SSH proxying via Apache

Been working out of a customer site for the past few weeks and their firewall is a bit finicky. One day it would let me ssh into my office fine and the next day it would just kick me out right after the initial handshake. It doesn't actually refuse the connection at the onset. It would connect and then immediately drop the connection. Their IT guys tried to tell me it's my server, not their firewall, that was the culprit. Hey, I'm an IT guy too, buddy! (amongst other things). If I can connect fine from my home network and two other guys can also connect from their homes, I'm no Sherlock but something tells me it ain't my server. As improbable as it may be, because I know you think your firewall is perfect and that you haven't made any change to it that might cause this. My friend, I'd hate to tell you this but, it's your firewall! ;-)

Right. Next time, you try telling your customer's IT guy that his network firewall is faulty. See if that will get you anywhere.

Oh well. At least this gave me the chance to look into enabling our web server to allow SSH proxying. Found a useful article here: Tunneling SSH over HTTP(S).

This is essentially what you need to add to your httpd.conf on the Apache server:


# HTTP Proxy for SSH (mod_proxy and mod_proxy_connect must be loaded)
ProxyRequests On
AllowCONNECT 22
ProxyVia On
# Refuse every proxy target by default, so ProxyRequests On does not turn
# the web server into an open proxy; the ProxyMatch block below re-allows
# only the SSH server for the listed client addresses.
<Proxy *>
Order deny,allow
Deny from all
</Proxy>
# Internal IP of your SSH server (comments go on their own line; Apache does
# not accept a comment after a directive, and the dots are escaped so they
# match literally instead of any character)
<ProxyMatch 192\.168\.1\.1>
Order deny,allow
Deny from all
### External (customer) sites allowed to connect
Allow from 199.243.1.61
Allow from 74.100.102.21
</ProxyMatch>


Then, to connect from the remote site, set the PuTTY host name to 192.168.1.1 (the internal IP address of your SSH server), go to Connection >> Proxy, choose HTTP proxy, and enter the public hostname and port of your Apache server.
That's it. Painless.
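What PuTTY does behind the scenes with that proxy setting is a plain HTTP CONNECT handshake, and a small script that performs it by hand is a handy way to check the Apache rules and the customer's firewall from the laptop. This is an added example, not code from the post or from Apache/PuTTY; the PROXY and TARGET values are assumptions to replace with your own Apache host and internal SSH server.

```python
"""HTTP CONNECT check for SSH behind an Apache forward proxy, the setup in this
post. Added example, not the post's or Apache's own code; PROXY and TARGET are
assumed values, replace them with your Apache host and internal SSH server."""
import socket

PROXY = ("proxy.example.com", 80)   # public name/port of the Apache server (assumed)
TARGET = ("192.168.1.1", 22)        # internal SSH server, as in the post

def build_connect_request(host: str, port: int) -> bytes:
    """The CONNECT request PuTTY's HTTP-proxy mode sends (RFC 7231, section 4.3.6)."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")

def parse_connect_response(data: bytes):
    """Return (status code, bytes received after the headers).
    The SSH server speaks first, so its banner can land in the same read as the
    proxy's '200 Connection established'; those bytes belong to the tunnel."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete CONNECT response")
    parts = head.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line")
    return int(parts[1]), rest

def ssh_banner_via_proxy(proxy=PROXY, target=TARGET, timeout=10.0) -> str:
    """Open the tunnel and return the SSH identification line (e.g. 'SSH-2.0-OpenSSH_8.9').
    200 plus a banner proves the AllowCONNECT/ProxyMatch rules and the path through
    the firewall; 403 means the client IP is not in the Allow list, 407 that the
    proxy wants authentication."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_connect_request(*target))
        buf = b""
        while b"\r\n\r\n" not in buf:          # collect the proxy's reply headers
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection during CONNECT")
            buf += chunk
        status, rest = parse_connect_response(buf)
        if status != 200:
            raise ConnectionError(f"proxy refused CONNECT: HTTP {status}")
        while b"\n" not in rest:               # the banner is one LF-terminated line
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("tunnel dropped before the SSH banner arrived")
            rest += chunk
        return rest.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
```

A "tunnel dropped before the SSH banner arrived" error reproduces the symptom from the top of the post (TCP connects, then dies right after the handshake), now with the proxy's status code to tell an Apache refusal apart from a firewall reset.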

A slight diversion from real work, but this will come in handy the next time I'm at a customer site that blocks out all ports except port 80. I need my network to follow me everywhere I go. I'm effectively crippled without it.

Unless...I wonder, what would happen if the customer's network itself uses a proxy server to get out to the Internet...
Oh well. Not my problem to worry about right now. Will deal with it when I run into it.

1 comment:

Anonymous said...

Hi Mr Hai,

Thanks for your post! I can ssh via http now :-)

cheers,

-Rilson