SSH Tunneling


#1

Hello,

Using SSH and a web browser, I want to securely connect to a webpage under www.example.com, which I own. I understand this can also be accomplished with the Secure Server option (via SSL/HTTPS) but I am not interested in that option.

For example, a login page will eventually exist at www.example.com/login.html. The connection between my home computer and that login page should be encrypted so that my username/password are not sent as clear text.

Is this the correct SSH command to accomplish this task?

then in a web browser: http://localhost:8888/

If that is the correct command, SSH is returning this error when going to http://localhost:8888/ in a web browser:

I tried several variations of that command and each returns the same error:


ssh -L 8888:localhost:80 me@www.example.com
http://localhost:8888/

ssh -L 8888:127.0.0.1:80 me@www.example.com
http://127.0.0.1:8888/

ssh -L 8888:localhost:80 me@example.com
http://localhost:8888/

ssh -L 8888:127.0.0.1:80 me@example.com
http://127.0.0.1:8888/

I can successfully plain-old-SSH in from behind a home router and using Mac OS X 10.6.4 with firewall enabled.

Any recommendations on how to make this work? Does Dreamhost not support this feature?

Thanks!


#2

Update:

I noticed that the SSH server IP is different from the web server IP. For example:

sshserver.dreamhost.com
IP: 55.66.77.88

www.example.com
IP: 11.22.33.44

In fact, when I SSH into www.example.com it is actually logging into sshserver.dreamhost.com instead. Therefore, the previous SSH command I was using was failing probably because the SSH server and web server have different IP addresses (as mentioned above):

then in a web browser: http://localhost:8888/

With this new information, I tried this command instead:

then in a web browser: http://localhost:8080/

The web browser returns this message:

[quote]Site Temporarily Unavailable
We apologize for the inconvenience. Please contact the webmaster/ tech support immediately to have them rectify this.
error id: “bad_httpd_conf” [/quote]

No complaints by SSH this time, though. Smells like I’m getting closer! Thoughts?

Thanks!


#3

When you try to open http://localhost:8080/ in a web browser, the browser will only send the “localhost” host name to the remote server, so it won’t know which domain on the server you’re trying to view (so it gives you the bad_httpd_conf error). I believe you will need to use SSH SOCKS mode (using the -D flag) to make this work correctly.
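The Host-header mismatch described in the post above can be reproduced offline; this is an added example, not part of the original thread or DreamHost's configuration. It assumes a name-based virtual host that answers unknown names with a 503 carrying the thread's `bad_httpd_conf` id (the status code is a guess), and `VHOSTS`, `VhostHandler`, `fetch` and `demo` are hypothetical names; the local listener stands in for the near end of an `ssh -L` forward.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed vhost table for a shared host; the domain is the thread's placeholder.
VHOSTS = {"www.example.com": b"login page for www.example.com\n"}

class VhostHandler(BaseHTTPRequestHandler):
    """Selects the site from the Host header (port stripped), like a name-based vhost."""

    def do_GET(self):
        name = (self.headers.get("Host") or "").split(":")[0].lower()
        body = VHOSTS.get(name)
        if body is None:
            self.send_response(503)  # assumed status for the unknown-site page
            body = b'error id: "bad_httpd_conf"\n'
        else:
            self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch(port, host_header=None):
    """GET / from 127.0.0.1:port, optionally overriding the Host header."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Host": host_header} if host_header else {}
    conn.request("GET", "/", headers=headers)
    resp = conn.getresponse()
    result = (resp.status, resp.read().decode())
    conn.close()
    return result

def demo():
    server = HTTPServer(("127.0.0.1", 0), VhostHandler)  # port 0 = any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        as_browser = fetch(port)                    # Host: 127.0.0.1:<port>
        with_name = fetch(port, "www.example.com")  # Host names the site
    finally:
        server.shutdown()
        server.server_close()
    return as_browser, with_name

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The first request, which carries the loopback address as its Host value the way a browser pointed at the forwarded port does, gets the error page; the second, sent to the same socket with the site's name, gets the content.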


#4

Thank you for the reply! So, you recommend using this command instead?

Which I translate into “all traffic on localhost port 8080 is sent through the secure tunnel, to sshserver.dreamhost.com, and then to a destination”.

Then in a web browser, do: http://www.example.com ?

A couple questions:

1.) The web browser would need to be configured to use port 8080 before going to http://www.example.com, correct? I see that Firefox has an option to specify a SOCKS host. This means all web traffic is now sent through the tunnel?

2.) When my data is directed from the SSH server to www.example.com it is in clear text, correct? If so, does the data stay within the DreamHost data center or does it go out to the internet and then to www.example.com? My website is hosted with DreamHost.

Thanks!


#5

[quote]Which I translate into “all traffic on localhost port 8080 is sent through the secure tunnel, to sshserver.dreamhost.com, and then to a destination”.

Then in a web browser, do: http://www.example.com ?[/quote]

Yes.

  1. Correct. This may prevent you from accessing sites and/or services other than your own sites, so you’ll need to turn off the SOCKS proxy when you aren’t actively using it. There’s a way to make this work more cleanly using a PAC (Proxy Access Configuration) file, but it’s kind of involved.

  2. Correct; that traffic is necessarily in clear text. However, it never touches the network at all (it’s routed internally within your server), so the fact that it’s in the clear is only really of academic interest.