Add support for ssh proxies

[ghost]

capistrano can deploys to hosts behind a ssh gateway server via the :gateway setting. We use the this little piece of magic to transparently deploy in or outside the office:

unless `hostname -f` =~ /#{intranet}$/
        hosts_via_gateway = find_servers.map { |sd| sd.to_s }.select { |h| h =~ /#{intranet}$/ }
        unless hosts_via_gateway.empty?
                set :gateway, '#{gateway}' => hosts_via_gateway
        end
end

[nicolai86]

You can deploy using a gateway by properly configuring your ssh config file. e.g:

I want to deploy to intranet.example.com. My $HOME/.ssh/config file should contain this:

Host gateway.example.com
  IdentityFile ~/.ssh/id_rsa
  User administrator
  ProxyCommand none

Host intranet.example.com
  Hostname 192.168.0.38
  ForwardAgent yes
  ProxyCommand ssh gateway.example.com nc %h %p

Running ssh intranet.example.com will then use gateway.example.com as proxy. And thus will mina.

Just make sure you're telling mina to ssh to intern.example.com and everything will work properly...

[ghost]

On 2013-11-20 06:49:19, Raphael Randschau wrote:

You can deploy using a gateway by properly configuring your ssh config file.

Thanks for the suggestion. One thing that may not have been
clear is that we only want to use the gateway outside the office,
and not use it in the office. The capistrano configuration I
included does that, while I think we would need two different
ssh_config files and each developer deploy user would have to
replicate that setup.

/Allan

Allan Wind
Life Integrity, LLC
http://lifeintegrity.com

[nicolai86]

As a matter of fact you can have conditional ProxyCommand host resolution which helps you achieve just that.
See serverfault for an example.

You'd still need to share this setup with all developers, though.

[ghost]

On 2013-11-27 01:23:04, Raphael Randschau wrote:

As a matter of fact you can have conditional ProxyCommand resolution which helps you achieve just that.
See [serverfault][1] for an example.

You'd still need to share this setup with all developers, though.

I actually use something similar already, but this means you now
have the server twice in your config. Once for the direct route,
and additionally for the proxy command. And you need to have
different targets depending on which one you want. Or am I
missing something?

Could you easily run-time generate a ssh_config for mina and have
it use it? That way you could read $HOME/.ssh/config and you
could combine or augment it based on your environment.

Btw, feel free to resolve this ticket, doesn't solve the problem
cleanly for me, but your suggestion is a valid solution.

/Allan

Allan Wind
Life Integrity, LLC
http://lifeintegrity.com

[nicolai86]

according to the ssh manpage you can change the configuration file in use by specifying the -F option.
So you could use a different config file, just for mina, like this:

set :ssh_options, "-F /path/to/mina_ssh_config"

Running mina deploy -S will show something like this:

# Executing the following via 'ssh foobar.com -F /path/to/mina_ssh_config -t':

I'm also not sure how to conquer the duplication ATM. Also I can't close the ticket, I'm just a bystander wanting to help :)

[jeremy]

This is doable with ssh config, but native support would be very friendly. Very common to deploy to hosts behind a gateway/firewall. Getting ssh proxying working just right for N devs is harder than doing it properly once. Specifying -F ./config/deploy/ssh_config is a nice option for that. Managing the gateway automatically would be even smoother, though.

[d4be4st]

You can make a gem for this that will extend mina to support gateways.