Wednesday, October 7, 2009

Tunneling SSH over HTTP

At times we need to access files that we left at home, but some environments and ISPs have strict firewall rules that make life miserable: they disallow SSH and only allow you to use an HTTP proxy. “It is possible to use that HTTP proxy as a transport for SSH.”

The purpose of this article is not to advocate breaking out of your environment’s firewall if you have a policy that expressly prevents that or outbound SSH access! Unfortunately, in some cases it is blocked without any real reason, and at times they may allow you to use SSH. In some environments, however, the explicit denial of outbound SSH is required, and for that reason we should respect the policy and not override it. I am not at all advocating breaking any rules unless you have permission, an exception or proper orders from the people who should provide it.

All of this can be done using Corkscrew; download its source to get started. Corkscrew is an HTTP-tunneling program that does not require server-side modifications to work. It is also cross-platform and will work on most client systems.

Steps to Configure:

1. Download the Corkscrew source.

2. To build Corkscrew, simply unpack the file and run the commands below in the Corkscrew directory:

./configure
make
make install

3. Using Corkscrew with SSH/OpenSSH is very simple: copy the resulting corkscrew binary to a convenient location (the example uses /home/user/bin/corkscrew) and add the following to your ~/.ssh/config:

Host somehost
    ProxyCommand /home/user/bin/corkscrew <proxy-host> 8080 %h %p

Replace somehost with the host you are attempting to SSH into, and replace <proxy-host> with the actual HTTP proxy. You may also need to replace the port (8080) if the proxy listens on an alternate port (e.g., port 3128 in the case of Squid). OpenSSH transparently converts the %h to the hostname to connect to and the %p to the port to connect to (22, by default).

When this is done, we should be able to run ssh somehost and have the connection established, just as if we were connecting directly. One thing to keep in mind is that this does not work with all proxies, so it may be a little hit-and-miss, but it should work with Squid and Apache’s mod_proxy module as well as a few other popular implementations.
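What this tunnel looks like from the proxy side, as an added example that is not part of the original post: corkscrew asks the proxy for an HTTP CONNECT to %h:%p, so in a Squid access.log (native format assumed) it appears as a CONNECT to port 22 instead of 443. The log lines are constructed, and the function name and the allowed-port set are assumptions.

```python
# Added example: flag CONNECT tunnels to non-HTTPS ports in a Squid access.log.
# Assumed native format:
#   time elapsed_ms client code/status bytes method URL user hierarchy/peer type
ALLOWED_CONNECT_PORTS = {443}  # assumption: policy permits CONNECT to HTTPS only

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
1254902400.101    312 10.0.0.15 TCP_MISS/200 18342 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1254902460.552 845211 10.0.0.15 TCP_MISS/200 96120 CONNECT home.example.org:22 - DIRECT/203.0.113.7 -
1254902470.004   9120 10.0.0.22 TCP_MISS/200 5120 CONNECT mail.example.com:443 - DIRECT/192.0.2.25 -
1254902480.930      1 10.0.0.31 TCP_DENIED/403 1420 CONNECT [2001:db8::5]:2222 - NONE/- text/html
truncated line
"""


def find_connect_tunnels(log_text, allowed_ports=ALLOWED_CONNECT_PORTS):
    """Return one dict per CONNECT request whose target port is not allowed."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT" or not fields[1].isdigit():
            continue  # not a CONNECT request, or a malformed line
        # For CONNECT the URL field is "host:port"; IPv6 hosts are bracketed.
        host, sep, port = fields[6].rpartition(":")
        if not sep or not port.isdigit() or int(port) in allowed_ports:
            continue
        status = fields[3].partition("/")[2]
        findings.append({
            "client": fields[2],
            "target": host.strip("[]"),
            "port": int(port),
            # 2xx: the proxy opened the tunnel; 403: an ACL refused it.
            "established": status.startswith("2"),
            "duration_s": int(fields[1]) / 1000.0,
        })
    return findings


if __name__ == "__main__":
    for f in find_connect_tunnels(SAMPLE_LOG):
        state = "ESTABLISHED" if f["established"] else "blocked"
        print(f'{f["client"]} -> {f["target"]}:{f["port"]} '
              f'{state} ({f["duration_s"]:.0f}s)')
```

Squid's stock squid.conf restricts CONNECT with `http_access deny CONNECT !SSL_ports`; the TCP_DENIED/403 entry in the sample is what that ACL produces.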

I hope this will be informative for you :)


nayyares said...

nice tip!

Sohail Riaz | Ghost in the Shell said...

Nice One....

I have written same months ago.... but it can be used if you have user/pass to authenticate yourself from proxy.


Sohail Akhtar said...

Thnx !