Tags: ssh, amazon-ec2, phabricator

How to install Phabricator in AWS private VPS with SSH repo access


I'm installing Phabricator on AWS and the usual proxy/web/database setup works for HTTP/S. Now I want to add SSH access to the repos. How can I configure SSH access to the repositories? My usage is small and I'd rather not create complex or obscure setups.

If the elastic IP is associated with the proxy server, the proxy would have to proxy SSH requests to Phabricator. Will a SOCKS proxy work? Is there an easy way (i.e. package) to have a socks proxy connect to the web server whenever either one is rebooted?

Without the SOCKS proxy, it seems the alternative is to put everything on one server, except the database of course. This means the web server (running Phabricator) will need to be in the public VPS with an elastic IP associated with it. That way HTTPS and SSH can connect to the same hostname.

Are there alternatives? Is my only option to set up everything on one server?


Solution

  • This is accomplished with IP and port forwarding. My initial search for port forwarding was overwhelmed by port forwarding in routers and firewalls.

    Add the following to /etc/sysctl.d/50-ip_forward.conf. This works on openSUSE Leap and CentOS.

    # Enable IP_FORWARD
    net.ipv4.ip_forward = 1
    

    Apply the file with sysctl.

    sudo sysctl -p /etc/sysctl.d/50-ip_forward.conf
    

    Then forward the SSH port and test. If you lose access to the server, reboot it from the AWS console. I already changed the admin port to another port before making this change. It's easier for me to add the Port to my ~/.ssh/config than it is for users to specify a different port in their git client.

    sudo firewall-cmd --zone external --add-forward-port port=22:proto=tcp:toaddr=1.2.3.4
    

    If everything checks out, make the change permanent.

    sudo firewall-cmd --zone external --add-forward-port port=22:proto=tcp:toaddr=1.2.3.4 --permanent
    

    Don't forget to add the necessary ports in the AWS security group. Reboot the server to make sure everything is kept across reboots.

    NAT instance

    As an added bonus let's turn the proxy into a NAT instance! The external zone already has masquerade enabled but is not used. Assign the eth0 interface to the external zone.

    sudo firewall-cmd --zone external --add-interface eth0
    

    In your VPC, add a default route for 0.0.0.0/0 with a target of the instance above to the private subnet. Now test internet connectivity from an internal server in the private subnet. Performance isn't an issue because this route is only for server updates, not production traffic.

    ping 8.8.8.8
    

    If everything works, make the change permanent.

    sudo firewall-cmd --zone external --add-interface eth0 --permanent
    

    I like to reboot after making network/firewall changes to make sure everything is kept across reboots.
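A post-reboot check for the settings above, added here as an example and not part of the original answer: each check takes the command output as an argument so it can be exercised offline, and run_live feeds it real sysctl/firewall-cmd output. The check_* and run_live names are assumptions, and 1.2.3.4 is the placeholder backend address used in the answer.

```shell
#!/bin/sh
# Post-reboot verification of the SSH forward and NAT settings described above.
# Each check_* function takes the relevant command's output as its argument so
# the checks can be exercised offline; run_live feeds them real output.

BACKEND_ADDR="1.2.3.4"   # placeholder private IP of the Phabricator host
SSH_PORT="22"
ZONE="external"
IFACE="eth0"

# $1: output of `sysctl -n net.ipv4.ip_forward`
check_ip_forward() { [ "$1" = "1" ]; }

# $1: output of `firewall-cmd --zone $ZONE --list-forward-ports`; firewalld
# prints one rule per line, e.g. port=22:proto=tcp:toport=:toaddr=1.2.3.4
check_forward_rule() {
    printf '%s\n' "$1" |
        grep -qx "port=${SSH_PORT}:proto=tcp:toport=:toaddr=${BACKEND_ADDR}"
}

# $1: output of `firewall-cmd --zone $ZONE --list-interfaces` (space separated)
check_interface() { printf '%s\n' "$1" | tr ' ' '\n' | grep -qx "$IFACE"; }

# $1: output of `firewall-cmd --zone $ZONE --query-masquerade` ("yes"/"no");
# a forward-port with toaddr only works while the zone masquerades.
check_masquerade() { [ "$1" = "yes" ]; }

# Check the runtime configuration, then the permanent one. Non-zero exit on
# any failure, so the script can gate a post-reboot alert.
run_live() {
    rc=0
    check_ip_forward "$(sysctl -n net.ipv4.ip_forward)" ||
        { echo "FAIL: net.ipv4.ip_forward is not 1"; rc=1; }
    for mode in "" "--permanent"; do
        label="${mode#--}"; label="${label:-runtime}"
        fc="firewall-cmd $mode --zone $ZONE"
        check_forward_rule "$($fc --list-forward-ports)" ||
            { echo "FAIL ($label): no forward of $SSH_PORT/tcp to $BACKEND_ADDR"; rc=1; }
        check_interface "$($fc --list-interfaces)" ||
            { echo "FAIL ($label): $IFACE is not in zone $ZONE"; rc=1; }
        check_masquerade "$($fc --query-masquerade)" ||
            { echo "FAIL ($label): masquerade is off in zone $ZONE"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: SSH forward and NAT settings are in place"
    return "$rc"
}

# Only query the live system when asked: sh verify.sh --live
if [ "${1:-}" = "--live" ]; then run_live; fi
```

Run it with --live on the proxy after a reboot; without the flag it only defines the functions.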