autossh is an SSH proxy client that monitors and automatically restarts SSH proxy services, ensuring the stability of tunnel connections.

| Term | Description |
|---|---|
| local | Local Docker container (environment where the autossh process runs) |
| target | The endpoint and destination of the tunnel, i.e., the location of the service you ultimately want to access |
| remote | The "middleman" or "proxy server" for tunnel transmission, through which you indirectly access the target service |
| source | Your initial endpoint, which can access the proxy server but cannot directly reach the target service |

Below is an example of a reverse proxy configuration (using -L local port forwarding mode):

```yaml
services:
  proxy_server:
    image: jnovack/autossh
    container_name: proxy_server
    restart: always
    environment:
      # IP address to bind to
      - SSH_BIND_IP=0.0.0.0
      # Remote SSH username
      - SSH_REMOTE_USER=user
      # Domain name or IP of the proxy server
      - SSH_REMOTE_HOST=x.x.x.x
      # SSH port of the proxy server
      - SSH_REMOTE_PORT=22
      # Address of the target service (from the proxy server's perspective)
      - SSH_TARGET_HOST=localhost
      # Port of the target service
      - SSH_TARGET_PORT=8000
      # Tunnel entry port (locally listened port)
      - SSH_TUNNEL_PORT=8000
      # Tunnel mode (-L for local forwarding)
      - SSH_MODE=-L
```


| Variable | Default | Description |
|---|---|---|
| SSH_REMOTE_USER | root | Remote SSH login username |
| SSH_REMOTE_HOST | localhost | Remote SSH server address (proxy server) |
| SSH_REMOTE_PORT | 22 | Remote SSH server port |
| SSH_TUNNEL_PORT | random >32768 | Tunnel entry port; the listening location depends on SSH_MODE |
| SSH_TARGET_HOST | - | Final target service address (resolved from the proxy server) |
| SSH_TARGET_PORT | - | Final target service port |
| SSH_BIND_IP | mode-dependent | IP address to bind: in -R mode it is the remote address; in -L mode it defaults to 127.0.0.1 and can be set to 0.0.0.0 to accept connections on all interfaces |


| Variable | Default | Description |
|---|---|---|
| SSH_STRICT_HOST_IP_CHECK | True | Whether to check the host IP address, preventing man-in-the-middle risks due to dynamic IP changes |
| SSH_KEY_FILE | - | Path to SSH private key file; when using Docker secrets, can be set to `/run/secrets/<secret-name>` |
| SSH_SERVER_ALIVE_INTERVAL | - | Keep-alive interval (seconds); sends heartbeat packets when no data is transmitted |
| SSH_SERVER_ALIVE_COUNT_MAX | 3 | Maximum number of heartbeat failures; after exceeding, disconnect and reconnect. Set to 0 to disable |
| SSH_OPTIONS | - | Additional SSH command line options, e.g., `-o StreamLocalBindUnlink=yes` to recreate Unix sockets |


| Mode | Description | Equivalent SSH Command Example |
|---|---|---|
| `-R` | Remote port forwarding (default): forwards traffic from a port on the proxy server to a local service | `ssh -R 9000:localhost:3000 user@remote_server` |
| `-L` | Local port forwarding: forwards traffic from a locally listened port through the proxy server to a remote target service | `ssh -L 3000:target_server:9000 user@remote_server` |

`-R` mode: Access `<proxy_IP>:<SSH_TUNNEL_PORT>` on the proxy server; traffic is forwarded to `<SSH_TARGET_HOST>:<SSH_TARGET_PORT>` locally.

`-L` mode: Access `<SSH_BIND_IP>:<SSH_TUNNEL_PORT>` locally; traffic is forwarded via the proxy server to `<SSH_TARGET_HOST>:<SSH_TARGET_PORT>`.

| Mount Path | Description | Docker Mount Example |
|---|---|---|
| `/id_rsa` | SSH private key file for password-less login to the proxy server | `-v /path/to/id_rsa:/id_rsa` |
| `/known_hosts` | Known hosts file to skip first-time connection confirmation or pin host fingerprints | `-v /path/to/known_hosts:/known_hosts` |
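
The variable, mode and mount tables above, tied together in an added example (not code from the image or its author): `equivalent_ssh` prints the plain `ssh` command the current `SSH_*` values correspond to, and `audit_tunnel` flags an all-interfaces bind, a host IP check that is not `True`, and a missing pinned `known_hosts` file. The function names are hypothetical, and the sample values are the ones from the compose example.

```shell
#!/bin/sh
# Added example, not the image's entrypoint; function names are hypothetical.

# Print the plain ssh command that the mode table describes for the current
# SSH_* environment. Defaults come from the variable table; SSH_TUNNEL_PORT,
# SSH_TARGET_HOST and SSH_TARGET_PORT are expected to be set.
equivalent_ssh() {
    spec="${SSH_TUNNEL_PORT}:${SSH_TARGET_HOST}:${SSH_TARGET_PORT}"
    if [ -n "${SSH_BIND_IP:-}" ]; then spec="${SSH_BIND_IP}:${spec}"; fi
    printf 'ssh %s %s -p %s %s@%s\n' "${SSH_MODE:--R}" "$spec" \
        "${SSH_REMOTE_PORT:-22}" "${SSH_REMOTE_USER:-root}" "${SSH_REMOTE_HOST:-localhost}"
}

# Print one WARN line per finding; the exit status is the number of findings.
# $1 is the known_hosts file to check (default: the /known_hosts mount path).
audit_tunnel() {
    known_hosts=${1:-/known_hosts}
    findings=0
    warn() { echo "WARN $*"; findings=$((findings + 1)); }
    case "${SSH_MODE:--R}:${SSH_BIND_IP:-}" in
        -L:0.0.0.0) warn "entry port ${SSH_TUNNEL_PORT} listens on every interface of the container" ;;
        -R:0.0.0.0) warn "entry port ${SSH_TUNNEL_PORT} is requested on every interface of the proxy server" ;;
    esac
    case "${SSH_STRICT_HOST_IP_CHECK:-True}" in
        [Tt]rue|TRUE) ;;
        *) warn "SSH_STRICT_HOST_IP_CHECK is not True: host IP changes go unchecked" ;;
    esac
    if [ ! -s "$known_hosts" ]; then
        warn "no host key pinned at $known_hosts"
    fi
    return "$findings"
}

# Constructed input: the values from the compose example above.
SSH_MODE=-L; SSH_BIND_IP=0.0.0.0; SSH_TUNNEL_PORT=8000
SSH_TARGET_HOST=localhost; SSH_TARGET_PORT=8000
SSH_REMOTE_USER=user; SSH_REMOTE_HOST=x.x.x.x; SSH_REMOTE_PORT=22
equivalent_ssh
audit_tunnel || echo "findings: $?"
```

With `SSH_BIND_IP=0.0.0.0` in `-L` mode, who can actually reach the entry port is then decided by the container's network attachments and any published ports.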