Can caddy forward SSH traffic over port 443?


(Chuck Connors) #1

I’d like to be able to SSH into my server from time-to-time from work but the only port open is 443. Can I set up caddy server to route traffic from SSH (22) to 443 using net?

I saw the caddy-net and think that might work but I’m unsure on how to set it up.


(Matthew Fay) #2

Hi @dinki,

Caddy’s HTTP(S) server can’t do this - different protocol. Caddy’s net server type can proxy raw TCP traffic, though - so you could sit Caddy at the edge and forward all port 443 traffic to port 22 on your machine. It’d be equivalent to running your SSH server directly on the edge at port 443.

To set it up, download Caddy from https://caddyserver.com/download, selecting the net server type from the bottom of the plugins list (under the “Server Types” header).

Use a Caddyfile like the examples given in the plugin’s documentation:

I think a simple proxy :443 [SSH-HOST]:22 is correct. Lastly, don’t forget to add the -type=net flag when you run Caddy.


(Chuck Connors) #3

So all traffic going to 443 for that subdomain will go to 22, or does that mean all traffic on the machine going to 443 will go to 22? The latter won’t do me much good.


(Matthew Fay) #4

Perhaps I misunderstood - you said the only open port is port 443, and you want to make SSH available on this port?

proxy :443 [SSH-HOST]:22 should receive traffic on the open port (443) and forward it to port 22 on [SSH-HOST].

That means that externally you’ll connect over port 443, but the machine on the inside of your network will be using the standard port. If you need it the other way 'round, just swap the ports.


(Chuck Connors) #5

I’m sure I was not clear. Apologies. What I should have said is that I want to have a bunch of subdomains that forward to different web apps, but in addition I would like a subdomain that points to my SSH.

I have ‘shell in a box’ set up but I want to be able to reverse proxy to it. This is how I’m trying in my Caddyfile:

myssh.mycoolsite.com:443 {
        tls {
                dns cloudflare
        }
        proxy /  localhost:4200 {
                websocket
                transparent
        }
}

When I try to connect I get:

502 Bad Gateway

‘Shell in a box’ is baked into OpenMediaVault so I’m not certain of its origin, but I think it’s from here: https://code.google.com/archive/p/shellinabox/


(Matthew Fay) #6

To route SSH to one endpoint and HTTP(S) to another, Caddy would have to recognize and expect both protocols on the same port. It’s not designed to handle SSH at all, so Caddy is not going to be the right choice to multiplex SSH and HTTP(S), I’m afraid.

That said, shellinabox is not SSH - it’s a web server (looks like we had a classic case of XY Problem), so you should be able to proxy to it. To find out why Caddy can’t talk to it, try running curl -IL localhost:4200 on your Caddy host and let us know what comes back.


(Chuck Connors) #7

curl -IL localhost:4200
curl: (52) Empty reply from server

When I log in locally I get a ‘This site is not secure’ message but it allows me to proceed. Not sure if that’s the problem.


(Matthew Fay) #8

This error might be because shellinabox is serving HTTPS on that port, not HTTP.

Try with curl -kIL https://localhost:4200/. If that works, you’ll need to make a few modifications to the Caddyfile.


(Chuck Connors) #9

curl -kIL https://localhost:4200/
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 5215

Looks like it worked. Thanks again for helping!

EDIT: by “it worked” I meant that the curl command worked… Not sure how to proceed.


(Chuck Connors) #10

Hi @Whitestrake. Just checking in. Did what I posted give a clue as to what I should do to get this working? Thanks again…


(Matthew Fay) #11

Change your proxy upstream from localhost:4200 to https://localhost:4200, then reload Caddy.

Since cURL works with HTTPS, but not HTTP, the same must be true of Caddy.


(Chuck Connors) #12

Unfortunately this did not work. I’m getting the ‘502 Bad Gateway’ when I try this. I can get to the page from another machine on my network using https://ipaddress:4200 … It does complain that it’s insecure but I can continue onto Shell in the Box.


(Matthew Fay) #13

Ahh. Add the insecure_skip_verify subdirective to your proxy. Caddy is trying to validate the upstream server’s certificate and can’t - this tells Caddy to ignore that problem.
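Putting the thread’s advice together, here is the Caddyfile the discussion converges on. This is an added example, not a configuration posted by either participant; it uses Caddy v1 syntax (the proxy directive with subdirectives, as in the original post) and assumes the same host name (myssh.mycoolsite.com), the Cloudflare DNS challenge and a shellinabox instance listening with HTTPS on localhost:4200.

```caddyfile
# Added example: the configuration this thread converges on (Caddy v1 syntax).
# Host name, DNS provider and upstream port are taken from the thread.
myssh.mycoolsite.com:443 {
        tls {
                dns cloudflare
        }
        # The upstream must be given with an https:// scheme, since the
        # curl test only succeeded against https://localhost:4200/.
        proxy / https://localhost:4200 {
                websocket
                transparent
                # shellinabox presents a self-signed certificate that Caddy
                # cannot validate, which is what produced the 502. Skipping
                # verification is tolerable here only because the upstream
                # is on the loopback interface of the same host.
                insecure_skip_verify
        }
}
```

Note that insecure_skip_verify makes Caddy accept any certificate on that hop, so it should stay limited to loopback upstreams like this one. If the upstream ever moves to another machine, either give it a certificate Caddy can verify or run shellinabox with SSL disabled on a private interface and proxy to http://localhost:4200 instead, so that Caddy is the only place TLS is terminated.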


(Chuck Connors) #14

Absolutely perfect!! Thank you!