Tunnel over HTTPS

梦毁少年i 2021-01-30 11:09

At my workplace, the traffic blocker/firewall has been getting progressively worse. I can't connect to my home machine on port 22, and lack of ssh access makes me sad. I was

13 answers
  • 2021-01-30 11:43

    Find out why the company has such a restrictive policy. It might be for a good reason.

    If you still find that you want to bypass the policy, you could write a small proxy that will listen on your server on port 443 and then, depending on the request, will forward the traffic either to your web server or to the SSH daemon. There are two catches though.

    1. To determine whether it's an HTTPS request or an SSH request, you need to try to read some data with a (small) timeout. This is because TLS/SSL handshakes start with the client sending some data, whereas the SSH handshake starts with the server sending some data. The timeout has to be big enough to allow for delays in delivering the initial data from the client in the TLS/SSL handshake, so it'll make establishing SSH connections slower.

    2. If the HTTP proxy in your company is smart, it'll actually eavesdrop on the expected TLS/SSL "handshake" when you CONNECT to port 443, and, when it detects that it's not a TLS/SSL handshake, it might terminate the SSH connection attempt. To address that, you could wrap the SSH daemon into a TLS/SSL tunnel (e.g., stunnel), but then you'll need to differentiate requests based on the TLS/SSL version in your client request to determine whether to route the TLS/SSL connection to the web server or to the TLS/SSL-tunneled SSH daemon.

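The check that the "smart" proxy in the answer above applies to a CONNECT on port 443, as an added example (not part of the original answer and not any proxy product's code): classify the first client bytes as a TLS ClientHello or an SSH identification string. The function names, verdict strings and sample bytes are constructed for illustration, and treating a silent client as a timeout is an assumption.

```python
import struct

# Constructed sample inputs (not captured traffic).
SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"
# TLS record header (handshake, record version 3.1, length 47) + start of a ClientHello.
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B, 0x03, 0x03])


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sends inside a CONNECT tunnel to port 443."""
    if not data:
        return "silent"          # nothing yet: client may be waiting for the server
    if data.startswith(b"SSH-"):
        return "ssh"             # SSH identification string (RFC 4253)
    if b"SSH-".startswith(data):
        return "need-more"       # partial "SSH-" prefix, keep reading
    if len(data) < 6:
        # Too short for a record header plus handshake type.
        return "need-more" if data[0] == 0x16 else "other"
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    is_hello = (ctype == 0x16 and major == 3 and minor <= 4
                and 0 < length <= 16384 and data[5] == 0x01)
    return "tls" if is_hello else "other"


def proxy_verdict(reads) -> str:
    """Feed successive client reads (b"" means the read timed out) and decide.

    Hypothetical policy: allow only a well-formed ClientHello, terminate the rest.
    """
    buf = b""
    for chunk in reads:
        if chunk == b"":
            break                # timeout before a full handshake start arrived
        buf += chunk
        kind = classify_first_bytes(buf)
        if kind == "tls":
            return "allow"
        if kind in ("ssh", "other"):
            return "terminate:" + kind
    return "terminate:timeout"


if __name__ == "__main__":
    for name, reads in [("tls", [TLS_HELLO[:3], TLS_HELLO[3:]]),
                        ("ssh", [SSH_BANNER]), ("idle", [b""])]:
        print(name, "->", proxy_verdict(reads))
```

A tunnel that is itself wrapped in TLS, as the answer notes for stunnel, starts with a valid ClientHello and passes this check, so first-byte inspection is only a first filter.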
  • 2021-01-30 11:43

    Could you set up a middle man?

    Run a small/free/cheap instance in the cloud listening on 443 for SSH, then through that cloud instance tunnel to your home box on your favorite port - 22 or whatever.

    It'll add some latency I'm sure, but it solves the problem of leaving the original home setup intact.

  • 2021-01-30 11:50

    See:

    SSH Through or Over Proxy

    http://daniel.haxx.se/docs/sshproxy.html

    http://www.agroman.net/corkscrew/

  • 2021-01-30 11:50

    So, then, give proxifier a try (- it supports HTTP Proxy Server)!

    http://www.proxifier.com/documentation/intro.htm

  • 2021-01-30 11:51

    Since Apache has no problem whatsoever with CONNECT when no SSL is involved, I turn off SSL features and I use stunnel to serve an https version of my site. This does not require any recompilation, and allows your site to serve https normally. So far, the cleanest workaround I know.

    See http://chm.duquesne.free.fr/blog/?p=281 for details.

  • 2021-01-30 11:56

    You should be able to use iptables to forward ssh traffic from your work machines to ssh while all other machines attaching to your home server on port 443 get the Apache server.

    Try a rule like this:

    iptables -t nat -A PREROUTING -p tcp -s 111.111.111.111 --dport 443 -j REDIRECT --to-ports 22

    Where 111.111.111.111 is your office computer's ip address.

    That all assumes you're running Linux >= 2.4, which you should be by now. It's been out for almost a decade.

    Documentation for iptables is at http://www.netfilter.org.
