Connecting to Github and EC2 Through a Proxy on Port 80 or 443

Today we’ll cover how to connect to github and EC2 through a draconian proxy allowing only port 80 and 443. Github uses SSH, so like EC2 it can be connected to using SSH tunnelling. This article is based on a blog post by tachang[1], which needed some additional explanation and changes to work behind my proxy. I will be explaining how to connect on a unix-based machine, but these settings should also work on windows (see tachang’s article for windows setup[1]).

Getting ready

You will need to install corkscrew[2] on your machine for tunneling SSH through the proxy, and git (if you don’t have it already).

You will also need superuser access on your own machine and any EC2 instance that you want to connect to.

How do it…

Once corkscrew is installed, simply edit or create ~/.ssh/config with the following:

ProxyCommand /usr/local/bin/corkscrew proxy.<yourCompany>.com 8080 %h %p

	User git
	Port 443
	IdentityFile "/Users/msnider/.ssh/rsa_id"
	IdentitiesOnly yes
	TCPKeepAlive yes

Host <ec2PublicDNSForYourServer>
    Port 443
    User ubuntu
	IdentityFile "/Users/msnider/.ssh/rsa_id"
	IdentitiesOnly yes
	TCPKeepAlive yes

Changes to ~/.ssh/config happen immediately, so at this point we can check to see if github connectivity has been restored:

Hi mattsnider! You've successfully authenticated, but GitHub does not provide shell access.
Connection to closed.

When outside of the proxy, SSH to your EC2 instance and update the sshd_config file (mine was located at /etc/ssh/sshd_config on ubuntu) to also listen on port 443:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
Port 443

Then restart the server so that the changes take effect. Also, log into EC2 and update the DMZ of the server to allow connections on port 443. Then check to see if SSH connectivity to your server has been restored:

>ssh ubuntu@<ec2PublicDNSForYourServer>

If you are not behind the proxy you can force SSH to use port 443 for testing:

>ssh -p 443 ubuntu@<ec2PublicDNSForYourServer>

How it works…

Looking at the ~/.ssh/config, the ProxyCommand tells SSH to tunnel through a proxy when connecting to any host. Change the location of corkscrew to where yours is installed, replace the proxy server domain (don’t put http:// in front of the name) with yours, and change the proxy port 8080 to the one you connect to your proxy on. The %h and %p are special variables that will be populated by SSH dynamically (target host and port respectively).

Next the file defines all the hosts to connect to. We want to be able to connect to and the EC2 public DNS for the instance. Under each Host definition the Hostname, Port, User, IdentityFile are important. The Hostname is the server DNS to connect to, if the Hostname is different from the Host; notice that the one under has been changed to (the github server that allows port 443). The Port is the port to connect on, and since your proxy blocks everything but 80 and 443, you need to use one of those two. The User should be changed to the user used to SSH into the server. And IdentityFile is the location of your private identify file used for SSHing to the server. I used RSA keygen[3] and have the same key on my server and github, but you can use any number of identify files and other cipher formats supported by SSH.

Lastly, for SSHing to your EC2 server, you need to modify the sshd_config file on the server. This file configures the SSH service on the server, and needs to be told to also listen to port 443. The SSH service can listen to as many ports as you want, so simply add the port 443 line under the port 22 line. I tried to just restart the SSH service, but Ubuntu wouldn’t let me, since I was logged in over SSH, so I ended up restarting the machine. Since, you cannot connect to this server when you are behind the proxy, you will need make this change outside the office. Also, port 443 is typically reserved for secure HTTP connections, so adding this port may conflict with an existing HTTP service. The best way to get around this is to have a second server (without HTTP services running) that you SSH into when at work and connect through that machine to port 22 on the machine running the webserver.


  2. Corkscrew
  3. SSH Keygen

Getting Started With Node-JS

I attended the Node-JS Camp this past week and had a lot of fun talking with the developers, and familiarizing myself with the awesomeness of Node-JS. Node-JS is a powerful version of JavaScript that allows for server-side scripting and running light-weight web servers. The best part is, if you know client-side JavaScript, you know the basics of server-side JavaScript, and only need to learn how to import and use the built in libraries. Todays ...

Script for Easy MySQL Migrations

This is a bit of code I wrote to handle MySQL migration scripts for my projects. This was inspired by the South project for Django, which was not meeting my needs (especially on non-Django projects), but had some good ideas. To use the script, create a directory and put all your migration scripts in it, then execute the script.

How do it…

Create a migration directory and fill it with files ...

Using Python to Setup a Simple Server

For we are trying to setup continous deployment. Our first attempt to make it work was to leverage the post web hooks provided by our repository manager. For webhooks you need to have a URL that is not powered by any service you wish to restart. Originally, I setup this URL using various off-the-shelf webservers, but they all seemed overkill for what I wanted to do. Instead I leveraged built in features of ...

Strong Server-Side Parameter Validation

Most web applications require the end-user to submit form data to the server, whether through a tradition web form or via AJAX. Anytime a server receives a request with parameters, the server-side code should assume that the request is malicious. At the very least a developer should ensure that SQL and/or JavaScript code is not injected. However, a developer should know what the acceptable values are for a parameter and be able to validate against ...

Cross Domain AJAX Using A Proxy

The web is full of people stating that you cannot make an XMLHttpRequest (or the Microsoft equivalent) for another domain. However, this is only a half truth, because you can with a proxy server. JavaScript strictly prohibits making an XMLHttpRequest directly to another domain, but you can always forward a remote request through a proxy service running on your own domain. Here is the script that I use:

Example 1: PHP Proxy Script

<?php ...

Server-Driven Constants

On the web today, it is commonplace to use JavaScript to communicate with the server (think AJAX or manipulating window.location). This means that there will be parameters that are the same on the server- as in the client-side code. As your code grows there will be more parameters and occasional name changes, resulting in parameter management increasingly wasting your time and/or causing errors. As a result it is considered best practices to manage these parameters ...

Server Logs Filled with Invalid Chunk Ignored Errors

Something a little different today. Have you ever look through your server-side logs and seen the following error everywhere:

"Parameters - Parameters: Invalid chunk ignored"
If your requests are improperly formatted, then this error will flood your logs. Although not critical, this can be severally frustrating as it bloats your log files, taking up precious disk space and making them ever more unreadable. As usual with logs, this message is nearly meaningless and doesnt explain ...

Session Driven Back Buttons

One of the biggest issues I encountered while refactoring my projects to work without the need of JavaScript, is directing the user back to the page they were previously on. This is especially important for form submission and canceling. I look around the web and mostly saw comments directing programmers to use JavaScript to handle back. However, the point of the exercise is to not require JavaScript for anything. I then spent some time looking ...