I don't believe name-based SSH is something that will be possible given how the protocol works.
Here are some alternatives.
You could set up the host that answers for port 22 to act as a gateway. Then you can configure the ssh server to forward requests to the inside based on the key. SSH Gateway example with keys
You could adjust your client to use that host as a proxy. That is, it would ssh to the gateway host, and then make use of that host to make a connection to the internal host. SSH proxy with client configuration.
You could also set up a simple http proxy on the edge. Then use that to allow incoming connections. SSH via HTTP proxy.
Obviously with all the above, making sure you properly configure and lock down the gateway is pretty important.
I don't know of a way for apache or lighttpd to use a SOCKS proxy, but I think this is still doable with just ssh and a web server.
There are three servers.
- your.server
- gateway.server
- web.server
your.server cannot access websites on web.server or ssh to web.server. From your.server you can ssh to gateway.server. From gateway.server you can access websites on web.server.
First, set up ssh such that when a previously unused port (say, 3000) is accessed the traffic is sent via ssh to gateway.server and then via a normal connection to port 80 (or whatever the relevant port is) on web.server.
[your.server]$ ssh -fNL 3000:web.server:80 gateway.server
Second, configure the proxy in apache.
<VirtualHost *:80>
ServerName your.server
ProxyPass /some_path http://localhost:3000
ProxyPassReverse /some_path http://localhost:3000
ProxyPassReverseCookieDomain web.server your.server
ProxyPassReverseCookiePath / /some_path
</VirtualHost>
Now, you should be able to access http://your.server/some_path and get content from http://web.server. You may be done, or another step may be necessary.
The potential flaw in this setup is that the Host header will be set to localhost when apache on your.server connects to web.server. If web.server hosts multiple sites and uses the Host header to decide what site to return, this won't work. I don't know of a way to have apache's mod_proxy change the Host header to something that isn't either the host that the request was made to (your.server) or the host of the backend server (which thanks to our ssh tunnel is localhost). A hack to work around this would be to edit the hosts file on your.server so that the domain names for the sites on web.server actually point to your.server. Let's say there are two sites you want to access, site1.web.server and site2.web.server. In /etc/hosts you would put
127.0.0.1 site1.web.server site2.web.server
and your apache configuration would change to
<VirtualHost *:80>
ServerName your.server
ProxyPass /some_path http://site1.web.server:3000
ProxyPassReverse /some_path http://site1.web.server:3000
ProxyPassReverseCookieDomain site1.web.server your.server
ProxyPassReverseCookiePath / /some_path
ProxyPass /another_path http://site2.web.server:3000
ProxyPassReverse /another_path http://site2.web.server:3000
ProxyPassReverseCookieDomain site2.web.server your.server
ProxyPassReverseCookiePath / /another_path
</VirtualHost>
To secure access to your reverse proxy, look at Apache's authentication howto.
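The first answer's remark about locking down the gateway applies directly to the tunnel above: the account used on gateway.server only needs to open a local forward to web.server:80. The script below is an added example, not part of either answer; it checks `sshd -T`-style output for that account, and the account name `tunnel`, the function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the effective sshd settings of a tunnel-only account on
# gateway.server. Input is lowercase "keyword value" lines as printed by
# `sshd -T` (for example `sshd -T -C user=tunnel`; "tunnel" is an assumed name).

# Print one finding per line; print nothing when the settings are tight.
audit_tunnel_account() {
    awk -v want="$1" '
        { key = $1; $1 = ""; sub(/^ /, ""); conf[key] = $0 }
        END {
            # Only local (-L) forwards are needed for the setup on this page.
            if (conf["allowtcpforwarding"] != "local")
                print "allowtcpforwarding should be local, is: " conf["allowtcpforwarding"]
            # The forward must be pinned to the one backend it is meant for.
            if (conf["permitopen"] != want)
                print "permitopen should be " want ", is: " conf["permitopen"]
            # A forwarding-only account needs no terminal or agent.
            if (conf["permittty"] != "no")
                print "permittty should be no"
            if (conf["allowagentforwarding"] != "no")
                print "allowagentforwarding should be no"
            if (conf["x11forwarding"] != "no")
                print "x11forwarding should be no"
        }'
}

# Constructed sample: an account left on permissive settings.
SAMPLE_DEFAULT='allowtcpforwarding yes
permitopen any
permittty yes
allowagentforwarding yes
x11forwarding no'

# Constructed sample: the same account restricted to the one forward it needs.
SAMPLE_LOCKED='allowtcpforwarding local
permitopen web.server:80
permittty no
allowagentforwarding no
x11forwarding no'

# Helper so callers can compare the number of findings.
count_findings() {
    printf '%s\n' "$1" | audit_tunnel_account "$2" | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_DEFAULT" | audit_tunnel_account web.server:80
```

With the restricted settings in place, `ssh -fNL 3000:web.server:80 gateway.server` still works, while a forward to any other destination through that account is refused by the gateway.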
Best Answer
You should open an ssh tunnel from your computer to the server in the data center. Let's name this "server1". If you are using openssh, you can just run
This will open a connection from your computer at port 8080 to the server, port 8080, skipping the firewall in between. Assuming your apache is listening on port 8080. Port forward format is listening IP:local port:remote address:remote port. Of course for a single server you can also use
Please note that localhost in the -L parameter is relative to server1. In other words, the server sees connections coming from localhost, when in fact they are coming from your computer over the ssh connection.
You also need the parameter
in server's ssh configuration (typically /etc/ssh/sshd_config).
After this, others can connect to your computer on port 8080 to get a connection via the Apache Reverse Proxy. If you need a general proxy (so users can choose the address, not just specific addresses in the Apache configuration) you should install squid on server1 and use an ssh tunnel to the squid port.