthentication yes
      PermitEmptyPasswords yes

 PAM needs to be disabled if sshd is to allow login without a password.
 That's not always possible, is not even smart. Another approach would be
 a separate instance of sshd, on a different port, just for the tunnel user.

 Make a copy of the config file, change/add these settings:

    UsePAM no
    AllowUsers tunnel
    Port 722

 And then run `sshd -f /etc/ssh/sshd_config_tunnel`.

 The `tunnel` user has an empty password field in /etc/shaddow.

    tunnel::15726:0:99999:7:::


 Client
 ======

 Just connect with:

    ssh -N -T 1.2.3.4 -l tunnel -R 0:localhost:5050 -p 722

 ssh will respond with a `Allocated port 56889 for remote forward to localhost:5050` message.
 Then you can use www56889.domain.tld


 TODO
 ====

 Test ChrootDirectory in sshd
	#! /bin/sh

	local_port=$1
	ssh_server=1.2.3.4
	ssh_user=tunnel
	ssh_port=722
	url_tmpl=http://www\\1.domain.tld/

	exec 3>&1
	eval ssh -N -T $ssh_server -l $ssh_user -R 0:localhost:$local_port -p $ssh_port 2>&1 1>&3 \
	\| sed 's\|^Allocated port \([[:digit:]]\+\) for remote forward to\|Your url is '$url_tmpl' will be forwarded to\|'
	What
	====

	A lot of times you are developing a web application on your own laptop or home computer and would like to demo it to the public. Most of those times you are behind a router/firewall and you don't have a public IP address. Instead of configuring routers (often not possible), this solution gives you a public URL that's reverse tunnelled via ssh to your laptop.

	Because of the relaxation of the sshd setup, it's best used on a dedicated virtual machine just for this (an Amazon micro instance for example).


	Requirements
	============

	Server side:

	* a server with a public ip (1.2.3.4 in this document)
	* a domain name (domain.tld in this document)
	* a wildcard dns entry in the domain pointing to the public ip (*.ie.mk. 1800 IN A 1.2.3.4)
	* nginx
	* sshd

	Client side:
	* ssh client (even plink would work on Windows)


	Nginx config
	============

	A wildcard dns should point to this nginx instance.
	Every `www<port>.domain.tld` will be proxied to `127.0.0.1:<port>`

	Where `<port>` needs to be 4 or 5 digits.


	server {
	server_name "~^www(?<port>\d{4,5})\.domain\.tld$";

	location / {
	proxy_pass http://127.0.0.1:$port;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header Host $host;
	}
	}



	SSH configuration
	=================

	A sshd configuration to allow a user with no password
	and a forced command, so that the user can't get shell access.

	Match User tunnel
	# ChrootDirectory
	ForceCommand /bin/echo do-not-send-commands
	AllowTcpForwarding yes
	PasswordAuthentication yes
	PermitEmptyPasswords yes

	PAM needs to be disabled if sshd is to allow login without a password.
	That's not always possible, is not even smart. Another approach would be
	a separate instance of sshd, on a different port, just for the tunnel user.

	Make a copy of the config file, change/add these settings:

	UsePAM no
	AllowUsers tunnel
	Port 722

	And then run `sshd -f /etc/ssh/sshd_config_tunnel`.

	The `tunnel` user has an empty password field in /etc/shaddow.

	tunnel::15726:0:99999:7:::


	Client
	======

	Just connect with:

	ssh -N -T 1.2.3.4 -l tunnel -R 0:localhost:5050 -p 722

	ssh will respond with a `Allocated port 56889 for remote forward to localhost:5050` message.
	Then you can use www56889.domain.tld


	TODO
	====

	Test ChrootDirectory in sshd