SSH Tunnelling With Alibaba Cloud To Expose A Local Environment
What we want to solve with this tutorial?
The problem we want to solve with this article is a very recurrent one. That one that appears when you are developing a website in your local machine, but your client wants to see the progress as you work.
The classic approach is to start an ECS instance as staging environment where you setup a web server and push the code from time to time. The problem of doing things in that way is that you lose a lot of time configuring the server, the push and pull scripts and keeping the databases in sync. All of that to get a not-always-identical website because the nature of the situation.
At the end of this post, you will be able to have your own “preview” Reverse SSH server where the contents of it are going to be identical and fully synchronised with your local machine, as it effectively serves the content from your computer. I know it sounds difficult, but the level of knowledge you need is very low, as we cooked everything for you first. We will use “serveo” for the server, and this running on a Pouch container.
Ok, so what is SSH Tunnelling?
Also called “SSH port forwarding“, SSH Tunnelling lets you, according to its creators, “transport arbitrary networking data over an encrypted SSH connection“. In our case, this means that we are going to forward the port 80 of the Pouch container running our application to the port 80 of the preview server, letting a third party to browse the website hosted in our local environment through an ECS instance in Alibaba Cloud. And all of this using an encrypted connection to avoid unwanted onlookers.
By default, an SSH Tunnel will only let you forward one port at a time, limiting to only 1 the amount of websites you can forward. But there is a high chance that you want to use the preview server to tunnel several websites from your local machine at the same time. This is possible thanks to the use of “serveo“, an SSH server that, in combination with SSH Tunnelling, lets you create dynamic subdomains exposing your local servers by using only 1 port. Is like mixing a reverse proxy and SSH forwarding.
Let’s suppose you own the domain “example.com“. By using this solution you could create a tunnel exposing a Pouch container making it viewable at, say, “cool-shop.example.com“. Pretty neat I’d say.
Pouch Container?
PouchContainer is a container engine created by Alibaba in 2011 (back then it was known as T4). Back then, T4 was based on LXC to function, but when Docker came popular some years later, Alibaba introduced Docker’s image technology into T4’s architecture to make it much stronger. This meant that, from that moment, Pouch was compatible with Docker images and OCI compliant.
Pouch, well-tested at Alibaba’s enormous data centres and put through lots of stress with their colossal transaction volume, is now publicly available since Alibaba made it open source on October 2017. That means that your team can be quickly benefited by just adopting it. Pouch Container claims to have a stronger isolation, so if you are running containers to support financial transactions, I’d recommend you to move from Docker to Pouch.
Launch an ECS instance
The way you go on this step is completely up to you. If you want to setup the ECS in a pure DevOps way, I recommend you to have a look to this article about Setting up an ECS with Terraform in Alibaba Cloud, where we guide you. If you want to go using the console, then follow the official instructions about Creating an ECS Instance.
For the setup, you would be fine for most cases with a 1 vCPU / 1GB ECS. If, otherwise, you expect to use this server in a corporation environment, I suggest you to launch a 2 vCPU / 4GB instance.
Configure your domain name DNS
As mentioned above, the way this package works is assigning a dynamic subdomain to whichever domain to point to the server. Let’s use “example.org” for this. So our job will consist in pointing to our ECS instance “*.example.org“.
A Records
For this to work you don’t need to manage the DNS of the domain with Alibaba Cloud, but it’s recommended as the DNS console makes things much easier when dealing with record updating and integrating with the API. Here you just need to create a CNAME record at “*” pointing to “example.org” or, if the server lives under a different IP, an A record pointing to it.
Install Pouch Container
There are very complete tutorials on how to install Pouch Container, so here I’ll assume you have some understanding about Linux and you are running either Debian, Ubuntu or anything based on them.
Copy and paste the below code to install Pouch Container:
apt-get install lxcfs curl git apt-transport-https ca-certificates software-properties-common \
&& curl –fsSL https://mirrors.aliyun.com/opsx/pouch/linux/debian/[email protected] | apt-key add – \
&& add-apt-repository "deb https://mirrors.aliyun.com/opsx/pouch/linux/debian/ pouch stable" \
&& apt-get update && apt-get install pouch \
&& service pouch start
Run the server
Because Pouch was made to be easy to use and respects all container standards, this one-liner should be enough to start our Reverse SSH Server, be sure to open ports 80, 443, 1337 and 22 in the security groups, this wont work otherwise:
pouch run -d -p 80:80 -p 443:443 --name sshr -e SERVICE="example.org" roura/topo:server
Forward a local website
Now that we have the server running on our ECS instance and hooked to a domain, we just need to start forwarding local traffic to it. This can be done using a the standard reverse connection by running the following script:
ssh -R topo.example.org:80:localhost:80 -p 1337 -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=no -o TCPKeepAlive=yes example.org
This will automatically start a Virtual Host on “topo.example.org” tunneling traffic to your localhost port 80. You are happy, client is happy, everyone is happy. If you have another service running locally you just need to assign a new Virtual Host subdomain and repeat the above script just by changing the relevant parts.
To make things easier I created also a Docker Image called “roura/topo:client” that runs the above command automatically and is useful to forward multiple containers running locally to their respective Virtual Hosts.
Conclusion
By now you should be able to show off in front of that client with your shiny website completely in sync!I hope this tutorial was useful! Also you should understand a bit better the container solution from Alibaba, Pouch Container. Good luck!
Original article: SSH Tunnelling With Alibaba Cloud To Expose A Local Environment.