Port Forward or TCP tunneling over HTTP

The development is now at https://github.com/luizluca/bridge

In some places, network is locked behind a firewall and Internet connection is available only by using a proxy server. If you wishes to connect to your SSH at home, you're in trouble. However, there is a simple solution to this: tunneling over HTTPS. However, if you are one of those lucky guys that cannot use tunneling over HTTPS, this page can help you.

Using any protocol that can exchange information, it is possible to encapsulate a connection over it. Some not-so-common examples are: IP-over-DNS, IP-over-ICMP. This page shows a TCP tunneling solution (like ssh -L option) (ab)using HTTP.

The program is divided in two parts: the first one implements a HTTP server, that can be setup to run on any server. However, it is generally easier to have ports 80 or 8080 as authorized ports in your proxy server.
The seconds part is the client program. It opens a local TCP port or reads STDIN. After a connection is received, it connects to the server program just like a browser would do and exchange packages using HTTP requests (in this case: GET, PUT, POST, DELETE).

How to run

Download bridge file (attachments bellow this page). It is a ruby script that implements both server and client. It depends on webrick and net:http that are also ruby on rails dependencies. Run it as any other ruby script. Server is activated when two parameters are passed: local server port and relative URL

bridge$ ruby bridge 8080 /bridge

This brings up Webrick running in port 8080 and answering bridge requests at http://myserver:8080/bridge
Now, it is time to run the client program:

client$ ruby bridge 8022 http://myserver:8080/bridge mysshserver.xxx.com 22

If everything goes OK, the client program starts to listen on port 8022 (user "-" intead of 8022 for STDIN/STDOUT). When someone connects to it, it translates the communication with HTTP commands and forwards them to myserver that effectively connects to mysshserver.xxx.com at port 22. As 22 is a ssh port, one can use this tunneling using:

client$ ssh localhost -p 8022

mysshserver $

Now, someone might like to use SSH to setup a SOCKS server, a reverse TCP port, etc or just connect to a remote VPN server.

This command can also be used as ProxyCommand in OpenSSH client. In this casem the use of bridge is more "transparent".

Host *.xxx.com
    ProxyCommand bridge - http://myserver:8080/bridge %h %p
Host mysshserver2
    ProxyCommand bridge - http://myserver:8080/bridge 
mysshserver2.noip.org 8022

And call ssh as usual. For any xxx.com server:

client$ ssh mysshserver.xxx.com

mysshserver $

And for server2:

client$ ssh mysshserver2

mysshserver2 $


  • 2010-09-01
    • Add TCP keepalive flags for local socket (thanks Jan Adámek)
    • Increased local buffer to 640k
    • Fixed sync problem with stdin/out when using as ProxyCommand inside ssh config
    • Reconnection on client-webrick disconnection
    • Fixed proxy absence 
    • Specified webrick timeout (10m)
    • Treated more signals
    • Divide connection (open, read, write)

Possible future features

  • (FIXED) Fix timeout disconnections - thanks Jan Adámek
  • Security concerns (really?)
  • Implement port forward as a SOCKS5 Server (or just use ssh -D over the tunnel)
  • Allow multiple client connection (persistent local client)
Luiz Angelo Daros de Luca,
Sep 1, 2010, 3:18 PM