Basically, I have a couple of different CentOS 7 LAMP stacks running on different virtual machines (on XenServer) with OpenSSH. I also have a couple of intermediate proxy/authentication servers running (one for HTTP, one for SSH, one for SFTP), for security and so all of the virtual machines can run on the same ports. The HTTP proxy is working, but I am having trouble setting up the SFTP proxy. I want clients to be tunneled to the appropriate VPS based on their username.
I've tried many different ways and researched several different things trying to get this to work, to no avail.
For this example, let's assume someone tries to view vps1.com on port 80 through my external IP (12.345.678.90). First they hit the router (which port-forwards them to the HTTP proxy), and the HTTP proxy forwards them to the correct local machine by VirtualHosts. Let's assume vps1.com has a local IP of 192.168.1.10 and vps2.com has 192.168.1.20. They are forwarded to the correct local IP and served the correct content. Great, this part works fine.
Now let's assume the webmaster for vps1.com wants to log in and change his website. He will log in with an SFTP client to 12.345.678.90 on port 2222 as the user johnVPS1. The router successfully port-forwards him to the SFTP proxy (at 192.168.1.7). Now the SFTP proxy should tunnel or forward him to the correct VPS so he can edit his website, but he will not have access to anything else.
```
                   External IP 12.345.678.90
                            Router
    -----------------------------------------------------
                    /                   \
           Port 80 /                     \ Port 2222
                  /                       \
            HTTP Proxy                 SFTP Proxy
             /      \                   /      \
   vps1.com /        \ vps2.com johnVPS1 /        \ billVPS2
           /          \                 /          \
192.168.1.10:80  192.168.1.20:80  192.168.1.10:2222  192.168.1.20:2222
```
Some things I've tried so far:
- Setting the user's ChrootDirectory on the SFTP proxy server to an SSHFS-mounted directory of the appropriate server
- Setting the user's ChrootDirectory on the SFTP proxy server to a directory that is a symlink to the mounted directory
- On the proxy server: `ssh -R 2222:192.168.1.10:2222` (this just gives me the SSH help output, so I guess I'm messing something up)
- On the proxy server: `ssh -L 2222:localhost:2222 root@192.168.1.10 -p 2222` (this opened an SSH session to 192.168.1.10 but does not seem to forward when I log in remotely)
- Using `Match User` in /etc/ssh/sshd_config with `PermitOpen 192.168.1.10:2222`
- Changed `GatewayPorts` to yes
Please, can somebody lead me onto the right track? Am I going about this all wrong, or was I close and just missing something? I've spent the last few days trying to figure this out, and I would greatly appreciate it if someone could point me in the right direction!
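One way to get per-username routing on the proxy without SSHFS mounts or port forwards is to let the proxy's sshd accept the login and then hand the client's SFTP stream to the backend's SFTP subsystem over a second SSH connection. The script below is an added example written for this question, not code from the original post; it is a hypothetical dispatcher meant to be set as the `ForceCommand` for a `Match Group sftpproxy` block on the proxy. It assumes a mapping file (`/etc/sftp-proxy/users.map`, lines of `user ip port backend_user`), a per-user key under `/etc/sftp-proxy/keys/`, a pinned `known_hosts` for the backends, and that sshd populates `SSH_ORIGINAL_COMMAND` with the configured sftp subsystem command when the client requests the sftp subsystem. The backend's `authorized_keys` entry for that key should itself be restricted to the sftp subsystem, so the proxy key cannot be used for a shell even if the proxy is compromised.

```shell
#!/bin/sh
# sftp-dispatch.sh (hypothetical; added example, not from the original post)
# Intended sshd_config on the SFTP proxy (assumed, not the poster's config):
#   Subsystem sftp /usr/libexec/openssh/sftp-server
#   Match Group sftpproxy
#       ForceCommand /usr/local/bin/sftp-dispatch.sh --dispatch
#       AllowTcpForwarding no
#       AllowAgentForwarding no
#       X11Forwarding no
#       PermitTunnel no

MAP_FILE="${SFTP_PROXY_MAP:-/etc/sftp-proxy/users.map}"      # assumed path
KEY_DIR="${SFTP_PROXY_KEYS:-/etc/sftp-proxy/keys}"           # assumed path
KNOWN_HOSTS="${SFTP_PROXY_HOSTS:-/etc/sftp-proxy/known_hosts}" # assumed path

# lookup_backend USER: print "ip port backend_user" for USER, or fail.
# Only plain account names are accepted so a crafted name cannot smuggle
# ssh options or shell metacharacters into the exec below.
lookup_backend() {
    user="$1"
    case "$user" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    while read -r map_user ip port buser _rest; do
        case "$map_user" in ''|'#'*) continue ;; esac   # skip blanks/comments
        if [ "$map_user" = "$user" ]; then
            printf '%s %s %s\n' "$ip" "$port" "$buser"
            return 0
        fi
    done < "$MAP_FILE"
    return 1
}

# dispatch: refuse anything that is not the sftp subsystem, look up the
# backend for the authenticated proxy user, then replace this process with
# an ssh client whose stdin/stdout carry the SFTP packets to the backend.
dispatch() {
    case "$SSH_ORIGINAL_COMMAND" in
        internal-sftp|*sftp-server*) ;;
        *) echo "sftp-dispatch: only the sftp subsystem is permitted" >&2; exit 1 ;;
    esac
    user=$(id -un)
    backend=$(lookup_backend "$user") || {
        echo "sftp-dispatch: no backend mapped for $user" >&2; exit 1
    }
    set -- $backend          # word splitting intended: ip port backend_user
    exec ssh -p "$2" -i "$KEY_DIR/$user" \
        -o BatchMode=yes -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$KNOWN_HOSTS" -o LogLevel=ERROR \
        "$3@$1" -s sftp
}

# demo: run the lookup against a constructed mapping so the script can be
# exercised on a workstation without a proxy or any backends.
demo() {
    tmp=$(mktemp)
    printf '# user ip port backend_user\njohnVPS1 192.168.1.10 2222 john\nbillVPS2 192.168.1.20 2222 bill\n' > "$tmp"
    MAP_FILE="$tmp"
    for u in johnVPS1 billVPS2 nobody 'john;id'; do
        if r=$(lookup_backend "$u"); then echo "$u -> $r"; else echo "$u -> refused"; fi
    done
    rm -f "$tmp"
}

case "$1" in
    --dispatch) dispatch ;;
    --demo) demo ;;
esac
```

Run `sh sftp-dispatch.sh --demo` to see the lookups; in production only `--dispatch` is ever invoked, and only by sshd. The `Match` block disables TCP, agent and X11 forwarding so a mapped user gets exactly one thing from the proxy: an SFTP session on their own VPS.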