
Tunneling ssh over an http proxy

Let’s say you want to ssh from your work.com PC to home.com using the proxy.work.com HTTP(S) proxy. If the work.com admins are lenient, you can use ProxyTunnel as described here and be done. If they’re more aggressive, they can block you because the protocol exchange will go something like this:

Your work.com PC says:

  • CONNECT home.com:22 HTTP/1.0
  • Proxy-Connection: Keep-Alive

home.com responds with:

  • SSH-2.0-OpenSSH …

At this point proxy.work.com is able to see that you’re trying to tunnel SSH and can block the connection.

Another option is to tunnel over HTTPS instead of HTTP. Apache, however, doesn’t currently (Feb. 2010) support this option. You can read more about it here and perhaps use one of the patches mentioned there to add that feature to your server.

If you don’t want to patch the web server, there’s an alternative option that involves Stunnel. That’s what this post is about.

With stunnel in place, the protocol exchange will go something like this:

Your work.com PC says:

  • CONNECT home.com:70 HTTP/1.0
  • Proxy-Connection: Keep-Alive

home.com responds with:

  • HTTP/1.0 200 Connection Established

At this point stunnel takes over and hides the SSH protocol handshake, letting you pass through the proxy without a hassle.

There are two ways to accomplish this. The first way requires you to open another port in your home.com firewall and allow connections to stunnel from outside. The second way uses your Apache server as a second proxy.
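Seen from proxy.work.com, the two exchanges above differ in the CONNECT target and in the first bytes relayed after the 200 Connection Established reply. The following is an added example, not code from the original post, of a check a proxy administrator could run on those two signals; the function names, the allowed-port policy and the sample bytes are assumptions constructed for illustration.

```python
import re

# Added example: classify the first bytes relayed inside a CONNECT tunnel.
# ALLOWED_CONNECT_PORTS and all function names are assumptions, not from the post.
SSH_ID = re.compile(rb"^SSH-\d+\.\d+-")  # SSH identification string (RFC 4253)
CONNECT = re.compile(rb"^CONNECT\s+([^\s:]+):(\d{1,5})\s+HTTP/1\.[01]$")
ALLOWED_CONNECT_PORTS = {443}

def parse_connect(request_line: bytes):
    """Return (host, port) for a well-formed CONNECT request line, else None."""
    m = CONNECT.match(request_line.strip())
    if not m or not 0 < int(m.group(2)) < 65536:
        return None
    return m.group(1).decode("ascii", "replace"), int(m.group(2))

def classify_payload(first_bytes: bytes) -> str:
    """Label the first bytes relayed through the tunnel after the 200 reply."""
    # An SSH server may send other text lines before its identification string.
    if any(SSH_ID.match(line) for line in first_bytes.split(b"\n")[:8]):
        return "ssh"
    # TLS record header: type 0x16 (handshake), major version 0x03.
    if len(first_bytes) >= 5 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    return "unknown"

def verdict(request_line: bytes, first_bytes: bytes) -> str:
    """Combine the CONNECT target and the payload label into a policy decision."""
    target = parse_connect(request_line)
    if target is None:
        return "reject: malformed CONNECT"
    host, port = target
    kind = classify_payload(first_bytes)
    if kind == "ssh":
        return f"block: SSH banner in tunnel to {host}:{port}"
    if port not in ALLOWED_CONNECT_PORTS:
        return f"flag: {kind} payload to non-standard port {port} on {host}"
    return "allow" if kind == "tls" else f"flag: {kind} payload on port {port}"

# Constructed samples mirroring the two exchanges in the post, plus a banner
# that arrives after a leading text line.
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2E, 0x01])  # start of a TLS handshake record
SAMPLES = [
    (b"CONNECT home.com:22 HTTP/1.0", b"SSH-2.0-OpenSSH_x.y\r\n"),
    (b"CONNECT home.com:70 HTTP/1.0", TLS_HELLO),
    (b"CONNECT home.com:443 HTTP/1.0", b"notice line\r\nSSH-2.0-OpenSSH_x.y\r\n"),
]

if __name__ == "__main__":
    for line, payload in SAMPLES:
        print(line.decode(), "->", verdict(line, payload))
```

The second sample shows why the CONNECT target is logged and checked as well as the payload: the wrapped session no longer exposes an SSH banner, but the request line still names port 70.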
