Open Source & Linux Lab


SSH over HTTP proxy: connection issue


The SSH client tries to connect to the SSH server through an HTTP proxy that supports the CONNECT method (using e.g. corkscrew).


The SSH client establishes a TCP connection, but after a while disconnects with the message “ssh_exchange_identification: Connection closed by remote host”. At the same time the SSH server receives no connection attempt at all.


It's been discovered that the HTTP proxy may not establish the outbound connection unless it receives two lines of text, each terminated by '\n'. Furthermore, even when the client provides these two lines, the proxy sometimes doesn't send the SSH server's reply back unless the reply starts with two text lines terminated by '\n'.


We need to push two lines of text at the beginning of the SSH client connection, throw them away at the SSH server side (as they don't conform to the SSH protocol), and push two lines of text before the SSH server's reply (which the SSH protocol accepts, as long as these lines don't start with 'SSH-').


Client side: use the following script as proxy script:

#! /bin/bash
# Send two '\n'-terminated lines first, then relay the SSH client's stream.
( cat << EOF


EOF
cat ) | corkscrew "$@"

Server side: use the following script as an xinetd service:

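#! /bin/bash

# Text lines sent ahead of sshd's identification string; none may start with 'SSH-'.
cat <<EOF
Hello. This is a text allowed by RFC4253.
We use it here in order to pass by HTTP proxies
that are too lazy to work through.
And some more text, to be pretty sure.

EOF
# Throw away the two lines the client script pushed ahead of the SSH stream.
read -r _; read -r _
# Relay to sshd; localhost is an assumption (sshd on the same machine).
nc localhost 22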

If it is saved as /usr/local/bin/sssh, add sssh to /etc/services and register it with xinetd like this:

service sssh
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/local/bin/sssh
        log_on_failure  += USERID
}
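
The line framing described above, checked on constructed byte streams (an added example, not part of the original page): strip_preamble is the server-side discard step, first_ssh_ident mimics how an SSH client skips text lines before the 'SSH-' identification string, and preamble_ok checks filler text before it is deployed. The function names, the cap of 16 filler lines and all sample strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: the two-line framing on constructed data (POSIX sh).
CR=$(printf '\r')

# Server side: drop the first N lines of stdin, relay the rest untouched.
# 'read' takes a pipe or socket byte by byte, so nothing after the Nth
# newline is consumed before cat (nc in the real wrapper) takes over.
strip_preamble() {
    n=${1:-2}
    while [ "$n" -gt 0 ]; do
        IFS= read -r _discard || return 1   # peer closed too early
        n=$((n - 1))
    done
    cat
}

# Client view (RFC 4253, section 4.2): skip lines that do not start with
# "SSH-" and print the identification string without its CR/LF.
first_ssh_ident() {
    max=${1:-16}                            # assumed cap on filler lines
    while [ "$max" -gt 0 ]; do
        IFS= read -r line || return 1
        line=${line%"$CR"}
        case $line in
            SSH-*) printf '%s\n' "$line"; return 0 ;;
        esac
        max=$((max - 1))
    done
    return 1
}

# Filler is acceptable only if none of its lines begins with "SSH-".
preamble_ok() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in SSH-*) return 1 ;; esac
    done
    return 0
}

# Constructed streams: what reaches sshd, and what the client accepts.
printf '\n\nSSH-2.0-ConstructedClient\r\n' | strip_preamble
printf 'Hello.\nMore text.\nSSH-2.0-ConstructedServer\r\n' | first_ssh_ident
```

With the wrapper relaying through nc, sshd records the wrapper's address as the peer for every such session, so source-address rules and log-based blocking on sshd no longer see the real client.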
etc/users/jcmvbkbc/ssh-over-http-proxy.txt · Last modified: 2016/08/08 20:53 by kel