I am trying to figure out how ssh port forwarding works. I'm very puzzled as to the different problems I am seeing.
First, a basic example: ssh -L 8080:www.ubuntuforums.org:80 localhost. After logging into my local machine, navigating to localhost:8080 in Chrome gets me to http://www.canonical.com/. If I navigate directly to http://www.ubuntuforums.org/ in my Chrome, I instead end up at http://ubuntuforums.org/. What is going on here? Why do I not end up at ubuntuforums.org but instead www.canonical.com?
Second, changing the website and port: ssh -L 8888:learnlayout.com:80 localhost. Navigating to http://localhost:8888 in Chrome I just hang forever. wget http://localhost:8888 gives me the following index.html:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Transmission Forward</title>
<script type="text/javascript">
window.location = "http://24.218.24.189:8080/"
</script>
</head>
<body>
<p>Stand By...</p>
</body>
</html>
Is ssh not handling redirects correctly or something when I point to it in my browser?
Third, ssh -L 8888:imgur.com:80 localhost. In my browser I get the following error: Fastly error: unknown domain: localhost. Please check that this domain has been added to a service. wget localhost:8888 gives me:
--2016-05-07 16:36:47-- http://localhost:8887/
Resolving localhost... ::1, 127.0.0.1
Connecting to localhost|::1|:8888... connected.
HTTP request sent, awaiting response... 500 Domain Not Found
2016-05-07 16:36:47 ERROR 500: Domain Not Found.
This diversity of errors is really befuddling me. Is there anything obvious about ssh tunneling I am missing? Should these be working and maybe my network or router is up to something?
SSH Port Forwarding If the user of an SSH client that has been granted SSH access to a server on the other side of a firewall is allowed to enable local port forwarding, they open the possibility that an attacker can gain access to systems and devices which might otherwise not be accessible.
Also known as dynamic tunneling, or SSH SOCKS5 proxy, dynamic port forwarding allows you to specify a connect port that will forward all incoming traffic to the remote server dynamically.
SSH tunneling, or SSH port forwarding, is a method of transporting arbitrary data over an encrypted SSH connection. SSH tunnels allow connections made to a local port (that is, to a port on your own desktop) to be forwarded to a remote machine via a secure channel.
You are using SSH to establish a secure connection between two systems, authenticating the user to the remote endpoint and then setting up a tunnel inside that connection so that all connections to a specific port on your local machine are sent - through the tunnel - to a different host and port.
Using a browser or tool like wget you are making an HTTP request to your local machine and port. Whatever response you get from that endpoint is interpreted by the originating tool according to the HTTP specification.
When you make HTTP requests the responses you get are not what you expect. If you try to access example.org on your local machine as localhost:8888 thanks to an SSH tunnel, you are not getting the actual page as if you were browsing example.org directly.
Most pages/sites are domain-aware. That means that their functionality is tightly tied to the domain on which they are configured to serve.
In your examples there is an assortment of scenarios. Websites forcing a particular URL to access them, a website redirection using javascript and even a webserver that does not know what site to serve based off that URL. The explanation is the same for all of them: they are not prepared to be accessed with a URL different than what they consider the standard URL.
In my experience, the domain with which a site will be accessed is something one can assume. Some configurations can be made to enforce a particular version of that domain (like adding or removing www), but hardly anything else. Such configuration can be made in the webserver - or caching layer in front of it - or the application itself (WordPress has a setting for its domain that it will enforce on its own). The exceptions are applications that can be accessed with multiple DNSs and most web frameworks have a way to support that scenario, but they mostly need a backend configuration to determine the list of domains they will serve.
For browsing the web from a different connection or using a tunnel: use an HTTP proxy. In particular, SSH's option -D PORT will create a SOCKS proxy that you can configure in most HTTP tools to tunnel connections.