Using SwitchTower with an ssh forwarding firewall
Posted by Guy Naor Sat, 04 Mar 2006 00:59:00 GMT
I really like switchtower and the ease it brings to rails deployment. Suddenly deployment is just as easy as rails development. This is especially true for the multi-server deployment I'm working on.
But there was one small problem. My firewall doesn't give ANY direct access to the internal machines. All connections are NATed into the internal machines. This includes even ssh connections, which are NATed from different ports into different machines. So to the outside they all look like the same server (for example deploy.famundo.com), but a collection of ports redirect ssh connections to specific internal machines. For example: deploy.famundo.com:22222 => app1:22, deploy.famundo.com:22223 => web1:22. This clashes with the way switchtower works, as it expects ssh to be running on one specific port. Even using the ssh_options[:port] in deploy.rb will use the same port for all servers.
To solve this, I added support in switchtower for assigning an optional specific port to each server. If none is given, the default will be used. Assigning different ports is very easy:
role :db, "app1" # Will use port 22
role :app, "deploy.famundo.com:2224"
role :web, "deploy.famundo.com:2223"
The change is a simple addition to switchtower/lib/switchtower/ssh.rb (in svn diff format):
--- ssh.rb (revision 3755)
+++ ssh.rb (working copy)
@@ -23,6 +23,11 @@
methods = [ %w(publickey hostbased), %w(password keyboard-interactive) ]
password_value = nil
+ # If the server has a port assigned to it (www.sample.com:2222), use it, and clean the server name
+ if server =~ /(.+):(\d{1,5})/
+ server, port = $1, $2
+ end
+
begin
ssh_options = { :username => config.user,
:password => password_value,
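Review bot: The pattern in `if server =~ /(.+):(\d{1,5})/` is unanchored and the captured port is neither converted nor range-checked, so the added block accepts more than a plain `host:port`. Without `\A` and `\z` the match succeeds on a substring, so any text after the digits is silently dropped; `\d{1,5}` admits values such as 0 or 99999; and `$2` leaves `port` as a String rather than an Integer. Suggest `\A(.+):(\d{1,5})\z`, `port = $2.to_i` with a 1..65535 check, and an explicit default for `port` when the pattern does not match, since it is only assigned inside the `if`. The visible context also ends before any line that passes `port` into `ssh_options`, so it is worth confirming in the full patch that the value is actually used.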
Now I can use switchtower, and still keep my firewall setup! Sweet!
I'll post a ticket with this patch to the Rails Trac.
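The per-server "host:port" convention described above, as an added example that is not part of the original post or of SwitchTower: a stricter parser for such server strings that anchors the match, returns the port as an Integer and rejects out-of-range values. The names parse_server_spec, check_specs and DEFAULT_SSH_PORT are hypothetical, and the bracketed IPv6 form goes beyond what the post covers.

```ruby
# Added example: strict parsing of "host[:port]" server specs for deploy roles.
# parse_server_spec, check_specs and DEFAULT_SSH_PORT are hypothetical names,
# not SwitchTower API.
DEFAULT_SSH_PORT = 22

# \A and \z anchor the whole string (in Ruby, ^ and $ only anchor a line).
HOST_PORT = /\A([A-Za-z0-9](?:[A-Za-z0-9.\-]*[A-Za-z0-9])?)(?::(\d{1,5}))?\z/
IPV6_PORT = /\A\[([0-9A-Fa-f:.]+)\](?::(\d{1,5}))?\z/

# Returns [host, port] with port as an Integer, or raises ArgumentError.
def parse_server_spec(spec, default_port = DEFAULT_SSH_PORT)
  match = HOST_PORT.match(spec) || IPV6_PORT.match(spec)
  raise ArgumentError, "malformed server spec: #{spec.inspect}" unless match

  host = match[1]
  port = match[2] ? match[2].to_i : default_port
  # \d{1,5} alone would accept 0 and 65536..99999, so check the range too.
  unless (1..65_535).cover?(port)
    raise ArgumentError, "port out of range in #{spec.inspect}"
  end
  [host, port]
end

# Constructed sample specs, modelled on the role lines in the post.
SAMPLE_SPECS = [
  "app1",                        # no port: falls back to the default
  "deploy.famundo.com:2224",
  "deploy.famundo.com:2223",
  "[2001:db8::10]:2222",         # bracketed IPv6 literal with a port
  "deploy.famundo.com:99999",    # five digits but not a valid port
  "deploy.famundo.com:22 extra"  # trailing text must not be ignored
].freeze

# Maps each spec to [host, port], or to the error message if it is rejected.
def check_specs(specs)
  specs.map do |spec|
    begin
      parse_server_spec(spec)
    rescue ArgumentError => e
      e.message
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_SPECS.zip(check_specs(SAMPLE_SPECS)).each do |spec, result|
    puts "#{spec.inspect} => #{result.inspect}"
  end
end
```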

















