Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

reverse SSH tunnels and mediawiki

30 views
Skip to first unread message

pdc...@yahoo.co.uk

unread,
Nov 10, 2005, 9:55:43 AM11/10/05
to
ive got media wiki running at work and in the office can do
http://serveratwork/mediawiki and it appears

On leaving work I do
ssh -R 2096:localhost:80 www.serverathome
from my linux box

then at home from my desktop I do
http//serverathome:2096
and my apache page comes up

http://serverathome:2096/mediawiki
gives a name not found error unless i add to my client /etc/hosts

serveratwork 192.168.0.1(home server IP address)

and then http:/serverathome:2096/mediawiki

tells me the wiki isnt installed and takes me to the configuration page
, yet at the same time my secretary can access it from the LAN at work
with http://serveratwork/mediawiki

Why ?( I suspect it could be somthing to do with PHP sessions???)
Is it soluble?

Richard E. Silverman

unread,
Nov 10, 2005, 12:13:40 PM11/10/05
to
>>>>> "PDC" == pdc124@yahoo co uk <pdc...@yahoo.co.uk> writes:

PDC> ive got media wiki running at work and in the office can do
PDC> http://serveratwork/mediawiki and it appears

PDC> On leaving work I do ssh -R 2096:localhost:80 www.serverathome
PDC> from my linux box

PDC> then at home from my desktop I do http//serverathome:2096 and my
PDC> apache page comes up

PDC> http://serverathome:2096/mediawiki gives a name not found error
PDC> unless i add to my client /etc/hosts

PDC> serveratwork 192.168.0.1(home server IP address)

PDC> and then http:/serverathome:2096/mediawiki

PDC> tells me the wiki isnt installed and takes me to the
PDC> configuration page , yet at the same time my secretary can access
PDC> it from the LAN at work with http://serveratwork/mediawiki

PDC> Why ?

1) When you type http//serverathome:2096 into your browser, it supplies
the name "serverathome" to the web server in the Host header of the
HTTP request. The server doesn't know anything about this name.

2) The wiki code generates links in its HTTP output that refer to
"serveratwork". Your local host doesn't know anything about that
name.

PDC> Is it soluble?

As you discovered, you can fix it in a limited way if you map the name
"serveratwork" on the client side. However, what you really need is a
proxy. If your web browser supports SOCKS, you may be able to use the
OpenSSH -D feature -- although this is less useful than it should be,
since (at least the last time I checked) OpenSSH does not pass name
resolution through SOCKS. Also, you'd have to establish an SSH connection
from home to work. Alternatively, you could run an HTTP proxy
(e.g. Squid) at work, forward a port to that, and set your browser to use
the forwarded socket as its HTTP proxy.

--
Richard Silverman
r...@qoxp.net

pdc...@yahoo.co.uk

unread,
Nov 10, 2005, 2:28:46 PM11/10/05
to
thanks.
the other possibility ive thought about is to create the ssh tunnel
with portforwarding to bring it to my desktop box and then use a VNC
connection to go back to 'serveratwork' and run a simple GUI on it.
Dont know enough yet about SSH to see if I can portford a reverse SSH
connection.

My server has shorewall as a firewall.

Is that do-able from the SSH point of view ? - and then I just point
a vnc client to eg localhost:5910 and my serveratwork GUI should appear
!

pdc...@yahoo.co.uk

unread,
Nov 10, 2005, 3:30:11 PM11/10/05
to
or would a mod_rewrite rule converting 'serverathome' to
'serveratwork' sort the first problem ?

or some sort of proxypass directive translate both ways

Darren Tucker

unread,
Nov 10, 2005, 3:39:02 PM11/10/05
to
On 2005-11-10, Richard E. Silverman <r...@qoxp.net> wrote:
> If your web browser supports SOCKS, you may be able to use the
> OpenSSH -D feature -- although this is less useful than it should be,
> since (at least the last time I checked) OpenSSH does not pass name
> resolution through SOCKS.

It's time to check again :-)

OpenSSH has supported SOCKS5 since (I think) 3.7x, and it includes support
for remote host lookups (ie SOCKS5_DOMAIN) if the SOCKS client sends them.

Last time I checked most browsers don't send SOCKS5_DOMAIN requests even
when they're configured to use SOCKS5, though.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Richard E. Silverman

unread,
Nov 10, 2005, 4:33:56 PM11/10/05
to
>>>>> "DT" == Darren Tucker <dtu...@gate.dodgy.net.au> writes:

DT> On 2005-11-10, Richard E. Silverman <r...@qoxp.net> wrote:
>> If your web browser supports SOCKS, you may be able to use the
>> OpenSSH -D feature -- although this is less useful than it should
>> be, since (at least the last time I checked) OpenSSH does not pass
>> name resolution through SOCKS.

DT> It's time to check again :-)

DT> OpenSSH has supported SOCKS5 since (I think) 3.7x, and it includes
DT> support for remote host lookups (ie SOCKS5_DOMAIN) if the SOCKS
DT> client sends them.

DT> Last time I checked most browsers don't send SOCKS5_DOMAIN
DT> requests even when they're configured to use SOCKS5, though.

Thanks for the correction Darren -- in fact, I didn't even remotely write
what I was thinking. :) What I meant to say was just what you said: that
most *browsers* don't do the right thing (not OpenSSH), making the method
much less useful than it should be. In fact, I believe the only browser I
ever found that did resolve names via socks5 was, amazingly enough... IE
for OS X. If anyone knows of any others, I'd love to hear about it.

--
Richard Silverman
r...@qoxp.net

pbarwich

unread,
Nov 13, 2005, 6:10:05 AM11/13/05
to
What I've found useful, at least in the windows world, is proxycap
(http://proxylabs.netwu.com/) or sockscap
(http://www.socks.nec.com/Download/SocksCapDownload/index.asp). Sockscap
is free (for non-commercial, and you need to register), but time limited
(about a year) whereas proxycap costs a few dollars.
What they both do is grab packets coming from any specified application
which would otherwise be destined for the internet (e.g. your
browser/mailclient etc.) and route them to a defined proxy. The useage
with putty/openssh is to route them to localhost port 1080 (you choose),
where putty encrypts/portforwards them to your remote SSH server, where
they are unwrapped and carry on their way to the internet. Using Putty's
'D' (dyanamic) port forward option (on port 1080, as set above) allows
any IP that the application is sending stuff to, to be port forwarded.
In other words the whole setup acts as a proxy web server at the remote,
SSH server, IP. This has the effect of anonymising the original IP; web
pages see only the IP of the SSH server, and allows you to tunnel
through proxy server firewalls, using the proxy features in Putty. Also
any traffic (personal mail, forbidden web-sites) is encrypted as it
travels through your local network, right up to your personal machine,
so your local IT admin/chinese firewall admin, can't read it.

Now most of you on this board probably knew this; I'm new at this, but
hopefully it will help someone.

0 new messages