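Cloudflare really is generous, with all kinds of good things offered for free.
If we get hold of a container and want to SSH into it to work, how do we do that?
The scenario: you have obtained a free openclaw-type container, so how do you expose the services running inside it (for example, free models)? The first thing to expose is SSH, so that you can get into the container and work in it. The steps are as follows:
1. Create the CF tunnel
In the CF menu go to Protect & Connect –> Zero Trust. Note that this step requires creating a Team and then binding a credit card, preferably a Bybit card with no money on it, which produces a Zero Trust Free plan.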

Then go to Networks –> Connectors

Create a new tunnel

Once the tunnel has been created, you need to run a cloudflared command, and the tunnel is then established
/usr/local/bin/cloudflared tunnel run --token ${TUNNEL_TOKEN}
It is best to turn this into a service
#!/bin/bash
set -e
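# ── Configuration (placeholder token; substitute the one shown for your tunnel) ──
TUNNEL_TOKEN="aaabbbcccddd"
# ── cloudflared (fetched through the ghfast.top GitHub mirror; no checksum is verified here) ──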
curl -sL "https://ghfast.top/https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64" -o /usr/local/bin/cloudflared
chmod +x /usr/local/bin/cloudflared
cat > /etc/systemd/system/cloudflared.service <<EOF
[Unit]
Description=Cloudflare Tunnel
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
ExecStart=/usr/local/bin/cloudflared tunnel run --token ${TUNNEL_TOKEN}
Restart=always
RestartSec=5
User=root
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now cloudflared
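A hardened variant of the setup script above, added here as an example and not part of the original post: it installs the downloaded cloudflared binary only when its SHA-256 matches a value pinned from the official release, and keeps the tunnel token in a root-only EnvironmentFile instead of on the ExecStart line. The function names, the /etc/cloudflared/tunnel.env path and the optional staging prefix are assumptions.

```bash
#!/bin/bash
# Added example, not from the original post. The pinned hash, the env-file
# path and the optional staging prefix are assumptions.
set -eu

# Install a downloaded file only if its SHA-256 matches the pinned value.
# usage: install_verified <downloaded-file> <expected-sha256> <dest>
install_verified() {
    iv_got=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$iv_got" != "$2" ]; then
        echo "checksum mismatch for $1: got $iv_got" >&2
        return 1
    fi
    mkdir -p "$(dirname "$3")"
    cp "$1" "$3"
    chmod 0755 "$3"
}

# Store the token in a root-only env file and write a unit that reads it.
# cloudflared takes the token from the TUNNEL_TOKEN environment variable,
# so it stays out of the unit file and out of the process arguments.
# usage: write_tunnel_unit <token> [staging-prefix]
write_tunnel_unit() {
    wt_prefix=${2:-}
    mkdir -p "$wt_prefix/etc/systemd/system" "$wt_prefix/etc/cloudflared"
    chmod 0700 "$wt_prefix/etc/cloudflared"
    ( umask 077; printf 'TUNNEL_TOKEN=%s\n' "$1" > "$wt_prefix/etc/cloudflared/tunnel.env" )
    chmod 0600 "$wt_prefix/etc/cloudflared/tunnel.env"
    cat > "$wt_prefix/etc/systemd/system/cloudflared.service" <<'EOF'
[Unit]
Description=Cloudflare Tunnel
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
EnvironmentFile=/etc/cloudflared/tunnel.env
ExecStart=/usr/local/bin/cloudflared tunnel run
Restart=always
RestartSec=5
User=root
[Install]
WantedBy=multi-user.target
EOF
}
```

Call `install_verified` on the file curl saved, then `write_tunnel_unit "$TUNNEL_TOKEN"` with no prefix to write into the live /etc, followed by the same `systemctl daemon-reload` and `systemctl enable --now cloudflared`.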
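2. Install the Dropbear sshd service
For the second step we need to install the most lightweight sshd service
#!/bin/bash
# ===== 1. Download and unpack the dropbear binaries (plain-HTTP fetch, no apt signature check) =====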
mkdir -p /root/.local/bin /root/.local/lib /root/.ssh
if [ ! -x /root/.local/bin/dropbear ]; then
curl -sSL 'http://deb.debian.org/debian/pool/main/d/dropbear/dropbear-bin_2022.83-1+deb12u3_amd64.deb' -o /tmp/dropbear.deb
dpkg-deb -x /tmp/dropbear.deb /tmp/dropbear-extract
cp /tmp/dropbear-extract/usr/sbin/dropbear /root/.local/bin/dropbear
cp /tmp/dropbear-extract/usr/bin/dropbearkey /root/.local/bin/dropbearkey
cp /tmp/dropbear-extract/usr/bin/dbclient /root/.local/bin/dbclient 2>/dev/null || true
chmod +x /root/.local/bin/dropbear /root/.local/bin/dropbearkey
rm -rf /tmp/dropbear.deb /tmp/dropbear-extract
fi
# ===== 2. Download and unpack the dependency libraries =====
if [ ! -f /root/.local/lib/libtomcrypt.so.1 ]; then
curl -sSL 'http://deb.debian.org/debian/pool/main/libt/libtommath/libtommath1_1.2.0-6_amd64.deb' -o /tmp/libtommath1.deb
curl -sSL 'http://deb.debian.org/debian/pool/main/libt/libtomcrypt/libtomcrypt1_1.18.2-6_amd64.deb' -o /tmp/libtomcrypt1.deb
dpkg-deb -x /tmp/libtommath1.deb /tmp/libtommath1-extract
dpkg-deb -x /tmp/libtomcrypt1.deb /tmp/libtomcrypt1-extract
cp /tmp/libtommath1-extract/usr/lib/x86_64-linux-gnu/libtommath.so.1.2.0 /root/.local/lib/
cp /tmp/libtomcrypt1-extract/usr/lib/x86_64-linux-gnu/libtomcrypt.so.1.0.1 /root/.local/lib/
cd /root/.local/lib/ && ln -sf libtommath.so.1.2.0 libtommath.so.1
cd /root/.local/lib/ && ln -sf libtomcrypt.so.1.0.1 libtomcrypt.so.1
rm -rf /tmp/libtommath1.deb /tmp/libtomcrypt1.deb /tmp/libtommath1-extract /tmp/libtomcrypt1-extract
fi
# ===== 3. Generate the host keys =====
if [ ! -f /root/.ssh/dropbear_ed25519_host_key ]; then
LD_LIBRARY_PATH=/root/.local/lib /root/.local/bin/dropbearkey -t ed25519 -f /root/.ssh/dropbear_ed25519_host_key
fi
if [ ! -f /root/.ssh/dropbear_rsa_host_key ]; then
LD_LIBRARY_PATH=/root/.local/lib /root/.local/bin/dropbearkey -t rsa -f /root/.ssh/dropbear_rsa_host_key
fi
# ===== 4. Generate the user key (no passphrase) and set up authorized_keys =====
if [ ! -f /root/.ssh/id_ed25519 ]; then
ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ''
fi
cat /root/.ssh/id_ed25519.pub > /root/.ssh/authorized_keys
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys
chmod 600 /root/.ssh/id_ed25519
Likewise, turn this into a service
[Unit]
Description=dropbear Tunnel
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
ExecStart=/root/.local/bin/dropbear -F -E -R -p 22 -r /root/.ssh/dropbear_ed25519_host_key -r /root/.ssh/dropbear_rsa_host_key
Environment="LD_LIBRARY_PATH=/root/.local/lib"
Restart=always
RestartSec=5
User=root
[Install]
WantedBy=multi-user.target
3. Configure the CF tunnel
Configure the route under Published application routes

In effect this configures a hostname, qclaw.aaa.bbb, and forwards SSH to localhost:22

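4. Connect over SSH
This point is also very important: it looks as if port 22 has been reverse-proxied out, but it exists only inside CF's network and not on the public internet, so connecting from the public internet still has to be bridged through CF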
# .ssh/config
Host qclaw.aaa.bbb.ccc
HostName qclaw.aaa.bbb.ccc
User root
ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
# The connection must also be made in this specific way:
ssh -i /root/.ssh/key -o HostKeyAlgorithms=ssh-ed25519 root@qclaw.aaa.bbb.ccc