Ansible use ssh tunnel for http proxy

Overview

If you need to use a web proxy on an ansible node to get to the Internet, you can use the ansible role I hacked together. I had a need for using an ad-hoc ssh tunnel to a proxy server.

So your node will need an ssh key for automatic authentication to the proxy server over ssh. The role just executes a “ssh -N -p 22 username@proxy.example.com -L 1234/localhost/1234” and sets up the environment hash which includes http_proxy and https_proxy.

Check out the role at my github page.

Code walkthrough

My roles always have incredibly basic main.ymls because I always use a subdirectory architecture.
---
- hosts: all
tasks:
- include: tasks/main.yml
handlers:
- handlers/main.yml
vars_files:
- vars/main.yml

Now the tasks/main.yml file is where half of the work occurs.
---
# File: /etc/ansible/roles/use-proxy/tasks/main.yml
- name: clear any ssh tunnel
shell: ps -ef | grep -iE -- "ss[h].*{{local_proxy_port}}" | awk '{print $2}' | xargs kill -9
ignore_errors: yes
- name: start ssh tunnel
shell: nohup ssh -N -p {{proxy_server_ssh_port}} {{proxy_server}} -L {{local_proxy_port}}/localhost/{{proxy_port}} &
notify: stop ssh tunnel

It’s pretty clear what each task is doing. The start ssh tunnel opens up an ssh connection. If it is successful, it notifies the stop ssh tunnel handler which will execute at the end of the play.

- name: stop ssh tunnel
shell: ps -ef | grep -iE -- "ss[h].*{{local_proxy_port}}" | awk '{print $2}' | xargs kill -9

The handler searches for and kills the ssh connection that is using the specified port.

The vars/main.yml file is important because you must customize it to your environment.
---
proxy_port: 3128
local_proxy_port: "{{proxy_port}}"
proxy_server: tunnel@demo.example.com
proxy_server_ssh_port: 22
proxy_env:
http_proxy: "http://localhost:{{local_proxy_port}}"
https_proxy: "http://localhost:{{local_proxy_port}}"

How you use this role in a playbook is at the beginning of the list of roles. You also need to define the environment as seen below.
---
- name: Playbook that uses an ssh tunnel for http_proxy
hosts: test
remote_user: root
environment: "{{ proxy_env | default(omit) }}"
roles:
- { role: use-proxy, when: usehttpproxy is defined and usehttpproxy|bool == true }
- example

You can run this playbook with the use-proxy role and environment as is against any hosts that need the http proxy. To minimize traffic back and forth, just comment out the use-proxy role, and run the play against the regular hosts.

References

Weblinks

  1. https://ansiblemaster.wordpress.com/2016/04/29/run-ansible-tasks-to-a-remote-server-using-a-ssh-tunnel/
  2. https://www.engadget.com/2006/03/21/how-to-ssh-tunnels-for-secure-network-access/