These are instructions for allowing SSH access to hosts on an internal network via a public-facing HTTP proxy. Much of this is based on instructions from here which should be referred to for more in-depth details.

Here is the fundamental configuration components needed to establish a proxy. This assumes the apache2 proxy modules are already enabled.

<Proxy *>

Order deny,allow

Deny from all

</Proxy>

ProxyRequests On

AllowConnect 22

<ProxyMatch host\.internal>

Order deny,allow

Allow from all

</ProxyMatch>

Additional to this, you should have a normal site definition (for snooping visitors), and add security (host-based, or user-based) to the ProxyMatch stanza.

Note: The proxy configuration needs to go into the default virtualhost (i.e. the one which would be used when you access your server via IP address.

Requires the proxytunnel program.

Test the proxy is set up ok and you can access internal hosts:

proxytunnel -p my.proxy.fqdn.com:80 -d host.internal:22

You should get something like:

Via my.proxy.fqdn.com:80 -> internal.host:22

SSH-2.0-OpenSSH_5.1p1 Debian-5

In ~/.ssh/config, add an entry for all internal hosts:

host *.internal

ProxyCommand proxytunnel -p my.proxy.fqdn.com:80 -d %h:22

ServerAliveInterval 60

The last command keeps the SSH session alive and prevents HTTP timeout.

You should now be able to SSH to your internal host:

ssh user@host.internal