
Using NGINX I have multiple reverse proxies that work with normal http(s) for various websites. I have just one public ip address but several vhosts behind it. This part is working as it should.

I want to ssh into all of the hosts behind nginx, there are currently just three but more to come into the future.

As nginx is above version 1.9.1 (I think that was the version that allowed streams), I have begun to configure it for ssh. I will later want to add databases into the mix and maybe mail, but for now ssh is the priority.

So, to begin I have added ssh_available and ssh_enabled to the nginx directory.

In /etc/nginx/nginx.conf I have added the following:

stream {
  include /etc/nginx/ssh_enabled/*;
}

In /etc/nginx/ssh_available/domain.com.rproxy.conf I have the following:

upstream ssh {
  server 192.168.1.61:22;
}

server {
  listen 22;
  proxy_pass ssh;
}

I have used the usual method of adding symlinks in ssh_enabled to the conf files in ssh_available.

This allows me to ssh into one host that is behind my nginx reverse proxy, but only one host.

With this current configuration the SSH connection always lands on the same host, regardless of whether I use the public IP, subdomain or FQDN.

How might I turn this into something more portable so that it can work with multiple host/domain names instead of just a single ip/domain?

What I want to happen is to ssh in using a domain and connect to the server that hosts it.

1 Answer


I have come up with a workaround. It means more open ports than I would like, because to date ssh does not accept domains; there is an IPv6 solution floating around, but that's currently not a solution for me.

So more ports it is.

Here is my solution. Forward a small port range to nginx, enough ports for each server. You can choose pretty much any port range, or cherry-pick ports; it's your choice, but to make this example as simple as possible a range is easier.

I modified the conf file that I created in /etc/nginx/ssh_available/:

upstream 59 {
  server 192.168.1.59:22;
}

server {
  listen 22059;
  proxy_pass 59;
}

upstream 61 {
  server 192.168.1.61:22;
}

server {
  listen 22061;
  proxy_pass 61;
}

upstream 62 {
  server 192.168.1.62:22;
}

server {
  listen 22062;
  proxy_pass 62;
}

upstream 63 {
  server 192.168.1.63:22;
}

server {
  listen 22063;
  proxy_pass 63;
}

Of course with this you are limited by the number of available IPv4 addresses on your network; IPv6 would have been a better option, but I don't have it yet.

Note: if you use this example as is, you are advertising part of your network infrastructure by giving the internal IP as a port number to anybody who may want to work it out. You should really cherry-pick the ports that you open and set up the configuration appropriately.

Final note: this is IMO not a great answer, but it's a working answer, so for that reason I am posting it, but not accepting it as the solution. You may have a better method for IPv4 than I have come up with and I absolutely welcome your answers.
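The answer's note about the port numbers leaking internal addresses is the part worth automating: if the listen ports are chosen from a mapping rather than built from the backend IP, the public port tells an outsider nothing about the network behind the proxy. The script below is an added example, not code from the question or the answer. It keeps one mapping of upstream name, backend address and public port (all constructed values), generates the per-host `upstream`/`server` stream blocks from it, refuses a mapping that reuses a public port (nginx would fail to start on the duplicate `listen`), and also emits matching `~/.ssh/config` stanzas so users type `ssh web1` instead of remembering ports. `proxy.example.com` is an assumed placeholder for the proxy's public name, and the example assumes the chosen ports are not already bound on the nginx host.

```shell
#!/bin/sh
# Added example (not from the original question or answer): generate nginx
# stream blocks for several SSH backends from one mapping, using freely
# chosen public ports so the port number does not encode the backend IP.

# Constructed mapping, one entry per line: "<name> <backend-ip> <public-port>".
# Names, addresses and ports are assumptions for the example.
HOSTS='
web1 192.168.1.59 40011
web2 192.168.1.61 40023
web3 192.168.1.62 40037
'

# Assumed public name of the nginx host, used only in the client config.
PUBLIC_HOST='proxy.example.com'

# Emit one upstream/server pair per mapping line, in the same shape as the
# blocks in the answer. Usage: gen_stream_conf "$HOSTS"
gen_stream_conf() {
    printf '%s\n' "$1" | while read -r name ip port; do
        [ -n "$name" ] || continue
        printf 'upstream ssh_%s {\n  server %s:22;\n}\n\n' "$name" "$ip"
        printf 'server {\n  listen %s;\n  proxy_pass ssh_%s;\n}\n\n' "$port" "$name"
    done
}

# Emit ~/.ssh/config stanzas that pair each name with its public port, so the
# port list lives in one place on the client side too.
gen_ssh_client_config() {
    printf '%s\n' "$1" | while read -r name _ip port; do
        [ -n "$name" ] || continue
        printf 'Host %s\n  HostName %s\n  Port %s\n\n' "$name" "$PUBLIC_HOST" "$port"
    done
}

# Return 0 when every public port in the mapping is unique, 1 otherwise.
# A duplicate would make nginx fail on the second "listen" of that port.
check_unique_ports() {
    dups=$(printf '%s\n' "$1" | awk 'NF { print $3 }' | sort | uniq -d)
    [ -z "$dups" ]
}

# Stand-alone run: print both generated fragments to stdout.
if check_unique_ports "$HOSTS"; then
    echo "# --- stream fragment for /etc/nginx/ssh_available/ ---"
    gen_stream_conf "$HOSTS"
    echo "# --- client-side ~/.ssh/config fragment ---"
    gen_ssh_client_config "$HOSTS"
else
    echo "duplicate public port in HOSTS mapping" >&2
fi
```

Redirect the stream fragment into a file under ssh_available, symlink it from ssh_enabled as the question already does, and run `nginx -t` before reloading; the port check only catches collisions within the mapping, not a port already in use by another service on the proxy host.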
