diff --git a/ssh-tunnelling.md b/ssh-tunnelling.md index 5d1e15cd..271294fe 100644 --- a/ssh-tunnelling.md +++ b/ssh-tunnelling.md @@ -1,13 +1,40 @@ # SSH Tunnelling +## Generic SSH Port Forwarding + +SSH login to `host1` and bind local port number to forward through the ssh tunnel to `host2` on the specified port. + +```shell +ssh -L :: @ +``` + +Then just connect to the localhost `127.0.0.1:` so network packets sent to that local port will tunnel through +SSH and be forwarded on the other side from the ssh server on that same port. + +WARNING: you probably don't want to use `-R` because that would bind the port on the remote `host1` in a way that +anybody could connect to it - it wouldn't be protected inside an SSH tunnel on your local machine, and nor would +your network packets between your machine and `host1`. + +##### Use Case Example + +I used to use this `-L` tunnel to my home Subversion server in the 2000s to commit my home directory configs and +personal scripts for my l33t Gentoo workstation & laptop. Thankfully the superior [Git](git.md) and remote working both +kill the need for such tunnelling just to commit. + +## HTTP Proxying + +See [HTTP Proxying](http-proxying.md). + ## GCP -On GCP, you may tunnel through a proxy host like this: +On GCP, you may tunnel through a bastion host like this: -unsetting `HTTPS_PROXY` ensures `gcloud` commands can access the Google APIs (could also just move `NO_PROXY` higher up) +(exclude `googleapis.com` otherwise `gcloud` CLI won't be able to connect to Google since it is the tunnel which is +not up yet) ```shell -unset HTTPS_PROXY +export no_proxy="googleapis.com" +export NO_PROXY="$no_proxy" export PROJECT_PROXY_PORT=8888 gcloud compute ssh bastion-vm -- -4 -N \ 
@@ -15,8 +42,6 @@ gcloud compute ssh bastion-vm -- -4 -N \ -o "ExitOnForwardFailure yes" \ -o "ServerAliveInterval 10" -export HTTPS_PROXY="http://localhost:$PROJECT_PROXY_PORT" -export NO_PROXY="googleapis.com" +export https_proxy="http://localhost:$PROJECT_PROXY_PORT" +export HTTPS_PROXY="$https_proxy" ``` - -`NO_PROXY` is necessary to not suffer the performance or blocking should the port become unavailable
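Review bot: The `WARNING` paragraph added under "Generic SSH Port Forwarding" misdescribes `-R`. A remote forward still carries its traffic inside the SSH connection between your machine and `host1`; the difference is that the listening port is opened on `host1` instead of locally, and OpenSSH's sshd binds that listener to loopback unless `GatewayPorts` is enabled on the server. Suggest rewording to say that `-R` exposes a listener on `host1` (to other users of that host, or to the network if `GatewayPorts` allows it) rather than that the packets are unprotected. Two smaller points in the same section: the `ssh -L :: @` line and the `127.0.0.1:` reference show no placeholder names, so something like `ssh -L LOCAL_PORT:HOST2:PORT USER@HOST1` would read better; and "forwarded on the other side from the ssh server on that same port" should say the connection goes from `host1` to `host2` on the specified port, which is the leg SSH does not encrypt.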
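Review bot: The two new `export https_proxy=...` / `export HTTPS_PROXY=...` lines at the end of the GCP block leave the proxy set for the rest of the shell session, and with `unset HTTPS_PROXY` dropped from the top of the block in the previous hunk nothing on the page clears them any more. A second run of the block, or any other command in that shell after the tunnel has closed, starts with both variables pointing at `localhost:$PROJECT_PROXY_PORT`, and only hosts matching `googleapis.com` are exempted. Suggest adding a teardown line such as `unset https_proxy HTTPS_PROXY` with a sentence on when to run it. The deleted closing sentence about `NO_PROXY` and the port becoming unavailable also covered that failure case, so it is worth keeping a short version of it next to the new `no_proxy` comment.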