SSH through HTTP proxy

These are instructions for allowing SSH access to hosts on an internal network via a public-facing HTTP proxy.

Configure Apache2 proxy

Here is the fundamental configuration components needed to establish a proxy. This assumes the apache2 proxy modules are already enabled.

    Order deny,allow
    Deny from all
ProxyRequests On
AllowConnect 22
<ProxyMatch host\.internal>
    Order deny,allow
    Allow from all

Additional to this, you should have a normal site definition (for snooping visitors), and add security (host-based, or user-based) to the ProxyMatch stanza.

Note: The proxy configuration needs to go into the default virtualhost (i.e. the one which would be used when you access your server via IP address.

Client Configuration

Requires the proxytunnel program.

Proxytunnel configuration

Test the proxy is set up ok and you can access internal hosts:

proxytunnel -p -d host.internal:22

You should get something like:

Via ->
SSH-2.0-OpenSSH_5.1p1 Debian-5

Configure SSH

In ~/.ssh/config, add an entry for all internal hosts:

host *.internal
    ProxyCommand proxytunnel -p -d %h:22
    ServerAliveInterval 60

The last command keeps the SSH session alive and prevents HTTP timeout.

You should now be able to SSH to your internal host:

Article last modified on June 14, 2014 at 12:20 pm.

Leave a Reply

Your email address will not be published.