SSH: Tunneling HTTP

Similar Messages

• [SOLVED] How to tunnel HTTP over SSH via SOCKS?

  This should be a simple issue to solve, but for some reason it's not working for me.
  `ssh vps` works just fine (I use authentication keys)
  I set up the tunnel with the command:
  ssh -C2TNv -D 8080 vps
  I then modify Firefox network settings:
  manual config
  http proxy: localhost, port: 8080
  use this proxy server for all protocols
  SOCKS v5
  about:config
  network.proxy.socks_remote_dns: true
  Terminal output:
  $ ssh -C2TNv -D 8080 vps
  OpenSSH_6.0p1, OpenSSL 1.0.1a 19 Apr 2012
  debug1: Reading configuration data /home/ting/.ssh/config
  debug1: /home/ting/.ssh/config line 47: Applying options for vps
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: Connecting to vps.server.com [1.1.1.1] port 22.
  debug1: Connection established.
  debug1: identity file /home/ting/.ssh/id_rsa type 1
  debug1: identity file /home/ting/.ssh/id_rsa-cert type -1
  debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6+squeeze1
  debug1: match: OpenSSH_5.5p1 Debian-6+squeeze1 pat OpenSSH_5*
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_6.0
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: server->client aes128-ctr hmac-md5 [email protected]
  debug1: kex: client->server aes128-ctr hmac-md5 [email protected]
  debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
  debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
  debug1: Server host key: RSA <removed>
  debug1: Host 'vps.server.com' is known and matches the RSA host key.
  debug1: Found key in /home/ting/.ssh/known_hosts:10
  debug1: ssh_rsa_verify: signature correct
  debug1: SSH2_MSG_NEWKEYS sent
  debug1: expecting SSH2_MSG_NEWKEYS
  debug1: SSH2_MSG_NEWKEYS received
  debug1: Roaming not allowed by server
  debug1: SSH2_MSG_SERVICE_REQUEST sent
  debug1: SSH2_MSG_SERVICE_ACCEPT received
  debug1: Authentications that can continue: publickey,password
  debug1: Next authentication method: publickey
  debug1: Offering RSA public key: /home/ting/.ssh/id_rsa
  debug1: Server accepts key: pkalg ssh-rsa blen 279
  debug1: Enabling compression at level 6.
  debug1: Authentication succeeded (publickey).
  Authenticated to vps.server.com ([1.1.1.1]:22).
  debug1: Local connections to LOCALHOST:8080 forwarded to remote address socks:0
  debug1: Local forwarding listening on ::1 port 8080.
  debug1: channel 0: new [port listener]
  debug1: Local forwarding listening on 127.0.0.1 port 8080.
  debug1: channel 1: new [port listener]
  debug1: Requesting [email protected]
  debug1: Entering interactive session.
  I then try visiting a site using Firefox, SSH output:
  debug1: Connection to port 8080 forwarding to socks port 0 requested.
  debug1: channel 2: new [dynamic-tcpip]
  debug1: channel 2: free: dynamic-tcpip, nchannels 3
  debug1: Connection to port 8080 forwarding to socks port 0 requested.
  debug1: channel 2: new [dynamic-tcpip]
  debug1: channel 2: free: dynamic-tcpip, nchannels 3
  Despite the proxy seemingly working, visiting any site with Firefox just returns with the error "The connection was reset".
  Last edited by AncientPC (2012-04-27 06:47:39)

  I eventually figured it out from here:
  http://superuser.com/questions/417397/h … -via-socks
  It turns out my Firefox settings were wrong, only SOCKS Proxy needed to be filled in.
  For future reference, you can test your SSH tunnel by using:
  curl --socks5 127.0.0.1:8080 http://blah
  curl --proxy 127.0.0.1:8080 http://blah

• Jconsole - remote connection thru ssh-tunnel

  Hi all,
  I need to start jconsole on my windows-box and connect to a remote tomcat-server thru an ssh-tunnel.
  I have walked thru various posts and blogs, but finally couldn't get it running.
  On the linux-server, I have set the following JAVA_OPTS:
  export JAVA_OPTS='-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8888 -Dcom.sun.management.jmxremote.ssl=false -Djava.rmi.server.useLocalHostname=true -Dcom.sun.management.jmxremote.authenticate=false -Djava.rmi.server.hostname=myserver'myserver is the server-name that is resolved by the hostname-command. I also tried using localhost instead.
  On the client I run the following ssh-command to create the tunnel:
  ssh tomcat@myserver -L8888:myserver:8888 -N -vWhen I try to create a remote connection with jconsole using localhost:8888, I see the following output by ssh:
  debug1: Connection to port 8888 forwarding to myserver port 8888 requested.
  debug1: channel 1: new [direct-tcpip]
  debug1: channel 1: free: direct-tcpip: listening port 8888 for myserver port 8888, connect from 127.0.0.1 port 1618, nchannels 2It looks not too bad to me, but unfortunately, jconsole runs into a timeout after about 2 mins.
  On the server I see the following using netstat:
  tcp        0    168 myserver:ssh    mywindowsbox:3381  VERBUNDEN  
  tcp        0      0 myserver:ssh    mywindowsbox:1317  VERBUNDEN  
  tcp        0      0 myserver:44625  myserver:8888   TIME_WAIT  
  tcp        0      0 *:8888                      *:*                         LISTENIt appears to me that the tomcat-server is listening correctly on port 8888 for all incoming hosts (although localhost should be enough).
  Furthermore, it seems that the ssh-tunnel has been establised.
  Why the hell, jconsole still can't connect?

  Hiya.
  JMX connections use two ports. You need the RMI Registry and the RMI Stub. This first one you bound to port 8888, but the other one is probably still bound to a random port. You need to be able to access that one through SSH as well.
  Trouble is that the second port uses a random port and most application servers can't statically configure this one. See this article for possible solutions (be sure to read the follow ups as well) : http://blogs.sun.com/jmxetc/entry/connecting_through_firewall_using_jmx
  Cheers,
  Hugp

• Using portal admin console through an ssh tunnel?

  I'm trying to login on the portal admin over an established ssh connection:
  - profile server listen on hostname.subdomain.domain, port 8080
  - an ssh tunnel (via portforwarding through a firewall) from client port
  10000 to profile server 8080
  - connect from webbrowser to http://localhost:10000/console
  that won't work: internal server errors. If i change my hosts file:
  localhost 127.0.0.1 hostname.subdomain.domain
  it works. But this is ugly and conflicts with DNS.
  So, how can i configure the profile server to accept connections over an ssh
  tunnel? Anyone any idea?
  regards, Jordi

  Hello,
  Does any one in BEA have an answer to this. I was stumped when asked by a client. Any response will be great.
  C

• Using Workgroup Manager via SSH tunnel

  Hi all,
  I'm attempting to use the Workgroup Manager app to remotely administer a OS X Tiger Server box. The server sits inside my company's LAN behind a firewall, which only allows traffic to the server on ports 21 (ftp), 22 (ssh), 80 (http) and 311 (server admin with SSL, I believe). All services on those ports work fine.
  My research on the net indicates that the Workgroup Manager app uses port 625, but since the hardware firewall is blocking traffic on that port to the server, I'd like to create an SSH tunnel to access it. I've tried the following command on my local machine (i.e., not the server):
  $ sudo ssh -L 625:localhost:625 [email protected]
  and am able to set up the tunnel with no problem. However when I try to connect Workgroup Manager (on the local machine) to localhost, it won't let me connect. So I tried telnetting to localhost port 625 (on the local machine) to see what's up, and received the following error:
  $ telnet localhost 625
  Trying ::1...
  Connected to localhost.
  Escape character is '^]'.
  Connection closed by foreign host.
  Am I missing something? I was under the impression that the SSH tunnel would allow me to access port 625 on the server via port 22. The software firewall is disabled on both machines, so it's not that. I'm not experienced with SSH tunnelling, so I could be totally wrong about the way this is supposed to work.
  Thanks in advance!

  A quick tcpdump here indicates that Workgroup Manager uses both 311 and 625 when establishing a connection to the server. It may be the lack of port 311 tunneling that's causing your problem.
  $ sudo ssh -L 625:localhost:625 -L 311:localhost:311 [email protected]

• SSH Tunnel to other SSH servers?

  I'm not sure how this can be done, with or even without an SSH tunnel.
  Here's my scenario:
  PowerBook@Work --> Firewall --> INTERNET --> Linksys Router/Firewall with port forwarding to Mac mini home server --> Mac mini --> Other Mac clients
  Obviously I can SSH into my Mac mini server from my PowerBook at work:
  ssh [email protected]
  However, what I want to do is, to ssh to the Other Mac client on my home LAN from my Work LAN. So far I accomplish this by SSH'ing into my Mac mini server and then SSH'ing from there to my other Mac clients (which all have static 192.168.X.X addresses).
  I have tried the following and it's doesn't seem to work:
  ssh -N -p 22 [email protected] -R 2110/example.com/22
  With port 2110 forwarded from my Linksys to my Other Mac client. Doesn't work.
  I know this is one of those scenarios where I "can't see the forest through the trees". Meaning, there must be an easier way? Any help?

  Paul,
  sorry for my mistake. I forgot the "yes" in the commandline.
  I wouldn't put all the different ssh connections into aliases of my .bashrc. SSH offers the use of a config file. Put everything there. It's easier to maintain and the recommended way for ssh.
  Create a plain text file in ~/.ssh/config (for example with vi). And put the following stuff in there.
  Host nicknameforyourhost
  Hostname hostname.example.com
  User yourusername
  In Addition you might want to add one of these:
  Port 22
  Protocol 2
  Compression yes
  ForwardX11 yes
  You can even put portforwardings, reflections etc. in there.
  LocalForward 10548 127.0.0.1:548 To tunnel AFP on the server.
  LocalForward 10080 127.0.0.1:80 To tunnel to an webserver running on the host that is blocked by the firewall.
  To tunnel ServerAdmin, Workgroup Manager and Server Monitor Connections to the host (if it's running Mac OS X Server)
  LocaLForward 311 127.0.0.1:311
  LocalForward 625 127.0.0.1:625
  LocalForward 687 127.0.0.1:687
  You then connect your admin apps to localhost. This one has to be done as root, as you're forwarding privileged ports.
  To forward an http connection to the webinterface of your router through the tunnel. Provided your LAN Range is 192.168.1.0 and your router is located at 192.168.1.1.
  LocalForward 10080 192.168.1.1:80
  You then connect your browser to http://localhost:10080/ and it will go through the tunnel, and be reflected from the host you connected to via SSH directly to the router. That way you could access your routers config pages without activating remote administration which is of course a lot more secure.
  For your particular problem:
  Create one Host entry with the actual machine that you connect to.
  Host myserver
  Hostname myserver.example.com
  User yourusername
  Protocol 2
  Port 22
  Compression yes
  LocalForward 10080 192.168.1.1:80 see example with router above
  LocalForward 10022 192.168.1.100:22 to create a ssh portreflector for host 192.168.1.100
  This config will allow you to connect to your server and access your router like I described above and also create a tunnel for another ssh connection to 192.168.1.100. To access that machine, create a second config in that file just a few lines below.
  Host myothermac
  Hostname localhost
  User yourusername
  Protocol 2
  Port 10022
  To use all that you enter into your terminal:
  $ ssh myserver
  Password:
  and from a second terminal:
  $ ssh myothermac
  Password:
  You're directly taken to the othermac. You can put as many options in ther as you like. See the man page for SSH what else you can put into a config file. I hope by now is clear why not to use aliases in your .bashrc. Do some experimenting, you cannot hurt anything.
  You could also do that from a screen session or just background the first SSH session from the terminal but that would make things unnecessarily more complex for the examples given.
  Hope that helped.
  Regards MacLemon

• Using launchd to create "on demand" ssh tunnel

  Hello,
  I've setup 2 LaunchAgents in my ~/Library/LaunchAgents/ directory, in order to provide 2 apps with an ssh tunnel connectivity "on demand".
  One of the plist is like this :
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  <plist version="1.0">
  <dict>
  <key>Debug</key>
  <false/>
  <key>Disabled</key>
  <false/>
  <key>Label</key>
  <string>my.ssh.tunnel</string>
  <key>ProgramArguments</key>
  <array>
  <string>/usr/bin/ssh</string>
  <string>-l</string>
  <string>mylogin</string>
  <string>-N</string>
  <string>-L</string>
  <string>port:final-server:port</string>
  <string>mylogin@ssh-gateway</string>
  </array>
  <key>Sockets</key>
  <dict>
  <key>Listeners</key>
  <dict>
  <key>Bonjour</key>
  <false/>
  <key>SockServiceName</key>
  <string>port</string>
  <key>SockType</key>
  <string>stream</string>
  </dict>
  </dict>
  <key>StandardErrorPath</key>
  <string>/tmp/mytunnel.err</string>
  <key>StandardOutPath</key>
  <string>/tmp/mytunnel.out</string>
  <key>inetdCompatibility</key>
  <dict>
  <key>Wait</key>
  <false/>
  </dict>
  <key>onDemand</key>
  <true/>
  </dict>
  </plist>
  When I launch the application that makes a tcp request on localhost:port, the tunnel is created, this part is OK. But, the application is unable to use it. I have to quit and restart it so that it can use the ssh tunnel.
  Any idea why it behaves like this ? Any workaround ?
  PowerMac G5 2*2GHz   Mac OS X (10.4.6)  

  In fact, the idea of a wrapper script is not very appealing to me. The apps I launch use GUI. I could design an Applescript to "init" the tunnel then launch the true application, but I find it quite complicated and very unsatisfactory.
  Your telnet command succeed in activating the launchd item, but it returns nothing :
  $ echo "^]quit" | telnet localhost 1190
  Trying ::1...
  Connected to localhost.
  Escape character is '^]'.
  Connection closed by foreign host.
  $
  then, a `ps` shows the launchproxy process while it's opening the tunnel. This steps last for few seconds, the tunnel seems to be unavailable while launchproxy runs (in fact, launchproxy seems to run until the tunnel is fully established).
  The TCPKeepAlive option is not interesting in my context, I've monitored the ssh tunnel, once it's established, it won't close, even if the application supposed to be using it is not launched.
  I think my problem has no elegant solution. Such a solution could be for launchd/launchproxy to store the application queries, and to feed them into the tunnel once it is open. So, the app would just hang waiting for the tunnel to be fully established, and would get it's response after that. For now, the application hangs for ever. I have to force it to reissue it's network request so that it can reach the remote end of the tunnel.

• Error making an ssh tunnel

  I'm getting an error trying to create an ssh tunnel.
  *ssh –L 10548:localhost:548 [email protected]*
  returns
  *ssh: Error resolving hostname \342\200\223L: nodename nor servname provided, or not known*
  normal ssh works ok so the problem is with localhost. This only happens on one of my computers. the other one connects fine using the same internet connection.
  P.S. I just checked and this only happens on one user account. the rest are fine.
  Message was edited by: V.K.
  this thread is the continuation of [this one|http://discussions.apple.com/thread.jspa?messageID=7218912#7218912].
  Message was edited by: V.K.

  Very strange. I wonder what \342\200\223L means. You can create a tunnel to the same [email protected] from another account on the same client Mac?
  The localhost parameter is actually sent to the server, i.e. it means that sshd should connect port 548 on localhost. What if you put "10548:localhost:548" in quotes? Or try "*ssh –L 10548:my.computer.at.work:548 [email protected]*". You could also try moving or renaming your local ~/.ssh folder to make sure there are no local user settings that are confusing things.

• Why does my ssh tunnel drop when I switch on a system wide proxy

  The subject says pretty clearly what is puzzling me. After I establish a connection via ssh and initiate a tunnel for email access through a corporate firewall (using Apple Mail as the client and POP3 for the protocol), I find that enabling a system wide proxy (socks5, http, and https) via the same ssh tunnel causes the email to stop working. Upon switching, the http proxy (Safari) works fine -- e.g. the tunnel is healthy. This confuses me. The ssh link which hosts several tunnels is fine. I am forwarding local port 10025 and 10110 on the tunnel to a mail server behind the firewall. The socks5 proxy and http proxy are running on local ports 11080, 18080, and 18080, respectively. Why is Apple mail paying attention to the proxy settings at all? It would seem that since Apple Mail makes no attempt to connect (via the Activity window) that the link is dead, however, turning off the proxy brings the email tunnel back to normal. Wierd. Any advice? This is running on a normal 10.4 (not server), but I don't think there are any significant differences in behavior. I asked on the networking discussion, but got no response.

  Two things jump into my mind: poor WiFi signal strength on the desktop PC or a dirty OS installation on the desktop PC. I'm quite sure that this has nothing to do with the cisco VPN client itself.
  Assuming that you reach your remote workspace through the cisco VPN client it might also be that the remote part (the VPN concentrator) gets congested and drops your connection but than other employees would complain as well (can be checked with your ICT guys).
  The thing is: when you lose Internet connection on your laptop while surfing a web site and connection comes back again within no time you won't notice anything. If the same happens to a system constantly receiving encrypted packets and some are missing the VPN client will drop the connection. Completely different protocols (http/ipsec) that are differently prone to packet drops...

• Using ssh tunneling to admin OS X server on a far-away LAN

  My Mac OS X Server 10.4 box is behind a gateway (dns, dhcp, nat, ipfw) box on a LAN. My workstation (the one I will be administering from) is on a different LAN. I don't want to open holes in my firewall, but I have an account on the firewall (I am the admin). I want to use ssh tunneling to administer the server. I have successfully done this with my old webstar box (which the OSX Server is replacing).
  Is it as simple as adding a port designation when I "Add Server" to the Server Admin and Workgroup Server? example:
  localhost:8331 or localhost:8625
  (8331 is the local end of the tunnel which ends up as 331 to the OSX server, and same for 8625) The OSX server doesn't care because it see the connections from the ports that it expects. I'm just wondering about configuring the admin apps which are on a different LAN.

  How do I bring up the file shares in a GUI
  You don't.  Not with Putty or an SSH connection.  Just share a folder from the PC and access it via SMB from the Mac to access it.
  http://support.apple.com/kb/HT1568

• Stop SSH over HTTPS ?

  Hi guys,
  I have Cisco ASA-SSM-20 deployed INLINE.
  I can cut any traffic without any problems except SSHv2 over HTTP or HTTPS.
  Implementation ? - http://dag.wieers.com/howto/ssh-http-tunneling/
  Easy, you can make an HTTPS tunnel, then SSH over HTTPS and after that LOCAL PORT FORWARDING so you can get in the company from home ;)
  How I can deny souch connection ?? Any signature ? Any ideas or Cisco can't help in this case.
  Best regards,
  CD

  Interesting. In the very first data packet, I see:
  000-1.99-0000000_3.9p1
  000-2.0-0000000_3.9p1
  I expect to see something like:
  SSH-2.0-SecureCRT_5.1.3 (build 281) SecureCRT
  SSH-1.99-OpenSSH_3.9p1
  In the above session, I was using SecureCRT and connecting to an OpenSSH server.
  In your case, whatever client and server is being used appears to replace any references to SSH and the server type with zeroes...perhaps intentionally to bypass IDS/IPS? or actually, it might be a pretty clever hack to prevent others from connecting to your SSH server because I think a standard SSH client will fail to connect if versions don't match. I'll have to test that.
  In any event, look at the first data packet after the handshake and modify/build a signature based on it. You might consider a meta signature to prevent false positives. bear in mind that someone capable of changing the source and recompiling both the server and the client can set this to whatever they want:
  perhaps look for "diffie-hellman" in one signature and "ssh" in another?

• Server Admin 10.5.3, SSH Tunnel to OSX Server 10.3.9.....

  I used to connect to my 10.3.9 server using Server Admin + an SSH tunnel that forwarded tcp port 311 from my localhost to the 10.3.9 server.
  Since Software Update upgraded the Server Admin tool to 10.5.3, I've been unable to connect to my 10.3.9 server. The Tunnel works fine, but the Admin Tool won't connect to the server. (Says there's no server at the address I entered.)
  Any ideas?

  Hi
  I could be wrong but I'm surprised you can even connect let alone admin a 10.3 server with 10.5 Admin tools? See:
  http://support.apple.com/kb/HT1822
  Specifically: "Mac OS X 10.5 admin tools only work with Mac OS X Server 10.4.11 or later." and "To administer a Mac OS X 10.3 server, you can use either Mac OS X 10.3 or 10.4 admin tools."
  http://docs.info.apple.com/article.html?artnum=301254
  Tony

• SSH tunneling X to locked Windows computer.

  Hi
  I have recenty installed and configurated ssh to tunnel x. But I need a way to connect to it on a school computer and every other type of computer where I cant install softwares. The windows computers in school are all part of some sort of thin clients /server solution. And I cant post stuff on the desctop I can't reach the harddrives or any thing like that. I got a network share where I might be able to put stuff. Also I can't use a usb stick and start to software from there. So is there a possible way to ssh tunnel x to one of these computers?
  Last edited by lintz (2010-03-03 07:52:23)

  Use Putty on the windows machine. It's a simple .exe which doesn't need to be installed anywhere.
  http://www.chiark.greenend.org.uk/~sgtatham/putty/
  There are plenty of 'how to' guides for using Putty to access an ssh server and setting up and using tunnels.
  http://souptonuts.sourceforge.net/sshtips.htm
  http://jstrassburg.blogspot.com/2006/01 … th-dd.html
  etc. etc.
  It'll do what you want. I use the same to get from XP at work to home, and we have similar restrictions at work. Even better - by using x11vnc on Arch and then vncviewer on XP (also a simple .exe) I am able to bring up my Arch desktop as a remote desktop on my XP setup.
  The one thing I haven't worked out yet is how to copy files from my Arch machine to XP at work, since I am unable to setup an ssh server at work - although I can now email them to myself using the remote desktop!
  Last edited by sultanoswing (2010-03-03 08:49:30)

• Ssh tunneling made easy???

  doing the basic vnc with ssh tunneling.
  i use the linux putty client, do the blah blah, it doesn't work.
  i try wine putty, and it works.

  http://www.linux.org/docs/ldp/howto/ppp … ction.html

• Possible to ssh tunnel Bonjour traffic across different subnets?

  Hello:
  For quite some time, I have been thinking of buying a couple of iSights to enable audio/visual between two distant computers. But I really don't want to have to leave a dozen ports in my DSL modems opened up in order to use AIM or Jabber servers to iChatAV to my "usual" called parties (I can't help it, I'm paranoid - I have one ssh port open on my DSL modem at home - so most everything I do from afar -- afp (port 548), vnc( port 5900), etc., I tunnel it all over ssh).
  So, in a similar vein, what I would like to do is treat a distant computer as if it were on my local 192.168.x.x NAT subnet, in order to do a Bonjour-like iChatAV connection without having to go to through these public servers and without having to leave a dozen ports open in my firewall (or go through the drill of opening/closing ports every time I want to iChat).
  Now, if I understand this correctly, on one's local subnet, iChat AV works using Bonjour to communicate with other iChat AV users on the same subnet, which, I think, uses multicast packets. So I'm wondering if it is possible to ssh tunnel multicast traffic to a different computer like so:
  ssh -L 5297:localhost:5297 -L 5298:localhost:5298 {called.party.IP.address}
  thus being able to set up a secure point-to-point iChatAV connection?
  Anybody ever do something like this?

  Hin j.v.,
  It is possible to iChat Bonjour over a Virtual Private Network , yes.
  2:33 PM Thursday; May 4, 2006