SSH dynamic port forwarding not working

I used the following command to create a SOCKS5 proxy through ssh. Note that the worker node is behind a NAT gateway.

tsh ssh -D 0.0.0.0:1080 root@worker

And then, I try to curl an HTTPS service inside worker's network. I got the following:

$  curl --proxy socks5://127.0.0.1:1080 -vvv -k https://172.17.1.200/ops/landing
*   Trying 127.0.0.1...
* TCP_NODELAY set
* SOCKS5 communication to 172.17.1.200:443
* SOCKS5 connect to IPv4 172.17.1.200 (locally resolved)
* SOCKS5 request granted.
* Connected to 127.0.0.1 (127.0.0.1) port 1080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 172.17.1.200:443
* stopped the pause stream!
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 172.17.1.200:443

I verified that the server works by curling it from the worker node:

[root@worker ~]# curl -k  --head https://172.17.1.200/ops/landing
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=30
Content-Length: 6465
Content-Type: text/html
Date: Thu, 24 Oct 2019 04:26:06 GMT
Etag: "5db1075e-1941"
Expires: Thu, 24 Oct 2019 04:26:36 GMT
Last-Modified: Thu, 24 Oct 2019 02:07:26 GMT
Server: nginx/1.15.12
Vary: Accept-Encoding

Any clue what could be the issue?

Attaching the debug logs here:

$ tsh ssh -N --debug -D 0.0.0.0:1080 root@worker
INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/private/tmp/com.apple.launchd.9yekPU9UOY/Listeners" client/api.go:2000
DEBU [KEYSTORE]  Returning SSH certificate "/Users/jie/.tsh/keys/localhost/jie-cert.pub" valid until "2019-10-24 06:59:15 -0700 PDT", TLS certificate "/Users/jie/.tsh/keys/localhost/jie-x509.pem" valid until "2019-10-24 13:59:15 +0000 UTC". client/keystore.go:262
INFO [KEYAGENT]  Loading key for "jie" client/keyagent.go:108
INFO [CLIENT]    Connecting proxy=localhost:3023 login='root' method=0 client/api.go:1539
DEBU [KEYAGENT]  Validated host localhost:3023. client/keyagent.go:280
INFO [CLIENT]    Successful auth with proxy localhost:3023 client/api.go:1530
DEBU [CLIENT]    Found clusters: [{"name":"docker","lastconnected":"2019-10-24T04:35:31.7576753Z","status":"online"}] client/client.go:106
INFO [CLIENT]    Client= connecting to node=worker on cluster docker client/client.go:451
DEBU [KEYAGENT]  Validated host worker:0@default@docker. client/keyagent.go:280
DEBU [CLIENT]    Connected to node, no remote command execution was requested, blocking until context closes. client/api.go:921
DEBU [CLIENT]    "SOCKS5 proxy forwarding requests to \xac\x11\x01\xc8:443." client/client.go:874
DEBU [CLIENT]    "Attempting to connect proxy from 127.0.0.1:64907 to \xac\x11\x01\xc8:443." client/client.go:761
WARN [CLIENT]    Failed to proxy connection: read tcp 127.0.0.1:1080->127.0.0.1:64907: use of closed network connection. client/client.go:822
DEBU [CLIENT]    "Finished proxy from 127.0.0.1:64907 to \xac\x11\x01\xc8:443." client/client.go:822
WARN [CLIENT]    Failed to proxy connection: read tcp 127.0.0.1:1080->127.0.0.1:64907: use of closed network connection. client/client.go:877
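The debug lines above print the destination as `\xac\x11\x01\xc8:443`, which is the four octets of 172.17.1.200 emitted as a raw string instead of a formatted address, so whatever dials that string on the worker side cannot resolve it. As an added illustration, not code from the original post or from Teleport itself, here is a small Go decoder for the SOCKS5 CONNECT request that keeps the IPv4/IPv6 octet forms separate from the text DOMAINNAME form; the request bytes are constructed to match the curl command above, and the function name `parseSocks5Connect` is mine.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)
// RFC 1928 address types: IPv4/IPv6 carry raw octets, only DOMAINNAME carries text.
const (
	atypIPv4   = 0x01
	atypDomain = 0x03
	atypIPv6   = 0x04
)
// parseSocks5Connect decodes a CONNECT request (VER CMD RSV ATYP DST.ADDR DST.PORT).
func parseSocks5Connect(req []byte) (host string, port uint16, err error) {
	if len(req) < 5 || req[0] != 0x05 || req[1] != 0x01 {
		return "", 0, errors.New("not a SOCKS5 CONNECT request")
	}
	body, addrLen := req[4:], 0
	switch req[3] {
	case atypIPv4:
		addrLen = net.IPv4len
	case atypIPv6:
		addrLen = net.IPv6len
	case atypDomain:
		addrLen, body = int(body[0]), body[1:] // length-prefixed name
	default:
		return "", 0, fmt.Errorf("unknown address type %#x", req[3])
	}
	if len(body) < addrLen+2 {
		return "", 0, errors.New("truncated address or port")
	}
	addr, portBytes := body[:addrLen], body[addrLen:addrLen+2]
	if req[3] == atypDomain {
		host = string(addr) // text, safe to cast
	} else {
		// Formatting the octets is the point: string(addr) on {0xac,0x11,0x01,0xc8}
		// gives "\xac\x11\x01\xc8", the unresolvable "name" seen in the debug log above.
		host = net.IP(addr).String()
	}
	return host, binary.BigEndian.Uint16(portBytes), nil
}

func main() {
	// Constructed request: CONNECT 172.17.1.200:443 with ATYP=IPv4, as curl sends it.
	req := []byte{0x05, 0x01, 0x00, atypIPv4, 0xac, 0x11, 0x01, 0xc8, 0x01, 0xbb}
	fmt.Println(parseSocks5Connect(req)) // 172.17.1.200 443 <nil>
}
```

Separately, `-D 0.0.0.0:1080` in the first command accepts SOCKS connections from any host that can reach the client machine, not only local curl; binding `127.0.0.1:1080` keeps the tunnel into worker's network limited to local processes.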

FYI, I figured out the root cause of this.

I also submitted a PR to fix this issue:

Thanks, @jieyu! Good catch. We’ll get it reviewed.