This Docker image provides a workaround for sandbox port exposure limitations (see this issue for more details). SSH port forwarding (the -R and -L options) can be used either to expose a port from the sandbox or to access a service running on the Docker host from the sandbox.
Because the sandbox proxy is quite restrictive, a direct SSH connection cannot be used. Instead, the SSH traffic must be wrapped in TLS so the proxy interprets it as HTTPS traffic.
Build and run the image:

```bash
docker build -t ssh-over-tls .
docker run -d --rm -p 443:443 -p 22:2222 ssh-over-tls
```
Assuming you already have a sandbox running (for example, `my-sandbox`), follow the steps below:

- enable bypassing for `localhost:443`:

  ```bash
  docker sandbox network proxy my-sandbox --bypass-host localhost:443
  ```

- exec into your sandbox:

  ```bash
  docker sandbox exec -it my-sandbox /bin/bash
  ```

- install the SSH server, stunnel, and a text editor:

  ```bash
  sudo apt update
  sudo apt install -y openssh-server stunnel4 neovim
  ```

- create the stunnel configuration file at `/etc/stunnel/stunnel.conf`:

  ```ini
  pid = /tmp/stunnel.pid
  ; do NOT verify server cert
  verify = 0
  [tunnel]
  client = yes
  protocol = connect
  accept = 127.0.0.1:2222
  ; http proxy address
  connect = host.docker.internal:3128
  ; final destination address (from the proxy server's perspective)
  protocolHost = localhost:443
  ```

- start the SSH server and stunnel:

  ```bash
  sudo service ssh start
  stunnel
  ```

- configure reverse SSH tunneling over stunnel and the sandbox proxy (the `user` account has no password, so no credentials are required):

  ```bash
  ssh -fN -R 0.0.0.0:2222:localhost:22 -p 2222 user@localhost
  ```

- set a password for the `agent` account so it can be accessed over SSH:

  ```bash
  sudo passwd agent
  ```
That's it. Now you can connect from your host to your sandbox and configure port forwarding according to your needs:

```bash
ssh agent@localhost
```
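To check the tunnel end to end from inside the sandbox, and to see what `protocol = connect` and `protocolHost` make stunnel do on the wire, here is an added Python client that is not part of this image: it sends the HTTP CONNECT request to the proxy, starts TLS only after the proxy answers 200, and reads the SSH banner of the sshd behind the tunnel. The proxy address and target are the ones from the stunnel configuration above; the optional `cafile` argument is an assumed extra that turns certificate verification on, which the `verify = 0` setting leaves off.

```python
import socket
import ssl

def build_connect_request(target: str) -> bytes:
    """HTTP CONNECT request, as stunnel sends it for protocol = connect."""
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode()

def parse_connect_response(data: bytes) -> tuple:
    """Return (status code, bytes after the header block) of the proxy reply."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    parts = head.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP status line: %r" % parts[0])
    return int(parts[1]), rest

def recv_until(sock, marker: bytes, limit: int = 65536) -> bytes:
    """Read until marker appears; fail if the peer closes or limit is reached."""
    buf = b""
    while marker not in buf:
        if len(buf) >= limit:
            raise ValueError("no %r within %d bytes" % (marker, limit))
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf

def ssh_banner_via_proxy(proxy=("host.docker.internal", 3128),
                         target="localhost:443", cafile=None) -> str:
    """CONNECT through the proxy, start TLS, return the SSH server's banner."""
    raw = socket.create_connection(proxy, timeout=10)
    raw.sendall(build_connect_request(target))
    status, _ = parse_connect_response(recv_until(raw, b"\r\n\r\n"))
    if status != 200:
        raw.close()
        raise ConnectionError("proxy refused CONNECT with status %d" % status)
    ctx = ssl.create_default_context(cafile=cafile)  # cafile is an assumed option
    if cafile is None:  # same as verify = 0 in stunnel.conf: no cert check
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with ctx.wrap_socket(raw, server_hostname=target.rsplit(":", 1)[0]) as tls:
        banner = recv_until(tls, b"\n").split(b"\n", 1)[0].decode().strip()
    if not banner.startswith("SSH-"):
        raise ConnectionError("no SSH banner behind the tunnel: %r" % banner)
    return banner

if __name__ == "__main__":
    print(ssh_banner_via_proxy())
```

Run it from the sandbox shell before starting stunnel: a printed `SSH-2.0-...` line means the proxy bypass, the TLS wrapper and the container's sshd are all reachable, while a non-200 status points at the proxy configuration.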