Marek Skrobacki

SSH: Connecting through HTTP proxy

If your proxy server supports the CONNECT method, you can use it to tunnel the SSH protocol. This is very useful if the servers you are connecting to are located in a restricted network and the only unrestricted access is through a bastion/jump host.

Most people just log in to the bastion host through SSH and then start an SSH client to their destination device from there. While it certainly works, it takes too much time, especially if you are using password authentication, because you need to type a password twice.

It’s much quicker to configure your local OpenSSH client to connect through the proxy. Unfortunately it does not have such built-in functionality, but it is relatively easy to achieve with an external application called ‘socat’ or ‘connect-proxy’. Below is an example using socat.

Installing socat

This will vary depending on your Linux distribution. I am using Arch Linux, so this is how I install socat:

resolving dependencies...
looking for inter-conflicts...

Targets (1): socat-1.7.2.1-1

Total Installed Size:   0.46 MiB
Net Upgrade Size:       0.00 MiB

Proceed with installation? [Y/n] y
(1/1) checking package integrity                                                        [###################################################] 100%
(1/1) loading package files                                                             [###################################################] 100%
(1/1) checking for file conflicts                                                       [###################################################] 100%
(1/1) checking available disk space                                                     [###################################################] 100%
(1/1) upgrading socat                                                                   [###################################################] 100%
[skrobul@atol ~]$ 

Example OpenSSH config

Let’s assume that your “jump” host is called bastion.example.com and you want all outbound SSH connections to be proxied through this bastion, except for noproxy.example.com, to which you want to connect directly. For the sake of example, we will assume that the proxy service is listening on port 3128 (the default in Squid).

Your ~/.ssh/config file should look like this:

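# ssh_config uses the first value it finds for each option, so the
# exceptions must appear before the catch-all "Host *" block.
Host bastion.example.com noproxy.example.com
    ProxyCommand none

# Every other host is reached through the HTTP proxy on the bastion.
Host *
    ProxyCommand socat STDIO PROXY:bastion.example.com:%h:%p,proxyport=3128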

You can verify that it works by connecting to any host behind the jump server with the “-v” option. In the debug output you should see a line similar to this:

debug1: Executing proxy command: exec socat STDIO PROXY:10.9.30.111:184.106.124.64:22,proxyport=3128
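
Added example, not part of the original post: the HTTP CONNECT handshake that a ProxyCommand helper performs before any SSH traffic flows, including the case where the proxy refuses the tunnel. The function names, the 192.0.2.10 target and the canned proxy replies are constructed for illustration, and the exact request bytes socat sends may differ.

```python
import socket

def build_connect_request(host, port):
    # Request line for an HTTP tunnel; a blank line ends the (empty) headers.
    return f"CONNECT {host}:{port} HTTP/1.0\r\n\r\n".encode("ascii")

def read_proxy_reply(sock, limit=65536):
    """Read the proxy's reply headers; return (status, bytes after headers)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed before completing its reply")
        buf += chunk
        if len(buf) > limit:
            raise ValueError("proxy reply headers too large")
    head, _, rest = buf.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line from proxy")
    return int(parts[1]), rest

def open_tunnel(sock, host, port):
    """Ask the proxy for a tunnel; only a 2xx status means the tunnel is up."""
    sock.sendall(build_connect_request(host, port))
    status, rest = read_proxy_reply(sock)
    if not 200 <= status < 300:
        raise PermissionError(f"proxy refused CONNECT {host}:{port}: HTTP {status}")
    # 'rest' may already hold the start of the SSH banner sent by the target.
    return rest

def demo(reply):
    """Run open_tunnel against a constructed proxy reply over a socketpair."""
    client, proxy = socket.socketpair()
    try:
        proxy.sendall(reply)  # canned reply, constructed for this example
        early = open_tunnel(client, "192.0.2.10", 22)  # TEST-NET address
        return proxy.recv(4096), early
    finally:
        client.close()
        proxy.close()

if __name__ == "__main__":
    ok = b"HTTP/1.0 200 Connection established\r\n\r\nSSH-2.0-Example\r\n"
    print(demo(ok))
    try:
        demo(b"HTTP/1.0 403 Forbidden\r\n\r\n")
    except PermissionError as exc:
        print("refused:", exc)
```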