I'm using
ssh [email protected] -g -L 4321:localhost:28017
to establish a tunnel from my MacBook to my dedicated server at my hosting provider. It works well. Now I want to access several admin sites on the remote server (a MongoDB status page, a RabbitMQ page etc, all on different ports). All of them are bound to 127.0.0.1 on the remote machine. How can I tweak this ssh command to
- assign a name to the tunnel and use e.g. "my.tunnel.name" in my browser
- to be able to define the remote port in my browser; I would like to connect to my.tunnel.name:port, in order to be able to call the different sites
Is this possible with ssh? I've read the man pages and googled around for two days now, but it does not seem to work.
--edit 2012-06-01 23:36-- Thanks to the provided answers and comments the port forwarding works now using
ssh [email protected] -D 4321
I can set this up as a proxy in my browser and the browser will treat any request to localhost:anyport as if it was made on the remote server. Using a name is now not necessary, since the browser is for remote server sites only.
You can assign a name by using the fact your loopback adapter will basically respond to any address in the 127.0.0.0/8 network.
So instead of binding to port 4321 you could bind to 127.1.2.3:4321. Then simply set up a host entry that maps a name to the loopback address that you used, so foo.bar maps to 127.1.2.3.
In my SSH configuration on my admin workstation I have many tunnels configured so that they bind to some address in the loopback range, and I have entries in my host file so I open up many tunnels in parallel using the same port and distinguish between them via name.
So if you connect like this
And your hosts file has a line like this.
Then you should be able to connect to my.tunnel.name:4321 from your local machine.
If you have additional IP address space on the network your ssh client is connected to, you could even assign a secondary address to your Ethernet interface and use one of your real IPs, and then set up entries in your DNS if you wanted other systems to be able to use your SSH tunnel.
The -L option
-L [bind_address:]port:host:hostport
will let you use any valid IP address on the local system to bind to. You do need to include the -g option as well if you want other hosts to be able to connect via your ssh tunnel.
What you describe is not possible. But there's still good news:
What is possible however is to establish a Dynamic connection with the SSH Server. This will open a port on your local computer to which you can point the Proxy setting of your Browser and allow you to use the tunnel as a proxy server. But you have to type a hostname/ip and port into the browser as if the browser were running on the machine the SSH Server is on.
Command looks like this:
ssh [email protected] -D 1234
Then point your browser's proxy to localhost:1234.
So if you tunnel into Server A, and want to connect to server B, you type into your browser whatever address you would type into a Browser running on Server A. If a browser running on server A could not connect to Server B (if the process on Server B only listens on 127.0.0.1) then you still couldn't connect. It sounds like you just have the one server, but I wanted to be sure this was clear.
If you just have the one server, you tunnel into it with the Dynamic connection, set your proxy. You will then be able to type "localhost:1234" (for example) into the browser and it will connect to the service running on the remote server on port 1234.
Security Side Note: Never never never set up a server where root can SSH in! Serious security flaw. Create a normal user account (who is allowed to su or sudo) and SSH in as that user.
Create a Dynamic application-level port forwarding (socks proxy basically) with your SSH tunnel, and then point your applications through this one. To create a dynamic tunnel, connect as follows:
Then configure your application to use this as a SOCKSv5 proxy.
If you want a hostname bound to this, just add /etc/hosts entries that point to 127.0.0.1, but a prettier way might be to add 127.0.0.2 for the first tunnel, and a hosts entry for this one, 127.0.0.3 for the second tunnel and a separate host entry for this one, etc. If you add aliases for 127.0.0.1, sometimes this alias will appear in other commands' lookups of localhost, which can be confusing!
To smoothly use this in a web browser you can use a proxy addon. As an example, I favor the Chrome web browser, and for this one I use an addon called Proxy Switchy!. You can download it here: https://chrome.google.com/webstore/detail/caehdcpeofiiigpdhbabniblemipncjj
In the configuration of this addon I can define several separate proxies, and then bind regular expressions of hosts/URLs to use certain proxies, this way I'll always be properly redirected through the right tunnels without having to manually switch. Please let me know if you need further clarification on any of the steps!
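The -L bind address and the -g option discussed in the answers above decide whether a forwarded admin port stays on the local machine or becomes reachable from other hosts on the network. The shell function below is an added example, not part of any of the original posts; the name forward_exposure and the sample specs are assumptions, and the rules follow the ssh(1) description of -L and -g.

```shell
#!/bin/sh
# Added example, not from the original posts. forward_exposure is a
# hypothetical helper name. It classifies an ssh -L spec of the form
# [bind_address:]port:host:hostport as "loopback" or "exposed".
# $1 = forward spec, $2 = "yes" when -g (GatewayPorts) is in effect.
forward_exposure() {
    spec=$1; gateway=${2:-no}; bind=
    case $spec in
        \[*\]:*)    # bracketed IPv6 bind address, e.g. [::1]:4321:...
            bind=${spec%%\]*}; bind=${bind#\[}; has_bind=1 ;;
        *)
            # Mask a bracketed IPv6 destination so its colons are not counted.
            flat=$(printf '%s' "$spec" | sed 's/\[[^]]*\]/H/g')
            colons=$(printf '%s' "$flat" | tr -cd ':' | wc -c | tr -d ' ')
            case $colons in
                2) has_bind=0 ;;                      # port:host:hostport
                3) has_bind=1; bind=${spec%%:*} ;;    # bind:port:host:hostport
                *) echo invalid; return 2 ;;
            esac ;;
    esac
    if [ "$has_bind" -eq 0 ]; then
        # No bind address: the listener follows GatewayPorts, which -g enables.
        if [ "$gateway" = yes ]; then echo exposed; else echo loopback; fi
        return 0
    fi
    # An explicit bind address is used as given, with or without -g.
    case $bind in
        ''|'*'|0.0.0.0|::) echo exposed ;;   # empty or wildcard: every interface
        localhost|::1)     echo loopback ;;
        127.*[!0-9.]*)     echo exposed ;;   # a host name that only starts with "127."
        127.*)             echo loopback ;;  # anywhere in 127.0.0.0/8
        *)                 echo exposed ;;   # any other local address
    esac
}

# Constructed sample specs, reusing the ports from the question.
show() { printf '%-36s -g=%-3s -> %s\n' "$1" "$2" "$(forward_exposure "$1" "$2")"; }
show 4321:localhost:28017 yes
show 4321:localhost:28017 no
show 127.1.2.3:4321:localhost:28017 yes
show '*:4321:localhost:28017' no
```

With -g and no bind address, as in the question's first command, the function reports the listener as exposed; with a 127.0.0.0/8 bind address it stays local even when -g is present.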