Example of multiplexing ssh-over-tls to different hosts #101
Comments
|
@mholt Any idea how to get that to listen on port 80 and respond to http strategy ACME challenges? |
|
Use the |
Merged
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
I've got an example of multiplexing SSH over HTTPS to different hosts.
If there's a way to maintain the same functionality, but simplify the config, I'd love to know how to do it.
Is there some sort of template system I could use to say "here's a ruleset" and then "apply that ruleset, but for these hostnames"?
I believe the caddyfile has something like that.
1. Install xcaddy
xcaddy(
pathmancan help if you're unfamiliar with that)2. Build with layer4
Needs layer4, l4tls, l4ssh, l4proxy.
We'll be using
duckdnsfor real TLS certs since many clients don't issue SNI at all in-k, --insecuremode, and therefore cannot test against self-issued certs without putting the cert in the client's chain.2b. How to run
Assuming an
.envwith theDUCKDNS_API_TOKEN:3. Multiplexing HTTPS and SSH
Configure SSH Client
You can use
openssl s_client,socat,sclient, or one of many other tls-terminating tools. Demonstrating withsclientbecause it is purpose-built for this use case and works on Windows.~/.ssh/config:Host example-a Hostname example-a.duckdns.org ProxyCommand sclient %h Host example-b Hostname example-b.duckdns.org ProxyCommand sclient %hConfigure Caddy
This feels a little too verbose. Is there a some sort of ruleset that could be created and then applied per-host?
{ "logging": { "logs": { "default": { "level": "DEBUG" } } }, "apps": { "layer4": { "servers": { "my-sshttp": { "listen": ["0.0.0.0:443"], "routes": [ { "match": [ { "tls": {} } ], "handle": [ { "handler": "subroute", "routes": [ { "match": [ { "tls": { "sni": ["example-a.duckdns.org"] } } ], "handle": [ { "handler": "tls", "connection_policies": [ { "alpn": ["http/1.1"] } ] }, { "handler": "subroute", "routes": [ { "match": [{ "ssh": {} }], "handle": [ { "handler": "proxy", "upstreams": [{ "dial": ["localhost:22"] }] } ] }, { "match": [ { "http": [ { "host": ["example-a.duckdns.org"] } ] } ], "handle": [ { "handler": "proxy", "upstreams": [{ "dial": ["localhost:3000"] }] } ] } ] } ] }, { "match": [ { "tls": { "sni": ["example-b.duckdns.org"] } } ], "handle": [ { "handler": "tls", "connection_policies": [ { "alpn": ["http/1.1"] } ] }, { "handler": "subroute", "routes": [ { "match": [{ "ssh": {} }], "handle": [ { "handler": "proxy", "upstreams": [{ "dial": ["10.0.0.222:22"] }] } ] }, { "match": [ { "http": [ { "host": ["example-b.duckdns.org"] } ] } ], "handle": [ { "handler": "proxy", "upstreams": [{ "dial": ["10.0.0.222:3000"] }] } ] } ] } ] } ] } ] } ] } } }, "tls": { "certificates": { "automate": [ "localhost", "192.168.0.4", "example-a.duckdns.org", "example-b.duckdns.org" ] }, "automation": { "policies": [ { "subjects": ["localhost", "192.168.0.4"], "issuers": [ { "module": "internal" } ] }, { "subjects": ["example-a.duckdns.org", "example-b.duckdns.org"], "issuers": [ { "challenges": { "dns": { "provider": { "api_token": "{env.DUCKDNS_API_TOKEN}", "name": "duckdns" } } }, "module": "acme" }, { "challenges": { "dns": { "provider": { "api_token": "{env.DUCKDNS_API_TOKEN}", "name": "duckdns" } } }, "module": "zerossl" } ] } ] } } } }TODO
How to pass HTTP traffic through to Caddy's normal http handler? Perhaps related to #70 and #78?
How to simplify?
The text was updated successfully, but these errors were encountered: