These are instructions for allowing SSH access to hosts on an internal network via a public-facing HTTP proxy.
Configure Apache2 proxy
Here are the fundamental configuration components needed to establish a proxy. This assumes the apache2 proxy modules are already enabled.
# Deny all proxying by default
<Proxy *>
    Order deny,allow
    Deny from all
</Proxy>

# Enable forward proxying; permit CONNECT to port 22 (SSH) only
ProxyRequests On
AllowConnect 22

# Re-allow proxying for the internal host
<ProxyMatch host\.internal>
    Order deny,allow
    Allow from all
</ProxyMatch>
In addition, you should have a normal site definition (for snooping visitors) and add security (host-based or user-based) to the ProxyMatch stanza.
Note: The proxy configuration needs to go into the default virtualhost (i.e. the one which would be used when you access your server via IP address).
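One way to add the host-based and user-based security mentioned above to the ProxyMatch stanza. This is an added example, not part of the original instructions; the client network 203.0.113.0/24, the realm name and the password file path /etc/apache2/proxy.htpasswd are placeholder assumptions, and it keeps the Apache 2.2 access syntax used in the configuration above.

```apache
# Replaces the open "Allow from all" ProxyMatch stanza.
# Needs mod_auth_basic and mod_authn_file in addition to the proxy modules.
#
# The pattern is an unanchored regular expression, so it also matches
# longer names that merely contain "host.internal". Tighten it to fit
# your own naming scheme.
<ProxyMatch host\.internal>
    # Host-based: only the listed client network may use the tunnel.
    # 203.0.113.0/24 is a placeholder; use your own client addresses.
    Order deny,allow
    Deny from all
    Allow from 203.0.113.0/24

    # User-based: the proxy asks for credentials before it will CONNECT.
    # The realm name and the file path are placeholders.
    AuthType Basic
    AuthName "SSH tunnel"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/proxy.htpasswd
    Require valid-user

    # Require BOTH the address check and the login. "Satisfy any" would
    # let either one alone open the tunnel.
    Satisfy all

    # Basic credentials cross plain HTTP on port 80 unencrypted, so treat
    # this as an extra gate in front of SSH's own authentication.
</ProxyMatch>
```

With the user-based part enabled, proxytunnel has to send proxy credentials too (its -P user:password option).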
Client Configuration
Requires the proxytunnel program.
Proxytunnel configuration
Test that the proxy is set up correctly and that you can reach internal hosts:
proxytunnel -p my.proxy.fqdn.com:80 -d host.internal:22
You should get something like:
Via my.proxy.fqdn.com:80 -> internal.host:22
SSH-2.0-OpenSSH_5.1p1 Debian-5
Configure SSH
In ~/.ssh/config, add an entry for all internal hosts:
Host *.internal
    ProxyCommand proxytunnel -p my.proxy.fqdn.com:80 -d %h:22
    ServerAliveInterval 60
The last option, ServerAliveInterval, keeps the SSH session alive and prevents an HTTP timeout.
You should now be able to SSH to your internal host:
ssh