This dynamic HTTP proxy tunnels your HTTP requests through SSH connections using public key authentication. The intention to develop this program is the requirement of polling Prometheus exporters through SSH.
A proxy request looks like this:
GET http://<jumphost>/<destination-host>/<destination-path> HTTP/1.1
You can override the SSH username by using HTTP Basic Auth.
After installation (see below), start the proxy on localhost:8000
:
$ http-over-ssh -listen 127.0.0.1:8000
For a full list of options run http-over-ssh -help
.
Assuming this proxy runs on the same machine as Prometheus on localhost:8080
and you want to scrape to remote hosts running prometheus exporters on localhost:9100
,
simply add to your scrape configs:
- job_name: 'node-exporter'
proxy_url: http://localhost:8080/
metrics_path: /localhost:9100/metrics
relabel_configs:
- source_labels: ['__address__', '__metrics_path__']
regex: '(.+):\d+;/localhost:(\d+)/.*'
replacement: '$1:$2'
target_label: 'instance'
static_configs:
- targets:
- www.example.com:22
- mail.example.com:22
To restrict an SSH key to only forward connections to localhost:9100
, append to the ~/.ssh/authorized_keys
:
restrict,port-forwarding,permitopen="localhost:9100" ssh-ed25519 <the-key> prometheus@example.com
Prometheus metrics can be retrieved via /metrics
.
If you have the Go toolchain installed, a simple
$ go get github.com/digineo/http-over-ssh
will place a http-over-ssh
binary in $GOPATH/bin/
.
Alternatively, you may download a pre-built binary from the Github
release page and extract the binary into your $PATH
.
- clean up idle ssh connections
- support for unix sockets
MIT Licence. Copyright 2018, Digineo GmbH