Living the proxy life

For local development, we use the Symfony binary which allows us to both use regular host names such as example.wip (work in progress), as well as a TLS certificate so we can use HTTPS. Very awesome.

After setup, you just need to add a proxy pac file to your browser/OS which has this very simple rule:

    // Proxy local development
    if (dnsDomainIs(host, '.wip')) {
            return 'PROXY 127.0.0.1:7080';
    }

One of our clients has some of their web servers under IP lockdown, and now that I’m working from home, safe-listing my home IP is technically possible; they just don’t really like to do that for home IPs, which come from a DHCP pool. I get it.

VPN is the obvious choice; however, due to a bug in UniFi and/or strongSwan, when two users on the same remote network connect to our VPN, only the first can ever succeed and the second ends up in limbo, and since my wife and I both work at the same office and need to VPN, that’s not an option. Luckily for us, I can just set up a site-to-site VPN and bridge the two networks. That’s been going great for the past several years until now.

Since we are remodeling our office, we’re back to working from home again. (I’m not really sure how many times we’ve done this now. Lockdown was #1. Literally the day we returned to the office Lumen went down, so we all went back home again, that was #2. I think over the past 2 years I’ve sent employees home 3 or 4 times because of Lumen outages.)

My temporary fix has been to hotspot my laptop and then VPN over that. That works, but has been a pain. But now I’m back to my desktop which doesn’t have Wi-Fi. I could get an adapter, but I really need to live on this connection and a hotspot isn’t going to cut it.

Enter the proxies

My first fix was to install a virtual machine on my Synology so that I could install Ubuntu and ultimately the Squid proxy. That was all pretty straightforward, and I set my computer to proxy through that server on port 3128 and it just worked. Yay!

Except.

Now my Symfony proxy was broken.

Well, back to that setup script. It looked like I just needed to modify it to route local dev through one proxy and other traffic through the corporate one. While doing that I also realized that I could send only a subset of traffic through it, instead of all of my HTTP/HTTPS traffic.

    function FindProxyForURL(url, host) {

        // Proxy local development
        if (dnsDomainIs(host, '.wip')) {
            return 'PROXY 127.0.0.1:7080';
        }

        // Run certain domains through corporate proxy
        if (dnsDomainIs(host, 'xyz.example.com') || dnsDomainIs(host, 'abc.example.com')) {
            return 'PROXY 192.168.1.28:3128';
        }

        return 'DIRECT';
    }

Then I just installed a quick webserver on the proxy machine, put that file out on it and set my computer to use that for a setup script. Yay again!
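Before serving a PAC file to every machine on the network it is worth checking what each rule actually matches. The harness below is an added example, not code from the post: it re-implements the browser's `dnsDomainIs` (a plain suffix match, so `xyz.example.com` would also match a constructed `notxyz.example.com`) and pairs it with a stricter `isHostOrSubdomainOf` helper, which is my own name, for the corporate-proxy rule. The proxy addresses are the ones from the post; the hostnames are constructed.

```javascript
// Browser semantics for dnsDomainIs: true when host ends with domain.
// Written with substring rather than endsWith so it also runs in older
// PAC engines.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Stricter check (assumed helper, not a PAC built-in): the host must be
// the domain itself or a label-aligned subdomain of it.
function isHostOrSubdomainOf(host, domain) {
  return host === domain || dnsDomainIs(host, '.' + domain);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Proxy local development (leading dot, so only *.wip hosts match)
  if (dnsDomainIs(host, '.wip')) {
    return 'PROXY 127.0.0.1:7080';
  }

  // Run certain domains through the corporate proxy, label-aligned
  if (isHostOrSubdomainOf(host, 'xyz.example.com') ||
      isHostOrSubdomainOf(host, 'abc.example.com')) {
    return 'PROXY 192.168.1.28:3128';
  }

  // Everything else leaves the machine directly
  return 'DIRECT';
}

// Evaluate the rules for a list of hostnames: returns [host, route] pairs.
function routingTable(hosts) {
  return hosts.map((h) => [h, FindProxyForURL('https://' + h + '/', h)]);
}

// Stand-alone run under node; a PAC engine has no `module`, so this is skipped.
if (typeof module !== 'undefined' && require.main === module) {
  const sample = ['example.wip', 'xyz.example.com', 'app.abc.example.com',
                  'notxyz.example.com', 'example.com'];
  for (const [h, route] of routingTable(sample)) {
    console.log(h.padEnd(22), route);
  }
}
```

Run it with `node` to print the route for each constructed hostname; `notxyz.example.com` goes DIRECT here, whereas the plain `dnsDomainIs` rule would have sent it to the corporate proxy.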

SSH proxy

The next step is tunneling SSH traffic.

During the Ubuntu installation I of course turned on OpenSSH in order to administer the server, and out of the box it can tunnel SSH traffic. On the command line you can just issue a command such as:

    ssh -J [email protected] [email protected]

I’ve got two problems related to that command however:

  1. First, I have different keys for my local machine and my client machine, so I need to provide multiple identity files
  2. Second, I need to jump from my home to the office and then on to the client, so I need multiple hops

Enter the ~/.ssh/config file.

I generally don’t use this file that much. Nothing against it, just never had much of a need. I know the hosts I’m connecting to, and either I’ve got a set of known keys I use, or I just add -i when I SSH to specify.

But this file actually solves both of my problems because I can specify IdentityFile for each host, as well as ProxyJump to identify the server that needs to be connected to first.

So a sample file might look like:

    Host corporate-jump-server
        HostName 192.168.1.28
        User my-user-account
        IdentityFile ~/.ssh/id_ed25519

    Host client-jump-server
        ProxyJump corporate-jump-server
        HostName 3.3.256.256
        User remote-user-123
        IdentityFile ~/.ssh/client-key.pem

    Host client-server
        ProxyJump client-jump-server
        HostName 5.5.256.256
        User remote-user-456
        IdentityFile ~/.ssh/client-key-2.pem

Then to get to 5.5.256.256 I just run ssh client-server and all of the jumps are taken care of for me.

Ignoring the actual Ubuntu installation itself, I spent more time writing this blog post than setting up those proxies. Very quick and easy, and I didn’t need to mess with my own computer that much so that when we go back to the office I don’t have to spend a bunch of time undoing things.
