Re: OT: Dealing with a hosting company with its head up its rear end

Dave Cottlehuber dch at skunkwerks.at
Mon Aug 17 08:51:18 UTC 2020


> "[Insert client name here], we do not allow RDP or SSH into our datacenter.

Get them to give you an additional IPv6 subnet and run SSH on port 80 or whatever, only on that. You only need one bastion goat to get through, using ssh ProxyCommand.

Or, if that's not possible, run HAProxy or similar in front of whatever HTTP(S) traffic is allowed, and use TCP detection to redirect actual SSH traffic to SSH while letting the rest through.

https://coolaj86.com/articles/adventures-in-haproxy-tcp-tls-https-ssh-openvpn/

https://blog.chmd.fr/ssh-over-ssl-episode-4-a-haproxy-based-configuration.html

https://github.com/yrutschle/sslh

I’m all until next week but if you want a hand figuring this out remind me offline on Monday.

If they allow UDP traffic then consider sticking ZeroTier or WireGuard in and using that. Both are free and don't need 'dangerous TCP'...

I prefer using HAProxy, as we use it everywhere, but the basic idea (port share, detect traffic type, proxy TCP) has multiple solutions.

> So how do we/the client tell the hosting company they are full of sh*t (the
> client has a 3 year contract with a pay in full to break clause with them
> which would be over $100k to break)

This is what account managers are good for. 

Get your customer's account manager to talk with their account manager and explain that you'll pull the plug and lawyer up if standard Unix SSH isn't allowed, and point out that Google and AWS support it. They always cave. Make sure your account manager is prepped on the tech first.

How did anybody manage to set these boxes up? It must have been painful.

Dave
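The "port share, detect traffic type, proxy TCP" idea Dave describes is what sslh and HAProxy's `tcp-request inspect-delay` / `req.ssl_hello_type` / `req.payload` rules do. The following is an added example, not code from the thread or from either project: a minimal asyncio demultiplexer that sniffs the first bytes a client sends on one shared port and hands the connection to an SSH, TLS or plain-HTTP backend. It goes slightly beyond the post by also recognising plain HTTP. The backend addresses, the listen port and the 2-second sniff timeout are assumptions chosen for the example. Like sslh, a client that sends nothing before the timeout is assumed to be SSH (OpenSSH clients normally send their `SSH-2.0-` banner immediately, but some SSH clients wait for the server to speak first).

```python
"""Minimal sslh/HAProxy-style protocol demultiplexer (added example).

Peek at the first bytes a client sends on a shared port, pick a backend
from the protocol they reveal, replay those bytes to the backend and then
pump traffic in both directions."""
import asyncio

# Assumed backends for the example; adjust to your own hosts/ports.
BACKENDS = {
    "ssh":  ("127.0.0.1", 22),
    "tls":  ("127.0.0.1", 8443),
    "http": ("127.0.0.1", 8080),
}
DEFAULT_ON_TIMEOUT = "ssh"   # sslh-style: a silent client is assumed to be SSH
PEEK_TIMEOUT = 2.0           # assumed; how long to wait for the first bytes
PEEK_LIMIT = 16              # bytes needed to classify every supported protocol
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")


def classify(first_bytes: bytes) -> str:
    """Name the protocol from the client's first bytes.

    ssh : RFC 4253 identification string, "SSH-2.0-..."
    tls : TLS record header, content type 0x16 (handshake), version 0x03xx
    http: a plain HTTP request line
    Anything else, including an empty buffer, is "unknown"."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def choose_backend(first_bytes: bytes):
    """Backend name for the sniffed bytes, or None to drop the connection.

    An empty buffer means the client stayed silent until the timeout, so
    the sslh-style default applies; non-empty garbage is rejected."""
    kind = classify(first_bytes)
    if kind != "unknown":
        return kind
    return DEFAULT_ON_TIMEOUT if first_bytes == b"" else None


async def peek(reader: asyncio.StreamReader, timeout: float) -> bytes:
    """Read just enough to classify, or give up after `timeout` seconds."""
    buf = b""
    loop = asyncio.get_running_loop()
    deadline = loop.time() + timeout
    while len(buf) < PEEK_LIMIT:
        remaining = deadline - loop.time()
        if remaining <= 0:
            break
        try:
            chunk = await asyncio.wait_for(reader.read(PEEK_LIMIT - len(buf)), remaining)
        except asyncio.TimeoutError:
            break
        if not chunk:              # client closed before saying anything useful
            break
        buf += chunk
        if classify(buf) != "unknown":
            break
    return buf


async def pump(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then close the far side."""
    try:
        while True:
            data = await src.read(65536)
            if not data:
                break
            dst.write(data)
            await dst.drain()
    finally:
        dst.close()


async def handle(client_r: asyncio.StreamReader, client_w: asyncio.StreamWriter) -> None:
    head = await peek(client_r, PEEK_TIMEOUT)
    target = choose_backend(head)
    if target is None:
        client_w.close()
        return
    host, port = BACKENDS[target]
    try:
        back_r, back_w = await asyncio.open_connection(host, port)
    except OSError:
        client_w.close()
        return
    back_w.write(head)             # replay the bytes consumed while sniffing
    await back_w.drain()
    await asyncio.gather(pump(client_r, back_w), pump(back_r, client_w))


async def main(listen=("0.0.0.0", 443)) -> None:
    server = await asyncio.start_server(handle, *listen)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

With this listening on 443, `ssh -o ProxyCommand='nc bastion 443' user@inside` (or `ssh -J user@bastion:443 inside` once sshd is reached that way) works while browsers on the same port still get the TLS backend. The equivalent HAProxy frontend uses `mode tcp`, `tcp-request inspect-delay 5s`, `acl is_ssh req.payload(0,4) -m str SSH-`, `acl is_tls req.ssl_hello_type 1` and `use_backend` rules with sshd as `default_backend`. One caveat for either tool: the silent-client default means anyone who connects and sends nothing lands on sshd, so the shared port exposes sshd just as port 22 would; keep key-only authentication and fail2ban-style rate limiting on it rather than relying on the port number for obscurity.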


More information about the freebsd-questions mailing list