From 383f8961bcba3692ba5554389283e5f7a976b4a1 Mon Sep 17 00:00:00 2001 From: Antonio Mika Date: Sat, 13 Feb 2021 15:55:29 -0500 Subject: [PATCH 1/2] Updated repository references and add gcloud tutorial --- .github/workflows/docker.yml | 6 +- README.md | 3 +- deploy/gcloud.md | 136 +++++++++++++++++++++++++++++++++++ 3 files changed, 140 insertions(+), 5 deletions(-) create mode 100644 deploy/gcloud.md diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 97d90dd..67a0cfa 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -5,10 +5,10 @@ on: tags: - v* branches: - - master + - main pull_request: branches: - - master + - main jobs: build: @@ -48,7 +48,7 @@ jobs: fi DATE="$(date -u +%Y-%m-%dT%H:%M:%SZ)" - REF="${BRANCH_NAME:-master}" + REF="${BRANCH_NAME:-main}" OTHER_ARGS="" OTHER_PUSH_ARGS="" diff --git a/README.md b/README.md index c236338..962f697 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ An open source serveo/ngrok alternative. ## Deploy Builds are made automatically for each commit to the repo and are pushed to Dockerhub. Builds are -tagged using a commit sha, branch name, tag, latest if released on master. +tagged using a commit sha, branch name, tag, latest if released on main. You can find a list [here](https://hub.docker.com/r/antoniomika/sish/tags). Each release builds separate `sish` binaries that can be downloaded from [here](https://github.com/antoniomika/sish/releases) for various OS/archs. @@ -224,7 +224,6 @@ need to set `--geodb` to `true`. To use sish, you need to add a wildcard DNS record that is used for multiplexed subdomains. Adding an `A` record with `*` as the subdomain to the IP address of your server is the simplest way to achieve this configuration. - ## Demo - At this time, the demo instance has been set to require auth due to abuse There is a demo service (and my private instance) currently running on `ssi.sh` that 
diff --git a/deploy/gcloud.md b/deploy/gcloud.md new file mode 100644 index 0000000..192d0b0 --- /dev/null +++ b/deploy/gcloud.md 
@@ -0,0 +1,136 @@ +# sish installation + +sish is an open source serveo/ngrok alternative that can be used to open a tunnel +to localhost that is accessible to the open internet using only SSH. sish implements +an SSH server that can handle multiplexing of HTTP(S), TCP, and TCP Aliasing +([more about this can be found in the README](https://github.com/antoniomika/sish/blob/main/README.md)) + +This tutorial will teach you how to: + +* Setup an instance in Google Cloud using the [free tier](https://cloud.google.com/free) +* Change the default SSH port +* Add and modify authentication for users +* Access sish from a remote computer + +## Project selection + +You first need to select a project to host the resources created in this tutorial. +I'd suggest creating a new project at this time where your sish instance will live. + + +## Access Google Cloud Shell + + + +## Create the instance running the container + +Here is a command to create the instance running the sish container. This will start the container +on a hardened [Container Optimized OS](https://cloud.google.com/container-optimized-os/docs) and start +the service. This is just a starting command that runs sish on port `2222`, `80`, and `443`. If you +accept the [Let's Encrypt TOS](https://letsencrypt.org/repository/), you can enable automatic SSL cert loading. +This command does *NOT* include authentication and it is up to you to properly tune these parameters based on +the documentation [here](https://github.com/antoniomika/sish#cli-flags). Make sure to update `YOURDOMAIN` +to the actual domain you own. You will also need to setup the DNS records as described below. Also feel free +to change the `--zone` used for these commands. 
+ +```bash +gcloud compute instances create-with-container sish \ + --zone="us-central1-a" \ + --tags="sish" \ + --container-mount-host-path="host-path=/mnt/stateful_partition/sish/ssl,mount-path=/ssl" \ + --container-mount-host-path="host-path=/mnt/stateful_partition/sish/keys,mount-path=/keys" \ + --container-mount-host-path="host-path=/mnt/stateful_partition/sish/pubkeys,mount-path=/pubkeys" \ + --container-image="antoniomika/sish:latest" \ + --machine-type="f1-micro" \ + --container-arg="--domain=YOURDOMAIN" \ + --container-arg="--ssh-address=:2222" \ + --container-arg="--http-address=:80" \ + --container-arg="--https-address=:443" \ + --container-arg="--https=true" \ + --container-arg="--https-certificate-directory=/ssl" \ + --container-arg="--authentication-keys-directory=/pubkeys" \ + --container-arg="--private-key-location=/keys/ssh_key" \ + --container-arg="--bind-random-ports=false" \ + --container-arg="--bind-random-subdomains=false" \ + --container-arg="--bind-random-aliases=false" \ + --container-arg="--tcp-aliases=true" \ + --container-arg="--service-console=true" \ + --container-arg="--log-to-client=true" \ + --container-arg="--admin-console=true" \ + --container-arg="--verify-ssl=false" \ + --container-arg="--https-ondemand-certificate=false" \ + --container-arg="--https-ondemand-certificate-accept-terms=false" \ + --container-arg="--https-ondemand-certificate-email=certs@YOURDOMAIN" \ + --container-arg="--idle-connection=false" \ + --container-arg="--ping-client-timeout=2m" +``` + +## Network Setup + +### Open the firewall to allow access to all instance ports + +```bash +gcloud compute firewall-rules create allow-all-tcp-sish \ + --action="allow" \ + --direction="ingress" \ + --rules="tcp" \ + --source-ranges="0.0.0.0/0" \ + --priority="1000" \ + --target-tags="sish" +``` + +### Adding a DNS record + +Get the external IP address of your machine and create two DNS records + +* An `A` record for YOURDOMAIN pointing it to the output below +* An `A` 
record for *.YOURDOMAIN pointing it to the output below + +```bash +gcloud compute instances describe sish \ + --zone="us-central1-a" \ + --format='get(networkInterfaces[0].accessConfigs[0].natIP)' +``` + +## Using sish + +### Try using SSH to connect to the sish service + +```bash +ssh -p 2222 -R foo:80:httpbin.org:80 YOURDOMAIN +``` + +### Access the address sish gave you + +```bash +curl -vvv http://foo.YOURDOMAIN/anything +``` + +## Advanced usage + +### Login into your new machine + +```bash +gcloud compute ssh sish --zone="us-central1-a" +``` + +### Adding SSH keys for when you enable auth + +```bash +echo "ssh_public_key_here" >> /mnt/stateful_partition/sish/pubkeys/your_user.keys +``` + +## Tear it down + +### First the instance + +```bash +gcloud compute instances delete sish \ + --zone="us-central1-a" +``` + +### Then the firewall rule + +```bash +gcloud compute firewall-rules delete allow-all-tcp-sish +``` From 216d0ae534280891a849059b6668084ffcda273c Mon Sep 17 00:00:00 2001 From: Antonio Mika Date: Sat, 13 Feb 2021 16:19:58 -0500 Subject: [PATCH 2/2] Add deploy button --- README.md | 8 ++++++++ deploy/gcloud.md | 1 - 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 962f697..953d42f 100644 --- a/README.md +++ b/README.md 
@@ -62,6 +62,14 @@ the letsencrypt files in /etc/letsencrypt, _not_ ./letsencrypt. I use these files in my deployment of `ssi.sh` and have included them here for consistency. +## Google Cloud Platform + +There is a tutorial for creating an instance in Google Cloud Platform +with sish fully setup that can be found [here](https://github.com/antoniomika/sish/blob/main/deploy/gcloud.md). +It can be accessed through [Google Cloud Shell](https://cloud.google.com/shell). + +[![Open in Cloud Shell](https://gstatic.com/cloudssh/images/open-btn.svg)](https://ssh.cloud.google.com/cloudshell/editor?shellonly=true&cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fantoniomika%2Fsish&cloudshell_git_branch=main&cloudshell_tutorial=deploy%2Fgcloud.md) + ## How it works SSH can normally forward local and remote ports. This service implements diff --git a/deploy/gcloud.md b/deploy/gcloud.md index 192d0b0..b12d6eb 100644 --- a/deploy/gcloud.md +++ b/deploy/gcloud.md @@ -8,7 +8,6 @@ an SSH server that can handle multiplexing of HTTP(S), TCP, and TCP Aliasing This tutorial will teach you how to: * Setup an instance in Google Cloud using the [free tier](https://cloud.google.com/free) -* Change the default SSH port * Add and modify authentication for users * Access sish from a remote computer
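Review bot: In the new deploy/gcloud.md (patch 1/2), the "Open the firewall" step creates `allow-all-tcp-sish` with `--rules="tcp"` and `--source-ranges="0.0.0.0/0"`, which exposes every TCP port on instances tagged `sish` to the whole internet. The instance command above it is described as not including authentication, yet it sets `--admin-console=true` and `--service-console=true`. Suggest limiting the rule to the ports the tutorial actually binds, for example `--rules="tcp:2222,tcp:80,tcp:443"`, plus an explicit range if TCP forwards need one, or stating in the text why all TCP must be open. The "Adding SSH keys" step should also move ahead of the firewall step, with authentication enabled in the starting command, so the instance is never reachable without it. Separately, `--container-image="antoniomika/sish:latest"` is unpinned; a version tag would keep the tutorial reproducible.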
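Review bot: In the README.md hunk of patch 2/2, the new "Google Cloud Platform" section says the tutorial creates an instance "with sish fully setup", which overstates what deploy/gcloud.md delivers. That file says its starting command does not include authentication and leaves the tuning to the reader. Suggest rewording to say the tutorial creates a starting instance and that authentication has to be configured before it is used for anything real. The Cloud Shell button also carries `cloudshell_git_branch=main`, so the commands a reader is walked through change with every push to that branch; worth a sentence saying so, or consider whether the button should point at a fixed ref.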
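Review bot: In the deploy/gcloud.md hunk of patch 2/2, dropping "Change the default SSH port" brings the list closer to the body, but the remaining bullet "Add and modify authentication for users" still promises more than the tutorial covers. The only related step is "Adding SSH keys for when you enable auth", a single `echo ... >> /mnt/stateful_partition/sish/pubkeys/your_user.keys`, and nothing shows how authentication is turned on or how a key is changed or removed. Suggest either expanding that section to cover enabling authentication and editing keys, or narrowing the bullet to what is actually shown.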