BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] ssh tunnels

Subject: [Discuss] ssh tunnels
From: warlord at MIT.EDU (Derek Atkins)
Date: Mon, 25 Feb 2013 11:00:32 -0500
In-reply-to: <5127A82D.4020708@horne.net> (Bill Horne's message of "Fri, 22 Feb 2013 12:17:33 -0500")
References: <51277385.9090209@gmail.com> <5127960D.6090302@horne.net> <20130222110417.000067b0.Richard.Pieri@gmail.com> <5127A82D.4020708@horne.net>

Bill Horne <bill at horne.net> writes:

> On 2/22/2013 11:04 AM, Rich Pieri wrote:
>> On Fri, 22 Feb 2013 11:00:13 -0500
>> Bill Horne<bill at horne.net>  wrote:
>>
>>> Speaking of ssh tunnels, can someone figure out how to tunnel through
>>> ssh to a virtual domain?
>> Clarify what you mean by "virtual domain".
>
> Many web servers, mine included, are set up so that they deliver
> different pages, based on which domain name is included in the http
> headers sent with the request.

This is a requirement of HTTP/1.1 -- you need to send the Host: header
in the HTTP headers to tell the server the target hostname.

> For example:
>
> 67.190.84.154 - - [17/Feb/2013:15:42:25 -0800] "GET / HTTP/1.1" 200
> 4816 "http://billhorne.com/"; "Mozilla/5.0 (Windows NT 6.1; WOW64;
> rv:18.0) Gecko/20100101 Firefox/18.0"

Well, this isn't *quite* what's going on.  You're seeing a log message,
but it's not necessarily showing you what's in the HTTP request.  The
'200' is the response code from the server which means "Success".  The
request looks like:

GET / HTTP/1.1
Host: billhorne.com

[snip]
> Of course, it's also possible to set up the server so that it delivers
> the same page no matter which domain name is included in the
> headers. There is usually a default "splash" page to handle requests
> that are for an invalid domain, or which were sent with only an IP
> address. Since ssh tunnels require that the browser access the
> tunneled site via a localhost port, Apache doesn't get the desired
> domain name in the header, and it delivers the default page instead of
> the one that the user wanted.

SSH has nothing to do with this.  SSH just performs TCP connection
proxying, either directly via a -L or -R port-forwarding line, or via a
-D SOCKS proxy.  In neither case does it affect the HTTP headers being
sent, it only (potentially) changes the target IP that gets contacted.

For example, I use FoxyProxy in firefox along with an ssh Socks Proxy to
allow myself to connect to a bunch of 'behind the firewall' web
services.  Firefox sets the Host header to the target based on the URL,
foxyproxy routes it over ssh, ssh sends it to the "correct" server.

> Bill

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available

References:
- [Discuss] Secure VNC
  - From: gaf.linux at gmail.com (Jerry Feldman)
- [Discuss] Secure VNC
  - From: bill at horne.net (Bill Horne)
- [Discuss] ssh tunnels
  - From: richard.pieri at gmail.com (Rich Pieri)
- [Discuss] ssh tunnels
  - From: bill at horne.net (Bill Horne)

Prev by Date: [Discuss] btrfs
Next by Date: [Discuss] USB thumbdrive, Linux only usage: FAT vs NTFS vs other? TRIM support?
Previous by thread: [Discuss] ssh tunnels
Next by thread: [Discuss] nouveau E[DRM] GPU lockup - switching to software fbcon
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Boston Linux & Unix / webmaster@blu.org