Firewall – Running multiple services on Port 443, Tunnel SSH over HTTPS

firewallhttpslighttpdssh-tunnel

Situation:
I want to tunnel SSH sessions through HTTPS. I have a very restrictive firewall/proxy which only allows HTTP, FTP and HTTPS traffic.

What works:
Setting up a tunnel through the proxy to a remote linux box that has a sshd listening at port 443

The problem:
I have to have a web server (lighty) running at port 443. HTTPS traffic to other ports is forbidden by the proxy.

Ideas so far:
Set up a virtual host and proxy all incoming requests to localhost: (e.g. 22)

$HTTP["host"] == "tunnel.mylinux.box" {                                         
    proxy.server = (                                                            
        "" => (("host" => "127.0.0.1", "port" => 22))                           
    )                                                                           
}

Unfortunately this won't work. Am i doing something wrong, or is there a reason, that this won't work?

Best Answer

You can do the trick using some Perl:

sslh - Switch incoming connection between SSH and SSL/HTTPS servers

nginx.conf

#lets assume your IP address is 89.89.89.89 and also that you want nginx to listen on port 7000 and your app is running on port 3000

server {
    listen 7000 ssl;
 
    ssl_certificate /path/to/ssl_certificate.cer;
    ssl_certificate_key /path/to/ssl_certificate_key.key;
    ssl_client_certificate /path/to/ssl_client_certificate.cer;

    error_page 497 301 =307 https://89.89.89.89:7000$request_uri;

    location / {
        proxy_pass http://89.89.89.89:3000/;

        proxy_pass_header Server;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Protocol $scheme;
    }
}

However if a client makes a request via any other method except a GET, that request will be turned into a GET. Thus to preserve the request method that the client came in via; we use error processing redirects as shown in nginx docs on error_page

And thats why we use the 301 =307 redirect.

Using the nginx.conf file shown here, we are able to have http and https listen in on the same port

Windows – Using an SSH tunnel to browse the web

There are two parts to getting this to work, so I'll address them seperately.

Connecting to your Server:

As you've mentioned that all you can talk to is a proxy on 443 and 80, you'll need to tunnel your SSH connection out through the proxy. You do that by telling Putty to use the proxy server to connect. Under the 'proxy' menu. Select HTTP and then enter the details for the corporate proxy.

From your post, it seems like you've got the connection working fine.

Configure Putty to Create a SOCKS proxy on the local machine

Both putty and OpenSSH support opening a SOCKS proxy. For OpenSSH you'd use:

ssh -D <port>

And then point your browser at that port. In putty you create a 'dynamic' port forward. You'll find it under the Tunnels menu. Enter your desired listening port and then enter anything you like as a destination (it gets ignored for dynamic forwards). You can then point your browsers proxy settings at that localhost:<port> and it should work.

For more information, the relevant part of the putty documentation is at http://tartarus.org/~simon/putty-snapshots/htmldoc/Chapter3.html#using-port-forwarding.

As others have posted you may not want to circumvent the corporate filtering though as it's not something you may want to explain :).

Best Answer

Related Solutions

Nginx – Handling http and https requests using a single port with nginx

nginx.conf

Windows – Using an SSH tunnel to browse the web

Related Topic