

Proxy dispatcher for https and ssh - pouloum
http://tong.ijenko.net/2011/03/proxy-dispatcher-for-httpssl-and-ssh/
proxy dispatcher for https and ssh in a few lines of Perl
======
mooism2
See also sslh. (Or sshl, I forget which way round it goes.) Which claims some
ssh clients are eager (sending a greeting without waiting for the ssh server
greeting).

I was once unable to connect to my sshd on port 443 when I was using the free
wifi in a pub. The firewall appeared to be blocking the connection: presumably
it was checking whether the connection was really ssl or not.

------
bejot
haproxy configuration:

    defaults
        timeout connect 5s
        timeout client 50s
        timeout server 20s

    listen ssl :443
        tcp-request inspect-delay 2s
        acl is_ssl req_ssl_ver 2:3.1
        tcp-request content accept if is_ssl
        use_backend ssh if !is_ssl
        server www-ssl :444
        timeout client 2h

    backend ssh
        mode tcp
        server ssh :22
        timeout server 2h

------
cabacon
If you don't need the https, you can just use proxy connect, per
<http://benctechnicalblog.blogspot.com/2011/03/ssh-over-connect-over-port-80.html>

You can use this to get ssh from places that only let you use the regular
80/443 ports.

------
edambauskas
The same in 23 lines of C (+ netcat and inetd):
<http://old.homeip.net/martin/ssh-https.html>

~~~
zeptomax
23 lines of C but launching one external program for each connection... Not
very efficient... :-)

------
lmz
Something similar, written in C is sslh[1].

[1]: <http://www.rutschle.net/tech/sslh.shtml>

------
HerraBRE
PageKite can be used for similar tricks:
<http://pagekite.net/wiki/Floss/TechnicalManual/#ipr> and
<http://pagekite.net/wiki/Howto/SshOverPageKite/>

------
peterwwillis
A neat way to hide your SSH port, but not very practical (scanners will just
wait a little while to see if the SSH banner gets pumped out). You want
something that speaks HTTP so it'll get through transparent proxies of
corporations and wifi paywalls, which would be proxytunnel combined with a
server-side configuration of whatever your favorite http proxy/server is. Even
if your corporate environment forces NTLMv2 proxy authentication, you can
chain cntlm and proxytunnel to their proxy and still tunnel out, and nobody is
the wiser. (<http://dag.wieers.com/howto/ssh-http-tunneling/>)
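
------
Added example (not from any commenter or from the linked projects): a sketch of the first-bytes check that a port-443 dispatcher performs, and that an inspecting firewall like the one in the pub wifi comment can use to tell that a connection is not really SSL. The function name `classify`, its `timed_out` parameter and the sample payloads are assumptions constructed for illustration.

```python
# Added example: classify the first bytes seen on a shared port 443.
TLS_HANDSHAKE = 0x16    # TLS record content type "handshake"
CLIENT_HELLO = 0x01     # handshake / SSLv2 message type "ClientHello"
MAX_RECORD_LEN = 2**14  # upper bound on a TLS plaintext record length


def classify(data: bytes, timed_out: bool = False) -> str:
    """Return 'tls', 'ssh', 'other' or 'wait' for the bytes received so far.

    timed_out=True means the inspection delay has expired (hypothetical
    parameter; it plays the role of haproxy's inspect-delay).
    """
    if data[:4] == b"SSH-":
        return "ssh"        # eager client: sent its banner first
    if not data and timed_out:
        return "ssh"        # silent client: waiting for the server banner
    if len(data) < 6:
        return "other" if timed_out else "wait"
    length = int.from_bytes(data[3:5], "big")
    if (data[0] == TLS_HANDSHAKE and data[1] == 3 and data[2] <= 3
            and 0 < length <= MAX_RECORD_LEN and data[5] == CLIENT_HELLO):
        return "tls"        # SSLv3 .. TLS 1.3 record carrying a ClientHello
    if (data[0] & 0x80 and data[2] == CLIENT_HELLO
            and (data[3:5] == b"\x00\x02" or data[3] == 3)):
        return "tls"        # SSLv2-format ClientHello
    return "other"          # e.g. plain HTTP: neither TLS nor SSH


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "tls hello": bytes.fromhex("160301020001000001fc0303"),
    "sslv2 hello": bytes.fromhex("802e0100020015"),
    "eager ssh": b"SSH-2.0-OpenSSH_8.9\r\n",
    "plain http": b"GET / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:12} -> {classify(payload)}")
    print(f"{'silent':12} -> {classify(b'', timed_out=True)}")
```

The silent-client branch is why a dispatcher has to wait out a delay before choosing SSH, and the same delay is what lets a patient observer see the SSH banner arrive on port 443.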

