How to use ssh over http or https?I am failing to clone a git repo when behind a proxyHave SSH on port 80 or 443 while webserver (nginx) is running on these portsWhy can't I use ssh?How to setup password-less ssh with RSA keysSquid configuration for web applicationUnable to force passphraseless ssh authentication while port forwardingUnable to SSH into Puppy Linux, even though SSHD is runningReverse AutoSSH working, but the proxied LISTEN ports fail randomlySSH server also runs OpenVPN client - Inbound SSH times outTemporary DNS resolve to local ip (for temporary http redirect)Help with connecting to SSH server over internetHow to cleanup SSH reverse tunnel socket after connection closed?SSH through HTTP proxy with corkscrew
New order #4: World
Why can't I see bouncing of a switch on an oscilloscope?
Accidentally leaked the solution to an assignment, what to do now? (I'm the prof)
Why CLRS example on residual networks does not follows its formula?
Can you lasso down a wizard who is using the Levitate spell?
Why has Russell's definition of numbers using equivalence classes been finally abandoned? ( If it has actually been abandoned).
A Journey Through Space and Time
The use of multiple foreign keys on same column in SQL Server
Example of a relative pronoun
Why Is Death Allowed In the Matrix?
Banach space and Hilbert space topology
Is it possible to make sharp wind that can cut stuff from afar?
My colleague's body is amazing
How to report a triplet of septets in NMR tabulation?
Extreme, but not acceptable situation and I can't start the work tomorrow morning
A newer friend of my brother's gave him a load of baseball cards that are supposedly extremely valuable. Is this a scam?
Calculus Optimization - Point on graph closest to given point
How do I create uniquely male characters?
Is there really no realistic way for a skeleton monster to move around without magic?
I see my dog run
Motorized valve interfering with button?
What do you call something that goes against the spirit of the law, but is legal when interpreting the law to the letter?
A function which translates a sentence to title-case
How old can references or sources in a thesis be?
How to use ssh over http or https?
I am failing to clone a git repo when behind a proxyHave SSH on port 80 or 443 while webserver (nginx) is running on these portsWhy can't I use ssh?How to setup password-less ssh with RSA keysSquid configuration for web applicationUnable to force passphraseless ssh authentication while port forwardingUnable to SSH into Puppy Linux, even though SSHD is runningReverse AutoSSH working, but the proxied LISTEN ports fail randomlySSH server also runs OpenVPN client - Inbound SSH times outTemporary DNS resolve to local ip (for temporary http redirect)Help with connecting to SSH server over internetHow to cleanup SSH reverse tunnel socket after connection closed?SSH through HTTP proxy with corkscrew
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
I have a linux fedora21 client laptop behind a corporate firewall (which lets through http and https ports but not ssh 22) and I have a linux fedora21 server at home behind my own router.
Browsing with https works when I specify my home server's public IP address (because I configured my home router)
Is it possible to ssh (remote shell) to my home server over the http/s port?
I saw a tool called corkscrew. would that help?
opensshd and httpd run on the home server. What else would need configuration?
sshd http-proxy
edited Jul 21 '17 at 7:47
dr01
16.3k115275
asked Mar 16 '15 at 13:25
MMMMMM
300134
|
show 4 more comments
I have a linux fedora21 client laptop behind a corporate firewall (which lets through http and https ports but not ssh 22) and I have a linux fedora21 server at home behind my own router.
Browsing with https works when I specify my home server's public IP address (because I configured my home router)
Is it possible to ssh (remote shell) to my home server over the http/s port?
I saw a tool called corkscrew. would that help?
opensshd and httpd run on the home server. What else would need configuration?
sshd http-proxy
edited Jul 21 '17 at 7:47
dr01
16.3k115275
asked Mar 16 '15 at 13:25
MMMMMM
300134
1
put your sshd at home to listen on port 443, but you should disable port 443 on your home httpd.
– taliezin
Mar 16 '15 at 13:30
I can't quite though that. I need httpd(s) for git pushed as well. so I gotta have a httpd listening on 443.
– MMM
Mar 16 '15 at 13:43
try httptunnel - yum install httptunnel http://www.nocrew.org/software/httptunnel.html, or as you mentioned in your question: corkscrew.
– taliezin
Mar 16 '15 at 13:46
Either way, sshd would listen to 22, and httpd to 80/443 and httptunnel or corkscrew would forward traffic httpd receives to sshd ?
– MMM
Mar 16 '15 at 16:50
Yes. It don't have to change ports of your services.
– taliezin
Mar 16 '15 at 18:16
|
show 4 more comments
I have a linux fedora21 client laptop behind a corporate firewall (which lets through http and https ports but not ssh 22) and I have a linux fedora21 server at home behind my own router.
Browsing with https works when I specify my home server's public IP address (because I configured my home router)
Is it possible to ssh (remote shell) to my home server over the http/s port?
I saw a tool called corkscrew. would that help?
opensshd and httpd run on the home server. What else would need configuration?
sshd http-proxy
edited Jul 21 '17 at 7:47
dr01
16.3k115275
asked Mar 16 '15 at 13:25
MMMMMM
300134
I have a linux fedora21 client laptop behind a corporate firewall (which lets through http and https ports but not ssh 22) and I have a linux fedora21 server at home behind my own router.
Browsing with https works when I specify my home server's public IP address (because I configured my home router)
Is it possible to ssh (remote shell) to my home server over the http/s port?
I saw a tool called corkscrew. would that help?
opensshd and httpd run on the home server. What else would need configuration?
sshd http-proxy
sshd http-proxy
edited Jul 21 '17 at 7:47
dr01
16.3k115275
asked Mar 16 '15 at 13:25
MMMMMM
300134
edited Jul 21 '17 at 7:47
dr01
16.3k115275
asked Mar 16 '15 at 13:25
MMMMMM
300134
edited Jul 21 '17 at 7:47
dr01
16.3k115275
edited Jul 21 '17 at 7:47
dr01
16.3k115275
edited Jul 21 '17 at 7:47
dr01
16.3k115275
16.3k115275
asked Mar 16 '15 at 13:25
MMMMMM
300134
asked Mar 16 '15 at 13:25
MMMMMM
300134
asked Mar 16 '15 at 13:25
MMMMMM
300134
300134
1
put your sshd at home to listen on port 443, but you should disable port 443 on your home httpd.
– taliezin
Mar 16 '15 at 13:30
I can't quite though that. I need httpd(s) for git pushed as well. so I gotta have a httpd listening on 443.
– MMM
Mar 16 '15 at 13:43
try httptunnel - yum install httptunnel http://www.nocrew.org/software/httptunnel.html, or as you mentioned in your question: corkscrew.
– taliezin
Mar 16 '15 at 13:46
Either way, sshd would listen to 22, and httpd to 80/443 and httptunnel or corkscrew would forward traffic httpd receives to sshd ?
– MMM
Mar 16 '15 at 16:50
Yes. It don't have to change ports of your services.
– taliezin
Mar 16 '15 at 18:16
|
show 4 more comments
1
put your sshd at home to listen on port 443, but you should disable port 443 on your home httpd.
– taliezin
Mar 16 '15 at 13:30
I can't quite though that. I need httpd(s) for git pushed as well. so I gotta have a httpd listening on 443.
– MMM
Mar 16 '15 at 13:43
try httptunnel - yum install httptunnel http://www.nocrew.org/software/httptunnel.html, or as you mentioned in your question: corkscrew.
– taliezin
Mar 16 '15 at 13:46
Either way, sshd would listen to 22, and httpd to 80/443 and httptunnel or corkscrew would forward traffic httpd receives to sshd ?
– MMM
Mar 16 '15 at 16:50
Yes. It don't have to change ports of your services.
– taliezin
Mar 16 '15 at 18:16
1
1
put your sshd at home to listen on port 443, but you should disable port 443 on your home httpd.
– taliezin
Mar 16 '15 at 13:30
put your sshd at home to listen on port 443, but you should disable port 443 on your home httpd.
– taliezin
Mar 16 '15 at 13:30
I can't quite though that. I need httpd(s) for git pushed as well. so I gotta have a httpd listening on 443.
– MMM
Mar 16 '15 at 13:43
I can't quite though that. I need httpd(s) for git pushed as well. so I gotta have a httpd listening on 443.
– MMM
Mar 16 '15 at 13:43
try httptunnel - yum install httptunnel http://www.nocrew.org/software/httptunnel.html, or as you mentioned in your question: corkscrew.
– taliezin
Mar 16 '15 at 13:46
try httptunnel - yum install httptunnel http://www.nocrew.org/software/httptunnel.html, or as you mentioned in your question: corkscrew.
– taliezin
Mar 16 '15 at 13:46
Either way, sshd would listen to 22, and httpd to 80/443 and httptunnel or corkscrew would forward traffic httpd receives to sshd ?
– MMM
Mar 16 '15 at 16:50
Either way, sshd would listen to 22, and httpd to 80/443 and httptunnel or corkscrew would forward traffic httpd receives to sshd ?
– MMM
Mar 16 '15 at 16:50
Yes. It don't have to change ports of your services.
– taliezin
Mar 16 '15 at 18:16
Yes. It don't have to change ports of your services.
– taliezin
Mar 16 '15 at 18:16
|
show 4 more comments
2 Answers
2
active
oldest
votes
What is possible depends on what the firewall allows.
If the firewall allows arbitrary traffic on port 443
Some firewalls take the simple way out and allow anything on port 443. If that's the case, the easiest way to reach your home server is to make it listen to SSH connections on port 443. If your machine is directly connected to the Internet, simply add Port 443 to /etc/ssh/sshd_config or /etc/sshd_config just below the line that says Port 22. If your machine is behind a router/firewall that redirects incoming connections, make it redirect incoming connections to port 443 to your server's port 22 with something like
iptables -t nat -I PREROUTING -p tcp -i wan0 --dport 443 -j DNAT --to-destination 10.1.2.3:22
where wan0 is the WAN interface on your router and 10.1.2.3 is your server's IP address on your home network.
If you want to allow your home server to listen both to HTTPS connections and SSH connections on port 443, it's possible — SSH and HTTPS traffic can easily be distinguished (in SSH, the server talks first, whereas in HTTP and HTTPS, the client talks first). See http://blog.stalkr.net/2012/02/sshhttps-multiplexing-with-sshttp.html and http://wrouesnel.github.io/articles/Setting%20up%20sshttp/ for tutorials on how to set this up with sshttp, and also Have SSH on port 80 or 443 while webserver (nginx) is running on these ports
If you have a web proxy that allows CONNECT tunnelling
Some firewalls block all outgoing connections, but allow browsing the web via a proxy that allows the HTTP CONNECT method to effectively pierce a hole in the firewall. The CONNECT method may be restricted to certain ports, so you may need to combine this with listening on port 443 as above.
To make SSH go via the proxy, you can use a tool like corkscrew. In your ~/.ssh/config, add a ProxyCommand line like the one below, if your web proxy is http://web-proxy.work.example.com:3128:
Host home
HostName mmm.dyndns.example.net
ProxyCommand corkscrew web-proxy.work.example.com 3128 %h %p
Wrapping SSH in HTTP(S)
Some firewalls don't allow SSH traffic, even on port 443. To cope with these, you need to disguise or tunnel SSH into something that the firewall lets through. See http://dag.wiee.rs/howto/ssh-http-tunneling/ for a tutorial on doing this with proxytunnel.
edited Apr 13 '17 at 12:36
Community♦
1
answered Mar 17 '15 at 0:49
GillesGilles
546k12911111625
the 443 trick did it! I was surprised this works :) - any sysadmin sight why this seems to be the case with most firewalls?
– AK_
Dec 13 '16 at 16:28
@AK_ Because although it's possible for a firewall to distinguish TLS from SSH, it's an additional configuration step and costs more in performance, for no real benefit when it comes to outgoing connections (since anything could be tunnelled in TLS anyway).
– Gilles
Dec 13 '16 at 16:31
@Gilles, Are there even proxy servers that block HTTPS yet allow HTTP CONNECT HTTPS?
– Pacerier
Oct 27 '17 at 18:20
1
@Pacerier Many of them. It's not that the proxy blocks HTTPS — a proxy doesn't block connections that bypass the proxy — it's that direct connections are blocked, but the proxy allows CONNECT with any traffic provided that it's to port 443. There's no real way to filter HTTPS anyway, short of root of trust injection and certificate rewriting which is a very bad idea.
– Gilles
Oct 27 '17 at 19:30
add a comment |
you can try another way, set up a web server, which can ssh your server,
https://github.com/huashengdun/webssh
answered 2 days ago
gaozhidfgaozhidf
1011
New contributor
gaozhidf is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f190490%2fhow-to-use-ssh-over-http-or-https%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
What is possible depends on what the firewall allows.
If the firewall allows arbitrary traffic on port 443
Some firewalls take the simple way out and allow anything on port 443. If that's the case, the easiest way to reach your home server is to make it listen to SSH connections on port 443. If your machine is directly connected to the Internet, simply add Port 443 to /etc/ssh/sshd_config or /etc/sshd_config just below the line that says Port 22. If your machine is behind a router/firewall that redirects incoming connections, make it redirect incoming connections to port 443 to your server's port 22 with something like
iptables -t nat -I PREROUTING -p tcp -i wan0 --dport 443 -j DNAT --to-destination 10.1.2.3:22
where wan0 is the WAN interface on your router and 10.1.2.3 is your server's IP address on your home network.
If you want to allow your home server to listen both to HTTPS connections and SSH connections on port 443, it's possible — SSH and HTTPS traffic can easily be distinguished (in SSH, the server talks first, whereas in HTTP and HTTPS, the client talks first). See http://blog.stalkr.net/2012/02/sshhttps-multiplexing-with-sshttp.html and http://wrouesnel.github.io/articles/Setting%20up%20sshttp/ for tutorials on how to set this up with sshttp, and also Have SSH on port 80 or 443 while webserver (nginx) is running on these ports
If you have a web proxy that allows CONNECT tunnelling
Some firewalls block all outgoing connections, but allow browsing the web via a proxy that allows the HTTP CONNECT method to effectively pierce a hole in the firewall. The CONNECT method may be restricted to certain ports, so you may need to combine this with listening on port 443 as above.
To make SSH go via the proxy, you can use a tool like corkscrew. In your ~/.ssh/config, add a ProxyCommand line like the one below, if your web proxy is http://web-proxy.work.example.com:3128:
Host home
HostName mmm.dyndns.example.net
ProxyCommand corkscrew web-proxy.work.example.com 3128 %h %p
Wrapping SSH in HTTP(S)
Some firewalls don't allow SSH traffic, even on port 443. To cope with these, you need to disguise or tunnel SSH into something that the firewall lets through. See http://dag.wiee.rs/howto/ssh-http-tunneling/ for a tutorial on doing this with proxytunnel.
edited Apr 13 '17 at 12:36
Community♦
1
answered Mar 17 '15 at 0:49
GillesGilles
546k12911111625
the 443 trick did it! I was surprised this works :) - any sysadmin sight why this seems to be the case with most firewalls?
– AK_
Dec 13 '16 at 16:28
@AK_ Because although it's possible for a firewall to distinguish TLS from SSH, it's an additional configuration step and costs more in performance, for no real benefit when it comes to outgoing connections (since anything could be tunnelled in TLS anyway).
– Gilles
Dec 13 '16 at 16:31
@Gilles, Are there even proxy servers that block HTTPS yet allow HTTP CONNECT HTTPS?
– Pacerier
Oct 27 '17 at 18:20
1
@Pacerier Many of them. It's not that the proxy blocks HTTPS — a proxy doesn't block connections that bypass the proxy — it's that direct connections are blocked, but the proxy allows CONNECT with any traffic provided that it's to port 443. There's no real way to filter HTTPS anyway, short of root of trust injection and certificate rewriting which is a very bad idea.
– Gilles
Oct 27 '17 at 19:30
add a comment |
What is possible depends on what the firewall allows.
If the firewall allows arbitrary traffic on port 443
Some firewalls take the simple way out and allow anything on port 443. If that's the case, the easiest way to reach your home server is to make it listen to SSH connections on port 443. If your machine is directly connected to the Internet, simply add Port 443 to /etc/ssh/sshd_config or /etc/sshd_config just below the line that says Port 22. If your machine is behind a router/firewall that redirects incoming connections, make it redirect incoming connections to port 443 to your server's port 22 with something like
iptables -t nat -I PREROUTING -p tcp -i wan0 --dport 443 -j DNAT --to-destination 10.1.2.3:22
where wan0 is the WAN interface on your router and 10.1.2.3 is your server's IP address on your home network.
If you want to allow your home server to listen both to HTTPS connections and SSH connections on port 443, it's possible — SSH and HTTPS traffic can easily be distinguished (in SSH, the server talks first, whereas in HTTP and HTTPS, the client talks first). See http://blog.stalkr.net/2012/02/sshhttps-multiplexing-with-sshttp.html and http://wrouesnel.github.io/articles/Setting%20up%20sshttp/ for tutorials on how to set this up with sshttp, and also Have SSH on port 80 or 443 while webserver (nginx) is running on these ports
If you have a web proxy that allows CONNECT tunnelling
Some firewalls block all outgoing connections, but allow browsing the web via a proxy that allows the HTTP CONNECT method to effectively pierce a hole in the firewall. The CONNECT method may be restricted to certain ports, so you may need to combine this with listening on port 443 as above.
To make SSH go via the proxy, you can use a tool like corkscrew. In your ~/.ssh/config, add a ProxyCommand line like the one below, if your web proxy is http://web-proxy.work.example.com:3128:
Host home
HostName mmm.dyndns.example.net
ProxyCommand corkscrew web-proxy.work.example.com 3128 %h %p
Wrapping SSH in HTTP(S)
Some firewalls don't allow SSH traffic, even on port 443. To cope with these, you need to disguise or tunnel SSH into something that the firewall lets through. See http://dag.wiee.rs/howto/ssh-http-tunneling/ for a tutorial on doing this with proxytunnel.
edited Apr 13 '17 at 12:36
Community♦
1
answered Mar 17 '15 at 0:49
GillesGilles
546k12911111625
the 443 trick did it! I was surprised this works :) - any sysadmin sight why this seems to be the case with most firewalls?
– AK_
Dec 13 '16 at 16:28
@AK_ Because although it's possible for a firewall to distinguish TLS from SSH, it's an additional configuration step and costs more in performance, for no real benefit when it comes to outgoing connections (since anything could be tunnelled in TLS anyway).
– Gilles
Dec 13 '16 at 16:31
@Gilles, Are there even proxy servers that block HTTPS yet allow HTTP CONNECT HTTPS?
– Pacerier
Oct 27 '17 at 18:20
1
@Pacerier Many of them. It's not that the proxy blocks HTTPS — a proxy doesn't block connections that bypass the proxy — it's that direct connections are blocked, but the proxy allows CONNECT with any traffic provided that it's to port 443. There's no real way to filter HTTPS anyway, short of root of trust injection and certificate rewriting which is a very bad idea.
– Gilles
Oct 27 '17 at 19:30
add a comment |
What is possible depends on what the firewall allows.
If the firewall allows arbitrary traffic on port 443
Some firewalls take the simple way out and allow anything on port 443. If that's the case, the easiest way to reach your home server is to make it listen to SSH connections on port 443. If your machine is directly connected to the Internet, simply add Port 443 to /etc/ssh/sshd_config or /etc/sshd_config just below the line that says Port 22. If your machine is behind a router/firewall that redirects incoming connections, make it redirect incoming connections to port 443 to your server's port 22 with something like
iptables -t nat -I PREROUTING -p tcp -i wan0 --dport 443 -j DNAT --to-destination 10.1.2.3:22
where wan0 is the WAN interface on your router and 10.1.2.3 is your server's IP address on your home network.
If you want to allow your home server to listen both to HTTPS connections and SSH connections on port 443, it's possible — SSH and HTTPS traffic can easily be distinguished (in SSH, the server talks first, whereas in HTTP and HTTPS, the client talks first). See http://blog.stalkr.net/2012/02/sshhttps-multiplexing-with-sshttp.html and http://wrouesnel.github.io/articles/Setting%20up%20sshttp/ for tutorials on how to set this up with sshttp, and also Have SSH on port 80 or 443 while webserver (nginx) is running on these ports
If you have a web proxy that allows CONNECT tunnelling
Some firewalls block all outgoing connections, but allow browsing the web via a proxy that allows the HTTP CONNECT method to effectively pierce a hole in the firewall. The CONNECT method may be restricted to certain ports, so you may need to combine this with listening on port 443 as above.
To make SSH go via the proxy, you can use a tool like corkscrew. In your ~/.ssh/config, add a ProxyCommand line like the one below, if your web proxy is http://web-proxy.work.example.com:3128:
Host home
HostName mmm.dyndns.example.net
ProxyCommand corkscrew web-proxy.work.example.com 3128 %h %p
Wrapping SSH in HTTP(S)
Some firewalls don't allow SSH traffic, even on port 443. To cope with these, you need to disguise or tunnel SSH into something that the firewall lets through. See http://dag.wiee.rs/howto/ssh-http-tunneling/ for a tutorial on doing this with proxytunnel.
edited Apr 13 '17 at 12:36
Community♦
1
answered Mar 17 '15 at 0:49
GillesGilles
546k12911111625
What is possible depends on what the firewall allows.
If the firewall allows arbitrary traffic on port 443
Some firewalls take the simple way out and allow anything on port 443. If that's the case, the easiest way to reach your home server is to make it listen to SSH connections on port 443. If your machine is directly connected to the Internet, simply add Port 443 to /etc/ssh/sshd_config or /etc/sshd_config just below the line that says Port 22. If your machine is behind a router/firewall that redirects incoming connections, make it redirect incoming connections to port 443 to your server's port 22 with something like
iptables -t nat -I PREROUTING -p tcp -i wan0 --dport 443 -j DNAT --to-destination 10.1.2.3:22
where wan0 is the WAN interface on your router and 10.1.2.3 is your server's IP address on your home network.
If you want to allow your home server to listen both to HTTPS connections and SSH connections on port 443, it's possible — SSH and HTTPS traffic can easily be distinguished (in SSH, the server talks first, whereas in HTTP and HTTPS, the client talks first). See http://blog.stalkr.net/2012/02/sshhttps-multiplexing-with-sshttp.html and http://wrouesnel.github.io/articles/Setting%20up%20sshttp/ for tutorials on how to set this up with sshttp, and also Have SSH on port 80 or 443 while webserver (nginx) is running on these ports
If you have a web proxy that allows CONNECT tunnelling
Some firewalls block all outgoing connections, but allow browsing the web via a proxy that allows the HTTP CONNECT method to effectively pierce a hole in the firewall. The CONNECT method may be restricted to certain ports, so you may need to combine this with listening on port 443 as above.
To make SSH go via the proxy, you can use a tool like corkscrew. In your ~/.ssh/config, add a ProxyCommand line like the one below, if your web proxy is http://web-proxy.work.example.com:3128:
Host home
HostName mmm.dyndns.example.net
ProxyCommand corkscrew web-proxy.work.example.com 3128 %h %p
Wrapping SSH in HTTP(S)
Some firewalls don't allow SSH traffic, even on port 443. To cope with these, you need to disguise or tunnel SSH into something that the firewall lets through. See http://dag.wiee.rs/howto/ssh-http-tunneling/ for a tutorial on doing this with proxytunnel.
edited Apr 13 '17 at 12:36
Community♦
1
answered Mar 17 '15 at 0:49
GillesGilles
546k12911111625
edited Apr 13 '17 at 12:36
Community♦
1
edited Apr 13 '17 at 12:36
Community♦
1
edited Apr 13 '17 at 12:36
Community♦
1
1
answered Mar 17 '15 at 0:49
GillesGilles
546k12911111625
answered Mar 17 '15 at 0:49
GillesGilles
546k12911111625
answered Mar 17 '15 at 0:49
GillesGilles
546k12911111625
546k12911111625
the 443 trick did it! I was surprised this works :) - any sysadmin sight why this seems to be the case with most firewalls?
– AK_
Dec 13 '16 at 16:28
@AK_ Because although it's possible for a firewall to distinguish TLS from SSH, it's an additional configuration step and costs more in performance, for no real benefit when it comes to outgoing connections (since anything could be tunnelled in TLS anyway).
– Gilles
Dec 13 '16 at 16:31
@Gilles, Are there even proxy servers that block HTTPS yet allow HTTP CONNECT HTTPS?
– Pacerier
Oct 27 '17 at 18:20
1
@Pacerier Many of them. It's not that the proxy blocks HTTPS — a proxy doesn't block connections that bypass the proxy — it's that direct connections are blocked, but the proxy allows CONNECT with any traffic provided that it's to port 443. There's no real way to filter HTTPS anyway, short of root of trust injection and certificate rewriting which is a very bad idea.
– Gilles
Oct 27 '17 at 19:30
add a comment |
the 443 trick did it! I was surprised this works :) - any sysadmin sight why this seems to be the case with most firewalls?
– AK_
Dec 13 '16 at 16:28
@AK_ Because although it's possible for a firewall to distinguish TLS from SSH, it's an additional configuration step and costs more in performance, for no real benefit when it comes to outgoing connections (since anything could be tunnelled in TLS anyway).
– Gilles
Dec 13 '16 at 16:31
@Gilles, Are there even proxy servers that block HTTPS yet allow HTTP CONNECT HTTPS?
– Pacerier
Oct 27 '17 at 18:20
1
@Pacerier Many of them. It's not that the proxy blocks HTTPS — a proxy doesn't block connections that bypass the proxy — it's that direct connections are blocked, but the proxy allows CONNECT with any traffic provided that it's to port 443. There's no real way to filter HTTPS anyway, short of root of trust injection and certificate rewriting which is a very bad idea.
– Gilles
Oct 27 '17 at 19:30
the 443 trick did it! I was surprised this works :) - any sysadmin sight why this seems to be the case with most firewalls?
– AK_
Dec 13 '16 at 16:28
the 443 trick did it! I was surprised this works :) - any sysadmin sight why this seems to be the case with most firewalls?
– AK_
Dec 13 '16 at 16:28
@AK_ Because although it's possible for a firewall to distinguish TLS from SSH, it's an additional configuration step and costs more in performance, for no real benefit when it comes to outgoing connections (since anything could be tunnelled in TLS anyway).
– Gilles
Dec 13 '16 at 16:31
@AK_ Because although it's possible for a firewall to distinguish TLS from SSH, it's an additional configuration step and costs more in performance, for no real benefit when it comes to outgoing connections (since anything could be tunnelled in TLS anyway).
– Gilles
Dec 13 '16 at 16:31
@Gilles, Are there even proxy servers that block HTTPS yet allow HTTP CONNECT HTTPS?
– Pacerier
Oct 27 '17 at 18:20
@Gilles, Are there even proxy servers that block HTTPS yet allow HTTP CONNECT HTTPS?
– Pacerier
Oct 27 '17 at 18:20
1
1
@Pacerier Many of them. It's not that the proxy blocks HTTPS — a proxy doesn't block connections that bypass the proxy — it's that direct connections are blocked, but the proxy allows CONNECT with any traffic provided that it's to port 443. There's no real way to filter HTTPS anyway, short of root of trust injection and certificate rewriting which is a very bad idea.
– Gilles
Oct 27 '17 at 19:30
@Pacerier Many of them. It's not that the proxy blocks HTTPS — a proxy doesn't block connections that bypass the proxy — it's that direct connections are blocked, but the proxy allows CONNECT with any traffic provided that it's to port 443. There's no real way to filter HTTPS anyway, short of root of trust injection and certificate rewriting which is a very bad idea.
– Gilles
Oct 27 '17 at 19:30
add a comment |
you can try another way, set up a web server, which can ssh your server,
https://github.com/huashengdun/webssh
answered 2 days ago
gaozhidfgaozhidf
1011
New contributor
gaozhidf is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
you can try another way, set up a web server, which can ssh your server,
https://github.com/huashengdun/webssh
answered 2 days ago
gaozhidfgaozhidf
1011
New contributor
gaozhidf is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
you can try another way, set up a web server, which can ssh your server,
https://github.com/huashengdun/webssh
answered 2 days ago
gaozhidfgaozhidf
1011
New contributor
gaozhidf is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
you can try another way, set up a web server, which can ssh your server,
https://github.com/huashengdun/webssh
answered 2 days ago
gaozhidfgaozhidf
1011
New contributor
gaozhidf is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 2 days ago
gaozhidfgaozhidf
1011
New contributor
gaozhidf is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 2 days ago
gaozhidfgaozhidf
1011
answered 2 days ago
gaozhidfgaozhidf
1011
1011
New contributor
gaozhidf is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
gaozhidf is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
gaozhidf is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f190490%2fhow-to-use-ssh-over-http-or-https%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
put your sshd at home to listen on port 443, but you should disable port 443 on your home httpd.
– taliezin
Mar 16 '15 at 13:30
I can't quite though that. I need httpd(s) for git pushed as well. so I gotta have a httpd listening on 443.
– MMM
Mar 16 '15 at 13:43
try httptunnel - yum install httptunnel http://www.nocrew.org/software/httptunnel.html, or as you mentioned in your question: corkscrew.
– taliezin
Mar 16 '15 at 13:46
Either way, sshd would listen to 22, and httpd to 80/443 and httptunnel or corkscrew would forward traffic httpd receives to sshd ?
– MMM
Mar 16 '15 at 16:50
Yes. It don't have to change ports of your services.
– taliezin
Mar 16 '15 at 18:16