How to configure HTTP CONNECT to SSH Proxy?
Wladislav Artsimovich
git at frost.kiwi
Tue May 14 08:03:30 UTC 2024
Dear NGINX Mailing list,
I'm a user of https://github.com/proxytunnel/proxytunnel to connect to SSH over HTTPS. This requires the HTTP server to redirect the traffic to a local SSH server.
Following http://dag.wiee.rs/howto/ssh-http-tunneling/ I implemented this on my server using Apache. Works great! Now I wish to transfer that config to nginx using ngx_http_proxy_connect_module. Is this possible?
For simplicity, the following example shows the non-encrypted configuration. The configuration is from my NixOS config.
```nix
httpd = {
  enable = true;
  virtualHosts."localhost:21343" = {
    listen = [
      {
        ip = "*";
        port = 21343;
        ssl = false;
      }
    ];
    extraConfig = ''
      LoadModule proxy_module modules/mod_proxy.so
      LoadModule proxy_connect_module modules/mod_proxy_connect.so
      LoadModule proxy_http_module modules/mod_proxy_http.so
      ProxyRequests on
      AllowConnect 22
      <Proxy *>
        # Deny all proxying by default ...
        Require all denied
      </Proxy>
      <Proxy 127.0.0.1>
        # Now allow proxying through localhost only
        Require all granted
      </Proxy>
    '';
  };
};
```
This results in a successful connection, as tested by `proxytunnel.exe -v`. (Here the connection goes through an additional local proxy, `127.0.0.1:54450`, which is not relevant to the question.)
```
proxytunnel.exe -v -q -p 127.0.0.1:54450 -r example.org:21343 -d 127.0.0.1:22
Tunneling to example.org:21343 (remote proxy)
Communication with local proxy:
-> CONNECT example.org:21343 HTTP/1.1
-> Host: example.org:21343
-> Proxy-Connection: Keep-Alive
<- HTTP/1.1 200 Connection established
<-
Tunneling to 127.0.0.1:22 (destination)
Communication with remote proxy:
-> CONNECT 127.0.0.1:22 HTTP/1.1
-> Host: 127.0.0.1:22
-> Proxy-Connection: Keep-Alive
<- HTTP/1.0 200 Connection Established
<- Proxy-agent: Apache/2.4.59 (Unix)
<-
Tunnel established.
SSH-2.0-OpenSSH_9.6
```
Now I configure the same with nginx, because nginx is my main HTTP server and I wish to do this over a subdomain, instead of another random non-standard port.
```nix
nginx = {
  enable = true;
  recommendedProxySettings = true;
  recommendedTlsSettings = true;
  recommendedGzipSettings = true;
  recommendedBrotliSettings = true;
  recommendedZstdSettings = true;
  recommendedOptimisation = true;
  additionalModules = [ pkgs.nginxModules.http_proxy_connect_module_v24 ];
  virtualHosts = {
    "example.org" = {
      root = "/var/www/example.org";
      enableACME = true;
      forceSSL = true;
    };
    "ssh.example.org" = {
      extraConfig = ''
        proxy_connect;
        proxy_connect_allow all; # For testing set to all
        proxy_connect_address 127.0.0.1:22;
      '';
    };
  };
};
```
Connecting to this results in a rejection, however.
```
proxytunnel.exe -v -q -p 127.0.0.1:54450 -r ssh.example.org:80 -d 127.0.0.1:22
Tunneling to ssh.example.org:80 (remote proxy)
Communication with local proxy:
-> CONNECT ssh.example.org:80 HTTP/1.1
-> Host: ssh.example.org:80
-> Proxy-Connection: Keep-Alive
<- HTTP/1.1 200 Connection established
<-
Tunneling to 127.0.0.1:22 (destination)
Communication with remote proxy:
-> CONNECT 127.0.0.1:22 HTTP/1.1
-> Host: 127.0.0.1:22
-> Proxy-Connection: Keep-Alive
<- HTTP/1.1 405 Not Allowed
<- Server: nginx
<- Date: Fri, 10 May 2024 05:33:10 GMT
<- Content-Type: text/html
<- Content-Length: 150
<- Connection: keep-alive
<-
```
What am I doing wrong? Is this possible?
Best regards,
Vlad
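Added example, not part of the original post and not proxytunnel's own code: a small Python parser for the `proxytunnel -v` output shown above that reports, per proxy hop, the CONNECT target, the Host header sent and the reply, and picks out the hop that refused the tunnel. The function names and the abridged sample transcript are constructed for illustration.

```python
import re

HOP = re.compile(r"^Communication with (local|remote) proxy:$")
REQUEST = re.compile(r"^-> CONNECT (\S+) HTTP/\d\.\d$")
SENT_HOST = re.compile(r"^-> Host: (\S+)$")
STATUS = re.compile(r"^<- HTTP/\d\.\d (\d{3}) ?(.*)$")
HEADER = re.compile(r"^<- ([A-Za-z-]+): (.*)$")

def parse_hops(transcript):
    """Return one dict per proxy hop seen in `proxytunnel -v` output."""
    hops = []
    for line in map(str.strip, transcript.splitlines()):
        if m := HOP.match(line):
            hops.append({"proxy": m.group(1), "target": None, "sent_host": None,
                         "status": None, "reason": "", "headers": {}})
        elif not hops:
            continue  # banner lines before the first hop
        elif m := REQUEST.match(line):
            hops[-1]["target"] = m.group(1)
        elif m := SENT_HOST.match(line):
            hops[-1]["sent_host"] = m.group(1)
        elif m := STATUS.match(line):
            hops[-1]["status"], hops[-1]["reason"] = int(m.group(1)), m.group(2)
        elif m := HEADER.match(line):
            hops[-1]["headers"][m.group(1).lower()] = m.group(2)
    return hops

def first_refusal(hops):
    """First hop whose CONNECT reply was missing or not 2xx, else None."""
    for hop in hops:
        if hop["status"] is None or not 200 <= hop["status"] < 300:
            return hop
    return None

# Constructed sample, abridged from the failing transcript in the post.
FAILING = """\
Communication with local proxy:
-> CONNECT ssh.example.org:80 HTTP/1.1
-> Host: ssh.example.org:80
<- HTTP/1.1 200 Connection established
<-
Communication with remote proxy:
-> CONNECT 127.0.0.1:22 HTTP/1.1
-> Host: 127.0.0.1:22
<- HTTP/1.1 405 Not Allowed
<- Server: nginx
<-
"""
```

`first_refusal(parse_hops(FAILING))` returns the remote hop: the local proxy answered 200, and the 405 came from the server identifying itself as nginx in reply to `CONNECT 127.0.0.1:22`.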