2006-12-13

SSH through Apache Proxy

If you want to connect to your beloved SSH server but are stuck behind a proxy that only has ftp, http, and https open, you can install proxytunnel. It is a super tool :)

1) You will need Apache on port 80 to "proxy" your SSH connection.
2) Create an "easy-to-run" ssh client.

I assume you know how to install the Apache web server, so go open/create your VirtualHost.

For Apache you will need the modules mod_proxy (split into two files in the httpd tarball: mod_proxy.c and proxy_util.c) and mod_proxy_connect (which handles the CONNECT method, to allow SSL connections). I use the Apache2 Debian package, so all this stuff is really simple.

Apache configuration example:

NameVirtualHost nameserver_or_ip:80
<VirtualHost nameserver_or_ip:80>
    ProxyRequests on
    ProxyVia on
    # Ports that CONNECT may reach. By default SSH listens on 22,
    # but you can also make it listen on a secret port, for
    # example 5554. The port given to proxytunnel -d must be listed here.
    AllowCONNECT 22 5554
    <Proxy *>
        Order deny,allow
        # By default reject everyone
        Deny from all
        Allow from localhost
        Allow from the_fixed_ip_of_your_university
    </Proxy>
    # A useless example of ProxyPass to show how to reach
    # the Debian FTP mirror from http://your_host/debian/
    ProxyPass /debian http://ftp.fr.debian.org/debian/

    Redirect / http://www.somewhere.com/
</VirtualHost>

Restart your server.
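
With `ProxyRequests on`, the `<Proxy *>` rules and `AllowCONNECT` are all that stand between this VirtualHost and an open proxy, so they are worth checking mechanically. The following is an added example, not part of the original post: `audit_forward_proxy` is a hypothetical helper, the sample config is constructed, and it assumes the Apache 2.0/2.2 `Order`/`Deny`/`Allow` syntax used above.

```python
import re

# Constructed input: the page's proxy directives with the <Proxy *> rules
# left out and a trailing comment on the AllowCONNECT line.
SAMPLE = """\
<VirtualHost nameserver_or_ip:80>
ProxyRequests on
AllowCONNECT 22 5554 # ssh ports
</VirtualHost>
"""

def audit_forward_proxy(conf, ssh_port):
    """Return findings for an Apache 2.0/2.2-style forward proxy config."""
    lines = [l.strip() for l in conf.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    if not any(re.fullmatch(r"ProxyRequests\s+on", l, re.I) for l in lines):
        return []  # forward proxying is off, nothing to check
    findings = []
    # Apache treats '#' as a comment only at the start of a line.
    for l in lines:
        if re.search(r"\s#", l):
            findings.append(f"trailing comment on directive: {l.split()[0]}")
    # Ports CONNECT may reach; Apache defaults to 443 and 563 if unset.
    ports = set()
    for l in lines:
        m = re.match(r"AllowCONNECT\s+(.*)", l, re.I)
        if m:
            ports.update(t for t in m.group(1).split() if t.isdigit())
    ports = ports or {"443", "563"}
    if str(ssh_port) not in ports:
        findings.append(f"port {ssh_port} missing from AllowCONNECT")
    # Rules inside <Proxy *> decide who may use the proxy at all
    # (assumes 'Order deny,allow' as on the page).
    inside, rules = False, []
    for l in lines:
        if re.fullmatch(r"<Proxy\s+\*>", l, re.I):
            inside = True
        elif l.lower() == "</proxy>":
            inside = False
        elif inside:
            rules.append(l.lower())
    if "deny from all" not in rules:
        findings.append("no 'Deny from all' in <Proxy *>: open proxy")
    elif not any(r.startswith("allow from") for r in rules):
        findings.append("<Proxy *> denies every client")
    return findings

if __name__ == "__main__":
    print(audit_forward_proxy(SAMPLE, 13375))
```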

Now edit ~/.ssh/config and take inspiration from the following lines:

Host proxy
    DynamicForward 1080
    ProxyCommand proxytunnel -v -p localhost:81 -r myhost:80 -d localhost:13375
    ServerAliveInterval 30

-v is verbose, -p is the proxy to use (the one of your university, for example), -r is the remote proxy (your Apache server), and -d is the SSH server to connect to. Note that if your SSH server is on the same host as Apache, you can connect to localhost. However, I prefer to put the DNS name of my server so the message "Last login from" is less ambiguous.

Save this file and exit. Now you can type `ssh proxy' to connect through the hell of proxies.

Screenshot of an SSH connection through a local Apache proxy through a remote Apache proxy:

lapt0p[100]:~% ssh local
localhost is 127.0.0.1
Connected to localhost:81
Tunneling to myhost:80 (remote proxy)
Connect string sent to Proxy: 'CONNECT myhost:80 HTTP/1.0
Proxy-Connection: Keep-Alive

'
DEBUG: recv: 'HTTP/1.0 200 Connection Established
'DEBUG: recv: 'Proxy-agent: Apache/2.0.55 (Ubuntu)
'DEBUG: recv: '
'Tunneling to localhost:13375 (destination)
DEBUG: Send: 'CONNECT localhost:13375 HTTP/1.0
Proxy-Connection: Keep-Alive

'
DEBUG: recv: 'HTTP/1.0 200 Connection Established
'DEBUG: recv: 'Proxy-agent: Apache/2.2.3 (Debian)
'DEBUG: recv: '
'Starting tunnel
Linux myhost 2.6.15-1-amd64-generic #2 Mon Mar 20 10:43:41 UTC 2006 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Dec 13 21:19:24 2006 from localhost
myhost/ssh[45]:~%
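
On the remote Apache, each tunnel in the session above shows up in the access log as a `CONNECT host:port` request line, which makes it easy to review who used the proxy and for what. The following is an added example, not part of the original post: the log lines are constructed (common log format, documentation addresses) and `connect_report` is a hypothetical helper.

```python
import re
from collections import Counter

# Constructed access-log lines in Apache common log format. Addresses are
# documentation ranges; the first target mirrors the page's -d argument.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Dec/2006:21:19:20 +0100] "CONNECT localhost:13375 HTTP/1.0" 200 -
192.0.2.10 - - [13/Dec/2006:21:20:02 +0100] "GET /debian/dists/ HTTP/1.1" 200 1532
198.51.100.7 - - [13/Dec/2006:21:22:41 +0100] "CONNECT mail.example.org:25 HTTP/1.0" 403 210
198.51.100.7 - - [13/Dec/2006:21:22:45 +0100] "CONNECT shop.example.org:443 HTTP/1.1" 403 210
"""

CONNECT_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "CONNECT (\S+):(\d+) HTTP/[\d.]+" (\d{3}) '
)


def connect_report(log_text, expected_clients, expected_ports):
    """Split CONNECT requests into established tunnels and refused attempts."""
    established = []     # (client, target, unexpected) for 2xx responses
    refused = Counter()  # refused CONNECT attempts per client
    for line in log_text.splitlines():
        m = CONNECT_LINE.match(line)
        if not m:
            continue  # not a CONNECT request
        client, host = m.group(1), m.group(2)
        port, status = int(m.group(3)), int(m.group(4))
        if 200 <= status < 300:
            # A tunnel was set up: is it one we expect?
            unexpected = (client not in expected_clients
                          or port not in expected_ports)
            established.append((client, f"{host}:{port}", unexpected))
        else:
            refused[client] += 1
    return established, dict(refused)


if __name__ == "__main__":
    print(connect_report(SAMPLE_LOG, {"192.0.2.10"}, {13375}))
```

Refused attempts from addresses outside the `Allow from` list are the signal that someone else has found the proxy.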

Comments:

  1. Check out "corkscrew"

    It's less painful than working with apache for something as simple as this.

  2. Hey. It's a long time ago, but I still get the error that CONNECT is not allowed in my Apache (HTTP return code: 405 Method Not Allowed).

    I have the same config as you, and mod_proxy and mod_proxy_connect are installed!

    Do you have an idea why my Apache is still saying "not allowed"?

    thx :)

  3. As stated, it means the CONNECT method is not supported. This method is always used when establishing connections on HTTPS websites, but it's hard to give you a hint to fix this. Plus, I haven't installed proxytunnel and Apache in over a year. I guess you are on your own.
