SSH through HTTP proxy

These are instructions for allowing SSH access to hosts on an internal network via a public-facing HTTP proxy.

Configure Apache2 proxy

Here are the fundamental configuration components needed to establish a proxy. This assumes the apache2 proxy modules are already enabled.

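# Deny all proxy requests by default
<Proxy *>
    Order deny,allow
    Deny from all
</Proxy>
# Act as a forward proxy
ProxyRequests On
# CONNECT is permitted to port 22 (SSH) only
AllowConnect 22
# Re-allow proxying for targets matching this pattern
<ProxyMatch host\.internal>
    Order deny,allow
    Allow from all
</ProxyMatch>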

In addition to this, you should have a normal site definition (for snooping visitors), and you should add security (host-based or user-based) to the ProxyMatch stanza.

Note: The proxy configuration needs to go into the default virtualhost (i.e. the one which would be used when you access your server via IP address).
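
One way to add the host-based and user-based restrictions mentioned above, as an added example that is not part of the original article. The client range, realm name and password file path are placeholders, and the anchored pattern assumes Apache matches ProxyMatch against the CONNECT target in host:port form.

```apache
# Added example in Apache 2.2 syntax, matching the configuration above.
# It replaces the "Allow from all" ProxyMatch stanza.
# Assumption: the pattern is matched against "host:port", so anchoring
# it limits the tunnel to exactly host.internal on port 22.
<ProxyMatch ^host\.internal:22$>
    # Host-based: only the listed client range may use the tunnel.
    # 203.0.113.0/24 is a placeholder range.
    Order deny,allow
    Deny from all
    Allow from 203.0.113.0/24

    # User-based: require proxy credentials as well.
    # The realm and the password file path are placeholders;
    # create the file with htpasswd.
    AuthType Basic
    AuthName "SSH proxy"
    AuthUserFile /etc/apache2/proxy.htpasswd
    Require valid-user

    # Both the host check and the login must pass
    # (the 2.2 default, stated explicitly).
    Satisfy all
</ProxyMatch>
```

Basic credentials cross port 80 unencrypted, so the host-based rule should not be dropped in favour of the login alone. With the login enabled, proxytunnel needs the credentials too (its -P user:pass option), and the proxytunnel test below confirms whether the anchored pattern still lets host.internal:22 through.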

Client Configuration

Requires the proxytunnel program.

Proxytunnel configuration

Test that the proxy is set up correctly and that you can reach internal hosts:

proxytunnel -p my.proxy.fqdn.com:80 -d host.internal:22

You should get something like:

Via my.proxy.fqdn.com:80 -> internal.host:22
SSH-2.0-OpenSSH_5.1p1 Debian-5

Configure SSH

In ~/.ssh/config, add an entry for all internal hosts:

host *.internal
    ProxyCommand proxytunnel -p my.proxy.fqdn.com:80 -d %h:22
    ServerAliveInterval 60

The last option, ServerAliveInterval, keeps the SSH session alive and prevents an HTTP timeout.

You should now be able to SSH to your internal host:

ssh 
Article last modified on June 14, 2014 at 12:20 pm.
