Use SSH Tunnel to access an Intranet Web Server behind a Firewall

You have SSH (Secure Shell) access to an intranet server in your office that runs a web application. Working remotely, you can edit the web scripts on the command line, but once you are done you cannot load the web application to see the result: it is meant to be reached only from within the office intranet, and port 80 is blocked by a firewall. So do you have to wait until you are back in the office to see the result? Not really. You have SSH access, and with it something called an SSH tunnel.

Let’s say the web application runs on server.abc.com, which you can reach with SSH. After modifying the web scripts, you can see the results in the web browser on your laptop as follows:

Login as root on your laptop and issue:

ssh -L 80:localhost:80 root@server.abc.com

When prompted, enter the password, and as usual you will be dropped into a shell on server.abc.com.

On your laptop, open the web browser and go to the URL http://localhost:80/ and voila, you will see the web application running on server.abc.com.

The syntax of the above SSH command is as follows:

ssh -L <local-laptop-port>:localhost:<web-server-port> <username>@<server>

But, it may not work
In the above example, you are mapping port 80 on the server to port 80 on your laptop (localhost). There are two scenarios in which the above command will not work:

  • If you issue the above command as a non-root user on your laptop
  • If you are running a web server on your laptop

As a non-root user you cannot bind a privileged port (ports up to 1023). That is, if you use any port below 1024 as <local-laptop-port> while running as a non-root user, you will get the error “Privileged ports can only be forwarded by root”.

Also, even as root, you cannot use a port for the SSH tunnel if that port is already in use. In the above example you cannot use 80 as <local-laptop-port> if a web server is running on your laptop (it also listens on port 80). And it is likely that you are running a web server on your laptop; after all, you are working on a web application 🙂

So the following command will work for a non-root user and will not conflict with an existing service (such as a web server) running on your laptop:

ssh -L 7777:localhost:80 root@server.abc.com

With the above command, open the web browser on your laptop and go to the URL http://localhost:7777/

It may still not work 🙁
While the commands above work, the scenario may not be realistic. It is unlikely that the server you can SSH into is also running your intranet’s web server. Typically, the server you can SSH into is a firewall, and once you are on the firewall you SSH in turn into the web server. So how do you reach the web application? The answer is to daisy-chain the SSH tunnel: tunnel into the firewall, and from the firewall tunnel into the web server. For example, say the machine with the internal/private IP 192.168.0.3 runs the web server and you can SSH into server.abc.com:

ssh -L 7777:localhost:7777 root@server.abc.com

Once logged into server.abc.com, issue:

ssh -L 7777:localhost:80 root@192.168.0.3

On your laptop, open the web browser and go to the URL http://localhost:7777/

The above set of commands may be confusing. But if you can find a port that is unused and non-privileged on the servers and on the laptop alike, the syntax is:

ssh -L <unused-non-privileged-port>:localhost:<unused-non-privileged-port> <username>@<server>

ssh -L <unused-non-privileged-port>:localhost:<web-server-port> <username>@<web-server>

I googled to find out whether port 7777 is used by any service; it seems Terraria game servers use it. So, just in case you happen to be running a Terraria game server ;-), feel free to substitute any other port for 7777 or <unused-non-privileged-port>. The options range from 1025-65534, so you have a wide range of port numbers to choose from.

Note: the port range goes up to 65535, but Google Chrome treats 65535 as an unsafe port and will not display the page. Firefox is fine with 65535.
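The two “may not work” checks above (privileged port, port already in use) and the port range from the note, as an added Python example that is not part of the original post. It also shows the single-hop form of the daisy chain: because the host in the middle of -L is resolved by the SSH server, naming 192.168.0.3 directly reaches the web server through server.abc.com without the second ssh command. The function names are my own; it assumes an OpenSSH client and a Unix-like laptop.

```python
import os
import socket

PRIVILEGED_MAX = 1023    # ports 0-1023 need root to bind on Unix-like systems
CHROME_SAFE_MAX = 65534  # 65535 is treated as unsafe by Chrome, as noted above


def port_is_free(port, host="127.0.0.1"):
    """True if nothing on this machine is bound to host:port.
    Binding briefly is exactly what `ssh -L` will do, so it is a reliable test."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


def check_local_port(port):
    """Return why `port` is unusable as <local-laptop-port>, or None if it is fine."""
    if not 1 <= port <= CHROME_SAFE_MAX:
        return f"port {port} is outside the usable range 1-{CHROME_SAFE_MAX}"
    is_root = getattr(os, "geteuid", lambda: 0)() == 0
    if port <= PRIVILEGED_MAX and not is_root:
        return f"port {port} is privileged; only root can forward it"
    if not port_is_free(port):
        return f"port {port} is already in use on this machine"
    return None


def pick_local_port(preferred=7777, low=1025, high=CHROME_SAFE_MAX):
    """Use `preferred` if it passes the checks, else the first usable port in low..high."""
    for port in [preferred, *range(low, high + 1)]:
        if check_local_port(port) is None:
            return port
    raise RuntimeError("no usable local port found")


def forward_command(local_port, target_host, target_port, user, ssh_host):
    """argv for one `ssh -L` hop. `target_host` is resolved on the SSH server, so an
    intranet address here reaches the web server through ssh_host in a single hop.
    -N keeps the session open for forwarding without starting a remote shell."""
    return ["ssh", "-N", "-L", f"{local_port}:{target_host}:{target_port}",
            f"{user}@{ssh_host}"]


def hold_port(port=0):
    """Listen on `port` (0 = any free port) to simulate a web server already on the laptop."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", port))
    s.listen(1)
    return s
```

Run `check_local_port` on your chosen port before starting the tunnel; the returned string is the reason ssh would refuse it.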

Also, the simpler solution to all of the above is a VPN. But if you do not have VPN access, an SSH tunnel can come to your rescue.


Discussion

One comment for “Use SSH Tunnel to access an Intranet Web Server behind a Firewall”

  1. RT @shekharg: Blog post: Use SSH Tunnel to access an Intranet Web Server behind a Firewall http://t.co/V1IsHdBqX9 http://t.co/yRDbrAhiWh

    Posted by sharat_j | August 17, 2015, 11:36 am
