Creating the Secure Tunnel

Our EC2 instance is all set up, but it’s not a proxy yet. We can turn it into a proxy by running the following command with the amazonaws.com address replaced by the server’s DNS name:

$ ssh -R *:5900:localhost:22 -i ~/.ssh/amazon.pem user@ec2-0-0-0-0.compute-1.amazonaws.com -N

The -R option tells the ssh command to create a reverse tunnel (that is, the traffic received by the proxy will be forwarded to the machine that ran the ssh command). The *:5900:localhost:22 argument, which is passed to the -R flag, instructs the command to map port 5900 on the proxy to port 22 on localhost (that is, the computer from which we ran the ssh command). We’ve chosen to use 5900 because it is a common port for tools like VNC, but it will work equally well for SSH and tmux.

The -i ~/.ssh/amazon.pem user@ec2-0-0-0-0.compute-1.amazonaws.com option (with user replaced by the instance’s login account) is the standard way of connecting to an EC2 instance using the pem file we downloaded earlier. Finally, the -N option tells the command not to bring up a terminal session for the remote machine (the EC2 instance). We could also add -f if we want it to run in the background.
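As an added example that is not part of the book, the short POSIX shell script below builds the reverse-tunnel command from the flags explained above and checks the one sshd setting on the proxy that the *:5900 bind depends on: sshd's GatewayPorts option defaults to no, in which case the * bind address is ignored, port 5900 is opened on the proxy's loopback interface only, and a pairing partner cannot reach it. The user@ portion of the address and the two sshd_config files are constructed placeholders.

```shell
#!/bin/sh
# Added example: not part of the book. Builds the reverse-tunnel command
# from the section above and checks the sshd_config setting it depends on.
# "user@..." is a placeholder for the EC2 instance's login account.

# Print the ssh command that opens the reverse tunnel.
# $1 = port to open on the proxy, $2 = local port it forwards to,
# $3 = identity (.pem) file, $4 = user@host of the EC2 instance.
tunnel_cmd() {
    printf 'ssh -N -f -R *:%s:localhost:%s -i %s %s\n' "$1" "$2" "$3" "$4"
}

# Print the effective GatewayPorts value from an sshd_config file ($1).
# sshd honours the first occurrence of a keyword; the default is "no",
# in which case the "*" bind address is ignored and the proxy listens
# on its loopback interface only, so a partner cannot reach port 5900.
gateway_ports() {
    awk 'tolower($1) == "gatewayports" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# Succeed (exit 0) when the config lets remote clients reach the
# forwarded port, i.e. GatewayPorts is "yes" or "clientspecified".
remote_bind_allowed() {
    case "$(gateway_ports "$1")" in
        yes|clientspecified) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample configs standing in for /etc/ssh/sshd_config on the proxy.
default_cfg=$(mktemp)
printf '# constructed: stock config, GatewayPorts left at its default\nPort 22\n' > "$default_cfg"
open_cfg=$(mktemp)
printf '# constructed: proxy configured for remote-reachable tunnels\nGatewayPorts clientspecified\nPort 22\n' > "$open_cfg"

tunnel_cmd 5900 22 ~/.ssh/amazon.pem user@ec2-0-0-0-0.compute-1.amazonaws.com
if remote_bind_allowed "$default_cfg"; then
    echo "default config: tunnel reachable from outside the proxy"
else
    echo "default config: port 5900 bound to loopback only; set GatewayPorts on the proxy"
fi
remote_bind_allowed "$open_cfg" && echo "open config: port 5900 reachable by anyone the security group lets in"
rm -f "$default_cfg" "$open_cfg"
```

Once the tunnel is up, running ss -ltn on the EC2 instance shows whether 5900 is listening on 0.0.0.0 or on 127.0.0.1. Because a 0.0.0.0 bind turns the proxy into a public front door to your own machine's sshd, the instance's security group should admit port 5900 only from your partner's address, and the local accounts reachable through it (bill in this chapter) are better protected by keys than by passwords.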

Now we can connect an SSH client to the EC2 proxy just as if we were connecting directly to the host machine. Let’s simulate this by connecting with two users, bill and ted. You can create these accounts, or follow along with any two users on your machine.

First, hide the terminal that’s running the reverse proxy. Then open a second terminal, switch to the ted user, and start a tmux session like this:

ted@localhost$ tmux -S /var/tmux/pair

Now open a third terminal, switch to the bill user, and execute the following command. When prompted, use the password for bill on localhost instead of the password for ec2-0-0-0-0.compute-1.amazonaws.com:

bill@localhost$ ssh -p 5900 ec2-0-0-0-0.compute-1.amazonaws.com
The authenticity of host '[ec2-0-0-0-0.compute-1.amazonaws.com]:5900 ...
RSA key fingerprint is 96:af:b5:c3:d2:61:95:fc:b1:5a:85:32:09:a6:9c:a2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[ec2-0-0-0-0.compute-1.amazonaws.com]:5900 ...
Password:
bill@localhost$

We’ve created an SSH session through the proxy on port 5900, which will be forwarded to the host machine. We don’t need to use the pem file as before because we’re not actually connecting to the EC2 instance. Instead, we are connecting to localhost, and the credentials for bill will be sufficient.

Now that we’ve created our loopback SSH session (via the proxy), we can use tmux as we did in Chapter 2, Collaborating with Text Only. Run this command:

bill@localhost$ tmux -S /var/tmux/pair attach

A new tmux session will open and mirror the session in ted’s terminal—just as it did in the previous chapter—but the traffic will be tunneled through the EC2 instance.

The beauty of this setup is that it no longer matters where we are. As long as you and your pairing partner can both reach the EC2 instance, you can share a tmux session. But we can use the reverse proxy for more than just tmux. We can use it for transferring a single file with SCP, allowing a remote browser to view a web application running locally, or even sharing our entire screen.

Before we move on, close the tmux sessions but leave the tunnel running. We’ll use it to route web traffic from one pairing partner through the network of the other partner.
