我备有无法完全解决的问题。这个问题很普遍,但我仍然无法理解我在做什么错。
根据该AWS文档:Scenario 2: VPC with Public and Private Subnets (NAT),我有自己的VPC,其中包含两个子网:私有和公共。在公共子网中,我已部署了分配了EIP的Ubuntu 16.04实例。它还具有下一个安全组入站规则:
Type Protocol Port Range Source Description
SSH TCP 22 xx.xx.xx.xx/32 Home IP
并相应地出站:
Type Protocol Port Range Source Description
SSH TCP 22 sg-xxprivatexx Security group ID for instance in private subnet
看起来不错,我可以在家里从外部ssh使用它。没问题。
在专用子网中,我已经部署了另一台具有下一个安全组(入站规则)的Ubuntu 16.04计算机:
Type Protocol Port Range Source Description
HTTP TCP 80 sg-xxpublicxxx Security Group ID for bastion instance in public subnet
SSH TCP 22 sg-xxpublicxxx -
,并且没有出站规则(实际上,它已经打开了80、443个出站端口,但是我猜这不是一个有趣的部分)。而且我仍然可以使用本营的ssh到达此虚拟机。
现在,我只想做一件简单的事情-运行ssh端口转发,这样我就可以在家用PC浏览器上运行localhost:8080,并查看我在私有实例上发布的网页。如果我从here和here(以及从here正确地理解了它,那么我必须运行以下命令:
ssh -N -v -L 8080:10.0.1.112:80 ubuntu@3.121.46.99
我想这基本上是什么意思:只需将通过IP 10.0.1.112:80的私有子网实例的流量通过我在EIP {{1}上托管的用户名localhost:8080的堡垒机VM转发到我的ubuntu }。
调试以以下行结束:
3.121.46.99几天来我一直在玩,但我仍然无法理解我做错了什么。真奇怪:我可以debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:ZyVHgnF8z5vE5gfNr1S2JDfjhdydZVTNevPRgJZ+sRA /home/matterai/.ssh/key.pem
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/matterai/.ssh/id_rsa
debug1: Trying private key: /home/matterai/.ssh/id_dsa
debug1: Trying private key: /home/matterai/.ssh/id_ecdsa
debug1: Trying private key: /home/matterai/.ssh/id_ed25519
debug1: No more authentication methods to try.
matterai@3.121.46.99: Permission denied (publickey).
(允许转发)到我的堡垒,我可以ssh -A从堡垒到我的私有实例。但是我无法建立SSH隧道来查看我的网页(将来将是mongodb)而不会出现错误。需要一些建议或指向正确的方向!谢谢。
UPD#1
那好吧。如果我使用本地计算机和堡垒进行手动转发,将会得到预期的结果。基本上,这意味着在堡垒上运行此命令:
ssh之后,在本地/家用计算机上运行命令:
ubuntu@bastion: ssh -v -N -L 5000:localhost:8000 ubuntu@10.0.1.68
当我在本地计算机上向matterai@homepc: ssh -v -N -L 5000:localhost:5000 ubuntu@3.121.46.99
发出请求时,可以看到结果页面。请问,如果有可能将这两个命令结合起来怎么办? (剧透:是的,有可能:请参见答案!)
答案 0 :(得分:1)
您似乎已正确配置了所有内容,但错误是因为它找不到用于连接的私钥。
要测试端口转发,请使用登录公共实例的ssh命令开始。
然后,采取确切的命令,然后只需添加:-L 8080:10.0.1.112:80
如果它适用于“普通” ssh,那么它将也适用于端口转发。
顺便说一句,一般而言,您永远不需要修改安全组的出站规则。默认设置允许所有出站流量。这“信任”在实例上运行的应用程序,并允许它们向外与任何地方进行通信。您只需要在希望实施高安全性环境的地方限制此类规则即可。
答案 1 :(得分:0)
好,很简单。希望我的回答对别人有帮助。
ssh -J选项来通过堡垒虚拟机进行连接:-J [user@]host[:port] Connect to the target host by first making a ssh connection to the jump host and then establishing a TCP forwarding to the ulti‐ mate destination from there. Multiple jump hops may be specified separated by comma characters. This is a shortcut to specify a ProxyJump configuration directive.
:8000 {{1从应用程序(或数据库)启动的目标虚拟机端口(:5001)到本地端口(ssh)转发流量。 }}:-L
-L [bind_address:]port:host:hostport
-L [bind_address:]port:remote_socket
-L local_socket:host:hostport
-L local_socket:remote_socket
Specifies that connections to the given TCP port or Unix socket
on the local (client) host are to be forwarded to the given host
and port, or Unix socket, on the remote side. This works by
allocating a socket to listen to either a TCP port on the local
side, optionally bound to the specified bind_address, or to a
Unix socket. Whenever a connection is made to the local port or
socket, the connection is forwarded over the secure channel, and
a connection is made to either host port hostport, or the Unix
socket remote_socket, from the remote machine.
Port forwardings can also be specified in the configuration file.
Only the superuser can forward privileged ports. IPv6 addresses
can be specified by enclosing the address in square brackets.
By default, the local port is bound in accordance with the
GatewayPorts setting. However, an explicit bind_address may be
used to bind the connection to a specific address. The
bind_address of “localhost” indicates that the listening port be
bound for local use only, while an empty address or ‘*’ indicates
that the port should be available from all interfaces.