scp data from server behind proxy / firewall / dmz



PS: I do not write often, because I am awfully lazy about doing it.

This morning I realized I have some data on an old host (behind a firewall) that is going to be wiped by the hosting provider if it is not backed up soon.

Blockers:

  1. old.host cannot talk to new.host, as it is behind the proxy server.
  2. proxy.host is owned by the old hosting provider.
  3. I need to make new.host talk to old.host via proxy.host.

Our imaginary server names:
old server: old.host
behind a proxy server: proxy.host
new host: new.host


Possible Solution: 

  +-----------------+       +----------------+         +--------------------+       +--------------+
  |                 |       | internet       |         |                    |       |     old.host |
  |                 |       |                |         |                    |       |              |
  |new.host         +       |                |         |                                           |
  |                 |2.     |                | data    |                   +----+----> 22          |
  |             4447<--+---------------------------------<----- 22<-+      || 3.    +--------------+
  |                 |       +----------------+         |    4.      |      ||
  |                 |                                  |            |data  ||
  |                 |  1.                              |            +------+|
  |             +------------------------------------------>4446            |
  |                 |                                  |                    |
  |                 |                                  |                    |
  +-----------------+                                  +--------------------+


So I requested that the old hosting provider let me connect to their proxy server for this purpose, and they were kind enough to give me a random port (4446) for the activity. Now I could do the following from the new host and connect fine to proxy.host, and from there to old.host:

new.host] ssh -p 4446 proxy.host
proxy.host] ssh  old.host
old.host]
To be able to copy the data I need to create an SSH tunnel that lets new.host talk to old.host via the proxy.host machine.

About SSH tunneling: it is a simple way to create a secure connection between two hosts where the communication stays encrypted. SSH tunneling is also referred to as port forwarding, because we make an SSH connection to a host we can reach and tell it to relay traffic between a local port we choose and the destination host and port we name.
In this situation there is another twist: the traffic between proxy.host and old.host goes over the default SSH port 22 (remember, proxy.host can talk to old.host on port 22 by default), while on new.host the data arrives on local port 4447, carried inside the SSH session to proxy.host on port 4446. Well, 4447 could be anything above 1024.... why not ports below 1024? That's food for thought for you, reader! For now I am happy with 4447.

On new.host, run the following command:
new.host] ssh -f -N -L 4447:old.host:22 proxy.host -p 4446
-f : sends ssh to the background once we have fed it the password (i.e. after authentication)
-N : do not run a remote command or shell, we only want the forwarding. Since no shell is started, a session like this does not show up in last or utmp, but that's a totally different thread; you may read this http://www.semicomplete.com/articles/ssh-security/ if you are thrilled, I am not :)
-L : {[bind_address:]port:host:hostport}, we are telling ssh to listen on port 4447 on new.host and forward whatever connects there, via proxy.host (reached on port 4446), to port 22 on old.host

Now we have a working connection. To test it, simply hit localhost on port 4447 from new.host:
new.host ] ssh localhost -p 4447
old.host ]
Wow, we are in old.host. Hit Ctrl+D or logout, and simply copy the data like below:
new.host] scp -rP 4447 localhost:/home/tools/ /opt/backup/
This will copy the tools directory from old.host:/home/ to new.host:/opt/backup.
Another scenario: if I need to copy the data from old.host to new.backup.host (imagine new.host and new.backup.host are part of the same subnet), well:
new.host] scp -rP 4447 localhost:/home/tools/ new.backup.host:/opt/backup/
Few notes:
  1. I am not being prompted for a password on connecting because I have my private/public key pair set up among all three hosts.
  2. I did not know how to scp data from a host behind a proxy to another remote server (or to the origin), and I did not find the solution on the first three Google search pages, so I am writing it.
  3. I would love to improve this if you throw in a comment or two.
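Putting the steps above into a small script, as an added example that is not the post's own commands: it composes the same -L forward with three tweaks worth having when the tunnel carries a backup (bind 4447 to 127.0.0.1 only, fail loudly if the port is taken, and verify old.host's key under its own name instead of under [localhost]:4447), and adds -3 for the new.backup.host case so the data is relayed through new.host. Hostnames and ports are the post's imaginary ones; the control-socket path and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Runs on new.host. Hostnames and ports are the post's imaginary ones; CTRL_SOCK
# and the function names are this example's own choices.
PROXY_HOST=proxy.host
PROXY_PORT=4446
LOCAL_PORT=4447
TARGET_HOST=old.host
TARGET_PORT=22
CTRL_SOCK="$HOME/.ssh/tunnel-$LOCAL_PORT.sock"

# Unprivileged ports only: binding below 1024 needs root, and a tunnel process has
# no business running as root.
port_ok() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Same forward as "ssh -f -N -L 4447:old.host:22 proxy.host -p 4446", plus:
#   127.0.0.1:            listen on loopback only, so other machines cannot use 4447
#   ExitOnForwardFailure: fail loudly instead of running with no forward at all
#   -M -S sock:           control socket, so the tunnel can be checked and closed
tunnel_cmd() {
  port_ok "$3" || { echo "local port must be 1024-65535, got: $3" >&2; return 1; }
  printf 'ssh -f -N -o ExitOnForwardFailure=yes -M -S %s -L 127.0.0.1:%s:%s:%s -p %s %s' \
    "$CTRL_SOCK" "$3" "$4" "$5" "$2" "$1"
}

# We connect to localhost:4447 but the host key we see is old.host's; HostKeyAlias
# stores and checks it under that name rather than under "[localhost]:4447".
# A remote destination (the new.backup.host case) gets -3, so the data is relayed
# through new.host; without it old.host would have to reach new.backup.host itself.
copy_cmd() {
  case "$2" in *:*) relay=' -3' ;; *) relay='' ;; esac
  printf 'scp -r%s -P %s -o HostKeyAlias=%s localhost:%s %s' \
    "$relay" "$LOCAL_PORT" "$TARGET_HOST" "$1" "$2"
}

run_backup() {
  cmd=$(tunnel_cmd "$PROXY_HOST" "$PROXY_PORT" "$LOCAL_PORT" "$TARGET_HOST" "$TARGET_PORT") || return 1
  eval "$cmd" || return 1
  ssh -S "$CTRL_SOCK" -O check "$PROXY_HOST" || return 1  # is the tunnel really up?
  eval "$(copy_cmd "$1" "$2")"; rc=$?
  ssh -S "$CTRL_SOCK" -O exit "$PROXY_HOST"                # tear the tunnel down
  return "$rc"
}

# Network steps only run when asked for explicitly:  sh tunnel_backup.sh run
if [ "${1:-}" = run ]; then run_backup /home/tools/ /opt/backup/; fi
```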
