There are three computers in play. All Linux computers.

Laptop: My work laptop, running Linux, and I can pretty much do anything with it. Can set it up so that it is reachable from the internet.

RootServer (RS): This server is behind a firewall and a lot of different systems, only access to it is through a web-interface, which gives me a crappily implemented web-terminal. It does however have full access to the internet, and I even have root access here.

Webserver (WS): Serving a few webpages on port 80, 8000, 8001, 443 and some other ports. No other access to this machine except the webpages. I do not know the specifics in the firewall settings, but the RS machine can access the web-pages here.

So the problem here is that I need some way to access the webpages on WS, as if I was on the same network as RS, all from my Laptop which cannot connect directly to RS. However RS can connect to WS and my laptop.

I was thinking there should be some kind of SSH magic that would enable me to do something like this:

(surfing the webpages) Laptop <-- RS --> WS (hosting the webpages)

Does anyone know how?

1 Answer

Analysis

The crucial part of SSH magic you need is described here: How to create a SOCKS proxy with ssh. In terms of my answer there, there are two scenarios:

  1. Laptop=A=B, RS=C, WS=D
  2. Laptop=A, RS=B=C, WS=D

In the first case you need to access RS from the Laptop via SSH (B -> C). In the second case you need to open a listening port on RS, so the Laptop can connect to it (A -> B).

Since RS is "behind a firewall and a lot of different systems" and "only access to it is through a web-interface", I assume your "root access here" is not enough to make some port (SSH or not) publicly accessible. So you most likely need to create a tunnel that will allow your Laptop to reach RS.

No matter which scenario you choose, the requirements are the same:

  • SSH server on the Laptop able to accept connections from RS.
  • SSH client on RS able to reach the Laptop.
  • SSH server on RS able to accept connections from RS itself to RS itself.
  • A browser on the Laptop able to use SOCKS.

Additionally scenario 1 requires an SSH client on the Laptop. This requirement is probably trivial.

I think if one scenario is going to work then the other one will also work.


Scenario 1

  1. Create a tunnel, so you can ssh from the Laptop to RS later:

    # on RS
    ssh -R 7722:localhost:22 Laptopuser@Laptop
    

    Here 7722 is an arbitrary port. You may not be able to bind to ports with numbers lower than 1024. 22 is the port of the SSH server on RS (adjust if necessary).

  2. ssh to RS with dynamic port forwarding (SOCKS proxy):

    # on the Laptop
    ssh -p 7722 -D 7780 RSuser@localhost
    

    7780 is an arbitrary port.

  3. Set a browser on the Laptop up, so it uses localhost:7780 as SOCKS proxy. To reach WS, use URLs as if the browser was on RS.

Note other users of your Laptop (e.g. users connected via SSH) can use localhost:7780 to reach WS as well.


Scenario 2

  1. Prepare dynamic port forwarding (SOCKS proxy):

    # on RS
    ssh -D 7781 RSuser@localhost
    

    Here 7781 is an arbitrary port. You may not be able to bind to ports with numbers lower than 1024.

  2. Create a tunnel to the proxy:

    # on RS
    ssh -R 7780:localhost:7781 Laptopuser@Laptop
    

    7780 is an arbitrary port. I used different numbers (7780 and 7781) to show they can be different; but they can also be the same, in this case it doesn't matter.

  3. Set a browser on the Laptop up, so it uses localhost:7780 as SOCKS proxy. To reach WS, use URLs as if the browser was on RS.

Note other users of RS can use localhost:7781 as their SOCKS proxy. It may make little difference since they can probably reach WS anyway. Or it may make a huge difference because they will use connections from RS to WS initiated by the proxy running under your user (RSuser) and the user may matter.

Similarly other users of your Laptop (e.g. users connected via SSH) can use localhost:7780 to reach WS as well.


Notes
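
Added example, not part of the original answer: a small Python check, run on the Laptop, that the SOCKS proxy on localhost:7780 from either scenario really reaches a plain-HTTP port on WS. It sends the destination as a name (SOCKS5 address type 0x03) so that resolution happens on the RS side. The host name `WS` and the function names are placeholders chosen for this example, and port 443 is left out because it would need a TLS handshake.

```python
import socket
import struct

def build_connect(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT with ATYP 0x03 (domain name): the proxy side (RS)
    resolves the name, which is what "as if the browser was on RS" needs."""
    name = host.encode("ascii")
    if not 0 < len(name) < 256:
        raise ValueError("host name must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def http_status_via_socks(host, port, proxy=("127.0.0.1", 7780), timeout=5.0) -> str:
    """Return the HTTP status line served by host:port, fetched through the proxy."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")              # greeting: offer "no authentication"
        if _recv_exact(s, 2) != b"\x05\x00":
            raise ConnectionError("proxy refused no-auth SOCKS5")
        s.sendall(build_connect(host, port))
        _ver, rep, _rsv, atyp = _recv_exact(s, 4)
        if rep != 0:
            raise ConnectionError(f"SOCKS5 reply code {rep}")
        # Skip the bound address (IPv4, length-prefixed name or IPv6) and port.
        alen = {1: 4, 4: 16}.get(atyp) or _recv_exact(s, 1)[0]
        _recv_exact(s, alen + 2)
        # A success reply alone is not treated as proof; ask WS for a response.
        s.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
        data = b""
        while b"\r\n" not in data:
            chunk = s.recv(256)
            if not chunk:
                raise ConnectionError("no HTTP response through the tunnel")
            data += chunk
        return data.split(b"\r\n", 1)[0].decode("ascii", "replace")

if __name__ == "__main__":
    for p in (80, 8000, 8001):                  # plain-HTTP ports named in the question
        try:
            print(p, http_status_via_socks("WS", p))   # "WS" is a placeholder name
        except OSError as e:
            print(p, "failed:", e)
```

If the check fails on every port, confirm that the `ssh -R` session from RS is still open before changing browser settings.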