Your company does not allow you to use ssh through the company firewall and only http and https is allowed? And you are enforced to use the company proxy?
No problem, we will prepare haproxy that it can handle http, https, and a tunneled SSH in a https tunnel on the same IP address, so it is completely invisible the company firewall/proxy.
We have to add the configuration to the frontend definition:
global ... user root ... frontend www-https ... tcp-request inspect-delay 5s tcp-request content accept if HTTP acl client_attempts_ssh payload(0,7) -m bin 5353482d322e30 use_backend ssh if client_attempts_ssh ...
Now we define the backend to handle that requests:
backend ssh mode tcp option tcplog source 0.0.0.0 usesrc clientip server ssh 192.168.200.6:22 timeout server 8h
The IP 192.168.200.6 is the IP the SSH client is listening, replace it with an internal IP.
Set the following options:
|Session||Hostname||The hostname you would like to connect if the tunnel is up|
|Session||Saved Session||<a name you prefer>|
|Connection - Data||Auto-login username||SSH username|
|Connection - Proxy||Proxy type||Local|
|Connection - Proxy||Proxy hostname||Hostname of your company proxy|
|Connection - Proxy||Port||Portname of your company proxy|
|Connection - Proxy||Username||Username to authenticate against the proxy|
|Connection - Proxy||Password||Password for the proxy connection|
|Connection - Proxy||Telnet Command||<path-socat>\socat STDIO „OPENSSL,verify=1,cn=%host,cafile=<path-socat>/le.pem | PROXY:%host:%port,proxyauth=%user:%pass | TCP:%proxyhost:%proxyport“|
Make sure you click in tab Session on Save after you filled in all options you need.
Make sure you store the public CA key you use to sign your private key under <path-socat>\le.pem. I use lets encrypt, you can get the required certificates to ensure you really connect to your computer from their websites. We need at first the certificate for DST Root CA X3 and then the Let’s Encrypt Authority X3 (Signed by ISRG Root X1). Put both keys into the le.pem, it will look like:
-----BEGIN CERTIFICATE----- MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ ... Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw ... rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt -----END CERTIFICATE-----
This will ensure that we always connect to our computer and will ensure that the company proxy cannot by in middle to inspect the traffic. If socat cannot verify the connection it could be that your company proxy is trying to decrypt https. You have to decide then if you want this.
Now you can use plink, putty, psc to connect to your host. Make sure you use as hostname the session name you defined in the Session tab under „Saved Sessions“.