Have you ever had to connect to an SSH server that is behind some sort of firewall? Sometimes clients protect their networks with VPNs, or allow only certain IP addresses to connect to their servers. Luckily, SSH makes connecting to these systems simple by allowing us to "proxy" through any command, even another SSH connection!
Take the following example:
Typically, if you wanted to connect to one of the web servers in that diagram, you would first type ssh user@secure, type in your password, and then type ssh user@web1. This 2-5 second delay isn't too bad when you only need to connect once in a while, but try rsync-ing some files between your laptop and web1, or deploying your application using
By configuring SSH to use a proxy command, we can make the connection to web1 in one fell swoop. On the command line it would look something like this:

    ssh -o ProxyCommand="ssh user@secure nc %h %p 2>/dev/null" user@web1
Or, in your ~/.ssh/config file you can add an alias for your web server:

    Host web1
        Hostname web1
        ProxyCommand ssh user@secure nc %h %p 2>/dev/null
The meat of this configuration is the ProxyCommand directive. It uses netcat to connect to web1, essentially creating a tunnel for connecting to the web1 server. Now, any time you run ssh web1 it will be as if you have a direct connection to the server.
Note: If you don't have SSH keys set up, you will be asked for a password twice: once to establish the proxy connection, and again for the actual login to web1.
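The same hop written three ways in ~/.ssh/config, as an added example that is not part of the original post: the netcat form from above, the equivalent using ssh's built-in -W forwarding, and the ProxyJump shorthand. The hosts secure and web1 and the login user are the post's; the aliases web1-nc and web1-w are made up here so the three stanzas can coexist, and the version numbers are the OpenSSH releases that introduced each option.

```sshconfig
# Added example, not from the original post.
# "secure", "web1" and "user" come from the post; the aliases
# web1-nc and web1-w are hypothetical names used only here.

# 1. The form used in the post: requires nc to be installed on the bastion.
Host web1-nc
    HostName web1
    User user
    ProxyCommand ssh user@secure nc %h %p 2>/dev/null

# 2. Same tunnel using ssh's own stdio forwarding (-W, OpenSSH 5.4+).
#    Nothing extra is needed on the bastion, and no remote command runs there.
Host web1-w
    HostName web1
    User user
    ProxyCommand ssh -W %h:%p user@secure

# 3. ProxyJump (OpenSSH 7.3+) is shorthand for the -W form.
Host web1
    HostName web1
    User user
    ProxyJump user@secure
    # The session to web1 is negotiated from the laptop and stays encrypted
    # end to end through the bastion, so the hop does not need agent
    # forwarding. Keeping it off means a compromised bastion cannot use
    # the local agent.
    ForwardAgent no
```

Running ssh -G web1 prints the options ssh resolves for the alias without opening a connection, which is a quick way to confirm which proxy setting is in effect.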
I've been using this trick for a while to circumvent firewalls and networking rules. Hopefully you can add it to your bag of tricks too!