Tunnel SSH through HTTPS connection
Your company does not allow SSH through the firewall, only HTTP and HTTPS, and forces all traffic through the company proxy? No problem: we will set up HAProxy so that it serves HTTP, HTTPS and SSH tunneled inside HTTPS on the same IP address and port. To the company firewall and proxy the SSH session then looks like any other HTTPS connection (as long as the proxy does not break TLS open, more on that below).
Add the following to the frontend definition. The frontend has to run in mode tcp and terminate TLS on its bind line (ssl crt ...): the content inspection below looks at the decrypted stream, and HAProxy can hand a TCP frontend over to an HTTP backend for the normal web traffic, but not an HTTP frontend over to the TCP backend we need for SSH. The inspect-delay gives a client five seconds to send its first bytes; HTTP requests are accepted as soon as they are recognised, and a client whose first seven bytes are the SSH identification string SSH-2.0 (5353482d322e30 in hex) goes to the ssh backend. This only works with SSH clients that send their identification string without waiting for the server's; a client that waits for the server banner sends nothing during the delay and ends up in the default backend. PuTTY sends first, which is why it is used below:
global
...
user root
...
frontend www-https
...
tcp-request inspect-delay 5s
tcp-request content accept if HTTP
acl client_attempts_ssh payload(0,7) -m bin 5353482d322e30
use_backend ssh if client_attempts_ssh
...
Now we define the backend that handles those requests:
backend ssh
mode tcp
option tcplog
source 0.0.0.0 usesrc clientip
server ssh 192.168.200.6:22
timeout server 8h
The IP 192.168.200.6 is the address on which your SSH server (sshd) listens; replace it with your own internal IP. Two things about this backend are worth knowing. "source 0.0.0.0 usesrc clientip" makes HAProxy connect to sshd with the real client address as source (transparent proxying), so sshd logs the actual client instead of HAProxy; this is what the "user root" in the global section is for, and it also requires that sshd's replies to that address route back through the HAProxy host. If you would rather not run HAProxy as root, drop both lines and live with sshd seeing HAProxy's address as the client. And "timeout server" only covers the server side: once the content rules have accepted the connection, an idle SSH session is also subject to the frontend's "timeout client", so add "timeout tunnel 8h" (which supersedes both once the connection has become a plain TCP tunnel) or raise "timeout client" as well, otherwise idle sessions are cut off early.
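Two small helpers for the server side, added here as an example and not part of the original post (host name, port and cafile path are placeholders). acl_hex_for derives the hex string for the "-m bin" match from any banner prefix, so you can see where 5353482d322e30 comes from and adapt the ACL for other banners; probe_ssh_over_tls checks from outside, with openssl s_client and your le.pem, that a connection which opens with an SSH banner really ends up at sshd. req.payload is the current spelling of the payload fetch used in the frontend above.

```shell
#!/bin/sh
# Added example, not from the original post. Host name, port and cafile path
# are placeholders; adjust them to your HAProxy machine.

# Hex-encode a banner prefix the way HAProxy's "-m bin" match expects it.
# Every protocol 2 SSH client starts its identification string with
# "SSH-2.0", which is where 5353482d322e30 in the ACL above comes from.
acl_hex_for() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# Emit the ACL and use_backend lines for any banner prefix, with the length
# derived from the prefix so the payload window and the hex always agree.
# req.payload is the current spelling of the payload fetch.
acl_lines_for() {
    banner=$1
    len=$(printf '%s' "$banner" | wc -c | tr -d ' ')
    printf 'acl client_attempts_ssh req.payload(0,%s) -m bin %s\n' \
        "$len" "$(acl_hex_for "$banner")"
    printf 'use_backend ssh if client_attempts_ssh\n'
}

# Live check from the client side (needs network and openssl): open TLS to
# the HAProxy frontend, verify its chain against le.pem, send a client banner
# and print the first line of the answer. When the routing works that line
# is sshd's own banner ("SSH-2.0-OpenSSH_..."); an HTTP status line means the
# connection went to the default (web) backend instead.
probe_ssh_over_tls() {
    host=$1 port=${2:-443} cafile=$3
    printf 'SSH-2.0-probe\r\n' |
        openssl s_client -quiet -connect "$host:$port" -servername "$host" \
            -CAfile "$cafile" -verify_return_error 2>/dev/null |
        head -n 1 | tr -d '\r'
}

# Usage:
#   acl_lines_for SSH-2.0
#   probe_ssh_over_tls myhost.example.org 443 /path/to/le.pem
```

If the probe prints an HTTP status line, the ACL did not match: either the frontend is not in mode tcp, or TLS is not terminated on the bind line so the payload fetch only sees ciphertext. A verification error from s_client points at a certificate chain that le.pem does not cover.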
On the client we need PuTTY (tested with version 0.67) and socat (tested with version 2.0.0-b9; the address chaining with "|" used below needs the 2.x branch) to build up the connection.
Set the following options in PuTTY:
Tab | Field | Value |
---|---|---|
Session | Hostname | The hostname of your HAProxy server; it must match the name in its certificate, because the proxy command checks cn=%host |
Session | Port | 443, the port of the HAProxy HTTPS frontend. PuTTY substitutes this value for %port in the proxy command, so the company proxy is asked to CONNECT to 443; sshd's port 22 is only used inside the tunnel, by HAProxy |
Session | Connection type | SSH |
Session | Saved Session | A name of your choice; you will use it as the hostname for plink and pscp later |
Connection - Data | Auto-login username | SSH username |
Connection - Proxy | Proxy type | Local |
Connection - Proxy | Proxy hostname | Hostname of your company proxy |
Connection - Proxy | Port | Port of your company proxy |
Connection - Proxy | Username | Username to authenticate against the proxy |
Connection - Proxy | Password | Password for the proxy connection |
Connection - Proxy | Telnet Command | <path-socat>\socat STDIO "OPENSSL,verify=1,cn=%host,cafile=<path-socat>/le.pem | PROXY:%host:%port,proxyauth=%user:%pass | TCP:%proxyhost:%proxyport" |
Connection - Proxy | Telnet Command without proxy | <path-socat>\socat STDIO "OPENSSL,verify=1,cn=%host,cafile=<path-socat>/le.pem | TCP:%host:%port" |
Make sure you click Save in the Session tab after you have filled in all the options you need.
Store the CA certificates that validate your HAProxy server certificate in le.pem, the file named in the cafile= option above; socat only accepts the tunnel if the server's chain validates against this file and the certificate matches the hostname, which is what ensures you really connect to your own machine. I use Let's Encrypt; its certificates can be downloaded here: https://letsencrypt.org/certificates/
We need first the self-signed ISRG Root X1 and then the ISRG Root X1 cross-signed by DST Root CA X3. Concatenate both certificates into le.pem, which will look like this:
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
...
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
...
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----
This pins the tunnel to your own certificate chain: socat only completes the TLS handshake if the server certificate validates against le.pem and carries your hostname, so you always end up at your own machine and a company proxy cannot silently sit in the middle of the HTTPS connection. If socat reports a verification failure, the most likely reason is that the company proxy is intercepting and re-signing HTTPS. You then have to decide whether you want to go on anyway: adding the proxy's CA to le.pem makes the handshake succeed, but the proxy then sees a plain SSH session inside the tunnel (the SSH layer still encrypts the contents, yet the tunnel is no longer invisible and may simply be blocked).
Now you can use plink, PuTTY or pscp to connect to your host. Pass the name you saved under Saved Sessions in the Session tab as the hostname; the PuTTY tools then load the matching saved session, including the proxy settings.
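The same tunnel from a FreeBSD or Linux box with OpenSSH, as an added example that is not part of the original post. It needs socat 2.x for the address chain and the same le.pem; host names, the proxy address and paths are placeholders. proxy_command builds the ProxyCommand (with or without the CONNECT hop through the company proxy) and ssh_via_https runs ssh with it. OpenSSH connects to port 443 and HAProxy's ACL hands the session to sshd on 22, exactly as the PuTTY session above does.

```shell
#!/bin/sh
# Added example, not from the original post: the OpenSSH counterpart of the
# PuTTY proxy settings above. Needs socat 2.x (address chaining with "|")
# and the same le.pem. Host names, proxy address and paths are placeholders.

# Build the ProxyCommand: TLS to the HAProxy host, verified against le.pem
# and pinned to the host name (cn=), carried through the company proxy with
# HTTP CONNECT. Leave the proxy argument empty to connect directly.
# proxyauth ("user:pass") is optional; note that it shows up in the process
# list, so prefer a proxy that does not need it where you can.
proxy_command() {
    host=$1 port=$2 cafile=$3 proxy=$4 proxyauth=$5
    chain="OPENSSL,verify=1,cn=$host,cafile=$cafile"
    if [ -n "$proxy" ]; then
        auth=${proxyauth:+,proxyauth=$proxyauth}
        chain="$chain | PROXY:$host:$port$auth | TCP:$proxy"
    else
        chain="$chain | TCP:$host:$port"
    fi
    printf 'socat STDIO "%s"\n' "$chain"
}

# Open the session. ssh talks to port 443, where HAProxy terminates TLS and
# hands the SSH banner to sshd on 22; port 22 never appears on the wire.
ssh_via_https() {
    user=$1 host=$2 cafile=$3 proxy=$4 proxyauth=$5
    ssh -p 443 \
        -o "ProxyCommand=$(proxy_command "$host" 443 "$cafile" "$proxy" "$proxyauth")" \
        "$user@$host"
}

# Usage:
#   ssh_via_https me myhost.example.org /home/me/le.pem proxy.corp.example:3128 me:secret
#
# The same thing as a ~/.ssh/config stanza (%h and %p are filled in by ssh):
#   Host myhost-via-https
#       HostName myhost.example.org
#       Port 443
#       User me
#       ProxyCommand socat STDIO "OPENSSL,verify=1,cn=%h,cafile=/home/me/le.pem | PROXY:%h:%p,proxyauth=me:secret | TCP:proxy.corp.example:3128"
```

Because ssh is told port 443, the host key is stored in known_hosts as [myhost.example.org]:443; that is expected and does not indicate a changed key.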