A recent nodejs trick: hide the ssh agent behind an https port. This means you can serve stuff via https and almost always log in to ssh (since port 443 is hardly ever filtered/proxied). And if you have ssh, well, all bets are off ;-)
var net = require('net');

// Everything arrives on 443, the port outbound firewalls and proxies are
// least likely to block; httpsSshSwitch decides per connection where the
// bytes really go.
var switchServer = net.createServer(httpsSshSwitch);
switchServer.listen(443);
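// Demultiplex a raw TCP connection accepted on port 443 into either the
// real https server (port 9443) or the local ssh daemon (port 22).
//
// The first byte decides: a TLS handshake record starts with byte 22, so
// such a stream is handed to the https server; any other first byte goes
// to ssh.
//
// Some ssh clients wait for the server's banner before sending anything,
// so a connection that has stayed silent for `idleMs` (default 2 s) is
// assumed to be ssh and forwarded without waiting for data.
//
// @param {net.Socket} conn - the accepted client socket
// @param {object} [opts] - optional overrides (net.createServer passes none)
// @param {number} [opts.httpsPort=9443] - where the real https server listens
// @param {number} [opts.sshPort=22] - where sshd listens
// @param {number} [opts.idleMs=2000] - silence (ms) before assuming ssh
function httpsSshSwitch(conn, opts) {
  opts = opts || {};
  var httpsPort = opts.httpsPort != null ? opts.httpsPort : 9443;
  var sshPort = opts.sshPort != null ? opts.sshPort : 22;
  var idleMs = opts.idleMs != null ? opts.idleMs : 2000;
  var decided = false;
  var sshTimer;

  // Until a backend is chosen `conn` is the only socket we hold. A client
  // that resets or errors in that window would otherwise emit 'error' with
  // no listener attached, which throws and takes the whole listener down.
  function onEarlyError(e) {
    if (e.code !== 'ECONNRESET' && e.code !== 'EPIPE') {
      console.error('Strange error', e);
    }
    conn.destroy();
  }

  // Pick a backend exactly once; both the idle timer and the first-data
  // path end up here.
  function forward(port, firstChunk) {
    if (decided) return;
    decided = true;
    clearTimeout(sshTimer);
    conn.removeListener('error', onEarlyError);
    conn.removeListener('data', onFirstData);
    // once('data') put the socket into flowing mode; anything the client
    // sends before pipe() is attached would otherwise be dropped on the
    // floor. pipe() resumes the socket once the backend is connected.
    conn.pause();
    var proxy = net.createConnection(port, function() {
      if (firstChunk) proxy.write(firstChunk);
      conn.pipe(proxy).pipe(conn);
    });
    setupErrorHandlers(proxy, conn);
  }

  function onFirstData(buf) {
    // 22 = TLS record content type "handshake"
    forward(buf[0] === 22 ? httpsPort : sshPort, buf);
  }

  conn.on('error', onEarlyError);
  // Client went away before we decided: nothing to forward, do not dial sshd.
  conn.once('close', function() { clearTimeout(sshTimer); });
  conn.once('data', onFirstData);
  sshTimer = setTimeout(function() { forward(sshPort, null); }, idleMs);
}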
// Wire the two ends of a proxied pair together so that an 'error' on
// either socket tears down both; see setupCorrectBreakDown.
//
// @param {net.Socket} f - one end of the pair
// @param {net.Socket} t - the other end of the pair
function setupErrorHandlers(f, t) {
  var pair = [f, t];
  pair.forEach(function (sock, i) {
    setupCorrectBreakDown(sock, pair[1 - i]);
  });
}
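// Install the 'error' handler on socket `t` that tears down both ends of
// the proxied pair. ECONNRESET / EPIPE are the ordinary way a TCP peer goes
// away, so only other errors are reported.
//
// @param {net.Socket} t - socket whose 'error' event is handled here
// @param {net.Socket} f - the socket piped to/from `t`, destroyed alongside it
function setupCorrectBreakDown(t, f) {
  t.on('error', function (e) {
    if (e.code !== 'ECONNRESET' && e.code !== 'EPIPE') {
      // Diagnostics go to stderr, and the error is passed as a separate
      // argument so its message and stack are not glued to the label
      // (the old `"Strange error" + e` printed "Strange errorError: ...").
      console.error('Strange error', e);
    }
    t.destroy();
    f.destroy();
  });
}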
$ curl -v https://www.example.com
* About to connect() to www.example.com port 443 (#0)
* Trying x.x.x.x...
* Connected to www.example.com (x.x.x.x) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* Server certificate: *.example.com
* Server certificate: *
> GET / HTTP/1.1
> User-Agent: curl/7.30.0
> Host: www.example.com
> Accept: */*
>
< HTTP/1.1 200 OK
$ ssh -p 443 www.example.org
Last login: Wed Jan 8 10:57:41 2014 from x
[xxx:davy]-[~]
$