
I hate going to businesses that offer "free wifi" but then block port 22. I've also noticed that Comcast blocks port 22 at some places I've visited. I used to get around it by running ssh over port 443, but more recently businesses have been blocking that as well, and when you ask why, their IT department has no idea. It's ridiculous and a major problem when it blocks access to git repositories, etc. Fortunately, setting up ssh over SSL is easy with HaProxy.

In order to run SSH over SSL you have to run HaProxy in tcp mode instead of http mode. If you are familiar with Apache, this is like IP-based virtual hosts instead of name-based virtual hosts: one host per IP.

Step 1: Configuring the HaProxy Server


You tell HaProxy to tell SSH from HTTP by inspecting the first bytes of the decrypted stream (an SSH client opens with the banner "SSH-2.0", an HTTP client with a request line) and use that to pick which back end to use.

----simplified haproxy.cfg file ----------------

# 'mode' is not a global keyword; the default mode belongs in the defaults section
defaults
        mode tcp
        timeout connect 5s
        timeout client 1h
        timeout server 1h

frontend https443
        bind *:443 ssl crt /etc/ssl/DOMAIN/DOMAIN.pem
        mode tcp
        default_backend https443
        # Buffer up to 5s of decrypted payload before choosing a backend
        tcp-request inspect-delay 5s
        tcp-request content accept if HTTP

        # First 7 bytes equal "SSH-2.0" (hex 5353482d322e30): an SSH client banner
        acl client_attempts_ssh payload(0,7) -m bin 5353482d322e30

        use_backend ssh if !HTTP
        use_backend ssh if client_attempts_ssh
        use_backend https443 if HTTP

# A TCP frontend selecting this HTTP backend relies on HAProxy's TCP-to-HTTP upgrade
backend https443
        mode http
        option httplog
        option http-server-close
        option forwardfor
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        # 'verify none' skips certificate checking of the web host; if it has a
        # trusted certificate, use 'verify required ca-file <bundle>' instead
        server webserver01 IP_ADDRESS_OF_WEBHOST:443 ssl check verify none

# Direct SSH to localhost
backend ssh
        mode tcp
        option tcplog
        server ssh 127.0.0.1:22
        timeout server 2h
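The decision the frontend above makes, modelled as an added Python example (it is not part of the original post and not HAProxy code): the hex constant from the acl is decoded, a complete HTTP request line is approximated with a regular expression, and the inspect-delay case (too few bytes to decide yet, or a client that never sends anything HTTP-like) is handled the way the use_backend rules handle it. The sample client bytes are constructed.

```python
import re

# Hex string from the 'client_attempts_ssh' acl in the haproxy.cfg above.
SSH_BANNER_HEX = "5353482d322e30"
SSH_BANNER = bytes.fromhex(SSH_BANNER_HEX)  # b"SSH-2.0": every SSH-2 client opens with this

# Approximation of HAProxy's built-in HTTP acl: a complete request line
# "<METHOD> <target> HTTP/1.x" terminated by a newline.
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]\r?\n")


def classify(payload: bytes, delay_expired: bool = False) -> str:
    """Mimic the frontend's rules for the decrypted bytes buffered so far.

    Returns the backend name ('ssh' or 'https443'), or 'undetermined' while
    HAProxy would keep buffering under 'tcp-request inspect-delay 5s'.
    `delay_expired` models the inspect delay having run out.
    """
    # acl client_attempts_ssh: the first 7 bytes equal "SSH-2.0".  An SSH client
    # sends its banner without waiting for the server, so this fires at once.
    if payload.startswith(SSH_BANNER):
        return "ssh"
    # 'tcp-request content accept if HTTP': a full request line ends inspection.
    if HTTP_REQUEST_LINE.match(payload):
        return "https443"
    # Neither pattern is complete yet: HAProxy waits for more bytes or the delay.
    if not delay_expired:
        return "undetermined"
    # 'use_backend ssh if !HTTP': after the delay, anything not HTTP goes to sshd.
    return "ssh"


def trace(payload: bytes, step: int = 4) -> list:
    """Show the decision as bytes arrive `step` at a time (constructed demo)."""
    decisions = []
    for n in range(step, len(payload) + step, step):
        decisions.append((payload[:n], classify(payload[:n])))
    return decisions


if __name__ == "__main__":
    # Constructed sample first bytes, as each client type would send them.
    for sample in (b"SSH-2.0-OpenSSH_9.6\r\n",
                   b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"):
        for seen, decision in trace(sample):
            print(f"{seen!r:48} -> {decision}")
```

Running it shows why the 5s inspect delay matters: an HTTP client's first four bytes ("GET ") are still undetermined, and only the finished request line selects the https443 backend, whereas the SSH banner is decided after seven bytes.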


Step 2: Configuring the client config file

Put this in the ~/.ssh/config file

Host SERVERNAME
    # Tunnel the SSH session inside a TLS connection to port 443 (host:port syntax)
    # (add -verify_return_error if s_client should refuse an untrusted certificate)
    ProxyCommand openssl s_client -connect SERVERNAME:443 -quiet

Step 3: Connecting from your client

Just connect normally; the config file sets up the connection for you.


ssh SERVERNAME