When SSH traffic is blocked or restricted, accessing your VPS or server can become a challenging task. A simple and effective solution is to use a reverse proxy over HTTPS to tunnel your SSH connection. In this guide, I’ll walk you through setting up this method using Nginx and SSL, ensuring secure and reliable access to your server.
Why Access SSH Over HTTPS?
There are several scenarios where accessing SSH over HTTPS becomes necessary:
- Corporate Networks: Many workplaces block non-standard ports, including SSH (port 22), while allowing HTTPS (port 443).
- ISP Restrictions: Some internet service providers block SSH to prevent certain types of usage.
- Bypassing Firewalls: HTTPS traffic is rarely blocked, making it an excellent option for tunneling SSH.
- Security: Using HTTPS ensures encrypted communication, adding an extra layer of security.
Overview of the Solution
The idea is simple: we configure Nginx as a reverse proxy to forward HTTPS traffic (port 443) to the SSH service running on port 22. Here's what we’ll cover:
- Installing Nginx.
- Configuring SSL/TLS certificates.
- Setting up Nginx as a reverse proxy for SSH.
- Connecting to SSH via HTTPS.
Step 1: Install Nginx
To start, install Nginx on your VPS or server:
For Debian/Ubuntu:
sudo apt update
sudo apt install nginx
For CentOS/RHEL:
sudo yum install nginx
Once installed, ensure Nginx is running:
sudo systemctl start nginx
sudo systemctl enable nginx
Step 2: Obtain SSL/TLS Certificates
To securely access SSH over HTTPS, you’ll need SSL/TLS certificates. Using Let’s Encrypt, you can obtain free certificates.
Install Certbot:
sudo apt install certbot python3-certbot-nginx
Generate Certificates:
Replace your-domain.com with your actual domain name:
sudo certbot --nginx -d your-domain.com
Certbot will automatically configure SSL for your domain. Ensure port 80 and 443 are open in your firewall before running the command.
Step 3: Configure Nginx as a Reverse Proxy
Now we’ll set up Nginx to forward HTTPS traffic to the SSH service.
Create a New Configuration File:
sudo nano /etc/nginx/sites-available/ssh-proxy
Add the Following Configuration:
# SSH is not HTTP, so this server must live in nginx's stream context:
# an http-context proxy_pass would try to speak HTTP to sshd and fail.
# The stream module must be available (on Debian/Ubuntu it ships as
# libnginx-mod-stream).
server {
    listen 443 ssl;
    ssl_certificate     /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
    # Terminate TLS here and relay the raw byte stream to sshd unchanged.
    proxy_pass 127.0.0.1:22;
}
Replace your-domain.com with your domain and ensure the SSL certificate paths are correct. Only one server can bind port 443: if the HTTP server block that Certbot configured in Step 2 also listens on 443, remove that listen directive (or move it to another port) before enabling this one.
Enable the Configuration:
Files under /etc/nginx/sites-enabled/ are included from inside the http {} block, so this file cannot be enabled with a symlink there. Instead, include it from the stream context by adding the following at the top level of /etc/nginx/nginx.conf (outside http {}; if a stream {} block already exists, put the include line inside it):
stream {
    include /etc/nginx/sites-available/ssh-proxy;
}
Test and Restart Nginx:
Test the configuration:
sudo nginx -t
If successful, restart Nginx:
sudo systemctl restart nginx
Step 4: Connect to SSH Over HTTPS
To connect to SSH over HTTPS, you’ll need to configure your SSH client to use an HTTPS tunnel.
Using openssl:
Run the following command, replacing your-domain.com with your actual domain name:
ssh -o ProxyCommand="openssl s_client -connect your-domain.com:443 -quiet" user@127.0.0.1
Using Custom SSH Config:
Edit your SSH configuration file (~/.ssh/config) to simplify the connection:
Host your-domain.com
    HostName 127.0.0.1
    Port 22
    # Tunnel the connection through the TLS listener on port 443.
    ProxyCommand openssl s_client -connect your-domain.com:443 -quiet
    # Record the host key under the domain rather than 127.0.0.1, so it
    # cannot be confused with a local sshd's key in known_hosts.
    HostKeyAlias your-domain.com
Now you can connect using:
ssh user@your-domain.com
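A quick way to confirm that the tunnel really delivers sshd, as an added example that is not part of the original post: the script below reproduces the client side of `openssl s_client -quiet`, but with certificate and host name verification switched on (s_client only warns on a bad certificate), then inspects the first bytes the server sends. Per RFC 4253 the server sends its identification string "SSH-2.0-..." without waiting for the client, so a working stream proxy delivers it immediately; an nginx server in the http context instead waits for an HTTP request and answers a probe with an HTTP status line, which pinpoints that misconfiguration. The host names, the probe request and the sample payloads in `demo()` are constructed for illustration.

```python
"""Check what is speaking behind an SSH-over-TLS tunnel: sshd or an HTTP listener."""
import socket
import ssl

HTTP_PROBE = b"GET / HTTP/1.0\r\nHost: probe\r\n\r\n"  # constructed probe request
MAX_IDENT_LEN = 255  # RFC 4253 s4.2: identification line, CRLF included


def parse_ssh_banner(data: bytes):
    """Return the SSH identification string from the first line, or None."""
    first = data.split(b"\n", 1)[0].rstrip(b"\r")
    if not first.startswith(b"SSH-"):
        return None
    return first.decode("ascii", errors="replace")


def classify(data: bytes) -> str:
    """Map raw bytes from the tunnel to one of: ssh, http, closed, unknown."""
    if parse_ssh_banner(data) is not None:
        return "ssh"
    if data.startswith(b"HTTP/"):
        return "http"
    if not data:
        return "closed"
    return "unknown"


def read_line(sock, limit: int = MAX_IDENT_LEN) -> bytes:
    """Read until a newline is seen or `limit` bytes arrive; b"" means peer closed."""
    buf = b""
    while len(buf) < limit and b"\n" not in buf:
        chunk = sock.recv(limit - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def check_tunnel(host: str, port: int = 443, timeout: float = 3.0) -> str:
    """Open a verified TLS connection to host:port and report who speaks first.

    Raises ssl.SSLCertVerificationError when the certificate does not match
    `host`; that is deliberate, the check must not accept a certificate the
    ProxyCommand would also have been fooled by.
    """
    ctx = ssl.create_default_context()  # CA verification plus hostname check
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            try:
                return classify(read_line(tls))  # sshd sends its banner unprompted
            except socket.timeout:
                # Nothing arrived: an HTTP listener waits for a request. Probe it.
                tls.sendall(HTTP_PROBE)
                try:
                    return classify(read_line(tls))
                except socket.timeout:
                    return "silent"


class FakeSocket:
    """Minimal stand-in for a socket so the classifier can run offline."""

    def __init__(self, payload: bytes):
        self.payload = payload

    def recv(self, n: int) -> bytes:
        chunk, self.payload = self.payload[:n], self.payload[n:]
        return chunk


def demo() -> dict:
    """Classify constructed server responses without touching the network."""
    samples = {
        "stream proxy -> sshd": b"SSH-2.0-OpenSSH_9.6\r\n",
        "http proxy_pass": b"HTTP/1.1 400 Bad Request\r\nServer: nginx\r\n\r\n",
        "closed by peer": b"",
    }
    return {name: classify(read_line(FakeSocket(payload)))
            for name, payload in samples.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_tunnel(sys.argv[1]))  # e.g. python3 check.py your-domain.com
    else:
        for name, verdict in demo().items():
            print(f"{name:24s} {verdict}")
```

Run it with your domain as the only argument; "ssh" means the stream proxy is relaying sshd, "http" means nginx is still answering as an HTTP server on that port, and a certificate error means the client-side ProxyCommand would be connecting to something that does not hold your certificate.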
Security Enhancements
Disable Password Authentication:
To ensure security, disable password authentication in your SSH configuration file (/etc/ssh/sshd_config):
PasswordAuthentication no
Restart the SSH service:
sudo systemctl restart sshd
Restrict Access:
Use Nginx’s IP whitelisting or basic authentication to restrict access to authorized users only.
Monitor Logs:
Regularly check Nginx logs for unusual activity:
sudo tail -f /var/log/nginx/access.log /var/log/nginx/error.log
Alternative Tools
SSLH:
SSLH is a multiplexer that allows SSH and HTTPS traffic on the same port. It’s an excellent alternative to Nginx for tunneling SSH over HTTPS:
sudo apt install sslh
Ngrok:
For temporary solutions, Ngrok can create an HTTPS tunnel to your SSH port.
Conclusion
By setting up a reverse proxy with Nginx, you can easily access SSH over HTTPS and bypass network restrictions. This method is secure, flexible, and reliable, making it a go-to solution for restricted environments. With proper configuration and monitoring, you can ensure uninterrupted and safe access to your server.
Have any questions or alternative approaches? Let me know in the comments!