Date: Mon, 17 Aug 2020 10:50:54 +0200
From: "Dave Cottlehuber" <dch@skunkwerks.at>
To: freebsd-questions <freebsd-questions@freebsd.org>, "Aryeh Friedman" <aryeh.friedman@gmail.com>
Subject: Re: OT: Dealing with a hosting company with it's head up it's rear end
Message-ID: <0060287c-5912-428a-9186-023167c3cebc@www.fastmail.com>
In-Reply-To: <CAGBxaXmg0DGSEYtWBZcbmQbqc2vZFtpHrmW68txBck0nKJak=w@mail.gmail.com>
References: <CAGBxaXmg0DGSEYtWBZcbmQbqc2vZFtpHrmW68txBck0nKJak=w@mail.gmail.com>
> "[Insert client name here], we do not allow RDP or SSH into our datacenter.

Get them to give you an additional ipv6 subnet and run ssh on port 80 or whatever only on that. You only need 1 bastion goat to get through using ssh ProxyCommand.

Or if that's not possible run haproxy or similar in front of whatever http(s) traffic is allowed, and use tcp detection to redirect actual ssh traffic to ssh while letting the rest through.

https://coolaj86.com/articles/adventures-in-haproxy-tcp-tls-https-ssh-openvpn/
https://blog.chmd.fr/ssh-over-ssl-episode-4-a-haproxy-based-configuration.html
https://github.com/yrutschle/sslh

I'm all until next week but if you want a hand figuring this out remind me offline on Monday.

If they allow udp traffic then consider sticking ZeroTier or wireguard in and using that. Both are free and don't need 'dangerous tcp'...

I prefer using haproxy as we use it everywhere but the basic idea (port share, detect traffic type, proxy tcp) has multiple solutions.

> So how do we/the client tell the hosting company they are full of sh*t (the
> client has a 3 year contract with a pay in full to break clause with them
> which would be over $100k to break)

This is what account managers are good for. Get your customer's account manager to talk with their account manager and explain that you'll pull the plug and lawyer up, if std unix ssh isn't allowed and point out that google and aws support it. They always cave. Make sure your acct manager is prepped on the tech first.

How did anybody manage to set these boxes up? It must have been painful.

Dave
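The "port share, detect traffic type, proxy tcp" idea in Dave's reply is what sslh and haproxy's tcp-request content inspection implement. The following is an added illustration, not code from this thread or from either project: a minimal Python demultiplexer that listens on one TCP port, peeks at the first bytes a client sends, and forwards the connection to an SSH, TLS or HTTP backend. The listen address, backend addresses and the two-second peek timeout are assumptions for the example. The timeout matters because some SSH clients wait for the server's identification string before sending their own; like sslh, the example treats a client that says nothing as SSH, so sshd, which still authenticates, is the only thing a silent client reaches.

```python
"""Single-port TCP demultiplexer (example, not sslh/haproxy code).

Peeks at the first bytes of each connection, classifies the protocol,
then proxies the connection (peeked bytes included) to the right backend.
"""
import asyncio

# Assumed addresses for the example; replace with your own.
LISTEN = ("0.0.0.0", 80)
BACKENDS = {
    "ssh":  ("127.0.0.1", 22),    # local sshd
    "tls":  ("127.0.0.1", 8443),  # local TLS server
    "http": ("127.0.0.1", 8080),  # local plain-HTTP server
}
PEEK_TIMEOUT = 2.0  # seconds to wait for the client's first bytes
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")


def classify(first_bytes: bytes) -> str:
    """Classify a connection from the first bytes the client sent.

    - An SSH client sends an identification string "SSH-2.0-..." (RFC 4253 4.2).
    - A TLS ClientHello is a handshake record: type 0x16, major version 0x03.
    - An HTTP/1.x request starts with a method token followed by a space.
    - An empty buffer means the client is waiting for the server to speak
      first; as in sslh, that is treated as SSH.
    """
    if first_bytes == b"":
        return "ssh"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


async def pump(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then close the destination side."""
    try:
        while True:
            chunk = await reader.read(65536)
            if not chunk:
                break
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()


async def handle_client(client_reader: asyncio.StreamReader,
                        client_writer: asyncio.StreamWriter) -> None:
    # Peek: wait briefly for the first bytes; on timeout fall back to SSH.
    try:
        first = await asyncio.wait_for(client_reader.read(16), PEEK_TIMEOUT)
    except asyncio.TimeoutError:
        first = b""
    if first == b"" and client_reader.at_eof():
        client_writer.close()  # client connected and hung up; nothing to proxy
        return
    kind = classify(first)
    backend = BACKENDS.get(kind)
    if backend is None:
        client_writer.close()  # unrecognised protocol: drop it
        return
    try:
        backend_reader, backend_writer = await asyncio.open_connection(*backend)
    except OSError:
        client_writer.close()
        return
    # Replay the peeked bytes so the backend sees the full stream.
    backend_writer.write(first)
    await backend_writer.drain()
    await asyncio.gather(
        pump(client_reader, backend_writer),
        pump(backend_reader, client_writer),
    )


async def main() -> None:
    server = await asyncio.start_server(handle_client, *LISTEN)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

The classifier is deliberately narrow: it routes only the three protocols it can positively recognise and drops everything else, and the peek reads at most 16 bytes before a backend is chosen, so a slow or hostile client cannot hold the frontend waiting for a full request. Log the `kind` and client address at the routing decision if you run something like this; those records are what you need to see who is reaching sshd through the shared port.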