Tunneling SSH through Restrictive HTTS Proxy

In one of past articles I’ve described how to use HTTP CONNECT method to tunnel other protocols through a proxy.  It worked for me for various protocols ( mainly email access IMAP, SMTP),  but recently it stopped working for SSH protocol. After some investigation I’ve found  that proxy is checking  what protocol it is tunnelling through and expects it to be SSL/TLS.  If it is anything else, proxy closes connection with an error.  It still worked for mail protocols,  because they were already wrapped in SSL. But to be still able to use SSH through proxy some more sophisticated setup was needed –  tunnelling SSH through SSL protocol, which is then tunnelled via HTTPS proxy ( HTTP CONNECT method).  Below I describe a setup,  which works for me.

 Tools used

All tools could be installed from Ubuntu/Debian repositories via apt-get.

stunnel4 –   is a program that can wrap/unwrap any connection into/from SSL protocol
openssl – SSL utilities and SSL client
proxytunnel –  utility to tunnel connection through HTTPS proxy

 Sever Setup

On SSH server we have to install stunnel4 and openssl and configure it to accept SSL on some port and forward then unencrypted connection to local SSH server:

sudo apt-get install stunnel4
#generate key - we are not interested very much in security so can use rather minimal settings
openssl req -newkey rsa:1024 -sha1 -days 3650 -keyout stunnel.key -nodes -x509 -out stunnel.crt
cat stunnel.crt stunnel.key > stunnel.pem
sudo cp stunnel.pem /etc/stunnel/
#enable stunnel - set ENABLED=1
sudo nano /etc/default/stunnel4
#edit configuration - see below
sudo nano /etc/stunnel/stunnel.conf
#and start stunnel server
sudo service stunnel4 start

Here is configuration file stunnel.conf:

pid = /var/run/stunnel.pid
cert = /etc/stunnel/stunnel.pem
accept =
connect =

On Client Behind Proxy

We need to install proxytunnel here. Then following command will connect us to remote SSH server via HTTPS proxy:

ssh -o "ProxyCommand /usr/bin/proxytunnel -v -p proxy_host:port -d ssh_server_host:2222 -e" user@ssh_server_host

And we can add proxy configuration to ~/.ssh/config:

Host ssh_server_host
       ProxyCommand /usr/bin/proxytunnel -v -p proxy_host:port -d ssh_server_host:2222 -e

And then connect easily just with short ssh command:

ssh user@ssh_server_host

Possible Improvements

This article describes how to use haproxy to serve both HTTPS and SSH (tunneled in SSL) on same port, e.g. 443 – so service will look like normal secure web site.

Leave a Reply

Your email address will not be published. Required fields are marked *