
I have a web daemon (listening on ports 80 and 443) and an SSH daemon (listening on port 22) on the same machine.

I have a client (generating HTTP, HTTPS and SSH traffic) sitting behind a proxy server (port 8080) and a firewall (only ports 80 and 443 open).

I decided to use an HTTP tunnel for the SSH traffic through the proxy server and out. The problem is that the destination of that traffic is port 22 which is closed by the firewall.

I could use an HTTP tunnel with destination port 80 or 443 which is fine for the firewall but not for the destination server.

Is there any solution other than having 2 servers: 1 with the web server listening on ports 80 and 443 and one with the SSH server listening on port 80 or 443?

Any advice would be greatly appreciated.

Laurent

Laurent Luce

3 Answers


I think a bit of a diagram may be in order here. You say that you've already set up an SSH over HTTP tunnel through the proxy server. Assuming you're running something on the remote server computer to handle terminating that SSH over HTTP tunnel, you should be in business.

It sounds like you don't really have an SSH over HTTP proxy, if you're still trying to source connections out to the remote server, destination port 22.

Dag Wieers (of RPM repository fame) has written a HOWTO for tunneling SSH over HTTP(S). If your remote server is running Apache you should be able to pull off that configuration on your remote server.

I'm talking about doing this:

[Diagram] (source: wellbury.com)

Evan Anderson
  • Even if I use SSH over HTTP, the final destination is still port 22, which is blocked by the firewall. I cannot have sshd listening on port 80 or 443, which is already used by the web server. I would prefer not to have all the SSH traffic going to the web server first; talk about bad performance. – Laurent Luce Sep 24 '09 at 02:21
  • PS: I am using lighttpd for the web server. – Laurent Luce Sep 24 '09 at 02:22
  • My edit that I'm dropping on in a moment will include a diagram. Clearly, we're not speaking about the same topology. – Evan Anderson Sep 24 '09 at 06:06
  • Thanks for the diagram. What about if there is already a web server listening on port 443 and it cannot be used to receive SSH traffic? – Laurent Luce Sep 24 '09 at 06:57
  • The link I included in my post, from Dag Wieers, describes configuring Apache to proxy traffic to SSH. You indicated you're using lighttpd. I have no experience with lighttpd, unfortunately. Looking at the wiki for the project, it would appear that there is a patch (see http://redmine.lighttpd.net/issues/2060) that will add the necessary CONNECT behaviour to lighttpd to support proxying traffic to a sshd. You could, in theory, substitute your lighttpd install in where Dag uses Apache in his HOWTO. – Evan Anderson Sep 24 '09 at 07:15
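The building block behind the SSH-over-HTTP setup in this answer and its comments is the HTTP CONNECT method: the client asks a proxy for a raw TCP tunnel, and the proxy answers with a status line before any SSH bytes flow. The script below is an added illustration, not code from the thread or from Dag Wieers' HOWTO. It builds the CONNECT request, checks the proxy's reply, and prints the two-hop chain that fits the topology in the question: the corporate proxy is only allowed to reach the server on 80/443, so the server's own CONNECT-capable web server relays the second hop to localhost:22. The hostnames and ports (proxy.corp.example, ssh.example.org) are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Hostnames and ports are placeholders.

# Build the request a client sends to an HTTP proxy to ask for a raw TCP tunnel
# to HOST:PORT (RFC 7231, section 4.3.6). Line endings must be CRLF.
connect_request() {
    printf 'CONNECT %s:%s HTTP/1.1\r\nHost: %s:%s\r\n\r\n' "$1" "$2" "$1" "$2"
}

# Read the proxy's reply from stdin; succeed only on a 2xx status line.
# Anything else (403 from a proxy ACL, 405 when CONNECT is disabled, 407 when
# proxy credentials are wanted) means no tunnel was opened, and the SSH client
# must not start sending its banner into a plain HTTP conversation.
connect_ok() {
    status=$(head -n 1 | tr -d '\r' | awk '{print $2}')
    case "$status" in
        2[0-9][0-9]) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print the two CONNECT requests of the chain. Hop 1 goes to the corporate
# proxy and asks for the server's web port, which the client-side firewall
# allows. Hop 2 travels inside that tunnel to the server's web server, which is
# configured as a CONNECT proxy restricted to port 22 (Apache: "AllowCONNECT 22",
# since the directive's default only permits 443 and 563) and relays to sshd.
show_chain() {
    echo '# hop 1 -> sent to proxy.corp.example:8080'
    connect_request ssh.example.org 80
    echo '# hop 2 -> sent to ssh.example.org:80 through the hop-1 tunnel'
    connect_request localhost 22
}

show_chain
```

In practice both hops are issued by a tunnel helper run as ssh's ProxyCommand; proxytunnel, for example, takes the local proxy, the remote proxy and the final destination as its -p, -r and -d options (from proxytunnel's own documentation, not from this thread). The server-side check worth making is that the web server's proxy ACL permits CONNECT only to localhost:22: with ProxyRequests enabled and no such restriction, the web server becomes an open relay to any host and port it can reach.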

You'll need a second IP address to have an SSH daemon listening on port 80 or 443. The right answer, though, is to get the firewall fixed at the client end to allow appropriate traffic out. Tunneling everything over HTTP(S) is stupid; it turns the Internet into a two-port town.

womble

Try to use multiplexing with sslh: https://github.com/yrutschle/sslh/blob/master/README.md
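What sslh does is look at the first bytes a client sends on the shared port and hand the connection to sshd, the web server or another backend based on that, which is why the web server does not need to give up port 443. The script below is an added illustration of that demultiplexing logic, not code from sslh or from this answer: the connection openings it classifies are constructed samples, and the configuration it prints follows the layout of sslh's example.cfg as I know it, so check it against the version you install.

```shell
#!/bin/sh
# Added example, not sslh's own code. Sample inputs are constructed.

# Dump the first 8 bytes of a file as lowercase hex separated by single spaces.
# This stands in for the MSG_PEEK read a multiplexer does on the new socket.
peek_hex() {
    head -c 8 "$1" | od -An -tx1 | tr -s ' \n' ' ' | sed 's/^ //; s/ $//'
}

# Decide which backend a connection belongs to from its opening bytes:
#   "SSH-"          SSH clients send their identification string at once (RFC 4253)
#   16 03 0x        a TLS handshake record carrying the ClientHello
#   method + space  plain HTTP
#   nothing         the client is waiting for the server to speak first; sslh's
#                   default for that timeout case is to assume SSH
classify_peek() {
    hex=$(peek_hex "$1")
    case "$hex" in
        "")              echo "ssh-by-timeout" ;;
        "53 53 48 2d"*)  echo "ssh" ;;
        "16 03 0"[0-4]*) echo "tls" ;;
        *)
            case "$(head -c 8 "$1")" in
                GET\ *|POST\ *|HEAD\ *|PUT\ *|DELETE\ *|OPTIONS\ *) echo "http" ;;
                *) echo "unknown" ;;
            esac ;;
    esac
}

# Print an sslh configuration for the same routing: sslh owns the public :443,
# and the real web server is rebound to 127.0.0.1:443 so the two do not collide.
# Layout follows sslh's example.cfg (assumption); adjust for your version.
sslh_config() {
    cat <<'EOF'
timeout: 2;
listen: ( { host: "0.0.0.0"; port: "443"; } );
protocols: (
  { name: "ssh";  host: "127.0.0.1"; port: "22"; },
  { name: "tls";  host: "127.0.0.1"; port: "443"; },
  { name: "http"; host: "127.0.0.1"; port: "80"; }
);
EOF
}

# Demo on constructed openings, written to a temp dir so the peek works on files.
demo() {
    d=$(mktemp -d)
    printf 'SSH-2.0-OpenSSH_9.6\r\n'            > "$d/ssh"
    printf '\026\003\001\000\305\001\000\000'    > "$d/tls"
    printf 'GET / HTTP/1.1\r\nHost: example\r\n' > "$d/http"
    : > "$d/silent"
    for f in ssh tls http silent; do
        printf '%-7s -> %s\n' "$f" "$(classify_peek "$d/$f")"
    done
    rm -r "$d"
}

demo
```

Started as `sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --tls 127.0.0.1:443`, or with -F pointing at a file holding the configuration above (option names as I recall them from sslh's README; confirm with `sslh --help`), this gives the asker one server with both services reachable on 443. Two operational caveats follow from the design: the backends now see every connection coming from 127.0.0.1, so web server logs, rate limits and fail2ban lose the real client address unless sslh's transparent mode is used (which needs extra routing rules on the host); and because the decision rests on the client's first bytes, the timeout rule decides where a silent client lands, so that fallback should point at the service you are happiest exposing to unidentified connections.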