Proxy access to cluster

From Wikitech

This page documents how to access web services on private hosts.

Presently, there is no VPN access to Wikimedia Foundation's production cluster. Cloud VPS does not provide this either.

Tunnel

The example below exposes the web service at analytics1001.eqiad.wmnet:8088 on your local machine as https://localhost:9088.

ssh -N bast1002.wikimedia.org -L 9088:analytics1001.eqiad.wmnet:8088

Because the management network is restricted to the cluster management hosts (cumin1002.eqiad.wmnet, cumin2002.codfw.wmnet), you reach management hosts by tunnelling through one of them, for example:

ssh -L 8000:scs-eqsin.mgmt.eqsin.wmnet:443 cumin1001.eqiad.wmnet

Pointing your web browser to https://localhost:8000 will then show you (in this example) https://scs-eqsin.mgmt.eqsin.wmnet

If you need to reach an HTTP port (e.g. 80), don't forget to use http://localhost:8000 instead, and put the matching port (for example :80) in the ssh command.

FoxyProxy

Ops' preferred method for accessing the web interfaces on private nodes is the -D option of SSH in combination with FoxyProxy.

This document outlines how to set up this method of access. It uses Firefox and the FoxyProxy addon linked above.

  1. Install Firefox and FoxyProxy.
  2. Set up an ssh -D session for the cluster(s) you need access to. (Repeat this as needed.)
    screen
    ssh cumin1001.eqiad.wmnet -D 8080 #cumin hosts have full mgmt vlan access
    # Ctrl+a c (creates new screen window)
    # Ctrl+a d (disconnects you from the screen session, allowing you to close or otherwise use terminal)
    
  3. Now when you load up the URL patterns in the FoxyProxy settings, it will direct those URLs via your SSH tunnel to the correct cluster over the specified ports.
  4. Please note that if you use OS X, you may want to run 'exec ssh-agent bash' in your terminal screen sessions before adding your ssh key, to ensure the sessions are independently keyed and keys are not shared across them.

Patterns to route to localhost:8080:

*.wmnet
10.*
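
The two patterns above, written as an explicit routing check (an added example, not part of the original page or Wikimedia's own configuration). Using the PAC-style FindProxyForURL signature is an assumption about deployment; the check is stricter than a plain text glob, because 10.* matched as text also matches hostnames such as 10.example.com, so it requires an IPv4 literal in 10.0.0.0/8 and a real .wmnet suffix.

```javascript
// Added example: decide which requests go through the `ssh -D 8080` tunnel.
// Assumption: the SOCKS listener from step 2 is on localhost:8080.
const TUNNEL = "SOCKS5 localhost:8080";
const DIRECT = "DIRECT";

// True only for a dotted-quad IPv4 literal inside 10.0.0.0/8.
// Leading zeros are rejected so "010.1.1.1" is not read as 10.1.1.1.
function isTenNet(host) {
  const parts = host.split(".");
  if (parts.length !== 4) return false;
  const ok = parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
  return ok && parts[0] === "10";
}

// True for names ending in the ".wmnet" label, not for "wmnet.example.org"
// or "evilwmnet".
function isWmnet(host) {
  return host.endsWith(".wmnet");
}

// Same signature a browser calls in a PAC file.
function FindProxyForURL(url, host) {
  // Normalise: lower-case and strip a trailing root dot.
  const h = host.toLowerCase().replace(/\.$/, "");
  return isWmnet(h) || isTenNet(h) ? TUNNEL : DIRECT;
}

// Constructed sample URLs (not real traffic) to show the decisions.
const SAMPLES = [
  "https://scs-eqsin.mgmt.eqsin.wmnet/",
  "http://10.64.0.1:8088/",
  "https://10.example.com/",
  "https://wmnet.example.org/",
];

function classify(urls) {
  return urls.map((u) => [u, FindProxyForURL(u, new URL(u).hostname)]);
}

for (const [u, route] of classify(SAMPLES)) console.log(route.padEnd(22), u);
```

Everything that does not match stays DIRECT, so unrelated browsing never transits the management host.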
