From a30644696d7db48a9201c108a99d2e7c160a05a6 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Fri, 24 May 2024 13:57:38 +0000 Subject: [PATCH] Add aws tunnel scheme MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- 开发机隧道方案.md | 218 ++++++++++++++++++++++++++++++++++++---------- 1 file changed, 174 insertions(+), 44 deletions(-) diff --git a/开发机隧道方案.md b/开发机隧道方案.md index acbfd51..0daf51d 100644 --- a/开发机隧道方案.md +++ b/开发机隧道方案.md 
@@ -2,57 +2,187 @@ ## 网络拓扑图 - A: 用户 -- B: 中间服务器 -- C: 开发服务器 +- B: 跳板机 +- C: 目标机器 -连接: **A->B<-C** +连接: **A<-->B<-->C** -说明: 用户A连接B,开发服务器C连接B,B在内部将A转发到C. +说明: 用户A通过跳板机B连接目标C -结论: 因为从外部无法观测到A至C的连接, 所以此方案可用于隐藏用户A连接C的记录 +- 传统方案劣势: 传统跳板机B, 一般是个人使用, 从外部可以观测出只有A,C在连接B, 所以可以推断出A连接C +- 方案优势: 使用的第三方跳板机B会有非常多的连接, 因此无法从外部观测到A到C的连接 +- 方案缺点: 跳板机提供商会有A到C的记录 -## 基于vscode server的隧道方案 -其中B为微软提供 +## 连接方案 -### 部署vscode server -```bash -# 开启linger 用户退出以后, 服务也不会停止 -sudo loginctl enable-linger $USER -wget https://vscode.download.prss.microsoft.com/dbazure/download/stable/dc96b837cf6bb4af9cd736aa3af08cf8279f7685/vscode_cli_alpine_x64_cli.tar.gz -tar -xzf vscode_cli_alpine_x64_cli.tar.gz +先安装vscode [官方网站](https://code.visualstudio.com/) -./code tunnel service install -# 执行命令后, 需要选择用什么账号登录, 此次选择用Microsoft Account -## 输出如下 -# ? How would you like to log in to Visual Studio Code? › -# ❯ Microsoft Account -# GitHub Account -## 选择以后, 输出如下 -# ✔ How would you like to log in to Visual Studio Code? · Microsoft Account -# To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code I96RAVZDD to authenticate. -## 在浏览中打开上面的链接, 输入code. 然后登录微软账号, 就可以把此隧道, 绑定到微软账号. -## 看到如下输出, 部署就成功了 -# * -# * Visual Studio Code Server -# * -# * By using the software, you agree to -# * the Visual Studio Code Server License Terms (https://aka.ms/vscode-server-license) and -# * the Microsoft Privacy Statement (https://privacy.microsoft.com/en-US/privacystatement). -# * -# [2024-05-21 10:21:24] info Successfully registered service... -# [2024-05-21 10:21:24] info Successfully enabled unit files... -# [2024-05-21 10:21:24] info Tunnel service successfully started -# [2024-05-21 10:21:24] info Tip: run `sudo loginctl enable-linger $USER` to ensure the service stays running after you disconnect. -# Service successfully installed! You can use `code tunnel service log` to monitor it, and `code tunnel service uninstall` to remove it. 
+### vscode server tunnel 连接 + +**需求: 部署了code tunnel的微软或Github账号** + +1. 安装[remote - tunnel](https://marketplace.visualstudio.com/items?itemName=ms-vscode.remote-server) 插件 + +1. 安装完插件后, 左侧栏会出现相应的`远程资源管理器` -> `远程(隧道/SSH)` -> `Tunnels` -> `登陆到向Microsoft注册的隧道 ➡️`(点击箭头) -> 接下来跳转到网页登录账号即可 +1. 登录完后, 就可以在Tunnels下,看到对应的隧道 + +### aws ssh tunnel 连接 +**需求: 配置过的IAM的`Access Key ID`,`Secret Access Key`和`region name`** + +1. 在主机上安装 AWS CLI [下载链接](https://docs.aws.amazon.com/zh_cn/cli/latest/userguide/getting-started-install.html) +以及 session-manager 插件[下载地址](https://docs.aws.amazon.com/zh_cn/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html) + +1. 配置aws cli账号 + + 需要配置以下4行内容, 需要关心的是 Key ID , Access Key 以及region name:`ap-east-1`. + + ```sh + aws configure + # 以下为输出样例 + # AWS Access Key ID [****************XXXX]: + # AWS Secret Access Key [****************YYYY]: + # Default region name [ap-east-1]: + # Default output format [None]: + ``` + +1. 配置 sshconfig [参考文档](https://docs.aws.amazon.com/zh_cn/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html) + + ```t + # file .ssh/config + # windows + host i-* mi-* + ProxyCommand aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p + + # unix like + host i-* mi-* + ProxyCommand aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p' + ``` + +1. 安装 vscode 插件 [remote ssh](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-ssh) + +1. 可选 移除remote tunnel + + 因为tunnel加载很慢, 所以可以删除remote tunnel 插件来提升vscode打开速度 + + 注意: 需要先移除所有remote系列插件, 再安装对应的插件 + +## 部署方案 +### A. 部署基于amazon session manager隧道方案 +其中B为亚马逊提供 + + +可选功能分为S3日志, 和 CloudWatch日志, 如果使用的话,则需要提前创建. + +#### 0. Session Manager 配置项 [说明文档](https://aws.amazon.com/cn/blogs/china/session-manager-register-ec2/) + + 额外配置日志, 以下对ssh连接不生效. 但是可以用来记录生产及其他敏感环境 + +AWS Systems Manager > Session Manager > Preferences > Edit + +1. 
勾选 `Enable maximum session duration`, 输入 1440, 一天. +2. 勾选 `Enable Run As support for Linux instances`, 输入 ubuntu . +3. (可选) 勾选 `CloudWatch logging`, 开启CloudWatch日志 +4. (可选) 勾选 `Send session logs to S3`, 填入创建的s3 bucket name. + +#### 1. 创建 IAM Role, 使得 System Manager 可以访问 EC2 资源 [参考文档](https://docs.aws.amazon.com/zh_cn/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html) + +ssh最小 policy for EC2 +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ssmmessages:CreateControlChannel", + "ssmmessages:CreateDataChannel", + "ssmmessages:OpenControlChannel", + "ssmmessages:OpenDataChannel", + "ssm:UpdateInstanceInformation" + ], + "Resource": "*" + } + ] +} ``` -### 连接 vscode server -1. 先安装vscode, [官方网站](https://code.visualstudio.com/) -2. 安装[remote - tunnel](https://marketplace.visualstudio.com/items?itemName=ms-vscode.remote-server) 插件 +#### 2. 创建 IAM 用户, 并创建对应的 Policy, 指定该用户能访问的EC2 [参考文档](https://docs.aws.amazon.com/zh_cn/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html) -3. 安装完插件后, 左侧栏会出现相应的`远程资源管理器` -> `远程(隧道/SSH)` -> `Tunnels` -> `登陆到向Microsoft注册的隧道 ➡️`(点击箭头) -> 接下来跳转到网页登录账号即可 -4. 登录完后, 就可以在Tunnels下,看到对应的隧道 -4. 接下来,就与S5H, WSL等非本地开发流程一样了 +ssh最小 policy for IAM User +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ssm:StartSession" + ], + "Resource": [ + "arn:aws:ec2:*:*:instance/{instance_id}", + "arn:aws:ssm:*:*:document/AWS-StartSSHSession" + ], + "Condition": { + "BoolIfExists": { + "ssm:SessionDocumentAccessCheck": "true" + } + } + } + ] +} +``` -## 基于amazon session manager的隧道方案 -其中B为亚马逊提供 +#### 3. 
安装 或者 更新 EC2 上的 SSM-agent [参考文档](https://docs.aws.amazon.com/zh_cn/systems-manager/latest/userguide/ssm-agent.html) +```bash +# 默认情况下,SSM Agent 安装在 Ubuntu Server 22.04 LTS、20.04、18.04 和 16.04 LTS 64 位 AMIs(带标识符 20180627)或更高版本上。 +# 如果您需要在本地服务器上安装 SSM Agent或者需要重新安装代理,您可以使用以下脚本。您无需为下载指定 URL,因为 snap 命令会自动从 Snap 应用商店 https://snapcraft.io 下载代理。 +# 安装 +sudo snap install amazon-ssm-agent --classic + +# 运行以下命令确定 SSM Agent是否在运行。 +sudo snap list amazon-ssm-agent + +# 如果上一条命令返回 amazon-ssm-agent is stopped、inactive 或 disabled,则运行以下命令将启动服务。 +sudo snap start amazon-ssm-agent + +# 检查代理的状态。 +sudo snap services amazon-ssm-agent +``` + + + +### B. 基于vscode server的隧道方案 +其中B为微软提供 + +1. 部署vscode server根据部署的机器选择对应的CLI [下载地址](https://code.visualstudio.com/Download) + ```bash + # 开启linger 用户退出以后, 服务也不会停止 + sudo loginctl enable-linger $USER + # 下载 linux x64 的 CLI + wget https://vscode.download.prss.microsoft.com/dbazure/download/stable/dc96b837cf6bb4af9cd736aa3af08cf8279f7685/vscode_cli_alpine_x64_cli.tar.gz + tar -xzf vscode_cli_alpine_x64_cli.tar.gz + + ./code tunnel service install + # 执行命令后, 需要选择用什么账号登录, 此次选择用Microsoft Account + ## 输出如下 + # ? How would you like to log in to Visual Studio Code? › + # ❯ Microsoft Account + # GitHub Account + ## 选择以后, 输出如下 + # ✔ How would you like to log in to Visual Studio Code? · Microsoft Account + # To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code I96RAVZDD to authenticate. + ## 在浏览中打开上面的链接, 输入code. 然后登录微软账号, 就可以把此隧道, 绑定到微软账号. + ## 看到如下输出, 部署就成功了 + # * + # * Visual Studio Code Server + # * + # * By using the software, you agree to + # * the Visual Studio Code Server License Terms (https://aka.ms/vscode-server-license) and + # * the Microsoft Privacy Statement (https://privacy.microsoft.com/en-US/privacystatement). + # * + # [2024-05-21 10:21:24] info Successfully registered service... + # [2024-05-21 10:21:24] info Successfully enabled unit files... 
+ # [2024-05-21 10:21:24] info Tunnel service successfully started + # [2024-05-21 10:21:24] info Tip: run `sudo loginctl enable-linger $USER` to ensure the service stays running after you disconnect. + # Service successfully installed! You can use `code tunnel service log` to monitor it, and `code tunnel service uninstall` to remove it. + ``` \ No newline at end of file
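Review bot: the IAM user policy under "#### 2. 创建 IAM 用户" puts `"arn:aws:ec2:*:*:instance/{instance_id}"` in `Resource` without saying that `{instance_id}` is a placeholder; copied verbatim the ARN matches nothing, and a reader who "fixes" it with `*` grants `ssm:StartSession` on every instance the account can reach. Add a sentence above the JSON stating that it must be replaced with the real `i-` prefixed instance ID and that listing one ARN per permitted instance is the intended least-privilege shape (the `BoolIfExists` `ssm:SessionDocumentAccessCheck` condition only restricts the document, not the target). Same hunk, section B: the CLI is fetched with plain `wget` from a URL pinned to commit `dc96b837cf6bb4af9cd736aa3af08cf8279f7685` and executed straight away with `./code tunnel service install`; either say the commit hash has to be refreshed for each release (or point to the `build=stable` download alias) and add an integrity check before running the binary, since this step is the one that installs a persistent service bound to a Microsoft/GitHub account.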