Secure Shell Tunneling

SSH Tunneling

Recently I had a small project where I had a single production EC2 instance on which I needed to monitor containers. My go-to solution in this case would be to spin up a Portainer agent on the production instances and connect to it from a monitoring host running Portainer, through which I would then access the Portainer web UI.

This is all well and good, however I did not want to set up the additional infrastructure for such a small project and decided to run Portainer directly on the production host. This could be a no-no in many cases, however I felt my specific situation justified the issues of running Portainer on a production instance. The only remaining issue for me was: how am I going to access the Portainer web UI securely?

Exposing the Portainer web UI publicly is not ideal since it exposes a large attack surface. You could use a secure single sign-on to help secure it, but I felt that that was still not good enough.

So I got thinking: I already have access to my production instances through SSH, which uses a specific key, so that is about as secure as it gets. Is there any way I could leverage that connection to access Portainer?

Enter SSH tunneling. I discovered I could use ssh to create a tunnel which intercepts traffic to localhost on my own machine and routes it through the SSH connection to my remote production instance. Once there, I want the traffic to redirect to the remote's localhost, and specifically port 9443, which is Portainer's port in my case.

Run locally on my development machine:

ssh -L 9443:localhost:9443 user@123.123.123.123

This will open a tunnel to the remote machine 123.123.123.123 and will redirect all traffic from my localhost:9443 (the first 9443) to the remote's localhost:9443 (the trailing localhost:9443, which is resolved on the remote side).

Now all I had to do was visit localhost:9443 locally, and I was able to connect to my remote Portainer web UI through SSH, without exposing Portainer to the public any more than the remote instance is already exposed with SSH anyway. Quite handy!
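A stricter form of the same tunnel, with a check that the local end is bound to loopback only. This is an added example, not part of the original post; it assumes a Linux development machine with `ss` (iproute2) and `awk`, and the function names and the sample `ss` output are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post.
PORT=9443   # Portainer port used in the post

# Print the tunnel command for port $1 and destination $2.
#  -N                     forward only, no remote shell
#  ExitOnForwardFailure   exit if the forward cannot be set up
#                         (for example, local port already in use)
#  127.0.0.1:             explicit bind address, so the listener stays on
#                         loopback regardless of the GatewayPorts setting
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:localhost:%s %s\n' \
        "$1" "$1" "$2"
}

# Read `ss -ltnH` output on stdin. Succeed only if port $1 is listening
# and every listener on it is bound to a loopback address.
loopback_only() {
    awk -v port="$1" '
        {
            n = split($4, parts, ":")          # $4 is Local Address:Port
            p = parts[n]
            addr = substr($4, 1, length($4) - length(p) - 1)
        }
        p == port {
            seen = 1
            if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE='LISTEN 0 128 127.0.0.1:9443 0.0.0.0:*
LISTEN 0 128 [::1]:9443 [::]:*'

tunnel_cmd "$PORT" user@123.123.123.123
if printf '%s\n' "$SAMPLE" | loopback_only "$PORT"; then
    echo "port $PORT: loopback only"
else
    echo "port $PORT: missing or reachable from other hosts" >&2
fi
```

With the tunnel up, `ss -ltnH | loopback_only 9443` runs the same check against the real listeners. The tunnel is only the sole path in if port 9443 on the remote is itself unreachable from outside, for example closed in the instance's security group.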