Friday, January 28, 2011

SSH over HTTP(S)

I have an Apache server at work.com that only allows incoming HTTP and HTTPS requests over the usual ports 80 and 443. These are the only ports that are open on the network.

I would like to be able to SSH in to the server when I am at home, but IT refuses to open port 22.

Is there a way to configure apache to accept SSH traffic at the address ssh.work.com and forward it to sshd on port 80?

  • see this guide on using corkscrew

  • There's sslh for this purpose.

    delivarator : This did the trick and was super easy to set up. The only thing I needed to do was tell apache to listen on a different port since sslh binds to 443. Thanks!
    From joschi
  • If you need shell access, you should just get it from your organization and not have to do weird stuff to get it.

    That being said, you can install webshell or anyterm and accomplish what you need, but do get your normal shell access or you might get into trouble. The webshell trick is nice for when you need to have a shell at your home machine from one of those proxied networks we all know.

  • Firstly, if you're going to try to run ssh on a non-standard port to defeat your local IT policies (wrong-headed as I feel they are), it's normal to use 443 rather than 80. This is because http is often proxied by organisations; this proxying is often done transparently, so it can be difficult to tell if it's happening. HTTPS, by contrast, being end-to-end encrypted, is usually impossible to proxy, so most organisations either don't bother, or have a proxy configured as a simple pass-through. This makes TCP/443 a safer choice for a non-standard ssh than TCP/80. Joschi's suggestion of sslh, I notice, is designed to co-exist with https rather than http.

    That said, ssh doesn't to the best of my knowledge support any kind of virtual host name support, so using ssh.work.com isn't going to work if that resolves to an IP address which is already running a real apache listener on TCP/443. If, however, you have a public IP address that you can spare for just this purpose on your work machine, you can configure sshd to run on port 443 with

    Port 443
    

    in sshd_config, and then just point a remote ssh client at your IP address with the -p 443 flag.

    If you can't spare an IP address for that, then sslh is your man.

    From MadHatter
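
The sslh approach recommended in the answers above works because SSH and TLS clients open a connection with different first bytes: an SSH client sends an identification string beginning `SSH-` in cleartext, while a TLS client sends a handshake record. The Python sketch below is an added example (not sslh's code and not part of the original posts) of that first-bytes classification, and of how the same check lets a network monitor flag SSH sharing TCP/443; the function names, addresses and sample bytes are constructed for illustration.

```python
# Added illustration, not sslh's code: classify a connection on a shared
# port 443 from the first bytes the client sends. Names and sample data
# are constructed for this example.

SSH_PREFIX = b"SSH-"     # RFC 4253 identification string, e.g. "SSH-2.0-..."
TLS_HANDSHAKE = 0x16     # TLS record content type: handshake
CLIENT_HELLO = 0x01      # TLS handshake message type: ClientHello


def classify_first_bytes(data: bytes) -> str:
    """Return 'ssh', 'tls', 'need-more' or 'unknown'."""
    if len(data) < len(SSH_PREFIX) and SSH_PREFIX.startswith(data):
        return "need-more"   # empty or a partial "SSH-": wait for more bytes
    if data.startswith(SSH_PREFIX):
        return "ssh"
    if data[0] == TLS_HANDSHAKE:
        if len(data) < 6:
            return "need-more"   # record header (5 bytes) + handshake type
        if data[1] == 0x03 and data[5] == CLIENT_HELLO:
            return "tls"
    return "unknown"


def ssh_on_https_port(flows):
    """Defender's view: flows to TCP/443 whose client opens with an SSH banner."""
    return [
        (src, dst)
        for src, dst, dport, first in flows
        if dport == 443 and classify_first_bytes(first) == "ssh"
    ]


# Constructed sample: (source, destination, destination port, first client bytes).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.10", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    ("198.51.100.9", "192.0.2.10", 443, b"SSH-2.0-example_client\r\n"),
    ("198.51.100.9", "192.0.2.10", 22, b"SSH-2.0-example_client\r\n"),
    ("203.0.113.4", "192.0.2.10", 443, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for src, dst, dport, first in SAMPLE_FLOWS:
        print(src, dport, classify_first_bytes(first))
    print("SSH on 443:", ssh_on_https_port(SAMPLE_FLOWS))
```

A client that stays silent until the server speaks yields `need-more` indefinitely, so a multiplexer built this way also needs a timeout and a default backend.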
