
SSH Tunneling through web filters - r11t
http://www.s-anand.net/blog/ssh-tunneling-through-web-filters/
======
pieter
At the end of the article, the author suggests to look at proxytunnel and
<http://dag.wieers.com/howto/ssh-http-tunneling> if you want to do this under
Linux.

I just want to point out that this last option does a lot more than what the
article does: it actually encapsulates the ssh session in HTTPS requests, so
it'll work even if your firewall does layer-7 filtering. The article just runs
sshd on port 443 and connects to that.
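
As an added example (not part of the original comment or the linked article), here is the kind of layer-7 check that separates sshd listening on port 443 from real HTTPS: it looks at the first payload bytes of a flow instead of the port number. The flow tuples and function names are assumptions made for this sketch, and the sample payloads are constructed.

```python
import struct

def classify_first_bytes(data: bytes) -> str:
    """Label the first payload of a TCP flow: 'ssh', 'tls-client-hello' or 'other'."""
    # RFC 4253: each SSH peer opens with an identification string "SSH-<ver>-..."
    if data.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version major 0x03,
    # 2-byte record length, then handshake message type 0x01 (ClientHello)
    if len(data) >= 6:
        rec_type, major, _minor, length = struct.unpack("!BBBH", data[:5])
        if rec_type == 0x16 and major == 0x03 and 0 < length <= 16384 and data[5] == 0x01:
            return "tls-client-hello"
    return "other"

def non_tls_on_443(flows):
    """Return (flow_id, label) for port-443 flows whose opening bytes are not TLS."""
    findings = []
    for flow_id, dst_port, payload in flows:
        if dst_port != 443:
            continue
        label = classify_first_bytes(payload)
        if label != "tls-client-hello":
            findings.append((flow_id, label))
    return findings

# Constructed sample flows: (flow id, destination port, first payload bytes)
SAMPLE_FLOWS = [
    ("flow-a", 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),  # minimal TLS header
    ("flow-b", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),                  # SSH banner on 443
    ("flow-c", 80, b"GET / HTTP/1.1\r\n"),                         # not port 443, ignored
    ("flow-d", 443, b"\x00\x01\x02"),                              # neither SSH nor TLS
]

if __name__ == "__main__":
    for flow_id, label in non_tls_on_443(SAMPLE_FLOWS):
        print(flow_id, label)
```
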

------
ShabbyDoo
> Would anyone on HN work at a company that filters http?

I'm consulting for one now. For the most part, they filter porn and borderline
porn. However, they also filter Facebook (but not LinkedIn!), YouTube, and a
few other mainstream sites.

Circumvention certainly isn't that hard, but it also likely violates some
company policy. I connected my Droid to their Exchange servers and got a
nastygram from IT security (albeit a few weeks later).

Ironically, the risk isn't just that I would get caught - the first time would
be a hand slap unless they wanted a reason to get rid of me. The corporate
culture is so focused on conformity and compliance that it would be absolutely
shocking to others that I would have even considered such a thing. And, this
affects perceptions of trustworthiness. [No, I do not like any of this!]

------
ShabbyDoo
Given that Google App Engine gives away the first 5M requests/month for free
and allows outgoing HTTP requests, would it be possible to build a proxy with
it? Let's say I built a SOCKS client for Windows which delegated requests to a
small AppEngine app via HTTPS. The server-side would simply make the request
on the client's behalf and return the result. Would this work? I suspect
latency would be much worse than the EC2/SSH option, but it would be more
convenient. I could use something like FoxyProxy to only use the AppEngine
hack for sites which required it.

~~~
jaxn
There are quite a few of these. Check out
<http://code.google.com/p/downy/source/browse/#hg/proxy>

I know this because the building where my office is has filters set up on the
internet (I don't pay the bill, so who am I to complain). Because of the
AppEngine proxies, they block all appspot.com domains.

The crappy part is that I have a couple of projects hosted on AppEngine, so in
order to access those I have to run a reverse tunnel to get around their
filters. (Making this thread circular).

I use this for my proxy (and set a system-wide SOCKS proxy on OSX):

    ssh -CfgN -D 9999 myserver.com

------
koevet
The bank I have been working at for the last 12 months was also blocking 443
traffic (except to a few "safe" SSL sites). Tunnelling on 443 was impossible.

~~~
mhansen
What's the reasoning behind that? Do they want to intercept all
communications, and encryption would get in the way of that?

~~~
blasdel
It's not too hard to MITM HTTPS traffic in a corporate setting -- you run your
own internal root CA that approves the same cert for all domains, and add its
public key to the browsers on all of the company's computers. Then instead of
running a normal socks proxy, you just route all external IPs to a gateway box
that proxies on 80 and 443.

I've seen this proxy method used at a company before, but I'm pretty sure they
just passed through the https traffic instead of fucking with the certs. I'll
have to check the next time I'm on-site...

------
poutine
In China I found that using a UDP based OpenVPN to Slicehost was higher
performing than the TCP on top of TCP issues that you get with SSH Tunneling
when there's packet loss.

There's even some pretty decent desktop clients for OpenVPN, see Viscosity for
OSX.

This is assuming you have the ports open (the Great Firewall of China does
HTTP inspection but not port blocking).

------
adrinavarro
A VPS (Slicehost anyone?) should do the same, and it's way less expensive than
EC2. You just have to set up everything from a non-filtered connection (at
home! ..hey, you can even build this in a home server!).

Anyway, if you can use a SOCKS proxy, it should work for almost every
application supporting any kind of proxy (but not using the 443/SSL port).

------
dryicerx
Good writeup, ssh tunnels are something I can’t live without…

Step 9 can be skipped completely if no proxy is needed to be configured.

Also don’t forget, doing all of this still sends the DNS requests in the clear
to the usual/old DNS server and not through EC2. If the DNS server is also
meant to filter and redirect, this can be an issue. To go around that, in
Firefox you can go to about:config and set
network.proxy.socks_remote_dns = true

And for linux folks... you don't need any tools or any more special config...
just run the ssh command with switch -D <SOCKS_PORT_NUMBER> and configure
firefox or your browser to use that.
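
As an added example (not part of the original comment), this shows what the remote-DNS setting changes on the wire: a SOCKS5 CONNECT request (RFC 1928) carries either a hostname, which the proxy end resolves, or an IP address that the client has already looked up through its local DNS server. The function names and sample destinations are assumptions made for this sketch.

```python
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def socks5_connect(dest: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request for an IP literal or a hostname."""
    head = b"\x05\x01\x00"  # VER=5, CMD=CONNECT, RSV=0
    try:
        ip = ipaddress.ip_address(dest)
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:
        name = dest.encode("idna")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name  # length-prefixed name
    return head + bytes([atyp]) + addr + struct.pack("!H", port)

def who_resolves(request: bytes):
    """Parse a CONNECT request; return (resolver, destination, port)."""
    if len(request) < 5 or request[0] != 5 or request[1] != 1:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = request[3]
    if atyp == ATYP_DOMAIN:
        n = request[4]
        addr, rest = request[5:5 + n], request[5 + n:]
        resolver = "proxy"   # the hostname travels inside the tunnel
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        n = 4 if atyp == ATYP_IPV4 else 16
        addr, rest = request[4:4 + n], request[4 + n:]
        resolver = "client"  # any name lookup happened locally, outside the tunnel
    else:
        raise ValueError("unknown address type")
    if len(addr) != n or len(rest) != 2:
        raise ValueError("truncated request")
    dest = addr.decode("ascii") if atyp == ATYP_DOMAIN else str(ipaddress.ip_address(addr))
    return resolver, dest, struct.unpack("!H", rest)[0]

if __name__ == "__main__":
    # Constructed destinations: a hostname (remote DNS) and a pre-resolved address
    for dest in ("example.com", "192.0.2.10"):
        print(who_resolves(socks5_connect(dest, 443)))
```
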

------
imack
Has anyone on HN actually worked for a company that filters internet traffic?
_Would_ anyone on HN work at a company that filters http? I've always thought
that if a company could effectively block internet traffic with a filter on a
proxy then the problem wasn't that employees were wasting time surfing; the
problem was that they were hiring employees incapable of getting around it.

~~~
tezza
Yep.

Financial Services in London filter/block a lot.

They also disable DNS lookups, and so only browser lookups and specially coded
wget have resolution capability.

No: Gmail, Yahoo! Mail, Hotmail, Betfair, Twitter, Facebook

~~~
ig1
It's generally done for compliance reasons, banks are covered by fairly strict
regulations which require communication audit logs. Similarly most personal
brokerage websites and gambling websites are blocked to prevent insider
trading, obviously it's not going to stop someone who's determined to break
the law, but banks have to be able to show they've taken reasonable measures
to prevent it.

------
colbyolson
I use my slice for this stuff. On a Mac, just add the localhost:<someport> to
the 'network preferences > SOCKS proxies' and then do:

    ssh -D <someport> user@slicehost.com

------
kogir
For $60/mo you can get a Sprint MiFi, and have mobile broadband access
anywhere there's coverage. I know, this doesn't work for everyone, but
compared to a $57/mo EC2 instance, I think it's a win in many cases.

~~~
mcantelon
A $20/month VPS would likely do the job well enough.

------
joezydeco
Wow! 8 cents an hour! That's...um....$57 a month. Oh.

Can you schedule EC2 instances for certain times of the day, or is it an all
on or nothing thing?

~~~
streety
You can shut it down and start it up whenever you like. Billing is by the hour
so it is perfectly possible to just have it running when you need it and have
it shut down for the rest of the time.

------
j_lagof
It works with anything but Google Chrome... I just learned that it doesn't
support SOCKS proxy :/

~~~
est
Chrome doesn't support DNS queries via SOCKS5 (aka
network.proxy.socks_remote_dns in Firefox), but it supports SOCKS5:

    chrome.exe --proxy-server=socks5://127.0.0.1:8008

credits: <http://code.google.com/p/chromium/issues/detail?id=29914>

------
hannibalhorn
It's pretty common for VPN providers like witopia or acevpn to provide access
via TCP 443 to get through these same firewalls, and it's a whole lot simpler,
not to mention more cost effective.

------
bugtrace
You can use MyEnTunnel

