Setting SSH tunnel on pivotal cloudfoundry for remote debugging - cloud-foundry

Does anyone have an idea of the steps for setting up an SSH tunnel for Cloud Foundry? I want to do remote debugging in the cloud, but am blocked behind a firewall, so I need to set up an SSH tunnel for that.

I wrote a blog post on setting up remote debugging for Java apps on Cloud Foundry. It covers using an SSH Tunnel to work around a firewall / NAT.
The answer from the article is this...
Obtain a public server.
Install SSHD. Edit /etc/ssh/sshd_config, add or set GatewayPorts to yes. Restart SSHD.
On your local machine run ssh -f -N -T -R 0.0.0.0:<public-port>:127.0.0.1:<debugger-port> <user>@<public-server-ip> (Windows users can use cygwin or possibly Putty, although the command will be different). This will instruct SSH to connect to the remote host, set up a reverse tunnel and go into the background. The reverse tunnel will listen on your public server on the port you specify (i.e. public-port) and forward traffic to the debugger port on your local machine. You can use different port numbers, but it is easiest if you just use the same port.
Start the debugger and listen on the same port (i.e. debugger-port) that you used in the SSH command.
Edit your manifest.yml file. Set JAVA_OPTS to -agentlib:jdwp=transport=dt_socket,address=<your-ip>:<your-port>.
Run cf push.
For a gentler walk through, see the post.

Related

Configuring local laptop as puppet server and aws ec2 instance as puppet agent

I am trying to configure the Puppet server and agent, making my local laptop with Ubuntu 18.04 the Puppet server and an AWS EC2 instance the Puppet agent. When trying to do so, I am facing issues related to adding the hostname in the /etc/hosts file, whether to use the public IP or private IP address, and how to do the final configuration and make this work.
I have used the public IP and public DNS of both systems in the /etc/hosts file, but when trying to run puppet agent --test from the agent, I get the errors "temporary failure in name resolution" and "connecting to https://puppet:8140 failed". I am using this for a project and my setup needs to remain like this.
The connection is initiated from the Puppet agent to the PE server, so the agent is going to be looking for your laptop. Even if you have the details of your laptop in the hosts file, it probably has no route back to your laptop across the internet, as the IP of your laptop was probably provided by your router at home.
Why not build your Puppet master on an ec2 instance and keep it all on the same network? Edit code on your laptop, push to github/gitlab and then deploy the code from there to your PE server using code-manager.
Alternatively you may be able to use a VPN to get your laptop onto the AWS VPC directly in which case it'll appear as just another node on the network and everything should work.
The problem here is that the puppet server needs a public IP, or an IP in the same network as your ec2 instance, to which your puppet agent can connect. However, there's one solution without using a VPN, though it can't be permanent. You can tunnel your local port to the ec2 instance:
ssh -i <pemfile-location> -R 8140:localhost:8140 username@ec2_ip
This tunnels port 8140 on your ec2 instance to port 8140 on your localhost.
Then inside your ec2 instance you can modify your /etc/hosts file to add this:
127.0.0.1 puppet
Now run the puppet agent on your ec2 instance and everything should work as expected. Also note that if you close the ssh connection created above, the ssh tunnel will stop working.
If you want to keep the ssh tunnel open a bit more reliably then this answer might be helpful: https://superuser.com/questions/37738/how-to-reliably-keep-an-ssh-tunnel-open

SSH Port forwarding / Tunneling with multiple hops

Background
Three subnets exist in an AZ in AWS. Two of them are private and one is public.
The Public Subnet has a Jumpbox which can be connected to from my local machine via ssh using a pem file (Sample - ssh -i my-key-file.pem ec2-user@host1).
The first private subnet has an EC2 instance that acts as an Application Server. It can only be reached from the Jumpbox via ssh. The same pem file is used here (Sample - ssh -i my-key-file.pem ec2-user@host2). This command is executed on host1.
The second private subnet hosts an Oracle Instance using AWS RDS Service. It is running on port 1521. The DB Can only be accessed from the App Server/host2.
How I am working currently
host2 has sqlplus client installed.
First, I connect to host1, then to host2, and then execute sqlplus to run queries at the command line (no GUI).
I am planning to use GUI tools like SQL Developer to connect right from my local machine. I thought it could be achieved using port forwarding/SSH tunneling.
I tried using different options, but with no success. The following links are useful:
https://superuser.com/questions/96489/an-ssh-tunnel-via-multiple-hops
https://rufflewind.com/2014-03-02/ssh-port-forwarding
My Approach to SSH Tunneling
ssh -N -L 9999:127.0.0.1:1234 ec2-user@host1 -i my-key-file.pem -v -v -v
This is executed on my local machine.
It does not do much, as I can already connect to host1 using ssh. I did not know how to forward across many levels, so I am using this host as my first hop. After this, ssh listens on port 9999, which is local to my machine. It forwards any traffic to host1 on port 1234. My assumption is that if I use sqlplus on my local machine connecting to localhost:9999, the traffic will arrive at host1:1234.
I used 127.0.0.1 because the target of SSH tunneling is with respect to the SSH server, which is host1. Basically, both the target and the SSH server are on the same host.
ssh -N -L 1234:db-host:1521 ec2-user@host2 -i my-key-file.pem -v -v -v
This is executed on host1.
After this, ssh forwards any incoming traffic on port 1234 to the target host (DB Host) on port 1521 using host2 as the tunnel.
Again, my assumption is that ssh is listening on port 1234 on host1. Any traffic arriving from anywhere will be delivered to the DB host using host2 as the tunnel.
I executed both commands and did not see any error. I verified which ports are listening using netstat -tulpn | grep LISTEN.
After these two, My plan was to connect to the Database using Hostname as localhost and Port number as 9999.
What's going wrong!
But when I try to connect to the DB from my local machine, I get an error from my SQL client: Got minus one from a read call. I could not understand the debug messages from the ssh logs.
I believe my understanding of how port forwarding works might not be right. Any inputs would be helpful.
Thanks for your time!

why am I not able to telnet to a Google cloud machine even when all access is allowed

To experiment with VPN, I have created a VPN firewall rule that allows access to all the ports from all the IPs.
But when I telnet to the machine from my Windows machine, I get an error:
telnet 35.197.238.136
Connecting To 35.197.238.136...Could not open connection to the host, on port 23: Connect failed
Why am I not able to telnet?
The most likely story is that, by default, a Compute Engine instance doesn't have the telnet server software installed. If it is not installed, it is obviously not listening. If it is not listening, then a client connection to port 23 (the default telnet port) will fail.
You can install the Telnet server on your Compute Engine using:
sudo apt-get install telnetd
You will also have to "think ahead". Once telnet is running and you connect a client, you will be asked to login. Logging in requires a userid/password pair. By default, your Compute Engine has none. Consider creating a user using the Linux command adduser.
You might also want to consider your usage of telnet as compared to SSH. It appears that SSH has all but supplanted telnet connections these days.

Can't connect to remote instance via ssh tunneling + proxying

Having trouble connecting to remote server via ssh tunneling.
I'm not that experienced with ssh or portforwarding. I'm trying to forward traffic from an application on a remote lab server to a port on my laptop so I can monitor the traffic. I can log into the server without a problem using:
ssh -i ~/.ssh/mykey.pem username@server.com
However, when I try to create a tunnel (which I am routing through a proxy server via SwitchyOmega):
ssh -L 3128:localhost:8888 -N -i ~/.ssh/mykey.pem username@server.com
I still can't access the page.
My OS is El Capitan and I'm using Chrome, but the remote server is running ubuntu. I appreciate any advice or suggested reading!
EDIT: Initially thought the server was on AWS with a fixed IP, but it turns out it's a physical lab server.
You need to make the forwarding accessible by others, therefore do not bind localhost, but the external IP or *. Also you need to specify the -g switch, if you are connecting to the forwarded port remotely:
ssh -g -L *:3128:localhost:8888 -N -i ~/.ssh/mykey.pem username@server.com
In a new terminal window on your local machine, SSH into the remote machine using the following options to setup port forwarding.
ssh -N -L 3128:localhost:8888 user@remote_server
The -N option tells SSH that no commands will be run, which is useful for port forwarding, and -L lists the port forwarding configuration that we set up.
To close the SSH tunnel, simply press ctrl-c.
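The multi-hop question above (laptop:9999 -> host1:1234 -> host2 -> db:1521) and the bind-address answer here come down to the same mechanics: every ssh -L is a listener that accepts on a bind address and opens a fresh connection to its target, and chaining hops means pointing one listener's target at the next listener. The Python script below is an added illustration written for this page, not OpenSSH code and not any poster's code. It implements that listener in userspace, chains two of them in front of a constructed stand-in for the database, lets the laptop-side listener be bound to 127.0.0.1 or 0.0.0.0 (the userspace equivalent of the -g / *: choice), and shows what the SQL client sees when a hop is up but its target is unreachable: the connection is accepted and then closed with no bytes. The names host1, host2 and db are labels, the ports are ephemeral, and the query and reply are constructed.

```python
"""Userspace model of chained `ssh -L` hops: an added illustration for this page, not OpenSSH code.
Each Forwarder plays one `ssh -L [bind:]port:target_host:target_port` listener: accept on
bind_host:port, open a fresh connection to the target, relay bytes both ways.
host1/host2/db are constructed labels, not real machines; every port is ephemeral."""
import socket
import threading


class Forwarder:
    def __init__(self, bind_host, target, port=0):
        self.target = target
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # 127.0.0.1 keeps the hop to local processes; 0.0.0.0 opens it to anyone who can
        # reach the machine, which is what ssh's -g switch or a *: bind address does.
        self.sock.bind((bind_host, port))
        self.sock.listen(8)
        self.bound = self.sock.getsockname()  # (address, port actually bound)
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:
                return  # listener closed
            try:
                upstream = socket.create_connection(self.target, timeout=5)
            except OSError:
                client.close()  # hop is up but its target is unreachable: client gets no bytes
                continue
            for src, dst in ((client, upstream), (upstream, client)):
                threading.Thread(target=self._pump, args=(src, dst), daemon=True).start()

    @staticmethod
    def _pump(src, dst):
        """Copy src -> dst; on EOF pass the half-close on and leave the reverse direction open."""
        try:
            while data := src.recv(4096):
                dst.sendall(data)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)
            except OSError:
                pass


def start_fake_db():
    """Constructed stand-in for the RDS listener on 1521: replies b'DB:' + what it received."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            with conn:
                try:
                    conn.sendall(b"DB:" + conn.recv(4096))
                except OSError:
                    pass  # client went away mid-query

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def unused_port():
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:  # bind, read the port, release it
        s.bind(("127.0.0.1", 0))
        return s.getsockname()  # nothing listens here, so a hop targeting it models a dead target


def build_chain(laptop_bind="127.0.0.1"):
    """The question's laptop:9999 -> host1:1234 -> host2 -> db:1521 layout, on ephemeral ports."""
    db = start_fake_db()
    # what `ssh -N -L 1234:db-host:1521 ec2-user@host2`, run on host1, sets up
    host1_hop = Forwarder("127.0.0.1", db)
    # what `ssh -N -L 9999:127.0.0.1:1234 ec2-user@host1`, run on the laptop, sets up;
    # its 127.0.0.1:1234 target is resolved on host1, i.e. it is host1_hop's listener
    laptop_hop = Forwarder(laptop_bind, host1_hop.bound)
    return {"db": db, "host1": host1_hop, "laptop": laptop_hop}


def query_through(addr, query):
    """Act as the SQL client: send one query into the laptop-side listener, read until EOF."""
    c = socket.create_connection(addr, timeout=5)
    chunks = []
    try:
        c.sendall(query)
        c.shutdown(socket.SHUT_WR)
        while data := c.recv(4096):
            chunks.append(data)
    except ConnectionError:
        pass  # peer reset us: to the client this is the same as a clean EOF with no reply
    finally:
        c.close()
    return b"".join(chunks)
```

Calling build_chain() and then query_through(chain["laptop"].bound, b"select 1 from dual") returns b"DB:select 1 from dual", i.e. the bytes went laptop -> host1 hop -> db and back. A Forwarder whose target is unused_port() still shows up as LISTEN in netstat, exactly as in the question, but query_through against it returns b"": the client is accepted and then dropped before any byte arrives, which is the shape of failure an Oracle client reports as a read returning minus one. That is the first thing to check in a broken chain, because the listener on each hop only proves that hop started, not that its target was reachable. Binding the laptop-side listener to 0.0.0.0 is what -g / *:3128 does in the answer above, and also what GatewayPorts yes does for the reverse tunnel at the top of the page: anything that can reach the machine can use the forwarded port, so the loopback bind is the one to keep unless another host genuinely needs in.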

Reach Deployment server through SSH tunnel

I'm developing JavaScript applications in Webstorm. For now I am connecting to a remote deployment server through sftp (tools > deployment).
For security reasons we want to do it this way:
First make an ssh connection (tunnel) to server1, and from there connect to server2/devFolder.
Is this possible in Webstorm? Any plug-ins?
Even if it isn't possible directly with Webstorm, you can always make a tunnel through server1 to server2 with ssh. You do need an account on both servers, and you need to set up agent forwarding, so you don't need your private key on server1.
I do this frequently.
Let's say server2 is on a private network only accessible from server1. Here's how you'd set up a tunnel to server2 (assume it's 10.0.0.5, and x.x.x.x is the IP of server1 from your workstation):
ssh -f you@x.x.x.x -L 2022:10.0.0.5:22 -N
Now that you have the tunnel up, just connect with Webstorm using localhost:2022.
The only thing you need in Webstorm to make this work is the ability to change the default sftp port in the config to 2022.