Can caddy forward SSH traffic over port 443?

dinki · September 11, 2018, 8:49pm

I’d like to be able to SSH into my server from time-to-time from work but the only port open is 443. Can I set up caddy server to route traffic from SSH (22) to 443 using net?

I saw the caddy-net and think that might work but I’m unsure on how to set it up.

Whitestrake · September 11, 2018, 11:42pm

Hi @dinki,

Caddy’s HTTP(S) server can’t do this - different protocol. Caddy’s net server type can proxy raw TCP traffic, though - so you could sit Caddy at the edge and forward all port 443 traffic to port 22 on your machine. It’d be equivalent to running your SSH server directly on the edge at port 443.

To set it up, download Caddy from Download Caddy, selecting the net server type from the bottom of the plugins list (under the “Server Types” header).

Use a Caddyfile like the examples given in the plugin’s documentation:

github.com

pieterlouw/caddy-net/blob/master/README.md

# Caddy Net #

TCP/UDP server type for [Caddy Server](https://github.com/caddyserver/caddy)

The server type is called `net`

## Proposed Caddyfile 

```
echo :22017 {
    host echo.example.com
}

proxy :12017 :22017 {
    host proxy.example.com
}
```

The first server block will listen on port `22017` and echo any traffic back to caller

This file has been truncated. show original

I think a simple proxy :443 [SSH-HOST]:22 is correct. Lastly, don’t forget to add the -type=net flag when you run Caddy.

dinki · September 12, 2018, 12:05am

So all traffic going to 443 for that subdomain will go to 22 or does that mean all traffic on the machine going to 443 will go to 22? The later won’t do me much good.

Whitestrake · September 12, 2018, 1:23am

Perhaps I misunderstood - you said the only open port is port 443, and you want to make SSH available on this port?

proxy :443 [SSH-HOST]:22 should receive traffic on the open port (443) and forward it to port 22 on [SSH-HOST].

That means that externally you’ll connect over port 443, but the machine on the inside of your network will be using the standard port. If you need it the other way 'round, just swap the ports.

dinki · September 12, 2018, 12:43pm

I’m sure I was not clear. Apologies. What I should have said is that I want to have a bunch of subdomains that program forward to different web apps but in addition I would like a subdomain that points to my ssh.

I have ‘shell in a box’ set up but I want able to reverse proxy to it. This is how I’m trying in my Caddyfile:

myssh.mycoolsite.com:443 {
        tls {
                dns cloudflare
        }
        proxy /  localhost:4200 {
                websocket
                transparent
        }
}

When I try to connect I get:

502 Bad Gateway

‘Shell in a box’ is baked in to OpenMediaVault so I’m not certain of it’s origin but I think it’s from here Google Code Archive - Long-term storage for Google Code Project Hosting.

Whitestrake · September 12, 2018, 11:20pm

To route SSH to one endpoint and HTTP(S) to another, Caddy would have to recognize and expect both protocols on the same port. It’s not designed to handle SSH at all, so Caddy is not going to be the right choice to multiplex SSH and HTTP(S), I’m afraid.

That said, shellinabox is not SSH - it’s a web server (looks like we had a classic case of XY Problem), so you should be able to proxy to it. To find out why Caddy can’t talk to it, try running curl -IL localhost:4200 on your Caddy host and let us know what comes back.

dinki · September 13, 2018, 12:06am

curl -IL localhost:4200
curl: (52) Empty reply from server

When I log in local I get a ‘This site is not secure’ message but it allows me to proceed. Not sure if that’s the problem.

Whitestrake · September 13, 2018, 12:09am

This error might be because shellinabox is serving HTTPS on that port, not HTTP.

Try with curl -kIL https://localhost:4200/. If that works, you’ll need to make a few modifications to the Caddyfile.

dinki · September 13, 2018, 12:48am

 curl -kIL https://localhost:4200/
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 5215

Looks like it worked. Thanks again for helping!

EDIT by it worked I meant that the curl command worked… Not sure how to proceed.

dinki · September 14, 2018, 6:51pm

Hi @Whitestrake . Just checking in. Did what I post give a clue as to what I should do to get this working? Thanks again…

Whitestrake · September 15, 2018, 3:24pm

Change your proxy upstream from localhost:4200 to https://localhost:4200, then reload Caddy.

Since cURL works with HTTPS, but not HTTP, the same must be true of Caddy.

dinki · September 15, 2018, 6:43pm

Unfortunately this did not work. I’m getting the ‘502 Bad Gateway’ when I try this. I can get to the page from another machine on my network using https://ipaddress:4200 … It does complain that it’s insecure but I can continue onto Shell in the Box.

Whitestrake · September 16, 2018, 8:09am

Ahh. Add the insecure_skip_verify subdirective to your proxy. Caddy is trying to validate the upstream server’s certificate and can’t - this tells Caddy to ignore that problem.

dinki · September 16, 2018, 8:57pm

Absolutely perfect!! Thank you!

system · December 15, 2018, 9:08pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.