Tunneling SSH over HTTPS with Apache 2.4 and virtual hosts

Usually SSH uses port 22 to connect to the host. But sometimes there are reasons to hide the SSH connection and use port 443 instead.

Apache is able to tunnel the SSH connection over HTTPS. If you search for it, you find a lot of examples how to do it and even more posts where it is not working. The same happened to me: I had a lot of problems and needed over two days to get it working correctly.

As an additional difficulty I would like to use this with putty from Windows.

I already have set up my apache 2.4 with SSL based virtual hosts.

In the first step I add an additional virtual host named tunnel and obtain my SSL host certificate for  for this virtual host. I configured the virtual host for using the certificate and deliver some web pages to test the certificate configuration.

If this works correct the configuration could be changed to allow the SSH proxying. It is necessary to enable the mod proxy and proxy_connect. Into the virtual host configuration this snippet should be inserted:

1 ProxyRequests On 2 ProxyPreserveHost Off 3 AllowCONNECT 22 4 5 <Proxy *> 6 Order deny,allow 7 Deny from all 8 </Proxy> 9 <Proxy tunnel.bmaehr.com> 10 Order deny,allow 11 Allow from all 12 </Proxy>

Now we need the client side. I decided to use use proxytunnel and downloaded the version 1.9.0 for windows. I tried may many times with different apache configurations and command lines for proxytunnel with no success. Often I got the message “HTTP return code: 405 Method Not Allowed” with the message “Allow: GET,HEAD,POST,OPTIONS,TRACE” similar to this.

In fact the problem was quite simple: The 1.9.0 Windows version of proxytunnel is from 2008. And it doesn’t support SNI. So every connect didn’t connect to tunnel.bmaehr.com – instead the connection was to www.bmaehr.com.

I decided to built a new version of proxytunnel for windows with the latest sources. They are available at github.

There where at least two people providing a patch for proxytunnel to support SNI. Unfortunately no one added their path to the source. I was able to find one of the patches here and include it myself.

I compiled proxytunnel according this blog using just the command make. The needed libs are in the directory cygwin/bin if you download openssl. You can get my compiled version here and the libs here.

Then I was able to try to connect to my server once more. The command is

1 proxytunnel -E -p tunnel.bmaehr.com:443 -d tunnel.bmaehr.com:22 -v

I first tried with the argument –d like it is suggested in many examples. But this is  not working, because apache is complaining about “Hostname tunnel.bmaehr.com provided via SNI and hostname provided via HTTP are different”. Perhaps there a setting to ignore this problem and doing a local connect.

When the connection was successful I started to configure putty to use with proxytunnel like described here.

But I was not able to get a connection with putty. Finally I found the problem: There is an error (look at the “new line” character)

in the proxytunnel line. It should be

1 proxytunnel -q -p proxy.local.net:8080 -r ssh.yourdomain.com:443 -d %host:%port -H "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)"\n

instead of

1 proxytunnel -q -p proxy.local.net:8080 -r ssh.yourdomain.com:443 -d %host:%port -H "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)\n"

Finally my setup and putty configuration is working!

Leave a Reply