Exposing Remote Services via SSH Using autossh

Introduction to autossh

autossh is an SSH proxy client that monitors and automatically restarts SSH proxy services, ensuring the stability of tunnel connections.

Key Terminology

Term	Description
local	Local Docker container (environment where the autossh process runs)
target	The endpoint and destination of the tunnel, i.e., the location of the service you ultimately want to access
remote	The "middleman" or "proxy server" for tunnel transmission, through which you indirectly access the target service
source	Your initial endpoint, which can access the proxy server but cannot directly reach the remote service

Docker Compose Configuration Example

Below is an example of a reverse proxy configuration (using -L local port forwarding mode):

services:
  proxy_server:
    image: jnovack/autossh
    container_name: proxy_server
    restart: always
    environment:
      # IP address to bind to
      - SSH_BIND_IP=0.0.0.0
      # Remote SSH username
      - SSH_REMOTE_USER=user
      # Domain name or IP of the proxy server
      - SSH_REMOTE_HOST=x.x.x.x
      # SSH port of the proxy server
      - SSH_REMOTE_PORT=22
      # Address of the target service (from the proxy server's perspective)
      - SSH_TARGET_HOST=localhost
      # Port of the target service
      - SSH_TARGET_PORT=8000
      # Tunnel entry port (locally listened port)
      - SSH_TUNNEL_PORT=8000
      # Tunnel mode (-L for local forwarding)
      - SSH_MODE=-L

Core Environment Variables

Connection Configuration

Variable	Default	Description
SSH_REMOTE_USER	root	Remote SSH login username
SSH_REMOTE_HOST	localhost	Remote SSH server address (proxy server)
SSH_REMOTE_PORT	22	Remote SSH server port
SSH_TUNNEL_PORT	random >32768	Tunnel entry port; the listening location depends on SSH_MODE
SSH_TARGET_HOST	-	Final target service address (resolved from the proxy server)
SSH_TARGET_PORT	-	Final target service port
SSH_BIND_IP	mode‑dependent	IP address to bind: for -R mode it's the remote address; for -L mode defaults to 127.0.0.1, can be set to 0.0.0.0 to allow all

Security and Connection Keep‑alive

Variable	Default	Description
SSH_STRICT_HOST_IP_CHECK	True	Whether to check the host IP address, preventing man‑in‑the‑middle risks due to dynamic IP changes
SSH_KEY_FILE	-	Path to SSH private key file; when using Docker secrets, can be set to /run/secrets/<secret-name>
SSH_SERVER_ALIVE_INTERVAL	-	Keep‑alive interval (seconds); sends heartbeat packets when no data is transmitted
SSH_SERVER_ALIVE_COUNT_MAX	3	Maximum number of heartbeat failures; after exceeding, disconnect and reconnect. Set to 0 to disable
SSH_OPTIONS	-	Additional SSH command line options, e.g., -o StreamLocalBindUnlink=yes to recreate Unix sockets

Detailed Explanation of SSH_MODE

Mode	Description	Equivalent SSH Command Example
R	Remote port forwarding (default): forwards traffic from a port on the proxy server to a local service	ssh -R 9000:localhost:3000 user@remote_server
L	Local port forwarding: forwards traffic from a locally listened port through the proxy server to a remote target service	ssh -L 3000:target_server:9000 user@remote_server

• -R mode: Access <proxy_IP>:<SSH_TUNNEL_PORT> on the proxy server; traffic is forwarded to <SSH_TARGET_HOST>:<SSH_TARGET_PORT> locally.
• -L mode: Access <SSH_BIND_IP>:<SSH_TUNNEL_PORT> locally; traffic is forwarded via the proxy server to <SSH_TARGET_HOST>:<SSH_TARGET_PORT>.

Additional Mounts

Mount Path	Description	Docker Mount Example
/id_rsa	SSH private key file for password‑less login to the proxy server	-v /path/to/id_rsa:/id_rsa
/known_hosts	Known hosts file to skip first‑time connection confirmation or pin host fingerprints	-v /path/to/known_hosts:/known_hosts