Connecting Coolify to Servers Behind a Gateway

[nuxwin]

Good morning,

@andrasbacsai I'm posting this here so other people can know how to proceed if they need to. ;)

In our infrastructure, some servers are not accessible through the WAN, and our Coolify instance is hosted outside their LAN. To access servers that are not directly reachable, we need to pass through an intermediate server, referred to as the gateway.

It is possible to configure Coolify to access these servers as follows:

1. Configure SSH on the Server Hosting Coolify

On the server hosting Coolify, create the .ssh directory and a .ssh/config file for the Coolify webuser user:

# Create the SSH directory and config file
mkdir -p /data/coolify/.ssh

# Tree structure of the .ssh directory
tree .ssh/
.ssh/
└── config

# Check the permissions of the `.ssh` directory and file
ls -la .ssh/
total 12
drwx------  2 9999 9999 4096 Sep 21 16:22 .
drwx------ 13 9999 root 4096 Sep 21 15:30 ..
-rw-------  1 9999 9999  355 Sep 21 16:15 config

2. Edit the SSH Configuration File

In the .ssh/config file, add the following content:

# The gateway server
Host gateway-server
  Hostname <hostname_gateway_server>
  Port 22
  User <TheUser>
  IdentityFile ~/storage/app/ssh/keys/<the_private_key_generated_by_coolify>
  IdentitiesOnly yes

# The target server (the server you want to add to Coolify)
Host target-server
  Hostname <hostname_target_server>
  ProxyJump gateway-server
  IdentitiesOnly yes

Note: Replace <hostname_gateway_server>, <hostname_target_server>, <TheUser>, and <the_private_key_generated_by_coolify> with your actual values.

3. Mount the .ssh Directory in Coolify's Container

Create a custom Docker Compose file to mount the .ssh directory into the webuser home directory within Coolify:

# Example of the custom docker-compose file
cat /data/coolify/source/docker-compose.custom.yml 

services:
  coolify:
    volumes:
      - /data/coolify/.ssh:/var/www/html/.ssh

4. Apply the Configuration

After configuring the SSH and Docker Compose setup, apply the changes by running the upgrade.sh script:

cd /data/coolify/source
./upgrade.sh

Now, Coolify should be able to connect to the target server through the gateway.

5. Additional Configuration for Non-Root Users

If you are using an unprivileged (non-root) user to access the target server, ensure the user has passwordless sudo privileges by adding the following in /etc/sudoers.d/<username> on the target server:

sudo cat /etc/sudoers.d/<username>

<username> ALL=(ALL) NOPASSWD: ALL

Conclusion

This setup should allow Coolify to access servers behind a gateway via SSH tunneling, while also handling non-root user access on the target server. Follow these steps, replacing placeholder values with your actual configuration details, and you should be set.

Hope this helps!

[nuxwin]

Update: In latest Coolify image, www-data homedir is now /home/www-data rather than /var/www/html