How can I make ports forwarded via AWS SSM available to connections not originating from localhost?

Question

I am using AWS CLI in a Docker container to open a port forwarding session to a remote host via AWS SSM on an EC2 instance. So that I can access the port from outside of the Docker container, I am mapping it in Docker so that it is available on my own host.

The issue now is that any connection to this port from outside of the Docker container is immediately closed. My guess is that this is due to safeguards in the port forwarding session, which will allow connections to the forwarded port only from localhost. However, when I am accessing the port from my host machine, it will not show up as localhost and the connection is immediately terminated.

How can I configure the port forwarding session so that I can also create connections to this port that do not originate from localhost?

I have already had a look at the SSM document AWS-StartPortForwardingSessionToRemoteHost to see if I can modify this. However, I could not find documentation that would give me the possible values for properties.type, which I assume is the culprit for only accepting connections from localhost.


Full content of the AWS-StartPortForwardingSessionToRemoteHost SSM document:

{
  "schemaVersion": "1.0",
  "description": "Document to start port forwarding session over Session Manager to remote host",
  "sessionType": "Port",
  "parameters": {
    "portNumber": {
      "type": "String",
      "description": "(Optional) Port number of the server on the instance",
      "allowedPattern": "^([1-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$",
      "default": "80"
    },
    "localPortNumber": {
      "type": "String",
      "description": "(Optional) Port number on local machine to forward traffic to. An open port is chosen at run-time if not provided",
      "allowedPattern": "^([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$",
      "default": "0"
    },
    "host": {
      "type": "String",
      "description": "(Optional) Hostname or IP address of the destination server",
      "allowedPattern": "^[^,$^&\\(\\)!;'\"<>\\`{}\\[\\]\\|#=]{3,}$",
      "default": "localhost"
    }
  },
  "properties": {
    "portNumber": "{{ portNumber }}",
    "type": "LocalPortForwarding",
    "localPortNumber": "{{ localPortNumber }}",
    "host": "{{ host }}"
  }
}

Dockerfile:

FROM amazon/aws-cli

RUN curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm" -o "session-manager-plugin.rpm" && yum install -y ./session-manager-plugin.rpm && yum install -y telnet

Docker command:

docker run \
  --rm \
  -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN \
  -p 5432:5432 \
  -ti \
  awscli-ssm \
  ssm start-session \
    --target <my-ec2-instance-id> \
    --region <my-region> \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters '{"host":["<my-rds-host>.rds.amazonaws.com"],"portNumber":["5432"], "localPortNumber":["5432"]}'

When running telnet localhost 5432 in the Docker container, the connection remains open:

bash-4.2# telnet localhost 5432
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

When running telnet localhost 5432 from outside of the Docker container, the connection is closed immediately:

chris@chris-machine:~$ telnet localhost 5432
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

Answer 1

Score: 1


Not a fix, but at least a workaround: Create a local tunnel inside the Docker container, thereby making it look to AWS like the connection is coming from localhost.


Dockerfile:

FROM amazon/aws-cli

RUN curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm" -o "session-manager-plugin.rpm" && yum install -y ./session-manager-plugin.rpm
RUN yum install -y socat

Build it: docker build . -t awscli-ssm

Run it (note the different port supplied to -p):

docker run \
  --rm \
  -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN \
  -p 13000:13000 \
  -ti \
  --entrypoint "" \
  awscli-ssm \
  bash -c "socat tcp-listen:13000,reuseaddr,fork tcp:localhost:5432 & \
  aws ssm start-session \
    --target <my-ec2-instance-id> \
    --region <my-region> \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters '{\"host\":[\"<my-rds-host>.rds.amazonaws.com\"],\"portNumber\":[\"5432\"], \"localPortNumber\":[\"5432\"]}'"

Your connection is now available outside of the container on localhost:13000.
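Added example, not code from the question or the answer: a small Python relay that does what the answer's socat line does (listen on all interfaces, connect out via 127.0.0.1), next to a constructed loopback-only echo listener standing in for the behaviour the question suspects of the Session Manager plugin. The plugin's actual check is not documented on this page; the peer check, the echo server, the payload and the 172.17.0.1 address used as a non-loopback example are all assumptions made for illustration.

```python
import socket
import threading
from ipaddress import ip_address

def is_loopback_peer(peer):
    # Assumed policy (the question's guess): accept only peers on the loopback interface.
    return ip_address(peer[0]).is_loopback

def _pump(src, dst):
    try:  # copy one way until EOF, then half-close the write side of dst
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def start_listener(handler, host="127.0.0.1"):
    """Bind an ephemeral port, hand each accepted connection to handler in a thread, return the port."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen()
    def accept_loop():
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handler, args=(conn, peer), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def loopback_only_echo(conn, peer):
    """Constructed stand-in for the forwarded port: echo bytes, but close at once unless the peer is loopback."""
    with conn:
        if not is_loopback_peer(peer):
            return  # the symptom in the question: "Connection closed by foreign host."
        while chunk := conn.recv(4096):
            conn.sendall(chunk)

def start_relay(target_port, host="0.0.0.0"):
    """socat-style relay: listen on all interfaces, re-originate each connection from 127.0.0.1."""
    def relay(conn, _peer):
        with conn, socket.create_connection(("127.0.0.1", target_port)) as upstream:
            back = threading.Thread(target=_pump, args=(conn, upstream), daemon=True)
            back.start()
            _pump(upstream, conn)
            back.join()
    return start_listener(relay, host)

def roundtrip(port, payload=b"SELECT 1;\n"):
    # Send a constructed payload to 127.0.0.1:port and return whatever is echoed back.
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: c.recv(4096), b""))
```

roundtrip(start_relay(start_listener(loopback_only_echo))) returns the payload because the relay, like socat in the answer, opens its upstream connection from 127.0.0.1; a client arriving directly from a non-loopback address, which is what the question observes with the Docker port mapping, would be dropped by loopback_only_echo.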

huangapple
  • Posted on 2023-04-13 23:08:28
  • Please keep this link when reposting: https://go.coder-hub.com/76007040.html