27

Can I reroute the https traffic (of an svn repository) via ssh-tunnel.

The problem is that the the services that use https don't work if I just create one tunnel for listening with e.g.:

ssh -L 12345:server.com:443 localhost

Do I have to do something else? The aim is to tunnel https://PROJECT.googlecode.com/svn/ where PROJECT is the project name.

Juha
  • 661

4 Answers4

18

HTTPS connection can be redirected via SSH port forwarding - however the SSL/TLS certificate validation will fail in such cases as the host name does not match:

You are connecting to https://localhost:12345 but the server certificate contains the name server.com.

Instead of directly forwarding the HTTPS connection I would run an HTTP(s)/SOCKS proxy on the remote computer you are opening the SSH connection to. Then set-up the program you want to tunnel to use this proxy through port forwarding. This would be a clean solution.

Update: It seems like SVN can use HTTP proxies but not SOCKS proxies. If want to do so you need an additional "socksifier" on your local system. See Serverfault.com: How can I set proxy for subversion with ssh tunnel?

Community
  • 1
Robert
  • 8,055
4

To be able to work around the certificate DNS mismatch issue while accessing the remote server with SSH tunnel, I did the following:

  1. Configure an SSH tunnel in putty so that local port 443 forwards traffic to the remote server (L443 : <remote.server.com>:443 )
  2. Update C:\Windows\System32\drivers\etc\hosts file to add an entry such as 127.0.0.1 <remote.server.com>
  3. If you are using HTTP proxy server (for example if you are working from a corporate proxy), then bypass the <remote.server.com> host from system proxy
  4. Now you can access the remote server URL with https://<remote.server.com>
Kunal Patil
  • 141
2

For Linux one could just SSH dynamic port forwarding

Localhost ssh -fND 1234 user-name@remote-ip-address-A

Remote host ssh -fNL 12345:remote-ip-address-B:443 remote-ip-address-A

Open Firefox install FoxyProxy and set it up as shown in the screengrab. FoxyProxy settings

In Firefox click the FoxyProxy icon and select the proxy connection you just made. In the URL bar type https://127.0.0.1.

Additionally you could just bypass this whole thing and just use sshuttle. Using sshuttle's -H argument causes it to update your local /etc/hosts file as new remote hostnames are found. You will need this so that certificates will work properly.

sshuttle -H -vr user-name@remote-ip-address-A remote-net/ip-address-B
Ned Konz
  • 139
BryanC
  • 21
1

Juha Palomäki's comment helped me.

My scenario is as follows:

server-i-want-to-get-to.com is only accessible via a certain list of IP addresses, my home network is not allowed, but the outgoing IP address of my-server.com (a server I control) is allowed.

So, I want to get to https://server-i-want-get-to.com/, using the outgoing IP address from me@my-server.com

On my laptop (or desktop), I add an entry to /etc/hosts

sudo vi /etc/hosts

127.0.0.1 server-i-want-get-to.com

Now, I ssh in to myserver.com, and use dig to find out the IP address of server-i-want-to-get-to.com

dig server-i-want-to-get-to.com

... and now from the ANSWER SECTION I know the IP address XX.XX.XX.XX

From the terminal on my laptop, establish an ssh tunnel

... pick a port not already in use, 8686 is just an example ...

ssh -L 8686:XX.XX.XX.XX:443 me@my-server.com

Now, I can go to https://server-i-want-to-get-to.com:8686/ in my browser.

Thanks to the /etc/hosts entry, there is no SSL Certificate error.

... it might be necessary to clear browser cache, or start with a fresh browser ...

mcaleaa
  • 181
  • 2
  • 4