1

I have a device ("A") on my network that only serves content via HTTPS; it's not accessible as it's behind my router/firewall.

I have another machine ("B"), elsewhere on the internet (fake IP of 44.44.44.44)

I want to be able to access the content being served from A from B. I have accepted_keys set up on B for A.

--

I have a basic understanding of SSL/TLS tunneling, but I've never complicated it with HTTPS.

So I start with creating a reverse tunnel from A -> B:

ssh -N -R 8888:localhost:443 [email protected] 

So at this point, on B, I should be able to access port 8888 as if it were 443 on A?

When I try to hit localhost:8888 on B, I get the following (from link2s)

Bad request! Your browser (or proxy) sent a request that this server could not understand. If you think this is a server error, please contact the webmaster. Error 400 www.example.com Sat Mar 29 22:50:34 2014 Apache/2.2.26 (Unix) PHP/5.5.8 mod_ssl/2.2.26 OpenSSL/1.0.1f DAV/2 

While I'm playing with this, I happen to be using Apache, is there a feature I need to enable in its config or something else I need to do?

1 Answer

2

When you ask a browser to connect to localhost:8888 it will actually default to using http://localhost:8888/, which will not work in your case since it is an SSL port. Using the URL https://localhost:8888/ instead should work, except for the certificate warning.

3
  • Great. I totally whiffed on the HTTPS:// prefix. Is there an easy workaround for the certificate issue? I'm guessing it's being rejected as it's not signed for 'localhost' at 8888. Do I have to modify the certification on A to include that? Commented Mar 30, 2014 at 12:25
  • 1
    If you are fine with getting a warning about a self-signed certificate, then you could just include the additional name in the certificate. If you need a CA signed certificate, then the easiest solution may be to add an entry to /etc/hosts on B and then access the port forwarding by a fully qualified hostname rather than using localhost. Commented Mar 30, 2014 at 12:56
  • So I could add the IP for B as a SAN in the self-signed cert? Or if I use your hosts file suggestion, I just add an entry "thisisb.com" that points to localhost with "thisisb.com" in my non-snakeoil cert? Commented Mar 30, 2014 at 19:47
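
The check below is an added example, not code from the question or the answer. Run on B, it dials the forwarded port at 127.0.0.1:8888 but verifies the certificate against a name you supply, and reports which failure the thread describes is in play: tunnel down, endpoint not answering with TLS, or certificate rejected. The function name `check_tunnel`, the placeholder name `a.example.test` and the optional `cafile` argument are assumptions.

```python
import socket
import ssl


def check_tunnel(cert_name, host="127.0.0.1", port=8888, cafile=None, timeout=5.0):
    """Dial the forwarded port on B, verifying the certificate against cert_name.

    Returns (status, detail); status is one of:
      "ok"            handshake succeeded, chain and name verified
      "cert-rejected" endpoint speaks TLS, but chain or name failed verification
      "not-tls"       endpoint did not complete a TLS handshake
      "unreachable"   nothing accepted the connection (tunnel down?)
    """
    # Default context: CERT_REQUIRED plus hostname checking. cafile lets a
    # self-signed or private-CA certificate be trusted explicitly.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "unreachable", str(exc)
    with raw:
        try:
            # server_hostname sets SNI and the name to verify, independent of
            # the address dialled, like an /etc/hosts entry for this one client.
            with ctx.wrap_socket(raw, server_hostname=cert_name) as tls:
                req = f"HEAD / HTTP/1.1\r\nHost: {cert_name}\r\nConnection: close\r\n\r\n"
                tls.sendall(req.encode("ascii"))
                status_line = tls.recv(4096).split(b"\r\n", 1)[0]
                return "ok", status_line.decode("latin-1")
        except ssl.SSLCertVerificationError as exc:
            return "cert-rejected", exc.verify_message
        except ssl.SSLError as exc:
            return "not-tls", exc.reason or str(exc)
        except OSError as exc:
            return "not-tls", str(exc)


if __name__ == "__main__":
    # "a.example.test" is a placeholder for a name present in A's certificate.
    print(check_tunnel("a.example.test"))
    # The mismatch from the comments: the same port verified as "localhost".
    print(check_tunnel("localhost"))
```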
