proxy2ssh allows you to ssh over a web proxy
Guest on 25th April 2022 12:07:25 PM
proxy2ssh allows you to ssh over a web proxy using only GET/POST
(not CONNECT) requests.
Background:
I've been using the HTTP proxy CONNECT method for years to ssh through
HTTP proxies. In the early days I used to run a script from the local
inetd server that would connect to the proxy server and send the
necessary preamble to connect to my home machine. Something like this:
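
    #!/bin/bash
    # Relay stdin/stdout to ${HOST}:443 through the HTTP proxy using CONNECT.
    HOST=myserver.com
    PROXY=proxy.acme.com
    PROXY_PORT=8080
    (
        # HTTP request lines must end in CRLF
        printf 'CONNECT %s:443 HTTP/1.1\r\n' "${HOST}"
        printf 'Host: %s:443\r\n' "${HOST}"
        printf '\r\n'
        cat
    ) | (
        nc "${PROXY}" "${PROXY_PORT}"
    ) | (
        # eat unwanted proxy http headers: discard lines up to the blank
        # line that ends the proxy's reply, without reading past it
        while IFS= read -r line; do
            [ -z "${line%$'\r'}" ] && break
        done
        cat
    )
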
Then I'd ssh -p 2222 localhost and the script would connect me to my
home machine through the http proxy.

These days it's even easier; OpenSSH's ssh client has an option
-oProxyCommand that will let you run the proxy script directly from ssh
(instead of having to run it from inetd):

    ssh -oProxyCommand=proxy.sh user@host

There are actually several programs for doing this now. proxytunnel,
ssh-https-tunnel, corkscrew and probably many others. None of them really
do anything different than the above shell script. They all use CONNECT.

On some proxies, CONNECT just isn't available or is restricted to a
limited number of whitelisted hosts and ports. The ports problem is
usually easy to overcome by making sshd listen on port 443 (as I did for
the old shell script above). If CONNECT is enabled at all, it will
normally be allowed for 443, as that is the HTTPS port, which is the
raison d'être for CONNECT in the first place. Normally, regular HTTP
GET/POST requests are less restricted and can often connect to pretty
much anywhere.
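
The port-443 allowance described above checks the port number, not the protocol carried inside the tunnel. As an added example (not from the original text or from proxy2ssh), the following classifies the first client bytes of a CONNECT tunnel: an SSH client opens with a cleartext identification string, while HTTPS opens with a TLS handshake record. The function names and sample bytes are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of proxy2ssh. Names and sample bytes are constructed.

# Print the first 8 bytes of stdin as lowercase hex.
first_bytes_hex() {
    head -c 8 | od -An -v -tx1 | tr -d ' \n'
}

# Print "ssh", "tls" or "unknown" for the tunnel payload on stdin.
classify_tunnel_start() {
    hex=$(first_bytes_hex)
    case "$hex" in
        5353482d*)   echo ssh ;;      # "SSH-" identification string (RFC 4253)
        16030[0-4]*) echo tls ;;      # TLS handshake record, version 3.x
        *)           echo unknown ;;
    esac
}

# Port-443 policy: succeed only when the tunnel starts with a TLS handshake.
check_443_tunnel() {
    [ "$(classify_tunnel_start)" = tls ]
}

# Constructed samples: an SSH client banner and the start of a TLS ClientHello.
sample_ssh() { printf 'SSH-2.0-OpenSSH_8.9\r\n'; }
sample_tls() { printf '\026\003\001\002\000\001\000\001\374'; }

for s in sample_ssh sample_tls; do
    printf '%s: %s\n' "$s" "$($s | classify_tunnel_start)"
done
```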