Allowing AWS virtual machines to access the company's intranet resources (SSH reverse proxy)

Background

Today I wanted to upgrade an AWS virtual machine to a beta release and run some tests.

Since the beta release is only available on the company's intranet, I have to copy the upgrade files to the AWS VM by hand. The original method is easy to understand:

However, this is a problem because the image file is on the order of gigabytes. The transfer not only occupies bandwidth but also wastes a lot of time.

Study process

Solution 1 [abandoned]

The first solution I thought of was to copy http://download.eng.pek2.redhat.com/pub/rhel/rel-eng/RHEL-7.4-20170621.0/compose/Server/x86_64/debug/tree/ to the VM and use it as the YUM source for the upgrade. However, I soon discovered that I could not determine which packages the upgrade required, so I would have had to upload all the files, which does not solve the problem.

Solution 2 [abandoned]

Second, I considered installing a VPN client on the AWS VM and accessing intranet resources through the VPN. That is feasible, but the certificates would have to be copied into the OpenVPN configuration, which worried me as a potential security issue, and it would consume too many VPN server resources in the long run, so this idea had to be abandoned.

Solution 3 [abandoned]

Later, I came up with the idea of sharing the company's intranet HTTP proxy server with the AWS virtual machine through a reverse connection. The command is roughly:

ssh -R 8080:squid.corp.redhat.com:3128 -i ~/.pem/ap-northeast-1-cheshi.pem ec2-user@ec2-13-113-60-192.ap-northeast-1.compute.amazonaws.com

This should be the simplest solution, but there is still a small problem: all traffic has to go through the company's proxy server. The data path looks like this:

AWS VM <=> MyHost (intranet host) <=> ProxyServer (intranet proxy server) <=> FileServer (intranet update server)

Wasting resources is one aspect. More importantly, if a large volume of updates takes up too much of the company's proxy server capacity, the IT department may audit it.

Solution 4 [accepted]

So I improved on this solution: I made MyHost itself the proxy server and mapped its proxy port to the AWS VM, so the company's proxy server is not burdened and transfers should be faster. The data path is as follows:

AWS VM <=> MyHost (intranet host, acting as proxy server) <=> FileServer (intranet update server)

The following are my implementation steps.

Build proxy service

For the proxy server I use Squid, open-source software with a simple configuration that works as an HTTP proxy without any changes to its defaults. First, log on to MyHost and run:

[root@dhcp-1-202 ~]# yum install -y squid
[root@dhcp-1-202 ~]# squid -z    # initialize the cache directories
[root@dhcp-1-202 ~]# systemctl start squid.service

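The default Squid configuration will proxy to any destination, so a compromised host at the far end of the tunnel could reach the whole intranet through it (the risk the conclusion of this post raises). The script below is an added example, not part of the original post: it writes a minimal squid.conf that listens on loopback only and allows requests only to the two update servers named in this post. The config path is a placeholder you can override with CONF, and Squid 3.x syntax is assumed.

```shell
#!/bin/sh
# Added example: restrict Squid on MyHost to loopback clients and to the
# intranet update servers actually needed by the VM. Assumes Squid 3.x;
# CONF is a placeholder path, override it with the CONF environment variable.
CONF="${CONF:-/etc/squid/squid.conf}"

write_squid_conf() {
    cat > "$1" <<'EOF'
# Tunnel traffic arrives on MyHost from 127.0.0.1, so loopback is all we need.
http_port 127.0.0.1:3128
acl localnet src 127.0.0.1/32
# Only the update servers named in the post; everything else is refused.
acl updatesrv dstdomain download.eng.pek2.redhat.com download.eng.bos.redhat.com
acl safe_ports port 80 443
http_access deny !safe_ports
http_access allow localnet updatesrv
http_access deny all
# No on-disk cache is needed for a one-off upgrade.
cache deny all
EOF
}

# Returns 0 only when every hardening line is present in the written file.
check_squid_conf() {
    grep -q '^http_port 127.0.0.1:3128$' "$1" &&
    grep -q '^http_access allow localnet updatesrv$' "$1" &&
    grep -q '^http_access deny all$' "$1"
}

# On MyHost as root: "sh harden-squid.sh apply" writes the file, checks the
# syntax with squid's own parser and reloads the running service.
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = apply ]; then
    write_squid_conf "$CONF" && squid -k parse && systemctl reload squid.service
fi
```
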
Port mapping (reverse SSH tunnel)

I need to map port 3128 (the default port of the Squid service) to port 8080 on the AWS VM so that the VM can use the proxy server directly. The command syntax is:

# SSH reverse port mapping syntax
ssh -R [bind address on the server, may be omitted]:[server port]:[address reachable from the client]:[port on that address] [username@server address] -p [server SSH port (22 by default)]

In my case, I need to use the following command:

[root@dhcp-1-202 ~]# ssh -R 8080:127.0.0.1:3128 -i ~/.pem/ap-northeast-1-cheshi.pem -l ec2-user ec2-13-113-60-192.ap-northeast-1.compute.amazonaws.com
Last login: Wed Jul  5 05:00:34 2017 from 119.254.120.66
[ec2-user@ip-172-31-2-249 ~]$

This command also opens a shell on the server (that is, the AWS virtual machine). While the session is connected the proxy server can be used; once the session is closed, the port mapping ends. If you want to set up the port mapping without opening a shell, add -Nf.

[root@dhcp-1-202 ~]# ssh -Nf -R 8080:127.0.0.1:3128 -i ~/.pem/ap-northeast-1-cheshi.pem -l ec2-user ec2-52-193-95-192.ap-northeast-1.compute.amazonaws.com
[root@dhcp-1-202 ~]# ps -ef | grep "ssh -Nf"
root     25126     1  0 13:10 ?        00:00:00 ssh -Nf -R 8080:127.0.0.1:3128 -i /root/.pem/ap-northeast-1-cheshi.pem -l ec2-user ec2-52-193-95-192.ap-northeast-1.compute.amazonaws.com
root     25176 16347  0 13:16 pts/0    00:00:00 grep --color=auto ssh -Nf
[root@dhcp-1-202 ~]#

Extended reading: Using ssh for forward connection, reverse connection, and socks proxy

Note: a tunnel set up with the -Nf option is easy to forget about later. For security reasons, use the -Nf option with care.
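One way to keep a background tunnel from being forgotten is to run it through an SSH control socket, so it can be checked and closed later with -O check and -O exit. The script below is an added example, not the post's own commands: it also binds the forwarded port explicitly to 127.0.0.1 on the VM so the proxy is never reachable from the VM's other interfaces, and it verifies the whole path by running curl on the VM through the mapped port. The key path and EC2 host name are taken from the post and assumed to still be valid; the control socket path is a placeholder.

```shell
#!/bin/sh
# Added example: managed reverse tunnel for the Squid proxy on MyHost.
# KEY and REMOTE default to the values used in the post; SOCK is a placeholder.
KEY="${KEY:-$HOME/.pem/ap-northeast-1-cheshi.pem}"
REMOTE="${REMOTE:-ec2-user@ec2-13-113-60-192.ap-northeast-1.compute.amazonaws.com}"
SOCK="${SOCK:-$HOME/.ssh/proxy-tunnel.sock}"

# Build the -R spec. The explicit 127.0.0.1 bind address keeps the mapped port
# off the VM's public interfaces even if sshd there has GatewayPorts enabled.
fwd_spec() { printf '127.0.0.1:%s:127.0.0.1:%s' "$1" "$2"; }

# Start a background master connection with no shell (-N). The control socket
# (-M -S) lets us query and close the tunnel later instead of losing track of it;
# ExitOnForwardFailure makes ssh fail loudly if 8080 is already taken on the VM.
tunnel_start() {
    ssh -f -N -M -S "$SOCK" -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=60 -o ServerAliveCountMax=3 \
        -i "$KEY" -R "$(fwd_spec 8080 3128)" "$REMOTE"
}

# Exit status 0 only when the control socket exists and the master answers.
tunnel_status() {
    [ -S "$SOCK" ] && ssh -S "$SOCK" -O check "$REMOTE" 2>/dev/null
}

# Prove the whole path works: fetch through the VM's local end of the tunnel
# and print the HTTP status code returned by the intranet update server.
tunnel_verify() {
    ssh -S "$SOCK" "$REMOTE" \
        'curl -sS -o /dev/null -w "%{http_code}\n" -x http://127.0.0.1:8080/ http://download.eng.pek2.redhat.com/'
}

# Tear the tunnel down cleanly; the master process exits and 8080 is released.
tunnel_stop() { ssh -S "$SOCK" -O exit "$REMOTE"; }

case "${1:-}" in
    start)  tunnel_start ;;
    status) tunnel_status && echo up || echo down ;;
    verify) tunnel_verify ;;
    stop)   tunnel_stop ;;
esac
```
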

Use yum in VM

On the AWS VM, add the YUM repository and set its proxy server (http://127.0.0.1:8080/):

[ec2-user@ip-172-31-10-95 ~]$ cat /etc/yum.repos.d/rhel7u4.repo
[rhel7u4-debug]
name=rhel7u4-debug
baseurl=http://download.eng.pek2.redhat.com/pub/rhel/rel-eng/RHEL-7.4-20170621.0/compose/Server/x86_64/os
enabled=1
gpgcheck=0
proxy=http://127.0.0.1:8080/
[ec2-user@ip-172-31-10-95 ~]$

Note: because requests go through the proxy server, baseurl can point to any update server that MyHost can reach.

Then you can update from that YUM repository:

[ec2-user@ip-172-31-10-95 ~]$ sudo yum update --enablerepo=rhel7u4-debug
Loaded plugins: amazon-id, rhui-lb, search-disabled-repos
Resolving Dependencies
--> Running transaction check
---> Package NetworkManager.x86_64 1:1.8.0-0.4.rc3.el7 will be updated
---> Package NetworkManager.x86_64 1:1.8.0-9.el7 will be an update
......
Complete!
[ec2-user@ip-172-31-10-95 ~]$

NOTE: If no proxy server is set, or the connection to the proxy server fails (usually because of the firewall on MyHost), you will get "Could not resolve host: download.eng.pek2.redhat.com; Name or service not known".

Use wget in VM

There are many benefits to having a proxy server. For example, you can download with wget:

[ec2-user@ip-172-31-10-95 ~]$ export http_proxy=http://127.0.0.1:8080/
[ec2-user@ip-172-31-10-95 ~]$ wget http://download.eng.bos.redhat.com/brewroot/packages/cloud-init/0.7.9/4.el7/x86_64/cloud-init-0.7.9-4.el7.x86_64.rpm
......
Saving to: ‘cloud-init-0.7.9-4.el7.x86_64.rpm’
100%[=================================================================>] 633,112      349KB/s   in 1.8s
2017-07-05 02:17:51 (349 KB/s) - ‘cloud-init-0.7.9-4.el7.x86_64.rpm’ saved [633112/633112]
[ec2-user@ip-172-31-10-95 ~]$

Use more tools in the VM

In addition, many other tools support the use of a proxy server. They need their own configuration, of course, which I will not describe here.

Extended reading: Linux proxy settings

Firewall settings and function debugging

With firewall-cmd you can easily add a firewall rule for the Squid service:

[root@dhcp-1-202 ~]# firewall-cmd --get-default-zone
FedoraServer
[root@dhcp-1-202 ~]# firewall-cmd --add-service=squid
success
[root@dhcp-1-202 ~]# firewall-cmd --list-services
ssh dhcpv6-client cockpit squid
[root@dhcp-1-202 ~]#

When debugging and troubleshooting, you can use nmap, which lists the open ports on a host and the corresponding services.

On MyHost, we can see that port 3128/tcp is open and the corresponding service is squid-http:

[root@dhcp-1-202 ~]# nmap localhost
Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-05 12:31 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000050s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
2049/tcp open  nfs
3128/tcp open  squid-http
9090/tcp open  zeus-admin
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
[root@dhcp-1-202 ~]#

On the AWS virtual machine, we should also see port 8080/tcp open:

[ec2-user@ip-172-31-2-249 ~]$ nmap localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2017-07-05 04:33 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00034s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
8080/tcp open  http-proxy
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
[ec2-user@ip-172-31-2-249 ~]$

You can then use the nc command to verify the service on port 8080/tcp.

Conclusion

As you can see, ssh is a very powerful command. But whichever connection method you use, it does not hide your real identity from the server or from the intranet, so you remain responsible for your own behaviour; do not violate company policy.

In addition, there are some security issues to consider. Because ssh provides a secure connection and the intranet is protected by the firewall, the only question you need to care about is whether the server you connect to is itself at risk. For example, if you map the proxy server port to an internet host with a weak password and an attacker breaks into that host, they can reach intranet resources through the mapped port and data may leak. Fortunately, AWS virtual machines are secure by default. What I can remind you of is: do not allow password login, and keep your key file safe.

All in all, technology itself is neither good nor evil, but users must take responsibility for their own actions and for the security of the whole network.
