Actually, I did manage after all.
First, the SSH server had to listen on port 443. It wouldn't work on port 21, even though FTP is allowed through the proxy.
Next, as I already had HTTPS working on port 443, I installed SSLH. Now, port 443 is for both HTTPS and SSH. I checked: https:/…, WebDav, and SyncPlaces all still work reliably, as well as plain SSH from the server's LAN.
Finally, an SSH proxy allows the connection. I did several tests with .ssh/config, mostly with success:
— “ProxyCommand proxytunnel -p HTTP_PROXY:8080 -P PX_LOG:PX_PASS -d %h:%p”: what I ended up using.
— “ProxyCommand proxytunnel -N -p HTTP_PROXY:8080 -P PX_LOG:PX_PASS -d %h:%p” is more secure but did not work for some reason (seems to be a conflict with SSLH).
— “ProxyCommand proxytunnel -p localhost:3128 -d %h:%p” did work however (using CNTLM on localhost:3128), and achieves the same security.
— “ProxyCommand corkscrew localhost 3128 %h %p” is another working solution.
proxytunnel has a feature that corkscrew has not: the possibility to add HTTP headers, such as “User-Agent: Mozilla/…”.
My .ssh/config file now looks like this:
ProxyCommand proxytunnel -v -p HTTP_PROXY:8080 -P PX_LOG:PX_PASS -d %h:%p
[yves@MY_CLIENT ~]$ ssh MY_SERVER
Local proxy HTTP_PROXY resolves to 1xx.xxx.xxx.xxx
Connected to HTTP_PROXY:8080 (local proxy)
Tunneling to MY_SERVER:443 (destination)
Communication with local proxy:
-> CONNECT MY_SERVER:443 HTTP/1.0
-> Proxy-Authorization: Basic BASIcBASicBAsicBasI=
-> Proxy-Connection: Keep-Alive
<- HTTP/1.0 200 Connection established
Linux MY_SERVER 2.6.nn-n-486 #1 … UTC 2009 i686
All's not perfect but that's already fine, since I was able to tunnel port 143 and thus read IMAP mail on MY_CLIENT.
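To make the two mechanisms in the post concrete, the following is an added example (not code from the post, from proxytunnel or from sslh). It models what the `-v` trace above shows: the client builds an HTTP/1.0 CONNECT request with a Basic `Proxy-Authorization` header and treats the proxy's `200` status line as the point where the raw tunnel begins. It also models the first-bytes check that sslh performs when HTTPS and SSH share port 443: an SSH client sends its `SSH-` identification string straight away, while a TLS client sends a handshake record whose first bytes are `0x16 0x03`. The host name, credentials and banner strings are constructed sample values, and sslh's additional on-timeout fallback (no client data for a few seconds is treated as SSH) is not modelled here.

```python
import base64
from typing import Tuple

# Constructed sample values, matching the placeholders used in the post.
SAMPLE_DEST_HOST = "MY_SERVER"
SAMPLE_DEST_PORT = 443
SAMPLE_PROXY_USER = "PX_LOG"
SAMPLE_PROXY_PASS = "PX_PASS"

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PROPFIND", b"CONNECT"}


def build_connect_request(dest_host: str, dest_port: int,
                          proxy_user: str = None, proxy_pass: str = None) -> bytes:
    """Build the CONNECT request a ProxyCommand sends to an HTTP proxy.

    Produces the same three lines seen in the proxytunnel -v trace:
    CONNECT host:port, an optional Basic Proxy-Authorization, Keep-Alive.
    """
    lines = [f"CONNECT {dest_host}:{dest_port} HTTP/1.0"]
    if proxy_user is not None:
        # Basic auth is only base64(user:pass); the proxy sees the credentials
        # in clear unless the proxy hop itself is protected.
        token = base64.b64encode(f"{proxy_user}:{proxy_pass}".encode("utf-8")).decode("ascii")
        lines.append(f"Proxy-Authorization: Basic {token}")
    lines.append("Proxy-Connection: Keep-Alive")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(raw: bytes) -> Tuple[int, str, bytes]:
    """Parse the proxy's reply to CONNECT.

    Returns (status_code, reason, leftover). 'leftover' is any data that
    arrived after the blank line; on a 200 it already belongs to the
    tunnelled SSH stream and must be handed to the SSH client, not dropped.
    """
    head, sep, leftover = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response (no end of headers)")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason, leftover


def tunnel_established(raw: bytes) -> bool:
    """True only when the proxy answered CONNECT with a 2xx status."""
    code, _reason, _rest = parse_connect_response(raw)
    return 200 <= code < 300


def classify_first_bytes(data: bytes) -> str:
    """sslh-style demultiplexing of a port shared by HTTPS and SSH.

    The decision is made on the first bytes the client sends:
      - SSH clients open with their identification string (RFC 4253), "SSH-".
      - TLS clients open with a handshake record: content type 0x16,
        protocol version major byte 0x03.
      - Plain HTTP starts with a method token.
    """
    if data.startswith(b"SSH-"):
        return "ssh"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"


if __name__ == "__main__":
    req = build_connect_request(SAMPLE_DEST_HOST, SAMPLE_DEST_PORT,
                                SAMPLE_PROXY_USER, SAMPLE_PROXY_PASS)
    print(req.decode("ascii"))
    # Constructed reply: the proxy accepts, and the first SSH banner bytes follow.
    reply = b"HTTP/1.0 200 Connection established\r\n\r\nSSH-2.0-OpenSSH_5.1\r\n"
    code, reason, rest = parse_connect_response(reply)
    print(code, reason, classify_first_bytes(rest))
```

From the proxy's point of view the only artifact of this setup is a CONNECT to `host:443`, which is exactly what every HTTPS browser session also produces; this is why proxy logs alone do not distinguish HTTPS from tunnelled SSH, and why the first-bytes check above (a TLS record versus an `SSH-` banner) is what actually tells the two apart on the server side.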