I hate going to businesses that offer "free wifi" but then block port 22. I've also noticed that Comcast blocks port 22 at some places I've visited. I used to get around it by running ssh over port 443, but more recently businesses have been blocking that as well, and when you ask why, their IT department has no idea. It's ridiculous, and a major problem when it blocks access to git repositories, etc. Fortunately, setting up ssh over SSL is easy with HAProxy.
In order to run SSH over SSL you have to run HAProxy in tcp mode instead of http mode. If you are familiar with Apache, this is like IP-based virtual hosts instead of name-based virtual hosts: one host per IP.
Step 1: Configuring the HaProxy Server
HAProxy terminates the TLS connection on port 443 and then inspects the first bytes of the decrypted stream: if they look like an HTTP request the connection goes to the web backend, and if they look like an SSH client banner (or simply do not look like HTTP) it goes to the SSH backend.
---- simplified haproxy.cfg file ----------------
defaults
    # 'mode' is a proxy-level setting, so it belongs in defaults (or each section), not in global
    mode tcp
    timeout connect 5s
    # an idle SSH session also needs a long client-side timeout, otherwise HAProxy drops it
    timeout client 2h

frontend https443
    bind *:443 ssl crt /etc/ssl/DOMAIN/DOMAIN.pem
    mode tcp
    default_backend https443
    # wait up to 5s for the first bytes so the rules below have something to inspect
    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP
    # first 7 bytes equal "SSH-2.0" (hex 53 53 48 2d 32 2e 30), i.e. an SSH client banner
    acl client_attempts_ssh payload(0,7) -m bin 5353482d322e30
    use_backend ssh if !HTTP
    use_backend ssh if client_attempts_ssh
    use_backend https443 if HTTP

backend https443
    mode http
    option httplog
    option http-server-close
    option forwardfor
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # 'verify none' skips checking the web host's certificate; prefer 'verify required ca-file <CA bundle>' when it can be validated
    server webserver01 IP_ADDRESS_OF_WEBHOST:443 ssl check verify none

# Direct SSH to localhost
backend ssh
    mode tcp
    option tcplog
    server ssh 127.0.0.1:22
    timeout server 2h
-------------------------------------------------
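As an added illustration (not from the original post and not HAProxy's own code), the Python below mirrors the decision the frontend rules make: it derives the hex string in the payload ACL from the SSH banner prefix, and classifies constructed sample first-bytes as SSH, HTTP, or not yet decidable within the inspect delay.

```python
import re

# Constructed sample first-bytes as HAProxy sees them after stripping TLS on
# port 443 (illustrative values, not captures from the post).
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
HTTP_REQUEST = b"GET /repo.git/info/refs HTTP/1.1\r\nHost: example.test\r\n\r\n"
PARTIAL = b"GE"  # too few bytes for either rule to decide on

# Loose stand-in for HAProxy's 'HTTP' ACL: a complete HTTP/1.x request line.
_REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]\r\n")


def ssh_acl_line(banner_prefix=b"SSH-2.0"):
    """Build the payload-match ACL from the banner prefix it should match.

    For b"SSH-2.0" this reproduces the exact line used in the haproxy.cfg
    above; pass a different prefix to adapt the rule to another banner.
    """
    return (f"acl client_attempts_ssh payload(0,{len(banner_prefix)}) "
            f"-m bin {banner_prefix.hex()}")


def pick_backend(first_bytes, inspect_delay_expired=False):
    """Return the backend the frontend rules would choose for these bytes.

    None means "keep waiting": the data is still ambiguous and the
    tcp-request inspect-delay has not yet run out.
    """
    if first_bytes.startswith(b"SSH-2.0"):
        return "ssh"            # use_backend ssh if client_attempts_ssh
    if _REQUEST_LINE.match(first_bytes):
        return "https443"       # use_backend https443 if HTTP
    if inspect_delay_expired:
        return "ssh"            # use_backend ssh if !HTTP
    return None


if __name__ == "__main__":
    print(ssh_acl_line())
    for sample in (SSH_BANNER, HTTP_REQUEST, PARTIAL):
        print(sample[:12], "->", pick_backend(sample),
              "/ after delay:", pick_backend(sample, True))
```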
Step 2: Configuring the client config file
Put this in the ~/.ssh/config file
Host SERVERNAME
    # openssl wraps the SSH stream in TLS to port 443; -quiet also keeps stdin open so ssh can talk through it
    ProxyCommand openssl s_client -connect SERVERNAME:443 -quiet
Step 3: Connecting from your client
Just connect normally; the config file sets up the connection for you.
ssh SERVERNAME