Good day. The task is as follows: there is a server with a public ("white") IP running an SSH server, called, for example, server.net, and a single port is open on it, for example 10030. How can I make it possible to forward reverse tunnels from several clients to this single port? There is no problem with one client, "ssh -f -N -R 10030:localhost:80 user@server.net", but if there are two clients, ssh reports that the port is busy and does not allow the tunnel to be opened. The question is how to get around this limitation; are there any ways to do so?

  • 3
    And what effect do you want to achieve? You forward the server port to the client. I.e., after this operation, when someone connects to port 10030 of the server, their traffic is passed through the tunnel to the client on port 80. Suppose that you managed to do what you are trying to do and the second client connected its tunnel. Then, when a connection comes in to server port 10030, to which of the 2 clients should it pass this connection? - Mike
  • On the contrary, I am forwarding port 80 of the client to port 10030 of the server. When someone enters the server on port 10030, he receives traffic from port 80 of the client, that is, he connects to the local server deployed on the client. The task of separating traffic from several clients has not been solved yet; I am going step by step. In short, the goal is the following: there are clients (servers are running on them), and there is one server that must provide remote access to the clients' servers. The problem is that the servers on the clients are local, that is, in most cases they do not have public ("white") IPs and are hidden behind a router. - Artem Nov.
  • 1
    Well, as for what is being forwarded where, I think we just disagree on terminology :) Something else is important: you say "When someone enters the server on port 10030, he receives traffic from port 80 of the client." And then the question arises: from port 80 of which client should he receive traffic, and how does the ssh listening on 10030 know to whom to send the traffic? In fact, ssh is just a dumb tunnel: it cannot tell from the contents of the traffic where to send it, and it requires a separate port for each client to know this... How does the end user connecting to 10030 specify which client he needs? - Mike
  • I do not claim this is the best solution; if there are other ways, I am ready to listen :) The idea is to redirect the traffic of each client to subdomains and send the end user to the subdomain - Artyom
  • Here, great. So this is ordinary HTTP, and for the different machines (clients) users go by domain name, typing subdomain.name:10030 in the browser? (Well, as you intended.) - Mike

1 answer

If, as it turned out in the discussion, you need to "split" HTTP traffic "in different directions", then it is more logical to use an HTTP proxy server (for example, nginx),

which, depending on the Host: HTTP header, will redirect the client's HTTP request to the computer you specify.

Clients with their HTTP servers can forward tunnels to unique local ports on the server, and nginx will proxy connections to these local ports.

An illustrative example of an nginx configuration for the domain domain.name and the local port 2001:

    server {
        server_name domain.name;
        location / {
            proxy_pass http://127.0.0.1:2001;
            ...
        }
    }

  • I'm afraid the problem is a bit more complicated there: their servers do not have their own real IPs, and they are then gathered on the proxy server. But your link is useful because, for example, I did not know the nginx settings, and he would need them anyway. Although something was said about subdomains, so proxying by domain names may be needed - Mike
  • Clients can forward tunnels to unique local ports on the server, and nginx will proxy connections to these local ports. "You may need proxying by domain names": an HTTP proxy usually distinguishes connections by DNS name, and the corresponding section of the configuration "fires". - aleksandr barakin
  • Yes, that is what I meant by "a little harder." It's just that in that article there is a redirect to the location; does it also imply the domain name? If yes, then no problem, as long as it does not now turn out that, under some monstrous task conditions, they cannot use more than 1 port. I would just understand this scheme if they used port 80, so that users wouldn't even have to specify a port... - Mike
  • It was just the first link on the site where the proxy_pass directive is mentioned, for illustration only. Of course, the configuration in this case will be different, which is better asked as a separate question. - aleksandr barakin
  • I already looked in the direction of nginx; before asking a question here, I dug through a lot of information and did not find a solution to my problem. As I wrote earlier, only one port is available, not counting the standard ones. If I could use a set of different ports, there would be no problem. On the clients, the port would be forwarded, and the server would simply direct to this unique port and that's it. - Artem
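
The scheme from the answer, written out for two clients as an added example that is not part of the original thread: nginx is the only listener on the externally open port 10030, and each client's reverse tunnel binds a port on the server's loopback interface, which needs no firewall opening. The subdomain names, the second port 2002, the forwarded headers and the authorized_keys restrictions shown in comments are assumptions made for illustration.

```nginx
# Constructed example; goes inside the http { } context of nginx.conf.
#
# Each client opens its reverse tunnel to a loopback-only port on the server:
#   client A: ssh -f -N -R 127.0.0.1:2001:localhost:80 user@server.net
#   client B: ssh -f -N -R 127.0.0.1:2002:localhost:80 user@server.net
#
# Optional hardening in ~user/.ssh/authorized_keys on the server, so that a
# client key can only bind its own port (key material is a placeholder):
#   restrict,port-forwarding,permitlisten="127.0.0.1:2001" <client-a-public-key>
#   restrict,port-forwarding,permitlisten="127.0.0.1:2002" <client-b-public-key>

# Requests whose Host header matches no known client are closed without a reply,
# so an unknown name never falls through to some client's web server.
server {
    listen 10030 default_server;
    server_name _;
    return 444;
}

# http://client-a.server.net:10030/ -> tunnel on 127.0.0.1:2001 -> client A port 80
server {
    listen 10030;
    server_name client-a.server.net;

    location / {
        proxy_pass http://127.0.0.1:2001;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# http://client-b.server.net:10030/ -> tunnel on 127.0.0.1:2002 -> client B port 80
server {
    listen 10030;
    server_name client-b.server.net;

    location / {
        proxy_pass http://127.0.0.1:2002;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

With sshd's default GatewayPorts no, remote forwards bind to loopback even without the explicit 127.0.0.1 prefix; when a client's tunnel is down, nginx answers requests for its subdomain with 502.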