Ssh http proxy linux

Connect with SSH through a proxy

I have no real idea what I’m doing here so please bear that in mind if you can help me! I am trying to connect to my virtual server through a proxy but I can’t connect, it just hangs. I’m assuming this is because it’s not getting through our proxy. I have tried exactly the same thing at home and it works perfectly. I’m on OSX using Terminal to connect. Can anyone advise me how I can get through the proxy with SSH?

You should be asking this in either ServerFault or SuperUser. Plus, you’ll get a much better response.

For those trying to use netcat: **you need to use the openbsd package, netcat-openbsd** linuxquestions.org/questions/linux-newbie-8/…

netcat has different implementations on Mac/Linux/OpenBSD; please note the difference between their parameters and copy-paste the one for your own version!

16 Answers

Here’s how to do Richard Christensen’s answer as a one-liner, no file editing required (replace capitalized with your own settings, PROXYPORT is frequently 80):

 ssh USER@FINAL_DEST -o "ProxyCommand=nc -X connect -x PROXYHOST:PROXYPORT %h %p" 

You can use the same -o option for scp as well, see my superuser answer.

If you get this in OS X:

 nc: invalid option -- X
 Try `nc --help' for more information.

it may be that you’re accidentally using the homebrew version of netcat (you can see by doing a which -a nc command— /usr/bin/nc should be listed first). If there are two then one workaround is to specify the full path to the nc you want, like ProxyCommand=/usr/bin/nc .

For CentOS nc has the same problem of invalid option --X. connect-proxy is an alternative, easy to install using yum and works:

ssh -o ProxyCommand="connect-proxy -S PROXYHOST:PROXYPORT %h %p" USER@FINAL_DEST 

I use arch linux with gnu-netcat and the nc: invalid option -- X still exists. The solution for this problem is to replace gnu-netcat with openbsd-netcat. See pagekite.net/wiki/Howto/SshOverPageKite/#wrongnetcat for details. These two versions probably conflict with each other.

A bit off topic, but one can also open a tunnel through this connection (remove all '<' and '>' and keep 'localhost' as is): ssh -l -L :localhost: -o "ProxyCommand=nc -X connect -x : %h %p"

@Petr, --proxy command may work for you. EDIT: Scrolled down and noticed that an example is in shoaly’s answer.

I got: "nc: Proxy error: "HTTP/1.0 403 Forbidden" ssh_exchange_identification: Connection closed by remote host" What do I do?

For CentOS 7, where I have no "-X" option for ncat, I used the following construction: ssh REMOTEUSER@REMOTEHOST -o "ProxyCommand=ncat REMOTEHOST 22 --proxy PROXYHOST:PROXYPORT --proxy-type http". E.g.: ssh user123@ssh.othercomany.com -o "ProxyCommand=ncat ssh.mycomany.com 22 --proxy proxy.mycomany.com:80 --proxy-type http"

If your SSH proxy connection is going to be used often, you don’t have to pass them as parameters each time. You can add the following lines to ~/.ssh/config:

 Host foobar.example.com
     ProxyCommand nc -X connect -x proxyhost:proxyport %h %p
     ServerAliveInterval 10

I tried that but it didn’t work. Mind you, I wasn’t exactly sure what I needed to put in, but it went something like Host 159.23.191.23 ProxyCommand nc -x connect -x 10.3.50.01:22 %h %p ServerAliveInterval. Is that right?


I just wanted to add that this solution did work perfect for me. My current workplace deploys HTTP-proxies and I simply replaced proxyhost by the IP (adding no schema!) and the proxyport by — in this case — 8080.

This answer only tells someone that the commands you can pass are already (or can be defined) in its config file, but you don’t have to explicitly write it to a file. You can just pass the argument to the ssh connect command.

For CENTOS/RedHat: ProxyCommand connect-proxy -H proxyhost:proxyport %h %p. Please check the connect-proxy options -H/-T/-S and use the right one on the basis of the proxy server. Most likely they would be -H or -S, try out both combinations.

"nc: invalid option -- 'x'" same for -X. I checked nc -h. What are these options supposed to stand for? Can’t find how to replace them.

I use -o "ProxyCommand=nc -X 5 -x proxyhost:proxyport %h %p" ssh option to connect through socks5 proxy on OSX.

Your answer is the only one that worked on macOS 1.12. I added it in my ssh config: ProxyCommand nc -X 5 -x proxyhost:proxyport %h %p

Just a remark to @rogerdpack’s answer: for windows platform it is really hard to find a nc.exe with -X(http_proxy) , however, I have found nc can be replaced by ncat, full example as follows:

Host github.com
    HostName github.com
    #ProxyCommand nc -X connect -x 127.0.0.1:1080 %h %p
    ProxyCommand ncat --proxy 127.0.0.1:1080 %h %p
    User git
    Port 22
    IdentityFile D:\Users\Administrator\.ssh\github_key

and ncat with --proxy can work perfectly.

For windows, @shoaly parameters didn’t completely work for me. I was getting this error:

NCAT DEBUG: Proxy returned status code 501.
Ncat: Proxy returned status code 501.
ssh_exchange_identification: Connection closed by remote host

I wanted to ssh to a REMOTESERVER and the SSH port had been closed in my network. I found two solutions but the second is better.

To solve the problem using Ncat:

  • I downloaded Tor Browser, ran it and waited for it to connect.
  • I got Ncat from the Nmap distribution and extracted ncat.exe into the current directory.
  • SSH using Ncat as ProxyCommand in Git Bash, with the additional --proxy-type socks4 parameter:
ssh -o "ProxyCommand=./ncat --proxy-type socks4 --proxy 127.0.0.1:9150 %h %p" USERNAME@REMOTESERVER 
ssh -o "ProxyCommand=connect -a none -S 127.0.0.1:9150 %h %p" 

To use the proxy in git commands using ssh (for example while using GitHub) — assuming you installed Git Bash in C:\Program Files\Git\ — open ~/.ssh/config and add this entry:

host github.com
    user git
    hostname github.com
    port 22
    proxycommand "/c/Program Files/Git/mingw64/bin/connect.exe" -a none -S 127.0.0.1:9150 %h %p

$ which nc
/bin/nc
$ rpm -qf /bin/nc
nmap-ncat-7.40-7.fc26.x86_64
$ ssh -o "ProxyCommand nc --proxy %h %p" USER@HOST
$ ssh -o "ProxyCommand nc --proxy --proxy-type --proxy-auth %h %p" USER@HOST

ProxyCommand nc -proxy xxx.com:8080 %h %p 

remove -X connect and use -proxy instead.

This is how I solved it, hoping to help others later.

My system is debian 10, and minimal installation.

I also have the same problem like this.

git clone git@github.com:nothing/nothing.git
Cloning into 'nothing'.
nc: invalid option -- 'x'
nc -h for help
ssh_exchange_identification: Connection closed by remote host
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.

git clone git@github.com:nothing/nothing.git
Cloning into 'nothing'.
/usr/bin/nc: invalid option -- 'X'
nc -h for help
ssh_exchange_identification: Connection closed by remote host
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.

So, I know that nc has different versions like openbsd-netcat and GNU-netcat. You can change the nc in debian to the openbsd version, but I chose to change the software to something like corkscrew, because the names of the two versions of nc in the system are the same, and many people don’t understand it well. My approach is as follows.

sudo apt install corkscrew 

Change this file like this.

Host github.com
    User git
    ProxyCommand corkscrew 192.168.1.22 8118 %h %p

192.168.1.22 and 8118 are my proxy server’s address and port; you should change them according to your server address.
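The recurring failure in this thread is that nc is a different program on different systems. As an added example (not code from any of the answers above), this shell function picks a ProxyCommand from the help text of the installed netcat; the function name and the abbreviated help excerpts are constructed for illustration.

```shell
# Added example, not code from the thread. Help excerpts are constructed
# and abbreviated; the function name is hypothetical.
OPENBSD_HELP='usage: nc [-46CDdFhklNnrStUuvZz] [-X proxy_protocol] [-x proxy_address[:port]]'
NCAT_HELP='Ncat 7.40 ( https://nmap.org/ncat )
      --proxy <addr[:port]>  Specify address of host to proxy through
      --proxy-type <type>    Specify proxy type'
GNU_HELP='GNU netcat 0.7.1, a rewrite of the famous networking tool.'

proxycommand_for() {
    # $1 = help text of the local netcat, $2 = proxy host, $3 = proxy port,
    # $4 = proxy type: http (default) or socks4
    nc_help=$1; proxy="$2:$3"; ptype=${4:-http}
    case $ptype in
        http|socks4) ;;
        *) echo "unsupported proxy type: $ptype" >&2; return 2 ;;
    esac
    case $nc_help in
        *Ncat*|*--proxy-type*)
            # nmap's ncat: long options, as in the CentOS 7 and Windows answers
            echo "ncat --proxy $proxy --proxy-type $ptype %h %p" ;;
        *proxy_protocol*|*"-X proto"*)
            # OpenBSD netcat: -X connect for an HTTP proxy, -X 4 for SOCKS4
            if [ "$ptype" = http ]; then x=connect; else x=4; fi
            echo "nc -X $x -x $proxy %h %p" ;;
        *)
            # GNU/traditional netcat cannot talk to a proxy. corkscrew only
            # speaks HTTP CONNECT, so SOCKS has no fallback here.
            if [ "$ptype" != http ]; then
                echo "no SOCKS-capable netcat found" >&2; return 1
            fi
            echo "corkscrew $2 $3 %h %p" ;;
    esac
}

# Typical use, commented out because it needs a real nc and proxy:
#   ssh -o "ProxyCommand=$(proxycommand_for "$(nc -h 2>&1)" PROXYHOST PROXYPORT)" USER@FINAL_DEST
```

Run which -a nc first, as suggested earlier in the thread, so the help text comes from the same binary that ssh will actually execute.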

http proxy over ssh, not socks

I need a kind of proxy that I can use with the http_proxy variable, in an embedded device that doesn’t support SOCKS. What should I do?

I’ve done it with ssh a while back.. vnc through ssh. But you could, I suppose, use squid (an http proxy) through ssh. Can’t recall how I did it though at the moment. It’s not -D ‘cos (as you know, and better than me) -D is SOCKS if I recall.

@ngen: No. -D specifies a port to open the tunnel on, not the port to connect to. (Even the connection port is specified as -p port , not :port , for compatibility reasons.)

9 Answers

Method 1: Use a HTTP proxy that supports using a SOCKS upstream, e.g. Polipo or Privoxy.

First establish a -D tunnel over SSH like always, then configure the HTTP proxy to use the SSH tunnel – example Polipo configuration:

proxyAddress = "::1"
proxyPort = 8118
socksParentProxy = "localhost:8080"
socksProxyType = socks5

Finally, point the app to Polipo using http_proxy=localhost:8118 .

Method 2: Run your program inside the torsocks wrapper (or the older tsocks ), which proxies all connections transparently. It was meant for use with Tor, but works with any SOCKS server, including ssh -D .

Method 3: Set up a HTTP proxy on your server, then use ssh -L to access it.

Every -D results in a SOCKS server. If your client cannot handle SOCKS, forget -D.

You must run a HTTP-Proxy on the remote host and forward with -L :

ssh -f -N -n -L8080:127.0.0.1:8080 host 

For a proxy to run, I found "tinyproxy" super simple and already configured reasonably by default. On Ubuntu/etc remote host, just "sudo apt-get install tinyproxy", and then forward to port 8888 as above: "ssh -L8888:127.0.0.1:8888"

I have the same issue: I want to use an HTTP proxy through SSH, because many applications only support HTTP proxies, and an HTTP proxy is easy to use in a command line environment.

Although I searched several pages, I can’t find a direct (it can be chained with Polipo, Privoxy, or tsocks) way to do this.

After a day’s work, I finished a simple Golang version of HTTP proxy over SSH. Feel free to play with it: mallory.

Currently it only supports RSA keys (located at $HOME/.ssh/id_rsa) and password authorisation.

host is the SSH server address, port is 22 if is not changed by your admin. The server side is just our old friend sshd with zero configuration.

mallory -engine=ssh -remote=ssh://host:port 
mallory -engine=ssh -remote=ssh://user@host:port 

or with username user and password 1234

mallory -engine=ssh -remote=ssh://user:1234@host:port 

Once connected, an HTTP proxy will serve on localhost:1315.

How to use ssh over http or https?

I have a linux fedora21 client laptop behind a corporate firewall (which lets through http and https ports but not ssh 22) and I have a linux fedora21 server at home behind my own router. Browsing with https works when I specify my home server’s public IP address (because I configured my home router). Is it possible to ssh (remote shell) to my home server over the http/s port? I saw a tool called corkscrew. Would that help? opensshd and httpd run on the home server. What else would need configuration?

I can’t quite though that. I need httpd(s) for git pushed as well. So I gotta have a httpd listening on 443.

try httptunnel — yum install httptunnel http://www.nocrew.org/software/httptunnel.html, or as you mentioned in your question: corkscrew.

Either way, sshd would listen to 22, and httpd to 80/443 and httptunnel or corkscrew would forward traffic httpd receives to sshd ?

3 Answers

What is possible depends on what the firewall allows.

If the firewall allows arbitrary traffic on port 443

Some firewalls take the simple way out and allow anything on port 443. If that’s the case, the easiest way to reach your home server is to make it listen to SSH connections on port 443. If your machine is directly connected to the Internet, simply add Port 443 to /etc/ssh/sshd_config or /etc/sshd_config just below the line that says Port 22 . If your machine is behind a router/firewall that redirects incoming connections, make it redirect incoming connections to port 443 to your server’s port 22 with something like

iptables -t nat -I PREROUTING -p tcp -i wan0 --dport 443 -j DNAT --to-destination 10.1.2.3:22 

where wan0 is the WAN interface on your router and 10.1.2.3 is your server’s IP address on your home network.

If you want to allow your home server to listen both to HTTPS connections and SSH connections on port 443, it’s possible — SSH and HTTPS traffic can easily be distinguished (in SSH, the server talks first, whereas in HTTP and HTTPS, the client talks first). See http://blog.stalkr.net/2012/02/sshhttps-multiplexing-with-sshttp.html and http://wrouesnel.github.io/articles/Setting%20up%20sshttp/ for tutorials on how to set this up with sshttp, and also Have SSH on port 80 or 443 while webserver (nginx) is running on these ports

If you have a web proxy that allows CONNECT tunnelling

Some firewalls block all outgoing connections, but allow browsing the web via a proxy that allows the HTTP CONNECT method to effectively pierce a hole in the firewall. The CONNECT method may be restricted to certain ports, so you may need to combine this with listening on port 443 as above.

To make SSH go via the proxy, you can use a tool like corkscrew. In your ~/.ssh/config , add a ProxyCommand line like the one below, if your web proxy is http://web-proxy.work.example.com:3128 :

Host home
    HostName mmm.dyndns.example.net
    ProxyCommand corkscrew web-proxy.work.example.com 3128 %h %p

then you can connect by just running ssh home .
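The CONNECT exchange that corkscrew and nc -X connect perform, and how to read the proxy's first reply line (such as the 403 and 501 errors reported earlier on this page), as an added example that is not part of the original answer. The function names and messages are hypothetical and the reply lines used to exercise it are constructed.

```shell
# Added example: request sent by the ProxyCommand helper, and a reading of
# the status line the proxy sends back before any SSH traffic flows.
connect_request() {
    # $1 = target host, $2 = target port (what ssh passes as %h and %p)
    printf 'CONNECT %s:%s HTTP/1.0\r\n\r\n' "$1" "$2"
}

diagnose_connect_reply() {
    # $1 = first line of the proxy's reply, $2 = target port requested
    line=$(printf '%s' "$1" | tr -d '\r')
    case $line in
        HTTP/1.[01]\ [1-5][0-9][0-9]*)
            code=${line#HTTP/1.? }          # drop the protocol version
            code=${code%"${code#???}"} ;;   # keep the three status digits
        *)
            echo "not-http: peer does not speak HTTP, check proxy type and port"
            return 1 ;;
    esac
    case $code in
        2??) echo "ok: tunnel open, the SSH banner follows" ;;
        403)
            if [ "$2" = 443 ]; then
                echo "denied: proxy policy refuses this destination"
            else
                echo "denied: CONNECT to port $2 refused, proxy may restrict CONNECT to ports such as 443"
            fi
            return 1 ;;
        407) echo "auth: proxy requires credentials"; return 1 ;;
        501) echo "unsupported: endpoint does not implement CONNECT, check the proxy type"; return 1 ;;
        *)   echo "error: proxy answered $code"; return 1 ;;
    esac
}
```

A 403 for port 22 is the case where the answer's advice to make sshd reachable on port 443 applies; a 501 matches the situation above where the fix was to select a SOCKS proxy type instead of HTTP.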
