Home > Uncategorized > Tunneling ssh – option 2

Tunneling ssh – option 2

See the previous post for an explanation of what we’re trying to accomplish.

This is a diagram of what the setup looks like. The numbers shown are the TCP ports used by the various components.

SSH through Apache and Stunnel

SSH through Apache and Stunnel

In the Apache config file:

<VirtualHost *:80>
        ServerName home.com

        ProxyRequests on
        AllowCONNECT 70
        ProxyVia on
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
</VirtualHost>
Enable the proxy connect module in Apache. On Ubuntu you just have to have the following symbolic links in /etc/apache2/mods-enabled:
proxy.conf -> ../mods-available/proxy.conf
proxy_connect.load -> ../mods-available/proxy_connect.load
proxy_http.load -> ../mods-available/proxy_http.load
proxy.load -> ../mods-available/proxy.load
Configure Stunnel on the server the same way as for option 1. On the client PC, this is the proxytunnel command line you'll need to use:
C:\>proxytunnel.exe -p proxy.work.com:1080 -d home.com:70 -r home.com:80 -a 71
Configure the work.com stunnel:
sslVersion = SSLv3

; Use it for client mode
client = yes

[apache-ssh]
accept	= 32
connect	= 71

Restart apache and stunnel on the server side.

On the client side:

  1. Start proxytunnel using the command shown above.
  2. Start stunnel. If the stunnel.conf file is in the default location, no command line arguments are needed. If not, pass the config line as a command line argument to stunnel.
  3. Start the ssh clinet and connect to 127.0.0.1:32

Here’s what’s going on:

  • The ssh client connects to port 32 on the localhost
  • Stunnel is listening on port 32 on the localhost, so it receives that connection and sends it on to port 71 also on the localhost
  • ProxyTunnel is listening on port 71, so it takes that connection from Stunnel and sends it to home.com:80 through proxy.work.com:8080
  • The Apache server running at home.com:80 receives a CONNECT request for home.com:70, so it forwards the connection to that destination.
  • Stunnel is listening on port 70 at home.com and when it receives the connection from Apache, it sends it to port 22 on home.com
  • Finally, sshd is listening on home.com:22 so it receives the connection from Stunnel, allowing the user to log in

This is even less efficient than the first option, but has the advantage of not requiring another service to be exposed directly to the internet through the firewall.

Categories: Uncategorized Tags: , ,
  1. No comments yet.
  1. No trackbacks yet.