I was trying to set up (SSH) Internet access to github.com on some servers which don’t have any Internet connectivity.
I wanted to use SSH instead of HTTP because this way you can use encryption keys instead of username and password authentication for GitHub.
There are some excellent guides out there on how to do this with corkscrew. I used one of those and almost got it working:
[martin@dhcp3b.hgl-pv ~]$ corkscrew 10.255.248.131 8080 github.com 22
Proxy could not open connnection to github.com: Forbidden
PuTTY displayed the same error, so the problem was probably with the proxy. To fix this, allow the (Squid) proxy to open a connection to port 22.
edit: /etc/squid/squid.conf
# Allow squid to establish a connection to destination port 22
acl ssh_port port 22 # ssh
# Allow SSH tunneling through Proxy/http from specific networks:
acl ssh_networks src 10.247.1.0/24 # IT&NOC Office Clients Hengelo:
acl ssh_networks src 10.248.1.0/24 # IT&NOC Office Clients Rijssen:
acl ssh_networks src 10.248.2.128/25 # IT&NOC MS VPN Clients Rijssen:
acl ssh_networks src 10.248.50.0/27 # IPTV Network management Rijssen:
acl ssh_networks src 10.247.50.0/27 # IPTV Network management Hengelo:
http_access allow ssh_port ssh_networks
dns_defnames on # Gets Multi LABEL DNS names to start working for ssh tunneling
Put the above “allow” before any “deny” statement that would otherwise match. I don’t want the whole RFC1918 range to be able to SSH through our proxy, so I explicitly configured only a few safe ranges.
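To see why the ordering matters, here is an added example (not part of the original post) that evaluates Squid's first-match http_access semantics over the ACLs above. It assumes the stock "http_access deny CONNECT !SSL_ports" line that ships with Squid sits below the added allow; the config text is a constructed excerpt, not the full squid.conf.

```python
import ipaddress

# Constructed squid.conf excerpt: the post's ssh ACLs followed by Squid's
# stock "deny CONNECT !SSL_ports" line, in the order the post recommends.
SQUID_CONF = """
acl ssh_port port 22                      # ssh
acl ssh_networks src 10.247.1.0/24        # office clients
acl ssh_networks src 10.248.1.0/24
acl ssh_networks src 10.248.2.128/25
acl ssh_networks src 10.248.50.0/27
acl ssh_networks src 10.247.50.0/27
http_access allow ssh_port ssh_networks
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
"""

def parse(conf):
    """Collect acl definitions (name -> (type, values)) and http_access rules in file order."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop trailing comments
        if not parts:
            continue
        if parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, term, src, port, method):
    """Evaluate one ACL term (with optional '!' negation) against a request."""
    negate = term.startswith("!")
    kind, values = acls[term.lstrip("!")]
    if kind == "src":
        hit = any(ipaddress.ip_address(src) in ipaddress.ip_network(v) for v in values)
    elif kind == "port":
        hit = str(port) in values
    elif kind == "method":
        hit = method in values
    else:
        raise ValueError(f"unsupported acl type {kind}")
    return hit != negate

def decide(conf, src, port, method="CONNECT"):
    """First http_access line whose ACLs all match wins; otherwise the opposite of the last line."""
    acls, rules = parse(conf)
    for action, terms in rules:
        if all(acl_matches(acls, t, src, port, method) for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

def with_allow_after_deny(conf=SQUID_CONF):
    """Same config with the ssh allow moved below the stock deny, to show why order matters."""
    allow = "http_access allow ssh_port ssh_networks"
    return conf.replace(allow + "\n", "") + allow + "\n"
```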
I consulted the (network) firewall administrator in advance; we are not blocking outbound SSH traffic, so no trouble there. Don’t put yourself in breach of any compliance rules here!
If you cannot reconfigure the Squid proxy but must use it because there is no NAT/public Internet access, another solution is to reconfigure the SSH daemon to listen on a different port. Try 21, 70, 80, 81, 210, 280, 443, 488, 563, 591 or 777; there is a good chance this works.
The “dns_defnames on” is there because at our site we separate function.location(.domainname) with a dot, i.e. dhcp3a.hgl-pv as a hostname. This is (officially) not allowed, but for us it makes sense. You probably don’t need it.
If you are connecting from a Linux box, install corkscrew (.ssh/config: ProxyCommand); with PuTTY you get a built-in proxy client (and server)!
PuTTY keeps amazing me! But reading some articles about Squid made me realize that Squid is also still alive and kicking. :)
Enjoy, and don’t use this to bypass your own or others’ firewall. It’s there for a reason!