Menu
I am developing an application that resides on a public host but whose source I must keep in a Git repository behind a corporate firewall. I'm getting very tired of the slowness of deploying via scp (copying the whole repository and shipping it over SSH on each deploy) and would like to have the remote host simply do a git pull to update. The problem is that the firewall prohibits incoming SSH connections.
Would it be possible for me to set up an SSH tunnel from my computer to the deployment computer and use my repository as the source for the git pull? After all, git is distributed, so my copy is just as valid a repository as the central one. If this is possible, what would the tunnel command and the Capistrano configuration be?
I think the tunnel will look something like
ssh -R something:deployserver.com:something [email protected]
754
To create a reverse SSH tunnel, the machine in question first needs to open an SSH connection beyond the firewall and then include a -R tunnel at the remote machine's connection port. On the man page, SSH -R description is: -R [bind_address:]port:host:hostport.
SSH is a secure connection between a client and server over which commands can be executed on the server. As long as the two devices can see each other on the internet the SSH connection can also be made from the server to the client. This is however often blocked by firewalls and NATs.
Remote port forwarding (reverse tunneling) Also often called SSH reverse tunneling, remote port forwarding redirects the remote server's port to the localhost's port. When remote port forwarding is used, at first, the client connects to the server with SSH.
-R tells the remote ssh to listen for connections, and that the local ssh should connect to the real destination.
Net::SSH implements remote forwarding. I have looked over all Capistrano's source code and couldn't see any references to it in the current release. None the less, that doesn't stop you from establishing remote forwarding before you deploy with Capistrano.
What you'll want to do is set the :local_repository and :repository paths individually. :local_repository is referenced locally to determine which commit will be used for the deployment before the connection is initiated. That leaves :repository for the remote server to pull from after the connection has been initiated. This is where you can specify the path to the repository behind the firewall.
# deploy.rb
set :local_repository, "ssh://git@serverbehindfirewall/path/to/project.git"
set :repository, "ssh://git@localhost:9000/path/to/project.git"
Before you deploy, be sure to establish the remote forward. You'll need to repeat this for each server you deploy to.
$ ssh -R 9000:serverbehindfirewall:22 [email protected]
# CTRL + C + A (Screen) or ⌘ + T (Terminal.app) to open new tab
$ cap HOSTFILTER=deployserver.com deploy # HOSTFILTER reduces set to specified host. Only useful if you have multiple servers.
Using Net::SSH this could easily be turned into a task which is executed before anything else providing greater flexibility when deploying to multiple servers.
Lastly, given you've been using scp, you might want to set deploy_via, :remote_cache which keeps a copy of the repository on the remote server. This greatly decreases your deployment time reduces the chance of corruption.
186
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
