reverse SSH tunnels and mediawiki - SSH


  1. reverse SSH tunnels and mediawiki

    I've got MediaWiki running at work and in the office can do
    http://serveratwork/mediawiki and it appears.

    On leaving work I do
    ssh -R 2096:localhost:80 www.serverathome
    from my Linux box,

    then at home from my desktop I do
    http://serverathome:2096
    and my Apache page comes up.

    http://serverathome:2096/mediawiki
    gives a name not found error unless I add to my client /etc/hosts

    serveratwork 192.168.0.1(home server IP address)

    and then http://serverathome:2096/mediawiki

    tells me the wiki isn't installed and takes me to the configuration page,
    yet at the same time my secretary can access it from the LAN at work
    with http://serveratwork/mediawiki

    Why? (I suspect it could be something to do with PHP sessions?)
    Is it soluble?


  2. Re: reverse SSH tunnels and mediawiki

    >>>>> "PDC" == pdc124@yahoo co uk writes:

    PDC> ive got media wiki running at work and in the office can do
    PDC> http://serveratwork/mediawiki and it appears

    PDC> On leaving work I do ssh -R 2096:localhost:80 www.serverathome
    PDC> from my linux box

    PDC> then at home from my desktop I do http//serverathome:2096 and my
    PDC> apache page comes up

    PDC> http://serverathome:2096/mediawiki gives a name not found error
    PDC> unless i add to my client /etc/hosts

    PDC> serveratwork 192.168.0.1(home server IP address)

    PDC> and then http:/serverathome:2096/mediawiki

    PDC> tells me the wiki isnt installed and takes me to the
    PDC> configuration page , yet at the same time my secretary can access
    PDC> it from the LAN at work with http://serveratwork/mediawiki

    PDC> Why ?

    1) When you type http://serverathome:2096 into your browser, it supplies
    the name "serverathome" to the web server in the Host header of the
    HTTP request. The server doesn't know anything about this name.

    2) The wiki code generates links in its HTTP output that refer to
    "serveratwork". Your local host doesn't know anything about that
    name.

    PDC> Is it soluble?

    As you discovered, you can fix it in a limited way if you map the name
    "serveratwork" on the client side. However, what you really need is a
    proxy. If your web browser supports SOCKS, you may be able to use the
    OpenSSH -D feature -- although this is less useful than it should be,
    since (at least the last time I checked) OpenSSH does not pass name
    resolution through SOCKS. Also, you'd have to establish an SSH connection
    from home to work. Alternatively, you could run an HTTP proxy
    (e.g. Squid) at work, forward a port to that, and set your browser to use
    the forwarded socket as its HTTP proxy.

    --
    Richard Silverman
    res@qoxp.net


  3. Re: reverse SSH tunnels and mediawiki

    Thanks.
    The other possibility I've thought about is to create the SSH tunnel
    with port forwarding to bring it to my desktop box and then use a VNC
    connection to go back to 'serveratwork' and run a simple GUI on it.
    Don't know enough yet about SSH to see if I can port-forward a reverse SSH
    connection.

    My server has Shorewall as a firewall.

    Is that doable from the SSH point of view? And then I just point
    a VNC client to e.g. localhost:5910 and my serveratwork GUI should appear!


  4. Re: reverse SSH tunnels and mediawiki

    Or would a mod_rewrite rule converting 'serverathome' to
    'serveratwork' sort the first problem?

    Or some sort of ProxyPass directive to translate both ways?
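
Added example (not from any poster in the thread): a model of what "translating both ways" has to cover for the two problems described in reply 2, namely the Host header on the way in, and redirects plus absolute links on the way out. The host names are the thread's; the HTTP messages are constructed, and the functions are illustrative, not Apache's implementation.

```python
# Added illustration; host names are the thread's, messages are constructed.
INTERNAL = "serveratwork"        # name the wiki puts in its own links
EXTERNAL = "serverathome:2096"   # name:port the home browser connected to

def split_message(raw: bytes):
    """Split a raw HTTP message into start line, header pairs and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    first, *lines = head.decode("iso-8859-1").split("\r\n")
    return first, [tuple(line.split(": ", 1)) for line in lines], body

def join_message(first, headers, body: bytes) -> bytes:
    head = "\r\n".join([first] + [f"{k}: {v}" for k, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body

def translate_request(raw: bytes) -> bytes:
    """Inbound: present the name the work server expects in Host."""
    first, headers, body = split_message(raw)
    headers = [(k, INTERNAL if k.lower() == "host" else v) for k, v in headers]
    return join_message(first, headers, body)

def translate_response(raw: bytes) -> bytes:
    """Outbound: point redirects and absolute links back at the tunnel."""
    first, headers, body = split_message(raw)
    old, new = f"http://{INTERNAL}/", f"http://{EXTERNAL}/"
    body = body.replace(old.encode(), new.encode())
    out = []
    for k, v in headers:
        if k.lower() == "location":
            v = v.replace(old, new)
        elif k.lower() == "content-length":
            v = str(len(body))   # the body grew, so the length must follow
        out.append((k, v))
    return join_message(first, out, body)

# Constructed sample traffic.
REQUEST = b"GET /mediawiki/ HTTP/1.1\r\nHost: serverathome:2096\r\n\r\n"
BODY = b'<a href="http://serveratwork/mediawiki/index.php">Main Page</a>'
RESPONSE = (b"HTTP/1.1 302 Found\r\n"
            b"Location: http://serveratwork/mediawiki/index.php\r\n"
            b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY)
```

Rewriting only the request side leaves the browser following links to a name it cannot resolve, which is the symptom in the first post.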


  5. Re: reverse SSH tunnels and mediawiki

    On 2005-11-10, Richard E. Silverman wrote:
    > If your web browser supports SOCKS, you may be able to use the
    > OpenSSH -D feature -- although this is less useful than it should be,
    > since (at least the last time I checked) OpenSSH does not pass name
    > resolution through SOCKS.


    It's time to check again :-)

    OpenSSH has supported SOCKS5 since (I think) 3.7x, and it includes support
    for remote host lookups (ie SOCKS5_DOMAIN) if the SOCKS client sends them.

    Last time I checked most browsers don't send SOCKS5_DOMAIN requests even
    when they're configured to use SOCKS5, though.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

  6. Re: reverse SSH tunnels and mediawiki

    >>>>> "DT" == Darren Tucker writes:

    DT> On 2005-11-10, Richard E. Silverman wrote:
    >> If your web browser supports SOCKS, you may be able to use the
    >> OpenSSH -D feature -- although this is less useful than it should
    >> be, since (at least the last time I checked) OpenSSH does not pass
    >> name resolution through SOCKS.


    DT> It's time to check again :-)

    DT> OpenSSH has supported SOCKS5 since (I think) 3.7x, and it includes
    DT> support for remote host lookups (ie SOCKS5_DOMAIN) if the SOCKS
    DT> client sends them.

    DT> Last time I checked most browsers don't send SOCKS5_DOMAIN
    DT> requests even when they're configured to use SOCKS5, though.

    Thanks for the correction Darren -- in fact, I didn't even remotely write
    what I was thinking. What I meant to say was just what you said: that
    most *browsers* don't do the right thing (not OpenSSH), making the method
    much less useful than it should be. In fact, I believe the only browser I
    ever found that did resolve names via socks5 was, amazingly enough... IE
    for OS X. If anyone knows of any others, I'd love to hear about it.

    --
    Richard Silverman
    res@qoxp.net
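
Added example (not from any poster in the thread): the difference discussed in replies 5 and 6 is visible in the SOCKS5 CONNECT request itself. Per RFC 1928 the address-type byte is 0x03 when the client sends a host name for the far end to resolve (the request type the thread calls SOCKS5_DOMAIN) and 0x01 or 0x04 when the client has already resolved the name locally. The function names are hypothetical and the sample requests are constructed.

```python
import ipaddress
import struct

# Address-type byte of a SOCKS5 request (RFC 1928, section 4).
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
CMD_CONNECT = 0x01

def build_connect(host: str, port: int) -> bytes:
    """CONNECT request a client sends after the method negotiation."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not a literal address: send the name, the proxy end resolves it.
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("host name must be 1..255 bytes")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    else:
        # Literal address: resolution (if any) already happened locally.
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = ip.packed
    return bytes([5, CMD_CONNECT, 0, atyp]) + addr + struct.pack("!H", port)

def parse_connect(req: bytes):
    """Return (where_resolved, host, port); raise ValueError if malformed."""
    if len(req) < 5 or req[0] != 5 or req[1] != CMD_CONNECT or req[2] != 0:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp, rest = req[3], req[4:]
    if atyp == ATYP_DOMAIN:
        n, rest = rest[0], rest[1:]      # one length byte, then the name
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        n = 4 if atyp == ATYP_IPV4 else 16
    else:
        raise ValueError("unknown address type")
    addr, tail = rest[:n], rest[n:]
    if n == 0 or len(addr) != n or len(tail) != 2:
        raise ValueError("truncated or over-long request")
    if atyp == ATYP_DOMAIN:
        where, host = "proxy side", addr.decode("ascii")
    else:
        where, host = "client side", str(ipaddress.ip_address(addr))
    return where, host, struct.unpack("!H", tail)[0]

# Constructed requests for the thread's host name and its 192.168.0.1 address.
BY_NAME = build_connect("serveratwork", 80)
BY_ADDR = build_connect("192.168.0.1", 80)
```

A client that only ever emits the second form has to resolve "serveratwork" itself, which fails (or leaks the lookup to the local resolver) when the name exists only on the far network.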


  7. Re: reverse SSH tunnels and mediawiki

    What I've found useful, at least in the Windows world, is proxycap
    (http://proxylabs.netwu.com/) or sockscap
    (http://www.socks.nec.com/Download/So...load/index.asp). Sockscap
    is free (for non-commercial, and you need to register), but time limited
    (about a year) whereas proxycap costs a few dollars.
    What they both do is grab packets coming from any specified application
    which would otherwise be destined for the internet (e.g. your
    browser/mail client etc.) and route them to a defined proxy. The usage
    with PuTTY/OpenSSH is to route them to localhost port 1080 (you choose),
    where PuTTY encrypts/port-forwards them to your remote SSH server, where
    they are unwrapped and carry on their way to the internet. Using PuTTY's
    'D' (dynamic) port forward option (on port 1080, as set above) allows
    any IP that the application is sending stuff to, to be port forwarded.
    In other words the whole setup acts as a proxy web server at the remote,
    SSH server, IP. This has the effect of anonymising the original IP; web
    pages see only the IP of the SSH server, and allows you to tunnel
    through proxy server firewalls, using the proxy features in PuTTY. Also
    any traffic (personal mail, forbidden web-sites) is encrypted as it
    travels through your local network, right up to your personal machine,
    so your local IT admin/Chinese firewall admin, can't read it.

    Now most of you on this board probably knew this; I'm new at this, but
    hopefully it will help someone.

    Richard E. Silverman wrote:
    >>>>>>"DT" == Darren Tucker writes:

    >
    >
    > DT> On 2005-11-10, Richard E. Silverman wrote:
    > >> If your web browser supports SOCKS, you may be able to use the
    > >> OpenSSH -D feature -- although this is less useful than it should
    > >> be, since (at least the last time I checked) OpenSSH does not pass
    > >> name resolution through SOCKS.

    >
    > DT> It's time to check again :-)
    >
    > DT> OpenSSH has supported SOCKS5 since (I think) 3.7x, and it includes
    > DT> support for remote host lookups (ie SOCKS5_DOMAIN) if the SOCKS
    > DT> client sends them.
    >
    > DT> Last time I checked most browsers don't send SOCKS5_DOMAIN
    > DT> requests even when they're configured to use SOCKS5, though.
    >
    > Thanks for the correction Darren -- in fact, I didn't even remotely write
    > what I was thinking. What I meant to say was just what you said: that
    > most *browsers* don't do the right thing (not OpenSSH), making the method
    > much less useful than it should be. In fact, I believe the only browser I
    > ever found that did resolve names via socks5 was, amazingly enough... IE
    > for OS X. If anyone knows of any others, I'd love to hear about it.
    >

