Self-hosted SSH Proxy

From Allegro Packets Product Wiki

SSH Port Forwarding

The Allegro Network Multimeter can be configured to use SSH Port Forwarding to allow remote access to a device behind NAT. The Multimeter opens an SSH tunnel to an SSH endpoint and requests a listening port on the SSH server. HTTPS requests sent to this port are forwarded through the tunnel to the Multimeter's web interface.

Preparing the SSH server

Create a user

The user on the SSH server does not need any special rights and does not need a login shell. Example:

$> useradd -m -s /usr/sbin/nologin mmremote

Allow SSH access via public key

The Allegro Network Multimeter uses SSH public key authentication to log in to the SSH server. The public key can be found in the SSH public key field in the SSH Port Forwarding settings dialogue.

$> mkdir /home/mmremote/.ssh
$> chmod 700 /home/mmremote/.ssh
$> chown mmremote: /home/mmremote/.ssh
$> nano /home/mmremote/.ssh/authorized_keys
$> chown mmremote: /home/mmremote/.ssh/authorized_keys

Paste the public key line into the file, then save and close it. There are two options to access the Multimeter:

Option 1: No proxy

Advantage:

  • no additional software required.

Disadvantage:

  • no port < 1024 (as non-root user).
  • Default HTTPS port 443 is not possible.

By default the SSH server binds remote forwarded ports to the loopback interface only, so the Multimeter would be reachable only from the SSH server itself. For Option 1 this has to be changed so that the forwarded port may listen on other interfaces as well. (Option 2 does not need this change, because the proxy connects to the forwarded port on localhost.)

Edit the SSH configuration file /etc/ssh/sshd_config and activate the following line:

GatewayPorts clientspecified

Save and close the configuration file and restart the SSH service.
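The following script is an added example and not part of the Allegro wiki or the Multimeter firmware. It collects checks an administrator can run on the SSH host after preparing the user, the authorized_keys file and the GatewayPorts setting above. It assumes the names from this page (user mmremote, home /home/mmremote, listening port 55443), GNU coreutils and iproute2 (stat -c, ss) on a Linux server, and OpenSSH 7.8 or newer for the permitlisten key option. The restricted key line it produces is an optional hardening that assumes the Multimeter requests nothing beyond the remote port forward; try it on a test connection before replacing the plain key line.

```shell
#!/bin/sh
# Added example (not from the Allegro wiki): server-side checks for the SSH port
# forwarding setup. Assumed values from the page: user mmremote, port 55443.

# sshd uses the FIRST uncommented occurrence of a keyword. A "GatewayPorts no"
# earlier in sshd_config therefore silently wins over a "GatewayPorts
# clientspecified" appended at the end. Print the value sshd will use
# (default "no"). Assumes "Keyword value" syntax; settings inside Match blocks
# are not evaluated here, so "sshd -T -C user=mmremote" remains the final word.
effective_gatewayports() {
    file="${1:-/etc/ssh/sshd_config}"
    val=$(sed 's/#.*//' "$file" \
        | awk 'tolower($1) == "gatewayports" { print $2; exit }')
    printf '%s\n' "${val:-no}"
}

# Build a least-privilege authorized_keys entry: "restrict" switches off pty,
# agent/X11 forwarding and rc files, "port-forwarding" re-enables forwarding
# and "permitlisten" limits the remote forward (ssh -R) to the given port.
# Assumption: the Multimeter only requests that remote forward.
mm_authorized_keys_line() {
    port="$1"
    pubkey="$2"
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$port" "$pubkey"
}

# With StrictModes (the sshd default) a group- or world-writable .ssh directory
# or authorized_keys file makes sshd ignore the key. Returns 0 when both are
# locked down to 700 / 600.
check_key_perms() {
    dir="$1"
    [ "$(stat -c %a "$dir")" = "700" ] || return 1
    [ "$(stat -c %a "$dir/authorized_keys")" = "600" ] || return 1
}

# Read "ss -ltn" output on stdin and print the addresses the forwarded port is
# bound to. With the HTTPS proxy (Option 2) this should be 127.0.0.1 and [::1]
# only; a 0.0.0.0 or [::] entry means the Multimeter is reachable directly,
# bypassing the proxy and its filters.
forward_bind_addrs() {
    awk -v p=":$1" '$1 == "LISTEN" {
        a = $4
        if (substr(a, length(a) - length(p) + 1) == p)
            print substr(a, 1, length(a) - length(p))
    }'
}

# Usage: ./mm-check.sh gatewayports [sshd_config]
#        ./mm-check.sh keyline <port> "<public key line>"
#        ./mm-check.sh perms [/home/mmremote/.ssh]
#        ./mm-check.sh bind [port]
case "${1:-}" in
    gatewayports) effective_gatewayports "${2:-/etc/ssh/sshd_config}" ;;
    keyline)      mm_authorized_keys_line "$2" "$3" ;;
    perms)        check_key_perms "${2:-/home/mmremote/.ssh}" && echo "permissions ok" ;;
    bind)         ss -ltn | forward_bind_addrs "${2:-55443}" ;;
esac
```

Run `gatewayports` after editing sshd_config and before restarting the service; if it still prints `no`, an earlier GatewayPorts line in the file is taking precedence. Run `bind` once the Multimeter has connected to confirm where the forwarded port actually listens.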

Option 2: With HTTPS proxy

Advantage:

  • uses default HTTPS port 443.
  • uses several filter mechanisms provided by the proxy software.
  • uses the same SSH server as proxy for several Multimeters through SNI routing.

Disadvantage:

  • additional configuration required.

The following block shows a sample configuration for the nginx proxy server:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name allegro-mm-1234.mm-remote.company.com;

    ssl_certificate     /etc/letsencrypt/live/allegro-mm-1234.mm-remote.company.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/allegro-mm-1234.mm-remote.company.com/privkey.pem;

    location / {
        proxy_pass https://localhost:55443;   # 55443 = "Listening HTTPS Port on SSH Host" configured on the Multimeter
    }

    client_max_body_size 200M;   # for firmware uploads
}

server {
    listen 80;
    listen [::]:80;

    server_name allegro-mm-1234.mm-remote.company.com;

    return 301 https://$host$request_uri;
}

Forwarding to the Allegro Network Multimeter is selected by the configured server name. In this example, requests to allegro-mm-1234.mm-remote.company.com are forwarded to the Multimeter. This requires that the hostname resolves to the SSH server; a wildcard DNS CNAME entry (for example for *.mm-remote.company.com) pointing at the SSH server covers all Multimeters without a separate record per device.

Configuration of the Multimeter

In the configuration dialogue, insert the parameters to access the SSH server. For example:

  • SSH Host: mm-remote.company.com
  • SSH Port: 22
  • SSH User: mmremote
  • Listening HTTPS Port on SSH Host: 55443

The settings have to match the configuration above. Every Multimeter requires its own HTTPS listening port. If the SSH user is not root, no port below 1024 can be used; otherwise the connection attempt fails with an error message.