4

I've restricted some parts of the sites to localhost-only access for security reasons. In order to access them I would make an ssh tunnel like this: `ssh -L 8080:localhost:80 username@server.com` and set the local browser on my PC to proxy `127.0.0.1:8080`.

Well, I guess I'm missing something, because nothing loads in the local browser, and in the terminal on the server side it says `channel 3: open failed: connect failed: Connection refused` every time I try to load something on the local PC.

The firewall was off at the time of trying this.

user240891
  • My feeling is that ought to work; I've just tested it and it does, for me. That makes me wonder if your server is really set up as you think; can we see the output of `telnet localhost 80` on the server? – MadHatter Jan 06 '15 at 12:56
  • Hang on, did you say you set your local browser to **proxy** `127.0.0.1:8080`? If so, that'll never work, try unsetting the proxy and pointing the browser at the **page** `http://localhost:8080`. – MadHatter Jan 06 '15 at 12:57
  • Yes but localhost:8080 will load just the server IP and I want to load specific site (one of many) on that server as if I'm on the server. – user240891 Jan 07 '15 at 10:18
  • Mess with your local `/etc/hosts` file (or OS equivalent) to map the hostnames in question to `127.0.0.1`. – MadHatter Jan 07 '15 at 11:40
  • I guess you've misunderstood my goal, since this will just make it so that when I enter the site domain on the local PC it loads the server's IP. – user240891 Jan 07 '15 at 18:05
  • I'm sorry, I can't parse that objection. I thought you wanted the client to browse to name-virtual-host-based sites hosted on server (but accessible only from server:localhost) via the ssh tunnel? – MadHatter Jan 07 '15 at 19:33
  • Yes, exactly. Then I guess I haven't understood you. Did you mean me to edit the /etc/hosts on the server side? – user240891 Jan 08 '15 at 09:22
  • This discussion's got to the point where I feel it's too long for comments, so I've summarised in an answer. I hope that explains things; if it doesn't, **please continue this in comments on the answer**. – MadHatter Jan 08 '15 at 10:35

2 Answers

0

ssh does not create a proxy setup if you do port forwarding.

So either direct the browser directly to http://localhost:8080 or create a hosts entry for "server.com" pointing to localhost.

If you change the browser setting to use a proxy on port 8080, then the ssh port forward has to forward a proxy port, not a webserver port. Installing squid on server.com will give you a proxy there. Or set up the proxy inside apache. Proxies of course bring a whole lot more security issues, so it is best not to set one up if you don't absolutely need to.

Gunstick
  • Yes but http://localhost:8080 will load just the server IP and I want to load specific site (one of many) on that server as if I'm on the server. – user240891 Jan 06 '15 at 20:13
  • Your sentence does not make sense. I guess you use the wrong terms to describe what you do or what happens. "localhost:8080 loads the server IP" does not make sense. Reformulate differently. – Gunstick Feb 24 '15 at 08:56
0

As has been discussed, `ssh -L 8080:localhost:80 username@server.com` doesn't start a magic proxy server on the client side, it simply forwards client port 8080 to server port 80. You need to get the client web browser to connect to client port 8080, which as others and myself have said involves pointing your client web browser at `http://localhost:8080/`.

Your new problem is that the server is running a number of name-based virtual hosts, and you don't get the right host served to you when you don't request it from the server in the URL, which is reasonable enough.

The simplest workround is to tell your client to access the site by name, but to get the OS to lie to the browser about what IP address that host resolves to. Let us suppose that you want to access hosts vsite1.example.com and vsite2.example.org, which are both being served on port 80 on server, via the SSH tunnel we have already set up.

Edit your client-side /etc/hosts file to tell your OS that those hostnames resolve to 127.0.0.1, with entries such as

    127.0.0.1     localhost localhost.localdomain vsite1.example.com vsite2.example.org

I believe there are corresponding hacks for Windows, but I don't know what they are, as I never use it.

Now you can point the client browser at http://vsite1.example.com:8080/, the client OS will tell the browser that's on localhost, the URL will point the browser to localhost port 8080, ssh will conduct the packets sub rosa to server port 80, and client browser will ask server's web server for the right vhost.

MadHatter
  • Thank you for the great explanation! It's great and makes sense! I had no idea that the browser would correctly forward the site domain and request it from the server. Thought it would be just the same as typing localhost:8080 in the browser. However, it now gets to the cloudflare protection page which says the site in question is down, but that is probably something related to cloudflare since the server is not accessing it locally but from itself but seems that it goes through cloudflare. Anyway, I'll experiment some more. Thank you so much! – user240891 Jan 08 '15 at 14:43
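
The Host-header behaviour the accepted answer relies on, as an added example that is not part of the original answers: a small local Python server stands in for the web server reached through the tunnel, and the same TCP endpoint returns a different site depending only on the hostname the client puts in the request. The vhost table, response bodies and function names are constructed for illustration; a random free port plays the role of local port 8080.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed vhost table standing in for the web server on server port 80.
VHOSTS = {"vsite1.example.com": b"site one", "vsite2.example.org": b"site two"}
DEFAULT_BODY = b"default vhost"


class VhostHandler(BaseHTTPRequestHandler):
    """Picks the site from the Host header, as name-based virtual hosting does."""

    def do_GET(self):
        # The browser sends "Host: name:port"; the port is dropped before lookup.
        name = (self.headers.get("Host") or "").rsplit(":", 1)[0].lower()
        body = VHOSTS.get(name, DEFAULT_BODY)
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def fetch(port, url_host):
    """Connect to 127.0.0.1:port (the tunnel's local end) as if the URL named url_host."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": f"{url_host}:{port}"})
        return conn.getresponse().read()
    finally:
        conn.close()


def demo():
    """Request the same local port under three hostnames and return each body."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), VhostHandler)  # port 0 = any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        return {h: fetch(port, h) for h in ("localhost", "vsite1.example.com", "vsite2.example.org")}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for host, body in demo().items():
        print(f"{host:20} -> {body.decode()}")
```

All three requests go to the same address and port; only the `Host` value differs, which is why browsing to `http://localhost:8080/` gets the default site while a hosts-file entry for the vhost name gets the intended one.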