splitting tcp traffic to multiple recipients on the backend?

Kevin Martin asked:

let’s assume that i have a domain name of kevin.com and I have multiple servers that sit behind nginx. Load balancing http traffic is easy with nginx but can I split traffic received on a particular port on the nginx server and route that traffic to different servers on the backend? For example, if I have a.kevin.com, b.kevin.com, and c.kevin.com that all resolve to a single public ip address and all listen on port 2022 and I want to be able to connect to ssh instances running on 3 different servers on the backend, can that be done with nginx? Can I ssh to a.kevin.com:2022 and have it forwarded to the machine on port 22, b.kevin.com:2022 ->, and c.kevin.com:2022 -> I assume that nginx would have to be able to somehow parse the hostname that was being connected to externally. Thanks.

My answer:

There is no way for the server to know what hostname you want; this is not part of the ssh protocol.

The best solution for this is to use IPv6 to connect to each of your servers. In this case you don’t need to do any goofy forwarding of ports at all or any other sort of workaround. You just connect directly (subject of course to firewalling) as it was meant to be, and you have a happy day.

In the legacy IPv4 world the usual workaround for this problem is a bastion host, a server which has both a global IPv4 address and a private IPv4 address on your network. You ssh to that host first, and then ssh to the host you really want to reach. The OpenSSH ssh command even has a command line option -J which streamlines this process a bit.

In order to do this with IPv4 port forwarding, you would need to forward a separate port for each distinct server.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.