Multi-proxying
If you connect to your machines via an intermediary, then you will need to include a Proxy host in your SSH configuration.
This guide expands on the Basic SSH Proxying guide to demonstrate how multiple proxies - i.e. a chain of proxies - may be configured.
Example configuration
The networks.yml configuration below defines three inventories: one containing a public-facing proxy server, the second a proxy server installed intra-network (and accessible only from the first), whilst the third inventory defines servers reachable by proxying via both proxy servers.
---
wbz:
  type: collection
  description: WBZ gcp estate
  network:
    type: gcp
    project: wbznet
    zone: europe-west1-b
    :authentication_scheme: service_account
    service_account_credentials: service-account.json
    service_scopes:
    - https://www.googleapis.com/auth/compute.readonly
    - https://www.googleapis.com/auth/cloud-platform

wbz:public_proxies:
  type: inventory
  description: public ssh proxies
  override_identifier: "prod_net_(.+)"
  network:
    filters: status:running AND labels.function=bastion AND labels.environment=prod-net

wbz:private_proxies:
  type: inventory
  description: private ssh proxies
  override_identifier: "prod_net_(.+)"
  network:
    filters: status:running AND labels.function=internal-bastion AND labels.environment=prod-net
  ssh_settings:
    proxy:
    - host_lookup: by_bcome_namespace
      namespace: public_proxies:bastion

wbz:servers:
  type: inventory
  description: Servers accessible via two proxy hops
  network:
    filters: status:running AND labels.environment=prod-net AND NOT (labels.function=bastion OR labels.function=internal-bastion)
  override_identifier: "prod_net_(.+)"
  ssh_settings:
    proxy:
    - host_lookup: by_bcome_namespace
      namespace: public_proxies:bastion
    - host_lookup: by_bcome_namespace
      namespace: private_proxies:internal_jump
My local user is guillaume, and I have ssh keys added to my agent.
Note
The proxy block in your ssh_settings is an array of proxies: you may define as many as you like.
Routes
Bcome’s routes command will result in the following for the above configuration:
▐▆ Ssh connection routes wbz
│
├───╸ server
│       namespace: wbz:public_proxies:bastion
│       ip address 104.155.101.98
│       user guillaume
│
└───╸ proxy [1]
      bcome node wbz:public_proxies:bastion
      host 104.155.101.98
      user guillaume
      └───╸ proxy [2]
            bcome node wbz:private_proxies:internal_jump
            host 10.0.33.2
            user guillaume
            ├───╸ server
            │       namespace: wbz:servers:puppet
            │       ip address 10.0.0.10
            │       user guillaume
            │
            └───╸ server
                    namespace: wbz:servers:wbzsite_app_sq6v
                    ip address 10.0.0.2
                    user guillaume
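The hop order shown in the routes output, worked through as an added Ruby example (not part of the original guide and not Bcome's own code): it reads the ssh_settings blocks from a trimmed copy of the networks.yml above and builds the equivalent OpenSSH -J invocation for a node. The ADDRESSES table and the proxy_chain and ssh_command helpers are assumptions for illustration; the addresses are copied from the routes output, whereas Bcome resolves them from GCP.

```ruby
require 'yaml'

# Constructed sample: only the ssh_settings parts of the networks.yml above.
NETWORKS_YML = <<~YML
  wbz:public_proxies:
    type: inventory
  wbz:private_proxies:
    type: inventory
    ssh_settings:
      proxy:
      - host_lookup: by_bcome_namespace
        namespace: public_proxies:bastion
  wbz:servers:
    type: inventory
    ssh_settings:
      proxy:
      - host_lookup: by_bcome_namespace
        namespace: public_proxies:bastion
      - host_lookup: by_bcome_namespace
        namespace: private_proxies:internal_jump
YML

# Assumption: static lookup table built from the routes output on this page.
ADDRESSES = {
  'public_proxies:bastion'        => '104.155.101.98',
  'private_proxies:internal_jump' => '10.0.33.2',
  'servers:puppet'                => '10.0.0.10'
}.freeze

# Ordered hop addresses for an inventory: array position 0 is proxy [1].
# Raises KeyError when a proxy namespace has no known address.
def proxy_chain(config, inventory)
  proxies = config.fetch(inventory).dig('ssh_settings', 'proxy') || []
  proxies.map do |hop|
    ns = hop.fetch('namespace')
    ADDRESSES.fetch(ns) { raise KeyError, "#{inventory}: unknown proxy namespace #{ns}" }
  end
end

# Equivalent OpenSSH command; -J takes the hops comma-separated, in visiting order.
def ssh_command(config, inventory, node, user)
  target = ADDRESSES.fetch("#{inventory.split(':', 2).last}:#{node}")
  hops = proxy_chain(config, inventory).map { |ip| "#{user}@#{ip}" }
  jump = hops.empty? ? [] : ['-J', hops.join(',')]
  (['ssh'] + jump + ["#{user}@#{target}"]).join(' ')
end

CONFIG = YAML.safe_load(NETWORKS_YML)
puts ssh_command(CONFIG, 'wbz:servers', 'puppet', 'guillaume')
```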
The AsciiCast below demonstrates my configuration:
Note
To replay this Asciicast in your own terminal, install the asciinema package from https://asciinema.org/, and then enter the following in your terminal:
asciinema play https://asciinema.org/a/nPKMiZ6fyum56kHAWswg6ywXO
See the Bcome documentation for more detailed & alternative proxy configuration options: SSH Proxy Attributes Configuration.