Skip to content

Commit f9caf05

Browse files
marcoienimarcoieni
committed
docs(bastion): improve how to login into servers
1 parent 4e0cd2c commit f9caf05

File tree

1 file changed

+27
-15
lines changed

1 file changed

+27
-15
lines changed

src/infra/docs/bastion.md

Lines changed: 27 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,9 @@
11
# Bastion server
22

3-
* FQDN: `bastion.infra.rust-lang.org`
4-
* [Ansible playbook][ansible] to deploy this server.
5-
* [Terraform configuration][terraform] to create AWS resources.
6-
* [Instance metrics][grafana] (only available to infra team members).
3+
- FQDN: `bastion.infra.rust-lang.org`
4+
- [Ansible playbook][ansible] to deploy this server.
5+
- [Terraform configuration][terraform] to create AWS resources.
6+
- [Instance metrics][grafana] (only available to infra team members).
77

88
## Logging into servers through the bastion
99

@@ -12,20 +12,28 @@ directly to a production server with SSH. Instead, all connections must come
1212
from a small server called the "bastion", which only allows connections from a
1313
few whitelisted networks and logs any connection attempt.
1414

15-
To log into a server through the bastion you can use SSH's `-J` flag:
15+
To log into a server through the bastion, use one of the following methods:
1616

17-
```
18-
ssh -J bastion.infra.rust-lang.org servername.infra.rust-lang.org
19-
```
17+
- Use SSH's `-J` flag:
2018

21-
It's also possible to configure SSH to always jump through the bastion when
22-
connecting to a host. Add this snippet to your SSH configuration file (usually
23-
located in `~/.ssh/config`):
19+
```
20+
ssh -J <username>@bastion.infra.rust-lang.org <username>@servername.infra.rust-lang.org
21+
```
2422

25-
```
26-
Host servername.infra.rust-lang.org
27-
ProxyJump bastion.infra.rust-lang.org
28-
```
23+
- Configure your SSH client to always jump through the bastion when connecting to a host:
24+
25+
- Add this snippet to your SSH configuration file (usually located in `~/.ssh/config`):
26+
27+
```
28+
Host servername.infra.rust-lang.org
29+
ProxyJump <username>@bastion.infra.rust-lang.org
30+
```
31+
32+
- Use SSH:
33+
34+
```
35+
ssh <username>@servername.infra.rust-lang.org
36+
```
2937
3038
Please remember the bastion server only allows connections from a small list of
3139
IP addresses. Infra team members with AWS access can change the whitelist, but
@@ -71,17 +79,21 @@ When running the following commands, replace `USERNAME` and `IP_ADDRESS` with th
7179
### Updating a whitelisted IP
7280
7381
1. Run:
82+
7483
```
7584
aws ssm put-parameter --overwrite --type String --name "/prod/bastion/allowed-ips/USERNAME" --value "IP_ADDRESS/32" --region us-west-1
7685
```
86+
7787
2. [apply the Terraform configuration][terraform-apply].
7888
7989
### Removing a whitelisted IP
8090
8191
1. Run:
92+
8293
```
8394
aws ssm delete-parameter --name "/prod/bastion/allowed-ips/USERNAME" --region us-west-1
8495
```
96+
8597
2. Remove the username from the list in
8698
[`terraform/bastion/firewall.tf`][allowed-ips] (local variable
8799
`allowed_users`).

0 commit comments

Comments
 (0)