[Solved] ssh over https tunnel

Added by archimede over 3 years ago

I have a Linux box which runs a lighttpd and a sshd server. I would like to configure lighttpd to forward ssh connections disguised in an http tunnel to sshd.

I found instructions on how to do this with Apache: http://dag.wiee.rs/howto/ssh-http-tunneling/

Is there a way to do the same thing with lighttpd? I found http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModWStunnel in the documentation,
but I am not sure how to proceed and if it is the same thing.

The part I find most confusing is the following:

In the Apache example, it uses the line
<ProxyMatch machine1.yourdomain.com>
which assigns a subdomain to the forwarding.

In the lighttpd example it uses the line
$HTTP["url"] =~ "^/websocksify"
which seems to assign a web page to the forwarding. But then, I am not sure how to pass this info in the proxytunnel command line.

Thanks


Replies (8)

RE: ssh over https tunnel - Added by gstrauss over 3 years ago

> Is there a way to do the same thing with lighttpd?

Not currently. lighttpd does not currently support HTTP CONNECT method.

As to ModWStunnel, the "WS" is short for "websockets", not "ssh".

http://dag.wiee.rs/howto/ssh-http-tunneling/ is old and contains some outdated information.
More recent notes on how to do this with Apache can be found at https://nurdletech.com/linux-notes/ssh/via-http.html

RE: [Solved] ssh over https tunnel - Added by gstrauss over 3 years ago

I added a small change to lighttpd git master for basic CONNECT support to a pre-configured target, e.g.

server.modules += ( "mod_proxy" )
proxy.server = ( "127.0.0.1:22" => ( ( "host" => "127.0.0.1", "port" => "22" ) ) )
proxy.header = ( "connect" => "enable" )

RE: [Solved] ssh over https tunnel - Added by archimede over 3 years ago

Thanks for the clarifications. Could you please elaborate on the usage of the change just added to git master?

For the interest of future readers of this thread, it is worth mentioning that I found another suggestion on how this can be done via multiplexing, using a pipe of stunnel and sslh on the server:
http://www.rutschle.net/tech/sslh/README.html

RE: [Solved] ssh over https tunnel - Added by gstrauss over 3 years ago

> Could you please elaborate on the usage of the change just added to git master?

(git commit 3770df23)

Please read up about the HTTP method "CONNECT" in your favorite search engine, then read Docs_ModProxy, and then ask a more specific question.

RE: [Solved] ssh over https tunnel - Added by trulyliu@gmail.com over 3 years ago

gstrauss wrote:

> I added a small change to lighttpd git master for basic CONNECT support to a pre-configured target, e.g.
> [...]

I built the latest master code (bd32f67046c3d8ccfd5d99d800a0c1538bfefd94)
and used the same configuration:

server.modules += ( "mod_proxy" )
proxy.server = ( "127.0.0.1:22" => ( ( "host" => "127.0.0.1", "port" => "22" ) ) )
proxy.header = ( "connect" => "enable" )


server.modules = (
    "mod_proxy",
    "mod_rewrite",
    "mod_redirect",
    "mod_alias",
    "mod_access",
    "mod_webdav",
    "mod_auth",
    "mod_authn_file",
    "mod_status",
    "mod_simple_vhost",
    "mod_compress",
    "mod_usertrack",
    "mod_expire",
    "mod_rrdtool",
#    "mod_accesslog",
    "mod_openssl"
)

Got the following errors:

 2018-02-22 16:56:13: (request.c.445) fd: 14 request-len: 105 \nCONNECT 127.0.0.1:22 HTTP/1.1\r\nConnecttion: Keep-Alive\r\nHost: 127.0.0.1\r\nProxy-Connection: Keep-Alive\r\n\r\n 
2018-02-22 16:56:13: (request.c.645) request-URI parse error -> 400 for: 127.0.0.1:22 
2018-02-22 16:56:13: (response.c.122) Response-Header: \nHTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\nContent-Length: 349\r\nConnection: close\r\nDate: Thu, 22 Feb 2018 08:56:13 GMT\r\nServer: lighttpd\r\n\r\

RE: [Solved] ssh over https tunnel - Added by gstrauss over 3 years ago

Try this with lighttpd git master:

--- a/src/request.c
+++ b/src/request.c
@@ -636,6 +636,7 @@ int http_request_parse(server *srv, connection *con) {

                                        buffer_copy_string_len(con->request.uri, nuri, proto - nuri - 1);
                                } else if (!http_header_strict
+                                          || HTTP_METHOD_CONNECT == con->request.http_method
                                           || (HTTP_METHOD_OPTIONS == con->request.http_method && uri[0] == '*' && uri[1] == '\0')) {
                                        /* everything looks good so far */
                                        buffer_copy_string_len(con->request.uri, uri, proto - uri - 1);
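
Review bot: the added HTTP_METHOD_CONNECT clause accepts any request-target for CONNECT, while the OPTIONS clause next to it still checks the URI content (uri[0] == '*' && uri[1] == '\0'). Because the branch then copies the target into con->request.uri as-is, consider checking here that a CONNECT target is authority-form (host:port, no scheme or path) and rejecting anything else with 400, and add a short comment stating that CONNECT deliberately skips the strict request-URI parse.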

RE: [Solved] ssh over https tunnel - Added by trulyliu@gmail.com over 3 years ago

gstrauss wrote:

> Try this with lighttpd git master:
> [...]

It works with this patch.
Thanks.

Could you provide more configuration examples?

RE: [Solved] ssh over https tunnel - Added by gstrauss over 3 years ago

> Could you provide more configuration examples?

Really? Change 22 to 999 to allow CONNECT to 127.0.0.1:999

server.modules += ( "mod_proxy" )
proxy.server = ( "127.0.0.1:22" => ( ( "host" => "127.0.0.1", "port" => "22" ) ) )
proxy.server+= ( "127.0.0.1:999"=> ( ( "host" => "127.0.0.1", "port" => "999") ) )
proxy.header = ( "connect" => "enable" )
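
Added example, not part of the thread and not lighttpd's own code: a C sketch of the check that keeps CONNECT limited to pre-configured targets, so the server cannot be used as an open proxy. The function names, the exact-string match against the proxy.server keys and the sample request-targets are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed allowlist mirroring the proxy.server keys in the config above. */
static const char *const allowed_targets[] = { "127.0.0.1:22", "127.0.0.1:999" };

/* Return 1 if s is strict authority-form "host:port": host made of
 * [A-Za-z0-9.-], one ':', decimal port 1..65535. IPv6 literals are refused. */
int is_authority_form(const char *s) {
    const char *colon = strrchr(s, ':');
    if (colon == NULL || colon == s) return 0;
    for (const char *p = s; p < colon; ++p) {
        char c = *p;
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '-')) return 0;
    }
    const char *port = colon + 1;
    size_t n = strlen(port);
    if (n == 0 || n > 5) return 0;
    for (size_t i = 0; i < n; ++i)
        if (port[i] < '0' || port[i] > '9') return 0;
    long v = strtol(port, NULL, 10);
    return v >= 1 && v <= 65535;
}

/* Return 1 only if the CONNECT request-target is well formed AND equals
 * one pre-configured target exactly; every other target is refused. */
int connect_target_allowed(const char *target) {
    if (!is_authority_form(target)) return 0;
    size_t n = sizeof(allowed_targets) / sizeof(allowed_targets[0]);
    for (size_t i = 0; i < n; ++i)
        if (strcmp(target, allowed_targets[i]) == 0) return 1;
    return 0;
}

int main(void) {
    /* Constructed request-targets, as they would appear after "CONNECT ". */
    const char *samples[] = { "127.0.0.1:22", "127.0.0.1:999", "127.0.0.1:23",
                              "example.com:22", "http://127.0.0.1:22" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); ++i)
        printf("%-22s %s\n", samples[i],
               connect_target_allowed(samples[i]) ? "allow" : "refuse");
    return 0;
}
```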