
We are a web hosting company. We have 4 servers which are running OpenVZ on top of CentOS. Each of the servers has around 50 containers running on top of it.

We are planning to provide ssh root access to some of the customers (around 50). All of these 50 users will be developing and hosting modules of a single website. For example, there is a website xyz.com. Now there will be a module xyz.com/module1. This module1 will be hosted by different developers and hosted on different containers. Similarly there will be other modules developed by different developers and hosted on other containers. The problem is that these containers are running behind a NAT firewall. There is a public IP for xyz.com.

We do not want to do port forwarding as it will open unnecessary ports in the Firewall.

We were thinking of forwarding all the ssh requests to xyz.com to a single container (ssh-temp) and then allowing ssh to other containers from ssh-temp container only. But this approach is not feasible as the users will be having root access to their containers and can modify the firewall rules.

Is there any better approach to perform this task? I was thinking of having a scheme where a user could run a command such as:

ssh user@module1.xyz.com

The user would then be redirected to that particular module. How can I achieve such a scheme?

Thanks

Edit: I do realize that providing root access to containers within a network is a bad idea but for now this is a compulsion and not a choice.

Naruto Uzumaki

1 Answer

Maybe something like an SSH Gateway is what you're looking for?

The SSH gateway works by forcing a ssh to another host as a particular username, based on the ssh key. The assumption is that there is a gateway box between the internal hosts and the internet, that has ssh running on it. - http://quark.humbug.org.au/publications/ssh/ssh-tricks.html

This question is related: Is there a name based virtual host SSH reverse proxy?

SamR.
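One way the key-based forcing described in the answer can be set up on the gateway, as an added example that is not part of the answer or of the linked article: it generates `authorized_keys` entries for a shared gateway account, each pinning one customer key to one container. The `10.0.0.x` addresses, the all-zero key and the assumption that the gateway can itself authenticate to each container are constructed for illustration.

```python
import base64
import re
import struct

# Options placed before each key in the gateway account's authorized_keys.
# The no-*-forwarding options stop a customer tunnelling through the gateway
# to containers other than the one their key is mapped to.
LOCKDOWN = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding"
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def parse_pubkey(line):
    """Accept only a bare 'type blob [comment]' line; return (type, blob)."""
    fields = line.split()
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("expected a bare public key with no options")
    raw = base64.b64decode(fields[1], validate=True)
    if len(raw) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + n] != fields[0].encode():
        raise ValueError("key type does not match key blob")
    return fields[0], fields[1]


def gateway_line(pubkey_line, user, host):
    """Build one authorized_keys entry that pins a key to one container."""
    ktype, blob = parse_pubkey(pubkey_line)
    # The forced command runs through a shell on the gateway, so user and
    # host must be plain names: no quotes, spaces or leading '-'.
    if not USER_RE.fullmatch(user) or not HOST_RE.fullmatch(host):
        raise ValueError("unsafe user or host")
    return f'{LOCKDOWN},command="ssh -t {user}@{host}" {ktype} {blob} {user}@{host}'


def constructed_key(comment):
    """All-zero ed25519 public key, constructed for this example only."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    # Constructed mapping: customer key -> (login, internal container address).
    mapping = [(constructed_key("dev1"), "root", "10.0.0.11"),
               (constructed_key("dev2"), "root", "10.0.0.12")]
    for key, user, host in mapping:
        print(gateway_line(key, user, host))
```

Because the destination is chosen by the key and not by the customer, root inside a container cannot change which host the gateway connects that key to.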