Here’s a hack showing how to tunnel ssh through an http-proxy server without any server-side modifications.
Why would I want this? Perhaps:
- Can’t use SSH on the standard port 22?
- Need to tunnel through a proxy server?
- Work behind a draconian firewall and can’t SSH directly?
Regardless, No problem.
Note to the reader: This post is a verbatim copy of a static page I wrote back in 2004 or so, which, largely because it’s been so referenced by Google and routinely accessed even now, I’m keeping the content around. But much of what I wrote is dated at least, and some might be just wrong now. In particular, use of
corkscrewmight be better replaced by
desproxyor similar TCP tunnels.
Build and Configure an HTTP-Proxy Application
Available from this updated corkscrew github repo.
I’ve tried other http-tunnel programs, but this is truly the easiest one I’ve found and it doesn’t require server-side applications (such as are required by
httptunnel, which is a good program otherwise). Furthermore,
corkscrewworks on every UNIX platform I’ve tried and even compiles and runs flawlessly under Cygwin on Windows.
Unpack and Compile
tar -xzvf corkscrew.tar.gz cd corkscrew ./configure make install
Presuming no errors,
corkscrewis now installed in
/usr/local/binon your machine. If you want to put it somewhere else, use the
--prefix= _path_flag to the
ProxyCommandto your SSH config file:
You may or may not have a configuration file for SSH already. It should be located in
$HOME/.ssh/configand is a simple text file. Create one if it does not exist and add lines such as these to it:
Host * ProxyCommand corkscrew _http-proxy.example.com_ 8080 %h %p
_http-proxy.example.com_with the name or address of your http proxy and possibly replacing
8080with the port on which the proxy listens, which may be 80 or even some other port. The
%pwill be replaced automatically by SSH with the actual destination host and port.
These two lines tell the SSH client to start another program (
corkscrew) to make the actual connection to the SSH server. The
Host *line says that this will be done for ALL hosts. If you wish to restrict the hosts for which this will be done, you can put a limited form of regular expression there. See the
ssh_config(5)man page for more information. If you don’t have
corkscrewin your path or have put it in a non-standard location, you may specify an absolute path to
corkscrewin that file as well.
Try it out…
_example.net_with the name of a host to which you can connect using SSH. Presumably this host will be outside your local network and therefore require the use of the proxy server. If it is not outside your local network, then the connection may fail as the proxy-server or some firewall may be configured to not redirect proxy connections back into your local network.
Either of the following two errors probably indicate an error in your
~/.ssh/configfile, most likely the name or port of the proxy server.
ssh_exchange_identification: Connection closed by remote host _[ OR ]_ ssh: connection to host example.net port 22: Connection timed out
Congratulations - you are using an http-proxy server with SSH. Anything you can do with SSH you should now be able to do through the proxy server, including tunneling of other ports or even ppp.
Authenticated proxy connections
Some proxy servers require authentication. In this case, you can add
authentication credentials to the
Host * ProxyCommand corkscrew _http-proxy.example.com_ 8080 %h %p ~/.ssh/proxyauth
~/.ssh/proxyauth file, put your proxy login and password like this:
Corkscrew should now happily use that authentication information and tunnel
your connection through the proxy.