如何通过 Windows 中的 ssh 隧道将 Java Mission Control 连接到 AWS EC2 实例？

如何解决如何通过 Windows 中的 ssh 隧道将 Java Mission Control 连接到 AWS EC2 实例？

我需要一个从运行 Windows 10 的本地计算机到 AWS EC2 主机的 ssh 隧道，以便通过 Java Mission Control 监控 java 进程。为此，我遵循了无数指南，例如http://issamben.com/how-to-monitor-remote-jvm-over-ssh/。我使用的参数是所有这些指南的组合。主机上的 Java 进程使用以下 jvm 参数在 Java 8 上运行：

-XX:+UnlockCommercialFeatures
-XX:+FlightRecorder
-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.port=9405
-Djava.rmi.server.hostname=10.0.1.1
-Dcom.sun.management.jmxremote.rmi.port=9415
-Dcom.sun.management.jmxremote.local.only=false 
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=false

我检查进程是否真的在监听 JMX 端口

nc -z localhost 9405

告诉我

Connection to localhost 9405 port [tcp/*] succeeded!

到目前为止一切顺利。现在让我们进入隧道。我正在使用 JMC 的测试连接功能来检查隧道是否正常工作：

以下命令用于建立隧道：

 ssh -l ec2-user -i .\ec2key.pem 46.123.23.231  -v -N -L localhost:9405:10.0.1.2:9405

46.123.23.231 自然是 EC2 实例的公共 IP。 10.0.1.2 是我的 VPC 中 EC2 实例的内部 IP。我可以通过 ssh 成功连接到实例，仅使用“-v”之前的命令的第一部分，或者如果我只是省略“-N”。所以我的安全组似乎根据需要进行了配置。

让我给你看看 ssh 的输出：

debug1: Reading configuration data C:\\Users\\User/.ssh/config
debug1: Connecting to 46.123.23.231 [46.123.23.231] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file .\\ec2key.pem type -1
debug1: key_load_public: No such file or directory
debug1: identity file .\\ec2key.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: Remote protocol version 2.0,remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 46.123.23.231:22 as 'ec2-user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:fkfgiekugo2iskelgioxq9itlkcs/KVISmiofjsaFSADf
debug1: Host '46.123.23.231' is kNown and matches the ECDSA host key.
debug1: Found key in C:\\Users\\User/.ssh/kNown_hosts:7
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: .\\ec2key.pem
debug1: Authentication succeeded (publickey).
Authenticated to 46.123.23.231 ([46.123.23.231]:22).
debug1: Local connections to localhost:9405 forwarded to remote address 10.0.1.2:9405
debug1: Local forwarding listening on ::1 port 9405.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 9405.
debug1: channel 1: new [port listener]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0

点击 JMC 中的测试连接按钮产生：

debug1: Connection to port 9405 forwarding to 10.0.1.2 port 9405 requested.
debug1: channel 2: new [direct-tcpip]
debug1: channel 2: free: direct-tcpip: listening port 9405 for 10.0.1.2 port 9405,connect from 127.0.0.1 port 53929 to 127.0.0.1 port 9405,nchannels 3
debug1: Connection to port 9405 forwarding to 10.0.1.2 port 9405 requested.
debug1: channel 2: new [direct-tcpip]
debug1: channel 2: free: direct-tcpip: listening port 9405 for 10.0.1.2 port 9405,connect from 127.0.0.1 port 53931 to 127.0.0.1 port 9405,connect from 127.0.0.1 port 53934 to 127.0.0.1 port 9405,nchannels 3

并且 JMC 告诉我“无法连接”而没有任何特定的错误消息。我在主机上配置了 ssh-daemon

AllowTcpForwarding yes

我还尝试使用自定义 JMX 服务 URL：

service:jmx:rmi://localhost:9415/jndi/rmi://localhost:9405/jmxrmi

我错过了什么？

编辑：一些网站建议 jmc 使用的连接会打开一些随机端口，这就是它不能通过 frirewalls 使用的原因。所以我试图模仿这里建议的开箱即用的管理：https://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html。

所以也很成功。