Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
morpheuskafka 6 hours ago

They are saying they want to directly SSH into a VM/container based on the web hostname it serves. But that's not how the HTTP traffic flows either. With only one routable IP for the host, all traffic on a port shared by VMs has to go to a server on the host first (unless you route based on port or source IP with iptnbles, but that is not hostname based).

The HTTP traffic goes to a server (a reverse proxy, say nginx) on the host, which then reads it and proxies it to the correct VM. The client can't ever send TCP packets directly to the VM, HTTP or otherwise. That doesn't just magically happen because HTTP has a Host header, only because nginx is on the host.

What they want is a reverse proxy for SSH, and doesn't SSH already have that via jump/bastion hosts? I feel like this could be implement with a shell alias, so that:

ssh user@vm1.box1.tld becomes: ssh -j jumpusr@box1.tld user@vm1

And just make jumpusr have no host permissions and shell set to only allow ssh.

geocar 5 hours ago | parent | next [-]

> The HTTP traffic goes to a server (a reverse proxy, say nginx) on the host, which then reads it and proxies it to the correct VM.

That's one implementation. Another implementation is the proxy looks at the SNI information in the ClientHello and can choose the correct backend using that information _without_ decrypting anything.

Encrypted SNI and ECH requires some coordination, but still doesn't require decryption/trust by the proxy/jumpbox which might be really important if you have a large number of otherwise independent services behind the single address.

lmm 6 hours ago | parent | prev | next [-]

The point is that they want the simple UX of "ssh vm1.box1.tld" takes you to the same machine that browsing to vm1.box1.tld takes you to, without requiring their users to set any additional configuration.

bfivyvysj 3 hours ago | parent [-]

You can have that already? It's just dns. Are you saying different vms share the same box1 ip? Well then yeah, you want a reverse proxy on some shared ip.

dwedge 3 hours ago | parent [-]

> Well then yeah, you want a reverse proxy on some shared ip.

At that point you run into the problem that SSH doesn't have a host header and write this blog post.

bfivyvysj an hour ago | parent [-]

Yeah, ftp has the same issue depending on implementation.

dwedge 4 minutes ago | parent [-]

Most host/port services have the same issue, even https used to have it and it's the reason SNI was introduced. But if by implementation you mean sftp, then of course - it uses Ssh

Dylan16807 6 hours ago | parent | prev | next [-]

If jump host shell aliases were a valid option, then setting a port would be a much easier valid option.

TZubiri 5 hours ago | parent | prev [-]

>They are saying they want to directly SSH into a VM/container based on the web hostname it serves. But that's not how the HTTP traffic flows either.

> Proceeds to explain how the HTTP traffic flows based on the hostname.

If you wanted to flex on your knowledge of the subject you could have just lead the whole explanation with

>"I know all about this, here's how it works."

Also

>"What they want is a reverse proxy for SSH"

They already did this, I'm much more impressed by the original article that actually implemented it than by your comment "correcting them" and suggesting a solution.