How can I make ports forwarded via AWS SSM available to connections not originating from localhost?
Question
I am using AWS CLI in a Docker container to open a port forwarding session to a remote host via AWS SSM on an EC2 instance. So that I can access the port from outside of the Docker container, I am mapping it in Docker so that it is available on my own host.
The issue now is that any connection to this port from outside of the Docker container is immediately closed. My guess is that this is due to safeguards in the port forwarding session, which will allow connections to the forwarded port only from localhost. However, when I am accessing the port from my host machine, it will not show up as localhost and the connection is immediately terminated.
How can I configure the port forwarding session so that I can also create connections to this port that do not originate from localhost?
I have already had a look at the SSM document AWS-StartPortForwardingSessionToRemoteHost to see if I can modify this. However, I could not find documentation that would give me the possible values for properties.type, which I assume is the culprit for only accepting connections from localhost.
Full content of the AWS-StartPortForwardingSessionToRemoteHost SSM document:
{
  "schemaVersion": "1.0",
  "description": "Document to start port forwarding session over Session Manager to remote host",
  "sessionType": "Port",
  "parameters": {
    "portNumber": {
      "type": "String",
      "description": "(Optional) Port number of the server on the instance",
      "allowedPattern": "^([1-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$",
      "default": "80"
    },
    "localPortNumber": {
      "type": "String",
      "description": "(Optional) Port number on local machine to forward traffic to. An open port is chosen at run-time if not provided",
      "allowedPattern": "^([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$",
      "default": "0"
    },
    "host": {
      "type": "String",
      "description": "(Optional) Hostname or IP address of the destination server",
      "allowedPattern": "^[^,$^&\\(\\)!;'\"<>\\`{}\\[\\]\\|#=]{3,}$",
      "default": "localhost"
    }
  },
  "properties": {
    "portNumber": "{{ portNumber }}",
    "type": "LocalPortForwarding",
    "localPortNumber": "{{ localPortNumber }}",
    "host": "{{ host }}"
  }
}
Dockerfile:
FROM amazon/aws-cli
RUN curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm" -o "session-manager-plugin.rpm" && yum install -y ./session-manager-plugin.rpm && yum install -y telnet
Docker command:
docker run \
--rm \
-e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN \
-p 5432:5432 \
-ti \
awscli-ssm \
ssm start-session \
--target <my-ec2-instance-id> \
--region <my-region> \
--document-name AWS-StartPortForwardingSessionToRemoteHost \
--parameters '{"host":["<my-rds-host>.rds.amazonaws.com"],"portNumber":["5432"], "localPortNumber":["5432"]}'
When running telnet localhost 5432 in the Docker container, the connection remains open:
bash-4.2# telnet localhost 5432
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
When running telnet localhost 5432 from outside of the Docker container, the connection is closed immediately:
chris@chris-machine:~$ telnet localhost 5432
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
Answer 1
Score: 1
Not a fix, but at least a workaround: Create a local tunnel inside the Docker container, thereby making it look to AWS like the connection is coming from localhost.
Dockerfile:
FROM amazon/aws-cli
RUN curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm" -o "session-manager-plugin.rpm" && yum install -y ./session-manager-plugin.rpm
RUN yum install -y socat
Build it: docker build . -t awscli-ssm
Run it (note the different port supplied to -p):
docker run \
--rm \
-e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN \
-p 13000:13000 \
-ti \
--entrypoint "" \
awscli-ssm \
bash -c "socat tcp-listen:13000,reuseaddr,fork tcp:localhost:5432 & \
aws ssm start-session \
--target <my-ec2-instance-id> \
--region <my-region> \
--document-name AWS-StartPortForwardingSessionToRemoteHost \
--parameters '{\"host\":[\"<my-rds-host>.rds.amazonaws.com\"],\"portNumber\":[\"5432\"], \"localPortNumber\":[\"5432\"]}'"
Your connection is now available outside of the container on localhost:13000.