Tuesday, 2 August 2011

SSH reverse tunnel one way connection with HTTP proxy

Wow.. the title is so long. But I think I need to title this post like that so that Google or other search engines can find it easily.

Now, let's proceed with the blog post.

Consider this scenario:
  • You need to connect to a CentOS Linux server in your customer's data center
  • The server's outgoing connections are blocked by an external firewall beyond your control, which means you cannot SSH from it to another server on the Internet
  • You need to update the software installed on the server by using Yum
  • You are connected to the CentOS Linux server from a Windows desktop by using Putty
How are you going to solve the issue?

Most solutions on the Internet show the SSH reverse tunnel method with the assumption that you can SSH from the server to an external server on the Internet, and use that tunnel to forward whatever port you want to use. That might not always be the case.

This is the solution that I have created that will show you how to solve the scenario above. It will require:
  1. Windows desktop
  2. Putty SSH client
  3. AnalogX proxy
The idea is to open port 8080 on the CentOS Linux server and have it forwarded, through the SSH session, to port 6588 on the Windows desktop. AnalogX will use port 6588 to proxy the Internet connection on the Windows desktop.

So, how to configure this stuff?

1. Configure Putty

Launch your Putty SSH client and click Session. Fill in your CentOS Linux server domain name or IP address. Make sure the port is correct.



Now, click Tunnels under SSH under Connection. Fill in the information as in the image below: the source port is 8080 and the destination is port 6588 on your desktop. Make sure you select the Remote option. Click Add.


After you click Add, your setting will be like this image.


Now, click Open, and log in to the server as root. If you run the command

# netstat -nap | grep 8080

you will find that port 8080 is open on the server and in the LISTEN state, as shown in the image below.


Leave it there for a moment while we set up the AnalogX proxy.


2. AnalogX proxy

AnalogX proxy is a simple freeware proxy for Windows. You can download the software from its website at http://analogx.com/contents/download/Network/proxy/Freeware.htm

Install the software as normal, and launch it after installation. You will see the AnalogX proxy icon on your Windows taskbar.


Right click the icon, and click Configure. You will be shown the configuration as below. Make sure at least HTTP is ON.


With AnalogX proxy running, you have established an outgoing connection from the Linux server to your desktop by using the SSH tunnel.


3. Configure Yum

Now, in order to update the software installed on the Linux server, Yum must know how to connect to the Yum repositories that contain updates.

Luckily, Yum only needs to know which HTTP proxy is available, and an update can be performed easily.

To make Yum use the HTTP proxy, type this command as root:

# export http_proxy=http://localhost:8080

This command will configure a system-wide proxy setting for the Linux server.

When you issue the command

# yum check-update

Yum will use the HTTP proxy connection that you have created: through the SSH tunnel from your Windows desktop, to the AnalogX proxy running on your desktop, and on to the Internet.
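
The LISTEN check from step 1 and the proxy setting from step 3 can be combined so that Yum only uses the tunnel when the forwarded port is bound to loopback on the server. This is an added example, not part of the original post; `listener_scope`, `yum_via_tunnel`, `TUNNEL_PORT` and the host name `server.example` are names assumed here, and the netstat lines are constructed.

```shell
#!/bin/sh
# Added example: verify the tunnel listener before pointing yum at it.
# OpenSSH equivalent of the PuTTY "Remote" forward from the post
# (server.example is a placeholder host name):
#   ssh -R 8080:localhost:6588 root@server.example

# Constructed sample of `netstat -nat` output, for offline testing only.
SAMPLE_NETSTAT='tcp   0   0 0.0.0.0:22       0.0.0.0:*   LISTEN
tcp   0   0 127.0.0.1:8080   0.0.0.0:*   LISTEN
tcp   0   0 ::1:8080         :::*        LISTEN'

# Read netstat-style lines on stdin and classify the listener on port $1:
#   none     - nothing is listening (tunnel is down)
#   loopback - reachable only from the server itself (sshd default)
#   exposed  - bound to a non-loopback address (e.g. GatewayPorts enabled),
#              so other hosts could relay through the desktop's proxy
listener_scope() {
    awk -v port="$1" '
        $6 == "LISTEN" && $4 ~ (":" port "$") {
            addr = $4
            sub(":" port "$", "", addr)          # strip trailing :PORT
            if (addr == "::1" || addr ~ /^127\./) {
                if (scope == "") scope = "loopback"
            } else {
                scope = "exposed"
            }
        }
        END { print (scope == "" ? "none" : scope) }
    '
}

# Run yum through the tunnel only if the listener is private to this host.
# http_proxy is set for this single command instead of being exported.
# TUNNEL_PORT is a hypothetical override; it defaults to the post's 8080.
yum_via_tunnel() {
    port="${TUNNEL_PORT:-8080}"
    scope=$(netstat -nat | listener_scope "$port")
    if [ "$scope" != "loopback" ]; then
        echo "port $port listener is '$scope'; refusing to proxy" >&2
        return 1
    fi
    http_proxy="http://localhost:$port" yum "$@"
}

# Demo on the constructed sample (prints: loopback)
printf '%s\n' "$SAMPLE_NETSTAT" | listener_scope 8080
```

On the server, `yum_via_tunnel check-update` replaces the export and yum commands above while the Putty session is open.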


Conclusion
The solution that I have created above will help you to achieve your goal of updating the CentOS Linux server with the latest updates. This setup will also work for the apt tools in Debian and Debian derivatives.

If you are using a Linux desktop, you can replace AnalogX proxy with 3proxy, Squid, or nginx. The SSH remote port can be configured by using simple SSH options. The details are for you to figure out ;)