Connecting to Github and EC2 Through a Proxy on Port 80 or 443

Today we’ll cover how to connect to github and EC2 through a draconian proxy allowing only port 80 and 443. Github uses SSH, so like EC2 it can be connected to using SSH tunnelling. This article is based on a blog post by tachang[1], which needed some additional explanation and changes to work behind my proxy. I will be explaining how to connect on a unix-based machine, but these settings should also work on windows (see tachang’s article for windows setup[1]).

Getting ready

You will need to install corkscrew[2] on your machine for tunneling SSH through the proxy, and git (if you don’t have it already).

You will also need superuser access on your own machine and any EC2 instance that you want to connect to.

How do it…

Once corkscrew is installed, simply edit or create ~/.ssh/config with the following:

ProxyCommand /usr/local/bin/corkscrew proxy.<yourCompany>.com 8080 %h %p

Host github.com
	User git
	Port 443
	Hostname ssh.github.com
	IdentityFile "/Users/msnider/.ssh/rsa_id"
	IdentitiesOnly yes
	TCPKeepAlive yes

Host <ec2PublicDNSForYourServer>
    Port 443
    User ubuntu
	IdentityFile "/Users/msnider/.ssh/rsa_id"
	IdentitiesOnly yes
	TCPKeepAlive yes

Changes to ~/.ssh/config happen immediately, so at this point we can check to see if github connectivity has been restored:

>ssh github.com
Hi mattsnider! You've successfully authenticated, but GitHub does not provide shell access.
Connection to ssh.github.com closed.

When outside of the proxy, SSH to your EC2 instance and update the sshd_config file (mine was located at /etc/ssh/sshd_config on ubuntu) to also listen on port 443:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
Port 443
...

Then restart the server so that the changes take effect. Also, log into EC2 and update the DMZ of the server to allow connections on port 443. Then check to see if SSH connectivity to your server has been restored:

>ssh ubuntu@<ec2PublicDNSForYourServer>

If you are not behind the proxy you can force SSH to use port 443 for testing:

>ssh -p 443 ubuntu@<ec2PublicDNSForYourServer>

How it works…

Looking at the ~/.ssh/config, the ProxyCommand tells SSH to tunnel through a proxy when connecting to any host. Change the location of corkscrew to where yours is installed, replace the proxy server domain (don’t put http:// in front of the name) with yours, and change the proxy port 8080 to the one you connect to your proxy on. The %h and %p are special variables that will be populated by SSH dynamically (target host and port respectively).

Next the file defines all the hosts to connect to. We want to be able to connect to github.com and the EC2 public DNS for the instance. Under each Host definition the Hostname, Port, User, IdentityFile are important. The Hostname is the server DNS to connect to, if the Hostname is different from the Host; notice that the one under github.com has been changed to ssh.github.com (the github server that allows port 443). The Port is the port to connect on, and since your proxy blocks everything but 80 and 443, you need to use one of those two. The User should be changed to the user used to SSH into the server. And IdentityFile is the location of your private identify file used for SSHing to the server. I used RSA keygen[3] and have the same key on my server and github, but you can use any number of identify files and other cipher formats supported by SSH.

Lastly, for SSHing to your EC2 server, you need to modify the sshd_config file on the server. This file configures the SSH service on the server, and needs to be told to also listen to port 443. The SSH service can listen to as many ports as you want, so simply add the port 443 line under the port 22 line. I tried to just restart the SSH service, but Ubuntu wouldn’t let me, since I was logged in over SSH, so I ended up restarting the machine. Since, you cannot connect to this server when you are behind the proxy, you will need make this change outside the office. Also, port 443 is typically reserved for secure HTTP connections, so adding this port may conflict with an existing HTTP service. The best way to get around this is to have a second server (without HTTP services running) that you SSH into when at work and connect through that machine to port 22 on the machine running the webserver.

References

  1. USING GITHUB THROUGH DRACONIAN PROXIES (WINDOWS AND UNIX)
  2. Corkscrew
  3. SSH Keygen