Setting Up Reverse SSH Tunnel with Port Forwarding on Apache Linux
Learn how to create a secure and reliable reverse SSH tunnel with port forwarding, offering an alternative to ngrok.
Introduction
Discover how to create your own ngrok alternative using a reverse SSH tunnel with port forwarding. This guide will walk you through the entire process.
Prerequisites
Ensure you can connect to your remote server via SSH:
ssh user@<REMOTE_IP_ADDRESS>
Step 1: Configure Gateway Ports
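Edit the SSH server configuration (sshd_config) on the remote server to allow gateway ports. With GatewayPorts set to yes, ports opened with ssh -R listen on all of the server's interfaces instead of only on loopback, so any host that can reach the server can reach the forwarded service. Add the following line as root: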
echo "GatewayPorts yes" >> /etc/ssh/sshd_config
If you encounter permission issues, open the file with sudo in a text editor like nano and add the line there.
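Because >> appends to the end of the file, the new line may not become the global setting: sshd uses the first value it reads for a keyword, and lines after a Match line apply only to that block. The script below is an added example, not part of the original guide, that checks a config file for both cases; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: which GatewayPorts value does sshd actually apply globally?
# Limits: Include files and quoted arguments are not handled.

# Print the global GatewayPorts value from the sshd_config-style file $1.
effective_gateway_ports() {
    awk '
        { sub(/^[ \t]+/, "") }                  # drop leading whitespace
        /^#/ || /^$/ { next }                   # skip comments and blanks
        { split($0, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { exit }                 # global section ends here
        key == "gatewayports" { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "no" }          # sshd default is no
    ' "$1"
}

# Count GatewayPorts lines that sit inside a Match block (scoped, not global).
scoped_gateway_ports_lines() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { split($0, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { in_match = 1; next }
        in_match && key == "gatewayports" { c++ }
        END { print c + 0 }
    ' "$1"
}

# Say where a forward such as "ssh -R 5000:localhost:80" will listen.
describe_exposure() {
    case "$1" in
        yes)             echo "all interfaces" ;;
        clientspecified) echo "address chosen by the client (loopback if none given)" ;;
        *)               echo "loopback only" ;;
    esac
}

# Constructed sample: a config that ends in a Match block, then the appended line.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin no' 'Match User backup' \
    '    ForceCommand internal-sftp' 'GatewayPorts yes' > "$sample"
value=$(effective_gateway_ports "$sample")
echo "global GatewayPorts=$value ($(describe_exposure "$value"))"
echo "GatewayPorts lines inside Match blocks: $(scoped_gateway_ports_lines "$sample")"
rm -f "$sample"
```

On the server itself, sudo sshd -T | grep -i gatewayports prints the value sshd resolves after parsing the full configuration.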
Restart SSH Service
service ssh restart
exit
Reauthenticate as prompted.
Understanding Port Forwarding Basics
Read more at: Everything CLI
Local vs Remote SSH Port Forwarding
- Local Port Forwarding: Relays a port from a remote server to your local machine using ssh -L.
- Remote Port Forwarding: Makes your local port available on a remote server using ssh -R.
TL;DR
- Remote MySQL server (port 3306) to local machine:
ssh -L 5000:localhost:3306 user@remote-server
- Local web-server (port 80) to remote server:
ssh -R 5000:localhost:80 user@remote-server
Detailed Commands
Local Port Forwarding
Forward a remote MySQL server to your local machine on port 5000:
ssh -L 127.0.0.1:5000:localhost:3306 user@remote-server
Remote Port Forwarding
Forward a local web-server to a remote machine on port 5000:
ssh -R 5000:localhost:80 user@remote-server
Handling Ports Below 1024
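Ports below 1024 are privileged. Binding one on your local machine requires sudo; binding one on the remote server requires logging in there as root:
- Local:
sudo ssh -L 10:localhost:3306 user@remote-server
- Remote:
ssh -R 10:localhost:80 root@remote-server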
Automating with autossh
Install autossh for persistent connections:
sudo apt install autossh
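Use it like this (-M takes a monitoring port, and 0 turns autossh's own monitoring off in favour of SSH keepalives; -f runs autossh in the background):
autossh -M 0 -f -N -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -R 5000:localhost:80 user@remote-server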
Custom Script for Persistent Tunneling
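Create a monitoring script:
#!/bin/bash
# Re-create the reverse tunnel if it is not already running (intended for cron).
TUNNEL="2222:localhost:22"
REMOTE="user@remote-server"

createTunnel() {
    # -f backgrounds ssh once the forward is up; ExitOnForwardFailure makes
    # ssh exit non-zero if the remote port cannot be bound.
    /usr/bin/ssh -f -N -o ExitOnForwardFailure=yes -R "$TUNNEL" "$REMOTE"
    local rc=$?   # save the ssh exit code before another command overwrites $?
    if [[ $rc -eq 0 ]]; then
        echo "Tunnel to jumpbox created successfully"
    else
        echo "Error occurred. RC was $rc"
    fi
}

# Look for this tunnel's command line rather than any running ssh process.
if ! pgrep -f "ssh .*-R $TUNNEL" > /dev/null; then
    echo "Creating new tunnel connection"
    createTunnel
fi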
Make it executable:
chmod 700 ~/create_ssh_tunnel.sh
Add to crontab for automated checking (the SSH login must use key-based authentication, because cron cannot answer a password prompt):
*/1 * * * * ~/create_ssh_tunnel.sh > tunnel.log 2>&1
Setting Up a Proxy to the SSH Tunnel
Configure Apache’s httpd.conf to forward traffic:
<Location "/my-path">
ProxyPass "http://127.0.0.1:8000"
ProxyPassReverse "http://127.0.0.1:8000"
</Location>
Virtual Host Configuration on Apache
Example configuration:
Listen 8000
<VirtualHost *:8000>
DocumentRoot /usr/local/apache2/some-dir
<Directory "/usr/local/apache2/some-dir">
# Apache 2.4 access control; the 2.2-style Order/Allow lines are not needed alongside Require.
AllowOverride All
Require all granted
</Directory>
ProxyPass /my-endpoint http://172.17.0.1:5000/my-endpoint
ProxyPassReverse /my-endpoint http://172.17.0.1:5000/my-endpoint
</VirtualHost>
Conclusion
Utilizing reverse SSH tunneling with port forwarding can be a powerful tool for remote server management, offering flexibility and security enhancements. Experiment with these commands and configurations to suit your specific needs.