SSH Tunnelling for HTTP: Does target HTTP Proxy Port have to be exposed

http-proxyPROXYsockssshssh-tunnel

An example:

I am trying to use PuTTy to create an SSH tunnel from my laptop to my server (for the purposes of this example MyServer.com:22). Port 22 is enabled on the router between MyServer.com and the Internet.

MyServer.com is running a Privoxy HTTP Proxy on the default port of 8118. Port 8118 is not enabled on the router.

When I create a tunnel from a local port on my laptop, say 3500, to MyServer.com:22, and then configure my web browser to use localhost:3500 as a Proxy, I do not get web pages appear in my web browser – instead, I get a line of text from Open SSH describing the version number of the software in the Web Browser.

I have seen (and not fully understood) references to SOCKS and the ProxyCommand keyword in the sshd_config OpenSSH file. Am I able to utilise one/both of these in order to create a tunnel to MyServer.com:22 which serves web pages, or is it absolutely neccessary that the HTTP Proxy on MyServer.com:8118 is exposed to the Internet?

Best Answer

It because you're using the local port forwarding technique:

$ ssh -L 3500:yourserver.com:22 user@yourserver.com

This command allocates a socket to listen to port 3500 on your laptop. And when you configure the browser to use localhost:3500 as a proxy, web traffic is forwarded over the secure channel, and a connection is made to yourserver.com:22, and in fact, you're telneting to the your server, it's why you get the SSH version:

SSH-2.0-OpenSSH_4.3
Protocol mismatch.

You probably want to use dynamic port forwarding instead:

$ ssh -D 3500 user@yourserver.com

This technique uses the application protocol to determine where to connect to from your server.

Don't forget to configure web browser to use SOCKS Host, not HTTP Proxy.

Related Solutions

Ssh – Why does logging out of an SSH session hang when using port-forwarding

As you expected, this happens because SSH won't exit if there are outstanding connections going through the tunnel.

If you exit your browser (and all other programs that are going through the port 9000 tunnel) then SSH should exit.

The ssh man page says:

 The session terminates when the command or shell on the remote machine exits and all X11 and TCP connections have been closed.

And I don't see any options to change that behavior, so I suspect there's nothing you can do.

How does ssh port forwarding work exactly

Your question was a little unclear to me, so I'm going to specify what I assumed and then try and help you with your problem. You are at the computer 'remote' which is SSH'ing to 'local' and this part works fine. If this is the case we no longer need to worry about router.

Continuing my assumptions, 'local' has a service running on it on port 12345 that you would like to access from 'remote' without opening additional ports on your router. What you would want to do is use the following command from 'remote':

ssh -L 1234:localhost:12345 user@router's_ip

To connect to the service you would then access it through localhost:1234.

The way the port forwarding syntax works is: {local_port}:{proxy_dest}:{proxy_port}

local_port is the port that will open on the client machine you are connecting from, to access it you would use localhost:local_port

proxy_dest is the host you would like to connect to from the perspective of the server you are SSH'ing into

proxy_port is the port on the remote system that you would like to connect to.

Best Answer

Related Solutions

Ssh – Why does logging out of an SSH session hang when using port-forwarding

How does ssh port forwarding work exactly

Related Topic