[Techtalk] access to intranet over ssh?

Almut Behrens almut-behrens at gmx.net
Sat Oct 23 10:40:26 EST 2004


On Fri, Oct 22, 2004 at 03:17:00PM +0100, Caroline Johnston wrote:
> I have some cgi scripts on my machine at work (RH9). What is the best way 
> to get access to these from outside? 
> 
> I have vnc tunnelled over ssh, so I can just run a browser on the work
> machine, but it's kinda slow. 
> 
> I thought it would be possible to get my browser to tunnel requests
> through ssh, but I'm having problems getting it working. I'm using putty
> on WinXP and, following the advice of various webpages (and not entirely
> understanding what I'm doing) have set up a connection to a machine I have 
> access to at work and got it to forward stuff to my_machine:80 from local 
> port XXXX. Now I can access some pages via 
> http://localhost:XXXX/cgi-bin/blah.pl
> 
> The problem is that if any of the scripts use full urls in links etc,
> these pages get accessed directly instead of through the tunnel and it
> breaks. I guess I could go and make all the links relative in all my
> scripts but there must be a better way of solving this?

Hi,

this is going to be a bit shorter than usual :) 'cos I'm just about to
leave for a trip over the weekend...


If you do not want to make your URLs relative (which would probably be
the easiest way to circumvent the problem...), you could do the
following instead:

(1) Set up a so-called "forward proxy" somewhere at work.
    (A reverse proxy - like apache configured with ProxyPass and
    ProxyPassReverse - won't work here, as such a setup will never
    manage to rewrite your HTML-embedded absolute URLs back to
    http://localhost:XXXX, as required for seamless ssh tunneling...)

(2) Have your ssh tunnel forward requests to the proxy, instead of
    to the real intranet webserver.

(3) Configure your browser to use your ssh port forwarder (i.e.
    http://localhost:XXXX) as its proxy (any decent browser can
    be configured to use a proxy -- typically somewhere under
    'preferences')

As the forward proxy, you can either use a dedicated proxy like squid,
or apache + mod_proxy, configured with "ProxyRequests on" (which
you'd typically want "off" for a reverse proxy, btw!!! - see
http://httpd.apache.org/docs/mod/mod_proxy.html#access for why...).


What happens then is: your browser sends a _proxy request_ to
localhost:XXXX, which gets forwarded to the proxy on the remote side.
This kinda tells the proxy "fetch me that URL" (explicitly, the request
containing the original URL to fetch).  The proxy in turn fetches the
URL on behalf of the browser, and returns the content.  Though
superficially similar, this is quite different from a port-forwarded
regular HTTP request.

The important difference is that the proxy can reach/resolve any
internal URLs, while the browser directly (from the outside) cannot...
The browser always delegates any request when there's a proxy
configured/active. In this case, it does not try to perform normal HTTP
requests on its own.  Thus, everything nicely gets tunneled through the
ssh connection -- and there's no longer any need to rewrite anything,
regardless of whether URLs are relative or full.
(For the same reason, you of course need to deactivate the browser's
proxy setting again when you shut down the ssh connection...)

Note, you don't need to touch the actual webserver in any way -- just
run another instance of apache (with a different config, and having it
listen on some non-privileged port >1024).


Hope this is enough to get you started.  Of course, there's a whole
lot more to tell, but I really need to go now...
If this sounds all Greek to you, just shout, and I might write a bit
more when I'm back (Tuesday) -- if you want :)

Good luck,
Almut


PS: alternatively, you might also try NX (http://www.nomachine.com/)
to considerably speed up your redirected X or VNC sessions.
I'm in no way affiliated with Nomachine, but I can only recommend NX.
It works great!  Don't be put off by the commercial appearance of the
site -- everything you _really_ need is open source and free
(http://www.nomachine.com/sources.php). Though, admittedly, it's not
exactly trivial to set up without their wizards and precompiled
binaries.  I guess that's their business model...  Anyway, just wanted
to mention it.

PPS: a couple of weeks ago, we had a thread here discussing _reverse_
proxies, which might be of interest, too, just for comparison...
http://mailman.linuxchix.org/pipermail/techtalk/2004-October/019204.html
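The following is an added illustration, not part of the original post: a small Python model of the two request shapes Almut contrasts (a plain port-forwarded request, which only carries a path plus a `Host: localhost:XXXX` header, versus a _proxy request_, whose request line carries the full URL), together with the request-line handling a forward proxy performs. The `INTRANET_HOSTS` allowlist is a constructed stand-in for the mod_proxy access control the post links to; the hostnames, port numbers and `my_machine` are placeholders taken from the thread, not real values.

```python
"""Model of what a forward proxy sees behind an ssh port forward.

Two request shapes are constructed and parsed:
  - "origin form":   GET /cgi-bin/blah.pl HTTP/1.1  +  Host: localhost:XXXX
                     (what a browser sends through a plain port forward)
  - "absolute form": GET http://my_machine/cgi-bin/blah.pl HTTP/1.1
                     (what a browser sends when a proxy is configured)
Only the second tells the proxy which intranet host to fetch from.
Added example; hostnames and ports are constructed placeholders.
"""
from urllib.parse import urlsplit

# Constructed allowlist: with "ProxyRequests On" the proxy must be restricted
# to intranet targets (cf. the mod_proxy #access section), otherwise anyone
# reaching the tunnel endpoint has an open proxy.
INTRANET_HOSTS = {"my_machine", "my_machine.example.internal"}


def build_direct_request(path: str, local_port: int) -> bytes:
    """Request a browser sends over a plain port forward: the request line
    holds only the path; Host names the local tunnel endpoint."""
    return f"GET {path} HTTP/1.1\r\nHost: localhost:{local_port}\r\n\r\n".encode()


def build_proxy_request(url: str) -> bytes:
    """Request a browser sends when a proxy is configured: the request line
    carries the full URL, so the proxy knows what to fetch on its behalf."""
    netloc = urlsplit(url).netloc
    return f"GET {url} HTTP/1.1\r\nHost: {netloc}\r\nConnection: close\r\n\r\n".encode()


def parse_request(raw: bytes) -> dict:
    """Parse the request head into method, target host/port/path and form."""
    head = raw.decode("iso-8859-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()

    if target.startswith(("http://", "https://")):
        # Absolute form: the origin server is named in the request line itself.
        parts = urlsplit(target)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        return {"form": "absolute", "method": method, "host": parts.hostname,
                "port": parts.port or 80, "path": path}

    # Origin form: the only host information is the Host header, which here
    # points at the tunnel endpoint, not at the intranet server.
    host, _, port = headers.get("host", "").partition(":")
    return {"form": "origin", "method": method, "host": host,
            "port": int(port) if port else 80, "path": target}


def proxy_decision(raw: bytes, allowed=frozenset(INTRANET_HOSTS)) -> str:
    """What a restricted forward proxy would do with the incoming request."""
    req = parse_request(raw)
    if req["form"] != "absolute":
        # A real httpd instance would serve this from its own DocumentRoot;
        # it is not a proxy request and names no intranet host to fetch from.
        return "serve locally: origin-form request, no proxy target"
    if req["host"] not in allowed:
        return f"reject: {req['host']} is not an intranet host"
    return f"fetch http://{req['host']}:{req['port']}{req['path']}"


if __name__ == "__main__":
    direct = build_direct_request("/cgi-bin/blah.pl", 8080)
    via_proxy = build_proxy_request("http://my_machine/cgi-bin/blah.pl?x=1")
    for name, raw in (("port forward", direct), ("proxy request", via_proxy)):
        print(f"{name:14s} -> {parse_request(raw)['form']:8s} -> {proxy_decision(raw)}")
    print("outside target  ->", proxy_decision(build_proxy_request("http://www.example.com/")))
```

Run it as a script to see that the port-forwarded request never names `my_machine` anywhere, which is exactly why a reverse proxy cannot fix absolute links for it, whereas the proxy request carries the intranet URL and can be resolved on the work side. The allowlist check mirrors the point of the linked `#access` section: a tunnel endpoint with `ProxyRequests On` and no restriction is an open proxy for whoever can reach it.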


