comp.security.ssh SSH secure remote login and tunneling tools.

#1

Hi,

My company doesn't allow any kind of connection to outside. The only way you can have access to the internet is thru the company's HTTP proxy. Other traffic (DNS included) is prohibited.

I have learned that you can access ssh server via http proxy. But when I set it up in PUTTY (under Connection -> Proxy tab) looks like the HTTP proxy detects I am trying to connect to SSH server. Thus it throws service not allowed exception (error 403).

But if I try to change the port # of ssh server setting for PUTTY from 22 to 80 it throws this exception:
503: service unavailable.

So I wonder if I change my SSH server port to 8080 for example, will it work for me?

Thanks guys

#2

Doug wrote:
> Hi,
> My company doesn't allow any kind of connection to outside. The only
> way you can have access to the internet is thru the company's HTTP
> proxy. Other traffic (DNS included) is prohibited.
> I have learned that you can access ssh server via http proxy. But when
> I set it up in PUTTY (under Connection -> Proxy tab) looks like the
> HTTP proxy detects I am trying to connect to SSH server. Thus it throws
> service not allowed exception (error 403).
> But if I try to change the port # of ssh server setting for PUTTY from
> 22 to 80 it throws this exception:
> 503: service unavailable.
>
> So I wonder if I change my SSH server port to 8080 for example, will it
> work for me?
>
> Thanks guys

In order to access the web from work, do you have to enter the proxy server's info into your browser's configuration? If not you may be hitting a firewall restriction and not a proxy server issue at all. If this is the case you just need to run your ssh server on a port that is not blocked by the firewall and configure putty to connect to it directly on that non-standard port. A few that would likely work are 80 (http), 443 (https), 8080-8089 (typical proxy server port #'s).

#3

Thanks for your response.

Yes, I do have to enter the proxy hostname and port in my browser. As I indicated earlier, no traffic is allowed except traffic going thru the proxy (after filtering and inspection, I guess).

Thanks

Chuck wrote:
> Doug wrote:
> > Hi,
> > My company doesn't allow any kind of connection to outside. The only
> > way you can have access to the internet is thru the company's HTTP
> > proxy. Other traffic (DNS included) is prohibited.
> > I have learned that you can access ssh server via http proxy. But when
> > I set it up in PUTTY (under Connection -> Proxy tab) looks like the
> > HTTP proxy detects I am trying to connect to SSH server. Thus it throws
> > service not allowed exception (error 403).
> > But if I try to change the port # of ssh server setting for PUTTY from
> > 22 to 80 it throws this exception:
> > 503: service unavailable.
> >
> > So I wonder if I change my SSH server port to 8080 for example, will it
> > work for me?
> >
> > Thanks guys
>
> In order to access the web from work, do you have to enter the proxy
> server's info into your browser's configuration? If not you may be
> hitting a firewall restriction and not a proxy server issue at all. If
> this is the case you just need to run your ssh server on a port that is
> not blocked by the firewall and configure putty to connect to it
> directly on that non-standard port. A few that would likely work are 80
> (http), 443 (https), 8080-8089 (typical proxy server port #'s).

#4

"Doug" <dmly.usa@gmail.com> writes:
> Hi,
> My company doesn't allow any kind of connection to outside. The only
> way you can have access to the internet is thru the company's HTTP
> proxy. Other traffic (DNS included) is prohibited.
> I have learned that you can access ssh server via http proxy. But when
> I set it up in PUTTY (under Connection -> Proxy tab) looks like the
> HTTP proxy detects I am trying to connect to SSH server. Thus it throws
> service not allowed exception (error 403).
> But if I try to change the port # of ssh server setting for PUTTY from
> 22 to 80 it throws this exception:
> 503: service unavailable.
>
> So I wonder if I change my SSH server port to 8080 for example, will it
> work for me?

If you change your SSH server to listen on 443 you'll probably be golden.

--
Todd H.
http://www.toddh.net/

#5

Todd H. wrote:
> "Doug" <dmly.usa@gmail.com> writes:
>
> If you change your SSH server to listen on 443 you'll probably be
> golden.

Most likely it will not.... or at least, this is just half of the job.

An http-proxy can be made to just pass the packets to another machine with the "connect"-method. (just telnet to your http-proxy port and enter "connect rem.ote.mach.ine port")

In a lot of setups (including my own) the connect-method is only allowed to port 443, so your ssh-server should listen on that port.

But you still need a software which connects to the http-proxy and tells it to pass this connection along using the connect-method.

There's one: http://zippo.taiyo.co.jp/~gotoh/ssh/connect.html
I use it for exactly this job under Linux. connect.c can be compiled for Windows too, but I don't know whether you can make putty use this connect-command. I have no Windows machine here to test this, but maybe in 13 hours.

Cheers,
Armin

#6

But that is you are using openSSH.
I understand that Putty already has HTTP proxy connect built in.
I hope my understanding is correct.

doug

On Oct 16, 1:48 pm, "hasenhei" <hasen...@gmail.com> wrote:
> Todd H. wrote:
> > "Doug" <dmly....@gmail.com> writes:
> >
> > If you change your SSH server to listen on 443 you'll probably be
> > golden.
> Most likely it will not.... or at least, this is just half of the job.
>
> An http-proxy can be made to just pass the packets to another machine
> with the "connect"-method. (just telnet to your http-proxy port and
> enter "connect rem.ote.mach.ine port")
>
> In a lot of setups (including my own) the connect-method is only allowed
> to port 443, so your ssh-server should listen on that port.
>
> But you still need a software which connects to the http-proxy and
> tells it to pass this connection along using the connect-method.
>
> There's one: http://zippo.taiyo.co.jp/~gotoh/ssh/connect.html
> I use it for exactly this job under Linux. connect.c can be compiled
> for Windows too, but I don't know whether you can make putty use this
> connect-command. I have no Windows machine here to test this, but maybe
> in 13 hours.
>
> Cheers,
> Armin

#7

Doug wrote:
> But that is you are using openSSH.
> I understand that Putty already has HTTP proxy connect built in.
> I hope my understanding is correct.

Doug, your understanding is absolutely correct :-)

I just didn't know that putty has this functionality built-in. I just tested configuring proxy in putty on a windows-machine now, and it worked fine.

Doug wrote:
> But when
> I set it up in PUTTY (under Connection -> Proxy tab) looks like the
> HTTP proxy detects I am trying to connect to SSH server. Thus it throws
> service not allowed exception (error 403).

Right, this is what I meant when saying "In a lot of setups (including my own) the connect-method is only allowed to port 443,".

The proxy-server of your company does not allow the connect-method to port 22.

> But if I try to change the port # of ssh server setting for PUTTY from
> 22 to 80 it throws this exception:
> 503: service unavailable.

Yes, because there's no ssh-server (not even anything at all) responding on port 80 on the machine you try to connect to.

I think the solution to your problem was already given by Todd H. in his previous message.

You should configure your ssh-server to listen on port 443 (maybe 80 would do too here, but 443 is better).
Of course you need to tell putty to connect to port 443 then. I just tested this here, and it worked fine.

Cheers,
Armin

PS: Be careful with firewall-piercing if your work-contract does not allow such habits.
Of course this ssh-connection shows up in the proxy-log.
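
The proxy-side view of what post #7 describes, as an added example that is not part of the thread and not any proxy product's code: the port check behind the 403 for port 22, and a first-bytes check that tells an SSH identification string from a TLS ClientHello on an allowed CONNECT to 443. The allowed-port set, hostnames and sample bytes are constructed assumptions, and it assumes the proxy or a sensor can see the first bytes of each tunnel.

```python
import re

# Assumption: the policy described in the thread, CONNECT allowed to 443 only.
ALLOWED_CONNECT_PORTS = {443}
CONNECT_RE = re.compile(r"^CONNECT\s+([A-Za-z0-9.\-]+):(\d{1,5})\s+HTTP/1\.[01]$")

def connect_decision(request_line):
    """Status a port-restricted proxy returns for one request line."""
    m = CONNECT_RE.match(request_line.strip())
    if not m or not 0 < int(m.group(2)) <= 65535:
        return 400                      # not a well-formed CONNECT
    return 200 if int(m.group(2)) in ALLOWED_CONNECT_PORTS else 403

def classify_tunnel(client_first, server_first):
    """Label a tunnel from the first bytes each side sends once it is open."""
    # RFC 4253: each SSH peer sends an identification string "SSH-2.0-...".
    # Simplification: a server may send other lines first; not handled here.
    if client_first.startswith(b"SSH-") or server_first.startswith(b"SSH-"):
        return "ssh"
    # TLS: the client speaks first with a handshake record (type 0x16, major 0x03).
    if len(client_first) >= 3 and client_first[0] == 0x16 and client_first[1] == 0x03:
        return "tls"
    return "unknown"

def review(tunnels):
    """Return (target, kind) for allowed CONNECT tunnels that are not TLS."""
    flagged = []
    for request_line, client_first, server_first in tunnels:
        if connect_decision(request_line) != 200:
            continue                    # refused at the proxy, nothing tunnelled
        kind = classify_tunnel(client_first, server_first)
        if kind != "tls":
            flagged.append((request_line.split()[1], kind))
    return flagged

# Constructed sample: (CONNECT request line, first client bytes, first server bytes).
SAMPLE = [
    ("CONNECT home.example.net:22 HTTP/1.1", b"", b""),
    ("CONNECT home.example.net:443 HTTP/1.1",
     b"SSH-2.0-ExampleClient\r\n", b"SSH-2.0-ExampleServer\r\n"),
    ("CONNECT www.example.org:443 HTTP/1.1",
     b"\x16\x03\x01\x02\x00\x01", b"\x16\x03\x03\x00\x5a\x02"),
]

if __name__ == "__main__":
    for line, _, _ in SAMPLE:
        print(connect_decision(line), line)
    print("non-TLS tunnels on allowed ports:", review(SAMPLE))
```

The port rule alone passes the second tunnel; only the payload check separates it from ordinary HTTPS.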

#8

Just an update.
I did what Todd told and it is working fine.
Thanks Todd, you the man

hasenhei wrote:
> Doug wrote:
> > But that is you are using openSSH.
> > I understand that Putty already has HTTP proxy connect built in.
> > I hope my understanding is correct.
>
> Doug, your understanding is absolutely correct :-)
>
> I just didn't know that putty has this functionality built-in. I just
> tested configuring proxy in putty on a windows-machine now, and it
> worked fine.
>
> Doug wrote:
> > But when
> > I set it up in PUTTY (under Connection -> Proxy tab) looks like the
> > HTTP proxy detects I am trying to connect to SSH server. Thus it throws
> > service not allowed exception (error 403).
>
> Right, this is what I meant when saying "In a lot of setups (including
> my own) the connect-method is only allowed to port 443,".
>
> The proxy-server of your company does not allow the connect-method to
> port 22.
>
> > But if I try to change the port # of ssh server setting for PUTTY from
> > 22 to 80 it throws this exception:
> > 503: service unavailable.
>
> Yes, because there's no ssh-server (not even anything at all)
> responding on port 80 on the machine you try to connect to.
>
> I think the solution to your problem was already given by Todd H. in
> his previous message.
>
> You should configure your ssh-server to listen on port 443 (maybe 80
> would do too here, but 443 is better).
> Of course you need to tell putty to connect to port 443 then. I just
> tested this here, and it worked fine.
>
> Cheers,
> Armin
>
> PS: Be careful with firewall-piercing if your work-contract does not
> allow such habits.
> Of course this ssh-connection shows up in the proxy-log.