
I'm trying to set up an nginx egress proxy so that all the SSH connections to a specific group of hosts (*.example.com) go through the proxy. I have a local DNS server, where I resolve such hosts to the proxy IP address. I've looked at the nginx stream docs, but it looks like that is more for load balancing, which is different. What I'm trying to do is just pass the SSH connection to an upstream host that matches the original host name. As an example:

ssh bob@somerandomhost.example.com ---> egress proxy receives the request and verifies it's whitelisted ---> passes connection to public upstream host.

rcdsystems

  • This doesn't sound possible as stated, as DNS happens first and nginx will only see the IP address. nginx would then have to do a reverse lookup to see what name the IP resolves back to. Also: please use example.com, .net, or .org as an example domain name; they exist for that exact purpose. – virullius Oct 30 '19 at 18:15

1 Answer

This cannot be done with nginx. Unlike the HTTP protocol, the SSH protocol doesn't transmit internally "what hostname did the client specify". The server only knows the bare IP address the client wanted.

Your business case is probably best addressed with Teleport.

kubanczyk
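The answer and the comment both rest on one fact: a TCP-level proxy such as nginx stream can only route on a destination name if the client actually puts that name on the wire. The following script is an added example, not code from the question, the answer, or the nginx project. It inspects the first bytes a client sends and reports which name, if any, a proxy could route on: HTTP carries it in the `Host` header, TLS carries it in the SNI extension, and the SSH identification string (RFC 4253) carries none. The three sample messages, including the minimal TLS ClientHello and the OpenSSH-style banner, are constructed inline for illustration.

```python
"""What an L4 egress proxy can see in the first bytes of a connection.

Added example (not from the question or answer). Sample messages below are
constructed here; the SSH banner string is a plausible client banner, not a
capture from any real host.
"""
import struct
from typing import Optional, Tuple


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32            # client_version, random (zeroed sample)
            + b"\x00"                              # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                          # one compression method (null)
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_from_client_hello(data: bytes) -> Optional[str]:
    """Return the host_name from a TLS ClientHello's SNI extension, or None."""
    try:
        if len(data) < 5 or data[0] != 0x16:       # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:           # not a ClientHello
            return None
        pos = 4 + 2 + 32                           # handshake header, version, random
        pos += 1 + hs[pos]                         # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hs[pos]                         # compression methods
        if pos + 2 > len(hs):
            return None                            # no extensions block
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == 0:                      # server_name extension
                list_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
                p = pos + 2
                while p + 3 <= list_end:
                    name_type = hs[p]
                    name_len = struct.unpack("!H", hs[p + 1:p + 3])[0]
                    p += 3
                    if name_type == 0:
                        return hs[p:p + name_len].decode("ascii", "replace")
                    p += name_len
                return None
            pos += ext_len
        return None
    except (struct.error, IndexError):             # truncated or malformed input
        return None


def host_from_http_request(data: bytes) -> Optional[str]:
    """Return the Host header value from a plaintext HTTP/1.x request, or None."""
    head = data.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not lines or b" HTTP/" not in lines[0]:
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def is_ssh_identification(data: bytes) -> bool:
    """True if the bytes start with an SSH-2.0 identification string (RFC 4253 4.2)."""
    return data.startswith(b"SSH-2.0-")


def routing_name(first_bytes: bytes) -> Tuple[str, Optional[str]]:
    """Classify the protocol and return the name a name-based proxy could route on.

    The SSH identification string names the client software only; the
    destination host the user typed never appears, so the result is None.
    """
    if is_ssh_identification(first_bytes):
        return ("ssh", None)
    sni = sni_from_client_hello(first_bytes)
    if sni is not None:
        return ("tls", sni)
    host = host_from_http_request(first_bytes)
    if host is not None:
        return ("http", host)
    return ("unknown", None)


# Constructed sample messages, all aimed at the same destination name.
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: somerandomhost.example.com\r\nUser-Agent: curl/8.0\r\n\r\n"
TLS_CLIENT_HELLO = build_client_hello("somerandomhost.example.com")
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"

if __name__ == "__main__":
    for label, sample in (("HTTP", HTTP_REQUEST), ("TLS", TLS_CLIENT_HELLO), ("SSH", SSH_BANNER)):
        print(label, "->", routing_name(sample))
```

Run as a script it prints a routable name for the HTTP and TLS samples and `None` for SSH. That is the whole problem in the question: with every `*.example.com` name resolving to one proxy address, the proxy receives identical SSH connections for every destination and has nothing to select an upstream by. Routing per destination IP address (one listening address per whitelisted host) or an SSH-aware gateway such as the Teleport suggested in the answer are the options that remain.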