pagles · January 31, 2019 14:53 · Jan 31, 2019 · Feb 11, 2013 · Feb 11, 2013 · Jan 21, 2013
diff --git a/README.md → nginx-to-ssh-tunnel.md b/README.md → nginx-to-ssh-tunnel.md
diff --git a/reverse-ssh-tunnel.sh b/reverse-ssh-tunnel.sh
@@ -4,7 +4,8 @@ local_port=$1
 ssh_server=1.2.3.4
 ssh_user=tunnel
 ssh_port=722
+url_tmpl=http://www\\1.domain.tld/
 
 exec 3>&1
 eval ssh -N -T $ssh_server -l $ssh_user -R 0:localhost:$local_port -p $ssh_port 2>&1 1>&3 \
-    | sed 's|^Allocated port \([[:digit:]]\+\) for remote forward to|Your url is http://www\1.domain.tld/ will be forwarded to|'
+    | sed 's|^Allocated port \([[:digit:]]\+\) for remote forward to|Your url is '$url_tmpl' will be forwarded to|'
diff --git a/README.md b/README.md
@@ -1,18 +1,25 @@
 What
 ====
 
-...
+A lot of times you are developing a web application on your own laptop or home computer and would like to demo it to the public. Most of those times you are behind a router/firewall and you don't have a public IP address. Instead of configuring routers (often not possible), this solution gives you a public URL that's reverse tunnelled via ssh to your laptop.
 
+Because of the relaxation of the sshd setup, it's best used on a dedicated virtual machine just for this (an Amazon micro instance for example).
+
 
 Requirements
 ============
 
+Server side:
+
 * a server with a public ip (1.2.3.4 in this document)
 * a domain name (domain.tld in this document)
 * a wildcard dns entry in the domain pointing to the public ip (*.ie.mk.    1800    IN  A   1.2.3.4)
 * nginx
 * sshd
 
+Client side:
+* ssh client (even plink would work on Windows)
+
 
 Nginx config
 ============
@@ -34,11 +41,12 @@ Where `<port>` needs to be 4 or 5 digits.
     }
 
 
+
 SSH configuration
 =================
 
 A sshd configuration to allow a user with no password
-and a forced command, so that the user doesn't get shell access.
+and a forced command, so that the user can't get shell access.
 
     Match User tunnel
       # ChrootDirectory
@@ -63,11 +71,6 @@ The `tunnel` user has an empty password field in /etc/shaddow.
 
     tunnel::15726:0:99999:7:::
 
-TODO
-====
-
-Test ChrootDirectory in sshd
-
 
 Client
 ======
@@ -77,4 +80,10 @@ Just connect with:
     ssh -N -T 1.2.3.4 -l tunnel -R 0:localhost:5050 -p 722
 
 ssh will respond with a `Allocated port 56889 for remote forward to localhost:5050` message.
-Then you can use www56889.domain.tld
+Then you can use www56889.domain.tld
+
+
+TODO
+====
+
+Test ChrootDirectory in sshd
diff --git a/README.md b/README.md
@@ -18,9 +18,9 @@ Nginx config
 ============
 
 A wildcard dns should point to this nginx instance.
-Every www<port>.domain.tld will be proxied to 127.0.0.1:<port>
+Every `www<port>.domain.tld` will be proxied to `127.0.0.1:<port>`
 
-<port> needs to be 4 or 5 digits.
+Where `<port>` needs to be 4 or 5 digits.
 
 
     server {

diff --git a/reverse-ssh-tunnel.sh b/reverse-ssh-tunnel.sh
@@ -3,8 +3,8 @@
 local_port=$1
 ssh_server=1.2.3.4
 ssh_user=tunnel
-ssh_opts=722
+ssh_port=722
 
 exec 3>&1
-eval ssh -N -T $ssh_server -l $ssh_user -R 0:localhost:$local_port $ssh_opts 2>&1 1>&3 \
-    | sed 's|^Allocated port \([[:digit:]]\+\) |Your url is http://www\1.domain.tld/ |'
+eval ssh -N -T $ssh_server -l $ssh_user -R 0:localhost:$local_port -p $ssh_port 2>&1 1>&3 \
+    | sed 's|^Allocated port \([[:digit:]]\+\) for remote forward to|Your url is http://www\1.domain.tld/ will be forwarded to|'
diff --git a/README.md b/README.md
@@ -24,7 +24,7 @@ Every www<port>.domain.tld will be proxied to 127.0.0.1:<port>
 
 
     server {
-      server_name   ~^www(?<port>\d+)\.domain\.tld$;
+      server_name   "~^www(?<port>\d{4,5})\.domain\.tld$";
 
       location / {
         proxy_pass        http://127.0.0.1:$port;

diff --git a/README.md b/README.md
@@ -24,7 +24,7 @@ Every www<port>.domain.tld will be proxied to 127.0.0.1:<port>
 
 
     server {
-      server_name   ~^www(?<port>\d\{4,5\})\.domain\.tld$;
+      server_name   ~^www(?<port>\d+)\.domain\.tld$;
 
       location / {
         proxy_pass        http://127.0.0.1:$port;

diff --git a/reverse-ssh-tunnel.sh b/reverse-ssh-tunnel.sh
@@ -1,10 +1,9 @@
 #! /bin/sh
 
-ssh_server=$1
-ssh_user=$2
-local_port=$3
-shift 3
-ssh_opts=$*
+local_port=$1
+ssh_server=1.2.3.4
+ssh_user=tunnel
+ssh_opts=722
 
 exec 3>&1
 eval ssh -N -T $ssh_server -l $ssh_user -R 0:localhost:$local_port $ssh_opts 2>&1 1>&3 \

diff --git a/reverse-ssh-tunnel.sh b/reverse-ssh-tunnel.sh
@@ -0,0 +1,11 @@
+#! /bin/sh
+
+ssh_server=$1
+ssh_user=$2
+local_port=$3
+shift 3
+ssh_opts=$*
+
+exec 3>&1
+eval ssh -N -T $ssh_server -l $ssh_user -R 0:localhost:$local_port $ssh_opts 2>&1 1>&3 \
+    | sed 's|^Allocated port \([[:digit:]]\+\) |Your url is http://www\1.domain.tld/ |'
diff --git a/README.md b/README.md
@@ -61,6 +61,8 @@ And then run `sshd -f /etc/ssh/sshd_config_tunnel`.
 
 The `tunnel` user has an empty password field in /etc/shaddow.
 
+    tunnel::15726:0:99999:7:::
+
 TODO
 ====
 

diff --git a/README.md b/README.md
@@ -9,7 +9,7 @@ Requirements
 
 * a server with a public ip (1.2.3.4 in this document)
 * a domain name (domain.tld in this document)
-* a wildcard dns entry in the domain pointing to the public ip
+* a wildcard dns entry in the domain pointing to the public ip (*.ie.mk.    1800    IN  A   1.2.3.4)
 * nginx
 * sshd
 
@@ -47,7 +47,7 @@ and a forced command, so that the user doesn't get shell access.
       PasswordAuthentication yes
       PermitEmptyPasswords yes
 
-PAM needs to be disabled if sshd is to allow login with no password.
+PAM needs to be disabled if sshd is to allow login without a password.
 That's not always possible, is not even smart. Another approach would be
 a separate instance of sshd, on a different port, just for the tunnel user.
 
@@ -59,6 +59,7 @@ Make a copy of the config file, change/add these settings:
 
 And then run `sshd -f /etc/ssh/sshd_config_tunnel`.
 
+The `tunnel` user has an empty password field in /etc/shaddow.
 
 TODO
 ====

diff --git a/README.md b/README.md
@@ -7,11 +7,11 @@ What
 Requirements
 ============
 
-a server with a public ip (1.2.3.4 in this document)
-a domain name (domain.tld in this document)
-a wildcard dns entry in the domain pointing to the public ip
-nginx
-sshd
+* a server with a public ip (1.2.3.4 in this document)
+* a domain name (domain.tld in this document)
+* a wildcard dns entry in the domain pointing to the public ip
+* nginx
+* sshd
 
 
 Nginx config

diff --git a/README.md b/README.md
@@ -0,0 +1,77 @@
+What
+====
+
+...
+
+
+Requirements
+============
+
+a server with a public ip (1.2.3.4 in this document)
+a domain name (domain.tld in this document)
+a wildcard dns entry in the domain pointing to the public ip
+nginx
+sshd
+
+
+Nginx config
+============
+
+A wildcard dns should point to this nginx instance.
+Every www<port>.domain.tld will be proxied to 127.0.0.1:<port>
+
+<port> needs to be 4 or 5 digits.
+
+
+    server {
+      server_name   ~^www(?<port>\d\{4,5\})\.domain\.tld$;
+
+      location / {
+        proxy_pass        http://127.0.0.1:$port;
+        proxy_set_header  X-Real-IP  $remote_addr;
+        proxy_set_header  Host $host;
+      }
+    }
+
+
+SSH configuration
+=================
+
+A sshd configuration to allow a user with no password
+and a forced command, so that the user doesn't get shell access.
+
+    Match User tunnel
+      # ChrootDirectory
+      ForceCommand /bin/echo do-not-send-commands
+      AllowTcpForwarding yes
+      PasswordAuthentication yes
+      PermitEmptyPasswords yes
+
+PAM needs to be disabled if sshd is to allow login with no password.
+That's not always possible, is not even smart. Another approach would be
+a separate instance of sshd, on a different port, just for the tunnel user.
+
+Make a copy of the config file, change/add these settings:
+
+    UsePAM no
+    AllowUsers tunnel
+    Port 722
+
+And then run `sshd -f /etc/ssh/sshd_config_tunnel`.
+
+
+TODO
+====
+
+Test ChrootDirectory in sshd
+
+
+Client
+======
+
+Just connect with:
+
+    ssh -N -T 1.2.3.4 -l tunnel -R 0:localhost:5050 -p 722
+
+ssh will respond with a `Allocated port 56889 for remote forward to localhost:5050` message.
+Then you can use www56889.domain.tld