Use an ssh reverse connection to access an intranet host (example uses an autossh tunnel to achieve MySQL synchronization)

1. Preliminary knowledge

What is autossh?

Suppose there are two hosts: host A is on the external network and host B is on the internal network. Generally speaking, the external host A cannot connect directly to the internal host B. If host A wants to control host B through ssh, there are usually two methods:


1. Port mapping:

Map the ssh port of host B to the external network IP of B's network; of course, this has to be done by configuring the firewall (port forwarding on the gateway).


2. Reverse connection of ssh:

Host B connects to host A through ssh and opens a listening port on host A. Now, when host A connects to that port on itself, it reaches host B and can control it.

ssh -NfR 1111:localhost:2222 user1@external network host A -p 22

 

2222 is the listening port on host B, and 1111 is the local port opened on host A. Connections to port 1111 of host A are now forwarded to port 2222 of host B, so port 2222 of host B is effectively mapped to port 1111 of host A. This is also called remote port forwarding.


This reverse connection is useful, but it is unstable and disconnects frequently. Every time it disconnects, the above command has to be run again. If you want the command to be re-executed automatically after a disconnect, you need autossh.

 

Why use ssh to complete the master-slave synchronization of MySQL?
In the situation described above, an intranet host needs to do master-slave synchronization with an extranet host, and the tunnel is what makes the two reachable.

 

2. Implementation steps

 

2.1 Generate keys

Log in to intranet host B and run the following command to generate the ssh key pair, pressing Enter at each prompt to accept the defaults:

ssh-keygen -t rsa

 

2.2 Upload key

Upload the .pub file generated on intranet host B to host A:

ssh-copy-id -i .ssh/id_rsa.pub user@external network host A

 

Or scp the id_rsa.pub file to host A and run there:

cat id_rsa.pub >> ~/.ssh/authorized_keys

 

2.3 Enable public key authentication

Edit /etc/ssh/sshd_config on host A and uncomment the following three lines (RSAAuthentication only applies to the obsolete SSH protocol 1 and is absent from current OpenSSH releases; PubkeyAuthentication is the setting that matters):

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

 

2.4 Test login

Now host B can ssh to host A on the external network and log in with the key, without entering a password.

 

2.5 Install the software

The autossh mentioned above is used here. Intranet host B needs autossh installed; host A does not.

wget http://www.harding.motd.ca/autossh/autossh-1.4c.tgz
tar -xf autossh-1.4c.tgz
cd autossh-1.4c
./configure
make install

 

2.6 Port Mapping

Use autossh on intranet host B to map local port 13306 to port 3306 of external host A (the -M argument is autossh's monitoring port, which it uses to detect a dead connection and restart ssh):

autossh -M 20522 -f -N -L 13306:localhost:3306 user@external network host A

 

2.7 mysql synchronization

Now local port 13306 on host B can be used to reach the MySQL server on host A for synchronization.

For how to configure master-slave replication on the MySQL server, refer to:

http://www.52os.net/mysql-server-replication-config.html

 

Reference documentation

http://www.cnblogs.com/eshizhan/archive/2012/07/16/2592902.html

 

The use of SSH reverse connection

1. What is a reverse connection?
Reverse connection means that host A (controlled end) actively connects to host B (controlling end), and establishes a remote connection between host A and host B. Through this connection, host B can actively send some requests to host A.

 

2. Why does host A need to actively connect to host B?
This is because host A is in the local area network. If no port mapping is performed on host A, host A is invisible to host B. If host B sends a connection request to host A, the request is unreachable. And host B has its own independent IP, which is visible to host A and can directly request a connection from host B.

 

3. The process of SSH reverse connection
The method is that host A actively connects to host B, host B responds to host A's connection request, and a remote connection is established between them. Host B then creates another connection locally and redirects it into the remote connection just established between host A and host B, so operations on this local connection are fed back to the remote connection. The whole process is similar to dup() on a file descriptor: it establishes a connection channel between host A and host B. From then on, host A is visible to host B.


The connection process is as follows:
3.1. The ssh client of host A sends a request to the sshd server of host B to establish a remote connection.
3.2. The host B sshd server creates a mapping between local connections and remote connections (reverse connection channel).
3.3. The host B ssh client sends a request to the connection channel of the host B sshd server to establish a connection between the host B ssh and the host A sshd.
After the connection is complete, the form in which host A is visible to host B is the local connection that exists on host B.

 

4. Why do you need to map a local connection to a remote connection on host B?
The reverse connection is still a client-server (CS) architecture, but the controlled end actively requests the connection from the controlling end in order to establish the link between them. The traditional CS method can solve the connection problem between host A and host B, but the way the two are connected is not flexible: what can be done between them is limited to what the protocol stipulates. Once the connection mapping for host A is established on host B, host A is no longer an invisible host inside the LAN for host B; it is a host visible to host B, which removes the obstacle between the LAN and host B's WAN. The remote connection established between host A and host B is the channel between them, the "network cable".

 

5. Use of SSH reverse connection

A problem encountered in the process of use is that when a request is initiated on host A, a password needs to be entered. If I'm at home, it's impossible to run to the office to enter the password. So I used the ssh public key method and wrote a script to solve it. The script is as follows:

#!/bin/bash
while true; do
    # Look for the running tunnel process; the second grep drops the grep itself
    RET=$(ps ax | grep "ssh -f -N -R 10000:localhost:22" | grep -v "grep")
    if [ "$RET" = "" ]; then
        echo "restart ssh server"
        # 公网IP = the public IP of host B (the controlling end)
        ssh -f -N -R 10000:localhost:22 username@公网IP
    fi
    sleep 10
done

 

The role of the script is to monitor the reverse connection service and restart it when it is abnormally interrupted; with the SSH public key in place, there is no need to go to the company to enter the password. :-)
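An added example, not from either of the original posts: a reconnect loop for host B that serves the same purpose as the autossh keepalive described earlier and the ps/grep watchdog script above, without grepping the process list, plus a restricted authorized_keys entry for host A so that the key stored on host B can request only the one reverse listen. The host name, user and ports are placeholders, and `permitlisten` assumes OpenSSH 7.8 or newer on host A.

```shell
#!/bin/sh
# Added example (not the original posts' code). Host name, user and ports
# are placeholders; adjust to your own hosts.

TUNNEL_USER="${TUNNEL_USER:-user1}"
TUNNEL_HOST="${TUNNEL_HOST:-external-host-A.example}"   # placeholder hostname
REMOTE_PORT="${REMOTE_PORT:-1111}"   # port the tunnel opens on host A
LOCAL_PORT="${LOCAL_PORT:-2222}"     # sshd port on host B being exposed

# Arguments for one tunnel attempt. No -f: the client stays in the foreground
# and exits when the link dies, so the loop below is the watchdog and no
# `ps | grep` is needed. ExitOnForwardFailure turns a refused -R listen into
# an error instead of a silently useless session; ServerAlive* detects a dead
# link that TCP alone would keep open for a long time.
tunnel_args() {
    printf '%s' "-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o BatchMode=yes -R ${REMOTE_PORT}:localhost:${LOCAL_PORT} ${TUNNEL_USER}@${TUNNEL_HOST}"
}

run_tunnel_loop() {
    while :; do
        # word splitting of the argument string is intended here
        ssh $(tunnel_args)
        echo "tunnel exited (status $?), reconnecting in 10s" >&2
        sleep 10
    done
}

# authorized_keys line for host A: the key from host B may only request the
# one reverse listen on A's loopback and gets no shell, pty, agent or X11.
# $1 is the public key text (the contents of id_rsa.pub).
authorized_key_line() {
    printf 'restrict,port-forwarding,permitlisten="localhost:%s" %s\n' \
        "$REMOTE_PORT" "$1"
}

# Only start the loop when explicitly asked, so the file can be sourced.
if [ "${RUN_TUNNEL:-0}" = 1 ]; then
    run_tunnel_loop
fi
```

Run with `RUN_TUNNEL=1 sh tunnel.sh` on host B (under a supervisor such as a systemd unit with Restart=always if you want it to survive reboots), and paste the output of `authorized_key_line "$(cat ~/.ssh/id_rsa.pub)"` into ~/.ssh/authorized_keys on host A instead of the unrestricted line that ssh-copy-id writes.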

 

 


 

Reposted from: Use an ssh reverse connection to access an intranet host (example uses an autossh tunnel to achieve MySQL synchronization)
