How to set up that specific domains are tunneled to another server

8

5

I am working at a university as a research assistant. Often I would like to connect from home to university resources over http or ssh, but they are blocked from outside access. Therefore, they have a front-end ssh server which we can ssh into and from there to other hosts. For http access they advise setting up an ssh tunnel like this

ssh -L 1234:proxyserver.university.fi:8080 publicsshserver.university.fi

and put the proxy settings of your browser to point to port 1234

All nice and working, but I would not like to let all my other internet traffic go over this proxy server, and every time I want to connect to the university I have to do these steps again.

What would I like:

  • Set up an ssh tunnel every time I log in to my computer. I have a certificate, so no passwords are needed
  • Have a way to redirect some wildcard-domains always through the ssh-server first. So that when I type intra.university.fi in my browser, transparently the request is going through the tunnel. Same when I want to ssh into another resource within the university

Is this possible? For the http part I think I maybe should set up my own local transparent proxy to have this easily done. How about the ssh part?

Peter Smit

Posted 2010-03-06T06:34:23.700

Reputation: 7 906

Answers

5

This is really easy to do. I use it all the time to access the database behind our production webserver.

1) The first part was a question I asked a bit ago.

You can alias it in your ~/.bashrc.

Add that line

alias university_ssh="ssh -L 1234:proxyserver.university.fi:8080 publicsshserver.university.fi" 

And reload the bashrc file with source ~/.bashrc

And now you only have to type university_ssh to ssh to your database server.

2) Next you need to edit your /etc/hosts file to add university.loc (.loc is a fake TLD) and have it point to localhost:1234. For example, my hosts file looks like this:

127.0.0.1       localhost
127.0.1.1       ubuntu-64-desktop
127.0.0.1       code2design.loc    localhost

and now I can type code2design.loc to access my local version of code2design.com on my PC.

3) Last, change your browser proxy back to nothing, as you don't need it anymore, since typing university.loc is now set up to use that tunnel.

Updated

I would try adding the port to the hosts file (127.0.0.1:port or localhost:port) and you could also change the .loc TLD to the real .fi TLD if you are worried about virtual hosts breaking.

So for you it might look like this:

127.0.0.1       localhost
127.0.1.1       ubuntu-64-desktop
127.0.0.1       university.fi    localhost:1234

Xeoncross

Posted 2010-03-06T06:34:23.700

Reputation: 3 274

Where exactly are you pointing things to port 1234? I don't see that in the example in step 2 – Peter Smit – 2010-03-14T19:20:05.610

This answer is not perfect yet, but still I accept it as it is the best and the deadline is in an hour. Can you still answer my question above here? – Peter Smit – 2010-03-15T04:40:38.503

This answer requires you to always connect to port 1234, which means an awful lot of typing/changing URLs. Also, if you use the .loc TLD instead of whatever the real TLD was, name-based virtual hosts will stop working. I am curious as to why you did not respond to my PAC suggestion below, as it only requires you to add the URLs in one place (the PAC file). – janmoesen – 2010-03-15T07:40:59.347

updated question – Xeoncross – 2010-03-15T15:57:23.273

What does the port thing in the hosts file do? – janmoesen – 2010-03-15T21:32:18.863

It should route all requests to university.fi to localhost:1234 - though I might be mistaken. – Xeoncross – 2010-03-16T01:24:08.260

You are. Gravely. From man hosts: IP_address canonical_hostname [aliases...]. IMO, this is not an adequate solution. – janmoesen – 2010-03-19T12:15:48.987

Note that multiple hosts for the same IP address can just be placed on one line, so your example could be rewritten as 127.0.0.1 localhost ubuntu-64-desktop university.fi. – Mathias Bynens – 2011-04-01T12:58:51.400

7

I use a Proxy Auto-Config (PAC) file for this. I'd paste mine here, but Wikipedia has a nice example file.

In your browser, point the "Use proxy auto-configuration from" to said file (maybe hosted on a shared web server). Works in pretty much every half-decent browser.

Note that you still need to set up your SSH tunnels, though. (Or use a ssh -D SOCKS proxy for certain hosts only, defined in your PAC – but SOCKS does not work in Opera.)

EDIT: Right, since there does not seem to be much interest from your side, I will expand my answer a bit. :-)

To automatically set up your SSH tunnel, sudo apt-get install autossh and put this in your crontab:

# -N: tunnel only, no remote shell (cron has no terminal); -M 0 with the ServerAlive* options lets ssh itself detect a dead link so autossh can restart it
@reboot autossh -M 0 -N -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -L 1234:proxyserver.university.fi:8080 publicsshserver.university.fi

Alternatively, you can put the ssh command in your ~/.bash_profile or ~/.bashrc.

Now, as for determining which domains to proxy and which to connect to directly, create a PAC like this:

function FindProxyForURL(url, host)
{
    var httpProxy = 'PROXY 127.0.0.1:1234';
    var noProxy = 'DIRECT';
    var default_ = noProxy;

    // Host matches that use the HTTP proxy.
    var httpProxyMatches = [
        'intranet.university.fi',
        'webmail.university.fi',
        '*yourwildcard*'
    ];
    // Check all host patterns; the first match wins.
    for (var i = 0; i < httpProxyMatches.length; i++) {
        if (shExpMatch(host, httpProxyMatches[i])) {
            alert('HTTP ' + httpProxy + ' match for host: ' + host + '; url: ' + url);
            return httpProxy;
        }
    }
    // No pattern matched: connect directly.
    alert('DEFAULT ' + default_ + ' for host: ' + host + '; url: ' + url);
    return default_;
}
alert('PAC loaded at ' + new Date() + '.');

Then, go to Firefox's advanced network settings and point it to that file. If successful, you will see the "PAC loaded" message in your JavaScript console (Ctrl+Shift+J). If you are not using Firefox, remove the "alert" lines.

This is a pretty basic PAC, but it should help you on your way. Mine also looks at IP netmasks to determine internal/external services, etc.

Let us know how you are getting along.

janmoesen

Posted 2010-03-06T06:34:23.700

Reputation: 498
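The answer above shows the shape of a PAC; the following is an added example, written for this page and not janmoesen's or anyone else's code, that turns the same idea into a complete PAC which can be run and tested offline. The browser-supplied helpers shExpMatch() and dnsDomainIs() are shimmed only when absent (Node lacks them), so the same file works unchanged in Firefox. The tunnel port 1234 and the university.fi names come from the question; the entries in tunnelHostPatterns and directHosts are assumptions to be replaced with your own.

```javascript
// Added example (not from the answers above): a PAC file that sends only
// university hosts through the ssh -L tunnel on 127.0.0.1:1234 and lets all
// other traffic go DIRECT. Host names are the question's own; the patterns
// in tunnelHostPatterns and directHosts are assumptions.

// Browsers give PAC scripts shExpMatch() and dnsDomainIs(). Node does not, so
// equivalents are defined here only when missing, which lets this file be
// run and tested offline without shadowing the browser's own functions.
if (typeof shExpMatch === 'undefined') {
  // Shell-style glob: '*' matches any run of characters, '?' exactly one.
  globalThis.shExpMatch = function (str, pattern) {
    var re = pattern
      .replace(/[.+^${}()|[\]\\]/g, '\\$&')  // escape regex metacharacters
      .replace(/\*/g, '.*')
      .replace(/\?/g, '.');
    return new RegExp('^' + re + '$').test(str);
  };
}
if (typeof dnsDomainIs === 'undefined') {
  // True when host ends with domain, e.g. dnsDomainIs('a.b.fi', '.b.fi').
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.slice(host.length - domain.length) === domain;
  };
}

var TUNNEL = 'PROXY 127.0.0.1:1234';  // local end of the ssh -L forward
var DIRECT = 'DIRECT';

// Exact names or globs that must use the tunnel. Keep globs narrow: a pattern
// such as '*.fi' would route every Finnish site through the university.
var tunnelHostPatterns = [
  'intra.university.fi',
  'webmail.university.fi',
  '*.intra.university.fi'
];

// Whole domain to tunnel; the leading dot stops 'notuniversity.fi' matching.
var tunnelDomain = '.university.fi';

// Hosts inside that domain that are reachable from the internet anyway.
var directHosts = ['publicsshserver.university.fi'];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();  // the PAC matching helpers are case-sensitive

  if (host === 'localhost' || host === '127.0.0.1') return DIRECT;
  for (var d = 0; d < directHosts.length; d++) {
    if (host === directHosts[d]) return DIRECT;
  }

  var useTunnel = (host === tunnelDomain.slice(1)) ||
                  dnsDomainIs(host, tunnelDomain);
  for (var i = 0; i < tunnelHostPatterns.length && !useTunnel; i++) {
    useTunnel = shExpMatch(host, tunnelHostPatterns[i]);
  }

  // No '; DIRECT' fallback on purpose: if the tunnel is down the request
  // fails locally instead of leaking an intranet URL onto the public network.
  return useTunnel ? TUNNEL : DIRECT;
}
```

Save it as a .pac file and point the browser's automatic proxy configuration URL at it (a file:// URL is fine). Because the browser still sends the proxy the original URL and Host header (and issues CONNECT for https), name-based virtual hosts keep working, which the .loc hosts-file trick above breaks.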

1

Disclaimer: haven't tested this, just an idea.

Perhaps you could force the private domains to use the 'proxy' by simply editing the host configuration on your local system. If you manually point all the domains to localhost, and had the tunnel established, wouldn't:

http://privateaccess.tld:1234

Send a request to:

localhost:1234

Which is really a port forward to the internal network proxy server. The request should still be for the same domain, so the proxy server should respond correctly.

Or so it seems to me. Again, just an idea.

Tim Lytle

Posted 2010-03-06T06:34:23.700

Reputation: 959

Yeah this would work, but it is not easy and pretty. And how about ssh? Would it go through? – Peter Smit – 2010-03-10T05:52:44.480

You're sshing through the ssh tunnel? – Tim Lytle – 2010-03-10T12:52:42.933

As for easy, it really doesn't seem that hard, you list the internal domains in your hosts file, and you open an ssh tunnel. – Tim Lytle – 2010-03-10T14:47:16.450

Yeah, I ssh through a tunnel. The host I want to ssh to is not available from the internet, but is available from the "DMZ"-host – Peter Smit – 2010-03-11T12:23:58.920

1

FoxyProxy (http://foxyproxy.mozdev.org/) solves the automatic proxy selection problem. It's designed for exactly this purpose, but is, of course, specific to firefox.

TREE

Posted 2010-03-06T06:34:23.700

Reputation: 1 147

0

Try setting up SOCKS-proxy with ssh (ssh -D <portnumber> publicsshserver.university.fi) and configure your browser to use 127.0.0.1 and <portnumber> as proxy. You can then add domains that it should or shouldn't use the proxy for. For other services (for example vnc) you can use tsocks to make it use your tunnel.

Jimmy Hedman

Posted 2010-03-06T06:34:23.700

Reputation: 886

How can I "add domains"? In my browser settings? Opera only supports exclude patterns. How about the ssh connections? How can I set them to use the SOCKS proxy? – Peter Smit – 2010-03-06T13:04:38.263

I haven't used Opera so I can't really tell. You could perhaps use tsocks for that too. Use "tsocks ssh <sitethatneedstheproxy>" to ssh to sitethatneedstheproxy via your socks proxy. – Jimmy Hedman – 2010-03-10T20:55:03.313

Opera still does not support SOCKS proxies, I'm afraid. Ran into this issue earlier this week. It does support PAC, though. See my answer. :-) – janmoesen – 2010-03-11T21:13:14.043
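For the ssh half of the question (reaching internal hosts that are only visible from the front-end server), OpenSSH can do this itself, without tsocks or a SOCKS proxy. The following ~/.ssh/config is an added example for this page, not code from any of the answers; the host names are the question's own, while the university-tunnel alias and the IdentityFile path are assumptions. It assumes OpenSSH 5.4 or newer on the home machine (for ssh -W) and that the front-end server permits TCP forwarding, which it evidently does since the -L tunnel works.

```ssh-config
# Added example (not from the answers): ~/.ssh/config on the home machine.
# Host names are the question's own; the alias and key path are assumptions.
# ssh_config does not allow trailing comments, so every comment is on its own line.

# Alias used only to bring up the browser tunnel, for example from autossh:
#   autossh -M 0 -N university-tunnel
Host university-tunnel
    HostName publicsshserver.university.fi
    # assumption: the key/certificate you already authenticate with
    IdentityFile ~/.ssh/id_university
    LocalForward 1234 proxyserver.university.fi:8080
    # fail loudly if port 1234 cannot be bound instead of silently running without the tunnel
    ExitOnForwardFailure yes
    ServerAliveInterval 30
    ServerAliveCountMax 3

# The front-end host itself, without the forward, so the ProxyCommand below
# does not try to rebind port 1234 on every inner connection.
Host publicsshserver.university.fi
    IdentityFile ~/.ssh/id_university

# Every other host under university.fi is reached through the front-end host.
# ssh -W relays the inner connection over the jump host's stdio; the inner ssh
# still authenticates end to end, so the front-end host only ever sees ciphertext.
Host *.university.fi !publicsshserver.university.fi
    IdentityFile ~/.ssh/id_university
    ProxyCommand ssh -W %h:%p publicsshserver.university.fi
    # OpenSSH 7.3 or newer can use this single line instead of ProxyCommand:
    # ProxyJump publicsshserver.university.fi
```

With this in place, plain `ssh intra.university.fi` (and scp, rsync or git over ssh to any *.university.fi host) goes through the front-end server transparently, which is the second bullet of the question. Host keys of the internal hosts are verified by your own client exactly as for a direct connection, so the first connection to each one still prompts.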

0

You probably should look into using a VPN instead of just ssh for this problem. Look into openvpn.

txwikinger

Posted 2010-03-06T06:34:23.700

Reputation: 2 467

I'm sorry, but I can not install anything at the university server (and they don't want VPN) – Peter Smit – 2010-03-13T14:43:51.080

0

The easiest way would be to add the ssh command that connects to the server to your ~/.bash_profile

Then create a separate profile in firefox that uses this proxy setting by doing

$ firefox -profilemanager

You can create a shortcut on your desktop that runs

firefox -P ProfileName -no-remote

The no-remote command allows you to run multiple instances of firefox simultaneously. Make sure that you configure the proxy settings in this new profile.

This way, whenever you want to access any university resource, just open this alternate firefox profile.

teknikqa

Posted 2010-03-06T06:34:23.700

Reputation: 412