Tunnel SSH through HTTPS connection

Your company does not allow SSH through the company firewall, only http and https are allowed, and you are forced to use the company proxy?

No problem: we will configure haproxy so that it handles http, https, and SSH tunneled inside an https connection on the same IP address, so the tunnel is completely invisible to the company firewall/proxy.

Add the following to the frontend definition (the "user root" line belongs in the global section; it is needed because "source usesrc" in the backend below requires root privileges):

global
    user root

frontend www-https
    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP
    # 5353482d322e30 is the ASCII string "SSH-2.0", the banner every SSH client sends first
    acl client_attempts_ssh payload(0,7) -m bin 5353482d322e30
    use_backend ssh if client_attempts_ssh

Now we define the backend that handles those requests:

backend ssh
    mode tcp
    option tcplog
    source usesrc clientip
    # placeholder: replace <internal-ip> with the internal address of your SSH server
    server ssh <internal-ip>:22
    timeout server 8h

The IP is the address the SSH server is listening on; replace it with an internal IP.
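As an added illustration (not part of the original page and not haproxy code), the following Python script is a minimal stand-in for the two haproxy rules above. It shows why the payload ACL works: both SSH clients and HTTP clients speak first, and the first seven bytes an SSH client sends are the ASCII banner prefix "SSH-2.0", which is exactly what the hex string 5353482d322e30 decodes to. The script peeks at the first bytes of a connection (the equivalent of inspect-delay), classifies them, and splices the connection to the matching backend; all host names and ports are constructed local test values.

```python
"""Added example, not from the original page: a tiny Python version of the
haproxy inspect-delay / use_backend logic, to show what the ACL matches on."""
import asyncio

# Hex string from the haproxy ACL on the page; it decodes to b"SSH-2.0".
SSH_BANNER_HEX = "5353482d322e30"
SSH_BANNER = bytes.fromhex(SSH_BANNER_HEX)
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")


def classify(first_bytes: bytes) -> str:
    """Mirror of the two haproxy ACLs plus one sanity check.

    'ssh'     first seven bytes equal the SSH-2.0 banner (the page's ACL)
    'http'    data starts with an HTTP request method (haproxy's HTTP ACL)
    'tls'     a TLS record header: TLS was NOT terminated in front of us, so
              payload inspection could never see the plaintext banner
    'unknown' anything else, or nothing arrived within the inspect delay
    """
    if first_bytes[:7] == SSH_BANNER:
        return "ssh"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    if first_bytes[:2] == b"\x16\x03":
        return "tls"
    return "unknown"


async def _pipe(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    """Copy src -> dst until EOF, then half-close dst so the other direction
    keeps flowing, as a TCP proxy should."""
    try:
        while data := await src.read(65536):
            dst.write(data)
            await dst.drain()
    except ConnectionError:
        pass
    finally:
        if dst.can_write_eof():
            try:
                dst.write_eof()
            except (OSError, RuntimeError):
                pass


async def demux(reader, writer, backends, inspect_delay=5.0):
    """Equivalent of 'tcp-request inspect-delay 5s' + 'use_backend': wait up
    to inspect_delay seconds for the first bytes, classify them and splice the
    connection to the (host, port) registered for that protocol. Connections
    with no matching backend are dropped, like haproxy without a default."""
    try:
        head = await asyncio.wait_for(reader.read(16), timeout=inspect_delay)
    except asyncio.TimeoutError:
        head = b""
    target = backends.get(classify(head))
    if target is None:
        writer.close()
        return
    b_reader, b_writer = await asyncio.open_connection(*target)
    b_writer.write(head)            # replay the bytes we peeked at
    await b_writer.drain()
    await asyncio.gather(_pipe(reader, b_writer), _pipe(b_reader, writer))
    b_writer.close()
    writer.close()


async def _demo() -> dict:
    """Constructed self-test: two stub backends record what reaches them; a
    demux front on a random localhost port routes one SSH banner and one
    HTTP request to them."""
    seen = {}

    async def stub(name):
        async def handler(r, w):
            seen[name] = await r.read()     # everything until EOF
            w.close()
        return await asyncio.start_server(handler, "127.0.0.1", 0)

    ssh_stub, http_stub = await stub("ssh"), await stub("http")
    backends = {
        "ssh": ("127.0.0.1", ssh_stub.sockets[0].getsockname()[1]),
        "http": ("127.0.0.1", http_stub.sockets[0].getsockname()[1]),
    }
    front = await asyncio.start_server(
        lambda r, w: demux(r, w, backends, inspect_delay=2.0), "127.0.0.1", 0)
    fport = front.sockets[0].getsockname()[1]
    for payload in (b"SSH-2.0-OpenSSH_7.5\r\n",
                    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"):
        r, w = await asyncio.open_connection("127.0.0.1", fport)
        w.write(payload)
        await w.drain()
        w.write_eof()
        await r.read()                  # wait for the far side to hang up
        w.close()
    for srv in (front, ssh_stub, http_stub):
        srv.close()
    return seen


def run_demo() -> dict:
    return asyncio.run(_demo())


if __name__ == "__main__":
    print(run_demo())
```

Two things the script makes visible that the config alone does not: the check matches only the "SSH-2.0" banner, so an SSH client announcing "SSH-1.99" would fall through to the HTTP side, and the classification must happen on plaintext, so in the haproxy setup it only works because the frontend terminates TLS before inspecting the payload.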

Now we need PuTTY (tested with version 0.67) and socat (tested with version 2.0.0-b9) to establish the connection.

Set the following options:

Tab                  Field                 Value
---                  -----                 -----
Session              Hostname              The hostname you would like to connect to once the tunnel is up
Session              Port                  22
Session              Connection type       SSH
Session              Saved Session         <a name you prefer>
Connection - Data    Auto-login username   SSH username
Connection - Proxy   Proxy type            Local
Connection - Proxy   Proxy hostname        Hostname of your company proxy
Connection - Proxy   Port                  Port of your company proxy
Connection - Proxy   Username              Username to authenticate against the proxy
Connection - Proxy   Password              Password for the proxy connection
Connection - Proxy   Telnet command        <path-socat>\socat STDIO "OPENSSL,verify=1,cn=%host,cafile=<path-socat>/le.pem | PROXY:%host:%port,proxyauth=%user:%pass | TCP:%proxyhost:%proxyport"

Make sure you click Save in the Session tab after you have filled in all the options you need.

Make sure you store the public CA certificates that signed your server certificate under <path-socat>\le.pem. I use Let's Encrypt; you can get the required certificates, which ensure you really connect to your own computer, from their website. We need first the certificate for DST Root CA X3 and then the Let's Encrypt Authority X3 (signed by ISRG Root X1). Put both certificates into le.pem, one PEM block after the other.

This ensures that we always connect to our own computer and that the company proxy cannot sit in the middle to inspect the traffic. If socat cannot verify the connection, your company proxy may be intercepting and decrypting https. You then have to decide whether you want to accept this.

Now you can use plink, putty, or pscp to connect to your host. Make sure you use the session name you defined in the Session tab under "Saved Sessions" as the hostname.

freebsd/haproxy.txt · Last modified: 2017/07/04 13:22 (external edit)