HAProxy

Oct 4, 2021
3 min read
Jun 30, 2023 16:33 EEST

Tunnel SSH through HTTPS connection

Your company does not allow you to use ssh through the company firewall and only http and https is allowed? And you are enforced to use the company proxy?

No problem, we will prepare haproxy that it can handle http, https, and a tunneled SSH in a https tunnel on the same IP address, so it is completely invisible the company firewall/proxy.

We have to add the configuration to the frontend definition:

global
    ...
    user root
    ...

frontend www-https
    ...
    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP
    
    acl client_attempts_ssh payload(0,7) -m bin 5353482d322e30
    use_backend ssh if client_attempts_ssh
    ...

Now we define the backend to handle that requests:

backend ssh
    mode tcp
    option tcplog
    source 0.0.0.0 usesrc clientip
    server ssh 192.168.200.6:22
    timeout server 8h

The IP 192.168.200.6 is the IP the SSH client is listening, replace it with an internal IP.

Now we need Putty (tested with version 0.67) and socat (tested with version 2.0.0-b9) to build up the connection.

Set the following options:

Tab Field Value
Session Hostname The hostname you would like to connect if the tunnel is up
Session Port 22
Session Connection type SSH
Session Saved Session
Connection - Data Auto-login username SSH username
Connection - Proxy Proxy type Local
Connection - Proxy Proxy hostname Hostname of your company proxy
Connection - Proxy Port Portname of your company proxy
Connection - Proxy Username Username to authenticate against the proxy
Connection - Proxy Password Password for the proxy connection
Connection - Proxy Telnet Command <path-socat>\socat STDIO "OPENSSL,verify=1,cn=%host,cafile=<path-socat>/le.pem | PROXY:%host:%port,proxyauth=%user:%pass | TCP:%proxyhost:%proxyport"
Connection - Proxy Telnet Command without proxy <path-socat>\socat STDIO „OPENSSL,verify=1,cn=%host,cafile=<path-socat>/le.pem | TCP:%host:%port

Make sure you click in tab Session on Save after you filled in all options you need.

Make sure you store the public CA key you use to sign your private key under \le.pem. I use lets encrypt, you can get the required certificates to ensure you really connect to your computer from their websites. Certificates can be downloaded here: https://letsencrypt.org/certificates/

We need at first the certificate for ISRG Root X1 - Self-signed and then the ISRG Root X1 Cross signed (Signed by DST CA X3) . Put both keys into the le.pem, it will look like:

-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
...
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
...
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----

This will ensure that we always connect to our computer and will ensure that the company proxy cannot by in middle to inspect the traffic. If socat cannot verify the connection it could be that your company proxy is trying to decrypt https. You have to decide then if you want this.

Now you can use plink, putty, psc to connect to your host. Make sure you use as hostname the session name you defined in the Session tab under “Saved Sessions”.


Related Posts