Today we’ll cover how to connect to github and EC2 through a draconian proxy allowing only port
443. Github uses SSH, so like EC2 it can be connected to using SSH tunnelling. This article is based on a blog post by tachang, which needed some additional explanation and changes to work behind my proxy. I will be explaining how to connect on a unix-based machine, but these settings should also work on windows (see tachang’s article for windows setup).
You will need to install corkscrew on your machine for tunneling SSH through the proxy, and git (if you don’t have it already).
You will also need superuser access on your own machine and any EC2 instance that you want to connect to.
Once corkscrew is installed, simply edit or create
~/.ssh/config with the following:
ProxyCommand /usr/local/bin/corkscrew proxy.<yourCompany>.com 8080 %h %p Host github.com User git Port 443 Hostname ssh.github.com IdentityFile "/Users/msnider/.ssh/rsa_id" IdentitiesOnly yes TCPKeepAlive yes Host <ec2PublicDNSForYourServer> Port 443 User ubuntu IdentityFile "/Users/msnider/.ssh/rsa_id" IdentitiesOnly yes TCPKeepAlive yes
~/.ssh/config happen immediately, so at this point we can check to see if github connectivity has been restored:
>ssh github.com Hi mattsnider! You've successfully authenticated, but GitHub does not provide shell access. Connection to ssh.github.com closed.
When outside of the proxy, SSH to your EC2 instance and update the
sshd_config file (mine was located at
/etc/ssh/sshd_config on ubuntu) to also listen on port
# Package generated configuration file # See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port 22 Port 443 ...
Then restart the server so that the changes take effect. Also, log into EC2 and update the DMZ of the server to allow connections on port
443. Then check to see if SSH connectivity to your server has been restored:
If you are not behind the proxy you can force SSH to use port
443 for testing:
>ssh -p 443 ubuntu@<ec2PublicDNSForYourServer>
Looking at the
~/.ssh/config, the ProxyCommand tells SSH to tunnel through a proxy when connecting to any host. Change the location of corkscrew to where yours is installed, replace the proxy server domain (don’t put
http:// in front of the name) with yours, and change the proxy port
8080 to the one you connect to your proxy on. The
%p are special variables that will be populated by SSH dynamically (target host and port respectively).
Next the file defines all the hosts to connect to. We want to be able to connect to
github.com and the EC2 public DNS for the instance. Under each
Host definition the
IdentityFile are important. The
Hostname is the server DNS to connect to, if the
Hostname is different from the
Host; notice that the one under
github.com has been changed to
ssh.github.com (the github server that allows port
Port is the port to connect on, and since your proxy blocks everything but
443, you need to use one of those two. The
User should be changed to the user used to SSH into the server. And
IdentityFile is the location of your private identify file used for SSHing to the server. I used RSA keygen and have the same key on my server and github, but you can use any number of identify files and other cipher formats supported by SSH.
Lastly, for SSHing to your EC2 server, you need to modify the
sshd_config file on the server. This file configures the SSH service on the server, and needs to be told to also listen to port
443. The SSH service can listen to as many ports as you want, so simply add the port
443 line under the port
22 line. I tried to just restart the SSH service, but Ubuntu wouldn’t let me, since I was logged in over SSH, so I ended up restarting the machine. Since, you cannot connect to this server when you are behind the proxy, you will need make this change outside the office. Also, port
443 is typically reserved for secure HTTP connections, so adding this port may conflict with an existing HTTP service. The best way to get around this is to have a second server (without HTTP services running) that you SSH into when at work and connect through that machine to port
22 on the machine running the webserver.