Friday, 8 February 2013

Tunneling SSH over an HTTP-Proxy Server

Can't use SSH on the standard port 22? Need to tunnel through a proxy server? Work behind a draconian firewall and can't SSH directly? No problem. This document will hopefully show you how to tunnel through an http-proxy server without any server-side modifications.

Build and Configure an HTTP-Proxy Application

  1. Get Corkscrew: available from corkscrew home page.
    I've tried other http-tunnel programs, but this is truly the easiest one I've found and it doesn't require server-side applications (such as are required by httptunnel, which is a good program otherwise). Furthermore, corkscrew works on every UNIX platform I've tried and even compiles and runs flawlessly under Cygwin on Windows.
  2. Unpack and Compile corkscrew:
    tar -xzvf corkscrew.tar.gz
    # [..]
    cd corkscrew
    ./configure
    make install 
    Presuming no errors, corkscrew is now installed in /usr/local/bin on your machine. If you want to put it somewhere else, use the --prefix=path flag to the configure script.
  3. Add ProxyCommand to your SSH config file:
    You may or may not have a configuration file for SSH already. It should be located in $HOME/.ssh/config and is a simple text file. Create one if it does not exist and add lines such as these to it:
    Host *
      ProxyCommand corkscrew http-proxy.example.com 8080 %h %p
    ... replacing http-proxy.example.com with the name or address of your http proxy and possibly replacing 8080 with the port on which the proxy listens, which may be 80 or even some other port. The %h and %p will be replaced automatically by SSH with the actual destination host and port.
    These two lines tell the SSH client to start another program (corkscrew) to make the actual connection to the SSH server. The Host * line says that this will be done for ALL hosts. If you wish to restrict the hosts for which this will be done, you can put a host pattern there instead (ssh_config patterns use the * and ? wildcards, not full regular expressions). See the ssh_config(5) man page for more information. If you don't have corkscrew in your path or have put it in a non-standard location, you may specify an absolute path to corkscrew in that file as well.
  4. Try it out...
    ssh example.net
    ... replacing example.net with the name of a host to which you can connect using SSH. Presumably this host will be outside your local network and therefore require the use of the proxy server. If it is not outside your local network, then the connection may fail as the proxy-server or some firewall may be configured to not redirect proxy connections back into your local network.
    Either of the following two errors probably indicates an error in your ~/.ssh/config file, most likely the name or port of the proxy server.
    ssh_exchange_identification: Connection closed by remote host
    [ OR ]
    ssh: connection to host example.net port 22: Connection timed out 
Congratulations - you are using an http-proxy server with SSH. Anything you can do with SSH you should now be able to do through the proxy server, including tunneling of other ports or even ppp.

Other Tricks with HTTP-Proxies

  1. Authenticated proxy connections
    Some proxy servers require authentication. In this case, you can add authentication credentials to the ProxyCommand line:
    Host *
      ProxyCommand corkscrew http-proxy.example.com 8080 %h %p ~/.ssh/proxyauth
    In the ~/.ssh/proxyauth file, put your proxy login and password like this:
    <username>:<passwd>
    Make the file readable only by you (chmod 600 ~/.ssh/proxyauth): it holds a cleartext password that corkscrew sends to the proxy as HTTP Basic authentication. Corkscrew should now happily use that authentication information and tunnel your connection through the proxy.
  2. Automatically detect proxy-server availability.
    Perhaps you are on a portable computer and are only sometimes behind that firewall or on the network with the proxy server. Note that the ProxyCommand configuration item can be just about anything you like, as long as it reads from standard input and writes to standard output. Using that fact, we can write a wrapper that only runs corkscrew when the proxy tunnel is needed.
    1. download my ssh-proxy script and place it in your ~/.ssh directory.
    2. Change your ~/.ssh/config file to include the following:
      Host *
        ProxyCommand $HOME/.ssh/ssh-proxy http-proxy.example.com 8080 %h %p
      The relevant line is of course the ProxyCommand line and it looks darn similar to the previous version. All that this script does is attempt to connect directly to the destination host first, falling back to using the proxy server specified if a direct connection is not possible.
      Note that the script uses another program called netcat (sometimes just nc) to test and make direct connections. If you don't have netcat, you can look here, but any decent system, including Cygwin, should have it installed by default.
    3. Shorten the timeout for trying a direct connection:
      Note that the ssh-proxy script defines a default timeout (8 seconds) for testing direct connections to the remote host. If that timeout seems too long to you, you can shorten it by adding a -w <seconds> flag in the ProxyCommand line of your ~/.ssh/config file, like this:
      Host *
        ProxyCommand $HOME/.ssh/ssh-proxy -w 2 http-proxy.example.com 8080 %h %p
      If on the other hand, 2 seconds is too short, you can make it longer too.
    4. Specify the location of netcat or corkscrew:
      Just as you can specify an alternate timeout, you can use two other options to specify the name and/or location of the netcat and corkscrew programs:
      -n path-to-netcat/direct-connect-program
      -t path-to-corkscrew/http-tunnel-program
      One could even specify a completely different direct-connect or proxy-tunnel program, but then you are probably going to have to modify the source, as the arguments are not likely to be the same. Just look at the source.

      from http://mtu.net/~engstrom/ssh-through-http-proxy/
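The three pieces above (the HTTP CONNECT request corkscrew sends to the proxy, the Basic-auth credentials read from the authfile, and the try-direct-then-fall-back behaviour of the ssh-proxy wrapper) put together as one small ProxyCommand in Python. This is an added example, not corkscrew, connect.c, or the article's ssh-proxy script; the script name connect_proxy.py and the -a option are assumptions. It performs the same CONNECT handshake corkscrew does, sends Proxy-Authorization: Basic only when an authfile is given, and refuses an authfile that other users can read.

```python
# Added example (not corkscrew or the page's ssh-proxy script): an ssh ProxyCommand
# that tries a direct TCP connection first and falls back to an HTTP CONNECT tunnel.
import argparse, base64, os, select, socket, stat, sys


def build_connect_request(host, port, auth=None):
    """Build the CONNECT request a proxy expects. `auth` is the 'user:password' line
    from the authfile; it travels base64-encoded, not encrypted, so keep the file private."""
    lines = [f"CONNECT {host}:{port} HTTP/1.0", f"Host: {host}:{port}"]
    if auth:
        lines.append("Proxy-Authorization: Basic " + base64.b64encode(auth.encode()).decode())
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_connect_status(response):
    """Status code from the proxy's reply: 200 = tunnel up, 407 = credentials wanted,
    403 often = CONNECT to that destination port is blocked by proxy policy."""
    first_line = response.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = first_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP response: {first_line!r}")
    return int(parts[1])


def load_authfile(path):
    """Read 'user:password', refusing a file that group or others can read (chmod 600)."""
    if stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group/world accessible; chmod 600 it")
    with open(path) as f:
        return f.readline().strip()


def try_direct(host, port, timeout):
    """Plain TCP connect with a short timeout; None if refused, filtered or timed out."""
    try:
        return socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None


def connect_via_proxy(proxy_host, proxy_port, host, port, auth=None):
    """Open the tunnel through the proxy; return the socket once the proxy says 200."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=10)
    sock.sendall(build_connect_request(host, port, auth))
    response = b""
    while b"\r\n\r\n" not in response:  # read the proxy's complete header block
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before replying")
        response += chunk
    status = parse_connect_status(response)
    if status != 200:
        raise ConnectionError(f"proxy refused CONNECT with status {status}")
    return sock


def relay(sock):
    """Pump bytes between ssh (our stdin/stdout) and the socket until the peer closes."""
    sock.settimeout(None)
    stdin, stdout = sys.stdin.buffer, sys.stdout.buffer
    sources = [stdin, sock]
    while True:
        readable, _, _ = select.select(sources, [], [])
        if stdin in readable:
            data = os.read(stdin.fileno(), 65536)
            if data:
                sock.sendall(data)
            else:  # ssh closed its side: stop polling stdin, half-close the socket
                sources.remove(stdin)
                sock.shutdown(socket.SHUT_WR)
        if sock in readable:
            data = sock.recv(65536)
            if not data:
                return
            stdout.write(data)
            stdout.flush()


def main():
    ap = argparse.ArgumentParser(description="direct-first ssh ProxyCommand")
    ap.add_argument("-w", type=float, default=8.0, help="direct-connect timeout in seconds")
    ap.add_argument("-a", dest="authfile", help="file holding user:password for the proxy")
    for name in ("proxy_host", "proxy_port", "host", "port"):
        ap.add_argument(name, type=int if name.endswith("port") else str)
    args = ap.parse_args()
    sock = try_direct(args.host, args.port, args.w)
    if sock is None:  # direct path blocked: go through the proxy, with credentials if given
        auth = load_authfile(args.authfile) if args.authfile else None
        sock = connect_via_proxy(args.proxy_host, args.proxy_port, args.host, args.port, auth)
    relay(sock)


if __name__ == "__main__":
    main()
```

Used in place of corkscrew it reads, for example, `ProxyCommand python3 ~/.ssh/connect_proxy.py -w 2 -a ~/.ssh/proxyauth http-proxy.example.com 8080 %h %p`. Because the proxy's status code is surfaced as an exception on stderr, the failures the article describes become easier to tell apart than ssh's bare "Connection closed by remote host": a 407 means the proxy wants credentials, and a 403 often means the proxy refuses CONNECT to port 22, which is exactly the case the second article works around by moving sshd to port 443.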
    ----------------------------------------------------------------------

      SSH through HTTP proxy

      This article explains how to connect to an SSH server located on the internet from a local network protected by a firewall, by going through an HTTPS proxy.
      Requirements are:
      • Your firewall has to allow HTTPS connections through a proxy
      • You need root access to the server where SSH is listening

    Configure the ssh server

    The SSH daemon needs to listen on port 443. To accomplish this, edit /etc/ssh/sshd_config (on a Debian system) and add this line. Note that listing any Port replaces the default, so if sshd should keep listening on 22 as well, add a Port 22 line too:
    Port 443
    Then restart the daemon :
    sudo /etc/init.d/ssh restart

    Configure the client

    I assume you are on a Linux system (Debian, for example). First you have to compile the connect binary, which lets your SSH client use proxies (HTTPS in our case). Then you have to configure your SSH client to use the HTTPS proxy when it connects to your SSH server.
    1. Install the connect software :
      • On debian system, just install the connect-proxy package :
        sudo apt-get install connect-proxy
      • On other Linux systems, you have to compile it :
        cd /tmp/
        wget http://www.meadowy.org/~gotoh/ssh/connect.c
        gcc connect.c -o connect
        sudo install -m 755 connect /usr/local/bin/connect   # copies and sets the mode in one root-owned step
        
    2. Configure your ssh client. Open or create your ~/.ssh/config file and add these lines. Order matters: ssh uses the first value it finds for each option, so the host-specific block must come before Host *:
      ## Outside of the firewall, with HTTPS proxy
      Host my-ssh-server-host.net
        ProxyCommand connect -H proxy.free.fr:3128 %h 443
      ## Inside the firewall (do not use proxy)
      Host *
        ProxyCommand connect %h %p
      
    3. Then pray and test the connection :
      ssh my-ssh-server-host.net
      

    SSH to another server through the tunnel

    For example, to SSH to github.com by hopping through that server:
    Host github.com
      ProxyCommand ssh my-ssh-server-host.net "/bin/nc -w1 %h %p"
     
    from http://www.zeitoun.net/articles/ssh-through-http-proxy/start 
--------------

Configuring SSH to Use an HTTP Proxy

Introduction

I had previously been using Xshell on Windows to log in to servers remotely, authenticating with SSH keys and going through an HTTP proxy.
The proxy was configured inside Xshell. Today, however, I needed to configure SSH on a Linux server to connect to another server through an HTTP proxy,
because I have to reach the company's internal GitLab over the SSH protocol.

What is Corkscrew

Corkscrew is a tool for tunneling SSH through HTTP proxies.
Corkscrew has been tested against several proxies requiring HTTP authentication.
Several flaws exist as only basic authentication is currently supported.
Digest authentication may be supported in the future.
NTLM authentication will most likely never be supported.

Installing Corkscrew

Download the latest source tarball from the official site, then follow the installation steps in its README: the classic configure, make, make install sequence.

Configuring SSH to Use Corkscrew

Corkscrew's README spells it out. Add the following line to ~/.ssh/config:
ProxyCommand /usr/local/bin/corkscrew <proxyhost> <proxyport> %h %p [authfile]
If the HTTP proxy requires a username and password, create a file under ~/.ssh (e.g. ~/.ssh/myauth, which is the [authfile] above) holding them in the format username:password,
then set its permissions to 600 so that no other user can read it.

References

-----------
Related post: http://briteming.blogspot.com/2011/12/ssh-via-http-proxy.html