27

At my workplace, the traffic blocker/firewall has been getting progressively worse. I can't connect to my home machine on port 22, and lack of ssh access makes me sad. I was previously able to use SSH by moving it to port 5050, but I think some recent filters now treat this traffic as IM and redirect it through another proxy, maybe. That's my best guess; in any case, my ssh connections now terminate before I get to log in.

These days I've been using Ajaxterm over HTTPS, as port 443 is still unmolested, but this is far from ideal. (Sucky terminal emulation, lack of port forwarding, my browser leaks memory at an amazing rate...) I tried setting up mod_proxy_connect on top of mod_ssl, with the idea that I could send a CONNECT localhost:22 HTTP/1.1 request through HTTPS, and then I'd be all set. Sadly, this seems to not work; the HTTPS connection works, up until I finish sending my request; then SSL craps out. It appears as though mod_proxy_connect takes over the whole connection instead of continuing to pipe through mod_ssl, confusing the heck out of the HTTPS client.

Is there a way to get this to work? I don't want to do this over plain HTTP, for several reasons:

  • Leaving a big fat open proxy like that just stinks
  • A big fat open proxy is not good over HTTPS either, but with authentication required it feels fine to me
  • HTTP goes through a proxy -- I'm not too concerned about my traffic being sniffed, as it's ssh that'll be going "plaintext" through the tunnel -- but it's a lot more likely to be mangled than HTTPS, which fundamentally cannot be proxied

Requirements:

  • Must work over port 443, without disturbing other HTTPS traffic (i.e. I can't just put the ssh server on port 443, because I would no longer be able to serve pages over HTTPS)
  • I have or can write a simple port forwarder client that runs under Windows (or Cygwin)

Edit

DAG: Tunnelling SSH over HTTP(S) has been pointed out to me, but it doesn't help: at the end of the article, they mention Bug 29744 - CONNECT does not work over existing SSL connection preventing tunnelling over HTTPS, exactly the problem I was running into. At this point, I am probably looking at some CGI script, but I don't want to list that as a requirement if there's better solutions available.

ephemient
  • 198,619
  • 38
  • 280
  • 391
  • 2
    The biggest reason is that the VPN software our company uses has a Windows-only client, so I can't work from home (5 out of 5 boxes are running Linux, and I don't want the hassle of virtual Windows). I used to run ssh with a reverse tunnel for remote desktop, but that's now broken. – ephemient Oct 08 '08 at 04:54
  • [comment box too short, I forgot to finish] and they don't like anybody running any unapproved VPNs, even though they know people WebEx in and out regularly... *shrug* sysadmins, can't live with them, can't live without them. – ephemient Oct 08 '08 at 05:12
  • This has been made less important by the fact that there exists a branch of vpnc that supports Nortel VPN, so I no longer need my own custom back door. I still feel uncomfortable relying on vpnc-nortel, though; it used to have issues with the same setup, and I don't know enough to be able to fix it if it breaks in the future... – ephemient May 21 '09 at 04:44
  • A quick solution for this is [webshell](http://www-personal.umich.edu/~mressl/webshell/), which I use avidly. – Tim Post Feb 04 '11 at 17:44
  • Apache Bug 29744 has been fixed in release 2.4. There is also a patch for 2.2.22 that I applied to my Ubuntu 14.04 LTS build, deploying only mod_proxy_connect.so. – Mark Feb 24 '16 at 04:25
  • proxytunnel fails, but a truly horrible `(echo -ne "CONNECT localhost:22 HTTP 1.1\r\nHost: proxy.fqdn\r\nProxy-Connection: Keep-Alive\r\n\r\n" && cat) | openssl s_client -quiet -connect proxy.fqdn:443` worked for me as the OpenSSH ProxyCommand – Mark Feb 24 '16 at 04:42

13 Answers13

9

Find out why the company has such a restrictive policy. It might be for a good reason.

If you still find that you want to bypass the policy, you could write a small proxy that will listen on your server on port 443 and then, depending on the request, will forward the traffic either to your web server or to the SSH daemon. There are two catches though.

  1. To determine whether it's an HTTPS request or an SSH request, you need to try to read some data with a (small) timeout, this is because TLS/SSL handshakes start with the client sending some data, whereas the SSH handshake starts with the server sending some data. The timeout has to be big enough to delays in delivering the initial data from the client in the TLS/SSL handshake, so it'll make establishing SSH connections slower.

  2. If the HTTP proxy in your company is smart, it'll actually eavesdrop on the expected TLS/SSL "handshake" when you CONNECT to port 443, and, when it detects that it's not an TLS/SSL handshake, it might terminate the SSH connection attempt. To address that, you could wrap the SSH daemon into an TLS/SSL tunnel (e.g., stunnel), but then you'll need to differentiate requests based on the TLS/SSL version in your client request to determine whether to route the TLS/SSL connection to the web server or to the TLS/SSL-tunneled SSH daemon.

smartexpert
  • 2,625
  • 3
  • 24
  • 41
Alexander
  • 9,302
  • 2
  • 26
  • 22
  • It's a hack, but it's less messy than all the other options I see. Thanks for the details, they'll save me a lot of time! – ephemient Oct 09 '08 at 00:40
  • 3
    I've found http://www.rutschle.net/tech/sslh.shtml recently, which is an implementation of this idea. Unfortunately it seems that the firewall injects RST packets into an SSH connection even when it's running on port 443... – ephemient May 21 '09 at 04:41
7

You should be able to use iptables to forward ssh traffic from your work machines to ssh while all other machines attaching to your home server on port 443 get the Apache server.

Try a rule like this:

iptables -t nat -A PREROUTING -p tcp -s 111.111.111.111 --dport 443 -j REDIRECT --to-port 22

Where 111.111.111.111 is your office computer's ip address.

That all assumes you're running Linux >= 2.4, which you should be by now. It's been out for almost a decade.

Documentation for iptables is at http://www.netfilter.org.

Manjula
  • 4,961
  • 3
  • 28
  • 41
Brian
  • 8,454
  • 5
  • 27
  • 30
6

Set up OpenVPN 2.1 server at home, use port 443 (if you set up your home any HTTPS service at port 443, trigger OpenVPN's port-share option to handle both OpenVPN and HTTPS transactions at port 443; this feature is only available to non-Windows OS)

Then, set up your OpenVPN client on your laptop in road-warrior mode to access the OpenVPN server at home. You will be able to call home or anywhere you like within a secure VPN network you've created with OpenVPN. It is no longer required to use SSH for this purpose.

2

I'm really sorry for being the Devil's advocate here, but if they are blocking ports at your work, its likely because they don't want people breaching security.

Now if you get permission to open a tunnel from your boss, that's fine, but IF something happens, ANYTHING, and they figure out you have a tunnel, I can almost assure you, you'll become the scapegoat. So if I were you I'd not be opening tunnels at work if they are setting up firewalls against it.

Robert Gould
  • 68,773
  • 61
  • 187
  • 272
2

How about using 2 IP adresses on your machine?

Bind apache/https on one IP_1:443 and your sshd on the other IP_2:443?

Huibert Gill
  • 723
  • 5
  • 8
  • It would be nice to be multi-homed :D Unfortunately, there's only one uplink to my home machine, and the ISP doesn't hand out multiple IPs. – ephemient Oct 08 '08 at 12:57
2

Could you set up a middle man?

Run a small/free/cheap instance in the cloud listening on 443 for SSH, then though that cloud instance tunnel to your home box on your favorite port - 22 or whatever.

It'll add some latency I'm sure, but it solves the problem of leaving the original home setup intact.

Timothy Jones
  • 21,495
  • 6
  • 60
  • 90
11855589966
  • 21
  • 1
1

I think you'll have to find a port that you're not using currently that you can get out on, and listen on that. 443 is the obvious candidate, but you say that's not possible. What about mail (25, 110, 143), telnet (23), ftp (21), DNS (53), or even whois (43)?

Harley Holcombe
  • 175,848
  • 15
  • 70
  • 63
  • 5050 was the only port I found that wasn't blocked by my ISP (they don't like open mail relays (25) and they probably have reasons for the others) and wasn't blocked by the firewall at work (who needs anything other than HTTP?). – ephemient Oct 08 '08 at 04:57
  • How annoying would it be to server your HTTPS stuff on another port? Running the SSH server on port 443 is how I've done it in the past, but then I wasn't serving anything else (or rather, I was serving a lot more, but it was all tunneled). – Harley Holcombe Oct 08 '08 at 05:07
  • It would not be annoying to me personally, but I'm not the only one using my home server. I could probably coordinate such a transition, but that's more of a last resort option. – ephemient Oct 08 '08 at 05:10
  • Another even-more-last-resort option might be to compile your own apache. There's a patch on that bugzilla page that solves your problem. The bug has been open for 4 years, not sure when it will get attention. Looking closer, there's some mod_proxy.so binaries that might be worth a look too. – Harley Holcombe Oct 08 '08 at 05:19
  • The comments about the patch worry about possible memory leaks. Tackling Apache's bucket brigade design can be tough. – ephemient Oct 08 '08 at 14:14
1

Proxy tunnel may be your answer

http://proxytunnel.sourceforge.net/

lets say my ssh server is host.domain.tld and my works proxy server is 10.2.4.37

I would add this to my local ssh config

Host host.domain.tld ProxyCommand /usr/local/bin/proxytunnel -q -p 10.2.4.37:3128 -d %h:%p ProtocolKeepAlives 30

Zoredache
  • 37,543
  • 7
  • 45
  • 61
  • Our HTTP proxy is transparent, I've got no idea where on the network it is. Usually they only allow CONNECT to certain specific ports, too. – ephemient Oct 08 '08 at 12:54
  • Run a trace route to find your gateway, then go to what if my ip to see if they match. If they don't the next step is to check responses and look within our proxy settings for the address – Don-Pierre Halfaway Aug 14 '21 at 18:57
1

See:

SSH Through or Over Proxy

http://daniel.haxx.se/docs/sshproxy.html

http://www.agroman.net/corkscrew/

  • Nope, can't: company uses a transparent proxy, not an explicit one that you can send CONNECTs to, and besides, the question states that I need to be able to continue running HTTPS on port 443 instead of having it be taken over by sshd. – ephemient Mar 03 '09 at 16:14
1

Since apache has no problem whatsoever with CONNECT when no SSL is involved, I turn off SSL features and I use stunnel to serve an https version of my site. This does not require any recompilation, and allows your site to serve https normally. So far, the cleanest workaround I know.

See http://chm.duquesne.free.fr/blog/?p=281 for details.

user48678
  • 2,382
  • 3
  • 24
  • 30
0

I managed to bypass my company's firewall using the following design via AjaxTerm, it works for me.

PC on company network --> company's proxy via https --> INTERNET --> My home Apache reverse proxy server on SSL + .htpasswd protection --> AjaxTerm Server(From here on ward, I can SSH to any other servers ).

Still not the perfect world... would be good if I can can tunneling to my home network via HTTPS.

Vincent P
  • 761
  • 1
  • 5
  • 6
0

Must work over port 443, without disturbing other HTTPS traffic (i.e. I can't just put the ssh server on port 443, because I would no longer be able to serve pages over HTTPS)

Is it possible to bind your HTTPS server to a different port? Depending on what it's used for, you may even be able to get around the problem of not being able to directly access it from work by just SSHing home and then using lynx from there.

Cebjyre
  • 6,552
  • 3
  • 32
  • 57
  • Read the question harder. The problem is that I can't ssh home, and I can't disturb the HTTPS server that others are using. – ephemient Oct 09 '08 at 00:37
  • I read the question fine, but I don't know your situation. It may (or may not) be feasible for you to move HTTPS to a different port and give these other users the new details. HTTPS on 10443 would presumably not get through your work firewall, but since you could SSH on port 443, lynx is an option – Cebjyre Oct 14 '08 at 21:58
0

So, then, give proxifier a try (- it supports HTTP Proxy Server)!

http://www.proxifier.com/documentation/intro.htm