Show HN: Run SSH and HTTP(S) on the same port

by jamescun on 1/21/2015, 2:06 PM with 65 comments
  • by slyall on 1/21/2015, 9:37 PM

    You can also do this with haproxy. I ran it for a while (I think it was for git). Here is a page about how to do it:

    https://dgl.cx/2010/01/haproxy-ssh-and-ssl-on-same-port

      defaults
    timeout connect 5s
    timeout client 50s
    timeout server 20s

  listen ssl :443
    tcp-request inspect-delay 2s
    acl is_ssl req_ssl_ver 2:3.1
    tcp-request content accept if is_ssl
    use_backend ssh if !is_ssl
    server www-ssl :444
    timeout client 2h

  backend ssh
    mode tcp
    server ssh :22
    timeout server 2h

  • by AceJohnny2 on 1/21/2015, 9:42 PM

      > apt-cache search ssh http
  [...]
  sslh - ssl/ssh multiplexer
    http://www.rutschle.net/tech/sslh.shtml

    I mean, it's cool that you got the exercise of implementing this in Go and all, but I don't see what's new and interesting about it.

    (and another implementation in Perl almost 4 years ago: https://news.ycombinator.com/item?id=2395787)

    Edit: oh whoops, didn't get to OP's "Why not sslh" section :\ "The result is useful in its own right through use of Go's interfaces for protocol matching (making adding new protocols trivial), and lightweight goroutines (instead of forking, which is more CPU intensive under load)."

    Well alright, the first point I'll concede, though I'm wary of the "reinvented wheel" scent, the second point I'm even more uncomfortable with as I think it makes wild assumptions of the kind of environment this tool could be useful in.

  • by leni536 on 1/22/2015, 9:44 AM

    I wonder if it hides ssh from an nmap scan. Since it requires a timeout for ssh "since the server waits for a bit if the client send a http request" then scanning for this type of hiding ssh would be really time consuming if it's on a random port hiding behind a fake http server.

    I know obscurity can't replace security, but security + some obfuscation could help you a bit for not getting hacked instantly by 0-days. It's easier to setup on client side than port knocking (you just have to set the port) but it's less detectable than sshd on a random port.

  • by jsd1982 on 1/22/2015, 1:13 AM

    Nice! I wrote my own version of this in Go about 7 months ago. It's running in production and has been very reliable. You can find it here on my github account: https://github.com/JamesDunne/sslmux

    I notice you haven't set any IO timeouts on your protocol sniffer. I had to add a read timeout because PuTTY (a Windows SSH client) waits for a packet from the SSH server first before sending any itself.

  • by hardwaresofton on 1/21/2015, 9:44 PM

    Another interesting and enabling lower-level system tool written in Go.

    I don't know if it's because I surf HN , but a lot of really cool "ops" and system stuff seems to be written in Go lately.

  • by mkj on 1/22/2015, 2:37 AM

    It doesn't appear to set tcp nodelay, as with most of these forwarders. https://github.com/stealth/sshttp does it at the kernel level, much better.

  • by petercooper on 1/21/2015, 9:02 PM

    I wonder how far you could take this in terms of protocols. I can't think of a good use case yet, but is it at least technically possible to detect and quickly proxy away most common protocols?

  • by antoaravinth on 1/22/2015, 2:05 AM

    A simple question. How come two programs can run on the same port? How does this being implemented?

  • by alexchamberlain on 1/21/2015, 10:05 PM

    Very interesting, but it's a real shame that you have to stoop to this level to access in order to access SSH from all networks. Interestingly, I guess this wouldn't work where HTTPS is MITM'd.

  • by h43k3r on 1/22/2015, 4:24 AM

    Can this help me to ssh to my servers on DO.

    I am behind my institute squid proxy which is a HTTP proxy. All the ports are blocked, all connections has to be through proxy. For https, it uses the connect request.

  • by jasonlfunk on 1/21/2015, 9:00 PM

    This is neat. What practical applications does it have?

  • by yeukhon on 1/22/2015, 4:19 AM

    I still don't get the practical advantage of this. As someone said below he/she wrote one and running similar setup in production. Just why? Typicall you access internal stuff over intranet over VPN. How is running both 22 and 443 on 443 in this multiplexing way help security?

  • by gbuk2013 on 1/22/2015, 12:31 AM

    That's cool. :-)

    I wrote something very similar in Node.js at work recently: a JSON-RPC server that accepts TCP and HTTP messages on the same port. I remember being very excited when I realised this was actually possible!

  • by rustyconover on 1/21/2015, 9:19 PM

    I wonder if you could do this with Nginx and the Upgrade header.

  • by spullara on 1/21/2015, 9:56 PM

    At weblogic, http, https and t3 (custom protocol) were all on the same port (since '97). No real need for multiple when they all have different negotiation protocols.

  • by on 1/21/2015, 9:20 PM

    undefined

  • by ponytech on 1/22/2015, 9:38 AM

    Anyone knows how nmap -sV (Version detection) would report the open port? HTTP, SSH or neither ?

  • by ZeWaren on 1/21/2015, 9:50 PM

    I've been using the same trick with OpenVPN for a while. Perfect to go trough proxies.

  • by blueskin_ on 1/22/2015, 1:23 PM

    It's a nice idea, but far from the only implementation. sslh is nice as it doesn't need go, and is packaged for most distros: http://www.rutschle.net/tech/sslh.shtml

  • by est on 1/22/2015, 8:58 AM

    it could perform better by using splice() kernel calls.

  • by on 1/21/2015, 2:48 PM

    undefined

  • by Pinn2 on 1/21/2015, 11:30 PM

    Liking the Go, not liking the .gitignore.