vincentkong.com

A couple of days ago my office implemented a new firewall which block almost all incoming and outgoing traffic, including SSH which prevented me from accessing my Linux server. The only thing that was accessible was the internet through a HTTP proxy which implemented filtering capabilties and required credentials. Fortunately, with this I’m able to create a tunnel and encapulate a SSH connection into HTTP.

To create a HTTP tunnel I chose to use the GNU HTTP Tunnel software which does the work to encapsulate TCP into HTTP requests. For the Windows platform a binary version is also available

Setting up the tunnel

On the home computer (server):

Install the GNU HTTP Tunnel with the following command:

$ apt-get install httptunnel

Start the HTTP Tunnel server:

$ hts --forward-port localhost:22 8080

Here the HTTP Tunnel server receives HTTP requests through port 8080, decapsulates and re-assembles the ssh stream and forwards it to port 22, the SSH server.

On the office computer (client):

Start the HTTP Tunnel client:

$ htc --forward-port 900 --proxy OfficeProxy:8080 HomeComputer:8080

Here the HTTP Tunnel client listens on port 900 for a ssh stream, as well it establishes a TCP connection which can pass data back and forth to the home computer through the HTTP proxy.

If the proxy requires authentication, add --proxy-authorization username:password to the htc command line.

Finally to establish a SSH connection run the following:

$ ssh username@localhost:900

For information: Punching holes into firewalls

The mod_proxy module implements a proxy/gateway for Apache. It implements proxying capability for several different protocols and are divided into additional modules: mod_proxy_http, mod_proxy_ftp, mod_proxy_ajp, mod_proxy_balancer, and mod_proxy_connect.

Apache can be configured in both a forward and reverse proxy mode. Only reverse proxy will be discussed in this section.

A reverse proxy is a gateway for servers, and enables one web server to provide content from another transparently.

Note: A reverse proxy is activated using the ProxyPass directive. It is not necessary to turn ProxyRequests on in order to configure a reverse proxy.

Setting Up Reverse Proxy

Enable the mod_proxy module

$ a2enmod proxy

Enable the mod_proxy_http module if you are going to proxy to a http protocol

$ a2enmod proxy_http

Add the following to the /etc/apache2/httpd.conf or a virtual host site in /etc/apache2/sites-available:

ProxyRequests Off
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>

ProxyPreserveHost on
ProxyPass /foo http://foo.example.com/bar
ProxyPassReverse /foo http://foo.example.com/bar

For more information on mod_proxy refer to the Apache documentation at http://httpd.apache.org/docs/2.2/mod/mod_proxy.html