ssh (6)


VaultPress SSH/SFTP access for WordPress site behind AWS load balancer

I recently worked on migrating a large WordPress site from a dedicated server to AWS following the reference architecture as outlined in https://github.com/aws-samples/aws-refarch-wordpress

One of the upsides of this architecture is that the site sits entirely behind the load balancer and the instances running the web server are never reachable from the internet (not even via SSH or HTTP). So any updates to the site need to be deployed using Systems Manager. I will post about that later … The downside of this restriction is that VaultPress can only reach the site (for backups) over HTTPS, which puts extra load on the web instances.

To fix that, we need to allow VaultPress SSH access directly to the web instances (at least to one of them), and the only way in via SSH is through a bastion instance.

On this bastion instance, I installed Nginx with the following configuration in /etc/nginx/nginx.conf. The stream block goes at the top level of the file (next to the http block, not inside it) and needs the stream module compiled in or loaded (nginx -V 2>&1 | grep -o with-stream; on Debian/Ubuntu it ships in the libnginx-mod-stream package):

stream {
        server {
                listen 1234;
                proxy_pass 10.0.1.12:22;
        }
}

where 10.0.1.12 is the internal IP of one of the web instances behind the load balancer. Nginx proxies raw TCP here, so the SSH session is end-to-end between VaultPress and the web instance: the bastion never sees the keys or the session content, and the host key the client is shown is the web instance's, not the bastion's.

At this stage (after reloading Nginx), I added the vaultpress user on the web instances and put VaultPress's SSH public key in that user's .ssh/authorized_keys.

Testing the connection works, all green on the VaultPress site; both the SSH and the SFTP connection should work. To test manually, I added my own public key and connected with:

ssh -l vaultpress -p 1234 bastion.mydomain.com 

Since the IPs may change in case of an auto scaling event, I added a cron job that runs every 5 minutes on the bastion and updates the Nginx configuration to point at one of the web instances' internal IPs. Note that because the proxy works at the TCP level, swapping the backend also swaps the SSH host key a client sees on bastion.mydomain.com:1234; unless the web instances share a host key (for example one baked into the AMI), a client with strict host key checking will refuse the new one. A simplistic version looks like this:

#!/bin/bash
set -eu
# take only the first IP; with several instances awk would print one per line
IP="$(list-ips.sh | awk 'NR == 1 { print $1 }')"
[ -n "$IP" ] || exit 1
sed -i -E "s/proxy_pass (.+):22/proxy_pass ${IP}:22/" /etc/nginx/nginx.conf
nginx -t && service nginx reload
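A stricter version of that cron job, added here as an example and not the script from the post. The author's list-ips.sh helper is not on the page, so a constructed list of instance IPs stands in for it; what the example adds is validation of the chosen address before it is spliced into a sed expression, and a rewrite-only-if-changed step so Nginx is not reloaded every five minutes for nothing.

```shell
#!/bin/sh
# Added example, not the post's own script. sample_ips is a constructed
# stand-in for the author's list-ips.sh; everything else is generic.
# Needs GNU sed (for -i and -E) and a POSIX awk.
set -eu

# Constructed stand-in for list-ips.sh: candidate web-instance IPs, one per line.
sample_ips() {
    printf '%s\n' '10.0.1.12' '10.0.2.41'
}

# Read lines on stdin, print the first column of the first line that is a
# well-formed IPv4 address, and return 0; return 1 if there is none.
# Anything that passes is digits and dots only, so it is safe to put into
# the sed expression in update_proxy_target.
first_valid_ip() {
    awk '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($1, o, ".")
            if (o[1] <= 255 && o[2] <= 255 && o[3] <= 255 && o[4] <= 255) {
                print $1
                found = 1
                exit
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Point the proxy_pass target in the config file $1 at $2:22.
# Returns 0 if the file was rewritten, 1 if it already pointed there
# (so the caller can skip the reload), 2 if no proxy_pass line was updated.
update_proxy_target() {
    conf=$1
    ip=$2
    current=$(sed -nE 's/^[[:space:]]*proxy_pass[[:space:]]+([0-9.]+):22;.*/\1/p' "$conf" | head -n 1)
    [ "$current" != "$ip" ] || return 1
    sed -i -E "s/(proxy_pass[[:space:]]+)[0-9.]+:22;/\1${ip}:22;/" "$conf"
    grep -qE "proxy_pass[[:space:]]+${ip}:22;" "$conf" || return 2
}

# The cron body: pick a backend, rewrite the config only if the target moved,
# and reload only after nginx -t accepts the result.
refresh_backend() {
    conf=$1
    if ! ip=$(sample_ips | first_valid_ip); then
        echo "no usable web instance IP, leaving $conf alone" >&2
        return 1
    fi
    if update_proxy_target "$conf" "$ip"; then
        nginx -t && service nginx reload
    fi
}

# Only touch the real config when explicitly asked to, so sourcing or
# running the file for a look does nothing under /etc.
if [ "${1:-}" = "--cron" ]; then
    refresh_backend /etc/nginx/nginx.conf
fi
```

Installed as, say, /usr/local/sbin/vaultpress-backend.sh, the cron line becomes */5 * * * * /usr/local/sbin/vaultpress-backend.sh --cron. Replacing sample_ips with the real helper is the only change needed; the validation step is what stops an unexpected line from that helper (an error message, a hostname) from ending up inside the sed command or the Nginx config.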

You can also use CloudWatch Events to add a rule that fires on Auto Scaling events, pointing it at a Lambda function that calls Systems Manager to change the IP in Nginx. Here's a reference for that: https://docs.aws.amazon.com/autoscaling/ec2/userguide/cloud-watch-events.html#create-lambda-function

Oh, and don't forget to lock down the bastion instance: Nginx listens on 1234 on every interface, so the security group is what restricts the port to VaultPress. In my case, I set the security group in the EC2 console to allow only the following:

Type: Custom TCP Rule
Protocol: TCP
Port Range: 1234
Source: 192.0.64.0/18
Description: VaultPress SSH Access


packet_write_wait: Connection to xxx port 22: Broken pipe

SSH connections started dropping left and right a few days ago. I thought at first it was a problem with my connection; our DSL connection in Beirut, Lebanon has been getting a lot better this last year, but it still had its quirks now and then, and I blamed the wires and bad weather.

But it happened again on the second day and the third, and it was becoming really annoying, with jobs killed in the middle of execution whenever I forgot to start a screen session.

Long story short, it seems that some settings were removed or reset after an Ubuntu upgrade on my home machine. This is what I added to /etc/ssh/ssh_config (the client configuration, not sshd_config!):

Host *
     ServerAliveInterval 30
     ServerAliveCountMax 5

And that's it! With these values the client sends a keepalive request every 30 seconds and gives up after 5 unanswered ones, so a dead link is noticed after about 150 seconds, while the regular traffic keeps idle NAT and firewall entries from expiring.

If you don't want to edit the system-wide configuration, you can put the same block in ~/.ssh/config for the same effect.


Tweaking GitLab Setup

What?

GitLab is your own GitHub and more (or less). They have a pretty good introduction on the home page, so I won't repeat that here.

The recommended installation method for GitLab is the Omnibus package. Head to the downloads page and follow the instructions; you should have a GitLab setup in no time. Who needs GitHub! Oh well, many, many people…

Now to the tweaks.

Why?

If you're like me, trying to hide the ports on your server from bots and prying eyes, then you would have SSH on a different port and your other services all bound to localhost, facing the Internet bravely from behind a proxy server. I use Apache on my personal server; it's pretty robust and gets the job done.

So let's say SSH is on port 2022, and Apache has a firm hold on ports 80 and 443. So GitLab's bundled NGINX should take port 8088.

And the domain you're using for GitLab is not the machine's hostname: the hostname is 'host4339.moodeef.com' and GitLab's URL is 'gitlab.deeb.me'.

How?

Edit the “/etc/gitlab/gitlab.rb” file with the following changes/additions:

gitlab_rails['gitlab_host'] = 'gitlab.deeb.me'
gitlab_rails['gitlab_ssh_host'] = 'gitlab.deeb.me'
gitlab_rails['gitlab_port'] = 8088
gitlab_rails['gitlab_email_from'] = 'git-no-reply@deeb.me'
gitlab_rails['gitlab_support_email'] = 'git-no-reply@deeb.me'
gitlab_rails['gitlab_shell_ssh_port'] = 2022
# external_url is a method call, not an assignment: with "external_url = '...'"
# Ruby only sets a local variable and GitLab keeps its default URL
external_url 'https://gitlab.deeb.me'

Then run gitlab-ctl reconfigure and see how it goes from there. Two things to watch on the Omnibus side: external_url is a method call (external_url = '...' silently does nothing), and it is what the package derives the host, port and HTTPS settings from; and since Apache terminates TLS in front of GitLab, the documented settings for where the bundled NGINX actually listens are nginx['listen_port'] (8088 here) and nginx['listen_https'] = false, so NGINX does not expect certificates of its own.

If things seem to be too complicated, you can always get a subscription option with full support from the GitLab folks. Or hire me to fix it for you!


Apache Reverse Proxy + SSH Reverse Tunnel

Disclaimer: This setup is just a bit crazy, and I wouldn't recommend it for a production site. It works for me.
I needed to allow some clients to test a web app I'm working on, but I didn't want to deploy the code to a server yet for various reasons (mainly memory constraints). So the solution was to set up a reverse proxy with Apache to my local machine, over an SSH reverse tunnel. Check out the code after the break


Suspend Ubuntu Desktop

Simple command line: pm-suspend
An interesting alternative would be: pm-suspend-hybrid


Quick SSH Tunnel using Putty

Two easy steps to create a tunnel from a remote server port to your localhost. It's handy if you're trying to connect to a MySQL, JBoss, etc. installation bound to localhost only (for better security). Check out the screenshots after the break
