3

I have a gitlab server on my local network and a server that I can ssh to from outside my network.

Is there a way I can configure the server that I can SSH into so that when I use:

ssh [email protected]

It sends that to the Gitlab server on the local network? Kind of like an Nginx reverse proxy but with ssh.

Edit:

I've been looking around and I found something here that looks like what I want.

> Access via Load Balancer
>
> If you want to provide a more standard git experience you can manually set up and configure an external load balancer to point to a given GitLab node. This should route traffic from port 22 to port 2222 on the GitLab node. You can then point a DNS record at the load balancer.

This looks like what I am trying to do, but how do I accomplish this?

Edit 2:

Here is an image that can hopefully clarify what I am trying to do.

(Those red lines should be going through the internet too.)

Diagram

agustaf

1 Answer

1

HTTP servers like nginx are able to proxy based on the hostname because it is sent in the HTTP/1.1 Host header of the request. SSH does not have this concept of virtual hosts; the client does not send the hostname at all.

You have three options:

  • Use port forwarding to make your gitlab server directly available.
  • Make your gitlab server available through an (additional) IPv4 or IPv6 address.
  • Create a SSH tunnel into your network and proxy the SSH connection to your git server through this tunnel.

Port forwarding

This is probably the easiest approach that does interfere with the "public server". Set up your gateway to forward port 2222 to 192.168.2.26:22. Then use ssh -p2222 [email protected] to connect. For git, use URLs like ssh://[email protected]:2222/repo.git.

Alternatively, you can just use ssh://[email protected]/repo.git or [email protected]:repo.git if you create a ~/.ssh/config file with:

Host git.example.com
    Port 2222

Additional IPv4 or IPv6 address

If you have a home network, getting an IPv4 address is probably impossible, but some business providers do it. If your network supports IPv6 (end-to-end), then you can just use normal routing without nasty proxying or NAT hackery.

SSH tunnel

You can use the ProxyCommand option to specify the command that proxies the SSH connection to git.example.com. In your case, the "public server" is the proxy, so the command should be connecting to that server.

Let's start with the configuration snippet for ~/.ssh/config:

Host git.example.com
    ProxyCommand ssh -W %h:%p [email protected]

In this snippet the -W %h:%p option will be expanded to -W git.example.com:22 and redirect standard input and output to said host (git.example.com). This enables your local SSH client to speak with your gitlab server. You can again use any URL like [email protected]:repo.git; the proxy will be transparent to the git client.

Lekensteyn
  • This may not be in the scope of this question but, how does Github or Gitlab do it? Don't you push to a single github server/load balancer that proxies/tunnels/somethings you to the appropriate server? – agustaf Aug 12 '16 at 17:17
  • It looks like Gitlab uses haproxy and that cannot decipher who traffic is supposed to go to, but decides *itself* where traffic should go, I will try your port forwarding solution, thank you for your help. – agustaf Aug 12 '16 at 19:34
  • @agustaf I don't know how they do it, but I can imagine that they just forward based on the TCP flows, completely agnostic of the SSH protocol which delegates the computational complexity. – Lekensteyn Aug 12 '16 at 21:50
  • My gateway did not let me forward port 2222 to 22 so I ended up doing the same thing with iptables like this: `sudo iptables -t nat -A PREROUTING -p tcp --dport 2222 -j REDIRECT --to-port 22` – agustaf Aug 13 '16 at 01:12
  • @agustaf You could also add `Port 2222` to your `/etc/ssh/sshd_config` for the same effect. – Lekensteyn Aug 13 '16 at 10:12
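
The protocol-agnostic forwarding discussed in the answer and comments (a load balancer or gateway mapping one port to the GitLab node), sketched as an added Python example that is not part of the original posts. The names `start_relay`, `demo` and the loopback stand-in backend with its banner are assumptions made for illustration.

```python
import asyncio

async def _pipe(reader, writer):
    """Copy bytes one way until EOF, then close the destination."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except ConnectionError:
        pass  # peer reset; just tear the flow down
    finally:
        writer.close()

async def start_relay(listen_host, listen_port, target_host, target_port):
    """Relay every TCP flow on the listen address to one fixed target."""
    # Nothing here parses SSH: the client sends no hostname, so the only
    # routing key available is the port that was dialled.
    async def handle(client_r, client_w):
        try:
            backend_r, backend_w = await asyncio.open_connection(target_host, target_port)
        except OSError:
            client_w.close()  # backend unreachable: drop the client
            return
        await asyncio.gather(_pipe(client_r, backend_w), _pipe(backend_r, client_w))
    return await asyncio.start_server(handle, listen_host, listen_port)

async def demo():
    """Loopback run against a constructed stand-in for the GitLab sshd."""
    async def fake_sshd(r, w):
        w.write(b"SSH-2.0-FakeBackend\r\n")  # constructed banner, not a real server
        await w.drain()
        w.write(await r.readline())  # echo the client's identification line
        await w.drain()
        w.close()
    backend = await asyncio.start_server(fake_sshd, "127.0.0.1", 0)
    backend_port = backend.sockets[0].getsockname()[1]
    relay = await start_relay("127.0.0.1", 0, "127.0.0.1", backend_port)
    r, w = await asyncio.open_connection("127.0.0.1", relay.sockets[0].getsockname()[1])
    banner = await r.readline()  # arrives via the relay, unmodified
    w.write(b"SSH-2.0-TestClient\r\n")
    await w.drain()
    echoed = await r.readline()
    w.close()
    relay.close()
    backend.close()
    return banner, echoed

if __name__ == "__main__":
    print(asyncio.run(demo()))
```

Because the relay only copies bytes, the SSH session is still negotiated between the client and the backend, so the host key the client verifies is the GitLab server's rather than the forwarding machine's.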