gnezim/flights_web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
flights_web/deployment/systemd/flights-tim-tunnel.service
T
gnezim 03eeddfbf8 CI/CD pipeline: ssh -L tunnel for TIM API + manual Jenkins trigger 
Two design pivots discovered during Phase B prerequisites:

Routing: Replace static-route + NAT plan with persistent ssh -L tunnel
from pve-201 to webzavod (deployment/systemd/flights-tim-tunnel.service).
nginx proxies /api/ and /map/api/ to https://127.0.0.1:8443 with SNI/Host
overrides so cert validation still targets the real hostname. No webzavod
kernel changes (no ip_forward/MASQUERADE), no /etc/hosts pin needed.

Workflow B: Drop Jenkins trigger/poll automation (operator lacks Jenkins
job-configure access and user API token access). release.yml now stops
after MR merge with a Telegram message containing the Jenkins job URL.
release-verify.yml (new, workflow_dispatch only) runs the customer-URL
e2e suite once the operator has triggered Jenkins manually and it has
completed.

Other:
- SSR loopback port 8081 -> 3002 (8081 was taken by openwebui on pve-201)
- notify-telegram.sh skips cleanly when TG secrets unset (was: hard-fail)
- README + spec addendum cover the new prereqs and removed steps
2026-04-27 11:58:39 +03:00

45 lines
1.5 KiB
Desktop File
Raw Permalink Blame History

# SSH local-forward tunnel: pve-201 -> webzavod -> flights.test.aeroflot.ru:443.
#
# nginx on pve-201 proxies /api/ and /map/api/ to https://127.0.0.1:8443. This
# unit forwards 8443 over SSH to webzavod (192.168.88.58), which terminates the
# corp VPN (ppp0). The customer WAF whitelists webzavod's egress IP, so requests
# arriving via this tunnel reach the real backend instead of the WAF interstitial.
#
# Webzavod's authorized_keys entry restricts this key to:
# command="exit 1",no-pty,no-X11-forwarding,no-agent-forwarding,no-user-rc,
# permitopen="flights.test.aeroflot.ru:443"
#
# Install:
# sudo cp deployment/systemd/flights-tim-tunnel.service /etc/systemd/system/
# sudo systemctl daemon-reload
# sudo systemctl enable --now flights-tim-tunnel.service
#
# Verify:
# ss -ltn | grep ':8443\b'
# curl -k --resolve flights.test.aeroflot.ru:8443:127.0.0.1 \
# -o /dev/null -w '%{http_code}\n' \
# https://flights.test.aeroflot.ru:8443/swagger/index.html # expect 401
[Unit]
Description=SSH tunnel pve-201->webzavod for flights.test.aeroflot.ru:443
Documentation=https://git.gnerim.ru/gnezim/Aeroflot.Flights.Web
Wants=network-online.target
After=network-online.target
[Service]
Type=simple
User=gnezim
ExecStart=/usr/bin/ssh -N \
-o BatchMode=yes \
-o ExitOnForwardFailure=yes \
-o ServerAliveInterval=30 \
-o ServerAliveCountMax=3 \
-o StrictHostKeyChecking=accept-new \
-L 127.0.0.1:8443:flights.test.aeroflot.ru:443 \
gnezim@192.168.88.58
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
Reference in New Issue View Git Blame Copy Permalink