How to redirect ssh requests in Nginx?
I'm using the gitea versioning system in a docker environment. The gitea used is a rootless type image.
The http port mapping is “8084:3000” and the ssh port mapping is “2224:2222”.
I generated the keys on my Linux host and added the generated public key to my Gitea account.
1. Test environment
Later I created the ssh config file nano /home/campos/.ssh/config:
Host localhost
HostName localhost
User git
Port 2224
IdentityFile ~/.ssh/id_rsa
After finishing the settings I created the myRepo repository and cloned it.
To perform the clone, I changed the url from ssh://git@localhost:2224/campos/myRepo.git to git@localhost:/campos/myRepo.git
To clone the repository I typed: git clone git@localhost:/campos/myRepo.git
This worked perfectly!
2. Production environment
However, when defining a reverse proxy and a domain name, it was not possible to clone the repository.
Before performing the clone, I changed the ssh configuration file:
Host gitea.domain.com
HostName gitea.domain.com
User git
Port 2224
IdentityFile ~/.ssh/id_rsa
Then I tried to clone the repository again:
git clone git@gitea.domain.com:/campos/myRepo.git
A connection refused message was shown:
Cloning into 'myRepo'...
ssh: connect to host gitea.domain.com port 2224: Connection refused
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
I understand the message is because by default the proxy doesn't handle ssh requests.
Searching a bit, some links say to use "stream" in Nginx.
But I still don't understand how to do this configuration. I need to continue accessing my proxy server on port 22 and redirect port 2224 of the proxy to port 2224 of the docker host.
The gitea.conf configuration file I use is as follows:
server {
    listen 443 ssl http2;
    server_name gitea.domain.com;
    # SSL
    ssl_certificate /etc/nginx/ssl/mycert_bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/mycert.key;
    # logging
    access_log /var/log/nginx/gitea.access.log;
    error_log /var/log/nginx/gitea.error.log warn;
    # reverse proxy
    location / {
        proxy_pass http://192.168.10.2:8084;
        include myconfig/proxy.conf;
    }
}
# HTTP redirect
server {
    listen 80;
    server_name gitea.domain.com;
    return 301 https://gitea.domain.com$request_uri;
}
3. Redirection in Nginx
I spent several hours trying to understand how to configure Nginx's "stream" feature. Below is what I did.
At the end of the nginx.conf file I added:
stream {
    include /etc/nginx/conf.d/stream;
}
In the stream file in conf.d, I added the content below:
upstream ssh-gitea {
    server 10.0.200.39:2224;
}
server {
    listen 2224;
    proxy_pass ssh-gitea;
}
I tested the Nginx configuration and restarted the service:
nginx -t && systemctl restart nginx.service
I checked whether ports 80, 443, 22 and 2224 were open on the proxy server:
ss -tulpn
This configuration made it possible to perform the ssh clone of a repository with a domain name.
4. Clone with ssh correctly
After all the settings I made, I understood that it is possible to use the original url ssh://git@gitea.domain.com:2224/campos/myRepo.git in the clone.
When typing the command git clone ssh://git@gitea.domain.com:2224/campos/myRepo.git, it is not necessary to define the config file in ssh.
This link helped me:
https://discourse.gitea.io/t/password-is-required-to-clone-repository-using-ssh/5006/2
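As an added check, not part of the original post: once the stream block is in place, it is worth confirming that port 2224 on the proxy really hands clients the Gitea container's SSH host keys, rather than being refused or forwarded to some other service. The host names and ports (gitea.domain.com and 10.0.200.39:2224) are the ones from the question, and ssh-keyscan is assumed to be installed on the machine running the check.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: compare the SSH host keys
# seen through the Nginx stream proxy with those of the Gitea container.
# Assumed values (taken from the question): proxy gitea.domain.com:2224,
# docker host 10.0.200.39:2224.
set -u

PROXY_HOST="gitea.domain.com"
UPSTREAM_HOST="10.0.200.39"
SSH_PORT=2224

# Reduce ssh-keyscan output ("host keytype base64key") to sorted
# "keytype base64key" lines, so the host column does not matter.
hostkeys_from_scan() {
    awk 'NF >= 3 && $1 !~ /^#/ { print $2, $3 }' | sort
}

# Return 0 when both scans carry the same, non-empty set of host keys.
same_hostkeys() {
    local a b
    a=$(printf '%s\n' "$1" | hostkeys_from_scan)
    b=$(printf '%s\n' "$2" | hostkeys_from_scan)
    if [ -n "$a" ] && [ "$a" = "$b" ]; then return 0; else return 1; fi
}

# Live check (needs network): empty output from the proxy means the port
# is refused, filtered, or not speaking SSH at all; a non-empty but
# different key set means the stream upstream points somewhere else.
check_proxy_path() {
    local via_proxy direct
    via_proxy=$(ssh-keyscan -p "$SSH_PORT" "$PROXY_HOST" 2>/dev/null) || true
    direct=$(ssh-keyscan -p "$SSH_PORT" "$UPSTREAM_HOST" 2>/dev/null) || true
    if [ -z "$via_proxy" ]; then
        echo "no SSH host key via $PROXY_HOST:$SSH_PORT (refused, filtered, or not SSH)" >&2
        return 2
    fi
    if same_hostkeys "$via_proxy" "$direct"; then
        echo "OK: $PROXY_HOST:$SSH_PORT presents the Gitea container's host keys"
    else
        echo "MISMATCH: stream upstream is not $UPSTREAM_HOST:$SSH_PORT" >&2
        return 1
    fi
}
```

Source the file and call check_proxy_path from the proxy or from a client; a return code of 2 reproduces the "Connection refused" situation from the question, and 1 means the port answers but with keys that do not belong to the Gitea container.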
Another option is to use sslh. Its only purpose is to forward connections to the appropriate service (ssh or ssl) based on tests performed on the first data packet.
Here's how I set it up on Ubuntu Server based on https://ostechnix.com/sslh-share-port-https-ssh/:
Install sslh
The installer will ask whether to run as standalone or from inetd. I chose standalone.
Modify nginx configuration files - change
to
Configure sslh – modify the DAEMON_OPTS line:
Restart the services:
This requires the installation of another service, but it is the simplest way I could find to achieve ssh / ssl multiplexing.