proxy tunnel connection schema

SSH connect through a HTTPS proxy

If you’re on a shielded network which only allows HTTP connections to the internet and you need to connect to a SSH destination, proxytunnel can be a useful tool.

Setup

Configure the SSH client

~/.ssh/config

# Configure an alias
Host proxy-target
    # Hostname and port the proxy should forward the traffic to
    Hostname 192.168.1.2
    Port 22
    # Forward the SSH traffic via a proxy incl. proxy authentication
    ProxyCommand proxytunnel --encrypt-proxy --proxy=proxytunnel.example.com:443 --proxyauth=PROXY_USERNAME:PROXY_PASSWORD --dest=%h:%p --header="User-Agent: user-agent"

Install required software on client side:

sudo apt-get install -y proxytunnel

Provide a proxy server by Apache httpd

/etc/apache2/sites-available/proxytunnel.conf

<VirtualHost proxytunnel:443>
    Servername proxytunnel.example.com
    DocumentRoot /var/www/null

    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCompression off
    SSLHonorCipherOrder On
    SSLCipherSuite 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256

    SSLCertificateFile /etc/apache2/proxytunnel.example.com.crt
    SSLCertificateKeyFile /etc/apache2/proxytunnel.example.com.key

    ProxyRequests On
    AllowCONNECT 22
    ProxyVia On

    <Proxy "*">
        Require all denied
    </Proxy>

    <Proxy "192.168.1.2:22">
        AuthType basic
        AuthName "proxytunnel"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/htpasswd
        Require user PROXY_USERNAME
    </Proxy>
</VirtualHost>
htpasswd -B /etc/apache2/htpasswd PROXY_USERNAME

a2enmod proxy proxy_connect
a2ensite proxytunnel
apachectl -t && systemctl reload apache2

How to use

ssh proxy-target

References