amazon-web-services - SSH tunnel through an Ubuntu bastion to an EC2 instance in a private subnet

Reposted. Author: 行者123. Updated: 2023-12-04 08:15:22

According to this AWS document: Scenario 2: VPC with Public and Private Subnets (NAT), I have my own VPC with two subnets: private and public. In the public subnet I deployed an Ubuntu 16.04 instance with an EIP assigned. It also has the following security group inbound rule:

Type  Protocol  Port Range  Source          Description
SSH   TCP       22          xx.xx.xx.xx/32  Home IP

And, correspondingly, outbound:

Type  Protocol  Port Range  Source          Description
SSH   TCP       22          sg-xxprivatexx  Security group ID for instance in private subnet

Looks good, I can ssh to it from outside, from my home. No problem.

In the private subnet I deployed another Ubuntu 16.04 machine with the following security group (inbound rules):

Type  Protocol  Port Range  Source          Description
HTTP  TCP       80          sg-xxpublicxxx  Security Group ID for bastion instance in public subnet
SSH   TCP       22          sg-xxpublicxxx  -

And no outbound rules (actually it has outbound ports 80 and 443 open, but I guess that is not the interesting part). I can still access this VM using ssh from my bastion.

Now I want to do just one simple thing: run ssh port forwarding so that I can open localhost:8080 in the browser on my home PC and see the web page I published on my private instance. If I understood correctly from here and here (and from here as well), I have to run something like:

 ssh -N -v -L 8080:10.0.1.112:80 ubuntu@3.121.46.99

I guess this basically means: just forward traffic from the private subnet instance with IP 10.0.1.112:80 to my localhost:8080 through my bastion VM, with user name ubuntu, hosted on EIP 3.121.46.99.

The debug output ends with these lines:
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:ZyVHgnF8z5vE5gfNr1S2JDfjhdydZVTNevPRgJZ+sRA /home/matterai/.ssh/key.pem
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/matterai/.ssh/id_rsa
debug1: Trying private key: /home/matterai/.ssh/id_dsa
debug1: Trying private key: /home/matterai/.ssh/id_ecdsa
debug1: Trying private key: /home/matterai/.ssh/id_ed25519
debug1: No more authentication methods to try.
matterai@3.121.46.99: Permission denied (publickey).

I have been playing with it for a few days, but I still don't understand what I'm doing wrong. It's so strange: I can ssh -A (allow forwarding) to my bastion, and I can ssh from the bastion to my private instance. But I can't establish an SSH tunnel to see my web page (in the future it will be mongodb) without an error. I need some advice or a pointer in the right direction, please! Thank you.

UPD#1

OK. If I do manual forwarding using my local machine and the bastion, I get the expected result. Basically this means running this command on the bastion:

ubuntu@bastion: ssh -v -N -L 5000:localhost:8000 ubuntu@10.0.1.68

And after that, running this command on the local/home machine:

matterai@homepc: ssh -v -N -L 5000:localhost:5000 ubuntu@3.121.46.99

When I make a request to localhost:5000 on my local machine, I can see the resulting page. Is it possible to combine these two commands? (Spoiler: yes, it is possible: see the answer!)

Best answer

OK, this is pretty easy. I hope my answer helps someone.

  • You need to use the ssh -J option to connect through the bastion VM:

    -J [user@]host[:port]
    Connect to the target host by first making a ssh connection to
    the jump host and then establishing a TCP forwarding to the
    ultimate destination from there. Multiple jump hops may be specified
    separated by comma characters. This is a shortcut to specify a
    ProxyJump configuration directive.

  • Then you need to forward traffic from the target VM port (:8000), where your application (or database) runs, to your localhost port (:5001) using ssh -L:

    -L [bind_address:]port:host:hostport
    -L [bind_address:]port:remote_socket
    -L local_socket:host:hostport
    -L local_socket:remote_socket
    Specifies that connections to the given TCP port or Unix socket
    on the local (client) host are to be forwarded to the given host
    and port, or Unix socket, on the remote side. This works by
    allocating a socket to listen to either a TCP port on the local
    side, optionally bound to the specified bind_address, or to a
    Unix socket. Whenever a connection is made to the local port or
    socket, the connection is forwarded over the secure channel, and
    a connection is made to either host port hostport, or the Unix
    socket remote_socket, from the remote machine.

    Port forwardings can also be specified in the configuration file.
    Only the superuser can forward privileged ports. IPv6 addresses
    can be specified by enclosing the address in square brackets.

    By default, the local port is bound in accordance with the
    GatewayPorts setting. However, an explicit bind_address may be
    used to bind the connection to a specific address. The
    bind_address of “localhost” indicates that the listening port be
    bound for local use only, while an empty address or ‘*’ indicates
    that the port should be available from all interfaces.

  • The full ssh command looks like this:

    matterai@homepc: ssh -v -N -A -J ubuntu@3.121.46.99 -L 5001:localhost:8000 ubuntu@10.0.1.112

    Update: you can also simplify your command a little. In ~/.ssh/config you can add your jumphost (bastion) and your final destination VM IP:
    Host bastion
    HostName 3.121.46.99
    User ubuntu
    Port 22
    IdentityFile ~/.ssh/secret.pem
    ForwardAgent yes

    Host server
    HostName 10.0.1.112
    User ubuntu
    Port 22
    IdentityFile ~/.ssh/secret.pem
    ProxyJump bastion

    Now you can run the command:

    ssh -v -N -A -J bastion -L 80:localhost:8000 server

    Looks much better. You can also simply ssh in with ssh server.
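The -J/-L setup from the answer, as an added example that is not part of the original answer: it writes the equivalent ~/.ssh/config (ProxyJump plus LocalForward) and lints a stanza for what is worth checking before use, in particular that ProxyJump authenticates to the target with your local keys, so ForwardAgent is not needed on either hop. The aliases bastion/server, the ports and the key path are assumptions.

```python
# Added example (not code from the original post): build the ssh_config for the
# ProxyJump tunnel described above and lint it for the settings a defender cares
# about. The aliases "bastion"/"server", ports and key path are assumptions.
import re

def parse_ssh_config(text):
    """Minimal ssh_config parser -> {alias: {keyword(lowercased): [values]}}."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            current = hosts.setdefault(value, {})
        elif current is not None:
            current.setdefault(key, []).append(value)
    return hosts

def lint_tunnel(text, alias):
    """Findings for the tunnel stanza `alias` (empty list means clean)."""
    hosts, findings = parse_ssh_config(text), []
    server = hosts.get(alias, {})
    for jump in server.get("proxyjump", []):
        if jump not in hosts:
            findings.append(f"ProxyJump {jump} has no Host stanza")
    # ProxyJump authenticates to the target with your local keys over a TCP
    # forward; the agent never has to be exposed on the bastion, so
    # ForwardAgent yes is surplus risk on either hop.
    for name, stanza in hosts.items():
        if any(v.lower() == "yes" for v in stanza.get("forwardagent", [])):
            findings.append(f"{name}: ForwardAgent yes exposes the agent socket on that host")
    for fwd in server.get("localforward", []):
        listen = fwd.split()[0]                        # "[bind:]port"
        bind, sep, port = listen.rpartition(":")
        if int(port) < 1024:
            findings.append(f"{alias}: local port {port} is privileged (root only)")
        if sep and bind in ("", "*", "0.0.0.0"):
            findings.append(f"{alias}: {listen} listens on all interfaces")
        elif not sep:
            findings.append(f"{alias}: {listen} has no bind address; scope follows GatewayPorts")
    return findings

def tunnel_config(bastion_ip, target_ip, user, key_path, local_port, remote_port):
    """Config for `ssh -N server`: jump via bastion, 127.0.0.1:local_port -> target:remote_port."""
    return (f"Host bastion\n  HostName {bastion_ip}\n  User {user}\n  IdentityFile {key_path}\n\n"
            f"Host server\n  HostName {target_ip}\n  User {user}\n  IdentityFile {key_path}\n"
            f"  ProxyJump bastion\n  LocalForward 127.0.0.1:{local_port} localhost:{remote_port}\n")
```

With the generated config in place, `ssh -N server` opens the same tunnel as the long command above, and `ssh -G server` shows the effective settings without connecting.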

Regarding amazon-web-services - SSH tunnel through an Ubuntu bastion to an EC2 instance in a private subnet, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/55768726/
