2006-12-13

SSH through Apache Proxy

If you want to connect to your beloved SSH server but are stuck behind a proxy that only has ftp, http, and https open, you can install proxytunnel. It is a super tool :)

1) You will need Apache on port 80 to "proxy" your SSH connection.
2) Create an "easy-to-run" SSH client.

I assume you know how to install the Apache web server... so go open/create your VirtualHost.

For Apache you will need the modules mod_proxy (split into two files in the httpd tarball: mod_proxy.c and proxy_util.c) and mod_proxy_connect (it handles the CONNECT method, to allow SSL connections). I use the Apache2 Debian package, so all this stuff is really simple.

Apache configuration example:

NameVirtualHost nameserver_or_ip:80
<VirtualHost nameserver_or_ip:80>
    ProxyRequests on
    ProxyVia on
    # By default SSH listens on 22, but you can also make it
    # listen on a secret port, for example 5554.
    AllowCONNECT 22 5554
    <Proxy *>
        Order deny,allow
        # By default reject everyone
        Deny from all
        Allow from localhost
        Allow from the_fixed_ip_of_your_university
    </Proxy>
    # A useless example of ProxyPass to show how to reach
    # the Debian FTP mirror from http://your_host/debian/
    ProxyPass /debian http://ftp.fr.debian.org/debian/

    Redirect / http://www.somewhere.com/
</VirtualHost>

Restart your server.

Now edit ~/.ssh/config and use the following lines as a starting point:

Host proxy
    DynamicForward 1080
    ProxyCommand proxytunnel -v -p localhost:81 -r myhost:80 -d localhost:13375
    ServerAliveInterval 30

-v is verbose, -p is the proxy to use (the one of your university for example), -r is the remote proxy (your Apache server), and -d is the SSH server to connect to; its port must be one of those listed in AllowCONNECT. Note that if your SSH server is on the same host as Apache, you can connect to localhost. However, I prefer to put the DNS name of my server so the message "Last login from" is less ambiguous.

Save this file and exit. Now you can type `ssh proxy' to connect through the hell of proxies.
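ProxyRequests on turns the VirtualHost into a forward proxy, so it is worth checking the configuration before exposing it. The following is an added example, not part of the original post: a small Python audit that checks that the <Proxy *> block restricts clients and that the port given to proxytunnel's -d option is listed in AllowCONNECT. The function name and sample are constructed here, and it only understands the Apache 2.0/2.2 Order/Deny/Allow syntax used above, assuming "Order deny,allow".

```python
import re

# Constructed sample modelled on the VirtualHost above (placeholders kept).
SAMPLE = """\
<VirtualHost nameserver_or_ip:80>
    ProxyRequests on
    AllowCONNECT 22 5554
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from localhost
        Allow from the_fixed_ip_of_your_university
    </Proxy>
</VirtualHost>
"""

def audit_forward_proxy(conf, dest_port):
    """Return findings for a forward-proxy config (hypothetical helper)."""
    proxy_on, ports, in_proxy = False, set(), False
    deny_all, allows, findings = False, [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # ignore comment text
        low = line.lower()
        if not line:
            continue
        if re.match(r"<proxy\s+\*>", low):
            in_proxy = True
        elif low.startswith("</proxy"):
            in_proxy = False
        elif low.startswith("proxyrequests"):
            proxy_on = low.split()[1:2] == ["on"]
        elif low.startswith("allowconnect"):
            ports.update(int(p) for p in line.split()[1:] if p.isdigit())
        elif in_proxy and low.startswith("deny from"):
            deny_all = deny_all or "all" in low.split()[2:]
        elif in_proxy and low.startswith("allow from"):
            allows.extend(low.split()[2:])
    # Without "Deny from all", or with "Allow from all", anyone can relay.
    if proxy_on and (not deny_all or "all" in allows):
        findings.append("open forward proxy: <Proxy *> does not restrict clients")
    # The tunnel destination must be an explicitly allowed CONNECT port.
    if proxy_on and dest_port not in ports:
        findings.append(
            f"CONNECT to port {dest_port} is not in AllowCONNECT {sorted(ports)}")
    return findings

if __name__ == "__main__":
    for finding in audit_forward_proxy(SAMPLE, 13375):
        print(finding)
```

Run against the sample with port 13375 (the -d port from the ssh config above), it reports that the port is missing from AllowCONNECT 22 5554.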

Screenshot of an SSH connection through a local Apache proxy through a remote Apache proxy:

lapt0p[100]:~% ssh local
localhost is 127.0.0.1
Connected to localhost:81
Tunneling to myhost:80 (remote proxy)
Connect string sent to Proxy: 'CONNECT myhost:80 HTTP/1.0
Proxy-Connection: Keep-Alive

'
DEBUG: recv: 'HTTP/1.0 200 Connection Established
'DEBUG: recv: 'Proxy-agent: Apache/2.0.55 (Ubuntu)
'DEBUG: recv: '
'Tunneling to localhost:13375 (destination)
DEBUG: Send: 'CONNECT localhost:13375 HTTP/1.0
Proxy-Connection: Keep-Alive

'
DEBUG: recv: 'HTTP/1.0 200 Connection Established
'DEBUG: recv: 'Proxy-agent: Apache/2.2.3 (Debian)
'DEBUG: recv: '
'Starting tunnel
Linux myhost 2.6.15-1-amd64-generic #2 Mon Mar 20 10:43:41 UTC 2006 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Dec 13 21:19:24 2006 from localhost
myhost/ssh[45]:~%

5 comments:

  1. Check out "corkscrew"

    It's less painful than working with apache for something as simple as this.

  2. Hey. It's a long time ago but I still get the error that the CONNECT is not allowed in my Apache (HTTP return code: 405 Method Not Allowed).

    I have the same config as you and mod_proxy and mod_proxy_connect are installed!

    Do you have an idea why my Apache is still saying "not allowed"?

    thx :)

  3. As stated, it means the CONNECT method is not supported; this method is always used when establishing connections on HTTPS websites, but it's hard to give you a hint to fix this. Plus I haven't installed proxytunnel and Apache in over a year. I guess you are on your own.
