5. Securely Manage Servers Behind a Bastion Host

In this tutorial, you’ll learn how to copy files from your local laptop to a web server running in Azure.
We’ll cover two scenarios:

1. Direct access (server has a public IP).
2. Indirect access via a bastion host (server only has a private IP).

We’ll also use a staging folder (/tmp/app) on the server to keep things clean and make updates easier.

1. Local Project Setup

On your laptop, create a folder named app/ with three files:

mkdir app
cd app

index.html

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>My Web App</title>
  <link rel="stylesheet" href="style.css">
</head>
<body>
  <h1>Hello from My Web App 🚀</h1>
  <p>This page is served from the web server!</p>
  <script src="app.js"></script>
</body>
</html>

style.css

body {
  font-family: Arial, sans-serif;
  background: #f4f4f9;
  color: #333;
  text-align: center;
  margin-top: 50px;
}

app.js

document.addEventListener("DOMContentLoaded", () => {
  const message = document.createElement("p");
  message.textContent = "✨ This text was added by app.js!";
  message.style.color = "#2c3e50";
  message.style.fontSize = "1.2em";
  message.style.marginTop = "20px";

  document.body.appendChild(message);

  // Small interaction: click anywhere to change background color
  document.body.addEventListener("click", () => {
    document.body.style.backgroundColor =
      "#" + Math.floor(Math.random()*16777215).toString(16);
  });
});

2. Copying Files with scp (Direct Access)

If your web server has a public IP, you can copy the entire app/ folder directly into /tmp/app:

scp -r app azureuser@<public_ip>:/tmp/

Then move them into the web root:

ssh azureuser@<public_ip> "sudo mv /tmp/app/* /var/www/html/"

3. Copying Files with scp via Bastion Host

If your web server only has a private IP, use a bastion host with public access:

scp -o ProxyJump=azureuser@<bastion_public_ip> -r app     azureuser@<private_ip>:/tmp/

Then move them into the web root:

ssh -A -o ProxyJump=azureuser@<bastion_public_ip> azureuser@<private_ip>     "sudo mv /tmp/app/* /var/www/html/"

4. Why Copy to /tmp/app/ First?

• The web root /var/www/html/ is owned by root, so you cannot write there directly.
• By staging files in /tmp/app/, you can upload them as your normal user.
• Then sudo mv places them in the web root in one atomic step.
• This makes it easy to update files without leaving half-finished deployments.

5. Updating Files

⚡ scp overwrites files with the same name automatically.
But using the /tmp/app/ + mv method is better because:

• You upload everything in one batch.
• You move them all at once into /var/www/html/.
• Your site stays consistent during updates.

Example:

scp -o ProxyJump=azureuser@<bastion_public_ip> -r app     azureuser@<private_ip>:/tmp/
ssh -A -o ProxyJump=azureuser@<bastion_public_ip> azureuser@<private_ip>     "sudo mv /tmp/app/* /var/www/html/"

6. Verifying Deployment

Open your browser and navigate to:

http://<server_public_ip>/

You should see your styled Hello from My Web App 🚀 page.
Check the browser console (F12 → Console) to confirm app.js is loaded.

✅ With these steps, you can deploy and update a simple static web app to your server,
whether accessed directly or through a bastion host.