Reverse proxy SSH using NGINX. (Subdomains to Docker containers running SSH)

TDLR: x.a.se:22 and y.a.se:22 should accept and lead to machine x and machine y respectively. NGINX just coordinates traffic by reverse proxying.

Hi there awesome community, Oscar from Sweden here.

Current setup

I have a host machine that accepts a.se, let's call the host machine A. So ssh [email protected] leads to the SSH-service at port 22 on machine A. Machine A run docker containers: machine B and some other machines, lets focus on one container at a time.

Desired usage

I want this to happen:

  1. The user Bob operating machine B does not have access to machine A since the user is not trusted.
  2. User Bob connects to b.a.se:22 with SSH and gets a shell at machine B.

The problem

I don't know how to configure this. I think I'm looking for a reverse proxy of SSH. All my other endpoints are reversed proxied using NGINX since that is what I'm best at, so I'm looking into ngx_stream_proxy_module which can basically reverse proxy any TCP connections. The thing is that i cant wrap my head around how NGINX stream proxy should be able to distinguish between a.se, b.a.se and let's say n.a.se where n is any string.

If you have any questions regarding my setup or the question itself, please add a comment and i will add an edit to this question. Thanks in advance, any help and insight is much appreciated.

Note: The host machine runs Debian 11 and I have full access. I prefer Docker as a container manager and NGINX to route network traffic.

Note: I've added links to some of the most basic resources, this is not to poke fun of potential helpers, it's too aid in helping others who read this thread in the future asking the same question as I do now.


One can connect to the container by using host A as the jump host. However, this requires a user-account on host A for this purpose.

One can limit the jump host account so that there is no access to the server itself.

The limitation can be done in host A sshd_config.

Match user bob
    X11Forwarding no
    AllowTcpForwarding
    ForceCommand ssh bob@<container>

After setting this up, one can:

  1. ssh [email protected]
  2. Give host system password
  3. SSH daemon will force execute the SSH command to the container
  4. Give container password

One could also create a keypair on the host in bob account that would be used for authenticating to the container. Then the second password wouldn't be needed.