External Proxy on GCE for Intranet Web Services by AUTOSSH

Frank Chung
DeepQ Research Engineering Blog
Apr 22, 2022

Sometimes we build a web service that listens on 80/443 inside the intranet for internal use. How do we expose it to the world? This article guides you through it step by step using Google Compute Engine (GCE).

Architecture

Preparation Steps

1. Create a VM on GCE (e.g., 37.42.10.18)

2. Prepare your local web server (e.g., 192.168.0.10)

3. Generate an SSH key on the local web server

root@192.168.0.10:/ ssh-keygen -C user
root@192.168.0.10:/ cat ~/.ssh/id_rsa.pub

4. Paste the public key into the VM

Open Compute Engine and edit the VM

5. Add a firewall rule to open port 1234

Open VPC Network -> Firewall

Assign the network tag to the VM

6. SSH to the VM, modify the sshd config, and forward port 443 to 1234, since the SSH tunnel cannot bind to 443 directly.

root@192.168.0.10:/ ssh user@37.42.10.18
user@37.42.10.18:/ sudo su
root@37.42.10.18:/ vim /etc/ssh/sshd_config
GatewayPorts yes
root@37.42.10.18:/ service sshd restart
root@37.42.10.18:/ socat TCP-LISTEN:443,fork,reuseaddr TCP:localhost:1234 &

7. On the local server, install and run autossh (keep in mind to run the autossh command as a non-root user)

root@192.168.0.10:/ apt install autossh
user@192.168.0.10:/ AUTOSSH_LOGFILE=~/autossh.log autossh -f -M 5678 -NR 1234:localhost:443 user@37.42.10.18

8. Now we can call the internal web server via the external proxy. Good job.

wget https://37.42.10.18/
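
A tighter sshd setup for the VM in step 6, shown next to the global setting used above. This is an added example, not the article's own configuration. It assumes a dedicated, hypothetical `tunnel` account that autossh in step 7 would connect as (separate from the interactive `user` login), and OpenSSH 7.8 or later for `PermitListen`.

```conf
# /etc/ssh/sshd_config on the VM (added example; "tunnel" is a hypothetical
# account used only for the autossh connection)

# Setting from step 6, applied globally: every account's -R forward binds to
# all interfaces of the VM, not just loopback.
#GatewayPorts yes

# Global default instead: remote forwards bind to loopback only.
GatewayPorts no

Match User tunnel
    # Key authentication only.
    PasswordAuthentication no
    AuthenticationMethods publickey

    # No shell, terminal, agent or X11 for this account.
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false

    # Forwarding limited to what step 7 needs:
    #   1234 is the web tunnel (-R 1234:localhost:443)
    #   5678 is the autossh monitor port (-M 5678), which autossh sets up
    #   as one -R and one -L forward through 127.0.0.1:5678
    AllowTcpForwarding yes
    GatewayPorts no
    PermitListen 1234 5678
    PermitOpen 127.0.0.1:5678
```

With the forward bound to loopback, the socat listener from step 6 still reaches it at localhost:1234, so port 1234 itself no longer has to be reachable from outside. Run `sshd -t` to check the file before restarting sshd.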
