4

I need to proxy SSH through NGINX through the same domain. I have one proxy set up on port 80, working fine. But I need port 22 to be proxied to the same server.

Original Configuration:

    upstream web {
        least_conn;
        server 10.0.0.4;
    }

    server {
        access_log /var/log/nginx/web.com combined;
        index index.html index.htm index.php;

        server_name www.web.com web.com;

        location / {
            proxy_pass http://web;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

I have a configuration for port 22 like this:

    stream {
        upstream ssh {
            server 10.0.0.17:22;
        }

        server {
            listen 22;
            server_name gitlab.web.com;
            proxy_pass ssh;
        }
    }

When I connect to the domain, it tries to connect to the nginx server, not 10.0.0.17.

1 Answer

1

For an SSH proxy through Nginx, use a port other than port 22 for the SSH server:

    # use a different port for SSH client if Nginx uses
    # port 22
    Port 8022

Or, if you want to stay on port 22 for the SSH server, you may need to configure your Nginx config to use another port:

    stream {
        upstream ssh {
            server 10.0.0.17:22;
        }

        server {
            listen 8022;
            server_name gitlab.web.com;
            proxy_pass ssh;
        }
    }

If you configure it that way, your GitLab CE/EE users might need to do this instead:

    # unless you blocked port 22, users who do Git-over-SSH need to configure
    # stuff on their clients instead of doing this.
    ssh git@gitlab.web.com -p 8022

  • And how do you access the VM (EC2 in AWS in my case) if you cannot connect through SSH? – AlexAcc Aug 11 '22 at 09:20
  • I mean, once you start Nginx, port 22 is blocked and impossible to connect to for SSH, so there is no access to the VM. – AlexAcc Aug 11 '22 at 13:42
  • Changing the port sshd listens on will do the trick. Have Nginx listen on port 22, and have sshd listen on port 222 for example. – Minecraftchest1 Nov 08 '23 at 12:30
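
A check for the symptom described in the question (the connection being answered by the Nginx host's own sshd instead of 10.0.0.17), added here as an example and not part of the original thread: it compares the SSH host keys presented through the proxied port with those of the backend. The function names are hypothetical, and it assumes OpenSSH's `ssh-keyscan` and a machine that can reach both addresses, such as the Nginx host.

```sh
#!/bin/sh
# Added example (not from the original thread): confirm that the proxied SSH
# port is answered by the backend sshd and not by the proxy host's own sshd.
# Function names are hypothetical; requires OpenSSH's ssh-keyscan.

# Reduce ssh-keyscan output on stdin to unique "keytype base64key" pairs,
# dropping the host column (which differs between proxy and backend).
host_keys() {
    awk '!/^#/ && NF >= 3 { print $2, $3 }' | sort -u
}

# same_backend SCAN_A SCAN_B: succeed if the two scan files share a host key.
same_backend() {
    keys_a=$(host_keys < "$1")
    [ -n "$keys_a" ] || return 1          # empty scan: nothing to compare
    host_keys < "$2" | grep -Fxq -e "$keys_a"
}

# check_proxy PROXY_HOST PROXY_PORT BACKEND_HOST BACKEND_PORT
check_proxy() {
    tmp=$(mktemp -d) || return 2
    ssh-keyscan -T 5 -p "$2" "$1" > "$tmp/proxy" 2>/dev/null
    ssh-keyscan -T 5 -p "$4" "$3" > "$tmp/backend" 2>/dev/null
    if same_backend "$tmp/proxy" "$tmp/backend"; then
        echo "OK: $1:$2 presents a host key of $3:$4"
        rc=0
    else
        echo "MISMATCH: $1:$2 is not answered by $3:$4 (or a scan returned no keys)"
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Example: sh check.sh gitlab.web.com 8022 10.0.0.17 22
if [ "$#" -eq 4 ]; then
    check_proxy "$@"
fi
```

A mismatch on the port Nginx is supposed to forward means a different sshd is accepting the connection, which is also the situation in which clients see a changed-host-key warning.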