
Use local ssh port-forwarding from docker

Tags: docker, ssh

So, I'm calling a website (e.g. https://ipinfo.io/ip) from a Dockerfile. I also want to pass this traffic through an ssh local port-forward tunnel.

So what I did:

  1. create ssh tunnel

         sudo ssh -N -L 0.0.0.0:443:ipinfo.io:443 [email protected]

  2. add ipinfo in /etc/hosts

         127.0.0.1 ipinfo.io

  3. create a Dockerfile like

         FROM alpine

         RUN apk add curl

         RUN curl https://ipinfo.io/ip

So what happened: ipinfo.io could resolve to loopback, but it doesn't go through the ssh tunnel. How could I call ipinfo.io from docker so that it goes through the ssh tunnel?

P.S: I'm using macOS High Sierra

Abu Hanifa asked Oct 13 '25 01:10


1 Answer

Here are the things I did to get it working:

  1. Used IP address of ipinfo.io instead of using the hostname in the ssh command

         sudo ssh -g -N -L 0.0.0.0:443:216.239.38.21:443 [email protected]

  2. Used the below Dockerfile:

         FROM alpine

         RUN apk add curl
         RUN cat /etc/hosts

         RUN curl -v https://ipinfo.io/ip

  3. Performed build using the below command, where I mapped ipinfo.io to an IP of my local machine (in this case the IP of the virtual interface for docker):

         docker build --add-host ipinfo.io:172.17.0.1 -t test:0.0.1 .

  4. Sample output:

         Step 3/4 : RUN cat /etc/hosts
          ---> Running in b7384b27c1a5
         127.0.0.1       localhost
         ::1     localhost ip6-localhost ip6-loopback
         fe00::0 ip6-localnet
         ff00::0 ip6-mcastprefix
         ff02::1 ip6-allnodes
         ff02::2 ip6-allrouters
         172.17.0.1      ipinfo.io
         172.17.0.2      b7384b27c1a5
         Removing intermediate container b7384b27c1a5
          ---> 2a8b062984b8
         Step 4/4 : RUN curl -v https://ipinfo.io/ip
          ---> Running in 0fa2c413ab2c
         *   Trying 172.17.0.1:443...
         * TCP_NODELAY set
         * Connected to ipinfo.io (172.17.0.1) port 443 (#0)
         ...
         > GET /ip HTTP/2
         > Host: ipinfo.io
         > User-Agent: curl/7.66.0
         > Accept: */*
         >
         ...
         < HTTP/2 200
         < date: Fri, 20 Mar 2020 15:27:12 GMT
         < content-type: text/html; charset=utf-8
         < content-length: 14
         < access-control-allow-origin: *
         < x-frame-options: DENY
         < x-xss-protection: 1; mode=block
         < x-content-type-options: nosniff
         < referrer-policy: strict-origin-when-cross-origin
         < via: 1.1 google
         <
         37.42.143.111
         ...

I think there might be a need to enable GatewayPorts in the sshd_config and restart sshd for this to work.

ahasbini answered Oct 14 '25 18:10
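
Both ssh commands on this page listen on 0.0.0.0 (the answer also passes -g), so the forward accepts connections on every IPv4 interface of the build host, not only from the Docker bridge. The shell functions below are an added example, not code from the question or the answer: they classify a `-L` spec by who can reach its listener and rewrite it to bind to a single address. The names `count_colons`, `forward_exposure` and `narrow_forward` are hypothetical, and binding to 172.17.0.1 assumes that address (taken from the answer's build output) exists on the host running ssh.

```shell
#!/bin/sh
# Added example (not from the original post): audit the bind address of an
# `ssh -L` forward. Spec syntax per ssh(1): [bind_address:]port:host:hostport
# Scope: hostnames and IPv4 literals; bracketed IPv6 specs are not handled.

# Number of ':' separators in a spec (2 = no bind address, 3 = bind address).
count_colons() {
    echo $(( $(printf '%s' "$1" | tr -cd ':' | wc -c) ))
}

# forward_exposure SPEC [g]  ("g" = ssh was started with -g)
# Prints: loopback | all-interfaces | address:<bind_address> | invalid
forward_exposure() {
    case $(count_colons "$1") in
        2) # No bind address: loopback unless -g / GatewayPorts is set.
           if [ "${2:-}" = g ]; then echo all-interfaces; else echo loopback; fi
           return 0 ;;
        3) bind=${1%%:*} ;;
        *) echo invalid; return 2 ;;
    esac
    # An explicit bind address wins over -g.
    case $bind in
        ''|'*'|0.0.0.0) echo all-interfaces ;;
        localhost|127.*) echo loopback ;;
        *) echo "address:$bind" ;;
    esac
}

# narrow_forward SPEC ADDR: same forward, listener bound to ADDR only.
narrow_forward() {
    case $(count_colons "$1") in
        2) echo "$2:$1" ;;
        3) echo "$2:${1#*:}" ;;
        *) return 2 ;;
    esac
}

# Demo on the -L specs from the page; 172.17.0.1 is the bridge address
# shown in the answer's build output (assumed to exist on the build host).
for spec in 0.0.0.0:443:ipinfo.io:443 0.0.0.0:443:216.239.38.21:443; do
    echo "$spec -> $(forward_exposure "$spec" g)," \
         "narrowed: $(narrow_forward "$spec" 172.17.0.1)"
done
```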