[Discuss] ssh tunnels
Matthew Gillen
me at mattgillen.net
Fri Feb 22 13:37:37 EST 2013
On 02/22/2013 12:25 PM, Dan Ritter wrote:
> On Fri, Feb 22, 2013 at 12:17:33PM -0500, Bill Horne wrote:
>> On 2/22/2013 11:04 AM, Rich Pieri wrote:
>>> On Fri, 22 Feb 2013 11:00:13 -0500
>>> Bill Horne<bill at horne.net> wrote:
>>>
>>>> Speaking of ssh tunnels, can someone figure out how to tunnel through
>>>> ssh to a virtual domain?
>>> Clarify what you mean by "virtual domain".
>>
>> Many web servers, mine included, are set up so that they deliver
>> different pages, based on which domain name is included in the http
>> headers sent with the request.
>>
>> For example:
>>
>> 67.190.84.154 - - [17/Feb/2013:15:42:25 -0800] "GET / HTTP/1.1" 200
>> 4816 "http://billhorne.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64;
>> rv:18.0) Gecko/20100101 Firefox/18.0"
>>
>> Since the "200" line includes the domain name, Apache knows that it
>> needs to deliver a "splash" page from the "billhorne.com" tree. If
>> the request were for the "william-warren.com" domain, Apache would
>> deliver a "splash" page appropriate for a different domain. The
>> point is that Apache needs to see the domain name in the "200"
>> request, in order to know which page to deliver. That's why it's
>> called a "virtual domain": it doesn't depend on the IP address per
>> se.
>>
>> Of course, it's also possible to set up the server so that it
>> delivers the same page no matter which domain name is included in
>> the headers. There is usually a default "splash" page to handle
>> requests that are for an invalid domain, or which were sent with
>> only an IP address. Since ssh tunnels require that the browser
>> access the tunneled site via a localhost port, Apache doesn't get
>> the desired domain name in the header, and it delivers the default
>> page instead of the one that the user wanted.
>>
>
> You need a proxy. SSH can provide a SOCKS proxy for you, and you
> can either route requests through that directly, or you can
> write a tiny bit of JavaScript (proxy access control) to
> determine which requests go to the proxy and which go direct.

A generally inferior but sometimes still useful alternative to using the
proxy is to edit your local /etc/hosts (or equivalent on Windows) to point
billhorne.com and william-warren.com both to 127.0.0.1, and have your
ssh port forward to 80.

As mentioned elsewhere in the thread, ssh doesn't touch the header, it
merely routes bits around for you, and the /etc/hosts tweak together
with port forwarding tricks it to send the packets to the right place.

This is painful if you need to switch back and forth between "tunneled"
mode and non-tunneled mode. However, it can be useful in situations
where you never want to access the service when you're not tunneled
(since without the tunnel, no traffic will ever leave your box, not even
DNS queries for the domains involved).
HTH,
Matt