MikeyE's questions

I am trying to proxy SSH traffic from nginx (listening on port 7999) to a bitbucket server (listening on port 7998) on the back-end. Both nginx and bitbucket are running inside Docker containers. If I login to the nginx container and do telnet bitbucket.domain-name.com 7998 it connects. On the host machine if I do netstat -pnlt I get:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp6       0      0 :::2377                 :::*                    LISTEN      24477/dockerd       
tcp6       0      0 :::7946                 :::*                    LISTEN      24477/dockerd       
tcp6       0      0 :::80                   :::*                    LISTEN      24477/dockerd       
tcp6       0      0 :::443                  :::*                    LISTEN      24477/dockerd       
tcp6       0      0 :::7999                 :::*                    LISTEN      24477/dockerd   

But, I when I do this on my computer: git clone ssh://[email protected]:7999/project_key/repo_name.git I get

Cloning into 'repo_name'...
ssh: connect to host domain-name.com port 7999: Connection refused
fatal: Could not read from remote repository.

And when I do telnet domain-name.com 7999 I get telnet: Unable to connect to remote host: Connection refused.

It seems the problem is nginx is not listening on port 7999 inside the docker container. But, on the host I can see dockerd is listening on port 7999. I imagine I might not have the nginx config correct, but am not sure. Here are the relevant bits from the config files.

docker-compose.yaml (nginx)

services:
    nginx:
        ports:
            - "80:8080"
            - "443:8443"
            - "7999:7997"

nginx.conf (inside the nginx container)

stream {
    server {
        listen 7997;
        proxy_pass bitbucket1.cybertron.ninja:7998;
    }
}

And here's some output executed inside the nginx container:

root@6d123f454eef:/# netstat -pnlt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name                                                                        
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      10/nginx: master pr                                                                     
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      10/nginx: master pr                                                                     
tcp        0      0 127.0.0.11:44703        0.0.0.0:*               LISTEN      -            

Any ideas how to fix this issue? I'm stumped.

Is there are way I can restrict access to an Amazon EC2 instance, so that no one except me will be able to login to my EC2 instance? I want to restrict access such that not even Amazon data center admins can login to my EC2 instance. If it is possible, what is the easiest way of doing so?

EDIT To clarify, I understand anyone with physical access to the hardware my EC2 instance is running on, they can get into my EC2 instance if they hack it open. But, I'm not concerned with that level of security.

Assuming I remove any SSH keys from the EC2 instance, are there any "authorized" ways an Amazon employee could get into my EC2 instance? And if so, what can be done to prevent them from doing do?

I hope I'm stating my question the right way. Now that I'm thinking about it in more depth, I realize it might be a tough question to answer. So, I hope you get the "spirit" of my question, if that makes sense.

I've been banging my head against this problem since yesterday, and figured it's time to phone some friends for help. I've read other similar answers on ServerFault, but they didn't help.

I and my co-workers are able to connect to the JIRA server from within our internal network. But, are not able to connect to it from the internet (a.k.a. an external IP address). Port forwarding is enabled, and has been verified to be working correctly. I'll describe the configuration of everything below.

Network Configuration

I verified port forwarding is working by forwarding port 80 from the host machine (hostname: macmini, ip address: 192.168.1.127). I can access the web-page served up by the host machine from the internet, so it looks like everything is setup correctly on my firewall/router.

I'm not sure if it matters, but I'm using Xfinity internet. With the Xfinity router configured to pass all traffic through via DMB to my ASUS RT-AC66U router. The host and guest machines are both connecting to the network through the ASUS router.

The JIRA Server (the guest machine)

I have a JIRA server as a Vagrant box with Debian 8.7 installed. JIRA is running on port 8080. The vagrant box is configured with a static IP address of 192.168.1.3. I believe I was successful in completely disabling the firewall on Debian. I followed a guide I found using Google-Fu, but I must admit I'm not proficient with firewall configuration on Linux.

Here is the contents of the JIRA server's Vagrantfile:

And here is the contents of the JIRA server's /etc/network/interfaces file:

The Host machine

The host machine is running Ubuntu 16.04, and I believe I was successful in disabling the firewall. But, I could be wrong, as I stated earlier I'm not proficient with firewall configurations on Linux. Again, the host machine's IP address is: 192.168.1.127. The host machine has an Apache www server on it. Using the WAN section of the ASUS router's admin page, I forwarded port 80 to the host machine. And I'm able to see the web-page from outside my network.

Well, there you have it sports fans. I'm completely stumped on this one, so any help would be greatly appreciated!

I installed citadel-suite using apt-get on Ubuntu 15.10. I then uninstalled it using 'sudo apt-get remove citadel-suite; sudo apt-get purge citadel-suite', manually deleted the directory '/etc/citadel/', and then re-installed it using apt-get. I thought it would re-run the easy install, but alas no. After reading the Citadel's FAQs and docs, I ran Citadel's 'setup' executable. Now it's totally borked. It's spitting out messages like the following as fast as it can go:

Broadcast message from systemd-journald@hostname (Thu 2016-07-14 21:09:52 PDT): citserver[12510]: failed to create directory /etc/citadel/messages/: No such file or directory Broadcast message from systemd-journald@hostname (Thu 2016-07-14 21:09:52 PDT): citserver[12510]: failed to access & create directories Broadcast message from systemd-journald@hostname (Thu 2016-07-14 21:09:52 PDT): citserver[12511]: configuration setting c_default_cal_zone is empty, but must not - check your config! Broadcast message from systemd-journald@hostname (Thu 2016-07-14 21:09:52 PDT): citserver[12511]: failed to create directory /etc/citadel/messages/: No such file or directory Broadcast message from systemd-journald@hostname (Thu 2016-07-14 21:09:52 PDT): citserver[12511]: failed to access & create directories

I then rebooted the server, but it's still spitting out the same messages from systemd-journald. Anyone have any ideas on how to fix it and get Citadel re-installed?