I hate going to businesses that offer "free wifi" but then block port 22. I've also noticed that Comcast blocks port 22 at some places I've visited. I used to get around it by running ssh over port 443, but more recently businesses have been blocking that as well, and when you ask why, their IT department has no idea. It's ridiculous and a major problem when it blocks access to git repositories, etc. Fortunately, setting up ssh over SSL is easy with HAProxy.
In order to run SSH over SSL you have to run HAProxy in tcp mode instead of http mode. If you are familiar with Apache, this is like IP-based virtual hosts instead of name-based virtual hosts: one host per IP.
Step 1: Configuring the HaProxy Server
You tell HAProxy to tell SSH from HTTPS by inspecting the first bytes of the decrypted stream for an SSH banner or an HTTP request, and you use that to choose which backend to send the connection to.
----simplified haproxy.cfg file ----------------
global

defaults
    # 'mode' is not a valid keyword in the 'global' section; it belongs here
    mode tcp

frontend https443
    bind *:443 ssl crt /etc/ssl/DOMAIN/DOMAIN.pem
    mode tcp
    default_backend https443
    # wait up to 5s for the first payload bytes before picking a backend
    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP
    # 5353482d322e30 is "SSH-2.0" in hex: the banner an SSH client sends first
    acl client_attempts_ssh payload(0,7) -m bin 5353482d322e30
    use_backend ssh if !HTTP
    use_backend ssh if client_attempts_ssh
    use_backend https443 if HTTP

backend https443
    server webserver01 IP_ADDRESS_OF_WEBHOST:443 ssl check verify none
    mode http
    option httplog
    option http-server-close
    option forwardfor
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

#Direct SSH to localhost
backend ssh
    mode tcp
    option tcplog
    server ssh 127.0.0.1:22
    timeout server 2h
Step 2: Configuring the client config file
Put this in the ~/.ssh/config file:
Host SERVERNAME
    # wrap the SSH session in TLS to HAProxy on port 443 (note the host:port separator)
    # openssl s_client does not abort on certificate errors by default; the SSH
    # host key check inside the tunnel is what still authenticates the server
    ProxyCommand openssl s_client -connect SERVERNAME:443 -quiet
Step 3: Connecting from your client
Just connect normally; the config file sets up the tunnel for you.
ssh SERVERNAME
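To show what the payload ACL and the HTTP ACL in the haproxy.cfg above actually decide on, here is a Python mirror of the frontend's routing rules (an added example, not part of the original post or of HAProxy); the HTTP request-line pattern is a simplification of HAProxy's built-in HTTP ACL, and the sample inputs are constructed.

```python
import re

# Hex literal from the haproxy.cfg ACL `payload(0,7) -m bin 5353482d322e30`.
SSH_BANNER = bytes.fromhex("5353482d322e30")   # == b"SSH-2.0"
INSPECT_LEN = 7                                # payload(0,7) looks at 7 bytes

# Simplified stand-in for HAProxy's built-in HTTP ACL (req.proto_http):
# a request line "METHOD SP target SP HTTP/x.y" terminated by a newline.
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/\d\.\d\r?\n")


def ssh_client_banner(software: str = "OpenSSH_9.0") -> bytes:
    """First bytes an SSH client sends (RFC 4253 identification string).
    With the openssl s_client ProxyCommand these arrive inside TLS, so
    HAProxy sees them in the decrypted payload on port 443."""
    return b"SSH-2.0-" + software.encode() + b"\r\n"


def route(first_bytes: bytes, inspect_delay_expired: bool = False) -> str:
    """Backend the frontend https443 rules pick for the first bytes of a
    decrypted connection: 'ssh', 'https443', or 'undecided' while HAProxy
    is still waiting (tcp-request inspect-delay 5s) for more data."""
    # acl client_attempts_ssh payload(0,7) -m bin 5353482d322e30
    if first_bytes[:INSPECT_LEN] == SSH_BANNER:
        return "ssh"
    # tcp-request content accept if HTTP / use_backend https443 if HTTP
    if HTTP_REQUEST_LINE.match(first_bytes):
        return "https443"
    if not inspect_delay_expired:
        return "undecided"
    # Delay elapsed and still not HTTP: `use_backend ssh if !HTTP` wins, so
    # unknown protocols land on sshd, which rejects anything but SSH.
    return "ssh"


if __name__ == "__main__":
    samples = {  # constructed inputs
        "ssh client": ssh_client_banner(),
        "browser": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
        "partial": b"SSH-2",
    }
    for name, data in samples.items():
        print(f"{name:>10}: {route(data)}")
```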