Is it possible to tunnel https traffic via ssh tunnel with standard ssh-programs?

Can I reroute the https traffic (of an svn repository) via ssh-tunnel?

The problem is that the services that use https don't work if I just create one tunnel for listening with e.g.:

ssh -L 12345:server.com:443 localhost

Do I have to do something else? The aim is to tunnel https://PROJECT.googlecode.com/svn/ where PROJECT is the project name.


Solution 1:

An HTTPS connection can be redirected via SSH port forwarding - however the SSL/TLS certificate validation will fail in such cases as the host name does not match:

You are connecting to https://localhost:12345 but the server certificate contains the name server.com.

Instead of directly forwarding the HTTPS connection I would run an HTTP(s)/SOCKS proxy on the remote computer you are opening the SSH connection to. Then set up the program you want to tunnel to use this proxy through port forwarding. This would be a clean solution.

Update: It seems like SVN can use HTTP proxies but not SOCKS proxies. If you want to do so, you need an additional "socksifier" on your local system. See Serverfault.com: How can I set proxy for subversion with ssh tunnel?

Solution 2:

To be able to work around the certificate DNS mismatch issue while accessing the remote server with SSH tunnel, I did the following:

  1. Configure an SSH tunnel in putty so that local port 443 forwards traffic to the remote server (L443 : <remote.server.com>:443 )
  2. Update C:\Windows\System32\drivers\etc\hosts file to add an entry such as 127.0.0.1 <remote.server.com>
  3. If you are using an HTTP proxy server (for example if you are working from a corporate proxy), then bypass the <remote.server.com> host from system proxy
  4. Now you can access the remote server URL with https://<remote.server.com>
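
Added example (not part of either answer above): for a client you control, the name mismatch described in Solution 1 can be avoided without editing the hosts file as in Solution 2, by connecting the TCP socket to the forwarded port while giving the TLS layer the real hostname for SNI and certificate checks. The function names are hypothetical; server.com and port 12345 are the values from the question.

```python
import socket
import ssl


def strict_context():
    """Default client context: CERT_REQUIRED with hostname checking on."""
    return ssl.create_default_context()


def connect_via_tunnel(real_host, local_port, local_addr="127.0.0.1"):
    """Open TLS through an SSH local forward (ssh -L local_port:real_host:443 ...).

    The TCP connection goes to the forwarded port, but SNI and certificate
    hostname verification use real_host, so validation stays enabled.
    Raises ssl.SSLCertVerificationError if the certificate does not match.
    """
    raw = socket.create_connection((local_addr, local_port), timeout=10)
    try:
        return strict_context().wrap_socket(raw, server_hostname=real_host)
    except Exception:
        raw.close()
        raise


def client_hello_for(tls_name):
    """Offline check: return the ClientHello bytes produced for tls_name.

    No socket is involved, which shows that the name placed in the handshake
    is independent of the address the TCP connection is made to.
    """
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = strict_context().wrap_bio(incoming, outgoing, server_hostname=tls_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: no server is answering
    return outgoing.read()


if __name__ == "__main__":
    hello = client_hello_for("server.com")  # hostname from the question
    print("SNI carries server.com:", b"server.com" in hello)
    # With the tunnel from the question running, the live call would be:
    #   connect_via_tunnel("server.com", 12345)
```
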

Solution 3:

For Linux one could just use SSH dynamic port forwarding

Localhost: ssh -fND 1234 user-name@remote-ip-address-A

Remote host: ssh -fNL 12345:remote-ip-address-B:443 remote-ip-address-A

Open Firefox, install FoxyProxy and set it up as shown in the screengrab.

In Firefox click the FoxyProxy icon and select the proxy connection you just made. In the URL bar type https://127.0.0.1.

Additionally you could just bypass this whole thing and just use sshuttle. Using sshuttle's -H argument causes it to update your local /etc/hosts file as new remote hostnames are found. You will need this so that certificates will work properly.

sshuttle -H -vr user-name@remote-ip-address-A remote-net/ip-address-B