@vondraussen
Last active October 28, 2024 09:08
SSH through HTTPS tunnel via OpenSSL and Traefik

How to set up SSH through an HTTPS tunnel

... via OpenSSL and Traefik

An HTTPS tunnel for SSH (Secure Shell) is a way to reach a remote server when the direct connection is limited or restricted by a firewall or other network security measures. The SSH session is carried inside an ordinary TLS connection, the same protocol that secures web traffic, so the data in transit stays encrypted and protected from eavesdropping, tampering and other attacks. This makes it suitable for situations where the transmitted data is sensitive or confidential and must remain protected while in transit.

Many companies also block the default SSH port (port 22) as a security measure against unauthorized access to their servers. In such cases an HTTPS tunnel for SSH still provides a way to reach the remote server: because the SSH traffic is encapsulated in an HTTPS connection on port 443, it passes the firewall like any other web traffic and access to the remote server is granted. This makes the HTTPS tunnel for SSH useful for anyone who needs to reach remote servers securely even when outbound access is restricted.

Prerequisites

  • a server reachable via the public internet (this will be the SSH target in this howto)
  • a client with OpenSSL and an SSH client installed

Server

In this example the server is reachable via your.example.com, and I'm using Docker in conjunction with Traefik on that server. The server already hosts some websites, so Docker and Traefik were already in place. OpenSSH is listening on port 22. Traefik terminates the TLS (HTTPS) layer and forwards the raw TCP stream to the SSH port 22 on the host.

docker-compose.yml

```yaml
version: '2'

services:
  traefik:
    image: traefik:v2.3
    container_name: traefik
    restart: always
    ports:
      - 80:80
      - 443:443
    networks:
      - web
    extra_hosts:
      # lets the container reach sshd on the Docker host as host.docker.internal
      - "host.docker.internal:host-gateway"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${PWD}/acme.json:/acme.json
      - ${PWD}/config:/config
    command:
      - "--providers.file.directory=/config"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.webs.address=:443"
      - "--certificatesresolvers.le.acme.httpchallenge=true"
      - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
      # placeholder address: put the e-mail Let's Encrypt should use here
      - "--certificatesresolvers.le.acme.email=you@example.com"
      - "--certificatesresolvers.le.acme.storage=/acme.json"

networks:
  web:
    external: true
```

config/traefik.yml

```yaml
---
tcp:
  routers:
    opensshRouter:
      entryPoints:
        - webs
      service: opensshService
      tls:
        certResolver: le
      rule: HostSNI(`your.example.com`)
  services:
    opensshService:
      loadBalancer:
        servers:
          - address: host.docker.internal:22
```

Client

In this example the client is a PC in a corporate network with a firewall that restricts outgoing traffic to port 22. It also does packet inspection, and the proxy connect method didn't work for me. A proxy server is running on the client at 127.0.0.1:3128, which connects to the corporate HTTP proxy.

create or edit ~/.ssh/config

```
Host example
  User yourUsername
  # IdentityFile ~/.ssh/id_ed25519
  # Traefik routes on HostSNI, so the TLS handshake must carry your.example.com as SNI;
  # recent OpenSSL derives it from -connect, otherwise add -servername your.example.com
  ProxyCommand openssl s_client -proxy 127.0.0.1:3128 -connect your.example.com:443 -quiet
```
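As an added example (not part of the gist), the following Python script does step by step what the openssl s_client ProxyCommand above does: an HTTP CONNECT through the local proxy at 127.0.0.1:3128, then a TLS handshake with SNI set to your.example.com so Traefik's HostSNI router matches, then relaying stdin/stdout for ssh. Unlike s_client's default it verifies the server certificate; PROXY and TARGET are the values from this gist, everything else is assumed.

```python
import socket
import ssl
import sys
import threading

PROXY = ("127.0.0.1", 3128)          # local proxy from the gist
TARGET = ("your.example.com", 443)   # Traefik "webs" entrypoint from the gist

def build_connect_request(host: str, port: int) -> bytes:
    """HTTP CONNECT request, as sent by `openssl s_client -proxy`."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()

def parse_connect_response(data: bytes) -> tuple:
    """Return (status_code, bytes that followed the proxy's header block)."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ", 2)
    if not sep or len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("malformed or incomplete proxy response")
    return int(parts[1]), rest

def open_tunnel(proxy=PROXY, target=TARGET) -> ssl.SSLSocket:
    """CONNECT through the proxy, then start TLS with SNI = target host."""
    raw = socket.create_connection(proxy)
    raw.sendall(build_connect_request(*target))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = raw.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
    status, _ = parse_connect_response(buf)
    if status != 200:
        raise ConnectionError(f"proxy refused CONNECT with status {status}")
    # Unlike s_client's default, verify chain and hostname; the SNI must match the HostSNI rule.
    return ssl.create_default_context().wrap_socket(raw, server_hostname=target[0])

def relay(tls: ssl.SSLSocket) -> None:
    """Copy stdin -> TLS and TLS -> stdout, which is all ssh expects from a ProxyCommand."""
    def upstream():
        while chunk := sys.stdin.buffer.read1(65536):
            tls.sendall(chunk)
    threading.Thread(target=upstream, daemon=True).start()
    while chunk := tls.recv(65536):
        sys.stdout.buffer.write(chunk)
        sys.stdout.buffer.flush()

if __name__ == "__main__":
    relay(open_tunnel())
```

To use it in place of the openssl command, point the ssh config at it, e.g. ProxyCommand python3 ssh_tls_proxy.py (file name assumed).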

Usage

You can use ssh and scp as usual. The SSH host key check still applies inside the tunnel: openssl s_client does not abort the connection when certificate verification fails, but a man-in-the-middle at the TLS layer would still show up in ssh as an unknown or changed host key.

```sh
ssh example
```