I used the following command to create a SOCKS5 proxy through ssh. Note that the worker
node is behind a NAT gateway.
tsh ssh -D 0.0.0.0:1080 root@worker
And then I tried to curl an HTTPS service inside the worker's network. I got the following:
$ curl --proxy socks5://127.0.0.1:1080 -vvv -k https://172.17.1.200/ops/landing
* Trying 127.0.0.1...
* TCP_NODELAY set
* SOCKS5 communication to 172.17.1.200:443
* SOCKS5 connect to IPv4 172.17.1.200 (locally resolved)
* SOCKS5 request granted.
* Connected to 127.0.0.1 (127.0.0.1) port 1080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 172.17.1.200:443
* stopped the pause stream!
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 172.17.1.200:443
I verified that the server works by running curl from the worker node:
[root@worker ~]# curl -k --head https://172.17.1.200/ops/landing
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=30
Content-Length: 6465
Content-Type: text/html
Date: Thu, 24 Oct 2019 04:26:06 GMT
Etag: "5db1075e-1941"
Expires: Thu, 24 Oct 2019 04:26:36 GMT
Last-Modified: Thu, 24 Oct 2019 02:07:26 GMT
Server: nginx/1.15.12
Vary: Accept-Encoding
Any clue what could be the issue?
Attaching the debug logs here:
$ tsh ssh -N --debug -D 0.0.0.0:1080 root@worker
INFO [CLIENT] [KEY AGENT] Connected to the system agent: "/private/tmp/com.apple.launchd.9yekPU9UOY/Listeners" client/api.go:2000
DEBU [KEYSTORE] Returning SSH certificate "/Users/jie/.tsh/keys/localhost/jie-cert.pub" valid until "2019-10-24 06:59:15 -0700 PDT", TLS certificate "/Users/jie/.tsh/keys/localhost/jie-x509.pem" valid until "2019-10-24 13:59:15 +0000 UTC". client/keystore.go:262
INFO [KEYAGENT] Loading key for "jie" client/keyagent.go:108
INFO [CLIENT] Connecting proxy=localhost:3023 login='root' method=0 client/api.go:1539
DEBU [KEYAGENT] Validated host localhost:3023. client/keyagent.go:280
INFO [CLIENT] Successful auth with proxy localhost:3023 client/api.go:1530
DEBU [CLIENT] Found clusters: [{"name":"docker","lastconnected":"2019-10-24T04:35:31.7576753Z","status":"online"}] client/client.go:106
INFO [CLIENT] Client= connecting to node=worker on cluster docker client/client.go:451
DEBU [KEYAGENT] Validated host worker:0@default@docker. client/keyagent.go:280
DEBU [CLIENT] Connected to node, no remote command execution was requested, blocking until context closes. client/api.go:921
DEBU [CLIENT] "SOCKS5 proxy forwarding requests to \xac\x11\x01\xc8:443." client/client.go:874
DEBU [CLIENT] "Attempting to connect proxy from 127.0.0.1:64907 to \xac\x11\x01\xc8:443." client/client.go:761
WARN [CLIENT] Failed to proxy connection: read tcp 127.0.0.1:1080->127.0.0.1:64907: use of closed network connection. client/client.go:822
DEBU [CLIENT] "Finished proxy from 127.0.0.1:64907 to \xac\x11\x01\xc8:443." client/client.go:822
WARN [CLIENT] Failed to proxy connection: read tcp 127.0.0.1:1080->127.0.0.1:64907: use of closed network connection. client/client.go:877
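
The debug log above prints the SOCKS5 destination as \xac\x11\x01\xc8:443, which is the four raw bytes of 172.17.1.200 rather than its dotted-quad form. The following Go code is an added example, not part of the original post and not Teleport's code: it parses a SOCKS5 CONNECT request per RFC 1928 and formats each address type into a dialable host:port. The function name ParseConnectTarget and the sample request bytes are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strconv"
)

// ParseConnectTarget decodes a SOCKS5 CONNECT request (RFC 1928, section 4:
// VER CMD RSV ATYP DST.ADDR DST.PORT) into a dialable "host:port" string.
func ParseConnectTarget(req []byte) (string, error) {
	if len(req) < 4 || req[0] != 0x05 || req[1] != 0x01 {
		return "", errors.New("not a SOCKS5 CONNECT request")
	}
	atyp, body := req[3], req[4:]
	var host string
	switch atyp {
	case 0x01, 0x04: // IPv4 (4 raw bytes) or IPv6 (16 raw bytes)
		n := net.IPv4len
		if atyp == 0x04 {
			n = net.IPv6len
		}
		if len(body) != n+2 {
			return "", errors.New("bad IP address length")
		}
		// Raw address bytes are formatted here; string(body[:n]) would yield
		// an undialable host such as "\xac\x11\x01\xc8".
		host, body = net.IP(body[:n]).String(), body[n:]
	case 0x03: // domain name: one length byte, then that many bytes
		if len(body) < 1 || len(body) != 1+int(body[0])+2 {
			return "", errors.New("bad domain name length")
		}
		host, body = string(body[1:1+int(body[0])]), body[1+int(body[0]):]
	default:
		return "", fmt.Errorf("unsupported address type %#x", atyp)
	}
	port := binary.BigEndian.Uint16(body) // DST.PORT is big-endian
	return net.JoinHostPort(host, strconv.Itoa(int(port))), nil
}

func main() {
	// Constructed request: CONNECT to IPv4 172.17.1.200, port 443 (0x01bb).
	req := []byte{0x05, 0x01, 0x00, 0x01, 0xac, 0x11, 0x01, 0xc8, 0x01, 0xbb}
	fmt.Println(ParseConnectTarget(req))
}
```

curl's "locally resolved" line means it sent the address as type IPv4 (ATYP 0x01), so the proxy side receives raw bytes, not a hostname string.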