SSH Tunnels: Dynamically Adjusting Remote Port Forwarding Rules and Querying the Configuration (Technical Q&A)

Solution for Dynamic Remote Port Switching in SSH Tunneling

Your initial approach cannot work because local port forwarding (the -L flag you are using) is controlled entirely by the client. The SSH server on your EC2 instance has no way to modify or redirect the client's forwarding rules; they live on your local machine, not on the remote server. sshd_config can only restrict forwarding (AllowTcpForwarding, PermitOpen), never rewrite a destination, which is why you found no relevant setting there.

There is a clean workaround, though: run a lightweight TCP proxy on the EC2 instance, point the tunnel at one fixed port, and let the proxy decide which backend port to use. Here is how to set it up:

Step 1: Adjust Your Client's SSH Tunnel

First, update your local SSH command to forward port 1993 to a fixed "proxy port" on EC2 (we'll use 8000 as an example). The destination 127.0.0.1 is resolved by sshd on the EC2 side, so it refers to the instance's own loopback interface:

ssh -L 1993:127.0.0.1:8000 ec2-user@your-ec2-instance-ip

You only need to do this once—from now on, your client will always point to port 8000 on EC2, and the proxy will handle the dynamic backend switch.

Step 2: Set Up a TCP Proxy on EC2

We'll use socat (a versatile networking tool) to create a proxy that forwards to port 9999 while something is listening there and to port 10000 otherwise.

  1. Install socat on your EC2 instance, plus nc, which the script below uses to probe the backend ports:

    # For Amazon Linux/RHEL
    sudo yum install socat nmap-ncat -y
    # For Ubuntu/Debian
    sudo apt install socat netcat-openbsd -y
    
  2. Create a monitoring script (save it as /home/ec2-user/dynamic-proxy.sh):

    #!/bin/bash
    # Forward PROXY_PORT (loopback only) to whichever backend port is
    # currently accepting connections, preferring TARGET_PRIMARY.
    PROXY_PORT=8000
    TARGET_PRIMARY=9999
    TARGET_FALLBACK=10000
    CHECK_INTERVAL=10
    
    ACTIVE_TARGET=""
    SOCAT_PID=""
    
    # Stop the listener cleanly when systemd stops the service
    cleanup() { [ -n "$SOCAT_PID" ] && kill "$SOCAT_PID" 2>/dev/null; exit 0; }
    trap cleanup TERM INT
    
    while true; do
        # Use the primary port if something is listening there, else fall back
        if nc -z 127.0.0.1 "$TARGET_PRIMARY" 2>/dev/null; then
            WANTED=$TARGET_PRIMARY
        else
            WANTED=$TARGET_FALLBACK
        fi
    
        # Restart socat only when the target changes or the listener died.
        # Restarting unconditionally every CHECK_INTERVAL seconds would cut
        # every live tunnel connection each time round the loop.
        if [ "$WANTED" != "$ACTIVE_TARGET" ] || ! kill -0 "$SOCAT_PID" 2>/dev/null; then
            # Killing the parent stops new connections; per-connection forks
            # that are already serving clients finish on the old target
            [ -n "$SOCAT_PID" ] && kill "$SOCAT_PID" 2>/dev/null
            # bind=127.0.0.1: reachable only via the SSH tunnel, not from the network
            socat TCP-LISTEN:"$PROXY_PORT",bind=127.0.0.1,fork,reuseaddr \
                  TCP:127.0.0.1:"$WANTED" &
            SOCAT_PID=$!
            ACTIVE_TARGET=$WANTED
            echo "Proxy switched to target port $ACTIVE_TARGET"
        fi
    
        sleep "$CHECK_INTERVAL"
    done
    
  3. Make the script executable:

    chmod +x /home/ec2-user/dynamic-proxy.sh
    
  4. Set it to run automatically on boot using systemd (so it survives reboots):

    • Create a systemd service file: /etc/systemd/system/dynamic-proxy.service
      [Unit]
      Description=Dynamic TCP Proxy for SSH Tunnel
      After=network.target
      
      [Service]
      User=ec2-user
      ExecStart=/home/ec2-user/dynamic-proxy.sh
      Restart=always
      
      [Install]
      WantedBy=multi-user.target
      
    • Enable and start the service:
      sudo systemctl daemon-reload
      sudo systemctl enable dynamic-proxy.service
      sudo systemctl start dynamic-proxy.service
      

How It Works

  • Your client forwards local port 1993 to 127.0.0.1:8000 on EC2 (fixed, never changes). sshd opens that connection itself on the EC2 host, so the proxy only needs to listen on loopback.
  • The EC2-side proxy probes port 9999 every 10 seconds. While something is listening on 9999, connections arriving on 8000 go to 9999; once 9999 stops accepting connections, new connections are sent to 10000 instead, and they return to 9999 when it comes back. Connections already established keep their original target; only new ones switch.
  • Your client never modifies its SSH command or learns about the backend port change; everything happens on the EC2 side.
  • Bind the proxy to 127.0.0.1. socat's TCP-LISTEN (and nginx's listen) bind to all interfaces by default, which would expose the backend to anyone who can reach the instance's port 8000 without SSH. Keep the loopback bind and do not open 8000 in the security group.

Alternative: Use Nginx as a TCP Proxy

If you prefer a more robust solution (with passive failure detection built in), you can configure Nginx's stream module to act as the TCP proxy:

  1. Make sure the stream module (ngx_stream_core_module) is available. Distribution packages often ship it as a separate dynamic module (for example libnginx-mod-stream on Debian/Ubuntu or nginx-mod-stream on Amazon Linux/RHEL) that must be installed and loaded with a load_module directive; check with nginx -V 2>&1 | grep -o 'with-stream[^ ]*'.
  2. Add this at the top level of /etc/nginx/nginx.conf (a sibling of the http {} block, not inside it). Listening on 127.0.0.1 keeps the proxy port reachable only through the SSH tunnel:
    stream {
        upstream backend {
            server 127.0.0.1:9999 max_fails=3 fail_timeout=10s;
            server 127.0.0.1:10000 backup;
        }
    
        server {
            listen 127.0.0.1:8000;
            proxy_pass backend;
        }
    }
    
  3. Validate and reload: sudo nginx -t && sudo systemctl reload nginx

Open-source Nginx only does passive checks here: a failed connection attempt to 9999 counts as one failure, and after 3 failures within 10 seconds Nginx stops trying 9999 for 10 seconds and sends new connections to the backup on 10000. Individual failed attempts are retried against the backup transparently (proxy_next_upstream is on by default), so clients do not see them. Once the 10-second window passes, 9999 is tried again. Active health checks (the health_check directive) require NGINX Plus.

The question in this content comes from Stack Exchange; question author: picki23.