Skip to content

ThomasHabets/huproxy

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

32 Commits
cmd
cmd
 
 
lib
lib
 
 
.gitignore
.gitignore
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

HUProxy

Copyright 2017 Google Inc.

This is not a Google product.

HTTP(S)-Upgrade Proxy — Tunnel anything (but primarily SSH) over HTTP websockets.

Why

The reason for not simply using a SOCKS proxy or similar is that they tend to take up an entire port, while huproxy only takes up a single URL subdirectory.

There's also SSL/SSH multiplexers but they:

  1. Take over the port and front both the web server and SSH, instead of letting the web server be the primary owner of port 443.
  2. For SSH don't look like SSL for packet inspectors, because they're not.
  3. Hide the original client address from the web server (without some interesting iptables magic).
  4. Only allow connecting to the server itself, not treat it as a proxy jumpgate.

Setup

nginx

Create user

sudo htpasswd -c /etc/nginx/users.proxy thomas

Add config to nginx

map $http_upgrade $connection_upgrade {
    default upgrade;
         '' close;
}

server {
    # ... other config
    location /proxy {
        auth_basic "Proxy";
        auth_basic_user_file /etc/nginx/users.proxy;
        proxy_pass http://127.0.0.1:8086;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        # proxy_set_header Connection "upgrade";
        proxy_set_header Connection $connection_upgrade;
    }
    # ... other config
}

Start proxy:

./huproxy

Start proxy with specific IP:port:

./huproxy -listen 10.1.2.3:8086

Running

These commands assume that HTTPS is used. If not, then change "wss://" to "ws://".

echo thomas:secretpassword > ~/.huproxy.pw
chmod 600 ~/.huproxy.pw
cat >> ~/.ssh/config << EOF
Host shell.example.com
    ProxyCommand /path/to/huproxyclient -auth=@$HOME/.huproxy.pw wss://proxy.example.com/proxy/%h/%p
EOF

ssh shell.example.com

Or manually with these commands:

ssh -o 'ProxyCommand=./huproxyclient -auth=thomas:secretpassword wss://proxy.example.com/proxy/%h/%p' shell.example.com
ssh -o 'ProxyCommand=./huproxyclient -auth=@<(echo thomas:secretpassword) wss://proxy.example.com/proxy/%h/%p' shell.example.com
ssh -o 'ProxyCommand=./huproxyclient -auth=@$HOME/.huproxy.pw wss://proxy.example.com/proxy/%h/%p' shell.example.com

If remote server uses self-signed or invalid certificate then use -insecure_conn, for example:

ssh -o 'ProxyCommand=./huproxyclient -insecure_conn wss://proxy.example.com/proxy/%h/%p' shell.example.com

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

75 stars

Watchers

3 watching

Forks

16 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Go 97.0%
  • Dockerfile 3.0%