Reverse Proxying

It is possible to use OpenSSH to reverse proxy to HGKeeper's SSH server. There are a number of reasons you may want to do this. You don't want to expose HGKeeper to your network or the internet, you want to use your existing OpenSSH server so you don't need to specify a different port, or maybe you have another reason we can't think of right now.

Once you have setup either a standalone or standalone container instance you can proxy it through an OpenSSH server in a few steps.


For this to work, you will need to specify the --external-hostname argument via the command line or its environment variable counter part. If you're running on a port other than 22222 you'll need to do the same with --external-port.

You will also need curl installed on the machine running the OpenSSH Server.

Create The hg User

You can name this user whatever you like, but for the sake of simplicity, we will just be using hg here. We are also going to create an hg group to keep to make sure file permissions remain tight. For most Linux/BSD distributions, you can create the hg user and group with the following commands:

sudo groupadd --system hg
sudo useradd --home-dir /var/lib/hg --create-home --system --gid hg

This is the username that you will need to specify when connecting to the OpenSSH Server and is how we will configure the server to tell it how to serve Mercurial repositories.

SSH Known Hosts

Before we update the OpenSSH Server to do the remote proxy, we need to store the HGKeeper's public host keys in our hg users known_hosts file. The easiest way to do this is to open a shell as the hg user and use ssh-keyscan to acquire the keys.

You can use the following commands to accomplish this. Make sure to swap in the proper values for <external-hostname> and <external-port> for your environment.

sudo su hg
ssh-keyscan -H <external-hostname> -p <external-port> | tee -a ~/.ssh/known_hosts

Configuring OpenSSH Server

Configuring OpenSSH Server is very straight forward. All we need to do is drop the following snippet into /etc/ssh/sshd_config. Of course, if you customized the hg username you will have to adjust the snippet.

You may be able to use /etc/ssh/sshd_config.d/hgkeeper.conf but in our testing on Debian unstable we were unable to get it working properly. If you have some pointers here, we'd love to hear them!

In the following snippet, be sure to replace <external-hostname>, <external-post>, and the hg user with the proper values for your environment.

Match User hg
    AuthorizedKeysCommand /usr/bin/curl -q --get --data-urlencode "pubkey=%t %k" http://<external-hostname>:<external-http-port>/hgk/authorized_keys
    AuthorizedKeysCommandUser hg
    PasswordAuthentication no

Open you've saved the file, you will need to reload OpenSSH Server. This is usually done via sudo service ssh reload but will vary based on your operating system.


You should now be able to clone the hgkeeper administration repository through your existing OpenSSH Server. You can use the following command to verify that everything has been setup correctly.

hg clone ssh://

If the repository cloned, you are good to go!

If that didn't work, be sure to check the logs from your OpenSSH Server as well as your HGKeeper instance, and be sure to double check your configuration.