Hi! We're Dan and Jay. We're a two person team with a passion for open source products. We created Server Side Up to help share what we learn.
- 📖 Blog - get the latest guides and free courses on all things web/mobile development.
- 🙋 Community - get friendly help from our community members.
- 🤵♂️ Get Professional Help - get guaranteed responses within next business day.
- 💻 GitHub - check out our other open source projects
- 📫 Newsletter - skip the algorithms and get quality content right to your inbox
- 🐥 Twitter - you can also follow Dan and Jay
- ❤️ Sponsor Us - please consider sponsoring us so we can create more helpful resources
This is a super simple SSHD container based on Ubuntu 20.04. It works great if you need to create a secure tunnel into your cluster.
It does one thing very well:
- It's a hardened SSH server (perfect for encrypted tunnels into your cluster)
- Set authorized keys via the
AUTHORIZED_KEYSenvironment variable - Set authorized IP addresses via the
ALLOWED_IPSenvironment variable - It automatically generates the SSH host keys and will persist if you provide a volume
- It's based off of S6 Overlay, giving you a ton of flexibility
- It also includes the
pingtool for troubleshooting connections - It's automatically updated via Github actions
All variables are documented here:
| 🔀 Variable Name | 📚 Description | #️⃣ Default Value |
|---|---|---|
| PUID | User ID the SSH user should run as. | 9999 |
| PGID | Group ID the SSH user should run as. | 9999 |
| SSH_USER | Username for the SSH user that other users will connect into as. | tunnel |
| SSH_GROUP | Group name used for our SSH user. | tunnelgroup |
| SSH_USER_HOME | Home location of the SSH user. | /home/tunnel |
| SSH_PORT | Listening port for SSH server (on container only. You'll still need to publish this port). | 2222 |
| SSH_HOST_KEY_DIR | Location of where the SSH host keys should be stored. | /etc/ssh/ssh_host_keys/ |
| AUTHORIZED_KEYS | 🚨 Required to be set by you. Content of your authorized keys file (see below) | |
| ALLOWED_IPS | 🚨 Required to be set by you. Content of allowed IP addresses (see below) |
You can provide multiple keys by loading the contents of a file into an environment variable.
AUTHORIZED_KEYS="$(cat .ssh/my_many_ssh_public_keys_in_one_file.txt)"
Set this in the same context of AllowUsersThis example shows a few scenarios you can do:
ALLOWED_IPS="AllowUsers *@192.168.1.0/24 *@172.16.0.1 *@10.0.*.1"
You can see that I am forwarding 12345 to 2222.
docker run --rm --name=ssh --network=web -p 12345:2222 localhost/ssh
This means I would connect with:
ssh -p 12345 [email protected]
Here's a perfect example how you can use it with MariaDB. This allows you to use Sequel Pro or TablePlus to connect securely into your database server 🥳
version: '3.7'
services:
mariadb:
# Use the official MariaDB image
image: mariadb:10.5
# Always restart the container
restart: always
# Join it to our "web-public" Docker container
networks:
- web-public
# Set the MySQL Password via env variable
environment:
MYSQL_ROOT_PASSWORD: "myrootpassword"
# Set Docker Swarm settings to make sure this only runs on a manager in the node
deploy:
mode: global
placement:
constraints:
# Make the MariaDB service run only on the node with this label
# as the node with it has the volume for the certificates
- node.role==manager
volumes:
# Add volume for all database files
- database_data:/var/lib/mysql
# Add volume for custom configurations
- custom_conf:/etc/mysql/conf.d
ssh:
# Use the Docker-SSH image from Server Side Up
image: serversideup/docker-ssh
#Publish the 12345 port to the 2222 port on the container
ports:
- target: 2222
published: 12345
mode: host
# Set the Authorized Keys of who can connect
environment:
AUTHORIZED_KEYS: >
"# Start Keys
ssh-ed25519 1234567890abcdefghijklmnoqrstuvwxyz user-a
ssh-ed25519 abcdefghijklmnoqrstuvwxyz1234567890 user-b
# End Keys"
# Lock down the access to certain IP addresses
ALLOWED_IPS: "AllowUsers [email protected]"
restart: unless-stopped
networks:
- web-public
volumes:
database_data:
custom_conf:
networks:
web-public:
external: trueSince there are a lot of dependencies on these images, please understand that it can make it complicated on merging your pull request.
We'd love to have your help, but it might be best to explain your intentions first before contributing.
If you find a critical security flaw, please open an issue or learn more about our responsible disclosure policy.