Sunday, September 19, 2010

Tunneling SSH over HTTP(S)

This document explains how to set up an Apache server and SSH client to allow tunneling SSH over HTTP(S). This can be useful on restricted networks that either firewall everything except HTTP traffic (tcp/80,tcp/443) or require users to use a local (HTTP) proxy.
A lot of people asked why do it like this if you can just make sshd listen on port 443. That might work if your environment is not hardened the way I have seen it at several companies, but this setup has a few advantages:

- You can proxy to anywhere (see the Proxy directive in Apache) based on names.
- You can proxy to any port you like (see the AllowCONNECT directive in Apache).
- It works even when there is a layer-7 protocol firewall.
- If you enable proxytunnel's SSL support, it is indistinguishable from real SSL traffic.
- You can come up with nice hostnames like 'downloads.yourdomain.com' and 'pictures.yourdomain.com', and for normal users these will look like normal websites when visited.
- There are many possibilities for doing authentication further along the path.
- You can do proxy-bouncing to the n-th degree to mask where you're coming from or going to (however, this requires more changes to proxytunnel; currently I only added support for one remote proxy).
- You do not have to dedicate an IP address to sshd; you can still run an HTTPS site on the same address.
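A minimal server-side configuration of the kind described above, added here as an example; it is not taken from the original post or from proxytunnel's documentation. It assumes Apache 2.4 with mod_proxy, mod_proxy_connect and mod_ssl loaded; the hostname, certificate paths and htpasswd file are placeholders. The part worth noticing beyond the text is that AllowCONNECT and the <Proxy> access control are what stop the host from becoming an open relay for arbitrary TCP services: with ProxyRequests On and no further restriction, anyone who can reach port 443 can ask Apache to open connections on their behalf.

```apache
# Added example (not the original post's config). Apache 2.4 syntax assumed.
LoadModule proxy_module         modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule ssl_module           modules/mod_ssl.so

Listen 443

<VirtualHost *:443>
    ServerName downloads.yourdomain.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/downloads.crt     # placeholder path
    SSLCertificateKeyFile /etc/pki/tls/private/downloads.key   # placeholder path

    # Ordinary visitors get a normal website; only CONNECT requests are tunnelled.
    DocumentRoot /var/www/downloads   # placeholder path

    # Forward-proxy mode is what makes Apache honour CONNECT at all.
    ProxyRequests On

    # Restrict tunnel targets to the SSH port. Apache's default list is
    # 443 and 563; a wider list lets clients reach any TCP service.
    AllowCONNECT 22

    # Gate proxy use behind credentials (Apache answers 407 for proxy requests
    # inside a <Proxy> container). Require ip could be added for source-network
    # restrictions as well.
    <Proxy "*">
        AuthType Basic
        AuthName "ssh-tunnel"
        AuthUserFile /etc/httpd/tunnel.htpasswd   # placeholder path
        Require valid-user
    </Proxy>
</VirtualHost>
```

On the client, ssh is pointed at the proxy with a ProxyCommand in ~/.ssh/config, for example `ProxyCommand proxytunnel -p downloads.yourdomain.com:443 -d %h:%p` plus proxytunnel's SSL option for the proxy leg (option names as I recall them from proxytunnel's usage text; confirm with `proxytunnel -h`). SSH's own host-key verification still runs inside the tunnel, so a proxy that substitutes the endpoint is caught on the client side, and Apache's access log records every CONNECT request with its target and authenticated user, which is the place to watch for tunnels you did not expect.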
Read more: DAG