Merge pull request #14 from Dstack-TEE/ssh-over-tproxy

amiller · web-flow · commit 4e2326b2c081 · 2025-02-14T23:59:59.000-06:00
Add example ssh-over-tproxy
diff --git a/ssh-over-tproxy/README.md b/ssh-over-tproxy/README.md
@@ -0,0 +1,30 @@
+# SSH Over TPROXY Example
+
+This guide illustrates how to set up an SSH server within a tapp and access it using a public tproxy endpoint.
+
+## Installation Steps
+
+1. **Deploy the Docker Compose File**  
+   Start by deploying the provided `docker-compose.yaml` on Dstack or Phala Cloud. Adjust the workload section as needed, and remember to set the root password using the `ROOT_PW` environment variable.
+
+2. **Install `httpsconnect`**  
+   Ensure that the `httpsconnect` executable is in your system's `PATH`. For instance, you can run:
+   ```
+   chmod +x httpsconnect && sudo cp httpsconnect /usr/local/bin/
+   ```
+
+3. **Configure Your SSH Client**  
+   Add the following configuration block to your `~/.ssh/config` file:
+   ```
+   Host my-tapp
+       HostName localhost
+       Port 1022
+       ProxyCommand httpsconnect --proxy <app-id>-8080.<tproxy-serv-domain> -u user -p pass %h %p
+   ```
+   Be sure to replace `<app-id>` with your tapp's application ID and `<tproxy-serv-domain>` with your tproxy server's domain.
+
+4. **Connect via SSH command**  
+   Finally, initiate the connection by running:
+   ```
+   ssh root@my-tapp
+   ```
diff --git a/ssh-over-tproxy/docker-compose.yaml b/ssh-over-tproxy/docker-compose.yaml
@@ -0,0 +1,36 @@
+services:
+  ssh-server:
+    build:
+      context: .
+      dockerfile_inline: |
+        FROM ubuntu:latest
+        RUN apt-get update && apt-get install -y openssh-server sudo
+        RUN mkdir /run/sshd
+        RUN echo 'root:${ROOT_PW}' | chpasswd
+        RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
+        RUN sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/' /etc/ssh/sshd_config
+        RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
+        RUN sed -i 's/#Port 22/Port 1022/' /etc/ssh/sshd_config
+        EXPOSE 1022
+        CMD ["/usr/sbin/sshd", "-D"]
+    restart: unless-stopped
+    privileged: true
+    network_mode: host
+    volumes:
+      - /:/host/
+      - /var/run/tappd.sock:/var/run/tappd.sock
+      - /var/run/docker.sock:/var/run/docker.sock
+  https-proxy:
+    build:
+      context: .
+      dockerfile_inline: |
+        FROM alpine:latest
+        RUN apk add --no-cache wget unzip
+        RUN wget https://github.com/jthomperoo/simple-proxy/releases/download/v1.3.0/simple-proxy_linux_amd64.zip
+        RUN unzip -d simple-proxy simple-proxy_linux_amd64.zip
+        RUN cp simple-proxy/simple-proxy /usr/bin/simple-proxy
+        RUN rm -r simple-proxy/ simple-proxy_linux_amd64.zip
+        CMD ["simple-proxy", "-port", "8080", "-basic-auth", "user:pass"]
+    network_mode: host
+  workload:
+    image: nginx
diff --git a/ssh-over-tproxy/httpsconnect b/ssh-over-tproxy/httpsconnect
@@ -0,0 +1,105 @@
+#!/usr/bin/env python3
+
+import sys
+import socket
+import ssl
+import argparse
+import base64
+import select
+
+def create_proxy_tunnel(proxy_host, proxy_port, target_host, target_port, proxy_username=None, proxy_password=None, verify_ssl=True):
+    # Create SSL context
+    ssl_context = ssl.create_default_context()
+    if not verify_ssl:
+        ssl_context.check_hostname = False
+        ssl_context.verify_mode = ssl.CERT_NONE
+
+    # Create initial socket
+    sock = socket.create_connection((proxy_host, proxy_port))
+
+    # Wrap socket with SSL
+    ssl_sock = ssl_context.wrap_socket(sock, server_hostname=proxy_host)
+
+    # Prepare proxy authorization if credentials are provided
+    auth_header = ""
+    if proxy_username and proxy_password:
+        auth = f"{proxy_username}:{proxy_password}"
+        auth_bytes = base64.b64encode(auth.encode()).decode()
+        auth_header = f"Proxy-Authorization: Basic {auth_bytes}\r\n"
+
+    # Send CONNECT request
+    connect_request = (
+        f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
+        f"Host: {target_host}:{target_port}\r\n"
+        f"{auth_header}"
+        "Proxy-Connection: Keep-Alive\r\n"
+        "\r\n"
+    )
+
+    ssl_sock.send(connect_request.encode())
+
+    # Read response
+    response = ""
+    while "\r\n\r\n" not in response:
+        response += ssl_sock.recv(1).decode()
+
+    # Check if connection was successful
+    status_line = response.split("\r\n")[0]
+    if not status_line.startswith("HTTP/1.1 200"):
+        raise Exception(f"Proxy connection failed: {status_line}")
+
+    return ssl_sock
+
+def main():
+    parser = argparse.ArgumentParser(description='SSH ProxyCommand for HTTPS proxy')
+    parser.add_argument('--proxy', required=True, help='Proxy address (host:port)')
+    parser.add_argument('-u', '--username', help='Proxy username')
+    parser.add_argument('-p', '--password', help='Proxy password')
+    parser.add_argument('--no-verify-ssl', action='store_true', help='Disable SSL verification')
+    parser.add_argument('target_host', help='Target SSH host')
+    parser.add_argument('target_port', type=int, help='Target SSH port')
+
+    args = parser.parse_args()
+
+    # Parse proxy address
+    proxy_host, proxy_port = args.proxy.split(':')
+    proxy_port = int(proxy_port)
+
+    try:
+        # Create tunnel
+        tunnel_socket = create_proxy_tunnel(
+            proxy_host,
+            proxy_port,
+            args.target_host,
+            args.target_port,
+            args.username,
+            args.password,
+            not args.no_verify_ssl
+        )
+
+        # Forward data between stdin/stdout and the tunnel
+        while True:
+            r, w, e = select.select([sys.stdin, tunnel_socket], [], [])
+
+            if tunnel_socket in r:
+                data = tunnel_socket.recv(4096)
+                if not data:
+                    break
+                sys.stdout.buffer.write(data)
+                sys.stdout.buffer.flush()
+
+            if sys.stdin in r:
+                data = sys.stdin.buffer.read1(4096)
+                if not data:
+                    break
+                tunnel_socket.sendall(data)
+
+    except Exception as e:
+        sys.stderr.write(f"Error: {str(e)}\n")
+        sys.exit(1)
+    finally:
+        if 'tunnel_socket' in locals():
+            tunnel_socket.close()
+
+if __name__ == "__main__":
+    main()
