Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Tunnel over HTTPS

Tags:

ssh

proxy

https

apache

tunnel

At my workplace, the traffic blocker/firewall has been getting progressively worse. I can't connect to my home machine on port 22, and lack of ssh access makes me sad. I was previously able to use SSH by moving it to port 5050, but I think some recent filters now treat this traffic as IM and redirect it through another proxy, maybe. That's my best guess; in any case, my ssh connections now terminate before I get to log in.

These days I've been using Ajaxterm over HTTPS, as port 443 is still unmolested, but this is far from ideal. (Sucky terminal emulation, lack of port forwarding, my browser leaks memory at an amazing rate...) I tried setting up mod_proxy_connect on top of mod_ssl, with the idea that I could send a CONNECT localhost:22 HTTP/1.1 request through HTTPS, and then I'd be all set. Sadly, this seems to not work; the HTTPS connection works, up until I finish sending my request; then SSL craps out. It appears as though mod_proxy_connect takes over the whole connection instead of continuing to pipe through mod_ssl, confusing the heck out of the HTTPS client.

Is there a way to get this to work? I don't want to do this over plain HTTP, for several reasons:

  • Leaving a big fat open proxy like that just stinks
  • A big fat open proxy is not good over HTTPS either, but with authentication required it feels fine to me
  • HTTP goes through a proxy -- I'm not too concerned about my traffic being sniffed, as it's ssh that'll be going "plaintext" through the tunnel -- but it's a lot more likely to be mangled than HTTPS, which fundamentally cannot be proxied

Requirements:

  • Must work over port 443, without disturbing other HTTPS traffic (i.e. I can't just put the ssh server on port 443, because I would no longer be able to serve pages over HTTPS)
  • I have or can write a simple port forwarder client that runs under Windows (or Cygwin)

Edit

DAG: Tunnelling SSH over HTTP(S) has been pointed out to me, but it doesn't help: at the end of the article, they mention Bug 29744 - CONNECT does not work over existing SSL connection preventing tunnelling over HTTPS, exactly the problem I was running into. At this point, I am probably looking at some CGI script, but I don't want to list that as a requirement if there's better solutions available.

like image 445
ephemient Avatar asked Oct 08 '08 04:10

ephemient

People also ask

Does https use tunneling?

Working of SSL Tunneling A tunneling request CONNECT is made by the client on port 443 for HTTPS. This request is sent to the proxy server automatically for the HTTPS request. The CONNECT request is used by the RFC 2616 to establish a tunnel. The proxy server receives the tunneling request on the port 8080.

What is HTTP Connect Tunnel?

The HTTP CONNECT method starts two-way communications with the requested resource. It can be used to open a tunnel. For example, the CONNECT method can be used to access websites that use SSL (HTTPS). The client asks an HTTP Proxy server to tunnel the TCP connection to the desired destination.

What is SSL tunneling?

SSL tunneling is a lower-level activity that does not affect the application level (HTTPS). SSL tunneling is just as secure as SSL without proxying. The existence of the proxy in between does not in any way compromise security or reduce the functionality of SSL.

2 Answers

Find out why the company has such a restrictive policy. It might be for a good reason.

If you still find that you want to bypass the policy, you could write a small proxy that will listen on your server on port 443 and then, depending on the request, will forward the traffic either to your web server or to the SSH daemon. There are two catches though.

  1. To determine whether it's an HTTPS request or an SSH request, you need to try to read some data with a (small) timeout, this is because TLS/SSL handshakes start with the client sending some data, whereas the SSH handshake starts with the server sending some data. The timeout has to be big enough to delays in delivering the initial data from the client in the TLS/SSL handshake, so it'll make establishing SSH connections slower.

  2. If the HTTP proxy in your company is smart, it'll actually eavesdrop on the expected TLS/SSL "handshake" when you CONNECT to port 443, and, when it detects that it's not an TLS/SSL handshake, it might terminate the SSH connection attempt. To address that, you could wrap the SSH daemon into an TLS/SSL tunnel (e.g., stunnel), but they you'll need to differentiate requests based on the TLS/SSL version in your client request to determine whether to route the TLS/SSL connection to the web server or to the TLS/SSL-tunneled SSH daemon.

like image 165
Alexander Avatar answered Oct 05 '22 08:10

Alexander

You should be able to use iptables to forward ssh traffic from your work machines to ssh while all other machines attaching to your home server on port 443 get the Apache server.

Try a rule like this:

iptables -t nat -A PREROUTING -p tcp -s 111.111.111.111 --dport 433 -j REDIRECT --to-port 22

Where 111.111.111.111 is your office computer's ip address.

That all assumes you're running Linux >= 2.4, which you should be by now. It's been out for almost a decade.

Documentation for iptables is at http://www.netfilter.org.

like image 33
Brian Avatar answered Oct 05 '22 08:10

Brian
Sign in to Comment

Related questions

SetEnv APPLICATION_ENV development - .htaccess interacting with Zend Framework?
We're sorry, but something went wrong. - with Rails, Apache, Passenger
Apache webserver error on startup [closed]
configuring virtual host and localhost redirecting to the xampp folder
403 error on Apache for a laravel project, after upgrade to Ubuntu 13.10
Are colons allowed in URLs?
How do I hide directories in Apache, specifically source-control?
Set RewriteBase to the current folder path dynamically
How do I set up a Sinatra app under Apache with Passenger?
Configure apache on elastic beanstalk
error running apache after xampp install
Multiple RewriteConditions: How to chain them before a set of rules?
Write Privileges - localhost - Mac OSX
revert 'php artisan serve' command in laravel
XAMPP on Win7 too slow
Apache won't run in xampp
How to check mod_headers and mod_expires modules enabled in apache
Permissions Issue with Laravel on CentOS
What is the advantage of storing schema in avro?
Serve another(standalone) page or static file in website built with react

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!