2

If the title sounds confusing, it is, and I am highly confused. Here's the situation:

  1. I have a prod server prod1 that's firewalled incoming/outgoing traffic from/to all external Internet
  2. Additionally, the only way I can SSH to this server is by first SSHing to an internal bastion bastion.foo.com, then ssh with sshconfig e.g. ProxyCommand ssh -W %h:%p bastion.foo.com.

On prod1 I want to be able hit an API endpoint e.g. curl -I https://api.com (which uses port 443 as it's https) by somehow tunneling through my ssh connection to that server (only when I'm connected of course). After reading some blog posts, I thought RemoteForward was the answer: 

Host prod1
HostName ...
User ...
IdentityFile ...
RemoteForward 443 api.com:443
ProxyCommand ssh -W %h:%p bastion.foo.com

But when I ssh prod1 the first thing the server says is:

Warning: remote port forwarding failed for listen port 443

How do I do what I'm trying to do? Am I on the right path?

Trevor Hartman
  • 267

1 Answers1

1

There is really cute drawing which explains RemoteForward in openssh. But the remote forwarding is probably more complicated in your use case than you describe.

You would need to change at least /etc/hosts to make it at least a bit transparent to your application:

127.0.0.1 api.com

Or change your application to connect to localhost directly instead of api.com.

And please note, that

Privileged ports can be forwarded only when logging in as root on the remote machine.

from man ssh_config(5). This means, that you can't bind port 443 without root privileges (or even other mechanisms like SELinux can block you from doing so). You need these privileges or rather you should choose different local port and it makes it even less transparent for your application.

Community
  • 1
Jakuje
  • 10,827