External Proxy on GCE for Intranet Web Services by AUTOSSH
Apr 22, 2022
Sometimes we build a web service that listens on port 80/443 in the intranet for internal use. How can we expose it to the world? This article guides you through it step by step using Google Compute Engine (GCE).
Architecture
Preparation Steps
1. Create a VM on GCE (e.g., 37.42.10.18)
2. Prepare your local web server (e.g., 192.168.0.10)
3. Generate an SSH key on the local web server
root@192.168.0.10:/ ssh-keygen -C user
root@192.168.0.10:/ cat ~/.ssh/id_rsa.pub
4. Paste the public key into the VM
Open Compute Engine and edit the VM
5. Add a firewall rule to open port 1234
Open VPC Network -> Firewall
Assign the network tag to the VM
6. SSH to the VM and modify the sshd config, then forward port 443 to 1234, since the SSH tunnel cannot bind to 443 directly.
root@192.168.0.10:/ ssh user@37.42.10.18
user@37.42.10.18:/ sudo su
root@37.42.10.18:/ vim /etc/ssh/sshd_config
GatewayPorts yes
root@37.42.10.18:/ service sshd restart
root@37.42.10.18:/ socat TCP-LISTEN:443,fork,reuseaddr TCP:localhost:1234 &
7. On the local server, install and run autossh (remember to run the command as a non-root user)
root@192.168.0.10:/ apt install autossh
user@192.168.0.10:/ AUTOSSH_LOGFILE=~/autossh.log autossh -f -M 5678 -NR 1234:localhost:443 user@37.42.10.18
8. Now we can reach the internal web server through the external proxy. Good job.
wget https://37.42.10.18/
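To confirm on the VM what steps 5 to 7 actually expose, the following is an added example, not part of the original article: it reads the effective global GatewayPorts value and classifies how the tunnel port is bound. The function names are hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the original article; function names are hypothetical.

# gatewayports_value [FILE]: print the global GatewayPorts value from
# sshd_config-style text (FILE or stdin). sshd keeps the first value it reads
# for a keyword, and lines after the first "Match" are conditional, so parsing
# stops there. Prints "no" (sshd's default) when the keyword is absent.
gatewayports_value() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }              # blank lines and comments
        { key = tolower($1) }
        key == "match" { exit }
        key == "gatewayports" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }
    ' "$@"
}

# bind_scope PORT: read `ss -ltnH` output on stdin and print how PORT is bound:
# "public" (wildcard or non-loopback address), "loopback", or "closed".
bind_scope() {
    awk -v port="$1" '
        {
            addr = $4                              # Local Address:Port column
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            sub(/:[0-9]+$/, "", addr)              # strip the port suffix
            if (addr ~ /^127\./ || addr == "[::1]") {
                if (scope == "") scope = "loopback"
            } else scope = "public"
        }
        END { print (scope == "" ? "closed" : scope) }
    '
}

# Constructed sample input (not captured from a real host).
SAMPLE_CONF='# excerpt
GatewayPorts yes
GatewayPorts no'
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:1234 0.0.0.0:*
LISTEN 0 5 0.0.0.0:443 0.0.0.0:*'

printf '%s\n' "$SAMPLE_CONF" | gatewayports_value   # the first value applies
printf '%s\n' "$SAMPLE_SS" | bind_scope 1234
```

On the VM, run `gatewayports_value /etc/ssh/sshd_config` and `ss -ltnH | bind_scope 1234`; a `public` result means port 1234 is bound on all interfaces, so outside reachability then depends only on the firewall rule from step 5. The socat relay in step 6 connects to localhost:1234, so it also works when the tunnel port is bound to loopback only.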