tsani / jerrington.me Goto Github PK

In regards to your "Self hosted ngrok alternative" post: https://jerrington.me/posts/2019-01-29-self-hosted-ngrok.html

server {
    server_name tunnel.yourdomain;

    access_log /var/log/nginx/$host;
    
    # These three lines are new.
    listen 443 ssl;
    ssl_certificate /path/to/tls/cert/fullchain.pem;
    ssl_certificate_key /path/to/tls/cert/privkey.pem;

    location / {
	    proxy_pass http://localhost:3333/;
	    proxy_set_header X-Real-IP $remote_addr;
	    proxy_set_header Host $host;
	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
	    proxy_redirect off;
    }

    error_page 502 /50x.html;
    location = /50x.html {
	    root /usr/share/nginx/html;
    }
}

This is perhaps a bit of a naive question, but if someone connects to my publically accessible device over HTTPS (443), how is the content forwarded to my private webserver?

I understand how requests on the default http port(s) are forward to port 3333, which is picked up by the HTTP port on private server (8888).

But how does this work for HTTPS?

Is port 443 also redirected into port 3333, and then transferred to port 8888 (HTTP?) on my private device?

Do I not need to (ssh -R) bind 443 on the proxy to my private device's HTTPS port (that isn't 8888)?

I would like to be able to follow an RSS or Atom feed of your posts. Hakyll supports this out of the box: https://jaspervdj.be/hakyll/tutorials/05-snapshots-feeds.html

It'd be nice if I could hack pandoc a bit to get it to do something like

\begin{theorem}
    If $S$ is a convex set ...
\end{theorem}

translated to

<p class="theorem">
    If $S$ is a convex set ...
</p>

Then, all I need to do is add a theorem.css or some such to get properly formatted theorems.

Hey Jacob, thanks for the awesome and succinct post. I added -fNT to the ssh call to avoid the interactive session and put the process in the background.

It works well so far, but I get occasional output from ssh. They only occur sometimes when handling a request, never when it’s sitting idle (note, this is run without -f to keep its output visible):

% ssh -NT -R 3333:localhost:8080 my.host
setsockopt TCP_NODELAY: Invalid argument
setsockopt TCP_NODELAY: Invalid argument
setsockopt TCP_NODELAY: Invalid argument
setsockopt TCP_NODELAY: Invalid argument
setsockopt TCP_NODELAY: Invalid argument
setsockopt TCP_NODELAY: Invalid argument

One request with verbose logging:

debug3: receive packet: type 90
debug1: client_input_channel_open: ctype forwarded-tcpip rchan 2 win 2097152 max 32768
debug1: client_request_forwarded_tcpip: listen localhost port 3333, originator 127.0.0.1 port 37732
debug1: connect_next: start for host localhost ([::1]:8080)
debug2: fd 8 setting O_NONBLOCK
debug2: fd 8 setting TCP_NODELAY
setsockopt TCP_NODELAY: Invalid argument
debug1: connect_next: connect host localhost ([::1]:8080) in progress, fd=8
debug3: fd 8 is O_NONBLOCK
debug3: fd 8 is O_NONBLOCK
debug1: channel 0: new forwarded-tcpip [127.0.0.1] (inactive timeout: 0)
debug1: confirm forwarded-tcpip
debug3: channel 0: waiting for connection
debug1: channel 0: connection failed: Connection refused
debug1: connect_next: start for host localhost ([127.0.0.1]:8080)
debug2: fd 9 setting O_NONBLOCK
debug2: fd 9 setting TCP_NODELAY
debug1: connect_next: connect host localhost ([127.0.0.1]:8080) in progress, fd=9
debug3: channel 0: waiting for connection
debug1: channel 0: connected to localhost port 8080
debug3: send packet: type 91
debug2: channel 0: read failed rfd 9 maxlen 32768: Broken pipe
debug2: channel 0: read failed
debug2: chan_shutdown_read: channel 0: (i0 o0 sock 9 wfd 9 efd -1 [closed])
debug2: channel 0: input open -> drain
debug2: channel 0: ibuf empty
debug2: channel 0: send eof
debug3: send packet: type 96
debug2: channel 0: input drain -> closed
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: chan_shutdown_write: channel 0: (i3 o1 sock 9 wfd 9 efd -1 [closed])
debug2: channel 0: output drain -> closed
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: 127.0.0.1, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 127.0.0.1 (t4 [forwarded-tcpip] r2 i3/0 o3/0 e[closed]/0 fd 9/9/-1 sock 9 cc -1 io 0x00/0x00)

Googling hasn’t turned up much. Any idea what might be causing this?

Hi Jacob. I recently read your article and I was considering using this approach. I am a bit of a noob when it comes to cloud servers, so I am curious what host you would use (the one that will be running the server for tunnel.yourdomain) or recommend using. Would Amazon Lightsail be a good pick for this?

From:

“Roll your own Ngrok with Nginx, Letsencrypt, and SSH reverse tunnelling”.

I got it working, but WP pages do not render. Normally, with something like localtunnel I have to change the URL In WP and then it works. This I could not get to work.

Hi !

I was directed from this Reddit to your article:
https://www.reddit.com/r/selfhosted/comments/ak63n3/self_hosted_ngrok_alternative/?utm_source=amp&utm_medium=&utm_content=post_body

So I am not technically proficient, but I was looking for an automated solution for multiple client devices behind firewalls ( eg home devices) running a small Linux distro with the Entware repo ( same as for Openwrt for routers.)

Do you think your script can be automated thus, along with letsencrypt certificate automation as well?

Here I am assuming devices cannot be configured manually; they all have the same Linux image with Entware repo, and thus the (bash?) script will need automation. For instance, the device to server SSH login userID/passwords for each device can be preconfigured in the server DB.

hey bud,i am really confused about server_name section in the nginx block.Do i put in any random url there or i need to buy a new domain? 🤔

It'd be nice if pandoc supported proof.sty, so that I could typeset deductions.

Hello, a couple of days ago I've discovered the ngrok solution, and consequently your article... It's a very interesting topic!
For a newbie like me it's not very easy to understand all the concepts (how the traffic it's routed, where 'tunnel.yourdomain' is defined, and so on..).

Having a basic network schematic would add some great value to your post!