On Thu, Nov 12, 2020 at 10:02:57AM -0700, S Bob wrote:
> On 11/12/20 7:50 AM, Jonathan Billings wrote:
>> If this is actually something you want to do with regularity, I suggest using the SSH SOCKS proxy (with the DynamicForward port), and configure Firefox to use the localhost:port as a SOCKS5 proxy. Then all traffic in Firefox will be routed over the ssh connection. It won't break SNI and for the most part, everything will work in Firefox as if you were connecting from the remote side of the connection.
>> It works with yum and dnf too, where you can use RemoteForward to set up a proxy port on the remote side, set the 'proxy' settings in the configuration, and all yum/dnf traffic will go over the established SSH connection. Why would you do this? Well, if you've got a system that's sitting inside a private, not NAT'd network and your workstation/jumphost has a VPN enabled but you don't have it enabled on the remote side, you can update a system without doing a lot of complicated network magic. Now imagine using Ansible to do this, which is already setting up SSH sessions...
> Sounds interesting, can you point me to any examples / how to's to set this up?
What part? For the first part, either define 'DynamicForward 8000' in a Host section in ~/.ssh/config, or run 'ssh -D 8000 hostname' to set it with command line options. Then just set your SOCKS5 proxy settings in Firefox to localhost:8000. (I'm just using port 8000 as an example here, it can be any unused port above 1024 for regular users.)
For the second, it's largely the same thing, except you'd use 'RemoteForward 8000' or 'ssh -R 8000 hostname' with the command line, and on the remote side, set 'proxy=socks5://localhost:8000' in the yum.conf or dnf.conf, or set it on the command line with:
yum --setopt='proxy=socks5://localhost:8000' update
(replace 'yum' with 'dnf' for c8)
If you are curious if it is actually doing anything, add a -v to your ssh connection and it'll send debugging information to your terminal, and you'll see each proxied connection from yum/dnf.
For Ansible to use it, you'd set 'ssh_connection' in your ansible.ini to have the extra -R option, and then deploy a yum/dnf config that uses the proxy. I've found this useful for managing some systems on our campus that are on a private LAN but are routed to campus only, so they can't reach 'the world' but my computer can. I would still recommend that people run their own private mirror if they are running their own private cluster, but this is useful in a pinch.
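A check to go with the RemoteForward setup described in the message above, as an added example that is not part of the original thread: OpenSSH binds a remote-forwarded port to the loopback interface by default, and it becomes reachable from other hosts only if a non-loopback bind address is requested and the server's GatewayPorts setting allows it. The function below classifies the port 8000 listener from `ss -ltn` output read on stdin; the function names and the sample `ss` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). On the remote host you would run:
#   ss -ltn | classify_listener 8000
# Prints: loopback (only 127.0.0.0/8 or ::1), exposed (any other bind), absent.
classify_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                      # Local Address:Port column
            n = split(addr, parts, ":")
            if (parts[n] != port) next     # some other service
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            sub(/%.*/, "", host)           # drop an interface suffix such as %lo
            found = 1
            if (host !~ /^127\./ && host != "[::1]") exposed = 1
        }
        END {
            if (!found) print "absent"
            else if (exposed) print "exposed"
            else print "loopback"
        }'
}

# Constructed sample: what a default 'ssh -R 8000 hostname' typically leaves.
sample_loopback() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128           0.0.0.0:22         0.0.0.0:*
LISTEN  0       128         127.0.0.1:8000       0.0.0.0:*
LISTEN  0       128             [::1]:8000          [::]:*
EOF
}

# Constructed sample: the forward bound to the wildcard address.
sample_exposed() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128           0.0.0.0:22         0.0.0.0:*
LISTEN  0       128           0.0.0.0:8000       0.0.0.0:*
EOF
}

echo "default forward:  $(sample_loopback | classify_listener 8000)"
echo "wildcard forward: $(sample_exposed | classify_listener 8000)"
```

Even in the loopback case, any local account on the remote host can connect to the port and send traffic through the workstation's network for as long as the SSH session is open.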