@pagles
Forked from gdamjan/README.md
Last active January 31, 2019 14:53
Setup for easy to use, simple reverse HTTP tunnels with nginx and ssh. It's that simple: there's no authentication at all. The end result: a single ssh command invocation gives you a public URL for the web app hosted on your laptop.

What

...

Requirements

  • a server with a public IP (1.2.3.4 in this document)
  • a domain name (domain.tld in this document)
  • a wildcard DNS entry in the domain pointing to the public IP (*.ie.mk. 1800 IN A 1.2.3.4)
  • nginx
  • sshd

Nginx config

The wildcard DNS entry should point to this nginx instance. Every www<port>.domain.tld will be proxied to 127.0.0.1:<port>, where <port> must be 4 or 5 digits.

server {
  # The named capture "port" holds the 4-5 digit number that follows "www".
  # The regex must be quoted: nginx otherwise treats the { } of {4,5} as
  # block delimiters, and escaping them as \{4,5\} makes PCRE match a literal "{4,5}".
  server_name   "~^www(?<port>\d{4,5})\.domain\.tld$";

  location / {
    # hand the request to the loopback port that ssh -R allocated on this server
    proxy_pass        http://127.0.0.1:$port;
    proxy_set_header  X-Real-IP  $remote_addr;
    proxy_set_header  Host $host;
  }
}

SSH configuration

An sshd configuration that allows a user to log in with no password and applies a forced command, so that the user doesn't get shell access.

Match User tunnel
  # ChrootDirectory
  # whatever command the client asks for is replaced by this one, so no shell
  ForceCommand /bin/echo do-not-send-commands
  # required for the -R remote forward
  AllowTcpForwarding yes
  PasswordAuthentication yes
  PermitEmptyPasswords yes

PAM needs to be disabled if sshd is to allow login without a password. That's not always possible, and it isn't even a smart thing to do. Another approach is a separate instance of sshd, on a different port, just for the tunnel user.

Make a copy of the config file, then change/add these settings:

# empty-password login only works when PAM is out of the picture
UsePAM no
# nobody but the tunnel user may log in to this instance
AllowUsers tunnel
Port 722

And then run sshd -f /etc/ssh/sshd_config_tunnel.

The tunnel user has an empty password field in /etc/shadow.
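An added check, not part of the gist, that verifies what the tunnel sshd instance will actually apply to the tunnel user. sshd -T prints the effective configuration (keywords in lower case) and -C user=tunnel makes it evaluate the "Match User tunnel" block. The config path is the one from this gist; the expected values are the gist's settings plus gatewayports=no (the OpenSSH default), which keeps the -R listener on the server's loopback so the raw tunnel port is only reachable through nginx. The function reads sshd -T output from stdin, so it can be run over a saved copy as well as the live daemon.

```shell
#!/bin/sh
# Added example (not the gist's own code): compare the effective sshd settings for
# the tunnel user against what this setup relies on. Assumes the gist's config path.
TUNNEL_SSHD_CONFIG="${TUNNEL_SSHD_CONFIG:-/etc/ssh/sshd_config_tunnel}"

# Read "keyword value" lines on stdin (sshd -T format), print one MISMATCH line per
# expectation that does not hold, and return 0 only when all of them hold.
check_tunnel_settings() {
    config=$(cat)
    status=0
    for want in \
        'forcecommand /bin/echo do-not-send-commands' \
        'allowtcpforwarding yes' \
        'permitemptypasswords yes' \
        'usepam no' \
        'gatewayports no' \
        'allowusers tunnel' \
        'port 722'
    do
        key=${want%% *}
        # whole-line match (-x): the forcecommand value itself contains spaces
        if ! printf '%s\n' "$config" | grep -qx "$want"; then
            have=$(printf '%s\n' "$config" | grep "^$key " | head -n 1)
            printf 'MISMATCH %s: expected "%s", got "%s"\n' "$key" "$want" "${have:-<unset>}"
            status=1
        fi
    done
    return $status
}

# Ask the daemon what it would apply to a connection from user "tunnel".
check_live_sshd() {
    sshd -T -f "$TUNNEL_SSHD_CONFIG" -C user=tunnel | check_tunnel_settings
}

if [ "${1:-}" = "live" ]; then
    check_live_sshd
fi
```

Run it as `sh check_tunnel.sh live` on the server (sshd -T needs to read the host keys, so root is normally required); a non-zero exit plus the MISMATCH lines tells you which of the gist's settings the Match block failed to apply.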

TODO

Test ChrootDirectory in sshd

Client

Just connect with:

ssh -N -T 1.2.3.4 -l tunnel -R 0:localhost:5050 -p 722

ssh will respond with an "Allocated port 56889 for remote forward to localhost:5050" message. Then you can use www56889.domain.tld.
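The following client-side helper is an added example, not code from the gist. It covers both the nginx routing rule above (a shell mirror of the www<port>.domain.tld regex, so you can predict which hostnames nginx will route) and the last step (turning the "Allocated port" message into the public URL). It assumes the gist's placeholders domain.tld and 1.2.3.4, and that the allocated port is read from ssh's stderr; the helper names and the TUNNEL_* variables are mine.

```shell
#!/bin/sh
# Added example (not the gist's own code). Assumes the gist's nginx pattern
# www<port>.domain.tld and its server address; override via environment.
TUNNEL_DOMAIN="${TUNNEL_DOMAIN:-domain.tld}"
TUNNEL_SERVER="${TUNNEL_SERVER:-1.2.3.4}"
TUNNEL_SSH_PORT="${TUNNEL_SSH_PORT:-722}"

# Mirror of the nginx server_name regex: print the port when the host is
# www<4-5 digits>.$TUNNEL_DOMAIN, return 1 otherwise.
port_from_host() {
    host=$1
    domain_re=$(printf '%s' "$TUNNEL_DOMAIN" | sed 's/\./\\./g')
    printf '%s\n' "$host" | grep -Eq "^www[0-9]{4,5}\.${domain_re}\$" || return 1
    port=${host#www}
    port=${port%%.*}
    # five digits can exceed the TCP port range; nginx would just fail the upstream
    # connect for such a name, so refuse it here as well
    [ "$port" -le 65535 ] || return 1
    printf '%s\n' "$port"
}

# Turn ssh's "Allocated port N for remote forward to ..." line into the public URL.
# Returns 1 for any other line, and for a port nginx would not route (under 1000).
url_from_allocation() {
    line=$1
    case "$line" in
        "Allocated port "*" for remote forward to "*) ;;
        *) return 1 ;;
    esac
    port=${line#Allocated port }
    port=${port%% *}
    host="www${port}.${TUNNEL_DOMAIN}"
    port_from_host "$host" >/dev/null || return 1
    printf 'http://%s\n' "$host"
}

# Open the tunnel for a local web app and print its public URL as soon as ssh
# reports the allocated port. The message goes to stderr, hence the 2>&1.
open_tunnel() {
    local_port=$1
    ssh -N -T "$TUNNEL_SERVER" -l tunnel -p "$TUNNEL_SSH_PORT" -R "0:localhost:$local_port" 2>&1 |
    while IFS= read -r line; do
        if url=$(url_from_allocation "$line"); then
            printf 'public url: %s\n' "$url"
        else
            printf '%s\n' "$line" >&2
        fi
    done
}

if [ "${1:-}" = "open" ]; then
    open_tunnel "${2:-5050}"
fi
```

`sh tunnel.sh open 5050` blocks for as long as the tunnel is up, the same as the bare ssh command. Two things the helper makes explicit: the "Allocated port" line only turns into a routable URL when the number has 4 or 5 digits and fits in the port range, and the listener ssh creates with -R 0 sits on the server's loopback (sshd's GatewayPorts defaults to no), which is exactly why nginx proxies to 127.0.0.1 and why nothing reaches the app except through the www<port> hostname.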
